Questions tagged [pairings]

Pairing-based cryptography uses bilinear maps to create a gap group that allows efficient constructions of certain primitives.

Pairing-based cryptography (PBC) uses bilinear maps (typically on elliptic curves) to create a group where the DDH assumption is easy while CDH and DL remain hard: a "gap" group.

Among the applications of PBC are various forms of functional cryptography such as identity-based encryption and attribute-based encryption, short signatures, verifiable random functions, and non-interactive zero-knowledge proofs.

287 questions

23 votes, 1 answer

Mapping points between elliptic curves and the integers

My primary question is: Is there an easy way to create a bijective mapping from points on an elliptic curve E (over a finite field) to the integers (desirably to $\mathbb{Z}^*_q$ where $q$ is the order of E)? To phrase it a second way, given a…
PulpSpy

15 votes, 1 answer

Security of pairing-based cryptography over binary fields regarding new attacks

In the last week, the discrete logarithm problem was broken for the binary fields $\mathbb{F}_{2^{(14 \times 127)}}$ and $\mathbb{F}_{2^{(27 \times 73)}}$. Pairing-based cryptography using binary fields currently relies on fields such as…
Conrado

14 votes, 1 answer

Is pairing based cryptography ready for productive use?

I'm currently testing one among those many interesting cryptographic protocols based on bilinear maps. It's quite hard to understand the underlying fundamentals, especially since there are several types of pairing and different underlying algorithms…
Horst Lemke

13 votes, 3 answers

What is Identity-Based Encryption (IBE) and why is it "better"?

Most CS/Math undergrads run into the well-known RSA cryptosystem at some point. But about 10 years ago Boneh and Franklin introduced a practical Identity-Based Encryption system (IBE) that has excited much of the research community and produced a…
Fixee

13 votes, 1 answer

Proving multiple products "in the exponent"

I'm trying to come up with a small-sized (non-interactive) proof for a Diffie-Hellman-like statement. I'll start by giving an example. The prover has $g^a, g^b, g^c, g^{ac}, g^{ab}, g^{bc}, g^{abc}$. The verifier only has $g^a, g^b$ and…
Alin Tomescu

13 votes, 2 answers

Pairing-friendly curves in small characteristic fields

There are several well-known techniques to generate pairing-friendly curves of degrees 1 to 36 on prime fields GF(p): Cocks-Pinch, MNT, Brezing-Weng, and several others. In extension fields GF(p^n), however, one is confined to supersingular curves.…
Samuel Neves

13 votes, 2 answers

In bilinear pairings, what is the difference between Type 2 and Type 3?

In bilinear pairings, what is the difference between Type 2 and Type 3? I understand in Type 2, there exists an efficiently computable homomorphic function $\phi : G_2 \rightarrow G_1$, which is not present in Type 3 pairings. But what I don't…
Subhayan

11 votes, 1 answer

Are pairings still the most efficient implementation for identity and attribute-based encryption?

I read on Wikipedia: [...] pairings have also been used to construct many cryptographic systems for which no other efficient implementation is known, such as identity based encryption or attribute based encryption schemes. Is this still the…
Shalec

9 votes, 3 answers

When do we need composite order groups for bilinear maps and when prime order?

Why do we need bilinear groups of composite order? What's the special security property of the composite order group in comparison with one of prime order? To put it another way, when do we need composite order groups for bilinear maps and when prime…
curious

8 votes, 1 answer

Can somebody explain the major contributions of the tenants of the Gödel Prize 2013?

As you may know, the Gödel Prize 2013 will be awarded this year to cryptographers (see this ACM press release). The people awarded are Antoine Joux, the team of Dan Boneh and Matthew K. Franklin. Can somebody explain their contribution to…
perror

8 votes, 1 answer

Useful pairings for cryptography

I've recently looked a bit at pairing based cryptography and I was wondering what properties the groups involved should have in order to be useful for cryptographic purposes? Has anything more exact been formulated? As an example, we could just take…
del

7 votes, 2 answers

Does pairings based cryptography inherently require a CRS/trusted setup?

In all algorithms I've seen that rely on pairings-based cryptography (some examples: snarks without PCPs, more snarks, sublinear ring signatures), a common reference string is required. Is this always the case? If so, what is it about pairings (or…
bekah

6 votes, 1 answer

Simple explanation of Miller's algorithm

Could someone explain to me in a few lines (even one sentence) what Miller's algorithm computes? Without talking about divisors and all the other concepts, I would like to be able to explain it to someone who doesn't necessarily know elliptic curve…
user1990088

6 votes, 1 answer

Discrete logs on elliptic curve with embedding degree 3 with the 'MOV' attack

The curve $E(\mathbb{F}_{47}):y^2=x^3+x+38$ has order $61$ and $61|47^3-1$ so the embedding degree of $E$ is $3$ and therefore the MOV attack, presumably using some sort of distortion map and a suitable pairing, can be used to find discrete…
Richard

6 votes, 1 answer

Elliptic curves with pairings at 128-bit security in libpbc?

I am using Ben Lynn's libpbc to implement a BLS threshold signature scheme and I am aiming for 128-bit security (i.e., a forgery attack should take around $2^{128}$ tries). I was wondering what curves in libpbc would provide this level of…