Pairing-based cryptography was introduced by Sakai, Ohgishi and Kasahara~\cite{SOK00} to generalize Diffie-Hellman key exchange to three users in one round.
Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signatures~\cite{BBS04}.
Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis requires to reassess the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
In the following, we adopt black-box definitions of cryptographic pairings as bilinear maps, and on the assumed hardness of classical constant-size assumptions over pairing-friendly groups, namely $\SXDH$ and $\SDL$.
The notations $1_{\GG}^{}$, $1_{\Gh}^{}$ and $1_{\GT}^{}$ denote the identity elements in $\GG$, $\Gh$ and $\GT$ respectively.
For cryptographic purposes, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
The advantages of the best $\ppt$ adversary against $\DDH$ in group $\GG$ and $\Gh$ are written $\advantage{\DDH}{\GG}$ and $\advantage{\DDH}{\Gh}$ respectively. Both of those quantities are assumed negligible under the $\SXDH$ assumption.
In \cref{ch:sigmasig}, the security of our group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of the number of queries made py the adversary or any feature (e.g., the maximal number of users) of the system, and is non-interactive, in the sense that it does not involve any oracle.
For instance, Cheon gave an attack against the $q$-Strong Diffie-Hellmann problem for large values of $q$~\cite{Che06} (which usually represents the number of adversarial queries).