zk-SNARK zero-knowledge proof curve selection: BN128 vs BLS12-381

The elliptic curves offered by libsnark are:

  • edwards: an instantiation based on an Edwards curve, providing 80 bits of security.
  • bn128: an instantiation based on a Barreto-Naehrig curve, providing 128 bits of security. The underlying curve implementation is [ate-pairing], which has incorporated our patch that changes the BN curve to one suitable for SNARK applications.
    • This implementation uses dynamically-generated machine code for the curve arithmetic. Some modern systems disallow execution of code on the heap, and will thus block this implementation.
      For example, on Fedora 20 at its default settings, you will get the error zmInit ERR:can't protect when running this code. To solve this, run sudo setsebool -P allow_execheap 1 to allow execution, or use make CURVE=ALT_BN128 instead.
  • alt_bn128: an alternative to bn128, somewhat slower but avoids dynamic code generation.

Barreto-Naehrig (BN) curves are pairing-friendly elliptic curves defined over a base field Fq with a prime-order subgroup of order r, where r ≈ q. The instance implemented in libsnark uses q ≈ 2^254, and according to https://electriccoin.co/blog/new-snark-curve/ a conservative estimate puts the security of the BN128 curve at only about 110 bits, not the 128 bits originally claimed. Reaching 128-bit security with a BN curve would require q ≈ 2^384, which pushes the group order r up to the 2^384 range as well. A larger r slows multi-exponentiation, FFT and related operations, which hurts the performance of zk-SNARK proving and of the secure multi-party computation, and also needlessly inflates the key files.

Barreto-Lynn-Scott (BLS) curves are also pairing-friendly. With q ≈ 2^384 and embedding degree k = 12 they reach a 128-bit security level while the group order stays at r ≈ 2^256, far smaller than the 2^384 a BN curve would need.

For zk-SNARK use, a BLS curve with r ≈ 2^255 was deliberately chosen so that, when r is stored in four 64-bit limbs, the top (sign) bit is never set, i.e. there is no overflow. The curve finally selected is named BLS12-381, with q ≈ 2^381:

u = -0xd201000000010000
k = 12
q = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
r = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
E(Fq) := y^2 = x^3 + 4
Fq2 := Fq[i]/(x^2 + 1)
E'(Fq2) := y^2 = x^3 + 4(i + 1)
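The parameter block above can be checked rather than taken on trust. The following is an added example, not code from the original post or from the Zcash or libsnark projects; it assumes only the standard BLS12 family polynomials (r(u) = u^4 - u^2 + 1, q(u) = (u-1)^2·r(u)/3 + u, trace t(u) = u + 1), which are not stated on the page. It re-derives q and r from the listed seed u, confirms that the embedding degree is 12 and that -1 is a non-residue in Fq (so Fq[i]/(x^2 + 1) really is a field), and shows the limb and FFT properties the text argues from: r fits in four 64-bit limbs with its top bit clear, a 384-bit r would need six, and r - 1 is divisible by 2^32.

```python
"""Sanity checks on the BLS12-381 parameters listed in the post.

Added example (not from the original page, Zcash or libsnark). Assumes the
standard BLS12 parameterisation:
    r(u) = u^4 - u^2 + 1
    q(u) = (u - 1)^2 * r(u) / 3 + u
    t(u) = u + 1            (trace of Frobenius, #E(Fq) = q + 1 - t)
"""

# Parameters exactly as listed on the page.
U = -0xd201000000010000
Q = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001


def bls12_params(u):
    """Derive (q, r, t) of a BLS12 curve from its seed u."""
    r = u**4 - u**2 + 1
    num = (u - 1) ** 2 * r
    assert num % 3 == 0, "seed must be 1 mod 3 for q to be an integer"
    q = num // 3 + u
    t = u + 1
    return q, r, t


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed small bases; adequate for a sanity check."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(q, r, limit=48):
    """Smallest k with r | q^k - 1, i.e. the pairing lands in F_{q^k}."""
    for k in range(1, limit + 1):
        if pow(q, k, r) == 1:
            return k
    return None


def two_adicity(n):
    """Largest s with 2^s | n; for r - 1 this bounds the radix-2 FFT domain."""
    s = 0
    while n % 2 == 0:
        n //= 2
        s += 1
    return s


def limbs64(n):
    """Number of 64-bit limbs needed to hold the integer n."""
    return -(-n.bit_length() // 64)


def check_page_params():
    """Run every check against the page's values and return the results."""
    q, r, t = bls12_params(U)
    return {
        "q_matches_page": q == Q,
        "r_matches_page": r == R,
        "q_is_prime": is_probable_prime(Q),
        "r_is_prime": is_probable_prime(R),
        "r_divides_curve_order": (Q + 1 - t) % R == 0,  # r | #E(Fq)
        "embedding_degree": embedding_degree(Q, R),      # 12 for a BLS12 curve
        # -1 is a non-residue iff q = 3 mod 4, so x^2 + 1 is irreducible over Fq.
        "minus_one_is_nonresidue": pow(Q - 1, (Q - 1) // 2, Q) == Q - 1,
        "q_bits": Q.bit_length(),                         # 381
        "r_bits": R.bit_length(),                         # 255: top bit of limb 4 clear
        "r_limbs": limbs64(R),                            # 4
        "r_limbs_if_384_bit": limbs64(2**384 - 1),        # 6: what a 128-bit BN r needs
        "fft_two_adicity": two_adicity(R - 1),            # 32
    }


if __name__ == "__main__":
    for name, value in check_page_params().items():
        print(f"{name:26} {value}")
```

The same checks apply to any BLS12 seed: feed a different u into bls12_params and the remaining functions report whether the resulting q and r are prime, what the embedding degree is, and how large an FFT domain r - 1 supports.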

The paper "Implementing Pairings at the 192-bit Security Level" also gives the corresponding parameters:
[Figure: parameter table from the paper; image not preserved]

Curve choice should balance security against performance. Zcash's security audit report notes:

  • NCC-2018-004: Curve BLS12-381 Security Is Less Than 128 Bits

    • As the issue rightly points out, the existing analysis of this curve puts a practical attack well beyond the foreseeable computing power available to humanity, although we will monitor the research situation as time progresses. The research mentioned in the issue was also referenced in our blog post on curve selection. We are satisfied that use of this curve strikes an appropriate balance between security and performance.

The following is excerpted from the Zcash protocol specification:
[Figures: two excerpts from the Zcash protocol specification; images not preserved]
