The Realm of the Pairings

Bilinear maps, or pairings, initially proposed in a cryptologic context for cryptanalytic purposes, proved afterward to be an amazingly flexible and useful tool for the construction of cryptosystems with unique features. Yet, they are notoriously hard to implement efficiently, so that their effective deployment requires a careful choice of parameters and algorithms. In this paper we review the evolution of pairing-based cryptosystems, the development of efficient algorithms and the state of the art in pairing computation, and the challenges yet to be addressed on the subject, while also presenting some new algorithmic and implementation refinements in affine and projective coordinates.
