algebra icon indicating copy to clipboard operation
algebra copied to clipboard

Published 20 hours ago verified publisher icon arkworks-rs

Modification of `ed_on_bw6_761`

Open simonmasson opened this issue 3 years ago • 5 comments

Summary

The ed_on_bw6_761 curve is an elliptic curve whose base field matches the BW6-761 curve. This curve is useless and should be replaced by the BLS12-377 curve:

  • BLS12-377 base field is BW6-761 scalar field (by construction of the half-cycle, more details here).
  • BLS12-377 scalar field modulus is 253-bit long, which leads to more efficient computations that the current ed_on_bw6_761 (its scalar field modulus is 374-bit long).
  • BLS12-377 is pairing-friendly, while ed_on_bw6_761 is not. Note that for most of the applications, we need a curve (whose BaseField = BW6-761ScalarField) that is pairing-friendly.

I don't know if we should simply remove the directory corresponding to ed_on_bw6_761, or change its parameters so that it points towards the BLS12-377 parameters.

simonmasson avatar Dec 16 '21 21:12 simonmasson

The primary purpose was to have an edwards curve over BW6, since that allows you to obtain efficient BHP-hashes over the BW6 scalar field.

If this purpose can also be served by providing an edwards model for BLS12-377, then I agree that it makes sense to remove ed_over_bw6

Pratyush avatar Dec 17 '21 04:12 Pratyush

I'd say choose another Edwards curve that's actually faster than BLS12-377 but an Edwards form of BLS12-377's G1 might possibly work, given its cofactor contains plenty of 2 torsion.

I'd suggest asking @dfaranha or whoever if we could be faster using another Edwards curve besides an Edwards form of BLS12-377's G1.

There is a minor consideration that maybe someone cares more about discrete log hardness in ed_on_bw6_761 than in BLS12-377 or BW6, like because manages secrete key material or whatever, but.. Imho this does not really matter here on BW6, although maybe it matters in ed_on_bls12_377

burdges avatar Dec 17 '21 08:12 burdges

The primary purpose was to have an edwards curve over BW6, since that allows you to obtain efficient BHP-hashes over the BW6 scalar field.

Hmmm.... ed_on_bw6_761's scalar field is 374 bits. It is a lot worse than bls12-377 which a) also has an Edward form, and b) uses only a 252 bits scalar field. IMHO it is sufficient to remove ed_on_bw6_761.

zhenfeizhang avatar Jan 11 '22 18:01 zhenfeizhang

The primary goal to have a twisted Edwards is to use the law completeness to implement windowed scalar multiplication inside a circuit. If you convert BLS12-377 to a twisted Edwards form the law won't be complete because the d coefficient will be a square.

Also ed_on_bw6_761 follows SafeCurve design choices but this is less important.

yelhousni avatar Mar 23 '22 10:03 yelhousni

The primary goal to have a twisted Edwards is to use the law completeness to implement windowed scalar multiplication inside a circuit. If you convert BLS12-377 to a twisted Edwards form the law won't be complete because the d coefficient will be a square.

Actually that might work still, with some caution. This is similar to my comment here https://github.com/arkworks-rs/algebra/issues/726.

yelhousni avatar Mar 23 '22 16:03 yelhousni