[curves] Curves for pairings

Jeff Burdges burdges at gnunet.org
Wed Sep 28 16:09:31 PDT 2016


On Tue, 2016-09-27 at 05:28 +0000, Zooko Wilcox-OHearn wrote:
> I was totally wrong about this. Our performance bottleneck is in a
> path (zk-SNARK proving) that doesn't require pairing operations, so
> using a curve which was 2.5 times slower at pairing operations would
> not worsen our performance issues. However, if it was also 2.5 times slower
> for curve operations, then it would.

It's still slower for scalar multiplication due to being a larger curve,
no? 

In any case, you said there are no risks to the anonymity here, so an
alternative to changing curves might be to prevent attacks from being
profitable by capping the maximum value in a transaction or account,
right?  In the short term, this should not require doing anything.

Jeff
