plonk-bls12_381

Crates.ioplonk-bls12_381
lib.rsplonk-bls12_381
version0.2.0
sourcesrc
created_at2021-11-28 01:24:54.426897
updated_at2021-12-12 10:38:51.810725
descriptionFork of the implementation of the BLS12-381 pairing-friendly elliptic curve construction with some extra tooling needed by the Dusk team
homepagehttps://github.com/dusk-network/bls12_381
repositoryhttps://github.com/dusk-network/bls12_381
max_upload_size
id488634
size492,427
(ashWhiteHat)

documentation

https://github.com/dusk-network/bls12_381

README

Build Status Repository Documentation

THIS CRATE IS A FORK OF https://github.com/zkcrypto/bls12_381 where the Dusk-Network team has added a variety of tools required by other libraries built on the top of this one. The 99% of the library stills being done by @ebfull and you SHOULD NOT use this one unless you need a specific tool that we've implemented and it's not on the original library.

Extra tools added to the original bls12_381 lib:

  • Add serde support for every single data structure in the crate that is exported.
  • Add various multiscalar_mul algorithms.
  • Use std & endo as a default feature.
  • Impl Iter Sum & Product for Scalar.
  • Implement random for Scalar.
  • Implement XOR & AND for Scalar.
  • Add base_4 conversion fn (no longer required).
  • Impl Ord & PartialOrd for Scalar.
  • Implement w_naf_scalar_mul (71% faster than the original double-and-add impl).
  • Implement a reduce function wrapper for Scalar.
  • Expose some Scarlar-related Constants as public.

This crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction.

  • This implementation has not been reviewed or audited. Use at your own risk.
  • This implementation targets Rust 1.36 or later.
  • This implementation does not require the Rust standard library.
  • All operations are constant time unless explicitly noted.

Features

  • groups (on by default): Enables APIs for performing group arithmetic with G1, G2, and GT.
  • pairings (on by default): Enables some APIs for performing pairings.
  • alloc (on by default): Enables APIs that require an allocator; these include pairing optimizations.
  • nightly: Enables subtle/nightly which tries to prevent compiler optimizations that could jeopardize constant time operations. Requires the nightly Rust compiler.
  • endo: Enables optimizations that leverage curve endomorphisms, which may run foul of patents US7110538B2 and US7995752B2 set to expire in September 2020.
  • parallel (on by default): Enables rayon usage for higly parallelizable ops such as multiscalar multiplication.
  • canon: Enables the usage of canonical for WASM-related serialization usages.

Documentation

Curve Description

BLS12-381 is a pairing-friendly elliptic curve construction from the BLS family, with embedding degree 12. It is built over a 381-bit prime field GF(p) with...

  • z = -0xd201000000010000
  • p = (z - 1)2(z4 - z2 + 1) / 3 + z
    • = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
  • q = z4 - z2 + 1
    • = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001

... yielding two source groups G1 and G2, each of 255-bit prime order q, such that an efficiently computable non-degenerate bilinear pairing function e exists into a third target group GT. Specifically, G1 is the q-order subgroup of E(Fp) : y2 = x3 + 4 and G2 is the q-order subgroup of E'(Fp2) : y2 = x3 + 4(u + 1) where the extension field Fp2 is defined as Fp(u) / (u2 + 1).

BLS12-381 is chosen so that z has small Hamming weight (to improve pairing performance) and also so that GF(q) has a large 232 primitive root of unity for performing radix-2 fast Fourier transforms for efficient multi-point evaluation and interpolation. It is also chosen so that it exists in a particularly efficient and rigid subfamily of BLS12 curves.

Curve Security

Pairing-friendly elliptic curve constructions are (necessarily) less secure than conventional elliptic curves due to their small "embedding degree". Given a small enough embedding degree, the pairing function itself would allow for a break in DLP hardness if it projected into a weak target group, as weaknesses in this target group are immediately translated into weaknesses in the source group.

In order to achieve reasonable security without an unreasonably expensive pairing function, a careful choice of embedding degree, base field characteristic and prime subgroup order must be made. BLS12-381 uses an embedding degree of 12 to ensure fast pairing performance but a choice of a 381-bit base field characteristic to yield a 255-bit subgroup order (for protection against Pollard's rho algorithm) while reaching close to a 128-bit security level.

There are known optimizations of the Number Field Sieve algorithm which could be used to weaken DLP security in the target group by taking advantage of its structure, as it is a multiplicative subgroup of a low-degree extension field. However, these attacks require an (as of yet unknown) efficient algorithm for scanning a large space of polynomials. Even if the attack were practical it would only reduce security to roughly 117 to 120 bits. (This contrasts with 254-bit BN curves which usually have less than 100 bits of security in the same situation.)

Alternative Curves

Applications may wish to exchange pairing performance and/or G2 performance by using BLS24 or KSS16 curves which conservatively target 128-bit security. In applications that need cycles of elliptic curves for e.g. arbitrary proof composition, MNT6/MNT4 curve cycles are known that target the 128-bit security level. In applications that only need fixed-depth proof composition, curves of this form have been constructed as part of Zexe.

Acknowledgements

Please see Cargo.toml for a list of primary authors of this codebase.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Commit count: 304

cargo fmt