8

I've recently looked a bit at pairing based cryptography and I was wondering what properties the groups involved should have in order to be useful for cryptographic purposes? Has anything more exact been formulated? As an example, we could just take the pairing

$\mathbb{Z}_p\times \mathbb{Z}_p\to \mathbb{Z}_p,\;\; (x,y)\mapsto xy,$

where the group is the additive subgroup of $\mathbb{Z}_p$. Clearly, this would not be terribly useful for cryptographic applications, since picking any nonzero $a\in \mathbb{Z}_p$ as a generator, we can trivially solve the discrete logatithm problem in this additive group. Hence any standard formulation of Diffie-Hellman can be solved as $c$ from $ca$ can be solved just by multiplying with the inverse of $a$, which is efficiently computable. How do we differentiate between ''good'' and ''bad'' groups?

del
  • 183
  • 3

1 Answers1

3

That depends on the protocol being used, but most pairing-based protocols assume that the Bilinear Diffie-Hellman (BDH) problem is hard: given $P, aP, bP, cP$ for group element $P$ and integers $a, b, c$ it is hard to compute $e(P, P)^{abc}$ for a given pairing $e$.

There are many related problems that, if broken, could be used to break the BDH: the discrete logarithm, the Computational Diffie-Hellman (given $P, aP, bP$ compute $abP$), etc.

Conrado
  • 6,614
  • 1
  • 30
  • 45