
A survey of elliptic curves for proof systems

Published: 21 December 2022

Abstract

Elliptic curves have become key ingredients for instantiating zero-knowledge proofs and, more generally, proof systems. Recently there have been many tailored constructions of such curves that aim at efficiently implementing different kinds of proof systems. In this survey we provide the reader with a comprehensive overview of existing work and revisit the contributions in terms of efficiency and security. We present an overview at three stages of the process: curves to instantiate a SNARK, curves to instantiate a recursive SNARK, and curves on which to express an elliptic-curve-related statement. We provide new constructions of curves for SNARKs and generalize the state-of-the-art constructions for recursive SNARKs. We also exhaustively document the existing work and open-source implementations.
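As an added example (not code from the survey, nor from any of the libraries it discusses), the following Python checks the property that recursive-SNARK curve constructions rely on: two curves E1/F_p and E2/F_q form a cycle when #E1(F_p) = q and #E2(F_q) = p, so the scalar field of each curve is the base field of the other. It uses the public Pasta parameters (Pallas and Vesta, both y^2 = x^3 + 5 with generator (-1, 2)); those values and the primality of p and q are taken as assumptions here. The Hasse bound turns a single scalar multiplication into a proof of the exact group order: if n is prime, [n]G = O for G != O forces n | #E, and any larger multiple of n falls outside the Hasse interval.

```python
"""Verify that two curves form a cycle: #E1(F_p) = q and #E2(F_q) = p.

Added example, not the survey's code. Parameters below are the published
Pasta cycle (Pallas / Vesta), assumed correct here; p and q are assumed prime.
"""
from math import isqrt

# Pallas: y^2 = x^3 + 5 over F_p, prime group order q (assumption).
# Vesta:  y^2 = x^3 + 5 over F_q, prime group order p (assumption).
PALLAS_P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
VESTA_Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
B = 5          # curve coefficient b; a = 0 for both curves
INF = None     # point at infinity


def is_on_curve(pt, field):
    """True if pt satisfies y^2 = x^3 + B over F_field (INF counts as on-curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + B)) % field == 0


def add(pt1, pt2, field):
    """Affine short-Weierstrass addition for a = 0, including doubling."""
    if pt1 is INF:
        return pt2
    if pt2 is INF:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2:
        if (y1 + y2) % field == 0:
            return INF                                   # P + (-P) = O
        lam = 3 * x1 * x1 * pow(2 * y1, -1, field)       # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, field)        # chord slope
    x3 = (lam * lam - x1 - x2) % field
    y3 = (lam * (x1 - x3) - y1) % field
    return (x3, y3)


def mul(k, pt, field):
    """Left-to-right double-and-add scalar multiplication [k]pt."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc, field)
        if bit == "1":
            acc = add(acc, pt, field)
    return acc


def hasse_upper(field):
    """Integer upper end of the Hasse interval, field + 1 + 2*sqrt(field), rounded up."""
    return field + 1 + 2 * isqrt(field) + 2


def has_exact_order(n, gen, field):
    """True iff the curve over F_field has exactly n points, for n prime and gen != O.

    [n]gen = O forces ord(gen) = n, hence n | #E.  Because 2n already exceeds the
    Hasse upper bound for n of the size of the field, #E = n exactly.
    """
    if gen is INF or not is_on_curve(gen, field):
        return False
    if abs(n - (field + 1)) > 2 * isqrt(field) + 2:
        return False                     # n is not even a possible group order
    if 2 * n <= hasse_upper(field):
        return False                     # 2n would also be admissible: inconclusive
    return mul(n, gen, field) is INF


def verify_cycle(p=PALLAS_P, q=VESTA_Q):
    """2-cycle check: E1/F_p has order q and E2/F_q has order p."""
    gen_pallas = (p - 1, 2)              # (-1, 2): (-1)^3 + 5 = 4 = 2^2
    gen_vesta = (q - 1, 2)
    return has_exact_order(q, gen_pallas, p) and has_exact_order(p, gen_vesta, q)


if __name__ == "__main__":
    print("Pallas/Vesta form a cycle:", verify_cycle())
```

The same `has_exact_order` check, applied in one direction only, verifies a 2-chain (the outer curve's scalar field equals the inner curve's base field) rather than a cycle; a wrong candidate order such as q + 2 fails because [q + 2]G = [2]G is a finite point.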


Published In

Designs, Codes and Cryptography, Volume 91, Issue 11
Nov 2023
486 pages

Publisher

Kluwer Academic Publishers

United States

Publication History

Published: 21 December 2022
Accepted: 09 September 2022
Revision received: 16 May 2022
Received: 16 May 2022

Author Tags

  1. Elliptic curves
  2. Pairings
  3. Proof systems
  4. SNARKs

Author Tags

  1. 11T71
  2. 11Y16
  3. 11-04
  4. 11Y40

Qualifiers

  • Research-article
