{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,23]],"date-time":"2026-02-23T23:15:42Z","timestamp":1771888542964,"version":"3.50.1"},"reference-count":130,"publisher":"Springer Science and Business Media LLC","issue":"11","license":[{"start":{"date-parts":[[2022,12,21]],"date-time":"2022-12-21T00:00:00Z","timestamp":1671580800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2022,12,21]],"date-time":"2022-12-21T00:00:00Z","timestamp":1671580800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Des. Codes Cryptogr."],"published-print":{"date-parts":[[2023,11]]},"DOI":"10.1007\/s10623-022-01135-y","type":"journal-article","created":{"date-parts":[[2022,12,21]],"date-time":"2022-12-21T16:03:30Z","timestamp":1671638610000},"page":"3333-3378","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":26,"title":["A survey of elliptic curves for proof systems"],"prefix":"10.1007","volume":"91","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2457-0783","authenticated-orcid":false,"given":"Diego F.","family":"Aranha","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2873-3479","authenticated-orcid":false,"given":"Youssef","family":"El Housni","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0824-7273","authenticated-orcid":false,"given":"Aurore","family":"Guillevic","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,12,21]]},"reference":[{"key":"1135_CR1","unstructured":"arkworks Contributors. arkworks zkSNARK ecosystem. 
https:\/\/arkworks.rs (2022)."},{"key":"1135_CR2","unstructured":"Aranha D.F., Gouv\u00eaa C.P.L., Markmann T., Wahby R.S., Liao K.: RELIC is an Efficient LIbrary for Cryptography. https:\/\/github.com\/relic-toolkit\/relic."},{"key":"1135_CR3","unstructured":"Andr\u00e9-Ratsimbazafy M.: Constant time pairing-based or elliptic curve based cryptography and digital signatures. https:\/\/github.com\/mratsim\/constantine."},{"key":"1135_CR4","unstructured":"Baylina J.: Web assembly low level implementation of pairing friendly curves. https:\/\/github.com\/iden3\/wasmcurves."},{"key":"1135_CR5","doi-asserted-by":"crossref","unstructured":"B\u00fcnz B., Bootle J., Boneh D., Poelstra A., Wuille P., Maxwell G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy, pp. 315\u2013334. IEEE Computer Society Press (2018).","DOI":"10.1109\/SP.2018.00020"},{"key":"1135_CR6","first-page":"327","volume-title":"EUROCRYPT 2016, Part II, volume 9666 of LNCS","author":"J Bootle","year":"2016","unstructured":"Bootle J., Cerulli A., Chaidos P., Groth J., Petit C.: Efficient zero-knowledge arguments for arithmetic circuits in the discret log setting. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016, Part II, volume 9666 of LNCS, pp. 327\u2013357. Springer, Heidelberg (2016)."},{"key":"1135_CR7","doi-asserted-by":"crossref","unstructured":"Bitansky N., Canetti R., Chiesa A, Tromer E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: Goldwasser S. (ed.) ITCS 2012, pp. 326\u2013349. ACM (2012).","DOI":"10.1145\/2090236.2090263"},{"key":"1135_CR8","first-page":"90","volume-title":"CRYPTO 2013, Part II, volume 8043 of LNCS","author":"E Ben-Sasson","year":"2013","unstructured":"Ben-Sasson E., Chiesa A., Genkin D., Tromer E., Virza M.: SNARKs for C: verifying program executions succinctly and in zero knowledge. In: Canetti R., Garay J.A. (eds.) 
CRYPTO 2013, Part II, volume 8043 of LNCS, pp. 90\u2013108. Springer, Heidelberg (2013)."},{"key":"1135_CR9","doi-asserted-by":"crossref","unstructured":"Ben-Sasson E., Chiesa A., Garman C., Green M., Miers I., Tromer E., Virza M.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459\u2013474. IEEE Computer Society Press (2014).","DOI":"10.1109\/SP.2014.36"},{"key":"1135_CR10","doi-asserted-by":"crossref","unstructured":"Bowe S., Chiesa A., Green M., Miers I., Mishra P., Wu H.: ZEXE: enabling decentralized private computation. In: 2020 IEEE Symposium on Security and Privacy, pp. 947\u2013964. IEEE Computer Society Press (2020).","DOI":"10.1109\/SP40000.2020.00050"},{"key":"1135_CR11","unstructured":"Ben-Sasson E., Carmon D., Kopparty S., Levit D.: Elliptic curve fast fourier transform (ECFFT) part I: fast polynomial algorithms over all finite fields. CoRR, abs\/2107.08473 (2021)."},{"key":"1135_CR12","first-page":"1","volume-title":"TCC 2020, Part II, volume 12551 of LNCS","author":"B B\u00fcnz","year":"2020","unstructured":"B\u00fcnz B., Chiesa A., Mishra P., Spooner N.: Recursive proof composition from accumulation schemes. In: Pass R., Pietrzak K. (eds.) TCC 2020, Part II, volume 12551 of LNCS, pp. 1\u201318. Springer, Heidelberg (2020)."},{"key":"1135_CR13","first-page":"276","volume-title":"CRYPTO 2014, Part II, volume 8617 of LNCS","author":"E Ben-Sasson","year":"2014","unstructured":"Ben-Sasson E., Chiesa A., Tromer E., Virza M.: Scalable zero knowledge via cycles of elliptic curves. In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014, Part II, volume 8617 of LNCS, pp. 276\u2013294. Springer, Heidelberg (2014)."},{"key":"1135_CR14","unstructured":"Ben-Sasson E., Chiesa A., Tromer E., Virza M.: Succinct non-interactive zero knowledge for a von neumann architecture. In: Fu K., Jung J. (eds.) USENIX Security 2014, pp. 781\u2013796. 
USENIX Association (2014)."},{"issue":"4","key":"1135_CR15","doi-asserted-by":"crossref","first-page":"1298","DOI":"10.1007\/s00145-018-9280-5","volume":"32","author":"R Barbulescu","year":"2019","unstructured":"Barbulescu R., Duquesne S.: Updating key size estimations for pairings. J. Cryptol. 32(4), 1298\u20131336 (2019).","journal-title":"J. Cryptol."},{"key":"1135_CR16","first-page":"649","volume-title":"CRYPTO 2021, Part I, volume 12825 of LNCS","author":"D Boneh","year":"2021","unstructured":"Boneh D., Drake J., Fisch B., Gabizon A.: Halo infinite: proof-carrying data from additive polynomial commitments. In: Malkin T., Peikert C. (eds.) CRYPTO 2021, Part I, volume 12825 of LNCS, pp. 649\u2013680. Virtual Event. Springer, Heidelberg (2021)."},{"issue":"2","key":"1135_CR17","first-page":"77","volume":"2","author":"DJ Bernstein","year":"2012","unstructured":"Bernstein D.J., Duif N., Lange T., Schwabe P., Yang B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77\u201389 (2012).","journal-title":"High-speed high-security signatures. J. Cryptogr. Eng."},{"key":"1135_CR18","first-page":"454","volume-title":"INDOCRYPT 2012, volume 7668 of LNCS","author":"DJ Bernstein","year":"2012","unstructured":"Bernstein D.J., Doumen J., Lange T., Oosterwijk J.-J.: Faster batch forgery identification. In: Galbraith S.D., Nandi M. (eds.) INDOCRYPT 2012, volume 7668 of LNCS, pp. 454\u2013473. Springer, Heidelberg (2012)."},{"key":"1135_CR19","doi-asserted-by":"crossref","unstructured":"Braun B., Feldman A.J., Ren Z., Setty S., Blumberg A.J., Walfish M.: Verifying computations with state. In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, SOSP \u201913, pp. 341\u2013357, New York, NY, USA, 2013. Association for Computing Machinery. 
ePrint with major differences at ePrint 2013\/356.","DOI":"10.1145\/2517349.2522733"},{"key":"1135_CR20","first-page":"677","volume-title":"EUROCRYPT 2020, Part I, volume 12105 of LNCS","author":"B B\u00fcnz","year":"2020","unstructured":"B\u00fcnz B., Fisch B., Szepieniec A.: Transparent SNARKs from DARK compilers. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, Part I, volume 12105 of LNCS, pp. 677\u2013706. Springer, Heidelberg (2020)."},{"key":"1135_CR21","first-page":"129","volume-title":"EUROCRYPT 2015, Part I, volume 9056 of LNCS","author":"R Barbulescu","year":"2015","unstructured":"Barbulescu R., Gaudry P., Guillevic A., Morain F.: Improving NFS for the discret logarithm problem in non-prime finite fields. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part I, volume 9056 of LNCS, pp. 129\u2013155. Springer, Heidelberg (2015)."},{"key":"1135_CR22","unstructured":"Bowe S., Grigg J., Hopwood D.: Halo: recursive proof composition without a trusted setup. Cryptology ePrint Archive, Report 2019\/1021. https:\/\/eprint.iacr.org\/2019\/1021 (2019)."},{"key":"1135_CR23","first-page":"1","volume-title":"EUROCRYPT 2014, volume 8441 of LNCS","author":"R Barbulescu","year":"2014","unstructured":"Barbulescu R., Gaudry P., Joux A., Thom\u00e9 E.: A heuristic quasi-polynomial algorithm for discret logarithm in finite fields of small characteristic. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014, volume 8441 of LNCS, pp. 1\u201316. Springer, Heidelberg (2014)."},{"key":"1135_CR24","first-page":"31","volume-title":"ASIACRYPT 2015, Part II, volume 9453 of LNCS","author":"R Barbulescu","year":"2015","unstructured":"Barbulescu R., Gaudry P., Kleinjung T.: The tower number field sieve. In: Iwata T., Cheon J.H. (eds.) ASIACRYPT 2015, Part II, volume 9453 of LNCS, pp. 31\u201355. 
Springer, Heidelberg (2015)."},{"key":"1135_CR25","first-page":"21","volume-title":"PAIRING 2010, volume 6487 of LNCS","author":"J-L Beuchat","year":"2010","unstructured":"Beuchat J.-L., Gonz\u00e1lez-D\u00edaz J.E., Mitsunari S., Okamoto E., Rodr\u00edguez-Henr\u00edquez F., Teruya T.: High-speed software implementation of the optimal Ate pairing over Barreto-Naehrig curves. In: Joye M., Miyaji A., Otsuka A. (eds.) PAIRING 2010, volume 6487 of LNCS, pp. 21\u201339. Springer, Heidelberg (2010)."},{"key":"1135_CR26","first-page":"325","volume-title":"TCC 2005, volume 3378 of LNCS","author":"D Boneh","year":"2005","unstructured":"Boneh D., Goh E.-J., Nissim K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian J. (ed.) TCC 2005, volume 3378 of LNCS, pp. 325\u2013341. Springer, Heidelberg (2005)."},{"key":"1135_CR27","first-page":"967","volume-title":"ACM CCS 2013","author":"DJ Bernstein","year":"2013","unstructured":"Bernstein D.J., Hamburg M., Krasnova A., Lange T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Sadeghi A.-R., Gligor V.D., Yung M. (eds.) ACM CCS 2013, pp. 967\u2013980. ACM Press, New York (2013)."},{"key":"1135_CR28","unstructured":"Bernstein D.J., Lange T.: Safecurves: choosing safe curves for elliptic-curve cryptography. https:\/\/safecurves.cr.yp.to. Accessed 28 Feb 2022."},{"key":"1135_CR29","first-page":"514","volume-title":"ASIACRYPT 2001, volume 2248 of LNCS","author":"D Boneh","year":"2001","unstructured":"Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. In: Boyd C. (ed.) ASIACRYPT 2001, volume 2248 of LNCS, pp. 514\u2013532. Springer, Heidelberg (2001)."},{"key":"1135_CR30","first-page":"17","volume-title":"SAC 2003, volume 3006 of LNCS","author":"PSLM Barreto","year":"2004","unstructured":"Barreto P.S.L.M., Lynn B., Scott M.: On the selection of pairing-friendly groups. In: Matsui M., Zuccherato R.J. (eds.) SAC 2003, volume 3006 of LNCS, pp. 17\u201325. 
Springer, Heidelberg (2004)."},{"key":"1135_CR31","unstructured":"Bonneau J., Meckler I., Rao V., Shapiro E.: Coda: decentralized cryptocurrency at scale. Cryptology ePrint Archive, Report 2020\/352. https:\/\/eprint.iacr.org\/2020\/352 (2020)."},{"key":"1135_CR32","first-page":"319","volume-title":"SAC 2005, volume 3897 of LNCS","author":"PSLM Barreto","year":"2006","unstructured":"Barreto P.S.L.M., Naehrig M.: Pairing-friendly elliptic curves of prime order. In: Preneel B., Tavares S. (eds.) SAC 2005, volume 3897 of LNCS, pp. 319\u2013331. Springer, Heidelberg (2006)."},{"key":"1135_CR33","unstructured":"Bowe S.: BLS12-381: new zk-SNARK elliptic curve construction. Zcash blog, March 11 2017. https:\/\/blog.z.cash\/new-snark-curve\/."},{"key":"1135_CR34","unstructured":"Botrel G., Piellard T., El\u00a0Housni Y., Tabaie A., Kubjas I.: Go library for finite fields, elliptic curves and pairings for zero-knowledge proof systems. https:\/\/doi.org\/10.5281\/zenodo.6092968."},{"key":"1135_CR35","unstructured":"Botrel G., Piellard T., El\u00a0Housni Y., Kubjas I., Tabaie A.: Consensys\/gnark. https:\/\/doi.org\/10.5281\/zenodo.6093969 (2022)."},{"key":"1135_CR36","unstructured":"Bowe S, Str4d.: Zero-Knowledge Cryptography in Rust. https:\/\/github.com\/zkcrypto."},{"key":"1135_CR37","unstructured":"Ben-Sasson E., Chiesa A., Tromer E., Virza M., Wu H., Contributors: C++ library for finite fields and elliptic curves. https:\/\/github.com\/scipr-lab\/libff."},{"key":"1135_CR38","unstructured":"Ben-Sasson E., Chiesa A., Tromer E., Virza M., Wu H., Contributors: C++ library for zksnark. https:\/\/github.com\/scipr-lab\/libsnark."},{"key":"1135_CR39","unstructured":"Beaulieu R., Shors D., Smith J., Treatman-Clark S., Weeks B., Wingers L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013\/404. 
https:\/\/eprint.iacr.org\/2013\/404 (2013)."},{"issue":"2","key":"1135_CR40","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1137\/18M1173708","volume":"3","author":"A Chiesa","year":"2019","unstructured":"Chiesa A., Chua L., Weidner M.: On cycles of pairing-friendly elliptic curves. SIAM J. Appl. Algebra Geom. 3(2), 175\u2013192 (2019).","journal-title":"SIAM J. Appl. Algebra Geom."},{"key":"1135_CR41","doi-asserted-by":"crossref","unstructured":"Costello C., Fournet C., Howell J., Kohlweiss M., Kreuter B., Naehrig M., Parno B., Zahur S.: Geppetto: versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17\u201321, 2015, pp. 253\u2013270. IEEE Computer Society, 2015. ePrint 2014\/976.","DOI":"10.1109\/SP.2015.23"},{"issue":"3","key":"1135_CR42","doi-asserted-by":"crossref","first-page":"457","DOI":"10.1007\/s00145-009-9047-0","volume":"23","author":"JH Cheon","year":"2010","unstructured":"Cheon J.H.: Discret logarithm problems with auxiliary inputs. J. Cryptol. 23(3), 457\u2013476 (2010).","journal-title":"J. Cryptol."},{"key":"1135_CR43","first-page":"738","volume-title":"EUROCRYPT 2020, Part I, volume 12105 of LNCS","author":"A Chiesa","year":"2020","unstructured":"Chiesa A., Yuncong H., Maller M., Mishra P., Vesely N., Ward N.P.: Marlin: preprocessing zkSNARKs with universal and updatable SRS. In: Canteaut A., Ishai Y. (eds.) EUROCRYPT 2020, Part I, volume 12105 of LNCS, pp. 738\u2013768. Springer, Heidelberg (2020)."},{"key":"1135_CR44","doi-asserted-by":"crossref","unstructured":"Cai S.P., Hu Z., Zhao C.A.: Faster final exponentiation on the kss18 curve. In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E105.A(8):1162\u20131164 (2022).","DOI":"10.1587\/transfun.2021EAL2086"},{"key":"1135_CR45","unstructured":"Costello C.: Pairings for beginners. 
https:\/\/www.craigcostello.com.au\/s\/PairingsForBeginners.pdf (2012)."},{"key":"1135_CR46","doi-asserted-by":"crossref","unstructured":"Ch\u00e1vez-Saab J., Rodr\u00edguez-Henr\u00edquez F., Tibouchi M.: Swiftec: Shallue-van de woestijne indifferentiable function to elliptic curves. Cryptology ePrint Archive, Paper 2022\/759, 2022. To appear in ASIACRYPT 2022.","DOI":"10.1007\/978-3-031-22963-3_3"},{"key":"1135_CR47","doi-asserted-by":"crossref","unstructured":"Delignat-Lavaud A., Fournet C., Kohlweiss M., Parno B.: Cinderella: turning shabby X.509 certificates into elegant anonymous credentials with the magic of verifiable computation. In: 2016 IEEE Symposium on Security and Privacy, pp. 235\u2013254. IEEE Computer Society Press (2016).","DOI":"10.1109\/SP.2016.22"},{"key":"1135_CR48","first-page":"32","volume-title":"CRYPTO 2020, Part II, volume 12171 of LNCS","author":"G De Micheli","year":"2020","unstructured":"De Micheli G., Gaudry P., Pierrot C.: Asymptotic complexities of discret logarithm algorithms in pairing-relevant finite fields. In: Micciancio D., Ristenpart T. (eds.) CRYPTO 2020, Part II, volume 12171 of LNCS, pp. 32\u201361. Springer, Heidelberg (2020)."},{"key":"1135_CR49","doi-asserted-by":"crossref","unstructured":"De Micheli G., Gaudry P., Pierrot C.: Lattice enumeration for tower NFS: a 521-bit discret logarithm computation. In: Tibouchi M., Wang H. (eds.) Advances in Cryptology\u2014ASIACRYPT 2021\u201427th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6\u201310, 2021, Proceedings, Part I, volume 13090 of LNCS, pp. 67\u201396. Springer, 2021. ePrint 2021\/707.","DOI":"10.1007\/978-3-030-92062-3_3"},{"key":"1135_CR50","unstructured":"de\u00a0Valence H.: The ristretto group. https:\/\/ristretto.group (2021)."},{"key":"1135_CR51","unstructured":"de\u00a0Valence H., Yun C., Andreev O.: dalek cryptography: fast, sage, pure-rust elliptic curve cryptography. 
https:\/\/github.com\/dalek-cryptography\/bulletproofs (2022)."},{"key":"1135_CR52","doi-asserted-by":"crossref","unstructured":"El\u00a0Housni Y., Guillevic A.: Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition. In: Krenn S., Shulman H., Vaudenay S. (eds.) Cryptology and Network Security\u201419th International Conference, CANS 2020, Vienna, Austria, December 14\u201316, 2020, Proceedings, volume 12579 of LNCS, pp. 259\u2013279. Springer (2020).","DOI":"10.1007\/978-3-030-65411-5_13"},{"key":"1135_CR53","doi-asserted-by":"crossref","unstructured":"El\u00a0Housni Y., Guillevic A.: Families of SNARK-friendly 2-chains of elliptic curves. In: Dunkelman O., Dziembowski S. (eds) EUROCRYPT 2022, volume 13276 of LNCS, pp. 367\u2013396. Springer (2022). ePrint 2021\/1359.","DOI":"10.1007\/978-3-031-07085-3_13"},{"key":"1135_CR54","doi-asserted-by":"crossref","unstructured":"El\u00a0Housni Y., Guillevic A.: Families of SNARK-friendly 2-chains of elliptic curves. https:\/\/gitlab.inria.fr\/zk-curves\/snark-2-chains (2022). SageMath\/Python and Magma implementation.","DOI":"10.1007\/978-3-031-07085-3_13"},{"key":"1135_CR55","doi-asserted-by":"crossref","first-page":"142","DOI":"10.1007\/978-3-642-14518-6_14","volume-title":"Algorithmic Number Theory Symposium","author":"A Enge","year":"2010","unstructured":"Enge A., Sutherland A.V.: Class invariants by the CRT method. In: Hanrot G., Morain F., Thom\u00e9 E. (eds.) Algorithmic Number Theory Symposium, pp. 142\u2013156. Springer, Berlin (2010)."},{"key":"1135_CR56","doi-asserted-by":"crossref","unstructured":"Faz-Hern\u00e1ndez A., Scott S., Sullivan N., Wahby R.S., Wood C.A.: Hashing to Elliptic Curves. Technical Report, IETF Secretariat, 2022. Working Draft. 
https:\/\/datatracker.ietf.org\/doc\/draft-irtf-cfrg-hash-to-curve\/.","DOI":"10.17487\/RFC9380"},{"key":"1135_CR57","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1016\/j.tcs.2019.10.017","volume":"800","author":"G Fotiadis","year":"2019","unstructured":"Fotiadis G., Konstantinou E.: TNFS resistant families of pairing-friendly elliptic curves. Theor. Comput. Sci. 800, 73\u201389 (2019).","journal-title":"Theor. Comput. Sci."},{"key":"1135_CR58","first-page":"412","volume-title":"SAC 2011, volume 7118 of LNCS","author":"L Fuentes-Casta\u00f1eda","year":"2012","unstructured":"Fuentes-Casta\u00f1eda L., Knapp E., Rodr\u00edguez-Henr\u00edquez F.: Faster hashing to $$\\mathbb{G} _2$$. In: Miri A., Vaudenay S. (eds.) SAC 2011, volume 7118 of LNCS, pp. 412\u2013430. Springer, Heidelberg (2012)."},{"key":"1135_CR59","unstructured":"Fujitsu Laboratories, NICT, and Kyushu University. DL record in $${\\mathbb{F}} _{3^{6\\cdot 97}}$$ of 923 bits (278\u00a0dd). NICT press release, June 18, 2012. http:\/\/www.nict.go.jp\/en\/press\/2012\/06\/18en-1.html."},{"key":"1135_CR60","doi-asserted-by":"crossref","unstructured":"Freeman D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert H. (ed.) EUROCRYPT\u00a02010. volume 6110 of LNCS, pp. 44\u201361. Springer, Heidelberg (2010).","DOI":"10.1007\/978-3-642-13190-5_3"},{"issue":"2","key":"1135_CR61","doi-asserted-by":"crossref","first-page":"224","DOI":"10.1007\/s00145-009-9048-z","volume":"23","author":"D Freeman","year":"2010","unstructured":"Freeman D., Scott M., Teske E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224\u2013280 (2010).","journal-title":"J. Cryptol."},{"key":"1135_CR62","unstructured":"Gabizon A.: AuroraLight: improved prover efficiency and SRS size in a sonic-like system. Cryptology ePrint Archive, Report 2019\/601. 
https:\/\/eprint.iacr.org\/2019\/601 (2019)."},{"key":"1135_CR63","unstructured":"Ghammam L., Fouotsa E.: On the computation of the optimal ate pairing at the 192-bit security level. Cryptology ePrint Archive, Report 2016\/130. https:\/\/eprint.iacr.org\/2016\/130 (2016)."},{"key":"1135_CR64","first-page":"626","volume-title":"EUROCRYPT 2013, volume 7881 of LNCS","author":"R Gennaro","year":"2013","unstructured":"Gennaro R., Gentry C., Parno B., Raykova M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT 2013, volume 7881 of LNCS, pp. 626\u2013645. Springer, Heidelberg (2013)."},{"key":"1135_CR65","doi-asserted-by":"crossref","unstructured":"Granger R., Kleinjung T., Lenstra A.K., Wesolowski B., Zumbr\u00e4gel J.: Computation of a 30750-bit binary field discret logarithm. Math. Comput. 90(332):2997\u20133022, 2021. ePrint 2020\/965.","DOI":"10.1090\/mcom\/3669"},{"key":"1135_CR66","first-page":"698","volume-title":"CRYPTO 2018, Part III, volume 10993 of LNCS","author":"J Groth","year":"2018","unstructured":"Groth J., Kohlweiss M., Maller M., Meiklejohn S., Miers I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2018, Part III, volume 10993 of LNCS, pp. 698\u2013728. Springer, Heidelberg (2018)."},{"key":"1135_CR67","first-page":"126","volume-title":"CRYPTO 2014, Part II, volume 8617 of LNCS","author":"R Granger","year":"2014","unstructured":"Granger R., Kleinjung T., Zumbr\u00e4gel J.: Breaking \u2018128-bit secure\u2019 supersingular binary curves\u2013(or how to solve discret logarithms in $$\\mathbb{F} _{2^{4 \\cdot 1223}}$$ and $$\\mathbb{F} _{2^{12 \\cdot 367}}$$). In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014, Part II, volume 8617 of LNCS, pp. 126\u2013145. 
Springer, Heidelberg (2014)."},{"key":"1135_CR68","first-page":"190","volume-title":"CRYPTO 2001, volume 2139 of LNCS","author":"RP Gallant","year":"2001","unstructured":"Gallant R.P., Lambert R.J., Vanstone S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian J. (ed.) CRYPTO 2001, volume 2139 of LNCS, pp. 190\u2013200. Springer, Heidelberg (2001)."},{"key":"1135_CR69","unstructured":"Guillevic A., Morain F.: Pairings for engineers, chap. 9\u2014discret logarithms, pp. 203\u2013242. CRC Press Taylor and Francis group, Spring 2016. ElMrabet N., Joye M. (eds.). https:\/\/www.crcpress.com\/Guide-to-Pairing-Based-Cryptography\/El-Mrabet-Joye\/p\/book\/9781498729505https:\/\/hal.inria.fr\/hal-01420485v2."},{"issue":"1","key":"1135_CR70","doi-asserted-by":"crossref","first-page":"186","DOI":"10.1137\/0218012","volume":"18","author":"S Goldwasser","year":"1989","unstructured":"Goldwasser S., Micali S., Rackoff C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186\u2013208 (1989).","journal-title":"SIAM J. Comput."},{"key":"1135_CR71","doi-asserted-by":"crossref","first-page":"1047","DOI":"10.1007\/s10623-020-00727-w","volume":"88","author":"A Guillevic","year":"2020","unstructured":"Guillevic A., Masson S., Thom\u00e9 E.: Cocks-Pinch curves of embedding degrees five to eight and optimal ate pairing computation. Des. Codes Cryptogr. 88, 1047\u20131081 (2020).","journal-title":"Des. Codes Cryptogr."},{"issue":"4","key":"1135_CR72","doi-asserted-by":"crossref","first-page":"800","DOI":"10.1016\/j.ffa.2007.02.003","volume":"13","author":"SD Galbraith","year":"2007","unstructured":"Galbraith S.D., McKee J.F., Valen\u00e7a P.C.: Ordinary abelian varieties having small embedding degree. Finite Fields Appl. 
13(4), 800\u2013814 (2007).","journal-title":"Finite Fields Appl."},{"key":"1135_CR73","first-page":"97","volume-title":"CRYPTO 2006, volume 4117 of LNCS","author":"J Groth","year":"2006","unstructured":"Groth J., Ostrovsky R., Sahai A.: Non-interactive zaps and new techniques for NIZK. In: Dwork C. (ed.) CRYPTO 2006, volume 4117 of LNCS, pp. 97\u2013111. Springer, Heidelberg (2006)."},{"key":"1135_CR74","first-page":"444","volume-title":"ASIACRYPT 2006, volume 4284 of LNCS","author":"J Groth","year":"2006","unstructured":"Groth J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai X., Chen K. (eds.) ASIACRYPT 2006, volume 4284 of LNCS, pp. 444\u2013459. Springer, Heidelberg (2006)."},{"key":"1135_CR75","first-page":"321","volume-title":"ASIACRYPT 2010, volume 6477 of LNCS","author":"J Groth","year":"2010","unstructured":"Groth J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe M. (ed.) ASIACRYPT 2010, volume 6477 of LNCS, pp. 321\u2013340. Springer, Heidelberg (2010)."},{"key":"1135_CR76","first-page":"305","volume-title":"EUROCRYPT 2016, Part II, volume 9666 of LNCS","author":"J Groth","year":"2016","unstructured":"Groth J.: On the size of pairing-based non-interactive arguments. In: Fischlin M., Coron J.-S. (eds.) EUROCRYPT 2016, Part II, volume 9666 of LNCS, pp. 305\u2013326. Springer, Heidelberg (2016)."},{"key":"1135_CR77","first-page":"415","volume-title":"EUROCRYPT 2008, volume 4965 of LNCS","author":"J Groth","year":"2008","unstructured":"Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: Smart N.P. (ed.) EUROCRYPT 2008, volume 4965 of LNCS, pp. 415\u2013432. Springer, Heidelberg (2008)."},{"key":"1135_CR78","first-page":"209","volume-title":"PKC 2010, volume 6056 of LNCS","author":"R Granger","year":"2010","unstructured":"Granger R., Scott M.: Faster squaring in the cyclotomic subgroup of sixth degree extensions. In: Nguyen P.Q., Pointcheval D. (eds.) 
PKC 2010, volume 6056 of LNCS, pp. 209\u2013223. Springer, Heidelberg (2010)."},{"key":"1135_CR79","unstructured":"Guillevic A, Singh S.: On the alpha value of polynomials in the tower number field sieve algorithm. Math. Cryptol. 1(1) (2021)."},{"key":"1135_CR80","first-page":"535","volume-title":"PKC 2020, Part II, volume 12111 of LNCS","author":"A Guillevic","year":"2020","unstructured":"Guillevic A.: A short-list of pairing-friendly curves resistant to special TNFS at the 128-bit security level. In: Kiayias A., Kohlweiss M., Wallden P., Zikas V. (eds.) PKC 2020, Part II, volume 12111 of LNCS, pp. 535\u2013564. Springer, Heidelberg (2020)."},{"key":"1135_CR81","unstructured":"Guillevic A.: Pairing-friendly curves. https:\/\/members.loria.fr\/AGuillevic\/pairing-friendly-curves\/ (2021)."},{"key":"1135_CR82","doi-asserted-by":"crossref","unstructured":"Gentry C., Wichs D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow L., Vadhan S.P. (eds.) 43rd ACM STOC, pp. 99\u2013108. ACM Press (2011).","DOI":"10.1145\/1993636.1993651"},{"key":"1135_CR83","unstructured":"Gabizon A., Williamson Z.J., Ciobotaru O.: PLONK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019\/953. https:\/\/eprint.iacr.org\/2019\/953 (2019)."},{"key":"1135_CR84","first-page":"705","volume-title":"CRYPTO 2015, Part I, volume 9215 of LNCS","author":"M Hamburg","year":"2015","unstructured":"Hamburg M.: Decaf: eliminating cofactors through point compression. In: Gennaro R., Robshaw M.J.B. (eds.) CRYPTO 2015, Part I, volume 9215 of LNCS, pp. 705\u2013723. Springer, Heidelberg (2015)."},{"key":"1135_CR85","unstructured":"Hayashida D., Hayasaka K., Teruya T.: Efficient final exponentiation via cyclotomic structure for pairings over families of elliptic curves. Cryptology ePrint Archive, Report 2020\/875. 
https:\/\/eprint.iacr.org\/2020\/875 (2020)."},{"key":"1135_CR86","unstructured":"Hopwood D.: The pasta curves for halo 2 and beyond. https:\/\/electriccoin.co\/blog\/the-pasta-curves-for-halo-2-and-beyond\/ (2020)."},{"key":"1135_CR87","unstructured":"Hopwood D.: Pluto-eris hybrid cycle of elliptic curves. https:\/\/github.com\/daira\/pluto-eris (2021)."},{"key":"1135_CR88","first-page":"326","volume-title":"ASIACRYPT 2008, volume 5350 of LNCS","author":"H Hisil","year":"2008","unstructured":"Hisil H., Koon-Ho Wong K., Carter G., Dawson E.: Twisted Edwards curves revisited. In: Pieprzyk J. (ed.) ASIACRYPT 2008, volume 5350 of LNCS, pp. 326\u2013343. Springer, Heidelberg (2008)."},{"key":"1135_CR89","doi-asserted-by":"crossref","unstructured":"Juels A., Kosba A.E., Shi E.: The ring of Gyges: investigating the future of criminal smart contracts. In: Weippl E.R., Katzenbeisser S., Kruegel C., Myers A.C., Halevi S. (eds.) ACM CCS 2016, pp. 283\u2013295. ACM Press (2016).","DOI":"10.1145\/2976749.2978362"},{"issue":"2","key":"1135_CR90","doi-asserted-by":"crossref","first-page":"353","DOI":"10.2140\/pjm.2013.263.353","volume":"263","author":"N Jones","year":"2013","unstructured":"Jones N.: Elliptic aliquot cycles of fixed length. Pac. J. Math. 263(2), 353\u2013371 (2013).","journal-title":"Pac. J. Math."},{"issue":"281","key":"1135_CR91","doi-asserted-by":"crossref","first-page":"555","DOI":"10.1090\/S0025-5718-2012-02625-1","volume":"82","author":"K Karabina","year":"2013","unstructured":"Karabina K.: Squaring in cyclotomic subgroups. Math. Comput. 82(281), 555\u2013579 (2013).","journal-title":"Math. Comput."},{"key":"1135_CR92","first-page":"543","volume-title":"CRYPTO 2016, Part I, volume 9814 of LNCS","author":"T Kim","year":"2016","unstructured":"Kim T., Barbulescu R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, volume 9814 of LNCS, pp. 543\u2013571. 
Springer, Heidelberg (2016)."},{"key":"1135_CR93","unstructured":"Kilic O.: High-Speed Implementation of Curves in Go. https:\/\/github.com\/kilic\/bn254, https:\/\/github.com\/kilic\/bls12-381, https:\/\/github.com\/kilic\/bls12-377 and https:\/\/github.com\/kilic\/bw6."},{"key":"1135_CR94","doi-asserted-by":"crossref","unstructured":"Kilian J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: 24th ACM STOC, pp. 723\u2013732. ACM Press (1992).","DOI":"10.1145\/129712.129782"},{"key":"1135_CR95","doi-asserted-by":"crossref","unstructured":"Kosba A.E., Miller A., Shi E., Wen Z., Papamanthou C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839\u2013858. IEEE Computer Society Press (2016).","DOI":"10.1109\/SP.2016.55"},{"key":"1135_CR96","unstructured":"Kosba A.E., Papadopoulos D., Papamanthou C., Sayed M.F., Shi E., Triandopoulos N.: TRUESET: faster verifiable set computations. In: Fu K., Jung J. (eds.) USENIX Security 2014, pp. 765\u2013780. USENIX Association (2014)."},{"key":"1135_CR97","unstructured":"Kattis A., Panarin K., Vlasov A.: RedShift: transparent SNARKs from list polynomial commitment IOPs. Cryptology ePrint Archive, Report 2019\/1400, 2019. https:\/\/eprint.iacr.org\/2019\/1400."},{"key":"1135_CR98","first-page":"126","volume-title":"PAIRING 2008, volume 5209 of LNCS","author":"EJ Kachisa","year":"2008","unstructured":"Kachisa E.J., Schaefer E.F., Scott M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith S.D., Paterson K.G. (eds.) PAIRING 2008, volume 5209 of LNCS, pp. 126\u2013135. Springer, Heidelberg (2008)."},{"key":"1135_CR99","unstructured":"Karabina K., Teske E.: On prime-order elliptic curves with embedding degrees k = 3, 4, and 6. In: van\u00a0der Poorten A.J., Stein A. (eds.) 
Algorithmic Number Theory, 8th International Symposium, ANTS-VIII, Banff, Canada, May 17\u201322, 2008, Proceedings, volume 5011 of Lecture Notes in Computer Science, pp. 102\u2013117. Springer (2008)."},{"key":"1135_CR100","doi-asserted-by":"crossref","unstructured":"Kleinjung T., Wesolowski B.: Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic. J. Am. Math. Soc. 35(02):581\u2013624 (2022). ePrint 2019\/751.","DOI":"10.1090\/jams\/985"},{"key":"1135_CR101","first-page":"177","volume-title":"ASIACRYPT 2010, volume 6477 of LNCS","author":"A Kate","year":"2010","unstructured":"Kate A., Zaverucha G.M., Goldberg I.: Constant-size commitments to polynomials and their applications. In: Abe M. (ed.) ASIACRYPT 2010, volume 6477 of LNCS, pp. 177\u2013194. Springer, Heidelberg (2010)."},{"key":"1135_CR102","unstructured":"Kosba A., Zhao Z., Miller A., Qian Y., Chan H., Papamanthou C., Pass R., Shelat A., Shi E.: C$$\\emptyset $$c$$\\emptyset $$: a framework for building composable zero-knowledge proofs. Cryptology ePrint Archive, Report 2015\/1093. https:\/\/eprint.iacr.org\/2015\/1093 (2015)."},{"key":"1135_CR103","doi-asserted-by":"crossref","unstructured":"Maller M., Bowe S., Kohlweiss M., Meiklejohn S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: Cavallaro L., Kinder J., Wang X.F., Katz J. (eds.) ACM CCS 2019, pp. 2111\u20132128. ACM Press (2019).","DOI":"10.1145\/3319535.3339817"},{"key":"1135_CR104","unstructured":"Meckler I.: O(1) labs fork of zexe: implementation of bn382-plain. https:\/\/github.com\/o1-labs\/zexe\/tree\/master\/algebra\/src\/bn_382 (2020)."},{"key":"1135_CR105","unstructured":"Micali S.: CS proofs (extended abstracts). In: 35th FOCS, pp. 436\u2013453. IEEE Computer Society Press (1994)."},{"key":"1135_CR106","unstructured":"Mihailescu P.: Dual elliptic primes and applications to cyclotomy primality proving. 
arXiv:0709.4113 (2007)."},{"key":"1135_CR107","first-page":"306","volume-title":"SAC 2014, volume 8781 of LNCS","author":"N Mouha","year":"2014","unstructured":"Mouha N., Mennink B., Van Herrewege A., Watanabe D., Preneel B., Verbauwhede I.: Chaskey: An efficient MAC algorithm for 32-bit microcontrollers. In: Joux A., Youssef A.M. (eds.) SAC 2014, volume 8781 of LNCS, pp. 306\u2013323. Springer, Heidelberg (2014)."},{"key":"1135_CR108","first-page":"90","volume-title":"ICISC 00, volume 2015 of LNCS","author":"A Miyaji","year":"2001","unstructured":"Miyaji A., Nakabayashi M., Takano S.: Characterization of elliptic curve traces under FR-reduction. In: Won D. (ed.) ICISC 00, volume 2015 of LNCS, pp. 90\u2013108. Springer, Heidelberg (2001)."},{"key":"1135_CR109","doi-asserted-by":"crossref","unstructured":"Menezes A., Sarkar P., Singh S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan R.C.-W., Yung M. (eds) Mycrypt Conference, volume 10311 of LNCS, pp. 83\u2013108, Kuala Lumpur, Malaysia, December 1\u20132 2016. Springer. https:\/\/ia.cr\/2016\/1102.","DOI":"10.1007\/978-3-319-61273-7_5"},{"key":"1135_CR110","unstructured":"Masson S., Sanso A., Zhang Z.: Bandersnatch: a fast elliptic curve built over the bls12-381 scalar field. Cryptology ePrint Archive, Report 2021\/1152. https:\/\/ia.cr\/2021\/1152 (2021)."},{"key":"1135_CR111","first-page":"178","volume-title":"PAIRING 2008, volume 5209 of LNCS","author":"Y Nogami","year":"2008","unstructured":"Nogami Y., Akane M., Sakemi Y., Katou H., Morikawa Y.: Integer variable chi-based Ate pairing. In: Galbraith S.D., Paterson K.G. (eds.) PAIRING 2008, volume 5209 of LNCS, pp. 178\u2013191. Springer, Heidelberg (2008)."},{"key":"1135_CR112","first-page":"109","volume-title":"LATINCRYPT 2010, volume 6212 of LNCS","author":"M Naehrig","year":"2010","unstructured":"Naehrig M., Niederhagen R., Schwabe P.: New software speed records for cryptographic pairings. 
In: Abdalla M., Barreto P.S.L.M. (eds.) LATINCRYPT 2010, volume 6212 of LNCS, pp. 109\u2013123. Springer, Heidelberg (2010)."},{"issue":"1","key":"1135_CR113","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1017\/S0305004117000688","volume":"166","author":"J Parks","year":"2019","unstructured":"Parks J.: An asymptotic for the average number of amicable pairs for elliptic curves. Math. Proc. Camb. Philos. Soc. 166(1), 33\u201359 (2019).","journal-title":"Math. Proc. Camb. Philos. Soc."},{"key":"1135_CR114","doi-asserted-by":"crossref","unstructured":"Parno B., Howell J., Gentry C., Raykova M.: Pinocchio: Nearly practical verifiable computation. In: 2013 IEEE Symposium on Security and Privacy, pp. 238\u2013252. IEEE Computer Society Press (2013).","DOI":"10.1109\/SP.2013.47"},{"key":"1135_CR115","unstructured":"Poelstra A.: Curve with group order $$2^{255}-19$$. https:\/\/moderncrypto.org\/mail-archive\/curves\/2018\/000992.html. Accessed 28 Feb 2022 (2018)."},{"issue":"114","key":"1135_CR116","doi-asserted-by":"crossref","first-page":"365","DOI":"10.1090\/S0025-5718-1971-0301966-0","volume":"25","author":"JM Pollard","year":"1971","unstructured":"Pollard J.M.: The fast Fourier transform in a finite field. Math. Comput. 25(114), 365\u2013374 (1971).","journal-title":"Math. Comput."},{"key":"1135_CR117","unstructured":"Shigeo M.: A portable and fast pairing-based cryptography library. https:\/\/github.com\/herumi\/mcl."},{"key":"1135_CR118","first-page":"595","volume-title":"PKC 2012, volume 7293 of LNCS","author":"Y Sakemi","year":"2012","unstructured":"Sakemi Y., Hanaoka G., Izu T., Takenaka M., Yasuda M.: Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve. In: Fischlin M., Buchmann J., Manulis M. (eds.) PKC 2012, volume 7293 of LNCS, pp. 595\u2013608. 
Springer, Heidelberg (2012)."},{"issue":"3","key":"1135_CR119","doi-asserted-by":"crossref","first-page":"193","DOI":"10.1007\/s001459900052","volume":"12","author":"NP Smart","year":"1999","unstructured":"Smart N.P.: The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193\u2013196 (1999).","journal-title":"J. Cryptol."},{"issue":"3","key":"1135_CR120","doi-asserted-by":"crossref","first-page":"329","DOI":"10.1080\/10586458.2011.565253","volume":"20","author":"JH Silverman","year":"2011","unstructured":"Silverman J.H., Stange K.E.: Amicable pairs and aliquot cycles for elliptic curves. Exp. Math. 20(3), 329\u2013357 (2011).","journal-title":"Exp. Math."},{"key":"1135_CR121","unstructured":"Supranational. Multilingual BLS12-381 signature library. https:\/\/github.com\/supranational\/blst."},{"key":"1135_CR122","doi-asserted-by":"crossref","unstructured":"Sutherland A.V.: Computing Hilbert class polynomials with the Chinese remainder theorem. Math. Comput. 80(273):501\u2013538 (2011). arXiv:0903.2785.","DOI":"10.1090\/S0025-5718-2010-02373-7"},{"key":"1135_CR123","first-page":"139","volume-title":"FC 2014, volume 8437 of LNCS","author":"M Tibouchi","year":"2014","unstructured":"Tibouchi M.: Elligator squared: Uniform points on elliptic curves of prime order as uniform random strings. In: Christin N., Safavi-Naini R. (eds.) FC 2014, volume 8437 of LNCS, pp. 139\u2013156. Springer, Heidelberg (2014)."},{"issue":"1","key":"1135_CR124","doi-asserted-by":"crossref","first-page":"455","DOI":"10.1109\/TIT.2009.2034881","volume":"56","author":"F Vercauteren","year":"2010","unstructured":"Vercauteren F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455\u2013461 (2010).","journal-title":"IEEE Trans. Inf. Theory"},{"key":"1135_CR125","unstructured":"Vlasov A., Panarin K.: Transparent polynomial commitment scheme with polylogarithmic communication complexity. Cryptology ePrint Archive, Report 2019\/1020. 
https:\/\/eprint.iacr.org\/2019\/1020 (2019)."},{"key":"1135_CR126","unstructured":"Williamson Z.: An optimized elliptic curve library for the BN128 curve, and PLONK SNARK prover. https:\/\/github.com\/AztecProtocol\/barretenberg\/tree\/master\/barretenberg."},{"key":"1135_CR127","doi-asserted-by":"crossref","unstructured":"Wahby R.S., Tzialla I., Shelat A., Thaler J., Walfish M.: Doubly-efficient zkSNARKs without trusted setup. In: 2018 IEEE Symposium on Security and Privacy, pp. 926\u2013943. IEEE Computer Society Press (2018).","DOI":"10.1109\/SP.2018.00060"},{"key":"1135_CR128","unstructured":"Wuille P.: Elligator Squared for BN-like curves. https:\/\/github.com\/sipa\/writeups\/tree\/main\/elligator-square-for-bn (2021)."},{"key":"1135_CR129","unstructured":"Zcash. Rust implementation for the Pasta cycle in Rust. https:\/\/github.com\/zcash\/pasta_curves."},{"key":"1135_CR130","unstructured":"ZCash. What is jubjub? https:\/\/z.cash\/technology\/jubjub\/ (2021)."}],"container-title":["Designs, Codes and 
Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-022-01135-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10623-022-01135-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-022-01135-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,10,24]],"date-time":"2023-10-24T19:15:11Z","timestamp":1698174911000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10623-022-01135-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,21]]},"references-count":130,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2023,11]]}},"alternative-id":["1135"],"URL":"https:\/\/doi.org\/10.1007\/s10623-022-01135-y","relation":{},"ISSN":["0925-1022","1573-7586"],"issn-type":[{"value":"0925-1022","type":"print"},{"value":"1573-7586","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,12,21]]},"assertion":[{"value":"16 May 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 May 2022","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 September 2022","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 December 2022","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}