Paper 2022/1145

Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs

Rami Akeela, DZK Labs
Weikeng Chen, DZK Labs
Abstract

This note describes two pairing-friendly curves that embed ed25519, of different bit security levels. Our search is not novel; it follows the standard recipe of the Cocks-Pinch method. We implemented these two curves on arkworks-rs. This note is intended to document how the parameters are generated and how to implement these curves in arkworks-rs 0.4.0, for further reference.

We name the two curves Yafa-108 and Yafa-146:

- Yafa-108 is estimated to offer 108-bit security, which we parameterized to match the 103-bit security of BN254
- Yafa-146 is estimated to offer 146-bit security, which we parameterized to match the 132-bit security of BLS12-446 or 123-bit security of BLS12-381

We use these curves as an example to demonstrate two things:

- The "elastic" zero-knowledge proof, Gemini (EUROCRYPT '22), is more than elastic: it is also more curve-agnostic and hardware-friendly.
- The cost of nonnative field arithmetic can be drastic, and the need for application-specific curves may be inherent.

This result serves as evidence of the necessity of EIP-1962, and the insufficiency of EIP-2537.

Note: Fixed a typo on two-arity for Yafa-108.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
EIP, EVM, Cocks-Pinch, ed25519, recursion, nonnative, SNARK
Contact author(s)
rami @ dzk org
weikeng @ dzk org
History
2023-05-03: last of 7 revisions
2022-09-03: received
Short URL
https://ia.cr/2022/1145
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1145,
      author = {Rami Akeela and Weikeng Chen},
      title = {Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1145},
      year = {2022},
      url = {https://eprint.iacr.org/2022/1145}
}