استفاده اشتباه از جفت سازی در رمزنگاری Still wrong use of pairings in cryptography

1. Introduction Pairing-based cryptography has received much attention because of wide variety of its immediately deployable applications. These applications include identity-based encryption, functional and attribute-based encryption, searchable encryption, short/group/ring signatures, signcryption, homomorphic linear authenticators for integrity checking, security, privacy and integrity solutions for cloud computing and Internet of Things (IoT), e-health systems, and wearable technologies. We refer to Appendix for a selected list of some novel applications using pairing-based cryptography. In practice, Voltage Security (now an HP company) and Trend Micro are the most well-known companies utilizing the pairing-based security solutions [66]. There have been unfortunately a collection of recent results using the pairings incorrectly due to not being aware of the recent advancements on solving the discrete logarithm problems in some groups. We observed that there are unfortunately plenty of very recently introduced papers (surprisingly) either having pairing related wrong security assumptions and/or efficiency issues. The security of pairing-based cryptosystems relies on the difficulty of various computationally hard problems related to the discrete logarithm problem (DLP). The new attacks on the DLP on some groups [3,9,37,39,69] have significant consequences on the security of some pairings primitives. Furthermore, very recent results on solving the DLP for finite fields of medium characteristics and composite degrees size have also consequences on the choice of key sizes for pairing based cryptography [8,45,48,72]. Hence, ignoring these recent technical advancements in solving the DLP make certain security assumptions incorrect. We note that although some basic problems related to using pairings as “black boxes” incorrectly was introduced by Galbraith et al. [35], not being aware of of these new issues is the primary reason of designing protocols which have considerably critical security vulnerabilities, realizability issues and/or efficiency problems. The complexity of these mathematical preliminaries is undoubtedly the reason of neglecting the realization concerns in the design of pairing-based protocols.