in Bilinear pairings, what is the difference between Type 2 and Type 3?

Question

in Bilinear pairings, what is the difference between Type 2 and Type 3?

I understand in Type 2, there exists an efficiently computable homomorphic function $\phi : G_2 \rightarrow G_1$ , which is not present in Type 3 pairings.

But what I don't understand is what is the use of the homomorphism in cryptography?

---

For those who might need a refresher, for a bilinear pairing $e : G_1 \times G_2 \rightarrow G_T$ , we define

• Type 2: $G_1 \neq G_2$ and there is an efficiently computable homomorphic function $\phi : G_2 \rightarrow G_1$

• Type 3: $G_1 \neq G_2$ and there is NO efficiently computable homomorphic function

Answer 1

Note that you do not have an efficiently computable homomorphism from $G_1$ to $G_2$, but in Type-2 you have an efficiently computable homomorphism $\psi: G_2 \rightarrow G_1$ and in Type-3 you do not have one.

But what I don't understand is what is the use of the homomorphism in cryptography?

Well, if you have a tuple $(aP',bP',cP')\in G_2^3$ with $P'$ being a generator of $G_2$, you can check if $e(\psi(aP'),bP')=e(\psi(P'),cP')$ holds. Consequently, the decisional Diffie Hellman (DDH) problem is easy in $G_2$, but remains hard in $G_1$. In cryptography, this is typically formalized as the so called external Diffie Hellman (XDH) assumption.

In a Type-3 setting, as you can not map between $G_2$ and $G_1$, the DDH seems to be hard in $G_1$ and in $G_2$. In cryptography, this is typically formalized as the so called symmetric XDH (SXDH) assumption.

So if you have a Type-2 pairing, then you have the XDH setting and if you have a Type-3 pairing, you have the SXDH setting.

Answer 2

The paper Pairings for Cryptographers talks about the use of the homomorphisms.

Specifically:

This distinction into types is relevant for the design of cryptographic schemes. In particular, the existence of maps between $G_2$ and $G_1$ is sometimes required to get a security proof to work (see for example [6] and [17] for a general discussion on this point). There exist many primitives in pairing-based cryptography whose security proof does not apply if the cryptosystem is implemented using pairings of the third type.

I haven't followed the PBC literature close enough to give concrete examples of primitives whose security proof does not apply when using the third type. Hopefully someone else can chime in there.