## Cryptology ePrint Archive: Report 2009/480

**On Cryptographic Protocols Employing Asymmetric Pairings -- The Role of $\Psi$ Revisited**

*Sanjit Chatterjee and Alfred Menezes*

**Abstract: **Asymmetric pairings $e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ for which an efficiently-computable isomorphism $\psi : \mathbb{G}_2 \rightarrow \mathbb{G}_1$ is known are called Type 2 pairings; if such an isomorphism $\psi$ is not known then $e$ is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of $\psi$ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.

**Category / Keywords: **

**Date: **received 28 Sep 2009, last revised 3 May 2011

**Contact author: **s2chatte at math uwaterloo ca

**Available format(s): **PDF | BibTeX Citation

**Version: **20110503:163536 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]