BN254 Curve Operations

sevkett12 edited this page Jan 9, 2025 · 2 revisions

Why $BN254$ curve?

The elliptic curve $y^2=x^3+3$ over a certain prime field $F_p$ is called the $BN254$ curve. Some of the reasons why BN254 is a pairing-friendly curve:

  • The prime $p$ is big enough for security and satisfies some modular conditions.
  • The number of solutions of the curve over $F_p$ (called $r$) is prime.
  • The embedding degree ($k$) of the BN254 curve (the minimum positive integer that satisfies $r \mid p^k-1$) is 12. 12 is one of the optimal options for the embedding degree: if the embedding degree is large, calculations become hard; if it is low, the curve's security is not good enough. For more detailed explanation

Field Extensions

Since the embedding degree of the BN254 curve is 12, we want to represent $F_{p^{12}}$. The standard way to do this for the BN254 curve is to use a tower of field extensions of $F_p$ as follows:

$$F_{p^2}=F_p[u]/(u^2+1)$$

$$F_{p^6}=F_{p^2}[v]/(v^3-(9+u))$$

$$F_{p^{12}}=F_{p^6}[w]/(w^2-v)$$

Alternatively, $F_{p^{12}}=F_p[w]/(w^{12}-18w^6+82)$. (These extensions are possible due to some modular choices of $p$.)

Note: In our code base, $F_p$ is named `fq`.
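The checks below are an added example, not code from this wiki's code base. They confirm the embedding degree and the tower conditions numerically, assuming the BN parameter $x = 4965661367192848881$ and the BN polynomials for $p$ and $r$ (neither is stated on this page); all function names are illustrative.

```python
# Assumption: BN254 (alt_bn128) parameter x; p and r come from the BN polynomials.
X = 4965661367192848881
P = 36*X**4 + 36*X**3 + 24*X**2 + 6*X + 1   # base field prime p
R = 36*X**4 + 36*X**3 + 18*X**2 + 6*X + 1   # group order r

def embedding_degree(p, r, limit=64):
    """Smallest k >= 1 with r | p^k - 1, or None if there is none up to limit."""
    acc = 1
    for k in range(1, limit + 1):
        acc = acc * p % r
        if acc == 1:
            return k
    return None

def fp2_mul(a, b, p=P):
    """(a0 + a1*u) * (b0 + b1*u) in F_p[u]/(u^2 + 1)."""
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)

def fp2_pow(a, e, p=P):
    """Square-and-multiply exponentiation in F_{p^2}."""
    result = (1, 0)
    while e:
        if e & 1:
            result = fp2_mul(result, a, p)
        a = fp2_mul(a, a, p)
        e >>= 1
    return result

XI = (9, 1)  # the element 9 + u used in v^3 - (9 + u)

def tower_is_valid(p=P):
    """True if u^2+1, v^3-(9+u) and w^2-v are each irreducible at their level."""
    if p % 4 != 3:          # u^2 + 1 is irreducible iff -1 is a non-square mod p
        return False
    n = p * p - 1           # order of the multiplicative group of F_{p^2}
    not_square = fp2_pow(XI, n // 2, p) != (1, 0)  # makes w^2 - v irreducible
    not_cube = fp2_pow(XI, n // 3, p) != (1, 0)    # makes v^3 - (9+u) irreducible
    return not_square and not_cube

def degree12_relation_holds(p=P):
    """w^6 = v^3 = 9 + u, so w^12 - 18w^6 + 82 must vanish at 9 + u."""
    sq = fp2_mul(XI, XI, p)
    return ((sq[0] - 18*XI[0] + 82) % p, (sq[1] - 18*XI[1]) % p) == (0, 0)

if __name__ == "__main__":
    print(P.bit_length(), embedding_degree(P, R), tower_is_valid(), degree12_relation_holds())
```
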

G1Affine Curve

We want to construct a group structure on the BN254 curve, with curve addition as the operation.