DOI: 10.1007/978-3-031-07085-3_13

Families of SNARK-Friendly 2-Chains of Elliptic Curves

Published: 30 May 2022

Abstract

At CANS’20, El Housni and Guillevic introduced a new 2-chain of pairing-friendly elliptic curves for recursive zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs), made of the former BLS12-377 curve (a Barreto–Lynn–Scott curve over a 377-bit prime field) and the new BW6-761 curve (a Brezing–Weng curve of embedding degree 6 over a 761-bit prime field). First, we generalise the curve construction, the pairing formulas (e : G1 × G2 → GT) and the group operations to any BW6 curve defined on top of any BLS12 curve, forming a family of 2-chain pairing-friendly curves.
Second, we investigate other possible 2-chain families made on top of the BLS12 and BLS24 curves. We compare BW6 to Cocks–Pinch curves of higher embedding degrees 8 and 12 (CP8, CP12) at the 128-bit security level. We derive formulas for efficient optimal ate and optimal Tate pairings on our new CP curves. We show that for both BLS12 and BLS24, the BW6 construction always gives the fastest pairing and curve arithmetic compared to Cocks–Pinch curves. Finally, we suggest a short list of curves suitable for Groth16 and KZG-based universal SNARKs and present an optimized implementation of these curves. Based on Groth16 and PlonK (a KZG-based SNARK) implementations in the gnark ecosystem, we obtain that the BLS12-377/BW6-761 pair is optimized for the former while the BLS24-315/BW6-672 pair is optimized for the latter.
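The defining property of the 2-chain in the abstract is that the prime-order subgroup of the outer curve (BW6-761) has exactly the size of the inner curve's base field (the 377-bit prime of BLS12-377), so the outer curve can verify statements about the inner curve's field arithmetic natively. The following is an added example, not code from the paper, from gnark or from the authors' snark-2-chains repository. It assumes the BLS12-377 seed 0x8508c00000000001 (a public curve parameter that this page does not state) and the textbook BLS12 polynomials, derives p, r and t of the inner curve, and then builds an outer curve of embedding degree 6 and CM discriminant 3 with the generic Cocks–Pinch method, which is the construction the abstract compares BW6 against. It does not reproduce the paper's BW6 polynomial family, and the 761-bit prime it finds is a search result, not BW6-761 itself; it only demonstrates that r_outer = p_inner, that r_outer divides the outer curve order, and that the embedding degrees are 12 and 6.

```python
# Added example: a BLS12-377 / Cocks-Pinch-6 2-chain check (not the paper's code).
import random

# Seed of BLS12-377 (the ZEXE/gnark curve). Known public parameter; assumed here,
# since the page itself gives only the field size (377 bits).
BLS12_377_SEED = 0x8508C00000000001


def bls12_params(x):
    """BLS12 family: r(x) = x^4 - x^2 + 1, t(x) = x + 1, p(x) = (x-1)^2 r(x)/3 + x."""
    assert x % 3 == 1, "BLS12 needs x = 1 (mod 3) so that p(x) is an integer"
    r = x**4 - x**2 + 1
    t = x + 1
    p = (x - 1) ** 2 * r // 3 + x
    return p, r, t


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with fixed witnesses."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)  # fixed seed keeps the search below reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = v * v % n
            if v == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(p, r, limit=64):
    """Smallest k with r | p^k - 1 (None if it exceeds limit)."""
    acc = 1
    for k in range(1, limit + 1):
        acc = acc * p % r
        if acc == 1:
            return k
    return None


def primitive_sixth_root(r):
    """A primitive 6th root of unity modulo the prime r (requires 6 | r - 1)."""
    assert (r - 1) % 6 == 0
    for g in range(2, 10_000):
        z = pow(g, (r - 1) // 6, r)
        if pow(z, 2, r) != 1 and pow(z, 3, r) != 1:
            return z
    raise ValueError("no primitive 6th root found")


def cocks_pinch_outer(r, target_bits=761, max_h=64):
    """Cocks-Pinch for embedding degree 6 and CM discriminant D = 3 (j = 0, as BW6).

    t = zeta6 + 1 and y = (t - 2)/sqrt(-3) mod r are lifted to T = t + ht*r,
    Y = y + hy*r; returns the first (p, T, Y, ht, hy) with p = (T^2 + 3Y^2)/4
    prime and target_bits <= bits(p) <= target_bits + 4. By construction
    r | p + 1 - T and p = zeta6 (mod r), i.e. embedding degree 6."""
    zeta = primitive_sixth_root(r)
    sqrt_m3 = (2 * zeta - 1) % r           # zeta^2 = zeta - 1  =>  (2 zeta - 1)^2 = -3
    assert sqrt_m3 * sqrt_m3 % r == r - 3
    lifts = []
    for z in (zeta, pow(zeta, -1, r)):     # both primitive 6th roots
        t = (z + 1) % r
        y = (t - 2) * pow(sqrt_m3, -1, r) % r
        lifts.append((t, y))
    # smallest lifts first, so the first hit is the smallest acceptable p
    pairs = sorted(((ht, hy) for ht in range(-max_h, max_h + 1)
                    for hy in range(-max_h, max_h + 1)),
                   key=lambda h: h[0] ** 2 + 3 * h[1] ** 2)
    for ht, hy in pairs:
        for t, y in lifts:
            T, Y = t + ht * r, y + hy * r
            n4 = T * T + 3 * Y * Y
            if n4 % 4:                     # need T = Y (mod 2) for p to be an integer
                continue
            p = n4 // 4
            if not target_bits <= p.bit_length() <= target_bits + 4:
                continue
            if is_probable_prime(p):
                return p, T, Y, ht, hy
    raise ValueError("no prime found; enlarge max_h")


def build_2chain(seed=BLS12_377_SEED, target_bits=761):
    """Inner BLS12 curve from the seed, outer curve with r_outer = p_inner."""
    p_in, r_in, t_in = bls12_params(seed)
    p_out, T, Y, ht, hy = cocks_pinch_outer(p_in, target_bits=target_bits)
    return {
        "inner": {"p": p_in, "r": r_in, "t": t_in, "k": embedding_degree(p_in, r_in)},
        "outer": {"p": p_out, "r": p_in, "t": T, "y": Y, "ht": ht, "hy": hy,
                  "k": embedding_degree(p_out, p_in)},
    }


if __name__ == "__main__":
    chain = build_2chain()
    for name, c in chain.items():
        print(f"{name}: p {c['p'].bit_length()} bits, r {c['r'].bit_length()} bits, k = {c['k']}")
    print("2-chain (r_outer == p_inner):", chain["outer"]["r"] == chain["inner"]["p"])
```

The search deliberately keeps the lifts ht and hy small: the outer prime is roughly (ht² + 3hy²)/4 times p_inner², so a 761-bit outer field over a 377-bit inner field leaves only a few bits of freedom, which is why the paper's polynomial BW6 family, rather than this generic search, is needed to pick curves with good twists, seeds and TNFS resistance.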


Published In

Advances in Cryptology – EUROCRYPT 2022: 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, May 30 – June 3, 2022, Proceedings, Part II
May 2022, 920 pages
ISBN: 978-3-031-07084-6
DOI: 10.1007/978-3-031-07085-3

Publisher

Springer-Verlag, Berlin, Heidelberg
