This repository has been archived by the owner on Dec 18, 2023. It is now read-only.

Consider implementing BLS27-319 #16

Closed
jon-chuang opened this issue Mar 31, 2020 · 0 comments

Comments

@jon-chuang

If we are considering a model in which a group of users are willing to trust a server to preserve their functional privacy, one could consider proof batching. Value privacy is still preserved if the user generates their own proof. If not, the user can also delegate this.

In this setting, it seems that the Miller loop arithmetic complexity is the most important number, at least for batching for Groth16, in which case BLS27, which has both the lowest arithmetic complexity and G1 size among all curves considered at the 128-bit security level in the 2019 review on pairings, should be considered.

Taking into account Cheon's attack, I propose to find a curve with a 319-bit modulus, which would have a subgroup of size about 275 bits, giving a security of 125 bits with powers of tau up to 2^23.

@jon-chuang jon-chuang changed the title Batching Groth16, consideration of BLS27-319 for batching Batching Groth16, consideration of BLS27-319 Mar 31, 2020
@Pratyush Pratyush transferred this issue from arkworks-rs/snark Nov 20, 2020
@Pratyush Pratyush changed the title Batching Groth16, consideration of BLS27-319 Consider implementing BLS27-319 Nov 20, 2020
@Pratyush Pratyush closed this as not planned Dec 18, 2023