[curves] Curves for pairings

Zooko Wilcox-OHearn zooko at leastauthority.com
Mon Sep 26 22:28:35 PDT 2016


following-up to my own post

On Sun, Sep 25, 2016 at 11:58 PM, Zooko Wilcox-OHearn
<zooko at leastauthority.com> wrote:
>
> b) Pairing performance is critical for us. A curve like Michael Scott
> suggested that took 2.5 times as long for a pairing operation would
> almost certainly blow our performance budget and we'd have to do some
> serious re-engineering to get it back.

I was totally wrong about this. Our performance bottleneck is in a
path (zk-SNARK proving) that doesn't require pairing operations, so
using a curve which was 2.5 times slower at pairing operations would
not worsen our performance issues. However, if it was also 2.5 times slower
for curve operations, then it would.

Proving time:

https://speed.z.cash/timeline/?exe=1&base=1%2B9&ben=time+createjoinsplit&env=1&revs=1000&equid=off&quarts=on&extr=on

Verifying time:

https://speed.z.cash/timeline/?exe=1&base=1%2B9&ben=time+verifyjoinsplit&env=1&revs=1000&equid=off&quarts=on&extr=on

I guess it might also be an issue if our verifier took a lot longer,
but it's currently unclear how serious of a problem that would be.

Also, Zcash engineer Sean Bowe said this to me, and I completely don't
understand what he is talking about so I'm just writing it in here
verbatim:

"hopefully if work is done on BLS curves, they will select a curve
that works well for snarks. i.e. with group order p such that p-1 is a
multiple of 2^28 or another large power of 2"

Sincerely,

Zooko
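
An added example, not part of the original post or of Zcash's code, illustrating the criterion in the quoted remark: it computes the largest power of 2 dividing p-1 and checks whether F_p contains an element of order exactly 2^28, which is the subgroup a radix-2 FFT of that size needs. The two sample group orders (the published scalar-field moduli of BN254 and BLS12-381) and all function names are assumptions chosen for illustration; the post names neither curve.

```python
# Assumption: sample prime group orders, not taken from the post.
BN254_R = 0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001
BLS12_381_R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001


def two_adicity(p):
    """Return (s, t) with p - 1 == 2**s * t and t odd."""
    t, s = p - 1, 0
    while t % 2 == 0:
        t //= 2
        s += 1
    return s, t


def root_of_unity(p, k):
    """Return an element of exact order 2**k in F_p* (p prime, k >= 1),
    or None when 2**k does not divide p - 1."""
    s, t = two_adicity(p)
    if k > s:
        return None
    for g in range(2, 1000):
        # Euler's criterion: g is a non-residue iff g^((p-1)/2) == -1 mod p.
        if pow(g, (p - 1) // 2, p) == p - 1:
            w = pow(g, t, p)                 # order exactly 2**s
            return pow(w, 1 << (s - k), p)   # order exactly 2**k
    raise ValueError("no quadratic non-residue found below 1000")


def has_exact_order(w, p, k):
    """True if w has multiplicative order exactly 2**k modulo p (k >= 1)."""
    return pow(w, 1 << k, p) == 1 and pow(w, 1 << (k - 1), p) == p - 1


def supports_fft_size(p, k):
    """True if F_p has a multiplicative subgroup of order 2**k."""
    w = root_of_unity(p, k)
    return w is not None and has_exact_order(w, p, k)


if __name__ == "__main__":
    for name, p in (("BN254", BN254_R), ("BLS12-381", BLS12_381_R)):
        s, _ = two_adicity(p)
        print(f"{name}: p-1 divisible by 2^{s}; "
              f"2^28 domain available: {supports_fft_size(p, 28)}")
```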
