[curves] Curve cycles

Discussion:

Jeff Burdges

2018-08-18 12:28:46 UTC

Is anyone actively working on cycles of pairing friendly elliptic curves?

In other words, each curveâs field of definition is the scalar field of itâs predecessor, which makes recursive composition of SNARKs not totally insane:
https://www.iacr.org/archive/crypto2014/86160202/86160202.pdf

Iâd think youâd want to explore a lot of possible optimisations beyond that paper before trying to use something like this, so maybe someone has tried?

In practice, Iâm unsure if recursively composed SNARKs really give you much since, if you want to add a SNARK layer, then you still need access to some large database, but.. that discussion might veer off topic for here.

Best,
Jeff

p.s. Weâre hiring cryptographers at the web 3 foundation : https://web3.foundation/jobs

Michael Scott

2018-08-18 13:10:31 UTC

Permalink

I really don't expect any other cycles to be found, outside the simple MNT
case. The search for pairing-friendly curves is I suspect largely complete
at this stage.

Mike Scott

Post by Jeff Burdges
Is anyone actively working on cycles of pairing friendly elliptic curves?
In other words, each curveâs field of definition is the scalar field of
itâs predecessor, which makes recursive composition of SNARKs not totally
https://www.iacr.org/archive/crypto2014/86160202/86160202.pdf
Iâd think youâd want to explore a lot of possible optimisations beyond
that paper before trying to use something like this, so maybe someone has
tried?
In practice, Iâm unsure if recursively composed SNARKs really give you
much since, if you want to add a SNARK layer, then you still need access to
some large database, but.. that discussion might veer off topic for here.
Best,
Jeff
https://web3.foundation/jobs
_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves

Watson Ladd

2018-08-18 16:08:21 UTC

Permalink

But now there is a number theory problem: prove the examples we have are it
or find more.

And I don't believe this has been approched.

Post by Michael Scott
I really don't expect any other cycles to be found, outside the simple

MNT case. The search for pairing-friendly curves is I suspect largely
complete at this stage.

Post by Michael Scott
Mike Scott

Post by Jeff Burdges
Is anyone actively working on cycles of pairing friendly elliptic curves?
In other words, each curveâs field of definition is the scalar field of

itâs predecessor, which makes recursive composition of SNARKs not totally

Post by Michael Scott

Post by Jeff Burdges
https://www.iacr.org/archive/crypto2014/86160202/86160202.pdf
Iâd think youâd want to explore a lot of possible optimisations beyond

that paper before trying to use something like this, so maybe someone has
tried?

Post by Michael Scott

Post by Jeff Burdges
In practice, Iâm unsure if recursively composed SNARKs really give you

much since, if you want to add a SNARK layer, then you still need access to
some large database, but.. that discussion might veer off topic for here.

Post by Michael Scott

Post by Jeff Burdges
Best,
Jeff

https://web3.foundation/jobs

Post by Michael Scott

Post by Jeff Burdges
_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves

_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves

Jeff Burdges

2018-08-31 09:28:42 UTC

Permalink

I really don't expect any other cycles to be found, outside the simple MNT case. The search for pairing-friendly curves is I suspect largely complete at this stage.

Interesting. It looks like the authors estimated an 80 bit security level for the curve cycle they explored/recommended.

If I understand, the more recent NFS improvements that impact BN curves do not impact these MNT curves much, as folks had unrelated concerns about their security that were already incorporated.
https://ellipticnews.wordpress.com/2016/05/02/kim-barbulescu-variant-of-the-number-field-sieve-to-compute-discrete-logarithms-in-finite-fields/

Is anyone actively working on cycles of pairing friendly elliptic curves?
https://www.iacr.org/archive/crypto2014/86160202/86160202.pdf
Iâd think youâd want to explore a lot of possible optimisations beyond that paper before trying to use something like this, so maybe someone has tried?
In practice, Iâm unsure if recursively composed SNARKs really give you much since, if you want to add a SNARK layer, then you still need access to some large database, but.. that discussion might veer off topic for here.
Best,
Jeff
p.s. Weâre hiring cryptographers at the web 3 foundation : https://web3.foundation/jobs
_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves
_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves

Continue reading on narkive:

Search results for '[curves] Curve cycles' (Questions and Answers)

replies

Curved Lines- things to draw?

started 2008-09-10 21:41:06 UTC

drawing & illustration

replies

how can i draw Sigmoid curve in excel/spss?

started 2011-09-08 22:43:13 UTC

science & mathematics

replies

What Happens When Girls Get Their Curves?