International Association for Cryptologic Research
Pairings are typically implemented using ordinary pairing-friendly elliptic curves. The two input groups of the pairing function are groups of elliptic curve points, while the target group lies in the multiplicative group of a large finite field. At moderate levels of security, at least two of the three pairing groups are necessarily proper subgroups of a much larger composite-order group, which makes pairing implementations potentially susceptible to small-subgroup attacks. To minimize the chances of such attacks, or the effort required to thwart them, the authors put forward a property for ordinary pairing-friendly curves called subgroup security.
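The situation described above, as an added example that is not taken from the paper: a prime-order group sitting inside a larger composite-order multiplicative group, and the membership check a receiver applies before using an incoming element. The toy field F_607, the subgroup order 101 and all function names are constructed for illustration; a real target group lives in an extension field with far larger parameters.

```python
# Toy stand-in (constructed): F_P^* has order P - 1 = R * H, with R prime.
P = 607          # field prime
R = 101          # prime order of the subgroup the protocol works in
H = (P - 1) // R # cofactor of that subgroup in F_P^*, here 6

def small_prime_factors(n, bound):
    """Prime factors of n that are <= bound, by trial division."""
    found, d = [], 2
    while d <= bound and d * d <= n:
        if n % d == 0:
            found.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if 1 < n <= bound:
        found.append(n)
    return found

def in_order_r_subgroup(x):
    """True iff x is a nonzero field element whose order divides R."""
    return 0 < x < P and pow(x, R, P) == 1

def clear_cofactor(x):
    """Map any nonzero x into the order-R subgroup by raising to H."""
    return pow(x, H, P)

# A generator of the order-R subgroup: 2^H is not 1, so it has order R.
G = clear_cofactor(2)

# A well-formed field element carrying an extra order-2 component (P - 1).
# It is a valid element of F_P^*, but not of the order-R subgroup.
TAINTED = (G * (P - 1)) % P

if __name__ == "__main__":
    print("cofactor:", H, "small factors:", small_prime_factors(H, 100))
    print("G in subgroup:", in_order_r_subgroup(G))
    print("TAINTED in subgroup:", in_order_r_subgroup(TAINTED))
    print("after cofactor clearing:", in_order_r_subgroup(clear_cofactor(TAINTED)))
```

The cofactor's small prime factors are the orders of the subgroups an unchecked element can fall into, and each element that needs validating costs one exponentiation by R.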