following-up to my own post

On Sun, Sep 25, 2016 at 11:58 PM, Zooko Wilcox-OHearn <[email protected]> wrote:
>
> b) Pairing performance is critical for us. A curve like Michael Scott
> suggested that took 2.5 times as long for a pairing operation would
> almost certainly blow our performance budget and we'd have to do some
> serious re-engineering to get it back.

I was totally wrong about this. Our performance bottleneck is in a path (zk-SNARK proving) that doesn't require pairing operations, so using a curve which was 2.5 times slower at pairing operations would not worsen our performance issues. However, if it was also 2.5 times slower for curve operations, then it would.

Proving time:
https://speed.z.cash/timeline/?exe=1&base=1%2B9&ben=time+createjoinsplit&env=1&revs=1000&equid=off&quarts=on&extr=on

Verifying time:
https://speed.z.cash/timeline/?exe=1&base=1%2B9&ben=time+verifyjoinsplit&env=1&revs=1000&equid=off&quarts=on&extr=on

I guess it might also be an issue if our verifier took a lot longer, but it's currently unclear how serious of a problem that would be.

Also, Zcash engineer Sean Bowe said this to me, and I completely don't understand what he is talking about so I'm just writing it in here verbatim:

"hopefully if work is done on BLS curves, they will select a curve that works well for snarks. i.e. with group order p such that p-1 is a multiple of 2^28 or another large power of 2"

Sincerely,

Zooko

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
