# Questions tagged as ['pairings']

I wonder about the CRS of NIZK argument.

I think [A]$_1$, [B]$_2$, [C]$_1$ is calculated using CRS. Instead of calculating A, B, C first and then calculating [A]$_1$, [C]$_1$, [B]$_2$.

- May I know if this is correct?

If it is correct, in order to calculate [C]$_1$, I think [B]$_1$ is also needed.

- Is it correct that we need to calculate both [B]$_1$ and [B]$_2$?

And I marked curious parts with ...

I have read some code, the generator of the additive group of prime order is easy to get because every element in the group is a generator.So in JPBC I just need to randomly generate elements as generators.But this method is not valid in composite order groups because the elements in composite order groups are not all generators.So how to get the generator of composite order group in JPBC?

I'm reading "On the implementation of pairing-based cryptosystems".

It states that $E(\mathbb{F}_{k^q})[r]$ is isomorphic to the product of $\mathbb{Z}_r$ with itself. $E(\mathbb{F}_{k^q})[r]$ is the set of $r$-torsion points, which means all points, $P$ where $rP = O$ (I think).

Ok. Let's test this with $r = 2$. We know, the 4 solutions are: $\{O, (a_0, 0), (a_1, 0), (a_2, 0)\}$ where $a_n$ is t ...

Consider two points P, Q over a pairing friendly elliptic curve $E[F_q]$, e.g., BN254. Let Z = e(P, Q). It is known that $Z \in F_{q^k}$ where $k$ is the embedding degree. The norm map N(Z) is defined as $\prod_{0\leq i\leq k-1} Z^{q^i}$. We observed that for BN254, N(Z) is always the 1 in $F_p$.

Is that the case for all pairing friendly groups?

I am implementing certificateless cryptography from this research paper in python language. Essentially, I want to have the following hash function mapping. This hash function is mentioned in the setup algorithm in section 2.4 of the paper. Here n is the bit-length of plaintexts. $$\begin{align} H_4: \{0, 1\}^n\to\{0, 1\}^n\\ \end{align}$$ Is there any inbuilt hash function in hashlib python libra ...

I am reading up on Pairings using Elliptic curves & all the texts talk about functions on a Curve.

I am finding it difficult to even figure out what they mean by "function on a curve" or "function on a line"

The equation of a line or a curve itself is in the form of a function, but I am unable to figure what is "function on a curve" or "function on a line".

Some examples.

In Mathematical Cryptography ...

In a **asymetric** pairing context, which size (in bits) should have the elements of $\mathbb{G}_1,\mathbb{G}_2$ and $\mathbb{G}_T$ if we consider the most efficient elliptic curves?

I am facing a problem in programming with the charm-crypto library. The hash functions for pairing group elements in charm-crypto can only map from a string to a specific field: $\mathbb Z_r$, $G_1$ or $G_2$.

Examples: $$\begin{align} H_1: \{0, 1\}^*\to\ &G_1\\ H_2: \{0, 1\}^*\to\ &Z_r\\ H_3: \{0, 1\}^*\to\ &G_2\\ \end{align}$$

I am implementing a certificateless public key encryption ...

What are the recent developments in Attribute-Based Encryption (ABE) using Pairings assumptions?

Is pairings the most viable assumption while designing ABE. What other assumptions are used for ABE schemes and are there any advantages it gives over pairings assumption?

Assume that we have a pairing as $e:G_1\times G_2\rightarrow G_T$. such that $g_1$ and $g_2$ are the generator of $G_1$ and $G_2$ respectively. In a protocol I have $A=\prod_{i=1}^n e(H(i),pk_i)$ where $H(i)\in G_1$ and its discrete-logarithm is unknown (since it is a random oracle) and $pk_i\in G_2$. I can design another protocol such that I can compute my target value $A$ in another way i.e., $A=e( ...

I've been trying to understand an article (https://ieeexplore.ieee.org/document/8538446) about using blockchain to overcome identity based encryption (ibe) drawbacks. My purpose is to be able to code the method explained in the article at the end BUT i have big issues understanding the math behind the identity based encryption, here are my questions.

1- How are groups generated ( chosen ) in ibe ?

...

I compare the algorithm description of Optimal ate pairing and R-ate pairing, it turns out to me that the formulas are the same. So I'm a little confused, what's the difference between them? or is it just I misunderstand? Thanks very much.

ref: Beuchat J L, González-Díaz J E, Mitsunari S, et al. High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves[C]//Internationa ...

Are there any pairing-friendly curves whose group order is a safe prime?

That is: the order of the group is $2q + 1$ for some prime number $q$.

Or, is it impossible to have such groups?

Let's say there is a bilinear pairing $G \times G \rightarrow G_t$ (e.g., for bn128), and let prime $q$ be the order of $G$. Is it possible to find a prime order group over integers such that its order $p | q-1$ (that is $q$ is used as the modulus for the "smaller" group)? I checked the order of bn128 and bs381 groups, it seems that the $q-1$ has no large prime factors.

As my survey, most of(I am not sure if it is "all") the constructions of VRF are instantiated with the use of pairing. Can we construct a VRF without using pairing?