Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition

A zero-knowledge proof is a method by which one party can prove knowledge of a witness for general non-deterministic polynomial (NP) statements. SNARKs are, in addition, non-interactive, short, and cheap to verify. This property makes them suitable for recursive proof composition, that is, proofs attesting to the validity of other proofs. To achieve this, one moves the arithmetic operations to the exponents. Recursive proof composition has been empirically demonstrated for pairing-based SNARKs via tailored constructions of expensive pairing-friendly elliptic curves, namely a pair of 753-bit MNT curves chosen so that one curve's order is the other curve's base field order and vice versa. The ZEXE construction restricts itself to one-layer proof composition and uses a pair of curves, BLS12-377 and CP6-782, which significantly improves the arithmetic on the first curve. In this work we construct a new pairing-friendly elliptic curve to be used with BLS12-377 that is STNFS-secure and fully optimized for one-layer composition. We propose to name the new curve BW6-761. We show that verifying a composed SNARK proof on this curve is at least five times faster than with the previous state of the art, and we provide an optimized Rust implementation that is almost thirty times faster than the one available in the ZEXE library.
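Both curve-matching conditions in the abstract, the two-cycle used by the MNT pair and the one-layer condition used by ZEXE and by BW6-761 with BLS12-377, are statements about two primes per curve: the base field characteristic p and the order r of the pairing-friendly subgroup. The Python below is an added example written for this page, not code from the paper or from the ZEXE library. It derives the BLS12-377 primes from the curve's public seed x = 0x8508C00000000001 and the BLS12 family polynomials (known parameters that the page itself does not state), sanity-checks them (bit lengths, probable primality, embedding degree 12, 2-adicity), and encodes the one-layer and cycle conditions as functions. The outer curve used to exercise those functions is a constructed placeholder, not BW6-761, whose parameters are not given on this page.

```python
"""Added example: BLS12-377 parameter checks and the field/order matching
conditions behind proof composition. Illustrative code for this page only;
not the paper's or ZEXE's implementation."""

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PairingCurve:
    name: str
    p: int  # base field characteristic (the curve is defined over GF(p))
    r: int  # prime order of the pairing-friendly subgroup (the scalar field)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with fixed small bases plus seeded random bases (probabilistic)."""
    if n < 2:
        return False
    small = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for q in small:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for a in small + [rng.randrange(2, n - 1) for _ in range(rounds)]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def bls12_377() -> PairingCurve:
    """BLS12 family: r(x) = x^4 - x^2 + 1, p(x) = (x-1)^2 r(x)/3 + x.
    The seed x is the known public BLS12-377 parameter (not stated on this page)."""
    x = 0x8508C00000000001
    r = x**4 - x**2 + 1
    num = (x - 1) ** 2 * r
    assert num % 3 == 0  # requires x = 1 mod 3, which holds for this seed
    p = num // 3 + x
    return PairingCurve("BLS12-377", p, r)


def embedding_degree(curve: PairingCurve, max_k: int = 64):
    """Smallest k with r | p^k - 1, i.e. the pairing lands in GF(p^k)."""
    for k in range(1, max_k + 1):
        if pow(curve.p, k, curve.r) == 1:
            return k
    return None


def two_adicity(n: int) -> int:
    """Largest e with 2^e | n; governs FFT-friendliness of the field."""
    return (n & -n).bit_length() - 1


def one_layer_compatible(inner: PairingCurve, outer: PairingCurve) -> bool:
    """A verifier circuit for proofs over `inner` can be proven natively over
    `outer` only if outer's scalar field equals inner's base field."""
    return outer.r == inner.p


def forms_cycle(a: PairingCurve, b: PairingCurve) -> bool:
    """Two-cycle (as with the MNT pair): each curve's order is the other's base field."""
    return a.r == b.p and b.r == a.p


if __name__ == "__main__":
    bls = bls12_377()
    print(bls.name, "p bits:", bls.p.bit_length(), "r bits:", bls.r.bit_length())
    print("embedding degree:", embedding_degree(bls))
    # Constructed placeholder outer curve: only the order is meaningful here.
    outer = PairingCurve("placeholder-outer", p=0, r=bls.p)
    print("one-layer compatible:", one_layer_compatible(bls, outer))
    print("forms a cycle:", forms_cycle(bls, outer))
```

The placeholder outer curve satisfies only the one-layer condition (its subgroup order equals the BLS12-377 base field prime), so `forms_cycle` returns False for the pair; this is exactly the asymmetry the abstract describes between the MNT cycle and the ZEXE/BW6-761 one-layer setting.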
