**Faster Subgroup Checks for BLS12-381**

*Sean Bowe*

**Abstract:** Pairing-friendly elliptic curve constructions provide two elliptic curve groups which are both of prime order $q$ and usually each have a nontrivial cofactor $h$. Due to the way these curves are typically constructed, endomorphisms can be applied to perform fast cofactor multiplication. However, cofactor multiplication is sometimes insufficient for dealing with cofactors, such as with malleability attacks.

In this brief note, we describe efficient techniques for checking that points exist within the correct $q$-order subgroups of the BLS12-381 elliptic curve construction, which is the focus of standardization for pairing-based protocols. Instead of multiplying by $q$ and comparing the point with the identity, we use endomorphisms to eliminate the $q$-torsion while modifying (but not killing) the $h$-torsion components. The result can then be compared against the identity.

**Category / Keywords:** public-key cryptography / elliptic curve cryptosystem, public-key cryptography, implementation

**Date:** received 13 Jul 2019

**Contact author:** sean at z cash

**Version:** 20190714:155821

**Short URL:** ia.cr/2019/814
