BLS12-377

BLS12-377 is a pairing-friendly curve in the Barreto–Lynn–Scott family with embedding degree 12. It was chosen specifically so that its scalar field Fr has 2-adicity 47 — meaning 2⁴⁷ divides Fr − 1 — which is required for efficient FFTs in the proof system.

Curve Equation

G1: y² = x³ + 1 over Fq (384-bit prime field)

Fields

Field	Size	Modulus
Fq (base field)	377 bits	`258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458177`
Fr (scalar field)	253 bits	`8444461749428370424248824938781546531375899335154063827935233455917409239041`

Subgroups

BLS12-377 has two prime-order subgroups:

G1: Points on y² = x³ + 1 over Fq, cofactor ≈ 2⁹⁴
G2: Points on the D-type quadratic twist over Fq²
GT: The target group in Fq¹² (degree-12 extension)

Pairing

The pairing e: G1 × G2 → GT is an optimal Ate pairing computed via a Miller loop followed by a final exponentiation. This bilinearity is the mathematical foundation of the Varuna SNARK and the polynomial commitment scheme:

e(aP, Q) = e(P, aQ) = e(P, Q)^a

Usage

BLS12-377 is used for:

SNARK proof generation and verification
The Structured Reference String (SRS)
KZG polynomial commitments
Proof aggregation

Field Parameters

Scalar Field

Modulus

Integer Representation

8444461749428370424248824938781546531375899335154063827935233455917409239041

Hexadecimal Representation

12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001

U64 Representation (Little-Endian)

[725501752471715841, 6461107452199829505, 6968279316240510977, 1345280370688173398]

Root of Unity

Integer Representation

5928890464389279575069867463136436689218492512582288454256978381122364252082

Hexadecimal Representation

0d1ba211c5cc349cd7aacc7c597248269a14cda3ec99772b3c3d3ca739381fb2

U64 Representation (Little-Endian)

[4340692304772210610, 11102725085307959083, 15540458298643990566, 944526744080888988]

Base Field

Modulus

Integer Representation

258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458177

Hexadecimal Representation

01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001

U64 Representation (Little-Endian)

[9586122913090633729, 1660523435060625408, 2230234197602682880, 1883307231910630287, 14284016967150029115, 121098312706494698]

Root of Unity

Integer Representation

146552004846884389553264564610149105174701957497228680529098805315416492923550540437026734404078567406251254115855

Hexadecimal Representation

00f3c1414ef58c54f95564f4cbc1b61fee086c1fe367c33776da78169a7f3950f1bd15c3898dd1af1c104955744e6e0f

U64 Representation (Little-Endian)

[2022196864061697551, 17419102863309525423, 8564289679875062096, 17152078065055548215, 17966377291017729567, 68610905582439508]

Curve Equation​

Fields​

Subgroups​

Pairing​

Usage​

Field Parameters​

Scalar Field​

Modulus​

Integer Representation​

Hexadecimal Representation​

U64 Representation (Little-Endian)​

Root of Unity​

Integer Representation​

Hexadecimal Representation​

U64 Representation (Little-Endian)​

Base Field​

Modulus​

Integer Representation​

Hexadecimal Representation​

U64 Representation (Little-Endian)​

Root of Unity​

Integer Representation​

Hexadecimal Representation​

U64 Representation (Little-Endian)​

Curve Equation

Fields

Subgroups

Pairing

Usage

Field Parameters

Scalar Field

Modulus

Integer Representation

Hexadecimal Representation

U64 Representation (Little-Endian)

Root of Unity

Integer Representation

Hexadecimal Representation

U64 Representation (Little-Endian)

Base Field

Modulus

Integer Representation

Hexadecimal Representation

U64 Representation (Little-Endian)

Root of Unity

Integer Representation

Hexadecimal Representation

U64 Representation (Little-Endian)