On Cryptographic Protocols Employing Asymmetric Pairings -- The Role of $\Psi$ Revisited

Sanjit Chatterjee and Alfred Menezes

Abstract

Asymmetric pairings $e : \mathbb{G}_1 \times \mathbb{G}_2 \rightarrow \mathbb{G}_T$ for which an efficiently-computable isomorphism $\psi : \mathbb{G}_2 \rightarrow \mathbb{G}_1$ is known are called Type 2 pairings; if such an isomorphism $\psi$ is not known then $e$ is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of $\psi$ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.

Metadata
Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
s2chatte @ math uwaterloo ca
History
2011-05-03: revised
2009-09-29: received
See all versions
Short URL
https://ia.cr/2009/480
License

CC BY

BibTeX

@misc{cryptoeprint:2009/480,
author = {Sanjit Chatterjee and Alfred Menezes},
title = {On Cryptographic Protocols Employing Asymmetric Pairings -- The Role of $\Psi$ Revisited},
howpublished = {Cryptology ePrint Archive, Paper 2009/480},
year = {2009},
note = {\url{https://eprint.iacr.org/2009/480}},
url = {https://eprint.iacr.org/2009/480}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.