(4)param functions

The following content is taken from the English manual of the PBC Library (Chapter 5).

Summary of this article:

5. Param functions

  • 1.1. Param generation

1. Param functions

Pairings are initialized from pairing parameters, which are objects of type pbc_param_t. Some
applications can ignore this data type because pairing_init_set_str() handles it behind the scenes:
it reads a string as a pbc_param_t, then initializes a pairing with these parameters.

int pbc_param_init_set_str(pbc_param_t par, const char *s)

Initializes pairing parameters from the string s. Returns 0 if successful, 1 otherwise.

int pbc_param_init_set_buf(pbc_param_t par, const char *s, size_t len)

Same, but read at most len bytes. If len is 0, it behaves as the previous function. Returns 0 if successful, 1
otherwise.

void pbc_param_out_str(FILE *stream, pbc_param_t p)

Write pairing parameters to ’stream’ in a text format.

void pbc_param_clear(pbc_param_t p)

Clear p. Call after p is no longer needed.

[Translation]

Chapter 5, Param functions. Pairings are initialized from pairing parameters, which are objects of type pbc_param_t. Some applications can ignore this data type because pairing_init_set_str() handles it behind the scenes: it reads a string as a pbc_param_t, then initializes a pairing with these parameters.

int pbc_param_init_set_str(pbc_param_t par, const char *s)

Initializes pairing parameters from the string s. Returns 0 on success, 1 otherwise.

int pbc_param_init_set_buf(pbc_param_t par, const char *s, size_t len)

Same, but reads at most len bytes. If len is 0, it behaves like the previous function. Returns 0 on success, 1 otherwise.

void pbc_param_out_str(FILE *stream, pbc_param_t p)

Writes the pairing parameters to "stream" in text format.

void pbc_param_clear(pbc_param_t p)

Clears p. Call it once p is no longer needed.


1.1. Param generation

These were used to prepare the sample parameters in the param subdirectory.

We label the pairing families with capital letters roughly in the order of discovery, so we can refer to them easily. Type A is fastest. Type D is a good choice when elements should be short but is slower. Type F has even shorter elements but is slower still. The speed differences are hardware-dependent, and also change when preprocessing is used. Type B and C are unimplemented.

The pbc_cm_t data type holds CM parameters that are used to generate type D and G curves.

[Translation]

Param generation. These were used to prepare the sample parameters in the param subdirectory.

We label the pairing families with capital letters, roughly in order of discovery, so they can be referred to easily. Type A is the fastest. Type D is a good choice when elements should be short, but it is slower. Type F has even shorter elements but is slower still. The speed differences depend on the hardware and also change when preprocessing is used. Types B and C are not implemented.

The pbc_cm_t data type holds the CM parameters used to generate type D and type G curves.


void pbc_cm_init(pbc_cm_t cm)

Initializes cm.

Initializes cm.


void pbc_cm_clear(pbc_cm_t cm)

Clears cm.

Clears cm.


int pbc_cm_search_d(int (*callback)(pbc_cm_t, void *), void *data, unsigned int D, unsigned int bitlimit)

For a given discriminant D, searches for type D pairings suitable for cryptography (MNT curves of embedding degree 6). The group order is at most bitlimit bits. For each set of CM parameters found, call callback with
pbc_cm_t and given void*. If the callback returns nonzero, stops search and returns that value. Otherwise returns 0.

For a given discriminant D, searches for type D pairings suitable for cryptography (MNT curves with embedding degree 6). The group order is at most bitlimit bits. For each set of CM parameters found, the callback is called with the pbc_cm_t and the given void *. If the callback returns nonzero, the search stops and that value is returned. Otherwise 0 is returned.


int pbc_cm_search_g(int (*callback)(pbc_cm_t, void *), void *data, unsigned int D, unsigned int bitlimit)

For a given discriminant D, searches for type G pairings suitable for cryptography (Freeman curve). The group order is at most bitlimit bits. For each set of CM parameters found, call callback with pbc_cm_t and given
void*. If the callback returns nonzero, stops search and returns that value. Otherwise returns 0.

For a given discriminant D, searches for type G pairings suitable for cryptography (Freeman curves). The group order is at most bitlimit bits. For each set of CM parameters found, the callback is called with the pbc_cm_t and the given void *. If the callback returns nonzero, the search stops and that value is returned. Otherwise 0 is returned.


void pbc_param_init_a_gen(pbc_param_t par, int rbits, int qbits)

Generate type A pairing parameters and store them in p, where the group order r is rbits long, and the order of the base field q is qbits long. Elements take q bits to represent.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^2, e.g. rbits = 160, qbits = 512.

The file param/a.param contains parameters for a type A pairing suitable for cryptographic use.

Generates type A pairing parameters and stores them in p, where the group order r is rbits long and the order of the base field q is qbits long. Elements are represented with q bits.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^2, e.g. rbits = 160, qbits = 512.

The file param/a.param contains parameters for a type A pairing suitable for cryptographic use.


void pbc_param_init_i_gen(pbc_param_t par, int group_size)

Generate type I pairing parameters and store them in p, where the group order is at least 2^group_size.

To be as secure as 64 bit symmetric encryption, group_size may be 150. To get 128 bit symmetric secure level, group_size may be 696.

The file param/i.param contains parameters for a type I pairing suitable for cryptographic use.

Generates type I pairing parameters and stores them in p, where the group order is at least 2^group_size.

To be as secure as 64-bit symmetric encryption, group_size can be 150. For a 128-bit symmetric security level, group_size can be 696.

The file param/i.param contains parameters for a type I pairing suitable for cryptographic use.


void pbc_param_init_a1_gen(pbc_param_t param, mpz_t n)

Generate type A1 pairing parameters and store them in p. The group order will be n. The order of the base field is a few bits longer. To be secure, generic discrete log algorithms must be infeasible in groups of order n, and finite field discrete log algorithms must be infeasible in finite fields of order roughly n^2. Additionally, n should be hard to factorize.

For example: n a product of two primes, each at least 512 bits.

The file param/a1.param contains sample parameters for a type A1 pairing, but it is only for benchmarking: it is useless without the factorization of n, the order of the group.

Generates type A1 pairing parameters and stores them in p. The group order will be n. The order of the base field is a few bits longer. To be secure, generic discrete log algorithms must be infeasible in groups of order n, and finite field discrete log algorithms must be infeasible in finite fields of order roughly n^2. Additionally, n should be hard to factor.

For example: n is a product of two primes, each at least 512 bits.

The file param/a1.param contains sample parameters for a type A1 pairing, but only for benchmarking: without the factorization of n, the order of the group, it is useless.


void pbc_param_init_d_gen(pbc_param_t p, pbc_cm_t cm)

Type D curves are generated using the complex multiplication (CM) method. This function sets p to type D pairing parameters from the CM parameters cm. Other library calls search for appropriate CM parameters, and the results can be passed to this function.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^6. For usual CM parameters, r is a few bits smaller than q.

Using type D pairings allows elements of group G1 to be quite short, typically 170-bits. Because of a certain trick, elements of group G2 need only be 3 times longer, that is, about 510 bits rather than 6 times long. They
are not quite as short as type F pairings, but much faster.

I sometimes refer to a type D curve as a triplet of numbers: the discriminant, the number of bits in the prime q, and the number of bits in the prime r. The gen/listmnt program prints these numbers.

Among the bundled type D curve parameters are the curves 9563-201-181, 62003-159-158 and 496659-224-224 which have shortened names param/d201.param, param/d159.param and param/d225.param respectively.

See gen/listmnt.c and gen/gendparam.c for how to generate type D pairing parameters.

Type D curves are generated using the complex multiplication (CM) method. This function sets p to type D pairing parameters from the CM parameters cm. Other library calls search for appropriate CM parameters, and the results can be passed to this function.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^6. For usual CM parameters, r is a few bits smaller than q.

Using type D pairings lets elements of the group G1 be quite short, typically 170 bits. Because of a certain trick, elements of the group G2 only need to be 3 times longer, that is, about 510 bits, rather than 6 times longer. They are not as short as type F pairings, but they are much faster.

I sometimes refer to a type D curve as a triplet of numbers: the discriminant, the number of bits in the prime q, and the number of bits in the prime r. The gen/listmnt program prints these numbers.

Among the bundled type D curve parameters are the curves 9563-201-181, 62003-159-158 and 496659-224-224, which have the shortened names param/d201.param, param/d159.param and param/d225.param respectively. See gen/listmnt.c and gen/gendparam.c for how to generate type D pairing parameters.


void pbc_param_init_e_gen(pbc_param_t p, int rbits, int qbits)

Generate type E pairing parameters and store them in p, where the group order r is rbits long, and the order of the base field q is qbits long. To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q, e.g. rbits = 160, qbits =1024.

This pairing is just a curiosity: it can be implemented entirely in a field of prime order, that is, only arithmetic modulo a prime is needed and there is never a need to extend a field.

If discrete log in field extensions are found to be substantially easier to solve than previously thought, or discrete log can be solved in elliptic curves as easily as they can be in finite fields, this pairing type may
become useful.

Generates type E pairing parameters and stores them in p, where the group order r is rbits long and the order of the base field q is qbits long.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q, e.g. rbits = 160, qbits = 1024. This pairing is just a curiosity: it can be implemented entirely in a field of prime order, that is, only arithmetic modulo a prime is needed and there is never a need to extend the field.

If discrete log in field extensions turns out to be substantially easier to solve than previously thought, or discrete log on elliptic curves can be solved as easily as in finite fields, this pairing type may become useful.


void pbc_param_init_f_gen(pbc_param_t p, int bits)

Generate type F pairing parameters and store them in p. Both the group order r and the order of the base field q will be roughly bits-bit numbers.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^12, e.g. bits = 160.

Type F should be used when the top priority is to minimize bandwidth (e.g. short signatures). The current implementation makes them slow.

If finite field discrete log algorithms improve further, type D pairings will have to use larger fields, but type F can still remain short, up to a point.

Generates type F pairing parameters and stores them in p. Both the group order r and the order of the base field q will be roughly bits-bit numbers.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^12, e.g. bits = 160.

Type F should be used when the top priority is minimizing bandwidth (e.g. short signatures). The current implementation makes them slow. If finite field discrete log algorithms improve further, type D pairings will have to use larger fields, but type F can still stay short, up to a point.


void pbc_param_init_g_gen(pbc_param_t p, pbc_cm_t cm)

Type G curves are generated using the complex multiplication (CM) method. This function sets p to a type G pairing parameters from CM parameters cm. They have embedding degree 10.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^6. For usual CM parameters, r is a few bits smaller than q.

They are quite slow at the moment so for now type F is a better choice.
The file param/g149.param contains parameters for a type G pairing with 149-bit group and field sizes.

Type G curves are generated using the complex multiplication (CM) method. This function sets p to type G pairing parameters from the CM parameters cm. They have embedding degree 10.

To be secure, generic discrete log algorithms must be infeasible in groups of order r, and finite field discrete log algorithms must be infeasible in finite fields of order q^6. For usual CM parameters, r is a few bits smaller than q. They are quite slow at the moment, so for now type F is a better choice.

The file param/g149.param contains parameters for a type G pairing with 149-bit group and field sizes.
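As an added example (not code from the PBC manual or from the PBC library), the following C program pre-checks parameter text in the "key value" format that pbc_param_init_set_str() and pbc_param_init_set_buf() read, before that text is handed to the library. It accepts at most len bytes (len 0 meaning the whole string, like the buffer variant), requires the text to open with a "type" line, extracts q and r, and applies the security rule that this chapter repeats for every family: discrete log must be infeasible both in the group of order r and in the field of order q^k, with k = 2, 6, 1 and 12 for types A, D, E and F as the text above gives them. The function names, the struct and the threshold arguments are this example's own; the sample parameter text is constructed from powers of ten chosen only for their bit lengths and is not a real or secure parameter set; the bit length of q^k is approximated as k times the bit length of q.

```c
/* Added example, not from the PBC manual or library: a defensive pre-check
 * for the "key value" parameter text read by pbc_param_init_set_str() and
 * pbc_param_init_set_buf().  Names here are hypothetical; sample values are
 * constructed placeholders (powers of ten), not real parameters. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct param_info {
    char type;      /* pairing family letter from the "type" line */
    int qbits;      /* bit length of the base field order q */
    int rbits;      /* bit length of the group order r */
    int k;          /* embedding degree for this family */
    int field_bits; /* approx. bit length of q^k, where field DL must be hard */
};

/* Embedding degrees as the manual states them: A -> q^2, D -> q^6,
 * E -> q (prime field only), F -> q^12.  Other families are rejected. */
static int embedding_degree(char type) {
    switch (type) { case 'a': return 2; case 'd': return 6;
                    case 'e': return 1; case 'f': return 12; default: return 0; }
}

/* Exact bit length of a non-negative decimal integer string, without GMP:
 * halve the digit array repeatedly and count steps until it reaches zero.
 * Returns -1 for an empty, over-long or non-digit string. */
static int decimal_bits(const char *s) {
    unsigned char d[512];
    size_t n = strlen(s), i;
    if (n == 0 || n >= sizeof d) return -1;
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        d[i] = (unsigned char)(s[i] - '0');
    }
    int bits = 0;
    for (;;) {
        for (i = 0; i < n && d[i] == 0; i++) {}
        if (i == n) return bits;          /* every digit is zero: value is 0 */
        int carry = 0;
        for (i = 0; i < n; i++) {         /* long division by 2 */
            int cur = carry * 10 + d[i];
            d[i] = (unsigned char)(cur / 2);
            carry = cur % 2;
        }
        bits++;
    }
}

/* Parse at most len bytes (len == 0: whole string, as in the _buf variant),
 * extract q and r, and enforce minimum sizes.  Returns 0 if acceptable,
 * 1 otherwise, following the library's own return convention. */
int check_param_text(const char *text, size_t len, int min_group_bits,
                     int min_field_bits, struct param_info *out) {
    char buf[4096];
    const char *q = NULL, *r = NULL;
    int first = 1;
    memset(out, 0, sizeof *out);
    if (len == 0) len = strlen(text);
    if (len >= sizeof buf) return 1;
    memcpy(buf, text, len);               /* strtok needs a writable copy */
    buf[len] = '\0';
    for (char *key = strtok(buf, " \t\r\n"); key; key = strtok(NULL, " \t\r\n")) {
        char *val = strtok(NULL, " \t\r\n");
        if (!val) return 1;               /* key without a value */
        if (first) {                      /* text must begin with "type X" */
            if (strcmp(key, "type") != 0 || strlen(val) != 1) return 1;
            out->type = val[0];
            first = 0;
        } else if (strcmp(key, "q") == 0) {
            q = val;
        } else if (strcmp(key, "r") == 0) {
            r = val;
        }                                 /* other keys are left to the library */
    }
    if (first || !q || !r) return 1;
    out->k = embedding_degree(out->type);
    if (out->k == 0) return 1;
    out->qbits = decimal_bits(q);
    out->rbits = decimal_bits(r);
    if (out->qbits <= 0 || out->rbits <= 0) return 1;
    out->field_bits = out->qbits * out->k;  /* within k bits of the exact value */
    if (out->rbits < min_group_bits || out->field_bits < min_field_bits) return 1;
    return 0;
}

/* Constructed sample in the manual's type A example sizes (rbits = 160,
 * qbits = 512): 10^154 has 512 bits, 10^48 has 160 bits.  Placeholders for
 * size only; they are not primes and not a usable parameter set. */
const char *sample_type_a_text(void) {
    static char text[1024], q[160], r[64];
    memset(q, '0', 155); q[0] = '1'; q[155] = '\0';
    memset(r, '0', 49);  r[0] = '1'; r[49] = '\0';
    snprintf(text, sizeof text, "type a\nq %s\nh 1\nr %s\n", q, r);
    return text;
}
```

check_param_text(sample_type_a_text(), 0, 160, 1024, &info) returns 0 and reports a 512-bit q, a 160-bit r and a roughly 1024-bit target field, matching the manual's rbits = 160, qbits = 512 example for type A; cutting the text off before the r line, or raising min_field_bits to 2048, makes it return 1. Such a check guards only syntax and sizes: whether q and r are actually prime and the curve actually pairing-friendly remains the generator's and the library's business.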

— end —
