Cryptology ePrint Archive: Report 2009/480

On Cryptographic Protocols Employing Asymmetric Pairings -- The Role of $\Psi$ Revisited

Sanjit Chatterjee and Alfred Menezes

Abstract: Asymmetric pairings $e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ for which an efficiently-computable isomorphism $\psi : \mathbb{G}_2 \rightarrow \mathbb{G}_1$ is known are called Type 2 pairings; if such an isomorphism $\psi$ is not known then $e$ is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of $\psi$ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.

Category / Keywords:

Date: received 28 Sep 2009, last revised 3 May 2011

Contact author: s2chatte at math uwaterloo ca

Available format(s): PDF | BibTeX Citation

Version: 20110503:163536 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]