Notation

A curve $E(F_q)$ of order $r$ A point is $(x,y) \in F_q^2$ A scalar is $x \in F_r$ Scalar multiplication $xG$

DKG requires operation both on $F_r$ and $E(F_q)$

1. Add, Mul, Inv on $F_r$ -> this for evaluating polynomials $f(1),f(2)...$
2. Add, Sub, Scalar Multiplication on $E(F_q)$

Curves Recap

Cycle of Curves

Two curves “connected” with each other: $E_1(F_q)$ of order $r$ -> can write circuits on $F_r$ $E_2(F_r)$ of order $q$ -> can write circuits on $F_q$

Required for Halo2, Nova, Non Succinct Argument... Why ? Because we need to implement a verifier of the previous proof inside a circuit. Verifier needs to do Group operations -> circuit in $F_r$, verifier needs to do operation in circuit in $F_q$

List: Secp (Bitcoin curves), Pasta curves & many others (”easy” to find a cycle).

2chain of pairing based curves

2 pairing based curves where one is defined on top of the other. Typically used to have a circuit that can verify another pairing based proof.

We have two proofs, one that deals with $F_q$ circuit and one that deals with $F_r$ circuit and the former proof verifies the latter inside its circuit.

• Outer curve $E_1(F_w)$of order $q$ -> circuits can be written on $F_q$
  • Allows to write point operations
• Write a circuit that verifies a proof done on the inner curve i.e. verify a Groth16 made on $E_2(F_q)$
• Inner curve $E_2(F_q)$ of order $r$ -> circuits can be written on $F_r$ -> Allows to write scalar operations

Note: There also exists cycle of pairing based curves but these are very costly so it’s not considered here

Embedded curve