This post was first published on Medium.
Pairing-based cryptography is a variant of elliptic curve cryptography, which Bitcoin ECDSA signatures are based on. Thanks to the characteristics of pairing, new cryptographic algorithms and protocols can achieve functions or efficiency which cannot be realized otherwise, such as identity-based encryption (IBE), attribute-based encryption (ABE), authenticated key exchange (AKE), and short signatures.
Several applications of Pairing-based cryptography have been in practical use in many blockchains.
- Zcash implements a zero-knowledge proof algorithm named zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge)
- Ethereum supports pairing check to perform zkSNARK verification
- DFINITY (now called The Internet Computer) constructed a BLS signature-based scheme, shorter than ECDSA signatures.
We demonstrate pairings can be implemented directly on Bitcoin and thus enable all kinds of pairing-based cryptography applications previously thought impossible on Bitcoin.
A pairing e is simply a function that takes two inputs¹ and returns one output as below.
A bilinear pairing has the following property:
That is, it is linear in each of its inputs separately. It is easy to see the following holds.
Intuitively, one can swap the scalar n between its inputs and take it out as an exponent.
A Toy Example
Let us look at the following pairing function.
It is bilinear because it satisfies the two equations above. For instance,
Bilinear pairings on elliptic curves
In practice, the pairing above is not secure for cryptographic use. Instead, we use pairings over elliptic curves. The inputs are points on an elliptic curve and the output is a number². There are multiple ways to construct pairings over elliptic curves, such as Weil, Tate, and Ate pairings.
Miller’s algorithm is used to efficiently compute pairings. It consists of two parts:
- main loop: Line 3 to 10. It is structurally akin to the double-and-add algorithm when calculating scalar point multiplication.
- final exponentiation at Line 11.
p, k, and r are parameters of the elliptic curve used³.
We have implemented the Miller’s algorithm to compute Tate pairings below, based on our elliptic curve arithmetic library.
Implementing Tate pairing e(P, Q)
linefunc(P, Q, R) is a line function that passes through P and Q and is evaluated at R.
 Thus the name pairing.
 Strictly speaking, it is an element in a multiplicative group. Since this serves as an introduction on pairings, we choose readability over mathematical rigor throughout the article.
 Not all elliptic curves can be used for pairings. Only ones where pairings are efficiently computable are used in practice. They are called pairing-friendly curves, of which Barreto-Naehrig (BN) or Boneh–Lynn–Shacham (BLS) curves are notable examples.
Watch: Dr. Craig Wright’s Keynote speech: Cloud Security, Overlays & Blockchain at the BSV Global Blockchain Convention
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.