Cryptology ePrint Archive: Report 2019/814

Faster Subgroup Checks for BLS12-381

Sean Bowe

Abstract: Pairing-friendly elliptic curve constructions provide two elliptic curve groups which are both of prime order $q$ and usually each have a nontrivial cofactor $h$. Due to the way these curves are typically constructed, endomorphisms can be applied to perform fast cofactor multiplication. However, cofactor multiplication is sometimes insufficient for dealing with cofactors, such as with malleability attacks.

In this brief note, we describe efficient techniques for checking that points exist within the correct $q$-order subgroups of the BLS12-381 elliptic curve construction, which is the focus of standardization for pairing-based protocols. Instead of multiplying by $q$ and comparing the point with the identity, we use endomorphisms to eliminate the $q$-torsion while modifying (but not killing) the $h$-torsion components. The result can then be compared against the identity.

Category / Keywords: public-key cryptography / elliptic curve cryptosystem, public-key cryptography, implementation

Date: received 13 Jul 2019

Contact author: sean at z cash

Available format(s): PDF | BibTeX Citation

Version: 20190714:155821 (All versions of this report)

Short URL: ia.cr/2019/814


[ Cryptology ePrint archive ]