BLS12-381

Overview

Applications:
- Replace BN254 in Zcash Sapling upgrade (subsequently replaced by Pasta curves in halo2)
- Ethereum 2.0 by validators to verify transactions
BLS curve family introduced by Paulo Barreto, Ben Lynn and Michael Scott in 2002
pairing-friendly elliptic curve
proposed by Sean Bowe in 2017 with BLS12-381: New zk-SNARK Elliptic Curve Construction
Security: 117-120 bits

Properties

Basic Form

The curve E is: $y^{2} = x^{3} + 4$ over $F_{q}$ for a 381-bit prime q

Sextic Twist

The sextic twist E2 of E is the curve $y^{2} = x^{3} + 4 (1 + u)$ over $F_{q^{2}}$

Implementations in `halo2curves`, `FTROU`, `zkcrypto`

Paramter	Notes	halo2curves Symbol	halo2curves Module	Symbol (FTROU)	Symbol (zkcrypto)	Equation	Value (dec)	Value (hex)
Basic Equation (Weierstrass form)	$y^{2} = x^{3} + a x + b$					$Y^{2} = X^{3} + 4$
Weierstrass: a				a			`0`	`0x0`
Weierstrass: b				b			`4`	`0x4`
Embedding Degree	also degree of field extension			k			12
Parameter				$x$	z		`-15132376222941642752`	`-0xd201000000010000`
Size of Subgroups, Order	255 bits, prime, # of points in subgroup, gives the curve ~128 bit of security¹	r	`fr.rs`	r, Subgroup size	q, Scalar Field (scalar.rs)	$z^{4} - z^{2} + 1$	`52435875175126190479447740508185965837690552500527637822603658699938581184513`	`0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001`
Field Modulus	number of bits needed to represent coordinates on the curve, 381 bit, prime, private key size	q	`fq.rs`	q	p	$\frac{1}{3} (z - 1)^{2} (z^{4} - z^{2} + 1) + z$	`4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787`	`0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab`
$G_{1}$ generator	²			$g_{1}$		$g_{1} = [h_{1}] p_{1}$	`(3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507, 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569)`	(`0x17F1D3A73197D7942695638C4FA9AC0FC3688C4F9774B905A14E3A3F171BAC586C55E83FF97A1AEFFB3AF00ADB22C6BB, 0x8B3F481E3AAA0F1A09E30ED741D8AE4FCF5E095D5D00AF600DB18CB2C04B3EDD03CC744A2888AE40CAA232946C5E7E1)`
$G_{2}$ generator	²			$g_{2}$		$g_{2} = [h_{2}] p_{2}$	`(3059144344244213709971259814753781636986470325476647558659373206291635324768958432433509563104347017837885763365758u + 352701069587466618187139116011060144890029952792775240219908644239793785735715026873347600343865175952761926303160, 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582u + 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905)`	`(13E02B6052719F607DACD3A088274F65596BD0D09920B61AB5DA61BBDC7F5049334CF11213945D57E5AC7D055D042B7Eu + 24AA2B2F08F0A91260805272DC51051C6E47AD4FA403B02B4510B647AE3D1770BAC0326A805BBEFD48056C8C121BDB8, 606C4A02EA734CC32ACD2B02BC28B99CB3E287E85A763AF267492AB572E99AB3F370D275CEC1DA1AAA9075FF05F79BEu + CE5D527727D6E118CC9CDC6DA2E351AADFD9BAA8CBDD3A76D429A695160D12C923AC9CC3BACA289E193548608B82801)`
$G_{1}$ cofactor				$h_{1}$		$\frac{1}{3} (x - 1)^{2}$		`0x396c8c005555e1568c00aaab0000aaab`
$G_{2}$ cofactor				$h_{2}$		$\frac{1}{9} (x^{8} - 4 x^{7} + 5 x^{6} - 4 x^{4} + 6 x^{3} - 4 x^{2} - 4 x + 13)$		`0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5`
$G_{1}$ generator point				$p_{1}$				`(0x04, 0x0a989badd40d6212b33cffc3f3763e9bc760f988c9926b26da9dd85e928483446346b8ed00e1de5d5ea93e354abe706c)`
$G_{2}$ generator point				$p_{2}$				`([0x02, 0x00],[0x013a59858b6809fca4d9a3b6539246a70051a3c88899964a42bc9a69cf9acdd9dd387cfa9086b894185b9a46a402be73,0x02d27e0ec3356299a346a09ad7dc4ef68a483c3aed53f9139d2f929a3eecebf72082e5e58c6da24ee32e03040c406d4f])`

subgroup order r = 255 bits is needed to give ~128 bits of security due to $O (r)$ of Pollard’s 𝜌 attack (the fastest known algorithm to find discrete logs on elliptic curves)
The generators of $G_{1}$ and $G_{2}$ are computed by finding the lexicographically smallest valid x-coordinate, and its lexicographically smallest y-coordinate and scaling it by the cofactor such that the result is not the point at infinity

PF = Prime Field

Type	Macro / Module	Notes	Prime	Struct	size() → usize	PF Repr	PF Bits	PF Capacity	PF S	FROBENIUS_COEFF_FQ_C1 Size
`Fr`	`field_common`		`r` - 255 bits	`[u64; 4]`	256b = 32B	`[u8; 32]` = 256b = 32B	255b	254b	`u32: 5`
`Fq`	`field_common_fq`		`p` - 381 bits	`[u64; 6]`	384b = 48B	FqBytes = `[u8; 48]` = 384b = 48B	381b	380b	`u32: 1`
`Fq2`	`field_common_fq`			`{c0: Fq, c1: Fq}`	768b = 96B	Fq2Bytes = `[u8; 96]` = 768b = 96B	381b	380b	`u32: 0`	`[Fq; 2]` = 768b = 96B
`Fq6`	`field_common_fq`			`{c0: Fq2, c1: Fq2, c2: Fq2}`	2304b = 288B					`[Fq2; 6]` = 4608b = 576B
`Fq12`	`field_common_fq`			`{c0: Fq6, c1: Fq6}`	4608b = 576B					`[Fq2: 12]` = 9216b = 1152B
`G1`	`new_curve_impl_bls12381`			`{x: Fq, y: Fq, z: Fq}`
`G2`	`new_curve_impl_bls12381`			`{x: Fq2, y: Fq2, z: Fq2}`
`G1Affine`	`new_curve_impl_bls12381`			`{x: Fq, y: Fq, infinity: Choice}`
`G2Affine`	`new_curve_impl_bls12381`			`{x: Fq2, y: Fq2, infinity: Choice}`
`G1Compressed`	`new_curve_impl_bls12381`			`[u8; Fq::size()]`
`G2Compressed`	`new_curve_impl_bls12381`			`[u8; Fq2::size()]`
`G2Prepared`	`engine.rs`	- used for converting `G2Affine` in `pairing()`		`{coeffs: Vec<(Fq2, Fq2, Fq2)>, infinity: bool}`
`Gt`	`engine.rs`			`Fq12`

Reference