Pairing-based cryptography centers around a particular function with interesting properties.
Let G1, G2, GT be cyclic groups of prime order r. Let g1 be a generator of G1 and g2 be a generator of G2. Let e be a function
e : G1 x G2 --> GT
that is efficiently computable with e(g1, g2) != 1 (nondegenerate) and e(g1^a, g2^b) = e(g1,g2)^ab (bilinear) for all integers a,b. We refer to this function e as a bilinear map or a pairing. When G1 = G2 we say that the pairing is symmetric, otherwise we say the pairing is asymmetric.
With a few more conditions (for example, we may require the discrete log problem to be hard in G1 and the existence of an efficiently computable isomorphism from G2 to G1), these pairings can be used to build a wide variety of cryptosystems.
The PBC library builds groups G1, G2, GT and a pairing from given parameters. The underlying mathematics behind the groups are abstracted away in the interface.
Routines to generate pairing parameters of are also provided.
Several test programs and curve parameters are bundled with the library.
After compilation succeeds, try:
test/testpairing < a.param test/benchmark < c159.param test/testibe < e.param
The *.param files contain pairing parameters one might typically use in a real cryptosystem. Many of the test programs read the parameters from standard input.
Searches for discriminants D that lead to MNT curves with subgroups of prime order.
Prints parameters for a curve suitable for computing pairings of a given type. The output can be fed to some of the other test programs.
The program gencparam should be given a discriminant as the first argument.
Prints the Hilbert polynomial for a given discriminant.
These programs read curve parameters on standard input and perform computations that would be required in an implementation of the Boneh-Lynn-Shacham short signature scheme and the Boneh-Franklin identity-based encryption scheme.
These test programs are more realistic, and test the implementations of the Boneh-Boyen, Boneh-Lynn-Shacham, Boneh-Boyen-Shacham signature schemes and the Cha-Cheon and Sakai-Kasahara-Schnorr identity-based signature schemes
Reads pairing parameters on standard input and benchmarks the pairing.
Programs using the PBC library should include the file pbc.h:
#include "pbc.h"
and linked against the PBC library, e.g.
gcc program.c -L. -lpbc
The file pbc.h includes gmp.h thus all GMP functions are available. To use a pairing, first declare and initialize:
pairing_t pairing; pairing_init_inp_str(pairing, stdin);
In this case, the pairing parameters are fed to the program on standard input (e.g. "./program < a.param"). Now pairing->G1, pairing->G2, pairing->GT and bilinear_map() can be used as follows. Declare and initialize some group elements:
element_t x, y, z; element_init(x, pairing->G1); element_init(y, pairing->G2); element_init(z, pairing->GT);
To pick random elements of G1, G2 and compute a pairing:
element_random(x); element_random(y); bilinear_map(z, x, y, pairing);
Now z = e(x, y).
To raise x by some random exponent r:
element_t r; element_init(r, pairing->Zr); element_random(r); element_pow_fp(x, x, r);
The PBC library implements the pairing using different types of curves. Which curve to use depends on the application. To make it easy to refer to them, I have labelled them with letters. See below for the details.
The library provides pairing parameters useful in typical pairing-based cryptosystems. If you're not interested in what the details are, always use Type A when a fast pairing is desired, and Type F when short group elements are needed. Type C are not as slow as type F, but cannot be quite as short.
We use the curve y^2 = x^3 + x over the field F_q for some prime q. It turns out #E(F_q) = q + 1 and #E(F_q^2) = (q+1)^2. Thus the embedding degree k is 2.
We set things up so that q + 1 = r * h, for a particular r. For speed, we pick r to be a Solinas prime, that is, r has the form 2^a +- 2^b +- 1 for some integers 0 < b < a.
We also choose q = -1 mod 12 so we can implement F_q^2 as F_q[i] (where i = sqrt(-1)). Also, since q = -1 mod 3, cube roots in F_q are easy to compute. This latter feature may be removed because I have not found a use for it yet (in which case only q = -1 mod 4 is guaranteed).
Pairings on type A curves are the fast and ought to be used where the main concern is efficiency. Typically, r should be about 160 bits long and q about 512 bits. In this case, elements of groups G1 and G2 take 512 bits to represent.
Additionally, the pairing is symmetric, that is G1 and G2 are in fact the same group.
a_param struct fields:
exp2, exp1, sign1, sign0, r:
r = 2^exp2 + sign1 * 2^exp1 + sign0 * 1 (Solinas prime)
q, h:
r * h = q + 1
q is a prime, h is a multiple of 12 (thus q = -1 mod 12)
This type is reserved for the curve y^2 = x^3 + 1 over F_q with q = -1 mod 12. It has yet to be implemented as I have not seen a compelling reason to use it.
There are advantages unique to this curve however. Since cube roots in F_q are fast and guaranteed to exist, for any given value of y, it is easy to solve for x. Also, the coefficient of x is zero in the curve equation, simplifying some equations (e.g. point doubling).
There is also at least one drawback when compared with the similar type A pairing. If symmetry of the pairing is insisted upon, some optimizations are not possible. If ever implemented, perhaps I will divide this case into two subtypes, one symmetric, and the other asymmetric but slightly faster.
These are ordinary curves of with embedding degree 6, whose orders are prime or a prime multiplied by a small constant. These are constructed using the method due to MNT.
A type C curve is defined over some field F_q and has order h * r where r is a prime and h is a small constant. Over the field F_q^6 its order is a multiple of r^2.
Typically the order of the curve E is around 170 bits, as is F_q, the base field, thus q^k is around the 1024-bit mark which is commonly considered good enough.
Using type C pairings allows elements of group G1 to be quite short, typically 170-bits. Because of a certain trick, elements of group G2 need only be 3 times longer, that is, about 510 bits rather than 6 times long. They are not quite as short as type F pairings, but much faster.
c_param struct fields:
q F_q is the base field
n # of points in E(F_q)
r large prime dividing n
h n = h * r
a E is given by y^2 = x^3 + ax + b
b
nk # of points in E(F_q^k)
hk nk = hk * r * r
I sometimes refer to a type C curve as a triplet of numbers: the discriminant, the number of bits in the prime q, and the number of bits in the prime r. The listmnt program prints these numbers. The bundled type C curve parameters are the curves 9563-201-181, 62003-159-158 and 496659-224-224.
This type is reserved for supersingular curves with embedding degree 6. Pairings are fast as optimizations specific to fields of characteristic 3 may be used. The embedding degree of 6 also means the representations of elements of G1 are short.
On the other hand, the low characteristic also makes these curves more susceptible to Coppersmith's attack, so slightly larger fields are needed for security.
The CM (Complex Multiplication) method of constructing elliptic curves starts with the Diophantine equation
DV^2 = 4q - t^2
If t = 2 and q = D r^2 h^2 + 1 for some prime r (which we choose to be a Solinas prime) and some integer h, we find that this equation is easily solved with V = 2rh.
Thus it is easy to find a curve (over the field F_q) with order q - 1. Note r^2 divides q - 1, thus we have an embedding degree of 1.
Hence all computations necessary for the pairing can be done in F_q alone. There is never any need to extend F_q.
As q is typically 1024 bits, group elements take a lot of space to represent. Moreover, many optimizations do not apply to this type, resulting in a slower pairing.
This pairing is kept as a reserve, in case some day it is discovered that discrete log in field extensions is easier to solve than previously thought.
Using carefully crafted polynomials, k = 12 pairings can be constructed. Only 160 bits are needed to represent elements of one group, and 320 bits for the other.
They should be used when the top priority is to minimize bandwidth (e.g. short signatures). The pairing is slower than the other types.
Also, k = 12 allows higher security short signatures. (k = 6 curves cannot be used to scale security from 160-bits to say 256-bits because finite field attacks are subexponential.)
These are curves containing a subgroup of a specified order. Boneh, Goh and Nissim have use for an elliptic curve with subgroup order N = pq for large primes p, q.
To implement them, Type A curves can be used, only instead of a Solinas prime, we generate curves with a given group order. Type B can also be used (and that is what is suggested in their paper) but this is less desirable.