[curves] Curves for pairings

Zooko Wilcox-OHearn zooko at leastauthority.com
Mon Sep 26 22:28:35 PDT 2016

Following up to my own post:

On Sun, Sep 25, 2016 at 11:58 PM, Zooko Wilcox-OHearn
<zooko at leastauthority.com> wrote:
> b) Pairing performance is critical for us. A curve like Michael Scott
> suggested that took 2.5 times as long for a pairing operation would
> almost certainly blow our performance budget and we'd have to do some
> serious re-engineering to get it back.

I was totally wrong about this. Our performance bottleneck is in a
path (zk-SNARK proving) that doesn't require pairing operations, so
using a curve which was 2.5 times slower at pairing operations would
not worsen our performance issues. However, if it was also 2.5 times
slower for curve operations, then it would.

Proving time:


Verifying time:


I guess it might also be an issue if our verifier took a lot longer,
but it's currently unclear how serious of a problem that would be.

Also, Zcash engineer Sean Bowe said this to me, and I completely don't
understand what he is talking about, so I'm just writing it in here:

"hopefully if work is done on BLS curves, they will select a curve
that works well for snarks. i.e. with group order p such that p-1 is a
multiple of 2^28 or another large power of 2"
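
Added example, not part of the original post: the criterion in the quote, as a check. When p-1 is a multiple of 2^k, the field F_p has an element of order 2^k, which is what a radix-2 FFT over that field needs; the sketch computes the 2-adicity of p-1, derives such a root of unity, and runs a small transform round trip. The primes P_GOOD and P_BAD are constructed samples, not parameters of any curve discussed in the thread.

```python
# Added illustration. P_GOOD and P_BAD are constructed sample primes,
# not group orders of any curve named in this thread.
P_GOOD = 3 * 2**30 + 1   # p-1 = 3 * 2^30, so 2^28 divides p-1
P_BAD = 2**31 - 1        # p-1 = 2 * (2^30 - 1), only one factor of 2

def two_adicity(n):
    """Largest s such that 2**s divides n."""
    s = 0
    while n % 2 == 0:
        n //= 2
        s += 1
    return s

def root_of_unity(p, k):
    """Element of exact order 2**k in F_p, or None if 2**k does not divide p-1."""
    if k > two_adicity(p - 1):
        return None
    if k == 0:
        return 1
    for g in range(2, p):
        # Euler's criterion: g is a non-residue iff g^((p-1)/2) == -1 mod p.
        # Then w = g^((p-1)/2^k) satisfies w^(2^(k-1)) == -1, so ord(w) == 2^k.
        if pow(g, (p - 1) // 2, p) == p - 1:
            return pow(g, (p - 1) >> k, p)

def ntt(a, w, p):
    """Radix-2 transform: evaluate polynomial a at w^0..w^(n-1), n a power of 2."""
    n = len(a)
    if n == 1:
        return a[:]
    even = ntt(a[0::2], w * w % p, p)
    odd = ntt(a[1::2], w * w % p, p)
    out, t = [0] * n, 1
    for i in range(n // 2):
        out[i] = (even[i] + t * odd[i]) % p
        out[i + n // 2] = (even[i] - t * odd[i]) % p
        t = t * w % p
    return out

def intt(a, w, p):
    """Inverse transform: run ntt with w^-1 and scale by n^-1."""
    n_inv = pow(len(a), -1, p)
    return [x * n_inv % p for x in ntt(a, pow(w, -1, p), p)]

if __name__ == "__main__":
    for name, p in (("P_GOOD", P_GOOD), ("P_BAD", P_BAD)):
        ok = root_of_unity(p, 28) is not None
        print(name, "2-adicity of p-1:", two_adicity(p - 1), "supports 2^28 domain:", ok)
```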


