Overview
Pairing = Bilinear Map
Technically, pairing is a special kind of bilinear map for modules. In cryptography, they are often used interchangeably.
What do pairings allow you to do that normal groups do not?
Pairings allow you to multiply two hidden numbers, while “normal groups” only allow you to add
Pairing Rules
Pairing Application
Question
Let’s suppose Alice want to prove to Bob that she know some integer that satisfies the equation: without revealing to Bob. How would Alice do this using an elliptic curve pairing?
Answer:
Choose 2 public generators , and
Compute and and send results to Bob (Bob cannot compute due to ECDLP)
Bob computes:
If the above result == 1, then we know with high probability
Definition
A pairing is a map:
where:
- are groups of points on elliptic curves (sometimes the same curve, sometimes different).
- is a multiplicative subgroup of a finite field .
- The pairing must be:
- Bilinear: for all points and integers
- Non-degenerate: if and are generators of and , so it carries meaningful information
- Efficiently computable: there must be an efficient algorithm to compute
Pairing Friendly Elliptic Curves
- for an elliptic curve defined by , there is an integer such that divides (i.e. )
- k is called the embedding degree
- the smaller is, the more pairing-friendly the curve
- e.g. for BN254,
- Reason:
- the pairing function pair(𝑎, 𝑏) takes as input two points 𝑎, 𝑏 ∈ 𝐸 on the elliptic curve and spits out a value pair
- in other words, a nonzero element of the finite field of order
- thus, the smaller the , the smaller the order of
Pairing Types
- All types are equally secure
- Tate Pairing
- Weil and Ate pairings can be written in terms of Tate pairing
- Weil Pairing
- Ate Pairing
- most efficient type
Pairing Classification
Type 1
- (symmetric pairing)
Type 2
- which is an efficiently computable homomorphism
- no efficient secure hash to group function exists.
Type 3
- no efficiently computable homomorphism exists
Type 4
- which is an efficiently computable homomorphism
- there exists some which is an efficient secure hash to group function
Security
- let be a bilinear map and and for asymmetric bilinear map groups , such that
- the general pairing inversion problem to be the problem of finding given
Different than Elliptic Curve Hardness
Hardness assumption in Pairing-based cryptography is separate from Elliptic Curve Cryptography
Calculation
- Miller Loop
- Final Exponentiation a. Easy Part b. Hard Part where is the cyclotomic polynomial evaluated at p
Notation (additive vs multiplicative)
Simply put, it’s a matter of preference.
Example
Discrete Logarithm Problem (DLP)
Multiplicative Notation
- will give a result that is uniformly distributed between 1 and (p - 1), inclusive
- Given g, r and p, it is hard to deduce x
- If p is small, it is easy to find x
- If p is very large, it is hard to find x
Additive Notation
- Given is a standard elliptic curve and arbitrary nonzero
- where and (e.g. is 254-bit if is BN254 )
- is hard to find
- However, given and , one can compute in
General
Link to original
- An instance of the Hidden Subgroup Problem (HSP)
Benchmarks
Implementations
pairings_bn.nim Faster pairings · Issue #101 · axiom-crypto/halo2-lib · GitHub