Cycles against knowledge

Having Halo on your mind, it is unlikely someone will look back into cycles of curves with pairing. It is just hard (citing “arguments against knowledge” paper from the MNT5 inventor):

Still we might look into hyperelliptic curves with pairing. The idea is, number of group elements (pairs of curve points) scales roughly quadratic of base field cardinality, in case of quintic polynomial. There should be plenty of searchspace for a subgroup of the proper prime order, hopefully completing a cycle with a BLS12 curve.

Pairing on hyperelliptic curves was discussed with Dr.Nelasa around 2018.

For completeness, I should also cite Mihir Bellare and Oded Goldreich, On Defining Proofs of Knowledge.

“We adduce the general parameters for the Poseidon hash function that allow using this hash function in recurrent SNARK-proofs based on MNT-4 and MNT-6 triplets.”

“The construction of such proofs…should be described as a system of certain equations of many variables over a finite field, the left part of which contains a polynomial of many second degree variables, and the right part — a polynomial of many variables of the first degree.”

Probably one should read an R1CS system of equations like “a*b=c”, no polynomials yet.
Or maybe a QAP instance, polynomials of higher degree.

“Models of Distributed Proof Generation for ZK-SNARK-based Bloekehains”