BN254

Overview

• Applications:
  • In Ethereum 1.x
  • Previously used by Zcash
• aka BN128, alt_bn128, BN256
• Pairing-friendly elliptic curve
• Security of ~100 bits
• Barreto-Naehrig curves are constructed using the Complex Multiplication (CM) method
• Currently, the only curve with precompiled contracts on Ethereum for elliptic curve addition, scalar multiplication and pairings, thus the most practical choice of pairing-friendly curve to use for verifying on-chain zkSNARKs for ZKP such as Groth16 and PLONK
• $G_1$​ is the curve $y^2=x^3+3$ over $F_p$​
• $G_2$​ is the twisted curve $y^2=x^3+3/(9+u)$ over $F_{p^2}$​
• $G_T$=${\mu }_r\subset F_{p^{12}}^{\times }$

$F_q$ as Abelian Group

• let $E(F_p)$ be the BN254 curve
• there is isomorphism of abelian groups:
  • $E(F_p)\approx (Z)/q(Z)$
  • i.e. $E$ is a 1-dimensional vector space over $F_q$
  • i.e. $F_q$ is the set of points on $E(F_p)$ (which has exactly $q$ elements), can be viewed as black boxes that can be added, subtracted and multiplied by arbitrary scalars from $F_q$
  • thus, one can think of $F_q$ as the base field for Elliptic Curve Cryptography (ECC) (despite the coordinates of the points are in $F_p$), and any “numbers” or “scalars” in ECC are elements of $F_q$
  • since $q\approx 2^{254}$, we are doing something like 254 bits integer arithmetic

Parameters

Parameter	Notes	Symbol	Symbol (FTROU)	halo2curves	Equation	Value (dec)	Value (hex)
Basic Equation (Weierstrass form)	$y^2=x^3+ax+b$, a = 0, b = 3				$Y^2=X^3+3$
Weierstrass: a			a			0	0x0
Weierstrass: b			b			3	0x3
Embedding Degree	also degree of field extension					12
Parameter			$\mathbf{x}$			4965661367192848881	0x44e992b44a6909f1
Base Field Modulus	254 bit prime, derived from $\mathbf{x}$	p	p	p, q (fq.rs)	$36x^4+36x^3+24x^2+6x+1$	21888242871839275222246405745257275088696311157297823662689037894645226208583	0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47
1. Scalar Field Modulus 2. Curve Order 3. Number of points inc point at infinity	254 bit prime, also the Baby Jubjub prime	q	r	r (fr.rs)		21888242871839275222246405745257275088548364400416034343698204186575808495617	0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001
Trace of Frobenius			t		$6x^2+1$

Type	Macro	Prime	Struct	size() → usize	Prime Field (PF) Repr	PF Bits	PF Capacity	PF S	FROBENIUS_COEFF_FQ_C1 Size
Fr	field_common	r - 254 bits	[u64; 4]	256b = 32B	[u8; 32] = 256b = 32B	254b	253b	u32: 28
Fq	field_common	p - 254 bits	[u64; 4]	256b = 32B	[u8; 32] = 256b = 32B	254b	253b	0
Fq2	field_common		{c0: Fq, c1: Fq}	64B	Fq2Bytes = [u8; 64] = 64B	254b	253b	0	[Fq; 2]
Fq6	field_common		{c0: Fq2, c1: Fq2, c2: Fq2}	192B					[Fq2; 6]
Fq12	field_common		{c0: Fq6, c1: Fq6}	384B					[Fq2: 12]
G1	new_curve_impl		Fq	32B
G2	new_curve_impl		Fq2	64B

Reference

• BN254 For The Rest Of Us - HackMD