TransWikia.com

What is different between G1×G1→GT and G1×G2→GT in the bilinear pairing?

Cryptography Asked on October 24, 2021

It is an implementation of the bls12-381 algorithm known as pairing-friendly, at GitHub.

Looking at this, the pairing parameters are $G_1$ and $G_2$,
$G_1$ is the point of $F_q$, $G_2$ is the point of $F_{q^2}$.

However, some papers describe it as follows.

Bilinear Map Let G1, G2 be two cyclic groups of prime modulo p. Let g
be a primitive root (i.e. generator) of G1. A bilinear map [10] or
bilinear pairing „e‟ is an effectively calculable task e : G1 × G1 →
G2 such that it satisfies the below two conditions,

  1. Non degeneracy: e(g, g) ≠ 1.
  2. Bilinearity: e(gx, gy) = e(g, g)xy for all x, y ∈ Z.

Setup: Let E(Fq) be an elliptic curve above the fixed field Fq where q
is large prime number (at least 160 bits) and G be a point on elliptic
curve E of order n. Let G1, G2 be two multiplicative cyclic groups of
prime modulo n. Let e : G1 × G1 → G2 be a bilinear map, z = e(G1, G1)
∈ G2.

$$z = e(G_1, G_1)$$

Here, both parameters take the point of $F_q$. How are they different?

elliptic curvespairings

One Answer

The most general form of a bilinear map is $e : G_1 times G_2 to G_T$. We can categorize a scheme's usage of the bilinear map into 3 standard categories:

  • Type 1: in addition to the bilinear pairing, the scheme requires efficiently computable homomorphisms $phi_{12} : G_1 to G_2$ and $phi_{21} : G_2 to G_1$. In other words, the scheme sometimes needs to "convert/cast" a $G_1$-element to a $G_2$-element and vice-versa. This is the same thing as requiring that $G_1 = G_2$.

  • Type 2: the scheme requires an efficient homomorphism $phi_{12} : G_1 to G_2$. In other words, the scheme sometimes needs to "convert/cast" a $G_1$-element into a $G_2$-element (but not vice-versa).

  • Type 3: the scheme never needs to "convert/cast" between groups.

See Pairings for Cryptographers by Galbraith, Paterson, and Smart for more discussion about these types (especially section 2).

Type 3 is the most desirable since it places the fewest restrictions on the bilinear map. Type 1 demands a lot of structure from the bilinear map, and I think type-1-compatible groups/pairings are less efficient.

Answered by Mikero on October 24, 2021

Add your own answers!

Ask a Question

Get help from others!

Recent Answers

Recent Questions

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP