2 releases: 0.4.1 (Nov 26, 2021), 0.4.0 (Nov 25, 2021)
#1975 in Cryptography, 62 downloads per month, used in 2 crates
510KB, 8K SLoC
cosmian_bls12_381
This crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction.
Forked by Cosmian
July 2021
- In order to serialize/deserialize Gt elements, and thanks to Aurore Guillevic, Cosmian added this implementation. ePrint 2019/077 by Michael Scott also confirms the checks performed when deserializing Gt elements.
- Two issues on the bls12_381 GitHub repository are still pending:
November 2021

Since there is no plan to add Gt serialization upstream, the crate is published as cosmian_bls12_381, version 0.4.0.
- A GitHub PR will be opened soon against the original bls12_381 crate.

One problem remains:
Cosmian did not update to the latest version of bls12_381 (0.5) because it brings in a dependency problem. bls12_381 0.5 uses ff 0.10, which uses bitvec 0.22. The problem comes from the dependency funty 1.2.0, which made a breaking change (exposing another item named BITS that conflicts with the one in the bitvec crate). A comment was posted on the funty issue tracker in July 2021 (followed by several similar reports): https://github.com/myrrlyn/funty/issues/3#issuecomment-877833781
- This implementation has not been reviewed or audited. Use at your own risk.
- This implementation targets Rust 1.47 or later.
- This implementation does not require the Rust standard library.
- All operations are constant time unless explicitly noted.
Features

- groups (on by default): Enables APIs for performing group arithmetic with G1, G2, and GT.
- pairings (on by default): Enables some APIs for performing pairings.
- alloc (on by default): Enables APIs that require an allocator; these include pairing optimizations.
- nightly: Enables subtle/nightly, which tries to prevent compiler optimizations that could jeopardize constant-time operations. Requires the nightly Rust compiler.
- endo (on by default): Enables optimizations that leverage curve endomorphisms. Deprecated; will be removed in a future release.
Documentation
Curve Description
BLS12-381 is a pairing-friendly elliptic curve construction from the BLS family, with embedding degree 12. It is built over a 381-bit prime field GF(p) with...

- z = -0xd201000000010000
- p = (z - 1)^{2} (z^{4} - z^{2} + 1) / 3 + z
    = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
- q = z^{4} - z^{2} + 1
    = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001

... yielding two source groups G_{1} and G_{2}, each of 255-bit prime order q, such that an efficiently computable non-degenerate bilinear pairing function e exists into a third target group G_{T}. Specifically, G_{1} is the q-order subgroup of E(F_{p}) : y^{2} = x^{3} + 4 and G_{2} is the q-order subgroup of E'(F_{p^2}) : y^{2} = x^{3} + 4(u + 1), where the extension field F_{p^2} is defined as F_{p}(u) / (u^{2} + 1).

BLS12-381 is chosen so that z has small Hamming weight (to improve pairing performance) and also so that GF(q) has a primitive 2^{32}-th root of unity for performing radix-2 fast Fourier transforms for efficient multipoint evaluation and interpolation. It is also chosen so that it exists in a particularly efficient and rigid subfamily of BLS12 curves.
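The parameter relations above can be checked directly rather than taken on trust. The following Python script is an added example, not code from the cosmian_bls12_381 or bls12_381 crates: it recomputes p, q and the Frobenius trace t = z + 1 from the seed z using the BLS12 family polynomials, compares them with the hex constants listed above, and verifies the properties the description relies on: 381-bit p, 255-bit q, embedding degree 12, a primitive 2^{32}-th root of unity in GF(q), low Hamming weight of z, p = 3 (mod 4) so that u^{2} + 1 is irreducible over F_{p}, and #E(F_{p}) = p + 1 - t = q times the G_{1} cofactor (z - 1)^{2}/3. These are the same embedding-degree and subgroup-size facts that the Curve Security section depends on. The Miller-Rabin routine, its fixed base set, and the check names are this example's own choices.

```python
# Added example: recompute the BLS12-381 parameters from the seed z and check
# the properties claimed in the curve description. Pure-integer Python, no
# dependencies. This is not code from the cosmian_bls12_381 crate.

# Seed of the curve, as in the README. The sign matters: the polynomials
# below only yield the listed primes (and an integer p) for the negative seed.
Z = -0xd201000000010000

# Hex constants copied from the curve description, for comparison.
P_HEX = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
Q_HEX = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001


def bls12_params(z):
    """Evaluate the BLS12 family polynomials at seed z.

    Returns (p, q, t):
      p = (z - 1)^2 (z^4 - z^2 + 1) / 3 + z   base field characteristic
      q = z^4 - z^2 + 1                        prime subgroup order
      t = z + 1                                trace of Frobenius of E(F_p)
    """
    q = z**4 - z**2 + 1
    numerator = (z - 1) ** 2 * q
    if numerator % 3:
        raise ValueError("seed must satisfy z = 1 (mod 3) for p to be an integer")
    return numerator // 3 + z, q, z + 1


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases; adequate for sanity-checking
    published curve parameters, not a general-purpose primality oracle."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(p, q, limit=64):
    """Smallest k such that q divides p^k - 1 (the order of p modulo q)."""
    for k in range(1, limit + 1):
        if pow(p, k, q) == 1:
            return k
    return None


def two_adicity(n):
    """Largest s with 2^s dividing n; GF(q) has a primitive 2^s-th root of
    unity exactly when s = two_adicity(q - 1)."""
    s = 0
    while n and n % 2 == 0:
        n //= 2
        s += 1
    return s


def check_bls12_381():
    """Return a dict of named checks; every value should be True."""
    p, q, t = bls12_params(Z)
    cofactor_g1 = (Z - 1) ** 2 // 3            # h1 for the BLS12 family
    return {
        "p matches listed hex": p == P_HEX,
        "q matches listed hex": q == Q_HEX,
        "p is 381 bits": p.bit_length() == 381,
        "q is 255 bits": q.bit_length() == 255,
        "p is prime": is_probable_prime(p),
        "q is prime": is_probable_prime(q),
        "embedding degree is 12": embedding_degree(p, q) == 12,
        "GF(q) has a primitive 2^32-th root of unity": two_adicity(q - 1) == 32,
        "|z| has low Hamming weight (6 set bits)": bin(abs(Z)).count("1") == 6,
        "p = 3 mod 4 (u^2 + 1 irreducible over F_p)": p % 4 == 3,
        "#E(F_p) = p + 1 - t = q * h1": p + 1 - t == q * cofactor_g1,
    }


if __name__ == "__main__":
    for name, ok in check_bls12_381().items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

Running the script prints one line per check. The divisibility test inside bls12_params is the quickest way to see why the seed is negative: with the positive value, (z - 1)^{2} (z^{4} - z^{2} + 1) is not a multiple of 3 and p would not be an integer.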
Curve Security
Pairing-friendly elliptic curve constructions are (necessarily) less secure than conventional elliptic curves due to their small "embedding degree". Given a small enough embedding degree, the pairing function itself would allow for a break in DLP hardness if it projected into a weak target group, as weaknesses in this target group are immediately translated into weaknesses in the source group.
In order to achieve reasonable security without an unreasonably expensive pairing function, a careful choice of embedding degree, base field characteristic and prime subgroup order must be made. BLS12-381 uses an embedding degree of 12 to ensure fast pairing performance but a choice of a 381-bit base field characteristic to yield a 255-bit subgroup order (for protection against Pollard's rho algorithm) while reaching close to a 128-bit security level.
There are known optimizations of the Number Field Sieve algorithm which could be used to weaken DLP security in the target group by taking advantage of its structure, as it is a multiplicative subgroup of a low-degree extension field. However, these attacks require an (as of yet unknown) efficient algorithm for scanning a large space of polynomials. Even if the attack were practical it would only reduce security to roughly 117 to 120 bits. (This contrasts with 254-bit BN curves, which usually have less than 100 bits of security in the same situation.)
Alternative Curves
Applications may wish to exchange pairing performance and/or G_{2} performance by using BLS24 or KSS16 curves, which conservatively target 128-bit security. In applications that need cycles of elliptic curves for e.g. arbitrary proof composition, MNT6/MNT4 curve cycles are known that target the 128-bit security level. In applications that only need fixed-depth proof composition, curves of this form have been constructed as part of Zexe.
Acknowledgements
Please see Cargo.toml for a list of primary authors of this codebase.
License
Licensed under either of

- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Dependencies: ~1MB, ~25K SLoC