DOI: 10.1007/978-3-030-65411-5_13

Optimized and Secure Pairing-Friendly Elliptic Curves Suitable for One Layer Proof Composition

Published: 14 December 2020

Abstract

A zero-knowledge proof is a method by which one can prove knowledge of general non-deterministic polynomial (NP) statements. SNARKs are in addition non-interactive, short and cheap to verify. This property makes them suitable for recursive proof composition, that is, proofs attesting to the validity of other proofs. To achieve this, one moves the arithmetic operations to the exponents. Recursive proof composition has been empirically demonstrated for pairing-based SNARKs via tailored constructions of expensive pairing-friendly elliptic curves, namely a pair of 753-bit MNT curves, so that one curve's order is the other curve's base field order and vice versa. The ZEXE construction restricts to one layer proof composition and uses a pair of curves, BLS12-377 and CP6-782, which significantly improve the arithmetic on the first curve. In this work we construct a new pairing-friendly elliptic curve to be used with BLS12-377, which is STNFS-secure and fully optimized for one layer composition. We propose to name the new curve BW6-761. This work shows that it is at least five times faster to verify a composed SNARK proof on this curve compared to the previous state of the art, and proposes an optimized Rust implementation that is almost thirty times faster than the one available in the ZEXE library.


Published In

Cryptology and Network Security: 19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings
Dec 2020, 633 pages
ISBN: 978-3-030-65410-8
DOI: 10.1007/978-3-030-65411-5
Publisher: Springer-Verlag, Berlin, Heidelberg