https://github.com/dusk-network/bls12_381
Implementation of the BLS12-381 pairing-friendly elliptic curve group with extra features needed by the Dusk-Network team
- Host: GitHub
- URL: https://github.com/dusk-network/bls12_381
- Owner: dusk-network
- License: other
- Fork: true (zkcrypto/bls12_381)
- Created: 2020-03-02T08:05:52.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-07-29T15:52:32.000Z (5 months ago)
- Last Synced: 2024-10-29T20:56:27.190Z (about 1 month ago)
- Language: Rust
- Homepage:
- Size: 789 KB
- Stars: 19
- Watchers: 9
- Forks: 20
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE-APACHE
Awesome Lists containing this project
- fucking-awesome-rust - dusk-network/bls12-381 - A Rust-native BLS12-381 with enhancements for zk performance: optimized multi-scalar multiplication, custom hashing, and serde support—ideal for privacy-focused protocols and zero-knowledge applications. ![Build Status](https://github.com/dusk-network/bls12_381/workflows/Continuous%20integration/badge.svg) [[dusk-bls12_381](https://crates.io/crates/dusk-bls12_381)] (Libraries / Cryptography)
- awesome-rust - dusk-network/bls12-381 - A Rust-native BLS12-381 with enhancements for zk performance: optimized multi-scalar multiplication, custom hashing, and serde support—ideal for privacy-focused protocols and zero-knowledge applications. ![Build Status](https://github.com/dusk-network/bls12_381/workflows/Continuous%20integration/badge.svg) [[dusk-bls12_381](https://crates.io/crates/dusk-bls12_381)] (Libraries / Cryptography)
README
![Build Status](https://github.com/dusk-network/bls12_381/workflows/Continuous%20integration/badge.svg)
[![Repository](https://img.shields.io/badge/github-dusk--bls12_381-blueviolet?logo=github)](https://github.com/dusk-network/bls12_381)
[![Documentation](https://img.shields.io/badge/docs-dusk--bls12_381-blue?logo=rust)](https://docs.rs/dusk-bls12_381/)

> :warning: THIS CRATE IS A FORK OF [https://github.com/zkcrypto/bls12_381](https://github.com/zkcrypto/bls12_381/): The Dusk team has added a variety of tools required for its own uses on top of the original library. You SHOULD NOT use this library unless you need a specific tool that we've implemented and that is not available in the original.
## Extra tools added to [bls12_381](https://github.com/zkcrypto/bls12_381/) lib:
- Add serde support for every single data structure in the crate that is exported.
- Add various multiscalar_mul algorithms.
- Impl Iter Sum & Product for Scalar.
- Implement hash for Scalar.
- Implement XOR & AND for Scalar.
- Add base_4 conversion fn (no longer required).
- Impl Ord & PartialOrd for Scalar.
- Implement w_naf_scalar_mul (71% faster than the original double-and-add impl).
- Implement a reduce function wrapper for Scalar.
- Expose some Scalar-related constants as public.
- Add our own implementation of hashing to a Scalar.

This crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction.
* **This implementation has not been reviewed or audited. Use at your own risk.**
* This implementation targets Rust `1.56` or later.
* This implementation does not require the Rust standard library.
* All operations are constant time unless explicitly noted.

## Features
* `bits` (on by default): Enables APIs for obtaining bit iterators for scalars.
* `groups` (on by default): Enables APIs for performing group arithmetic with G1, G2, and GT.
* `pairings` (on by default): Enables some APIs for performing pairings.
* `alloc` (on by default): Enables APIs that require an allocator; these include pairing optimizations.
* `nightly`: Enables `subtle/nightly`, which tries to prevent compiler optimizations that could jeopardize constant time operations. Requires the nightly Rust compiler.
* `experimental`: Enables experimental features. These features have no backwards-compatibility guarantees and may change at any time; users that depend on specific behaviour should pin an exact version of this crate. The current list of experimental features:
    * Hashing to curves ([Internet Draft v12](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-12))
* `parallel` (on by default): Enables `rayon` usage for highly parallelizable ops such as multiscalar multiplication.

## [Documentation](https://docs.rs/dusk-bls12_381)
## Curve Description
BLS12-381 is a pairing-friendly elliptic curve construction from the [BLS family](https://eprint.iacr.org/2002/088), with embedding degree 12. It is built over a 381-bit prime field `GF(p)` with...
* z = `-0xd201000000010000`
* p = (z - 1)<sup>2</sup>(z<sup>4</sup> - z<sup>2</sup> + 1) / 3 + z
    * = `0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab`
* q = z<sup>4</sup> - z<sup>2</sup> + 1
    * = `0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001`

... yielding two **source groups** G1 and G2, each of 255-bit prime order `q`, such that an efficiently computable non-degenerate bilinear pairing function `e` exists into a third **target group** GT. Specifically, G1 is the `q`-order subgroup of E(F<sub>p</sub>) : y<sup>2</sup> = x<sup>3</sup> + 4 and G2 is the `q`-order subgroup of E'(F<sub>p<sup>2</sup></sub>) : y<sup>2</sup> = x<sup>3</sup> + 4(u + 1) where the extension field F<sub>p<sup>2</sup></sub> is defined as F<sub>p</sub>(u) / (u<sup>2</sup> + 1).

BLS12-381 is chosen so that `z` has small Hamming weight (to improve pairing performance) and also so that `GF(q)` has a large 2<sup>32</sup> primitive root of unity for performing radix-2 fast Fourier transforms for efficient multi-point evaluation and interpolation. It is also chosen so that it exists in a particularly efficient and rigid subfamily of BLS12 curves.
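The parameter derivation above, as an added example that is not part of this README or of the crate: it computes p and q from z with the formulas given, compares them against the hex constants, and checks the claims the description makes (381-bit and 255-bit sizes, a 2<sup>32</sup>-th root of unity in `GF(q)`, a low-weight z) plus that p ≡ 3 mod 4, which is what makes u<sup>2</sup> + 1 irreducible so that F<sub>p</sub>(u) / (u<sup>2</sup> + 1) really is a field. The Miller-Rabin routine and the check function are my own helpers, not crate APIs.

```python
# Added example, not code from the dusk-bls12_381 crate: derive p and q from z
# with the README's formulas and check the properties the description claims.

Z = -0xd201000000010000  # BLS12 parameter z, as given in the README
P_HEX = "1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab"
Q_HEX = "73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001"


def bls12_params(z):
    # p = (z - 1)^2 (z^4 - z^2 + 1) / 3 + z and q = z^4 - z^2 + 1 (BLS12 family)
    q = z**4 - z**2 + 1
    num, rem = divmod((z - 1) ** 2 * q, 3)
    if rem:  # p is an integer only when z = 1 mod 3
        raise ValueError("z does not yield an integer p")
    return num + z, q


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    # Miller-Rabin with fixed bases: probabilistic for numbers of this size
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_bls12_381():
    # one entry per claim made in the Curve Description
    p, q = bls12_params(Z)
    return {
        "p_matches_readme": p == int(P_HEX, 16),
        "q_matches_readme": q == int(Q_HEX, 16),
        "p_bits": p.bit_length(),  # 381-bit base field
        "q_bits": q.bit_length(),  # 255-bit prime subgroup order
        "q_minus_1_two_adicity": ((q - 1) & -(q - 1)).bit_length() - 1,  # 2^32 | q - 1
        "z_hamming_weight": bin(-Z).count("1"),  # low weight => short Miller loop
        "p_mod_4": p % 4,  # 3 => -1 is a non-residue, so u^2 + 1 is irreducible over Fp
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime(q),
    }
```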
### Curve Security
Pairing-friendly elliptic curve constructions are (necessarily) less secure than conventional elliptic curves due to their small "embedding degree". Given a small enough embedding degree, the pairing function itself would allow for a break in DLP hardness if it projected into a weak target group, as weaknesses in this target group are immediately translated into weaknesses in the source group.
In order to achieve reasonable security without an unreasonably expensive pairing function, a careful choice of embedding degree, base field characteristic and prime subgroup order must be made. BLS12-381 uses an embedding degree of 12 to ensure fast pairing performance but a choice of a 381-bit base field characteristic to yield a 255-bit subgroup order (for protection against [Pollard's rho algorithm](https://en.wikipedia.org/wiki/Pollard%27s_rho_algorithm)) while reaching close to a 128-bit security level.
There are [known optimizations](https://ellipticnews.wordpress.com/2016/05/02/kim-barbulescu-variant-of-the-number-field-sieve-to-compute-discrete-logarithms-in-finite-fields/) of the [Number Field Sieve algorithm](https://en.wikipedia.org/wiki/General_number_field_sieve) which could be used to weaken DLP security in the target group by taking advantage of its structure, as it is a multiplicative subgroup of a low-degree extension field. However, these attacks require an (as yet unknown) efficient algorithm for scanning a large space of polynomials. Even if the attack were practical it would only reduce security to roughly 117 to 120 bits. (This contrasts with 254-bit BN curves which usually have less than 100 bits of security in the same situation.)
### Alternative Curves
Applications may wish to exchange pairing performance and/or G2 performance by using BLS24 or KSS16 curves which conservatively target 128-bit security. In applications that need cycles of elliptic curves for e.g. arbitrary proof composition, MNT6/MNT4 curve cycles are known that target the 128-bit security level. In applications that only need fixed-depth proof composition, curves of this form have been constructed as part of Zexe.
## Acknowledgements
Please see `Cargo.toml` for a list of primary authors of this codebase.
## License
Licensed under either of
* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)

at your option.
### Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.