Cryptology ePrint Archive: Report 2020/351

Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition

Youssef El Housni and Aurore Guillevic

Abstract: A zero-knowledge proof is a method by which one can prove knowledge of general non-deterministic polynomial (NP) statements. SNARKs are in addition non-interactive, short and cheap to verify. This property makes them suitable for recursive proof composition, that is proofs attesting to the validity of other proofs. To achieve this, one moves the arithmetic operations to the exponents. Recursive proof composition has been empirically demonstrated for pairing-based SNARKs via tailored constructions of expensive pairing-friendly elliptic curves namely a pair of 753-bit MNT curves, so that one curve’s order is the other curve’s base field order and vice-versa. The ZEXE construction restricts to one layer proof composition and uses a pair of curves, BLS12-377 and CP6-782, which improve significantly the arithmetic on the first curve. In this work we construct a new pairing-friendly elliptic curve to be used with BLS12- 377, which is STNFS-secure and fully optimized for one layer composition. We propose to name the new curve BW6-761. This work shows that it is at least five times faster to verify a composed SNARK proof on this curve compared to the previous state-of-the-art, and proposes an optimized Rust implementation that is almost thirty times faster than the one available in ZEXE library.

Category / Keywords: implementation / elliptic curve, bilinear pairing, zkSNARK, proof composition

Original Publication (with minor differences): CANS 2020

Date: received 24 Mar 2020, last revised 9 Oct 2020

Contact author: youssef el housni at fr ey com, aurore guillevic at inria fr

Available format(s): PDF | BibTeX Citation

Note: This is the extended version of the paper submitted to CANS 2020 ( It includes appendices related to pairing computation and security analysis.

Rust implementation can is available at ( and SageMath/Magma scripts at (

Version: 20201009:153507 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]