International Association
for Cryptologic Research

Pairing-based cryptography (PBC) has many elegant properties. It is claimed that PBC can offer a desired security level with smaller parameters as the general elliptic curve cryptography (ECC). In the note, we remark that this view is misleading. Suppose that an elliptic curve $E$ is defined over the field $\\mathbb{F}_q$. Then ECC is working with elements which are defined over $\\mathbb{F}_q$. But PBC is working with the functions and elements defined over $\\mathbb{F}_{q^k}$, where $k$ is the \\emph{embedding degree}.

The security of PBC depends directly on the intractable level of either elliptic curve discrete log problem (ECDLP) in the group $E(\\mathbb{F}_q)$ or discrete log problem (DLP) in the group $\\mathbb{F}_{q^k}^*$. That means PBC protocols have to work in a running environment with parameters of 1024 bits so as to offer 80 bits security level. The shortcoming makes PBC lose its competitive advantages significantly.