Try โ€‚โ€‰HackMD

Multiset hashing based on elliptic curves

References:

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More โ†’

(screenshot from SP1 V4 turbo note)

Discussion

An extension degree

k=7 gets a security level of:

This is fine for their targetted security level of 100 bits.

However arithmetic over

Fp7 is cumbersome to implement out-circuit. So choosing
k=6 or
8 is preferable to use Karatsuba and Toom-Cook routines. A
k=6 extension gets:

A

k=8 extension gets:

Fp8 can be simply represented as
Fp[z]/z8โˆ’11 and the prime-order following curve can be instantiated:
(E/Fp8):Y2=X3โˆ’3X+32z5
This curve has the prime order:
r=0x98c29b8b2f1b6f4c0a66714470a403628e1deb2a36f88d57337f85c4e42c99.

Note that since the coefficient

A cannot be
0, we choose
A=โˆ’3 to benefit from an optimization when using Jacobian coordinates EFD.
Out-circuit the octic extension can be implemented as follows
Fp2=Fp[x]/x2โˆ’11,
Fp4=Fp2[y]/y2โˆ’x and
Fp8=Fp4[z]/z2โˆ’y using Karatsuba-over-Karatsuba-over-Karatsuba for the arithmetic.

Koala-bear case

A similar effort can be conducted with Koala-Bear prime for Linea use-case. Given

p=231โˆ’224+1 of 31 bits, we find the elliptic curve:

(E/Fp8):Y2=X3โˆ’3X+17z5
with prime order:
r=0xf06e44682c2aa440f5f26a5ae1748fec171df66abbdb81ad07f36ed81b9049

and

Fp[z]/z8โˆ’3, or equivalently
Fp2=Fp[x]/x2โˆ’3,
Fp4=Fp2[y]/y2โˆ’x and
Fp8=Fp4[z]/z2โˆ’y.

The security analysis is similar:

If we end up not caring about the performance out-circuit and we only focus on the in-circuit cost, we can choose a

7-th extension and implement the arithmetic in circuit over
Fp7 using the randomized Schwartz-Zippel trick (Feltroid post). We find the following parameters:

  • Fp7=Fp[z]/z7+z+4    ,
  • (E/Fp7):Y2=X3+9X+15z5     and
  • prime order
    r=0x1e4a5d47579fd9acc910bb689b459f0a9ba4adbefb76f53ab9c25b3.

The security analysis is similar:

Last changed by 
โ€‰
Youssef El Housni
Applied researcher @ConsenSys. I do crytography and zk-stuff @gnark and @Linea.
0
89

Read more

Fake GLV in-circuit

Let E be an elliptic curve defined over the prime field \mathbb{F}_p and let r be a prime divisor of the curve order \#E(\mathbb{F}_p).Let s \in \mathbb{F}_r and P=(x,y) \in E(\mathbb{F}_p), we are interested in proving scalar multiplication s\cdot P over the r-torsion subgroup of E, denoted E[r].

Sep 12, 2024
Notes about optimizing emulated pairing (part 2)

This note focuses on the techniques used for optimizing the emulated bilinear pairing circuit in gnark library. This is the part 2 of the part 1 by @ivokub.

Jul 4, 2023
BN254 pairing in gnark vs. google and cloudflare

A "potential security issue" in gnark-crypto was mentioned in the EF security call and was later reported to the gnark team by Besu, geth and EF teams. It was about a BN254 pairing value not consistant with google and cloudflare implementations discovered by the geth fuzzer. :::info TL;DR there is no bug. Starting from v0.8.0, gnark-crypto uses a different algorithm for the final exponentiation that outputs different (correct) results compared to google and cloudflare. ::: Example of a failing test vector: bn256.G1(192c207ae0491ac1b74673d0f05126dc5a3c4fa0e6d277492fe6f3f6ebb4880c, 168b043bbbd7ae8e60606a7adf85c3602d0cd195af875ad061b5a6b1ef19b645) bn256.G2((07caa9e61fc843cf2f3769884e7467dd341a07fac1374f901d6e0da3f47fd2ec, 2b31ee53ccd0449de5b996cb8159066ba398078ec282102f016265ddec59c354), (1b38870e413a29c6b0b709e0705b55ab61ccc2ce24bbee322f97bb40b1732a4b, 28d255308f12e81dc16363f0f4f1410e1e9dd297ccc79032c0379aeb707822f9))

May 15, 2023
Elliptic nets

Let $E$ be an elliptic curve $y^2 = x^3 + ax +b$ over some finite field $\mathbb{F}_p$, where $p$ is a prime $\ne 2, 3$. For simplicity, let's focus on $j$-invariant $0$ i.e. $y^2=x^3+b$. With division polynomials, one can come up with the following formulas due to Katherine E. Stange. input: $P = (x_1,y_1)$ output: $[n]P = (x_n, y_n)$ where $x_n=x_1โˆ’\frac{W(n-1, 0)\cdot W(n+ 1, 0)}{W(n, 0)^2}$ $y_n=\frac{W(nโˆ’ 1, 0)^2 \cdot W(n+ 2, 0) โˆ’W(n+1, 0)^2 \cdot W(nโˆ’ 2, 0)}{4y_1 \cdot W(n, 0)^3}$ With:

Apr 26, 2023
Read more from Youssef El Housni
Published on HackMD