Youssef El Housni
> There are other methods we've looked at which wouldn't be too bad in our case - Fouque-Tibouchi for example. BLS12-377 doesn't have a good low-degree isogeny from what we've...
The security of BLS12-377 wrt STNFS and Cheon's attack is discussed in section 4 [here](https://eprint.iacr.org/2020/351.pdf).
Yes because the analysis takes Cheon's attack into consideration as opposed to [Guillevic19].
It is indeed incomplete but "practically" complete with a reasonable assumption. The points at infinity are all of even order while we work on a field of odd prime order....
I think it still falls in patents US7110538B2 and US7995752B2 until September 2020.
The primary goal to have a twisted Edwards is to use the law completeness to implement windowed scalar multiplication inside a circuit. If you convert BLS12-377 to a twisted Edwards...
> The primary goal to have a twisted Edwards is to use the law completeness to implement windowed scalar multiplication inside a circuit. If you convert BLS12-377 to a twisted...
> @yelhousni is the paper author.

Thank you for tagging me. This is a joint work with @auroreguillevic.
Here is a ML in projective coordinates for SW6 curve: https://github.com/EYBlockchain/zk-swap-libff/blob/ey/libff/algebra/curves/sw6/sw6_pairing.cpp and for SW6_BIS (field size of 761 bits): https://github.com/EYBlockchain/zk-swap-libff/blob/ey/libff/algebra/curves/sw6_bis/sw6_bis_pairing.cpp
Yes, it is MIT; you can port it to Rust. I am working, btw, on porting SW6_BIS to Rust and can do a PR here if you want.