Re: bilinear pairing on curves where discrete log is easy

Zsuzsanna Doncho wrote:
> Hi,
>
> >
> > So now I have 2 values c_1 and c_2 in Z_n, calculated as above (in fact
> > c_1 and c_2 are only in the subgroup G_2 of Z_n).
> > Then in multiplying c_1 and c_2, I get:
> > g^{m_1 + m_2} mod n.
> > I can then easily calculate the discrete log and get m_1 + m_2 mod q
> > (cause g has order q).
> >
> > What do you think about this, or is it wrong? Or are there any problems,
> > I don't see?
> Probably what I wrote above was wrong.... but what do you think about,
> the following (it is in a way an adaption of the Paillier scheme):
> I choose n = p^2, where p is prime. I define the following function
> (where g has order n in (Z_n^2)^*):
> f: Z_p X Z_p x Z_p x Z_p -> (Z_n^2)^*
> f(u,v,w,x) = e(u,v)^w * g^x mod n^2.
>
> So now if I calculate:
> c_1 = f(u,v,w,m_1) = e(u,v)^w * g^{m_1} mod n^2
> c_1 = f(u,v,-w,m_2) = e(u,v)^{-w} * g^{m_2} mod n^2
> Now it is easy to calculate m_1+m_2 mod n (cause I can use the approach
> described in Pailliers paper). What do you think about this?

Is discrete log in (Z_n)^* easy just knowing the factors of n? In RSA
you also need to know the public exponent.

> In fact I think this way, it could work, but I am not sure if I can
> calculate the bilinear pairing efficiently in the groups I use.
>
>
> Thanks in advance,
> Zsuzsi

-- Matt Mahoney
Received on Thu Sep 29 21:44:49 2005