This repository has been archived by the owner on Dec 18, 2023. It is now read-only.
If we are considering a model in which a group of users are willing to trust a server to preserve their functional privacy, one could consider proof batching. Value privacy is still preserved if the user generates their own proof. If not, the user can also delegate this.
In this setting, it seems that the Miller loop arithmetic complexity is the most important number, at least for batching for Groth16, in which case BLS27, which has both the lowest arithmetic complexity and G1 size among all curves considered at the 128-bit security level in the 2019 review on pairings, should be considered.
Taking into account Cheon's attack, I propose to find a curve with a 319-bit modulus, which would have a subgroup of size about 275 bits, giving a security of 125 bits with powers of tau up to 2^23.
jon-chuang changed the title from "Batching Groth16, consideration of BLS27-319 for batching" to "Batching Groth16, consideration of BLS27-319" on Mar 31, 2020