Abstract
A recent area of interest in cryptography is recursive composition of proof systems. One of the approaches to make recursive composition efficient involves cycles of pairing-friendly elliptic curves of prime order. However, known constructions have very low embedding degrees. This entails large parameter sizes, which makes the overall system inefficient. In this paper, we explore 2-cycles composed of curves from families parameterized by polynomials, and show that such cycles do not exist unless a strong condition holds. As a consequence, we prove that no 2-cycles can arise from the known families, except for those cycles already known. Additionally, we show some general properties about cycles, and provide a detailed computation on the density of pairing-friendly cycles among all cycles.
Authors are listed in alphabetical order (https://www.ams.org/profession/leaders/CultureStatement04.pdf).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Other works take \(|d |\) as the discriminant.
- 2.
Furthermore, numerical experiments easily find many tuples (t, p, q) with low degree and small coefficients satisfying conditions 1–4, but unfortunately not condition 5.
- 3.
In [3], the authors define pairing friendliness as having an embedding degree \(k \le (\log q)^2\). We will keep the bound as an unspecified parameter K.
References
SageMath code from Appendix C. GitHub repository (2022). https://github.com/pairingfriendlycycles/pairing-friendly-cycles/tree/main
Aranha, D.F., Housni, Y.E., Guillevic, A.: A survey of elliptic curves for proof systems. Cryptology ePrint Archive, Paper 2022/586 (2022)
Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. J. Cryptol. 11(2), 141–145 (1998)
Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_19
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22
Beckenbach, E.F., Bellman, R.: Inequalities (1961)
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Scalable zero knowledge via cycles of elliptic curves. Algorithmica 79(4), 1102–1160 (2017)
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, pp. 326–349 (2012)
Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo Infinite: recursive zk-SNARKs from any additive polynomial commitment scheme. Cryptology ePrint Archive (2020)
Bonneau, J., Meckler, I., Rao, V., Shapiro, E.: Mina: decentralized cryptocurrency at scale. New York Univ. O(1) Labs, New York, NY, USA, Whitepaper, pp. 1–47 (2020)
Bowe, S., Grigg, J., Hopwood, D.: Recursive proof composition without a trusted setup. Cryptology ePrint Archive (2019)
Bünz, B., Chiesa, A., Lin, W., Mishra, P., Spooner, N.: Proof-carrying data without succinct arguments. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 681–710. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_24
Bünz, B., Chiesa, A., Mishra, P., Spooner, N.: Proof-carrying data from accumulation schemes. Cryptology ePrint Archive (2020)
Cahen, P.J., Chabert, J.L.: What you should know about integer-valued polynomials. Am. Math. Mon. 123(4), 311–337 (2016)
Chiesa, A., Chua, L., Weidner, M.: On cycles of pairing-friendly elliptic curves. SIAM J. Appl. Algebra Geometry 3(2), 175–192 (2019)
Chiesa, A., Tromer, E.: Proof-carrying data and hearsay arguments from signature cards. In: ICS, vol. 10, pp. 310–331 (2010)
Chiesa, A., Tromer, E., Virza, M.: Cluster computing in zero knowledge. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 371–403. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_13
Costello, C., et al.: Geppetto: versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, pp. 253–270 (2015). https://doi.org/10.1109/SP.2015.23
Cox, D.A.: Primes of the Form \(x^2 + ny^2\): Fermat, Class Field Theory, and Complex Multiplication. Wiley, Hoboken (1989)
El Housni, Y., Guillevic, A.: Families of SNARK-friendly 2-chains of elliptic curves. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 367–396. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_13
Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_32
Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10 (2006). https://theory.stanford.edu/dfreeman/talks/ants.pdf, presentation slides from ANTS-VII
Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010)
Frey, G., Rück, H.G.: A remark concerning \(m\)-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comput. 62(206), 865–874 (1994)
Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PlonK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive (2019)
Galbraith, S.D., McKee, J.F., Valença, P.C.: Ordinary abelian varieties having small embedding degree. Finite Fields Appl. 13(4), 800–814 (2007)
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Karabina, K., Teske, E.: On prime-order elliptic curves with embedding degrees k = 3, 4, and 6. In: van der Poorten, A.J., Stein, A. (eds.) ANTS 2008. LNCS, vol. 5011, pp. 102–117. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79456-1_6
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11
Kattis, A., Bonneau, J.: Proof of necessary work: succinct state verification with fairness guarantees. Cryptology ePrint Archive (2020)
Koblitz, N.: Elliptic curve implementation of zero-knowledge blobs. J. Cryptol. 4(3), 207–213 (1991). https://doi.org/10.1007/BF00196728
Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. (2) 126(3), 649–673 (1987)
Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Information Theory 39(5), 1639–1646 (1993)
Migotti, A.: Zur Theorie der Kreisteilungsgleichung. B. der Math.-Naturwiss, Classe der Kaiserlichen Akademie der Wissenschaften, Wien 87, 7–14 (1883)
Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(5), 1234–1243 (2001)
Montgomery, H.L., Vaughan, R.C.: The large sieve. Mathematika 20(2), 119–134 (1973)
Naveh, A., Tromer, E.: PhotoProof: cryptographic image authentication for any set of permissible transformations. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 255–271. IEEE (2016)
Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: Nearly Practical Verifiable Computation, vol. 59, pp. 238–252 (2013). https://doi.org/10.1109/SP.2013.47
Pegg, E.J.: Bouniakowsky conjecture. MathWorld-A Wolfram Web Resource, created by Eric W. Weisstein. https://mathworld.wolfram.com/BouniakowskyConjecture.html
Silverman, J.H.: The Arithmetic of Elliptic Curves, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6
Silverman, J.H., Stange, K.E.: Amicable pairs and aliquot cycles for elliptic curves. Exp. Math. 20(3), 329–357 (2011)
Smart, N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12, 193–196 (1999)
Sutherland, A.V.: Accelerating the CM method. LMS J. Comput. Math. 15, 172–204 (2012)
Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1
Acknowledgements
The second author is partially supported by Dusk Network and the Spanish grant PID2019-110224RB-I00.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Polynomial Division
In this section, we show that \(p(X)^\ell \bmod {q(X)}\) is an integer-valued polynomial, when \(E \leftrightarrow (t, p, q)\) are either the MNT3 or BN curves. This is completely analogous to the argument in Remark 4.6.
MNT3 Curves. In this case, \(q(X) = 12X^2 - 1\). We proceed by induction on \(\ell \). For \(\ell = 1\), we have that
which is of the form \(6aX + b\), for some \(a, b\in \mathbb {Z}\). We show that, if \(p^\ell \bmod q\) is of this form, then so is \(p^{\ell +1}\bmod {q}\). Then all the remainders will actually be in \(\mathbb {Z}[X]\).
Assume that there exist \(a, b, c, d \in \mathbb {N}\) such that
Then
Since the coefficient of degree 1 is divisible by 6, the induction step works.
BN Curves. In this case, \(q(X) = 36X^4 + 36X^3 + 24X^2 + 6X + 1\). Assume that there exist \(a, b, c, d \in \mathbb {N}\) such that
for some \(a, b, c, d\in \mathbb {Z}\). Then
Since the coefficient of degree 3 is divisible by 36, and the coefficients of degree 2 and 1 are divisible by 6, the induction step works.
B Tables
C SageMath Code
This code is available at [1].
Setup
MNT3() , MNT4() , MNT6() , Freeman() , BN()
These functions return the set of polynomials that define the families of curves MNT3, MNT4, MNT6, Freeman, and BN, respectively.
The expected outputs are:
-
t: polynomial \(t(X)\in \mathbb {Q}[X]\) that parameterizes the trace.
-
p: polynomial \(p(X)\in \mathbb {Q}[X]\) that parameterizes the order of the curves.
-
q: polynomial \(q(X)\in \mathbb {Q}[X]\) that parameterizes the order of the finite field over which the curve is defined.
Code for Proposition 4.1
candidate_embedding_degrees(Family, K_low, K_high)
Given a family of curves, this function computes the possible embedding degrees of curves that may form 2-cycles with a curve of the given family.
The expected inputs are:
-
Family: a polynomial parameterization (t(X), p(X), q(X)) of a family of pairing-friendly elliptic curves with prime order.
-
K_low, K_high: lower and upper bounds on the embedding degree to look for.
The expected outputs are:
-
embedding_degrees: a list of potential embedding degrees k such that \(\texttt {K\_low} \le k \le \texttt {K\_high}\) and a curve from the family might form a cycle with a curve with embedding degree k.
-
modular_conditions: conditions on \(x\bmod {k}\) for each of these k.
Auxiliary functions
is_integer_valued(g)
This function checks whether a given polynomial g is integer-valued. It returns True if so, and False otherwise. The test is based on the fact that a polynomial \(g\in \mathbb {Q}[X]\) is integer-valued if and only if \(g(x)\in \mathbb {Z}\) for \(\textrm{deg}\,g + 1\) consecutive \(x\in \mathbb {Z}\) [14, Corollary 2].
find_relevant_root(w, b, side)
This function finds the left-most or right-most root of a polynomial \(b(X)\in \mathbb {Q}[X]\).
The expected inputs are:
-
w: positive integer.
-
b: polynomial \(b(X)\in \mathbb {Q}[X]\).
-
side: this parameter specifies which root to keep. If side = -1, then the function takes the left-most root, and if side = 1, it returns the right-most root.
The expected output is the relevant extremal root.
check_embedding_degree(px, qx, k)
This function determines whether k is the smallest positive integer such that \((\texttt {px}^k - 1) \pmod {\texttt {qx}} = 1\), and outputs \(\texttt {True/False}\).
Code for Table 3
compute_bounds(a, b)
This function computes the bounds \(N_{\textsf{left}}, N_{\textsf{right}}\) of Lemma 4.4. This function has been used to produce the results of tables from Table 3. It uses the auxiliary functions from Appendix C.
The expected inputs are:
-
a, b: two integer-valued polynomials in \(\mathbb {Q}[X]\).
The expected outputs are:
-
N_left, N_right: integer bounds \(N_{\textsf{left}}, N_{\textsf{right}}\) described in Lemma 4.4.
Code for Corollary 4.8
exhaustive_search(Family, k, N_left, N_right, mod_cond)
This function performs the exhaustive search from Corollary 4.8 within the intervals \([N_{\textsf{left}}, N_{\textsf{right}}]\).
The expected inputs are:
-
Family: a polynomial parameterization (t(X), p(X), q(X)) of a family of pairing-friendly elliptic curves with prime order.
-
k: an embedding degree.
-
N_left, N_right: upper and lower integer bounds.
-
mod_cond: conditions on \(x\bmod {\texttt {k}}\) for every x in the interval \([\texttt {N\_left, N\_right}]\).
The expected output is:
-
curves: a list of curve descriptions (x, k, t(x), p(x), q(x)) such that \(x\in [\texttt {N\_left, N\_right}]\), and the curve parameterized by (t(x), p(x), q(x)) forms a cycle with a curve with embedding degree k.
1.1 Main function
search_for_cycles(Family, K_low, K_high)
This function looks for 2-cycles formed by a curve belonging to a given parameterized family of curves and a prime-order curve with an embedding degree between two given bounds.
The expected inputs are:
-
Family: a polynomial parameterization (t(X), p(X), q(X)) of a family of pairing-friendly elliptic curves with prime order.
-
K_low, K_high: integer lower and upper bounds on the embedding degree to look for.
The function prints to a file all 2-cycles involving a curve from the family and a prime-order curve with embedding degree \(\texttt {K\_low} \le k \le \texttt {K\_high}\).
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Bellés-Muñoz, M., Jiménez Urroz, J., Silva, J. (2023). Revisiting Cycles of Pairing-Friendly Elliptic Curves. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14082. Springer, Cham. https://doi.org/10.1007/978-3-031-38545-2_1
Download citation
DOI: https://doi.org/10.1007/978-3-031-38545-2_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38544-5
Online ISBN: 978-3-031-38545-2
eBook Packages: Computer ScienceComputer Science (R0)