From 4cac44358f8ef1a1073e7fa484a22792c245be7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mamy=20Andr=C3=A9-Ratsimbazafy?=
Date: Thu, 13 Feb 2020 00:11:04 +0100
Subject: [PATCH] Update security level of BN254 to ~100bits
---
 constantine/config/curves.nim | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/constantine/config/curves.nim b/constantine/config/curves.nim
index 5aff612..9e15013 100644
--- a/constantine/config/curves.nim
+++ b/constantine/config/curves.nim
@@ -75,17 +75,20 @@ func montyMagic(M: static BigInt): static Word {.inline.} =
 #
 # ############################################################
-# Finite fields are preconfigured in this file
-# To workaround the following limitation https://github.com/nim-lang/Nim/issues/11142
-# i.e. an object can be parametrized by a compiletime bigint
-# we instead have the fields, curve points and Montgomery objects
-# be parametrized over an enum.
+# Curves & their corresponding finite fields are preconfigured in this file
 # Note, in the past the convention was to name a curve by its conjectured security level.
 # as this might change with advances in research, the new convention is
 # to name curves according to the length of the prime bit length.
 # i.e. the BN254 was previously named BN128.
+# Curves security level were significantly impacted by
+# advances in the Tower Number Field Sieve.
+# in particular BN254 curve security dropped
+# from estimated 128-bit to estimated 100-bit
+# Barbulescu, R. and S. Duquesne, "Updating Key Size Estimations for Pairings",
+# Journal of Cryptology, DOI 10.1007/s00145-018-9280-5, January 2018.
+
 # Generates:
 # - type Curve = enum
 # - const CurveBitSize: array[Curve, int]
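Review bot: The five removed lines were the only explanation of why curves are parametrized over an enum (the workaround for https://github.com/nim-lang/Nim/issues/11142, an object cannot be parametrized by a compile-time BigInt); the new header says what the file preconfigures but no longer says why the `Curve` enum and the `CurveBitSize` table listed under `# Generates:` exist. Keep a one-line pointer next to that list, e.g. `# (enum parametrization works around https://github.com/nim-lang/Nim/issues/11142: objects cannot be parametrized by a compile-time bigint)`, so the design constraint is not lost. Separately, the added line `# Curves security level were significantly impacted by` reads awkwardly; `# Curve security levels were significantly impacted by` is the intended form. The surrounding comment block continues past both ends of the hunk.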
@@ -96,7 +99,8 @@ func montyMagic(M: static BigInt): static Word {.inline.} =
 # associated with the curve modulus
 when not defined(testingCurves):
 declareCurves:
-# Barreto-Naehrig curve, Prime 254 bit, 128-bit security, https://eprint.iacr.org/2013/879.pdf
+# Barreto-Naehrig curve, pairing-friendly, Prime 254 bit, ~100-bit security
+# https://eprint.iacr.org/2013/879.pdf
 # Usage: Zero-Knowledge Proofs / zkSNARKs in ZCash and Ethereum 1
 # https://eips.ethereum.org/EIPS/eip-196
 curve BN254:
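Review bot: The `~100-bit security` figure on the BN254 line carries no citation at the point of use; the Barbulescu–Duquesne reference lives only in the file header, while this line is what a reader of the curve table actually sees. Suggest `# Barreto-Naehrig curve, pairing-friendly, Prime 254 bit, ~100-bit security (TNFS estimate, see header note)`. Since the header attributes the drop to the Tower Number Field Sieve, the estimate presumably concerns the pairing / extension-field discrete-log setting rather than base-field arithmetic alone; if that is the intent, stating the scope here keeps callers from applying the number to the wrong operation. The `declareCurves:` block continues past the end of the hunk.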