A survey of elliptic curves for proof systems

Aranha, Diego F.; Housni, Youssef El; Guillevic, Aurore

doi:10.1007/s10623-022-01135-y

Cited by 17 publications

(3 citation statements)

References 56 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the sequel we will focus on the case of BLS12 inner curves that form a 2-chain but we stress that these results apply to 2-chain inner curves from other families (e.g. BLS24 and BN [AHG22]) and to 2-cycles as well.…”

Section: -Cyclesmentioning

confidence: 99%

Faster Montgomery multiplication and Multi-Scalar-Multiplication for SNARKs

Botrel¹,

Housni²

2023

TCHES

View full text Add to dashboard Cite

The bottleneck in the proving algorithm of most of elliptic-curve-based SNARK proof systems is the Multi-Scalar-Multiplication (MSM) algorithm. In this paper we give an overview of a variant of the Pippenger MSM algorithm together with a set of optimizations tailored for curves that admit a twisted Edwards form. We prove that this is the case for SNARK-friendly chains and cycles of elliptic curves, which are useful for recursive constructions. Our contribution is twofold: first, we optimize the arithmetic of finite fields by improving on the well-known Coarsely Integrated Operand Scanning (CIOS) modular multiplication. This is a contribution of independent interest that applies to many different contexts. Second, we propose a new coordinate system for twisted Edwards curves tailored for the Pippenger MSM algorithm.Accelerating the MSM over these curves is critical for deployment of recursive proof< systems applications such as proof-carrying-data, blockchain rollups and blockchain light clients. We implement our work in Go and benchmark it on two different CPU architectures (x86 and arm64). We show that our implementation achieves a 40-47% speedup over the state-of-the-art implementation (which was implemented in Rust). This MSM implementation won the first place in the ZPrize competition in the open division “Accelerating MSM on Mobile” and will be deployed in two real-world applications: Linea zkEVM by ConsenSys and probably Celo network.

show abstract

Section: -Cyclesmentioning

confidence: 99%

Faster Montgomery multiplication and Multi-Scalar-Multiplication for SNARKs

Botrel¹,

Housni²

2023

TCHES

View full text Add to dashboard Cite

show abstract

“…The first one was written in C++ and used previously in the Mina blockchain but is now obsolete as these MNT4/6 curves are quite inefficient at the 128-bit security level. More discussion on this can be found in this survey paper [3,Section 5]. The second implementation is in Rust and corresponds exactly to the problem we investigate in this paper.…”

Section: Implementation and Benchmarkmentioning

confidence: 99%

Pairings in Rank-1 Constraint Systems

Housni

2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Bilinear pairings have been used in different cryptographic applications and demonstrated to be a key building block for a plethora of constructions. In particular, some Succinct Non-interactive ARguments of Knowledge (SNARKs) have very short proofs and very fast verification thanks to a multi-pairing computation. This succinctness makes pairing-based SNARKs suitable for proof recursion, that is proofs verifying other proofs. In this scenario one requires to express efficiently a multi-pairing computation as a SNARK arithmetic circuit. Other compelling applications such as verifying Boneh-Lynn-Shacham (BLS) signatures or Kate-Zaverucha-Goldberg (KZG) polynomial commitment opening in a SNARK fall into the same requirement. The implementation of pairings is challenging but the literature has very detailed approaches on how to reach practical and optimized implementations in different contexts and for different target environments. However, to the best of our knowledge, no previous publication has addressed the question of efficiently implementing a pairing as a SNARK arithmetic circuit. In this work, we consider efficiently implementing pairings in Rank-1 Constraint Systems (R1CS), a widely used model to express SNARK statements. We implement our techniques in the gnark open-source ecosystem and show that the arithmetic circuit depth can be almost halved compared to the previously best known pairing implementation on a Barreto-Lynn-Scott (BLS) curve of embedding degree 12, resulting in a significantly faster proving time. We also investigate and implement the case of BLS curves of embedding degree 24.

show abstract

“…A pairing on an elliptic curve E defined over a prime field F p is a non-degenerate bilinear map of the form e : G 1 × G 2 → G T , where G 1 , G 2 and G T are three groups with the same order r. The two input groups G 1 and G 2 lie in E(F p k ) and the output group G T is a subgroup of F * p k , where k is the smallest positive integer such that r | p k − 1. Taking advantage of the powerful bilinearity property of pairings, a range of cryptographic protocols are designed, such as authenticated key agreements [CK03,Sco13], direct anonymous attestation (DAA) [BCC04, YCZ + 21] and Succinct Non-interactive ARguments of Knowledge (SNARKs) [EHG22,EHG20,AEHG22]. Very recently, pairings were also used to speed up group membership testing on several non-pairing-friendly curves [Kos22].…”

Section: Introductionmentioning

confidence: 99%

Don’t Forget Pairing-Friendly Curves with Odd Prime Embedding Degrees

Dai,

Zhang,

Zhao

2023

TCHES

View full text Add to dashboard Cite

Pairing-friendly curves with odd prime embedding degrees at the 128-bit security level, such as BW13-310 and BW19-286, sparked interest in the field of public-key cryptography as small sizes of the prime fields. However, compared to mainstream pairing-friendly curves at the same security level, i.e., BN446 and BLS12-446, the performance of pairing computations on BW13-310 and BW19-286 is usually considered inefficient. In this paper we investigate high performance software implementations of pairing computation on BW13-310 and corresponding building blocks used in pairing-based protocols, including hashing, group exponentiations and membership testings. Firstly, we propose efficient explicit formulas for pairing computation on this curve. Moreover, we also exploit the state-of-art techniques to implement hashing in G1 and G2, group exponentiations and membership testings. In particular, for exponentiations in G2 and GT , we present new optimizations to speed up computational efficiency. Our implementation results on a 64-bit processor show that the gap in the performance of pairing computation between BW13-310 and BN446 (resp. BLS12-446) is only up to 4.9% (resp. 26%). More importantly, compared to BN446 and BLS12-446, BW13-310 is about 109.1% − 227.3%, 100% − 192.6%, 24.5%−108.5% and 68.2%−145.5% faster in terms of hashing to G1, exponentiations in G1 and GT , and membership testing for GT , respectively. These results reveal that BW13-310 would be an interesting candidate in pairing-based cryptographic protocols.

show abstract

A survey of elliptic curves for proof systems

Cited by 17 publications

References 56 publications

Faster Montgomery multiplication and Multi-Scalar-Multiplication for SNARKs

Faster Montgomery multiplication and Multi-Scalar-Multiplication for SNARKs

Pairings in Rank-1 Constraint Systems

Don’t Forget Pairing-Friendly Curves with Odd Prime Embedding Degrees

Contact Info

Product

Resources

About