Elliptic Curves in Aleo. From BLS12-377 to Record Encoding
Aleo is a privacy-first layer-1 blockchain where general-purpose programs execute off-chain with zero-knowledge proofs, and only concise proofs and encrypted records are published on-chain. At its heart is a two-curve SNARK architecture - a pairing-friendly curve (BLS12-377) for succinct proofs, and a companion curve (BW6-761) for efficient proof recursion and aggregation. Together these enable Aleo’s record model, in which every piece of state (owner addresses, values, etc.) is kept private (ciphertext) unless explicitly marked public. In this article we dive into the mathematics of these curves, why they were chosen, and how Aleo uses them to encode and encrypt records. We give concrete Leo code examples for elliptic operations and record handling, and sketch diagrams of the curve relationships and record commitments to illuminate Aleo’s elegant design.
The BLS12-377 Curve
Aleo’s primary elliptic curve is BLS12-377, a Barreto–Lynn–Scott (BLS) curve at ~128-bit security. Formally, BLS12-377 is defined over the prime field $\mathbb{F}_q$ with characteristic
q=258664426012969094010652733694893533536393512754914660539884262666720468348340822774968888139573360124440321458177
(approximately $2^{377}$) and its group order $r$ is a 253-bit prime
r=8444461749428370424248824938781546531375899335154063827935233455917409239041.
The curve equation is of Weierstrass form (for example, $y^2 = x^3 + 4$) and admits an efficiently computable bilinear pairing of embedding degree 12. In practice this means we have groups $G_1 = E(\mathbb{F}q)[r]$ and $G_2 = E'(\mathbb{F}{q^2})[r]$ such that a pairing e: G1×G2 → μr ⊂ Fq12 satisfies bilinearity $e(aP,bQ) = e(P,Q)^{ab}$, which is crucial for many SNARK verification equations. The cofactor of the curve is small (so the prime-order subgroup is large), and the parameters are chosen to resist known attacks (BLS12-377 has no small twists, etc.). Its security level (≈ 128 bits) is comparable to well-known curves like BLS12-381 or secp256k1, but it was specifically tuned for efficient SNARK proofs.
A key property is that $r \approx 2^{253}$, meaning field operations in $\mathbb{F}_q$ are about 1.5× larger than the 254-bit Ethereum BN254 curve but slightly smaller than 381-bit. Arithmetic on BLS12-377 (e.g. point addition and scalar multiplication) is very fast in software, and numerous libraries and hardware circuits have been optimized for it. Importantly, its cofactor is 1, and it is defined with a simple $y^2=x^3+b$ form, making implementation and formal verification straightforward. In Aleo, BLS12-377 is used in SNARK generation and verification: the circuit proofs (Marlin/Varuna) are ultimately checked via group and field operations in this curve. As Aleo’s dev docs note, “BLS12-377 … supports fast proof verification” while an alternative twisted-Edwards “Edwards-BLS12” curve is used to “enable efficient circuit operations”.
Mathematically, one may write a BLS12-377 point addition or scalar multiplication in Leo as operations over two coordinates $(x,y)\in \mathbb{F}_q$. For example, if $G\in G_1$ is the generator, then $2G$ and $3G$ are computed in $\mathbb{F}_q$ by the usual elliptic curve formulas. (Leo code supports this via built-in group primitives.) We will show examples of doing such operations in Leo below.
Decaf377 (Twisted Edwards “Edwards BLS12”)
In addition to the short Weierstrass form of BLS12-377, Aleo also uses a twisted Edwards variant on the same base-field modulus. This Edwards curve, colloquially called Decaf377, has the same 377-bit prime field $\mathbb{F}_q$ but is represented with a curve equation of the form $ax^2 + y^2 = 1 + dx^2y^2$. (In practice Aleo’s library provides a group Address over this curve.) The Edwards curve is actually defined over a 253-bit prime field equal to the order $r$ of BLS12-377, hence its base-field size is ~2^253 (253 bits) and its scalar order is 251 bits. In other words, Decaf377 is a safe prime-order twisted Edwards curve with field characteristic equal to $r$. This curve is much “smaller” (fewer bits) than BLS12-377’s base field, making its operations (point add, multiply, hash-to-curve) very efficient in SNARK circuits. For example, the compressed size of a point in this group is 32 bytes (vs 48 bytes for a G1 point on BLS12-377). Aleo uses this Edwards curve for most in-circuit cryptography – e.g. Pedersen hashes, commitments, Schnorr signatures, etc. – because twisted Edwards addition formulas have very low R1CS cost.
In practice, Leo provides an address type (which is actually a point in this Edwards curve’s group) and a Group interface for arbitrary base-point operations. For instance, one might write in Leo:
// Example: scalar multiply on Edwards curve
import leo::crypto::Group;
function example_ec() {
let G = Group::generator::<BLS12_377>(); // generator point on Edwards curve
let scalar = 123456u64;
let P = G * scalar; // scalar multiplication
let Q = P + G; // point addition
let (x,y) = Q.to_xy_coordinates();
output x as Field; // output x-coordinate
}Here Group::generator::<BLS12_377>() yields the basepoint on the Edwards form of BLS12-377, and arithmetic operations * and + are done inside the SNARK circuit. The operations occur in $\mathbb{F}_r$ (the 253-bit field), so they are relatively cheap. In contrast, doing these in the 377-bit field or an extension field (as required for pairings) would be more costly. The decaf377 group has cofactor 8 with a fast “cofactor-clearing” map, so it provides a prime-order subgroup for signatures and commitments.
Why BLS12-377 (Performance, Security, Pairings)
Why did Aleo choose BLS12-377 rather than other popular curves (like BLS12-381 or BN254)? Several factors influenced this:
- SNARK Efficiency. BLS12-377 is optimized for small proofs and fast verification. Its relatively moderate base-field size (377 bits) yields smaller curve arithmetic than 381 bits, and it was specifically chosen in the Zexe framework. Empirically, proofs over BLS12-377 verify faster than equivalent ones over heavier curves, improving throughput. (By contrast, Ethereum’s BN254 is 254-bit but has known security weaknesses at that bitlength, while BLS12-381 is larger and offers slightly higher security than needed.)
- Security Margin. The 377-bit prime and 253-bit order give a security level over 125 bits. This comfortably exceeds 128-bit symmetric security. In the long term, stronger curves might be added, but currently 125+ bits is ample. The chosen curve resists known attacks and was scrutinized in the literature.
- Pairing Properties. BLS12-377 has embedding degree 12, enabling efficient Type-3 pairings. This is important for the underlying Marlin/Varuna SNARK (which uses KZG polynomial commitments based on pairings) and any Groth16 proofs internally. BLS12-377 was paired with a compatible “two-cycle” partner (as we discuss below) to support recursion.
- Library Support. The Aleo/SnarkVM ecosystem had mature implementations for BLS12-377 (from Zexe and others). This gave confidence in correctness and performance. Moreover, the pairing-friendly curve allows reuse of many existing proof systems without reinventing them.
In summary, BLS12-377 strikes a balance: strong enough security, very efficient for both scalar-field arithmetic (for in-circuit use) and group operations (for proofs), and pairing-friendly for succinct SNARKs.
The BW6-761 Curve and 2-Chain Construction
Aleo’s SNARK architecture uses two curves in tandem. The second is BW6-761, a so-called Pinch–Cook curve specially constructed to pair with BLS12-377. BW6-761 has embedding degree 6 and is defined so that its subgroup order equals the base-field characteristic of BLS12-377. In other words, if we write
and let $r_{BW6}$ be the prime order of the BW6-761 group, then
This “2-cycle” property (base field of one equals group order of the other) is crucial for recursive SNARKs.
Concretely, BLS12-377’s base field $\mathbb{F}q$ has size 377 bits; BW6-761’s scalar field is 761 bits (so its base field is larger, ~761 bits) and it has order $\approx 377$ bits. Thus, arithmetic in BW6’s base field implements 761-bit operations, about twice as heavy per multiplication as BLS12-377’s 377-bit field. However, this price is paid in order to do proof aggregation: Aleo uses BW6-761 to build a SNARK circuit that verifies proofs produced over BLS12-377. For example, to aggregate $k$ Groth16 proofs (each on BLS12-377), Aleo simply writes a BW6-761 circuit that takes those proofs as public inputs and verifies each one. Since in this circuit the BLS12-377 base field element (such as a target exponent in a pairing) is just an integer mod $r{BW6}$, it becomes native arithmetic in the BW6 SNARK. In effect, operations like exponentiation by $q$ (BLS12 base field) are just multiplications by $r_{BW6}$ (BW6’s group order), which are free (since $r_{BW6}\equiv 0$ in the exponent).
The result is a constant-size aggregated proof: Groth16 ensures each proof is 3 group elements, so naively $k$ proofs would give $O(k)$ size. But by verifying them inside one BW6 SNARK, Aleo obtains a single proof attesting to all of them. As the Maya ZK blog explains, “the aggregation algorithm is simply the Groth16 SNARK over BW6-761 for a circuit verifying $k$ proofs”. In other words, Aleo’s proof-of-proof circuit uses Groth16 on BW6-761 with an R1CS encoding of the BLS12-377 verifier. The creative insight is that the enormous embedding (12 → 6) matches up so that the internal exponentiations are over integers mod $r_{BW6}$ (trivial) instead of mod $q^{something}$.
Practically, this “2-chain” approach yields constant-size proofs no matter how many are aggregated. (By contrast, SNARKPack or other inner-product schemes only reduce but still depend on $k$ logarithmically.) Aleo’s papers report that verifying one BLS12-377 proof inside a BW6-761 SNARK costs on the order of $45,$K R1CS constraints. This is heavier than verifying a proof natively (Groth16 on BLS12-377 is quite fast), but it enables recursive proofs. Future plans (e.g. VeriexZexe) even replace the Groth16 recursion with PlonK, roughly halving the constraint count.
Mathematically, one can summarize the pairing cycles as follows: BLS12-377 has embedding degree 12, BW6-761 has degree 6, and they form a reciprocal 2-cycle. The BW6 base field $\mathbb{F}{p{BW6}}$ is ~2× larger than BLS12’s (761-bit vs 377-bit), but its order equals BLS12’s field characteristic. In shorthand,
Thus one can map a BLS12 pairing equation into BW6 arithmetic. Without this, recursively proving a pairing check in the same curve would cost millions of constraints, which is infeasible. The BW6-761 curve (sometimes called “Pinch–Cook curve”) was specially constructed for this use.
The Aleo Record Model
Before diving deeper into pairings, let us step back to how Aleo uses elliptic curves for data records and privacy. Aleo adopts a UTXO-like record model (inspired by Zcash), where each application state change consumes old records and creates new ones. However, unlike typical UTXO, each record can contain arbitrary key-value data (not just a coin amount) and, crucially, every private field is encrypted. By default, everything is private unless marked public. The on-chain ledger never sees raw secret values – only ciphertexts and commitments.
Concretely, an Aleo program defines a record type with named fields. For example:
record AssetRecord {
owner as address.private; // owner’s public address (encrypted)
balance as u64.private; // asset balance (encrypted)
}Here both owner and balance are .private, indicating they must be encrypted before storing on-chain. The owner field is an Aleo account address (a public key), but as a record entry it is kept private to avoid linking. A record also carries a special nonce (a group element) which ensures each record has a unique serial number; this nonce is public in the record data (indeed, in the storage proof one sees the nonce). In summary, each stored record consists of:
- apk (address public key) – the owner of the record (encrypted on-chain, but used as a public commitment),
- payload/data – all the user-defined fields (encrypted or public as tagged),
- serial number nonce ($\rho$) – a group element unique to this record,
- predicate data ($\Phi_b,\Phi_d$) – flags or conditions on record birth/death (used for program logic).
These components are hashed together into a record commitment $cm$.
Records are tied to programs: only the program that created a record (identified by program ID) can later update or spend it. When a record is created in a transaction, the program includes its (encrypted) payload and assigns a new random nonce. Later, to spend that record, the owner must reveal its serial number $\rho$ (derived from the nonce) in a spending proof. Revealing the correct $\rho$ publicly prevents double-spending because the same nonce cannot be used twice. The nonce itself is computed via a pseudorandom function of the owner’s secret key and some index: in SnarkVM this is done as $\rho = \text{PRF}(ask, index)$ where $ask$ is the account’s spending key and index is usually a counter or random salt. In code, one does not compute $\rho$ manually; it is automatically generated. But conceptually, each record’s serial number depends on the owner’s private key, binding the record to that key.
Importantly, only ciphertexts and commitments appear on-chain. For a private entry like balance, the program’s R1CS variables work with the plaintext integer internally, but the published record stores an encryption of it. Aleo provides an account view key so that users can decrypt records they own. As the docs state: “Only the sender and receiver with their corresponding account view keys are able to decrypt the private entries”. The owner’s view key is derived from their secret key and published only to them (not to validators). This ensures the ledger is private by default: outsiders see only record commitments $cm$, not the actual addresses or values.
Another contrast is with traditional account-balance models: in Aleo, programs manage isolated records, not global storage slots. One can still have “mappings” or public state by using special public records, but that’s opt-in. By default, the record model gives concurrency (many records can be spent independently) and privacy.
Record Encryption on BLS12-377
How is the encryption of record fields actually done? In Aleo, encryption is based on elliptic-curve Diffie–Hellman over the Edwards BLS12-377 group. Specifically, when a program outputs a record with a private field $m$, the prover performs an ECDH operation between the owner’s public address and a random scalar to derive a symmetric key. In SnarkVM’s Rust library, this is implemented in Plaintext::encrypt(address, randomizer). The steps are roughly (see code):
- Pick a randomizer. the prover samples a fresh scalar $r$ (called the randomizer) for the record.
- Compute shared key. multiply the recipient’s address point $A$ by $r$ (point-scalar multiply). Take the x-coordinate of $r \cdot A$ to form a field element $k = x(rA)$. This is the
plaintext_view_key. - Derive stream cipher. hash $k$ (with domain separation) to generate one random field element per plaintext field bit.
- Mask the plaintext. add each hash output to the corresponding plaintext field. In effect $c_i = m_i + h_i(k)$ in $\mathbb{F}_r$.
Concretely, if $A$ is the owner’s public key (a group element on the Edwards curve) and $r$ is a private scalar, then the shared secret is $[r]A$. The prover uses $\text{Key} = x([r]A)$ to derive a one-time pad. Only someone with the owner’s view key (which equals the owner’s private address scalar $a$) can recompute $x([a] [r]G) = x([r]A)$ and thus the hash stream.
Mathematically, the encryption of a plaintext vector $m = (m_1,\dots,m_n)$ is:
where $H_i$ are hash-derived field elements. Since addition in $\mathbb{F}_r$ is invertible, knowing $k$ allows subtraction of $H_i(k)$ from the ciphertext $c_i$ to recover $m_i$. In code one never sees $c_i$ as a field; instead SnarkVM internally constructs a Ciphertext object from the fields of $m$ and the derived randomizers.
From the record-model perspective, this means: in a record structure, any .private entry is encrypted to the owner’s address via ECDH. For example, in the earlier AssetRecord, both owner and balance would be encrypted. The nonce of the record (a group element) is public and is computed as $\rho = [ask],(H(index))$ where $ask$ is the owner’s spend key and $H(index)$ is a fixed group map – essentially another ECDH-like PRF. The resulting ciphertexts and nonce $\rho$ are then hashed into the record’s commitment.
We emphasize - encryption happens off-chain as part of proof generation. A Leo programmer simply writes owner as address.private and works with owner as a public key type in the code; under the hood, after proof generation, the payload will be replaced by ciphertext. For example:
record AssetRecord {
owner as address.private; // owner (encrypted to this address)
balance as u64.private; // balance (encrypted)
}
function transfer(
input rec as AssetRecord.record,
input to as address.private,
input amt as u64.private
) {
// Subtract amt from sender’s balance
sub rec.balance amt into new_balance;
// Create sender’s new record with remaining balance
cast rec.owner new_balance into rec1 as AssetRecord.record;
// Create receiver’s new record with amt
cast to 0u64 amt into rec2 as AssetRecord.record;
// Output both as new records
output rec1 as AssetRecord.record;
output rec2 as AssetRecord.record;
}In this example, rec.owner and rec.balance are handled as private values. The Leo compiler and runtime ensure they are encrypted to the appropriate addresses. (The second record’s to field is also marked .private, meaning the receiver address itself is stored privately.) Note that we never explicitly code the ECDH encryption – the SNARKVM library does it when emitting the transaction. We simply mark data as private in the type system. This ensures “all records in Aleo are fully private” as noted in Aleo docs.
Commitments and Record Serial Numbers
While encryption hides contents, Aleo also uses cryptographic commitments to bind data. Each record $r$ has a commitment $cm = \mathsf{Commit}(apk, \text{data}, \Phi_b, \Phi_d, \rho)$, where $apk$ is the owner’s public key, “data” are the payload fields, $\Phi_b,\Phi_d$ are any birth/death predicates, and $\rho$ is the nonce/serial. This commitment (often a Pedersen hash on the Edwards group) is included in the proof, so that one proves “I know a record with values that hash to $cm$”. On-chain only $cm$ (and later the spent serial) are revealed. As Aleo documentation explains, commitments “ensure that sensitive information isn’t revealed but allow verification of correctness”.
The following diagram (adapted from Zexe) illustrates the commit step for a record:
apk), the encrypted data payload, the serial nonce $\rho$, and any program predicates. The result $cm$ is the record commitment stored on-chain.In the figure above, the box “Commit” represents a Pedersen or cryptographic hash into a group. Notice the inputs: the owner’s public key (address public key) and the payload data are fixed by the program logic; the serial nonce $\rho$ is a fresh random group element (derived via the PRF on the owner’s key); and $\Phi_b,\Phi_d$ capture conditions like “this record was just created” or “this record is consumed”. The output is $cm$, published on-chain when the record is created. Later, when spending that record, one reveals $\rho$ publicly so anyone can check $\rho$ hasn’t been used before (preventing double-spend).
Taken together, Aleo’s private-record architecture works as follows: all critical data (owner, balance, etc.) are encrypted with ECDH on BLS12-377; a one-time nonce $\rho$ (also group-valued) is derived and used to tie the record to its owner; and the combination is hashed to a commitment $cm$. The SNARK proof for any transaction then shows that the new commitments and serials are correctly computed from the program’s logic and old commitments, without revealing plaintext data. This achieves confidentiality (hiding user data) and integrity (through hash commitments) simultaneously.
Pairing and SNARK Proof Structure
Aleo’s proving system (based on SnarkVM and Marlin) uses pairing-based SNARKs. Concretely, when you execute a program function on private inputs, SnarkVM compiles it to an R1CS and generates a proof (via a variant of Groth16 or PlonK). Verifying that proof involves pairings on BLS12-377. For example, in a Groth16-style proof one checks an equation of the form
for some group elements $A,B,C,D$ derived from the proof and public inputs. Each $e(\cdot,\cdot)$ is a BLS12-377 pairing. Thus Groth16 verification on BLS12-377 would require evaluating three pairings (and one exponentiation). Representing a pairing inside another SNARK directly is extremely expensive: one estimate is that a single BLS12-377 pairing costs on the order of $2^{24}$ R1CS gates. That is why Aleo employs the two-curve trick described above.
In practice, Aleo does the following: user transactions are executed and proved off-chain. The resulting proofs (for each program transition) are posted on-chain in aggregated form. A validator node can verify each Groth16 proof by doing a few pairings in native code. But if one wants to build a recursively-verified chain of proofs (for, say, a super-light client), Aleo can prove the validity of proofs inside another SNARK using BW6-761. This way the verifier only sees one BW6-761 proof, and need not perform many BLS12-377 pairings itself.
- Marlin/Varuna SNARKs on BLS12-377. Aleo’s AVM compiles programs to R1CS over the BLS12-377 scalar field. A Marlin SNARK is generated (trusted-setup SRS given). This uses KZG polynomial commitments (which themselves rely on BLS12-377 pairings) to construct the proof.
- Groth16 on BW6-761 for recursion. If a user wants to aggregate proofs, Aleo can pack them into a single statement: “I know Groth16 witnesses that produce these $k$ proofs on BLS12-377”. This statement is checked by a BW6-761 Groth16 circuit (the witness includes the original Groth proofs). Thanks to $r_{BW6}=q_{BLS}$, the heavy exponentiations become simple multiplies, and the circuit size is modest (e.g. ≈45k constraints to verify one proof).
The result is that Aleo proofs can be chained: a proof can certify not only a program execution but also the correctness of a previous proof (and so on). As one article explains, “a recursive SNARK allows us to generate a single proof for the claim ‘there exist valid proofs that prove the validity of $t_1$ and $t_2$’… compressing $p_1$ and $p_2$ into one proof”. In practice this means final blocks can attest to the validity of all history with constant overhead. (Of course, building the proving circuits and keys is heavier than a simple aggregator, but it is feasible with the tailored curves.)
Leo Code Examples
We now give some concrete Leo snippets showing elliptic operations and record handling. Recall that in Leo, the address type is a group element (Edwards-BLS12-377) and operations like + and * on group values correspond to elliptic curve addition and scalar multiplication. Likewise, marking a field as .private causes the runtime to encrypt it.
Example 1: Elliptic curve operations (Edwards BLS12-377). Suppose we want to do some low-level curve arithmetic. We might write:
import leo::crypto::Group;
// Compute point P = 5*G and Q = G+P on the Edwards curve
function curve_ops_example:
let G = Group::generator::<BLS12_377>(); // basepoint on Edwards curve
let P = G * 5u64; // scalar multiply by 5
let Q = G + P; // point addition
let (x,y) = Q.to_xy_coordinates(); // get affine coordinates
output x as Field;This function multiplies the generator by 5 and adds it, demonstrating group ops. Internally this uses the Edwards curve formulas over the 253-bit field. Because Edwards operations are efficient, such code is relatively cheap in an R1CS. One could similarly implement a Pedersen hash by repeatedly adding fixed base points (not shown here), or verify a simple Schnorr signature by doing $R + [s]G = [e]A$ check – all on this group.
Example 2: Record splitting/transfer. Consider a token balance record as above:
record Asset {
owner as address.private;
balance as u64.private;
}
function transfer_asset:
input rec as Asset.record;
input recipient as address.private;
input amount as u64.private;
// Compute new sender balance
sub rec.balance amount into new_bal;
// Create output record for sender with reduced balance
cast rec.owner new_bal into out1 as Asset.record;
// Create output record for recipient with received amount
cast recipient 0u64 amount into out2 as Asset.record;
output out1 as Asset.record;
output out2 as Asset.record;Here transfer_asset takes a private Asset record rec and a private amount to send. It computes new_bal = rec.balance - amount. Then it uses cast ... into ... as Asset.record to form new records: one for the sender (out1) and one for the recipient (out2). The recipient address is provided as an input and marked .private so that the new record’s owner field is encrypted to that address. Finally the two records are output from the function. When this transaction executes, the resulting records will be encrypted such that only the owner can decrypt them.
Notice that in Leo code, we never see the encryption directly. We simply mark data as .private. The documentation clarifies that “an entry which has a visibility of private is encrypted and stored on the ledger. This enables users to securely and privately transfer record data”. After proof generation, SnarkVM applies the group-based encryption described above to each private field.
These examples illustrate how elliptic curve primitives are integrated into Aleo programs: group operations appear as normal arithmetic in Leo, and record handling (cast/output) triggers encryption under the hood. Together with pairing-based SNARK verification, this makes Aleo a fully end-to-end zero-knowledge execution environment.
Aleo Mainnet and Future Directions
Aleo’s mainnet (launched in sep 2024) is one of the first to offer privacy by default for general computation. It supports features like private assets, private DeFi, and private voting. On-chain, validators see only commitments and ciphertexts; users decrypt with their view keys. Aleo also allows optional public state (mappings) when needed.
Key capabilities today include:
- SNARK-based execution. All Aleo program transitions are proved with zk-SNARKs. As the docs explain, this is achieved via Marlin/Varuna proofs and a universal SRS.
- Record commitments and serials. Every new record produces a unique commitment and serial number, enabling private UTXO-style accounting with double-spend protection.
- Account model interoperability. Although primarily UTXO-like, Aleo also has account-level view keys and addresses for convenience.
- Built-in curves and algorithms. The platform natively supports BLS12-377 and BW6-761; developers do not need to implement pairing themselves.
Looking forward, Aleo continues to innovate on both curves and protocols. Recent research (e.g. the “Veri-Zexe” paper) replaces the Groth16 recursion with PlonK, yielding about 10× faster proving and halving verification cost. Longer-term, one may imagine multi-curve hierarchies or use of PLONKish SNARKs to further shrink proofs. Aleo’s two-curve design is already a powerful enabler: in principle, it lets the protocol recursively attest to an unbounded chain of proofs (each new proof certifying all prior ones). This property could be leveraged for ultra-light clients or verifiable blockchains like Mina.
Moreover, the separation of private vs. public state is a distinctive feature: applications can choose to reveal data when needed (e.g. in a poker game revealing flop cards) without sacrificing general privacy. As zero-knowledge technology advances, Aleo may integrate new curve families or hashing schemes, but the core strategy of efficient curves + record encryption will remain. For now, Aleo’s mainnet showcases the practical viability of pairing-friendly curves and record-centric ZK, and points toward a future where cryptographers can design complex privacy protocols with confidence in their underlying curves.