Score:2

Is pairing-based crypto post-quantum secure?


Bilinear Pairings are widely used in many new schemes like Group Signature and Aggregate Signature. The problem is whether it is post-quantum secure. In other words, does the Bilinear Diffie-Hellman intractability assumption stand against a quantum computer?

With a quantum computer, Shor's Algorithm solves the Prime Factorization and Discrete Log problems in polynomial time, which nullifies the security of plain Diffie-Hellman-based schemes. But Bilinear Diffie-Hellman is a bit different since it has a mapping e(g,g), instead of plain g. I haven't seen any quantum-resistance analysis/discussion in Pairing-related papers, nor have I seen any paper that specifically discusses this topic. Does anyone have a clue?

Related pages: What is the post-quantum cryptography alternative to Diffie-Hellman?

Score:6

> Is pairing-based crypto post-quantum secure?

No. That's because solving the Discrete Logarithm Problem in one of the pairing's source groups breaks the pairing's security, and Shor's algorithm running on a Cryptographically Relevant Quantum Computer could solve such a DLP.

More justification per request: all usages of pairings in cryptography assume that the Computational Diffie-Hellman problem is hard on at least one of the pairing's source groups (often denoted $\mathbb G_1$ and/or designated the Gap Group). Breaking the DLP also breaks CDH, thus a security assumption on the pairing. Typical example: Dan Boneh, Ben Lynn, Hovav Shacham, Short Signatures from the Weil Pairing, in JoC 2004:

> Our signature scheme uses groups where the CDH problem is hard.

Chunchi Liu
Can you elaborate more on the reason for the statement _"...solving the Discrete Logarithm Problem in one of the pairing's base groups breaks the pairing's security"_? Which theorem or whose work proves this conclusion? I only saw vague statements like [_"Verheul’s theorem... provides evidence that the multiplicative group of a finite field provides essentially more...security than the group of points of a supersingular elliptic curve of comparable size."_](https://eprint.iacr.org/2008/456.pdf) but the reasoning is still not clear to me.
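
The reduction the answer relies on, as an added example that is not part of the original thread: a toy symmetric pairing whose source group is $(\mathbb{Z}_q, +)$, where a discrete log is just a modular division, standing in for what Shor's algorithm would provide on a real pairing-friendly curve. All parameters and function names are constructed for illustration; the signature follows the BLS shape cited in the answer.

```python
import hashlib

# Constructed toy parameters (far too small for real use).
P_MOD = 2039   # prime p = 2q + 1
Q = 1019       # prime order of both groups
G_T = 4        # generator of the order-q subgroup of Z_p^* (target group)
GEN = 7        # generator "P" of the source group G1 = (Z_q, +)

def pairing(u, v):
    """Bilinear, non-degenerate map e: G1 x G1 -> G_T, e(u, v) = G_T^(u*v)."""
    return pow(G_T, (u * v) % Q, P_MOD)

def hash_to_g1(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(x):
    return x % Q, (x * GEN) % Q                 # sk = x, pk = x*P

def sign(sk, msg):
    return (sk * hash_to_g1(msg)) % Q           # sigma = x*H(m)

def verify(pk, msg, sig):
    # BLS check: e(sigma, P) == e(H(m), pk)
    return pairing(sig, GEN) == pairing(hash_to_g1(msg), pk)

def dlog_g1(point):
    """Stand-in DLP solver for G1. Here it is a modular division; on a real
    curve this is the step Shor's algorithm would perform."""
    return (point * pow(GEN, -1, Q)) % Q

def forge(pk, msg):
    """Sign without the secret key, given only a DLP solver in G1."""
    return sign(dlog_g1(pk), msg)

def solve_bdh(aP, bP, cP):
    """Compute e(P, P)^(abc) from aP, bP, cP using one discrete log in G1."""
    return pow(pairing(bP, cP), dlog_g1(aP), P_MOD)

def demo():
    sk, pk = keygen(123)
    forged = forge(pk, b"constructed message")
    a, b, c = 5, 11, 17
    bdh = solve_bdh(a * GEN % Q, b * GEN % Q, c * GEN % Q)
    expected = pow(pairing(GEN, GEN), a * b * c, P_MOD)
    return verify(pk, b"constructed message", forged), bdh == expected

if __name__ == "__main__":
    print(demo())
```

The pairing equation never has to be attacked directly: one discrete log in the source group yields the signing key and the Bilinear Diffie-Hellman value alike.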