Paper 2022/1145

Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs

Rami Akeela, DZK Labs
Weikeng Chen, DZK Labs

This note describes two pairing-friendly curves that embed ed25519, of different bit security levels. Our search is not novel; it follows the standard recipe of the Cocks-Pinch method. We implemented these two curves on arkworks-rs. This note is intended to document how the parameters are being generated and how to implement these curves in arkworks-rs 0.4.0, for further reference. We name the two curves as Yafa-108 and Yafa-146: - Yafa-108 is estimated to offer 108-bit security, which we parameterized to match the 103-bit security of BN254 - Yafa-146 is estimated to offer 146-bit security, which we parameterized to match the 132-bit security of BLS12-446 or 123-bit security of BLS12-381 We use these curves as an example to demonstrate two things: - The "elastic" zero-knowledge proof, Gemini (EUROCRYPT '22), is more than being elastic, but it is more curve-agnostic and hardware-friendly. - The cost of nonnative field arithmetics can be drastic, and the needs of application-specific curves may be inherent. This result serves as evidence of the necessity of EIP-1962, and the insufficiency of EIP-2537.

Note: Revealed the tricks.

Available format(s)
Publication info
Contact author(s)
rami @ dzk org
weikeng @ dzk org
2023-01-30: last of 5 revisions
2022-09-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Rami Akeela and Weikeng Chen},
      title = {Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1145},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.