Re: bilinear pairing on curves where discrete log is easy

Hi,

>
> So now I have 2 values c_1 and c_2 in Z_n, calculated as above (in fact
> c_1 and c_2 are only in the subgroup G_2 of Z_n).
> Then in multiplying c_1 and c_2, I get:
> g^{m_1 + m_2} mod n.
> I can then easily calculate the discrete log and get m_1 + m_2 mod q
> (cause g has order q).
>
> What do you think about this, or is it wrong? Or are there any problems,
> I don't see?
Probably what I wrote above was wrong.... but what do you think about,
the following (it is in a way an adaption of the Paillier scheme):
I choose n = p^2, where p is prime. I define the following function
(where g has order n in (Z_n^2)^*):
f: Z_p X Z_p x Z_p x Z_p -> (Z_n^2)^*
f(u,v,w,x) = e(u,v)^w * g^x mod n^2.

So now if I calculate:
c_1 = f(u,v,w,m_1) = e(u,v)^w * g^{m_1} mod n^2
c_1 = f(u,v,-w,m_2) = e(u,v)^{-w} * g^{m_2} mod n^2
Now it is easy to calculate m_1+m_2 mod n (cause I can use the approach
described in Pailliers paper). What do you think about this?

In fact I think this way, it could work, but I am not sure if I can
calculate the bilinear pairing efficiently in the groups I use.

Thanks in advance,
Zsuzsi
Received on Thu Sep 29 21:44:44 2005