A survey of elliptic curves for proof systems

Abstract

Elliptic curves have become key ingredients for instantiating zero-knowledge proofs and more generally proof systems. Recently, there have been many tailored constructions of these curves that aim at efficiently implementing different kinds of proof systems. In this survey we provide the reader with a comprehensive overview on existing work and revisit the contributions in terms of efficiency and security. We present an overview at three stages of the process: curves to instantiate a SNARK, curves to instantiate a recursive SNARK, and also curves to express an elliptic-curve related statement. We provide new constructions of curves for SNARKs and generalize the state-of-the-art constructions for recursive SNARKs. We also exhaustively document the existing work and open-source implementations.

Appendices

Appendix A: Implementations

We report in Table 12 some libraries that implement different SNARK curves, 2-chains and 2-cycles. We only cite implementations that are used in zero-knowledge proofs based projects and we omit to cite forks that improve independently over the original work. The libraries are implemented in different languages and some use more assembly acceleration than others. Besides the different algorithmic and software optimizations used across them, it should also be noted that some libraries target constant-time implementations for some or all the operations.

Table 12 Some implementations of SNARK curves

Note. Libraries in Table 12 provide the classical implementation of elliptic curves. Few of these libraries provide also implementations of curves as SNARK computations. That is, the arithmetic of fields and groups of elliptic curves as statements to be proved in a SNARK using another elliptic curve (e.g. Alg. 17 for twisted Edwards). For example arkworks [1], gnark [35], libsnark [38] and zcash [36] provide such implementations within different proving systems.

Appendix B: Parameter tables

Table 13 Parameters of a BW6 outer curve with a BLS12 inner curve, \(x \equiv 1 \bmod 3\)

Table 14 Parameters of a BW6 outer curve with a BLS24 inner curve, \(x \equiv 1 \bmod 3\)

Table 15 Parameters of a BW6 outer curve with a BN inner curve, any integer x

Appendix C: Optimized final exponentiation for our BW outer curves with inner BN, BLS12, and BLS24

Remember from Fig. 4 that the inner curves BN, BLS12 and BLS24 are called \(E_1\), defined over a prime field \(\mathbb F_p\), and have a subgroup of prime order r (the scalar field). The BW6 outer curves are called \(E_2\), have a subgroup of prime order p (the scalar field of the second SNARK is the coefficient field of the first SNARK), and are defined over a new prime field \(\mathbb F_s\).

BN-BW6 curves. A lattice reduction (with Magma on polynomials) gives the formulas in Table 15, where \(d = \Phi _{6}(t_i-1)/(3 p) = 3 x (x+1) + 1\). We highlight with an underbrace the similar parts that can be shared. The sequential steps are \(t_0 = -3 x (2 d + 1)\) then \(p = 2(-x t_0 + d) - 1\) in Alg. 9 to compute \(m^{e_0}\), and \(t_3 = 3 (x (2 d + 1) + 1)\), then \(p = 2 x (t_3 + 3 x) + 1\) in Alg. 10 to compute \(m^{e_3'}\).

\(\begin{array}{l} e_0= (2x) \tfrac{\Phi _6(s_0)}{p} = \overbrace{\bigl (1 + 2x\underbrace{(3x+1 + s_0)}_{a_0}\bigr )}^{b_0} \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + \tfrac{h_t-h_y}{2} t_0 + d\Bigr ) - \underbrace{(3 x+1 + s_0)}_{a_0}\\ e_0'= (6x^2+4x+1) \tfrac{\Phi _6(s_0)}{p} = \overbrace{\bigl (s_0-2x\underbrace{(1 -(3x+2)s_0)}_{a_0'}\bigr )}^{b_0'} \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + \tfrac{h_t-h_y}{2} t_0 + d\Bigr ) \\ \qquad \quad + \underbrace{1 - (3x+2) s_0}_{a_0'}\\ e_3= (2 x) \tfrac{\Phi _6(s_3)}{p} = \overbrace{\bigl (2 x \underbrace{(s_3-(3 x+2))}_{a_3} - 1\bigr )}^{b_3} \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + \tfrac{h_t+h_y}{2} t_3 + d\Bigr ) + \underbrace{s_3 - (3x+2)}_{a_3}\\ e_3'= (6x^2+2x+1) \tfrac{\Phi _6(s_3)}{p} = \overbrace{\bigl (2 x \underbrace{(1 + (3 x+1) s_3)}_{a_3'} + s_3\bigr )}^{b_3'} \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + \tfrac{h_t+h_y}{2} t_3 + d\Bigr )\\ \qquad \quad + \underbrace{1 + (3x+1) s_3}_{a_3'} \end{array}\)

BLS12-BW6 curves. Parameters are in Table 13, where \(d = \Phi _{6}(t_i-1)/(3 p) = (x^4 - 4x^3 + 7x^2 -6x +3)\). We highlight with an underbrace the exponent \(a_i,a_i'\) that can be shared.

\(\begin{array}{l} e_0= (x+1) \tfrac{\Phi _6(s_0)}{p} = \overbrace{\bigl ((x\!+\!1)\underbrace{(s_0\!-\!(x\!-\!1)^2\!-\!1)}_{a_0}\!+\!1\bigr )}^{b_0} \Bigl (\tfrac{h_t^2+3 h_y^2}{4}p\!+\!3\bigl (\tfrac{h_t-h_y}{2}\tfrac{t_0}{3}\!+\!\tfrac{d-1}{3}\bigr )\!+\!1\Bigr )\\ \qquad \quad -3 \underbrace{(s_0\!-\!(x\!-\!1)^2\!-\!1)}_{a_0}\\ e_0'= (x^3\!-\!x^2\!-\!x) \tfrac{\Phi _6(s_0)}{p} = \overbrace{\bigl ((x\!+\!1)\underbrace{((x\!-\!1)^2s_0\!+\!1)}_{a_0'}\!-\!p\bigr )}^{b_0'} \\ \qquad \quad \Bigl (\tfrac{h_t^2+3 h_y^2}{4}p\!+\!3\bigl (\tfrac{h_t-h_y}{2}\tfrac{t_0}{3}\!+\!\tfrac{d-1}{3}\bigr )\!+\!1\Bigr ) -3\underbrace{((x\!-\!1)^2s_0\!+\!1)}_{a_0'}\\ e_3= (x+1) \tfrac{\Phi _6(s_3)}{p} = \overbrace{\bigl ((x\!+\!1)\underbrace{((x\!-\!1)^2\!+\!s_3)}_{a_3}\!-\!1\bigr )}^{b_3} \Bigl (\tfrac{h_t^2+3 h_y^2}{4}p\!+\!3\bigl (\tfrac{h_t+h_y}{2}\tfrac{t_3}{3}\!+\!\tfrac{d-1}{3}\bigr )\!+\!1\Bigr )\\ \qquad \quad +3\underbrace{((x\!-\!1)^2\!+\!s_3)}_{a_3}\\ e_3'= (x^3\!-\!x^2\!+\!1) \tfrac{\Phi _6(s_3)}{p} = \overbrace{\bigl ((x\!+\!1)\underbrace{(((x\!-\!1)^2\!+\!1)s_3\!-\!1)}_{a_3'}\!-\!s_3\bigr )}^{b_3'}\\ \qquad \quad \Bigl (\tfrac{h_t^2+3 h_y^2}{4}p\!+\!3\bigl (\tfrac{h_t+h_y}{2}\tfrac{t_3}{3}\!+\!\tfrac{d-1}{3}\bigr )\!+\!1\Bigr )\!+\!3 \underbrace{(((x\!-\!1)^2\!+\!1)s_3\!-\!1)}_{a_3'} \end{array}\)

The steps in Alg. 11 for \(m^{e_0'}\) correspond to the exponents

$$\begin{aligned} \begin{array}{lclcccl} a &{}=&{} (x-1)/3 \\ b &{}=&{} a (x-1) &{} &{} &{}=&{} (x-1)^2/3\\ c &{}=&{} b ((x-1)^2+1) &{}=&{} (d-1)/3 &{}=&{} (x-1)^2/3(x^2-2x+2)\\ e &{}=&{} -(u+1) c + b - a &{}=&{} t_0/3 &{}=&{} (x-1)^2/3(-x^3+x^2-1) - (x-1)/3\\ f &{}=&{} -(u+1) (e + b) + a + 1 &{}=&{} p &{}=&{} (x-1)^2/3(x^4-x^2+1) + x\\ \end{array} \end{aligned}$$

The steps in Alg. 12 for \(m^{e_3}\) correspond to this sequence deduced from the former, with \(t_3/3 = -t_0+1\).

$$\begin{aligned} \begin{array}{lclclcl} a &{}=&{} (x-1)/3 \\ b &{}=&{} a (x-1) &{}=&{} (x-1)^2/3 \\ c &{}=&{} b ((x-1)^2 + 1) &{}=&{} (d-1)/3 \\ b'&{}=&{} -b \\ e &{}=&{} b' + 1 \\ f &{}=&{} c (x+1) + e &{}=&{} (x-1)^2/3 (x^3-x^2+1) + 1 \\ g &{}=&{} f + a &{}=&{} t_3/3 \\ h &{}=&{} (f+b') (x+1) - e &{}=&{} p \\ \end{array} \end{aligned}$$

BLS24-BW6 curves. The exponents of the hard part of the final exponentiation for BW6-BLS24 curves are the following, with \(i_0 = (x-1)^2 (x^2+1)\), \(i_0' = (x-1)^2 (x^2+1) + 1 = i_0+1\), \(i_3 = (x-1)^2 (x^2+1)\), and \(i_3' = (x-1)^2 (x^2+1) + 1 = i_3+1\).

\(\begin{array}{l} e_0= (x^5-x^4-x) \tfrac{\Phi _6(s_0)}{p} = \bigl (\overbrace{(x+1) \underbrace{(1 + i_0 s_0)}_{a_0} - s_0}^{b_0}\bigr ) \\ \qquad \quad \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + 3\bigl (\tfrac{h_t-h_y}{2} \tfrac{t_0}{3} + \tfrac{d-1}{3}\bigr )+1\Bigr ) - 3 \underbrace{(1 + i_0 s_0)}_{a_0}\\ e_0'= (x+1) \tfrac{\Phi _6(s_0)}{p} = \bigl (\overbrace{(x+1) \underbrace{(s_0-i_0')}_{a_0'} + 1}^{b_0'}\bigr ) \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + 3\bigl (\tfrac{h_t-h_y}{2} \tfrac{t_0}{3} + \tfrac{d-1}{3}\bigr )+1\Bigr )\\ \qquad \quad - 3 \underbrace{(s_0-i_0')}_{a_0}\\ e_3= (x+1) \tfrac{\Phi _6(s_3)}{p} = \bigl (\overbrace{(x+1) \underbrace{(i_3 + s_3)}_{a_3} - 1}^{b_3}\bigr ) \Bigl (\tfrac{h_t^2+3 h_y^2}{4} p + 3\bigl (\tfrac{h_t+h_y}{2} \tfrac{t_3}{3} + \tfrac{d-1}{3}\bigr )+1\Bigr ) \\ \qquad \quad + 3 \underbrace{(i_3 + s_3)}_{a_3} \\ e_3'= (x^5-x^4+1) \tfrac{\Phi _6(s_3)}{p} = \bigl (\overbrace{(x+1) \underbrace{(i_3' s_3 - 1)}_{a_3'} - p}^{b_3'}\bigr )\\ \qquad \quad \Bigl (\tfrac{h_t^2+3 h_y^2}{4} r + 3\bigl (\tfrac{h_t+h_y}{2} \tfrac{t_3}{3} + \tfrac{d-1}{3}\bigr )+1\Bigr ) + 3 \underbrace{(i_3' s_3 -1)}_{a_3'} \end{array}\)

The parameters are given in Table 14, and we set \(d = \Phi _6(t_i-1)/(3p) = x^8-4x^7+8x^6-12x^5+15x^4-14x^3+10x^2-6x+3\). Part of the exponent is

$$\begin{aligned} \tfrac{h_t^2+3 h_y^2}{4} p + \tfrac{h_t+h_y}{2} t_3 + d \quad ; \quad \tfrac{h_t^2+3 h_y^2}{4} p + \tfrac{h_t-h_y}{2} t_0 + d \end{aligned}$$

We compute the exponents p, \(t_0/3\), \(t_3/3\) and \((d-1)/3\) as follows and obtain Alg. 13 and Alg. 14.

$$\begin{aligned} \begin{array}{l@{~}|@{~}l} \begin{array}{lclcl} a &{}=&{} (x-1)/3 \\ b &{}=&{} a (x-1) (x^2+1)\\ c &{}=&{} b ((x - 1)^2 (x^2 + 1) + 1) &{}=&{} (d-1)/3 \\ \\ f &{}=&{} -(x+1) c + b - a &{}=&{} t_0/3 \\ g &{}=&{} -(x+1) (f + b) + a + 1 &{}=&{} p \end{array} &{} \begin{array}{lclcl} a &{}=&{} (x-1)/3 \\ b &{}=&{} a (x-1) (x^2+1)\\ c &{}=&{} b ((x - 1)^2 (x^2 + 1) + 1) &{}=&{} (d-1)/3 \\ e &{}=&{} (x+1) c - b + a \\ f &{}=&{} e + 1 &{}=&{} t_3/3 \\ g &{}=&{} (x+1) (e - b) + a + 1 &{}=&{} p \end{array} \end{array} \end{aligned}$$