{
  "id": 18206280,
  "url": "https://github.com/dusk-network/bls12_381",
  "last_synced_at": "2025-12-30T04:19:43.126Z",
  "repository": {
    "id": 37867172,
    "uuid": "244313821",
    "full_name": "dusk-network/bls12_381",
    "owner": "dusk-network",
    "description": "Implementation of the BLS12-381 pairing-friendly elliptic curve group with extra features needed by the Dusk-Network team",
    "archived": false,
    "fork": true,
    "pushed_at": "2025-02-27T15:03:55.000Z",
    "size": 850,
    "stargazers_count": 22,
    "open_issues_count": 5,
    "forks_count": 20,
    "subscribers_count": 8,
    "default_branch": "master",
    "last_synced_at": "2025-03-28T04:11:54.050Z",
    "etag": null,
    "topics": [],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "Rust",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": "zkcrypto/bls12_381",
    "license": "other",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/dusk-network.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": "CHANGELOG.md",
        "contributing": null,
        "funding": null,
        "license": "LICENSE-APACHE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null
      }
    },
    "created_at": "2020-03-02T08:05:52.000Z",
    "updated_at": "2025-02-27T15:03:57.000Z",
    "dependencies_parsed_at": "2023-10-11T15:38:23.084Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/dusk-network/bls12_381",
    "commit_stats": {
      "total_commits": 190,
      "total_committers": 16,
      "mean_commits": 11.875,
      "dds": 0.7842105263157895,
      "last_synced_commit": "96b039e76a65dcb6f977380a445e700ba2b6fc58"
    },
    "previous_names": [],
    "tags_count": 28,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dusk-network%2Fbls12_381",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dusk-network%2Fbls12_381/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dusk-network%2Fbls12_381/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dusk-network%2Fbls12_381/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dusk-network",
    "download_url": "https://codeload.github.com/dusk-network/bls12_381/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 246841481,
      "owners_count": 20842603,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": [],
  "created_at": "2024-11-03T12:01:14.788Z",
  "updated_at": "2025-12-12T14:06:22.742Z",
  "avatar_url": "https://github.com/dusk-network.png",
  "language": "Rust",
  "funding_links": [],
  "categories": ["Libraries"],
  "sub_categories": ["Cryptography"],
  "readme": "![Build Status](https://github.com/dusk-network/bls12_381/workflows/Continuous%20integration/badge.svg)\n[![Repository](https://img.shields.io/badge/github-dusk--bls12_381-blueviolet?logo=github)](https://github.com/dusk-network/bls12_381)\n[![Documentation](https://img.shields.io/badge/docs-dusk--bls12_381-blue?logo=rust)](https://docs.rs/dusk-bls12_381/)\n\n> :warning: THIS CRATE IS A FORK OF [https://github.com/zkcrypto/bls12_381](https://github.com/zkcrypto/bls12_381/): The Dusk team has added a variety of tools required for its own uses on the top of the original library. You SHOULD NOT use this library unless you need a specific tool that we've implemented and is not available in the original.\n\n## Extra tools added to [bls12_381](https://github.com/zkcrypto/bls12_381/) lib:\n- Add serde support for every single data structure in the crate that is exported.\n- Add various multiscalar_mul algorithms.\n- Impl Iter Sum & Product for Scalar.\n- Implement hash for Scalar.\n- Implement XOR & AND for Scalar.\n- Add base_4 conversion fn (no longer required).\n- Impl Ord & PartialOrd for Scalar.\n- Implement w_naf_scalar_mul (71% faster than the original double-and-add impl).\n- Implement a reduce function wrapper for Scalar.\n- Expose some Scalar-related constants as public.\n- Add our own implementation of hashing to a Scalar.\n\nThis crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction.\n\n* **This implementation has not been reviewed or audited. Use at your own risk.**\n* This implementation targets Rust `1.56` or later.\n* This implementation does not require the Rust standard library.\n* All operations are constant time unless explicitly noted.\n\n## Features\n\n* `bits` (on by default): Enables APIs for obtaining bit iterators for scalars.\n* `groups` (on by default): Enables APIs for performing group arithmetic with G1, G2, and GT.\n* `pairings` (on by default): Enables some APIs for performing pairings.\n* `alloc` (on by default): Enables APIs that require an allocator; these include pairing optimizations.\n* `nightly`: Enables `subtle/nightly`, which tries to prevent compiler optimizations that could jeopardize constant time operations. Requires the nightly Rust compiler.\n* `experimental`: Enables experimental features. These features have no backwards-compatibility guarantees and may change at any time; users that depend on specific behaviour should pin an exact version of this crate. The current list of experimental features:\n  * Hashing to curves ([Internet Draft v12](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-12))\n* `parallel` (on by default): Enables `rayon` usage for highly parallelizable ops such as multiscalar multiplication.\n\n## [Documentation](https://docs.rs/dusk-bls12_381)\n\n## Curve Description\n\nBLS12-381 is a pairing-friendly elliptic curve construction from the [BLS family](https://eprint.iacr.org/2002/088), with embedding degree 12. It is built over a 381-bit prime field `GF(p)` with...\n\n* z = `-0xd201000000010000`\n* p = (z - 1)<sup>2</sup>(z<sup>4</sup> - z<sup>2</sup> + 1) / 3 + z\n\t* = `0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab`\n* q = z<sup>4</sup> - z<sup>2</sup> + 1\n\t* = `0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001`\n\n... yielding two **source groups** G<sub>1</sub> and G<sub>2</sub>, each of 255-bit prime order `q`, such that an efficiently computable non-degenerate bilinear pairing function `e` exists into a third **target group** G<sub>T</sub>. Specifically, G<sub>1</sub> is the `q`-order subgroup of E(F<sub>p</sub>) : y<sup>2</sup> = x<sup>3</sup> + 4 and G<sub>2</sub> is the `q`-order subgroup of E'(F<sub>p<sup>2</sup></sub>) : y<sup>2</sup> = x<sup>3</sup> + 4(u + 1) where the extension field F<sub>p<sup>2</sup></sub> is defined as F<sub>p</sub>(u) / (u<sup>2</sup> + 1).\n\nBLS12-381 is chosen so that `z` has small Hamming weight (to improve pairing performance) and also so that `GF(q)` has a large 2<sup>32</sup> primitive root of unity for performing radix-2 fast Fourier transforms for efficient multi-point evaluation and interpolation. It is also chosen so that it exists in a particularly efficient and rigid subfamily of BLS12 curves.\n\n### Curve Security\n\nPairing-friendly elliptic curve constructions are (necessarily) less secure than conventional elliptic curves due to their small \"embedding degree\". Given a small enough embedding degree, the pairing function itself would allow for a break in DLP hardness if it projected into a weak target group, as weaknesses in this target group are immediately translated into weaknesses in the source group.\n\nIn order to achieve reasonable security without an unreasonably expensive pairing function, a careful choice of embedding degree, base field characteristic and prime subgroup order must be made. BLS12-381 uses an embedding degree of 12 to ensure fast pairing performance but a choice of a 381-bit base field characteristic to yield a 255-bit subgroup order (for protection against [Pollard's rho algorithm](https://en.wikipedia.org/wiki/Pollard%27s_rho_algorithm)) while reaching close to a 128-bit security level.\n\nThere are [known optimizations](https://ellipticnews.wordpress.com/2016/05/02/kim-barbulescu-variant-of-the-number-field-sieve-to-compute-discrete-logarithms-in-finite-fields/) of the [Number Field Sieve algorithm](https://en.wikipedia.org/wiki/General_number_field_sieve) which could be used to weaken DLP security in the target group by taking advantage of its structure, as it is a multiplicative subgroup of a low-degree extension field. However, these attacks require an (as of yet unknown) efficient algorithm for scanning a large space of polynomials. Even if the attack were practical it would only reduce security to roughly 117 to 120 bits. (This contrasts with 254-bit BN curves which usually have less than 100 bits of security in the same situation.)\n\n### Alternative Curves\n\nApplications may wish to exchange pairing performance and/or G<sub>2</sub> performance by using BLS24 or KSS16 curves which conservatively target 128-bit security. In applications that need cycles of elliptic curves for e.g. arbitrary proof composition, MNT6/MNT4 curve cycles are known that target the 128-bit security level. In applications that only need fixed-depth proof composition, curves of this form have been constructed as part of Zexe.\n\n## Acknowledgements\n\nPlease see `Cargo.toml` for a list of primary authors of this codebase.\n\n## License\n\nLicensed under either of\n\n * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)\n * MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)\n\nat your option.\n\n### Contribution\n\nUnless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdusk-network%2Fbls12_381",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fdusk-network%2Fbls12_381",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdusk-network%2Fbls12_381/lists"
}