Paper 2022/1145

Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs

Rami Akeela, DZK Labs
Weikeng Chen, DZK Labs
Abstract

This note describes two pairing-friendly curves that embed ed25519, of different bit security levels. Our search is not novel; it follows the standard recipe of the Cocks-Pinch method. We implemented these two curves on arkworks-rs. This note is intended to document how the parameters are being generated and how to implement these curves in arkworks-rs 0.4.0, for further reference. We name the two curves as Yafa-108 and Yafa-146: - Yafa-108 is estimated to offer 108-bit security, which we parameterized to match the 103-bit security of BN254 - Yafa-146 is estimated to offer 146-bit security, which we parameterized to match the 132-bit security of BLS12-446 or 123-bit security of BLS12-381 We use these curves as an example to demonstrate two things: - The "elastic" zero-knowledge proof, Gemini (EUROCRYPT '22), is more than being elastic, but it is more curve-agnostic and hardware-friendly. - The cost of nonnative field arithmetics can be drastic, and the needs of application-specific curves may be inherent. This result serves as evidence of the necessity of EIP-1962, and the insufficiency of EIP-2537.

Note: Fixed a typo on two-arity for Yafa-108.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
EIPEVMCocks-Pinched25519recursionnonnativeSNARK
Contact author(s)
rami @ dzk org
weikeng @ dzk org
History
2023-05-03: last of 7 revisions
2022-09-03: received
See all versions
Short URL
https://ia.cr/2022/1145
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1145,
      author = {Rami Akeela and Weikeng Chen},
      title = {Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1145},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/1145}},
      url = {https://eprint.iacr.org/2022/1145}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.