nach oben

Designs, Codes and Cryptography

Erschienen in:

21.12.2022

A survey of elliptic curves for proof systems

verfasst von: Diego F. Aranha, Youssef El Housni, Aurore Guillevic

Erschienen in: Designs, Codes and Cryptography | Ausgabe 11/2023

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Elliptic curves have become key ingredients for instantiating zero-knowledge proofs and more generally proof systems. Recently, there have been many tailored constructions of these curves that aim at efficiently implementing different kinds of proof systems. In this survey we provide the reader with a comprehensive overview on existing work and revisit the contributions in terms of efficiency and security. We present an overview at three stages of the process: curves to instantiate a SNARK, curves to instantiate a recursive SNARK, and also curves to express an elliptic-curve related statement. We provide new constructions of curves for SNARKs and generalize the state-of-the-art constructions for recursive SNARKs. We also exhaustively document the existing work and open-source implementations.

Vorheriger Artikel Guest editorial: Special issue on Mathematics of Zero-Knowledge

Nächster Artikel Ligero: lightweight sublinear arguments without a trusted setup

Nur mit Berechtigung zugänglich

arkworks Contributors. arkworks zkSNARK ecosystem. https://arkworks.rs (2022).

Aranha D.F., Gouvêa C.P.L., Markmann T., Wahby R.S., Liao K.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic.

André-Ratsimbazafy M.: Constant time pairing-based or elliptic curve based cryptography and digital signatures. https://github.com/mratsim/constantine.

Baylina J.: Web assembly low level implementation of pairing friendly curves. https://github.com/iden3/wasmcurves.

Bünz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315–334. IEEE Computer Society Press (2018).

Bootle J., Cerulli A., Chaidos P., Groth J., Petit C.: Efficient zero-knowledge arguments for arithmetic circuits in the discret log setting. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016, Part II, volume 9666 of LNCS, pp. 327–357. Springer, Heidelberg (2016).

Bitansky N., Canetti R., Chiesa A, Tromer E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Goldwasser S. (ed.) ITCS 2012, pp. 326–349. ACM (2012).

Ben-Sasson E., Chiesa A., Genkin D., Tromer E., Virza M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti R., Garay J.A. (eds.) CRYPTO 2013, Part II, volume 8043 of LNCS, pp. 90–108. Springer, Heidelberg (2013).

Ben-Sasson E., Chiesa A., Garman C., Green M., Miers I., Tromer E., Virza M.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press (2014).

10.

Bowe S., Chiesa A., Green M., Miers I., Mishra P., Wu H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy, pp. 947–964. IEEE Computer Society Press (2020).

11.

Ben-Sasson E., Carmon D., Kopparty S., Levit D.: Elliptic curve fast fourier transform (ECFFT) part I: fast polynomial algorithms over all finite fields. CoRR, abs/2107.08473 (2021).

12.

Bünz B., Chiesa A., Mishra P., Spooner N.: Recursive proof composition from accumulation schemes. In: Pass R., Pietrzak K. (eds.) TCC 2020, Part II, volume 12551 of LNCS, pp. 1–18. Springer, Heidelberg (2020).

13.

Ben-Sasson E., Chiesa A., Tromer E., Virza M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014, Part II, volume 8617 of LNCS, pp. 276–294. Springer, Heidelberg (2014).MATH

14.

Ben-Sasson E., Chiesa A., Tromer E., Virza M.: Succinct non-interactive zero knowledge for a von neumann architecture. In: Fu K., Jung J. (eds.) USENIX Security 2014, pp. 781–796. USENIX Association (2014).

15.

Barbulescu R., Duquesne S.: Updating key size estimations for pairings. J. Cryptol. 32(4), 1298–1336 (2019).MathSciNetMATH

16.

Boneh D., Drake J., Fisch B., Gabizon A.: Halo infinite: proof-carrying data from additive polynomial commitments. In: Malkin T., Peikert C. (eds.) CRYPTO 2021, Part I, volume 12825 of LNCS, pp. 649–680. Virtual Event. Springer, Heidelberg (2021).

17.

Bernstein D.J., Duif N., Lange T., Schwabe P., Yang B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012).

18.

Bernstein D.J., Doumen J., Lange T., Oosterwijk J.-J.: Faster batch forgery identification. In: Galbraith S.D., Nandi M. (eds.) INDOCRYPT 2012, volume 7668 of LNCS, pp. 454–473. Springer, Heidelberg (2012).

19.

Braun B., Feldman A.J., Ren Z., Setty S., Blumberg A.J., Walfish M.: Verifying computations with state. In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, SOSP ’13, pp. 341–357, New York, NY, USA, 2013. Association for Computing Machinery. ePrint with major differences at ePrint 2013/356.

20.

Bünz B., Fisch B., Szepieniec A.: Transparent SNARKs from DARK compilers. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, Part I, volume 12105 of LNCS, pp. 677–706. Springer, Heidelberg (2020).

21.

Barbulescu R., Gaudry P., Guillevic A., Morain F.: Improving NFS for the discret logarithm problem in non-prime finite fields. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part I, volume 9056 of LNCS, pp. 129–155. Springer, Heidelberg (2015).

22.

Bowe S., Grigg J., Hopwood D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019/1021. https://eprint.iacr.org/2019/1021 (2019).

23.

Barbulescu R., Gaudry P., Joux A., Thomé E.: A heuristic quasi-polynomial algorithm for discret logarithm in finite fields of small characteristic. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014, volume 8441 of LNCS, pp. 1–16. Springer, Heidelberg (2014).

24.

Barbulescu R., Gaudry P., Kleinjung T.: The tower number field sieve. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015, Part II, volume 9453 of LNCS, pp. 31–55. Springer, Heidelberg (2015).

25.

Beuchat J.-L., González-Díaz J.E., Mitsunari S., Okamoto E., Rodríguez-Henríquez F., Teruya T.: High-speed software implementation of the optimal Ate pairing over Barreto-Naehrig curves. In: Joye M., Miyaji A., Otsuka A. (eds.) PAIRING 2010, volume 6487 of LNCS, pp. 21–39. Springer, Heidelberg (2010).MATH

26.

Boneh D., Goh E.-J., Nissim K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian J. (ed.) TCC 2005, volume 3378 of LNCS, pp. 325–341. Springer, Heidelberg (2005).

27.

Bernstein D.J., Hamburg M., Krasnova A., Lange T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Sadeghi A.-R., Gligor V.D., Yung M. (eds.) ACM CCS 2013, pp. 967–980. ACM Press, New York (2013).

28.

Bernstein D.J., Lange T.: Safecurves: choosing safe curves for elliptic-curve cryptography. https://safecurves.cr.yp.to. Accessed 28 Feb 2022.

29.

Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. In: Boyd C. (ed.) ASIACRYPT 2001, volume 2248 of LNCS, pp. 514–532. Springer, Heidelberg (2001).

30.

Barreto P.S.L.M., Lynn B., Scott M.: On the selection of pairing-friendly groups. In: Matsui M., Zuccherato R.J. (eds.) SAC 2003, volume 3006 of LNCS, pp. 17–25. Springer, Heidelberg (2004).

31.

Bonneau J., Meckler I., Rao V., Shapiro E.: Coda: decentralized cryptocurrency at scale. Cryptology ePrint Archive, Report 2020/352. https://eprint.iacr.org/2020/352 (2020).

32.

Barreto P.S.L.M., Naehrig M.: Pairing-friendly elliptic curves of prime order. In: Preneel B., Tavares S. (eds.) SAC 2005, volume 3897 of LNCS, pp. 319–331. Springer, Heidelberg (2006).

33.

Bowe S.: BLS12-381: new zk-SNARK elliptic curve construction. Zcash blog, March 11 2017. https://blog.z.cash/new-snark-curve/.

34.

Botrel G., Piellard T., El Housni Y., Tabaie A., Kubjas I.: Go library for finite fields, elliptic curves and pairings for zero-knowledge proof systems. https://doi.org/10.5281/zenodo.6092968.

35.

Botrel G., Piellard T., El Housni Y., Kubjas I., Tabaie A.: Consensys/gnark. https://doi.org/10.5281/zenodo.6093969 (2022).

36.

Bowe S, Str4d.: Zero-Knowledge Cryptography in Rust. https://github.com/zkcrypto.

37.

Ben-Sasson E., Chiesa A., Tromer E., Virza M., Wu H., Contributors: C++ library for finite fields and elliptic curves. https://github.com/scipr-lab/libff.

38.

Ben-Sasson E., Chiesa A., Tromer E., Virza M., Wu H., Contributors: C++ library for zksnark. https://github.com/scipr-lab/libsnark.

39.

Beaulieu R., Shors D., Smith J., Treatman-Clark S., Weeks B., Wingers L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404. https://eprint.iacr.org/2013/404 (2013).

40.

Chiesa A., Chua L., Weidner M.: On cycles of pairing-friendly elliptic curves. SIAM J. Appl. Algebra Geom. 3(2), 175–192 (2019).MathSciNetMATH

41.

Costello C., Fournet C., Howell J., Kohlweiss M., Kreuter B., Naehrig M., Parno B., Zahur S.: Geppetto: versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17–21, 2015, pp. 253–270. IEEE Computer Society, 2015. ePrint 2014/976.

42.

Cheon J.H.: Discret logarithm problems with auxiliary inputs. J. Cryptol. 23(3), 457–476 (2010).MATH

43.

Chiesa A., Yuncong H., Maller M., Mishra P., Vesely N., Ward N.P.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, Part I, volume 12105 of LNCS, pp. 738–768. Springer, Heidelberg (2020).

44.

Cai S.P., Hu Z., Zhao C.A.: Faster final exponentiation on the kss18 curve. In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E105.A(8):1162–1164 (2022).

45.

Costello C.: Pairings for beginners. https://www.craigcostello.com.au/s/PairingsForBeginners.pdf (2012).

46.

Chávez-Saab J., Rodríguez-Henríquez F., Tibouchi M.: Swiftec: Shallue-van de woestijne indifferentiable function to elliptic curves. Cryptology ePrint Archive, Paper 2022/759, 2022. To appear in ASIACRYPT 2022.

47.

Delignat-Lavaud A., Fournet C., Kohlweiss M., Parno B.: Cinderella: turning shabby X.509 certificates into elegant anonymous credentials with the magic of verifiable computation. In: 2016 IEEE Symposium on Security and Privacy, pp. 235–254. IEEE Computer Society Press (2016).

48.

De Micheli G., Gaudry P., Pierrot C.: Asymptotic complexities of discret logarithm algorithms in pairing-relevant finite fields. In: Micciancio D., Ristenpart T. (eds.) CRYPTO 2020, Part II, volume 12171 of LNCS, pp. 32–61. Springer, Heidelberg (2020).MATH

49.

De Micheli G., Gaudry P., Pierrot C.: Lattice enumeration for tower NFS: a 521-bit discret logarithm computation. In: Tibouchi M., Wang H. (eds.) Advances in Cryptology—ASIACRYPT 2021—27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6–10, 2021, Proceedings, Part I, volume 13090 of LNCS, pp. 67–96. Springer, 2021. ePrint 2021/707.

50.

de Valence H.: The ristretto group. https://ristretto.group (2021).

51.

de Valence H., Yun C., Andreev O.: dalek cryptography: fast, sage, pure-rust elliptic curve cryptography. https://github.com/dalek-cryptography/bulletproofs (2022).

52.

El Housni Y., Guillevic A.: Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition. In: Krenn S., Shulman H., Vaudenay S. (eds.) Cryptology and Network Security—19th International Conference, CANS 2020, Vienna, Austria, December 14–16, 2020, Proceedings, volume 12579 of LNCS, pp. 259–279. Springer (2020).

53.

El Housni Y., Guillevic A.: Families of SNARK-friendly 2-chains of elliptic curves. In: Dunkelman O., Dziembowski S. (eds) EUROCRYPT 2022, volume 13276 of LNCS, pp. 367–396. Springer (2022). ePrint 2021/1359.

54.

El Housni Y., Guillevic A.: Families of SNARK-friendly 2-chains of elliptic curves. https://gitlab.inria.fr/zk-curves/snark-2-chains (2022). SageMath/Python and Magma implementation.

55.

Enge A., Sutherland A.V.: Class invariants by the CRT method. In: Hanrot G., Morain F., Thomé E. (eds.) Algorithmic Number Theory Symposium, pp. 142–156. Springer, Berlin (2010).

56.

Faz-Hernández A., Scott S., Sullivan N., Wahby R.S., Wood C.A.: Hashing to Elliptic Curves. Technical Report, IETF Secretariat, 2022. Working Draft. https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/.

57.

Fotiadis G., Konstantinou E.: TNFS resistant families of pairing-friendly elliptic curves. Theor. Comput. Sci. 800, 73–89 (2019).MathSciNetMATH

58.

Fuentes-Castañeda L., Knapp E., Rodríguez-Henríquez F.: Faster hashing to \(\mathbb{G} _2\). In: Miri A., Vaudenay S. (eds.) SAC 2011, volume 7118 of LNCS, pp. 412–430. Springer, Heidelberg (2012).

59.

Fujitsu Laboratories, NICT, and Kyushu University. DL record in \({\mathbb{F}} _{3^{6\cdot 97}}\) of 923 bits (278 dd). NICT press release, June 18, 2012. http://www.nict.go.jp/en/press/2012/06/18en-1.html.

60.

Freeman D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert H. (ed.) EUROCRYPT 2010. volume 6110 of LNCS, pp. 44–61. Springer, Heidelberg (2010).

61.

Freeman D., Scott M., Teske E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010).MathSciNetMATH

62.

Gabizon A.: AuroraLight: improved prover efficiency and SRS size in a sonic-like system. Cryptology ePrint Archive, Report 2019/601. https://eprint.iacr.org/2019/601 (2019).

63.

Ghammam L., Fouotsa E.: On the computation of the optimal ate pairing at the 192-bit security level. Cryptology ePrint Archive, Report 2016/130. https://eprint.iacr.org/2016/130 (2016).

64.

Gennaro R., Gentry C., Parno B., Raykova M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013, volume 7881 of LNCS, pp. 626–645. Springer, Heidelberg (2013).

65.

Granger R., Kleinjung T., Lenstra A.K., Wesolowski B., Zumbrägel J.: Computation of a 30750-bit binary field discret logarithm. Math. Comput. 90(332):2997–3022, 2021. ePrint 2020/965.

66.

Groth J., Kohlweiss M., Maller M., Meiklejohn S., Miers I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2018, Part III, volume 10993 of LNCS, pp. 698–728. Springer, Heidelberg (2018).

67.

Granger R., Kleinjung T., Zumbrägel J.: Breaking ‘128-bit secure’ supersingular binary curves–(or how to solve discret logarithms in \(\mathbb{F} _{2^{4 \cdot 1223}}\) and \(\mathbb{F} _{2^{12 \cdot 367}}\)). In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014, Part II, volume 8617 of LNCS, pp. 126–145. Springer, Heidelberg (2014).

68.

Gallant R.P., Lambert R.J., Vanstone S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian J. (ed.) CRYPTO 2001, volume 2139 of LNCS, pp. 190–200. Springer, Heidelberg (2001).

69.

Guillevic A., Morain F.: Pairings for engineers, chap. 9—discret logarithms, pp. 203–242. CRC Press Taylor and Francis group, Spring 2016. ElMrabet N., Joye M. (eds.). https://www.crcpress.com/Guide-to-Pairing-Based-Cryptography/El-Mrabet-Joye/p/book/9781498729505https://hal.inria.fr/hal-01420485v2.

70.

Goldwasser S., Micali S., Rackoff C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989).MathSciNetMATH

71.

Guillevic A., Masson S., Thomé E.: Cocks-Pinch curves of embedding degrees five to eight and optimal ate pairing computation. Des. Codes Cryptogr. 88, 1047–1081 (2020).MathSciNetMATH

72.

Galbraith S.D., McKee J.F., Valença P.C.: Ordinary abelian varieties having small embedding degree. Finite Fields Appl. 13(4), 800–814 (2007).MathSciNetMATH

73.

Groth J., Ostrovsky R., Sahai A.: Non-interactive zaps and new techniques for NIZK. In: Dwork C. (ed.) CRYPTO 2006, volume 4117 of LNCS, pp. 97–111. Springer, Heidelberg (2006).

74.

Groth J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai X., Chen K. (eds.) ASIACRYPT 2006, volume 4284 of LNCS, pp. 444–459. Springer, Heidelberg (2006).

75.

Groth J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe M. (ed.) ASIACRYPT 2010, volume 6477 of LNCS, pp. 321–340. Springer, Heidelberg (2010).

76.

Groth J.: On the size of pairing-based non-interactive arguments. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016, Part II, volume 9666 of LNCS, pp. 305–326. Springer, Heidelberg (2016).

77.

Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: Smart N.P. (ed.) EUROCRYPT 2008, volume 4965 of LNCS, pp. 415–432. Springer, Heidelberg (2008).

78.

Granger R., Scott M.: Faster squaring in the cyclotomic subgroup of sixth degree extensions. In: Nguyen P.Q., Pointcheval D. (eds.) PKC 2010, volume 6056 of LNCS, pp. 209–223. Springer, Heidelberg (2010).

79.

Guillevic A, Singh S.: On the alpha value of polynomials in the tower number field sieve algorithm. Math. Cryptol. 1(1) (2021).

80.

Guillevic A.: A short-list of pairing-friendly curves resistant to special TNFS at the 128-bit security level. In: Kiayias A., Kohlweiss M., Wallden P., Zikas V. (eds.) PKC 2020, Part II, volume 12111 of LNCS, pp. 535–564. Springer, Heidelberg (2020).

81.

Guillevic A.: Pairing-friendly curves. https://members.loria.fr/AGuillevic/pairing-friendly-curves/ (2021).

82.

Gentry C., Wichs D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow L., Vadhan S.P. (eds.) 43rd ACM STOC, pp. 99–108. ACM Press (2011).

83.

Gabizon A., Williamson Z.J., Ciobotaru O.: PLONK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953. https://eprint.iacr.org/2019/953 (2019).

84.

Hamburg M.: Decaf: eliminating cofactors through point compression. In: Gennaro R., Robshaw M.J.B. (eds.) CRYPTO 2015, Part I, volume 9215 of LNCS, pp. 705–723. Springer, Heidelberg (2015).

85.

Hayashida D., Hayasaka K., Teruya T.: Efficient final exponentiation via cyclotomic structure for pairings over families of elliptic curves. Cryptology ePrint Archive, Report 2020/875. https://eprint.iacr.org/2020/875 (2020).

86.

Hopwood D.: The pasta curves for halo 2 and beyond. https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/ (2020).

87.

Hopwood D.: Pluto-eris hybrid cycle of elliptic curves. https://github.com/daira/pluto-eris (2021).

88.

Hisil H., Koon-Ho Wong K., Carter G., Dawson E.: Twisted Edwards curves revisited. In: Pieprzyk J. (ed.) ASIACRYPT 2008, volume 5350 of LNCS, pp. 326–343. Springer, Heidelberg (2008).

89.

Juels A., Kosba A.E., Shi E.: The ring of Gyges: investigating the future of criminal smart contracts. In: Weippl E.R., Katzenbeisser S., Kruegel C., Myers A.C., Halevi S. (eds.) ACM CCS 2016, pp. 283–295. ACM Press (2016).

90.

Jones N.: Elliptic aliquot cycles of fixed length. Pac. J. Math. 263(2), 353–371 (2013).MathSciNetMATH

91.

Karabina K.: Squaring in cyclotomic subgroups. Math. Comput. 82(281), 555–579 (2013).MathSciNetMATH

92.

Kim T., Barbulescu R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, volume 9814 of LNCS, pp. 543–571. Springer, Heidelberg (2016).

93.

Kilic O.: High-Speed Implementation of Curves in Go. https://github.com/kilic/bn254, https://github.com/kilic/bls12-381, https://github.com/kilic/bls12-377 and https://github.com/kilic/bw6.

94.

Kilian J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th ACM STOC, pp. 723–732. ACM Press (1992).

95.

Kosba A.E., Miller A., Shi E., Wen Z., Papamanthou C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839–858. IEEE Computer Society Press (2016).

96.

Kosba A.E., Papadopoulos D., Papamanthou C., Sayed M.F., Shi E., Triandopoulos N.: TRUESET: faster verifiable set computations. In: Fu K., Jung J. (eds.) USENIX Security 2014, pp. 765–780. USENIX Association (2014).

97.

Kattis A., Panarin K., Vlasov A.: RedShift: transparent SNARKs from list polynomial commitment IOPs. Cryptology ePrint Archive, Report 2019/1400, 2019. https://eprint.iacr.org/2019/1400.

98.

Kachisa E.J., Schaefer E.F., Scott M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith S.D., Paterson K.G. (eds.) PAIRING 2008, volume 5209 of LNCS, pp. 126–135. Springer, Heidelberg (2008).

99.

Karabina K., Teske E.: On prime-order elliptic curves with embedding degrees k = 3, 4, and 6. In: van der Poorten A.J., Stein A. (eds.) Algorithmic Number Theory, 8th International Symposium, ANTS-VIII, Banff, Canada, May 17–22, 2008, Proceedings, volume 5011 of Lecture Notes in Computer Science, pp. 102–117. Springer (2008).

100.

Kleinjung T., Wesolowski B.: Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic. J. Am. Math. Soc. 35(02):581–624 (2022). ePrint 2019/751.

101.

Kate A., Zaverucha G.M., Goldberg I.: Constant-size commitments to polynomials and their applications. In: Abe M. (ed.) ASIACRYPT 2010, volume 6477 of LNCS, pp. 177–194. Springer, Heidelberg (2010).

102.

Kosba A., Zhao Z., Miller A., Qian Y., Chan H., Papamanthou C., Pass R., Shelat A., Shi E.: C\(\emptyset \)c\(\emptyset \): a framework for building composable zero-knowledge proofs. Cryptology ePrint Archive, Report 2015/1093. https://eprint.iacr.org/2015/1093 (2015).

103.

Maller M., Bowe S., Kohlweiss M., Meiklejohn S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: Cavallaro L., Kinder J., Wang X.F., Katz J. (eds.) ACM CCS 2019, pp. 2111–2128. ACM Press (2019).

104.

Meckler I.: O(1) labs fork of zexe: implementation of bn382-plain. https://github.com/o1-labs/zexe/tree/master/algebra/src/bn_382 (2020).

105.

Micali S.: CS proofs (extended abstracts). In: 35th FOCS, pp. 436–453. IEEE Computer Society Press (1994).

106.

Mihailescu P.: Dual elliptic primes and applications to cyclotomy primality proving. arXiv arXiv:0709.4113 (2007).

107.

Mouha N., Mennink B., Van Herrewege A., Watanabe D., Preneel B., Verbauwhede I.: Chaskey: An efficient MAC algorithm for 32-bit microcontrollers. In: Joux A., Youssef A.M. (eds.) SAC 2014, volume 8781 of LNCS, pp. 306–323. Springer, Heidelberg (2014).

108.

Miyaji A., Nakabayashi M., Takano S.: Characterization of elliptic curve traces under FR-reduction. In: Won D. (ed.) ICISC 00, volume 2015 of LNCS, pp. 90–108. Springer, Heidelberg (2001).MATH

109.

Menezes A., Sarkar P., Singh S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan R.C.-W., Yung M. (eds) Mycrypt Conference, volume 10311 of LNCS, pp. 83–108, Kuala Lumpur, Malaysia, December 1–2 2016. Springer. https://ia.cr/2016/1102.

110.

Masson S., Sanso A., Zhang Z.: Bandersnatch: a fast elliptic curve built over the bls12-381 scalar field. Cryptology ePrint Archive, Report 2021/1152. https://ia.cr/2021/1152 (2021).

111.

Nogami Y., Akane M., Sakemi Y., Katou H., Morikawa Y.: Integer variable chi-based Ate pairing. In: Galbraith S.D., Paterson K.G. (eds.) PAIRING 2008, volume 5209 of LNCS, pp. 178–191. Springer, Heidelberg (2008).MATH

112.

Naehrig M., Niederhagen R., Schwabe P.: New software speed records for cryptographic pairings. In: Abdalla M., Barreto P.S.L.M. (eds.) LATINCRYPT 2010, volume 6212 of LNCS, pp. 109–123. Springer, Heidelberg (2010).

113.

Parks J.: An asymptotic for the average number of amicable pairs for elliptic curves. Math. Proc. Camb. Philos. Soc. 166(1), 33–59 (2019).MathSciNetMATH

114.

Parno B., Howell J., Gentry C., Raykova M.: Pinocchio: Nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238–252. IEEE Computer Society Press (2013).

115.

Poelstra A.: Curve with group order \(2^{255}-19\). https://moderncrypto.org/mail-archive/curves/2018/000992.html. Accessed 28 Feb 2022 (2018).

116.

Pollard J.M.: The fast Fourier transform in a finite field. Math. Comput. 25(114), 365–374 (1971).MathSciNetMATH

117.

Shigeo M.: A portable and fast pairing-based cryptography library. https://github.com/herumi/mcl.

118.

Sakemi Y., Hanaoka G., Izu T., Takenaka M., Yasuda M.: Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve. In: Fischlin M., Buchmann J., Manulis M. (eds.) PKC 2012, volume 7293 of LNCS, pp. 595–608. Springer, Heidelberg (2012).

119.

Smart N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999).MathSciNetMATH

120.

Silverman J.H., Stange K.E.: Amicable pairs and aliquot cycles for elliptic curves. Exp. Math. 20(3), 329–357 (2011).MathSciNetMATH

121.

Supranational. Multilingual BLS12-381 signature library. https://github.com/supranational/blst.

122.

Sutherland A.V.: Computing Hilbert class polynomials with the chinese remainder theorem. Math. Comput. 80(273):501–538 (2011). arXiv arXiv:0903.2785.

123.

Tibouchi M.: Elligator squared: Uniform points on elliptic curves of prime order as uniform random strings. In: Christin N., Safavi-Naini R. (eds.) FC 2014, volume 8437 of LNCS, pp. 139–156. Springer, Heidelberg (2014).

124.

Vercauteren F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010).MathSciNetMATH

125.

Vlasov A., Panarin K.: Transparent polynomial commitment scheme with polylogarithmic communication complexity. Cryptology ePrint Archive, Report 2019/1020. https://eprint.iacr.org/2019/1020 (2019).

126.

Williamson Z.: An optimized elliptic curve library for the BN128 curve, and PLONK SNARK prover. https://github.com/AztecProtocol/barretenberg/tree/master/barretenberg.

127.

Wahby R.S., Tzialla I., Shelat A., Thaler J., Walfish M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926–943. IEEE Computer Society Press (2018).

128.

Wuille P.: Elligator Squared for BN-like curves. https://github.com/sipa/writeups/tree/main/elligator-square-for-bn (2021).

129.

Zcash. Rust implementation for the Pasta cycle in Rust. https://github.com/zcash/pasta_curves.

130.

ZCash. What is jubjub? https://z.cash/technology/jubjub/ (2021).

Titel: A survey of elliptic curves for proof systems
verfasst von: Diego F. Aranha
Youssef El Housni
Aurore Guillevic
Publikationsdatum: 21.12.2022
Verlag: Springer US
Erschienen in: Designs, Codes and Cryptography / Ausgabe 11/2023
Print ISSN: 0925-1022
Elektronische ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-022-01135-y

Springer Professional

A survey of elliptic curves for proof systems

Abstract

Premium Partner

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Weitere Artikel der Ausgabe 11/2023

Improved attacks against reduced-round Whirlwind

Generalized attack on ECDSA: known bits in arbitrary positions

Proving knowledge of isogenies: a survey

Leakage-resilient identity-based cryptography from minimal assumptions

Zero-knowledge proofs for set membership: efficient, succinct, modular

Guest editorial: Special issue on Mathematics of Zero-Knowledge

Premium Partner