Study of Pairing based cryptography BLS signatures, ID based encryption
Chapter 1: Using Bitcoin-compatible BLS signatures for DLCs
Chapter 2: Study of Pairing based cryptography BLS signatures, ID based encryption (this post)
Chapter 3: Deep dive into Cryptographic Oracle-Based Conditional Payments
This chapter is the preliminary technical description of “Cryptographic Oracle-Based Conditional Payments”. The abstract of this proposal is described in “Using Bitcoin-compatible BLS signatures for DLCs”.
This chapter introduces pairing based cryptography. Pairing based cryptography enables a number of use-cases such as ZK rollup projects on Ethereum.
To understand the concept of pairing, we need to understand the notion of “group” in mathematics.
Group
A set G that satisfies the following conditions is called a “group”.
For all x, y, z in G (x, y, z ∈ G):
(x・y)・z = x・(y・z) (associativity)
There exists an element e in G such that x・e = x (e is called the identity element)
There exists an element x^-1 (the inverse of x) in G such that x・(x^-1) = e (x^-1 is called the inverse element)
Note that ・ is a notation that stands for a binary operation.
When using the + notation, G is called an additive group.
This notation is most often used for groups whose operation is also commutative (where a・b = b・a).
When using the × notation, G is called a multiplicative group.
If a group has a finite number of elements (this number is called its “order”) and all of these elements can be generated from a single element X (the group generator), it is called a finite cyclic group.
Pairing
Pairing is a one-way function that takes two elements of cyclic groups G1 and G2 as inputs and outputs an element of a cyclic group GT (this function is called a “mapping”). G1 and G2 are additive groups while GT is a multiplicative group, all of order q.
A common way of representing it is
e: G1×G2→GT
When used with elliptic curves (EC), pairing is a function that takes two points P and Q on one or two EC as inputs and outputs a rational number n:
e(P,Q)→n
An EC pairing has the following characteristics.
P, Q: Base points of each elliptic curve
a, b: Integers
e(a×P, b×Q) = e(ab×P, Q) = e(P, ab×Q) = e(P, Q)^(ab)
Properties of an additive group: aP + bP = (a+b)P
Properties of a multiplicative group: e(a×P, b×Q) = e(P, Q)^(ab)
BLS signatures
BLS signature verification is based on pairing, and the distinguishing feature compared to ECDSA/Schnorr signatures is that BLS signatures do not use a nonce.
The signature scheme is as follows:
m: message
H: hash function
σ: signature
Q: base point of EC2
s: secret key
S: public key
G1: cyclic group formed by points of EC1
G2: cyclic group formed by points of EC2
q: order of G1 and G2
Key generation
s: select a random integer s (0 < s < q)
S = s×Q ∈ G2
Signing
σ = s×H(m) ∈ G1
Verification
e(σ, Q) =? e(H(m), S)
Correctness
e(σ, Q) = e(s×H(m), Q) = e(H(m), s×Q) = e(H(m), S)
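The scheme above carried through in code, as an added example that is not from the original post. To keep the pairing to a few lines it replaces the elliptic-curve groups with an insecure toy model: G1 and G2 elements are stored as their scalar multiples mod q, and GT is the order-q subgroup of Z_p*. The parameters q, p, g and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Constructed toy parameters (insecure): q and p = 2q + 1 are prime,
# and g = 4 generates the order-q subgroup of Z_p*, which plays GT.
q, p, g = 1019, 2039, 4

# A G1 or G2 element is stored as the integer a meaning a×P (or a×Q).
# This exposes every discrete log, so it models the algebra only.
Q = 1  # base point of G2, i.e. 1×Q


def pairing(x: int, y: int) -> int:
    """e(a×P, b×Q) = g^(ab) in GT: bilinear and non-degenerate."""
    return pow(g, (x * y) % q, p)


def hash_to_g1(m: bytes) -> int:
    """H(m): map a message to a non-identity element of G1."""
    return 1 + int.from_bytes(hashlib.sha256(m).digest(), "big") % (q - 1)


def keygen() -> tuple[int, int]:
    s = 1 + secrets.randbelow(q - 1)   # secret key, 0 < s < q
    return s, (s * Q) % q              # public key S = s×Q in G2


def sign(s: int, m: bytes) -> int:
    return (s * hash_to_g1(m)) % q     # σ = s×H(m) in G1, no nonce


def verify(S: int, m: bytes, sigma: int) -> bool:
    # e(σ, Q) =? e(H(m), S)
    return pairing(sigma, Q) == pairing(hash_to_g1(m), S)


if __name__ == "__main__":
    s, S = keygen()
    msg = b"oracle outcome: 42"  # constructed sample message
    sigma = sign(s, msg)
    print("valid signature:", verify(S, msg, sigma))
    print("deterministic:", sigma == sign(s, msg))
    print("wrong public key:", verify((S + 1) % q, msg, sigma))
    print("altered signature:", verify(S, msg, (sigma + 1) % q))
```

In this model anyone can recover s from S by division mod q, which is exactly what a real pairing-friendly curve prevents; only the sign/verify algebra carries over.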
ID-based encryption
ID-based encryption also uses pairing based cryptography. As with traditional asymmetric encryption, a public key is used to encrypt a message m, and the associated private key can be used to extract the message from the ciphertext.
But while conventional public key cryptography generates a public key from a randomly selected private key, ID-based cryptography generates a private key from an arbitrary public key.
So a ciphertext can be created knowing only something like a mail address. Note that a private key generator is required, which is a trust point.
The encryption/decryption scheme is as follows;
Drawbacks
Pairing is great but also has drawbacks, among them high computational complexity. BLS signature verification is also several orders of magnitude harder than ECDSA/Schnorr.
Multiple proposals exist for pairing schemes and elliptic curves (there is no de facto standard), and this is an area that is likely to continue to develop and mature in the future.
We have now covered the preliminaries needed to understand “Cryptographic Oracle-Based Conditional Payments”. In the next chapter we will dive into it!!