IA Scholar Query: Computation of a 30750-bit binary field discrete logarithm.
https://scholar.archive.org/
Internet Archive Scholar query results feed
A survey of elliptic curves for proof systems
https://scholar.archive.org/work/gbryaol7onharpdlfndvxzu4pi
Elliptic curves have become key ingredients for instantiating zero-knowledge proofs and, more generally, proof systems. Recently, there have been many tailored constructions of these curves that aim at efficiently implementing different kinds of proof systems. In this survey we provide the reader with a comprehensive view of existing work and revisit the contributions in terms of efficiency and security. We present an overview at three stages of the process: curves to instantiate a SNARK, curves to instantiate a recursive SNARK, and curves to express an elliptic-curve related statement. We provide new constructions of curves for SNARKs and generalize the state-of-the-art constructions for recursive SNARKs. We also exhaustively document the existing work and open-source implementations.

State of the art

Building on ideas from the pairing-based doubly-homomorphic encryption scheme [BGN05], Groth, Ostrovsky and Sahai [GOS06, Gro06, GS08] introduced pairing-based non-interactive zero-knowledge proofs, yielding the first linear-size proofs based on standard assumptions. Groth [Gro10] combined these techniques with ideas from interactive zero-knowledge proofs to give the first constant-size proofs, which are based on constructing a set of polynomial equations and using pairings to efficiently verify these equations. This work relies on two newly introduced pairing-based cryptographic assumptions, namely the q-Computational Power Diffie-Hellman (q-CPDH) and the q-Power Knowledge of Exponent (q-PKE) assumptions. Following this direction of work, Gennaro et al. [GGPR13] proposed an insightful construction of polynomial equations that resulted in many interesting implementations [PHGR13, BFR+13, BCG+13, BCTV14b, KPP+14], leading to the most succinct and widely implemented pairing-based SNARK [Gro16].
The first implementation, Pinocchio [PHGR13], used a pairing-friendly elliptic curve in the Barreto-Naehrig (BN) family [BN06] targeting a 128-bit security level, but the source code was proprietary. It used the BN curve defined over a 256-bit field suggested in [NNS10] (seed x = 1868033^3). Next, as part of Pantry [BFR+13], the authors re-implemented Pinocchio under a BSD-style license using a 254-bit BN curve from [BGM+10] (seed x = −(2^62 + 2^55 + 1), first introduced in [NAS+08]). This new BN implementation partially builds on techniques from the earlier BN paper [NNS10] that Pinocchio used. Later, in [BCG+13], the authors observed that constructing a pairing-friendly curve with a subgroup order r where r − 1 is divisible by 2^L for a large L results in efficient proof generation via suitable Fast Fourier Transforms (FFTs) in F_r. To speed up the arithmetic, they proposed to use the elliptic curve in Edwards form, by looking for a group order that is a multiple of 4. To match these two constraints (2^L divides r − 1 and the curve has order 4·r), they designed a Galbraith-McKee-Valença curve [GMV07] of embedding degree 6 (GMV6) defined over F_p, where p is a prime of 183 bits, with order 4r where r has 181 bits and 2^31 | r − 1. This curve targeted an 80-bit security level in 2013 and was implemented in libff [BSCT+a].

Diego F. Aranha, Youssef El Housni, Aurore Guillevic
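The two constraints above (high 2-adicity of r − 1 for FFTs, and a group order divisible by 4 for an Edwards model) can be checked directly from a curve's seed. The script below is an added example, written for this page and not taken from the survey, libff or any of the cited implementations. It assumes the standard BN parametrisation p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1, r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1, t(x) = 6x^2 + 1, and the two seeds the text attributes to [NNS10] and [BGM+10]; the GMV6 parameters are not on the page, so they are not reproduced. The function and constant names are the example's own. It derives p and r from each seed, confirms the field sizes the text states, measures the largest L with 2^L | r − 1 (the largest power-of-two FFT size available over F_r), checks that r is prime, and computes the cofactor, which is 1 for BN curves, i.e. prime order and therefore no point of order 4 to build an Edwards model on. It also produces the primitive 2^L-th root of unity that an FFT over F_r would use as its twiddle base.

```python
"""Added example (not the survey's code): seed-level checks on the BN curves the
text names, focused on what a SNARK prover needs from the scalar field F_r.
Assumed here: the standard BN polynomials for p(x), r(x), t(x) (not on the page).
"""
import random

# Seeds as given in the text for [NNS10] and [BGM+10]; names are this example's own.
NNS10_SEED = 1868033 ** 3
BGM10_SEED = -(2 ** 62 + 2 ** 55 + 1)


def bn_params(x):
    """Standard BN parametrisation (assumption): field prime p, subgroup order r,
    Frobenius trace t. Valid for negative seeds as well."""
    p = 36 * x ** 4 + 36 * x ** 3 + 24 * x ** 2 + 6 * x + 1
    r = 36 * x ** 4 + 36 * x ** 3 + 18 * x ** 2 + 6 * x + 1
    t = 6 * x ** 2 + 1
    return p, r, t


def two_adicity(n):
    """Largest L such that 2^L divides n (n > 0): log2 of the biggest radix-2 FFT
    that F_r supports when n = r - 1."""
    return (n & -n).bit_length() - 1


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a fixed-seed RNG so runs are reproducible."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def root_of_unity(r, L):
    """Primitive 2^L-th root of unity in F_r (r prime, 2^L | r - 1).
    w = g^((r-1)/2^L) always satisfies w^(2^L) = 1; it has exact order 2^L
    iff w^(2^(L-1)) = -1, so keep trying small bases g until that holds."""
    assert L >= 1 and (r - 1) % (1 << L) == 0
    m = (r - 1) >> L
    for g in range(2, 1000):
        w = pow(g, m, r)
        if pow(w, 1 << (L - 1), r) == r - 1:
            return w
    raise ValueError("no suitable base found")


def assess(x):
    """Summary a practitioner wants before picking a curve for a SNARK."""
    p, r, t = bn_params(x)
    order = p + 1 - t              # #E(F_p) from the trace
    return {
        "p_bits": p.bit_length(),
        "r_bits": r.bit_length(),
        "r_prime": is_probable_prime(r),
        "cofactor": order // r,    # 1 for BN: prime order, so no Edwards form
        "max_fft_size_log2": two_adicity(r - 1),
    }


if __name__ == "__main__":
    for name, x in (("NNS10 BN (Pinocchio)", NNS10_SEED),
                    ("BGM+10 BN (Pantry)", BGM10_SEED)):
        print(name, assess(x))
    _, r, _ = bn_params(BGM10_SEED)
    L = two_adicity(r - 1)
    print("BGM+10: primitive 2^%d-th root of unity in F_r = %d" % (L, root_of_unity(r, L)))
```

Running it shows why [BCG+13] could not simply keep the Pantry curve: its r − 1 has only a tiny power of two, so a radix-2 FFT over F_r tops out at a few points, and the cofactor of 1 rules out an Edwards model outright; the GMV6 curve with 2^31 | r − 1 and order 4r fixes both at once.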