### Families of SNARK-friendly 2-chains of elliptic curves

Youssef El Housni and Aurore Guillevic

##### Abstract

At CANS’20, El Housni and Guillevic introduced a new 2-chain of pairing-friendly elliptic curves for recursive zero-knowledge Succinct Non-interactive ARguments of Knowledge (zk-SNARKs) made of the former BLS12-377 curve (a Barreto–Lynn–Scott curve over a 377- bit prime field) and the new BW6-761 curve (a Brezing–Weng curve of embedding degree 6 over a 761-bit prime field). First we generalise the curve construction, the pairing formulas (e : G1 × G2 → GT ) and the group operations to any BW6 curve defined on top of any BLS12 curve, forming a family of 2-chain pairing-friendly curves. Second, we investigate other possible 2-chain families made on top of the BLS12 and BLS24 curves. We compare BW6 to Cocks–Pinch curves of higher embedding degrees 8 and 12 (CP8, CP12) at the 128-bit security level. We explicit an optimal ate and optimal Tate pairing on our new CP curves. We show that both for BLS12 and BLS24, the BW6 construction always gives the fastest pairing and curve arithmetic compared to Cocks-Pinch curves. Finally, we suggest a short list of curves suitable for Groth16 and KZG-based universal SNARKs and present an optimized implementation of these curves. Based on Groth16 and PlonK (a KZG- based SNARK) implementations, we obtain that the BLS12-377/BW6-761 pair is optimized for the former while the BLS24-315/BW6-672 pair is optimized for the latter.

Available format(s)
Category
Public-key cryptography
Publication info
A minor revision of an IACR publication in Eurocrypt 2022
DOI
10.1007/978-3-031-07085-3_13
Keywords
pairingelliptic curvesimplementationzero knowledgesnarkrecursive snark
Contact author(s)
youssef elhousni @ consensys net
aurore guillevic @ inria fr
History
2022-05-13: last of 3 revisions
See all versions
Short URL
https://ia.cr/2021/1359

CC BY

BibTeX

@misc{cryptoeprint:2021/1359,
author = {Youssef El Housni and Aurore Guillevic},
title = {Families of SNARK-friendly 2-chains of elliptic curves},
howpublished = {Cryptology ePrint Archive, Paper 2021/1359},
year = {2021},
doi = {10.1007/978-3-031-07085-3_13},
note = {\url{https://eprint.iacr.org/2021/1359}},
url = {https://eprint.iacr.org/2021/1359}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.