## Cryptology ePrint Archive: Report 2010/388

On the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings

Sanjit Chatterjee and Darrel Hankerson and Alfred Menezes

Abstract: We focus on the implementation and security aspects of cryptographic protocols that use Type 1 and Type 4 pairings. On the implementation front, we report improved timings for Type 1 pairings derived from supersingular elliptic curves in characteristic 2 and 3 and the first timings for supersingular genus-2 curves in characteristic 2 at the 128-bit security level. In the case of Type 4 pairings, our main contribution is a new method for hashing into ${\mathbb G}_2$ which makes the Type 4 setting almost as efficient as Type 3. On the security front, for some well-known protocols we discuss to what extent the security arguments are tenable when one moves to genus-2 curves in the Type 1 case. In Type 4, we observe that the Boneh-Shacham group signature scheme, the very first protocol for which the Type 4 setting was introduced in the literature, is trivially insecure, and we describe a small modification that appears to restore its security.

Category / Keywords: cryptographic protocols / pairing-based cryptography, Type 1 and type 4 pairings

Publication Info: Abbreviated version appears in the proceedings of WAIFI 2010.