Cryptology ePrint Archive: Report 2021/1359

Families of SNARK-friendly 2-chains of elliptic curves

Youssef El Housni and Aurore Guillevic

Abstract: At CANS’20, El Housni and Guillevic introduced a new 2-chain of pairing-friendly elliptic curves for recursive zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) made of the former BLS12-377 curve (a Barreto–Lynn–Scott curve over a 377- bit prime field) and the new BW6-761 curve (a Brezing–Weng curve of embedding degree 6 over a 761-bit prime field). First we generalise the curve construction, the pairing formulas (e : G1 × G2 → GT ) and the group operations to any BW6 curve defined on top of any BLS12 curve, forming a family of 2-chain pairing-friendly curves. Second, we investigate other possible 2-chain families made on top of the BLS12 and BLS24 curves. We compare BW6 to Cocks–Pinch curves of higher embedding degrees 8 and 12 (CP8, CP12) at the 128-bit security level. We explicit an optimal ate and optimal Tate pairing on our new CP curves. We show that both for BLS12 and BLS24, the BW6 construction always gives the fastest pairing and curve arithmetic compared to Cocks-Pinch curves. Finally, we suggest a short list of curves suitable for Groth16 and KZG-based universal SNARKs and present an optimized implementation of these curves. Based on Groth16 and PlonK (a KZG- based SNARK) implementations, we obtain that the BLS12-377/BW6-761 pair is optimized for the former while the BLS24-315/BW6-672 pair is optimized for the latter.

Category / Keywords: public-key cryptography / pairing, elliptic curves, implementation, zero knowledge, snark, recursive snark

Date: received 8 Oct 2021, last revised 13 Oct 2021

Contact author: youssef elhousni at consensys net, aurore guillevic at inria fr

Available format(s): PDF | BibTeX Citation

Version: 20211013:114339 (All versions of this report)

Short URL: ia.cr/2021/1359


[ Cryptology ePrint archive ]