paramfns.xml

这是一个C的源代码

<chapter id="chapter.param">
<title>Param Functions</title>
<para>
These functions are mainly used to generate pairing parameters.
There are several types of pairings, which, like vitamins, are
labelled with capital letters roughly in the order of discovery.
</para>
<para>
Not all known pairing types are implemented in PBC. We only consider
pairings whose group order is close to the field size.
Type C takes place in a field of low
characteristic, which makes it susceptible to the Coppersmith attack,
reducing its utility.
I hope to implement Type B soon.
</para>
<para>
Type A is best when speed is the main concern.
Type D is a good choice when elements should be short but is slower
(can be roughly two to five times slower).
Type F has even shorter elements but is slower still (can be at least
ten times slower than type A).
The speed differences are hardware-dependent,
and also change when preprocessing is used.
</para>
<para>
PBC uses G1 to denote the group with the shorter representation (G1 is
the group of points over the ground field) when G1 and G2 differ.
</para>
<section><title>Type A</title>
<para>
Pairings on type A curves are the fast and ought to be used where the
main concern is efficiency. Typically, r should be about 160 bits long
and q about 512 bits. In this case, elements of groups G1 and G2 take
512 bits to represent.
</para>
<para>
The file <filename>param/a.param</filename> contains parameters for a
type A pairing suitable for cryptographic use.
</para>
<para>
The <type>a_param_t</type> data type holds parameters for a type A pairing.
</para>
<variablelist>
&aparam;
</variablelist>
</section>
<section><title>Type A1</title>
<para>
Some pairing-based cryptosystems require the group order to be a particular
composite number. Fortunately, it is easy to find type A pairings with
any given order. Such pairings are designated type A1 in the library.
</para>
<para>
The file <filename>param/a1.param</filename> contains sample parameters for a
type A1 pairing, but it is most likely not useful as it does not provide
the factorization of <parameter>n</parameter>, the order of the group.
</para>
<para>
The <type>a1_param_t</type> data type holds parameters for a type A1 pairing.
</para>
<variablelist>
&a1param;
</variablelist>
</section>
<section><title>Type D</title>
<para>
Using type D pairings allows elements of group G1 to be quite short, typically
170-bits. Because of a certain trick, elements of group G2 need only be 3 times
longer, that is, about 510 bits rather than 6 times long. They are not quite
as short as type F pairings, but much faster.
</para>
<para>
I sometimes refer to a type D curve as a triplet of numbers:
the discriminant, the number of bits in the prime q, and the number of
bits in the prime r. The <command>gen/listmnt</command> program prints
these numbers.
</para>
<para>
Among the bundled type D curve parameters are the curves
9563-201-181, 62003-159-158 and 496659-224-224 which have shortened names
<filename>param/d201.param</filename>,
<filename>param/d159.param</filename> and
<filename>param/d225.param</filename> respectively.
</para>
<para>
The <type>d_param_t</type> data type holds parameters for a type D pairing.
</para>
<para>
See <filename>gen/listmnt.c</filename> and
<filename>gen/gendparam.c</filename> for how to generate type
D pairing parameters.
</para>
<para>
Unfortunately currently the only way to determine the order of
the curve group and the order of the base field is to access
internal fields of struct cm_info_s. I hope to change this soon.
</para>
<variablelist>
&dparam;
</variablelist>
<para>
The <type>cm_info_t</type> data type holds CM parameters that are used
to generate curves.
</para>
<variablelist>
&cminfo;
</variablelist>
</section>
<section><title>Type E</title>
<para>
This pairing is not very useful at present. It can be implemented entirely
in a field of prime order, that is, only arithmetic modulo a prime is needed
and there is never a need to extend a field.
</para>
<para>
If some day a mathematician discovers
that discrete log in field extensions is substantially
easier to solve than previously
thought, or finds that discrete log can be solved in elliptic curves
as easily as they can be in finite fields, this pairing type may become useful.
</para>
<variablelist>
&eparam;
</variablelist>
</section>
<section><title>Type F</title>
<para>
Type F should be used when the top priority is to minimize bandwidth (e.g.
short signatures). The pairing is slower than the other types.
</para>
<para>
If finite field discrete log algorithms improve further,
type D pairings will have to use larger fields, but type F can still remain
short, up to a point.
</para>
<variablelist>
&fparam;
</variablelist>
</section>
<section><title>Type G</title>
<para>
Type G curves have embedding degree 10. They are quite slow at the moment
so for now type F is a better choice.
</para>
<para>
The file <filename>param/g149.param</filename> contains parameters for a
type G pairing with 149-bit group and field sizes.
</para>
<para>
The <type>g_param_t</type> data type holds parameters for a type G pairing.
</para>
<variablelist>
&gparam;
</variablelist>
</section>
</chapter>