### Faster Subgroup Checks for BLS12-381

Sean Bowe

##### Abstract

Pairing-friendly elliptic curve constructions provide two elliptic curve groups which are both of prime order $q$ and usually each have a nontrivial cofactor $h$. Due to the way these curves are typically constructed, endomorphisms can be applied to perform fast cofactor multiplication. However, cofactor multiplication is sometimes insufficient for dealing with cofactors, such as with malleability attacks. In this brief note, we describe efficient techniques for checking that points exist within the correct $q$-order subgroups of the BLS12-381 elliptic curve construction, which is the focus of standardization for pairing-based protocols. Instead of multiplying by $q$ and comparing the point with the identity, we use endomorphisms to eliminate the $q$-torsion while modifying (but not killing) the $h$-torsion components. The result can then be compared against the identity.

Available format(s)
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
elliptic curve cryptosystempublic-key cryptographyimplementation
Contact author(s)
sean @ z cash
History
Short URL
https://ia.cr/2019/814

CC BY

BibTeX

@misc{cryptoeprint:2019/814,
author = {Sean Bowe},
title = {Faster Subgroup Checks for BLS12-381},
howpublished = {Cryptology ePrint Archive, Paper 2019/814},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/814}},
url = {https://eprint.iacr.org/2019/814}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.