# 22.1 Bilinear Pairings

Although most of this chapter could be done in the context of cyclic groups of prime order, the primary examples of pairings in cryptography are based on elliptic curves or closely related situations. Therefore, for concreteness, we use only the following situation.

Let $p$ be a prime of the form $6q-1\text{,}\text{}$ where $q$ is also prime. Let $E$ be the elliptic curve ${y}^{2}\equiv {x}^{3}+1$ mod $p\text{.}$ We need the following facts about $E$.

There are exactly $p+1=6q$ points on $E$.

There is a point ${P}_{0}\ne \infty $ such that $q{P}_{0}=\infty $. In fact, if we take a random point $P\text{,}\text{}$ then, with very high probability, $6P\ne \infty $ and $6P$ is a multiple of ${P}_{0}$.

There is a function $\tilde{e}$ that maps pairs of points $(a{P}_{0}\text{,}\text{}b{P}_{0})$ to $q$th roots of unity for all integers $a\text{,}\text{}b$. It satisfies the

**bilinearity property**$$\begin{array}{r}\tilde{e}(a{P}_{0}\text{,}\text{}b{P}_{0})=\tilde{e}({P}_{0}\text{,}\text{}{P}_{0}{)}^{ab}\end{array}$$for all $a\text{,}\text{}b$. This implies that

$$\tilde{e}(aP\text{,}\text{}bQ)=\tilde{e}(P\text{,}\text{}Q{)}^{ab}$$for all points $P\text{,}\text{}Q$ that are multiples of ${P}_{0}$. (See Exercise 2.)

If we are given two points $P$ and $Q$ that are multiples of ${P}_{0}\text{,}\text{}$ then $\tilde{e}(P\text{,}\text{}Q)$ can be computed quickly from the coordinates of $P$ and $Q$.

$\tilde{e}({P}_{0}\text{,}\text{}{P}_{0})\ne 1\text{,}\text{}$ so it is a nontrivial $q$th root of unity.

We also make the following assumption:

If we are given a random point $P\ne \infty $ on $E$ and a random $q$th root of unity $\omega \ne 1\text{,}\text{}$ it is computationally infeasible to find a point $Q$ on $E$ with $\tilde{e}(Q\text{,}\text{}P)=\omega $ and it is computationally infeasible to find ${Q}^{\prime}$ with $\tilde{e}(P\text{,}\text{}{Q}^{\prime})=\omega $.

# Remarks

Properties (1) and (2) are fairly easy to verify (see Exercises 4 and 5). The existence of $\tilde{e}$ satisfying (3), (4), (5) is deep. In fact, $\tilde{e}$ is a modification of what is known as the Weil pairing in the theory of elliptic curves. The usual Weil pairing $e$ satisfies $e({P}_{0}\text{,}\text{}{P}_{0})=1\text{,}\text{}$ but the present version is modified using special properties of $E$ to obtain (5). It is generally assumed that (A) is true if the prime $p$ is large enough, but this is not known. See Exercise 10.

The fact that $\tilde{e}(P\text{,}\text{}Q)$ can be computed quickly needs some more explanation. The two points $P\text{,}\text{}Q$ satisfy $P=a{P}_{0}$ and $Q=b{P}_{0}$ for some $a\text{,}\text{}b$. However, to find $a$ and $b$ requires solving a discrete log problem, which could take a long time. Therefore, the obvious solution of choosing a random $q$th root of unity for $\tilde{e}({P}_{0}\text{,}\text{}{P}_{0})$ and then using the bilinearity property to define $\tilde{e}$ does not work, since it cannot be computed quickly. Instead, $\tilde{e}(P\text{,}\text{}Q)$ is computed directly in terms of the coordinates of the points $P\text{,}\text{}$ $Q$.

Although we will not need to know this, the $q$th roots of unity lie in the finite field with ${p}^{2}$ elements (see Section 3.11).

For more about the definition of $\tilde{e}\text{,}\text{}$ see [Boneh-Franklin] or [Washington].

The curve $E$ is an example of a **supersingular** elliptic curve, namely one where the number of points is congruent to 1 mod $p$. (See Exercise 4.) For a while, these curves were regarded as desirable for cryptographic purposes because computations can be done quickly on them. But then it was shown that the discrete logarithm problem for them is only slightly more difficult than the classical discrete logarithm mod $p$ (see Section 22.2), so they fell out of favor (after all, they are slower computationally than simple multiplication mod $p\text{,}\text{}$ and they provide no security advantage). Because of the existence of the pairing $\tilde{e}\text{,}\text{}$ they have become popular again.