Abstract
An important cryptographic operation on elliptic curves is hashing to a point on the curve. When the curve is not of prime order, the point is multiplied by the cofactor so that the result has a prime order. This is important to avoid small subgroup attacks for example. A second important operation, in the composite-order case, is testing whether a point belongs to the subgroup of prime order. A pairing is a bilinear map \(e :\mathbb G_1 \times \mathbb G_2 \rightarrow \mathbb G_T\) where \(\mathbb G_1\) and \(\mathbb G_2\) are distinct subgroups of prime order r of an elliptic curve, and \(\mathbb G_T\) is a multiplicative subgroup of the same prime order r of a finite field extension. Pairing-friendly curves are rarely of prime order. We investigate cofactor clearing and subgroup membership testing on these composite-order curves. First, we generalize a result on faster cofactor clearing for BLS curves to other pairing-friendly families of a polynomial form from the taxonomy of Freeman, Scott and Teske. Second, we investigate subgroup membership testing for \(\mathbb G_1\) and \(\mathbb G_2\). We fix a proof argument for the \(\mathbb G_2\) case that appeared in a preprint by Scott in late 2021 and has recently been implemented in different cryptographic libraries. We then generalize the result to both \(\mathbb G_1\) and \(\mathbb G_2\) and apply it to different pairing-friendly families of curves. This gives a simple and shared framework to prove membership tests for both cryptographic subgroups.
preprint version available on ePrint at https://eprint.iacr.org/2022/352 and HAL at https://hal.inria.fr/hal-03608264, SageMath verification script at https://gitlab.inria.fr/zk-curves/cofactor.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aranha, D.F., Pagnin, E., Rodríguez-Henríquez, F.: LOVE a pairing. In: Longa, P., Ràfols, C. (eds.) LATINCRYPT 2021. LNCS, vol. 12912, pp. 320–340. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88238-9_16
Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_19
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22
Botrel, G., Piellard, T., Housni, Y.E., Tabaie, A., Kubjas, I.: Consensys/gnark-crypto (2022). https://doi.org/10.5281/zenodo.6092968
Bowe, S.: Faster subgroup checks for BLS12-381. Cryptology ePrint Archive, Report 2019/814 (2019). https://eprint.iacr.org/2019/814
Budroni, A., Pintore, F.: Efficient hash maps to \(\mathbb{G} _2\) on bls curves. Appl. Algebra Eng. Commun. Comput. 33, 261–281 (2022). https://doi.org/10.1007/s00200-020-00453-9, ePrint https://eprint.iacr.org/2017/419
Clarisse, R., Duquesne, S., Sanders, O.: Curves with fast computations in the first pairing group. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 280–298. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_14
El Housni, Y., Guillevic, A.: Families of SNARK-friendly 2-chains of elliptic curves. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 367–396. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_13
Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2010). https://doi.org/10.1007/s00145-009-9048-z
Galbraith, S.D., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5_15
Schoof, R.: Nonsingular plane cubic curves over finite fields. J. Comb. Theor Series A 46(2), 183–211 (1987). https://doi.org/10.1016/0097-3165(87)90003-3
Scott, M.: A note on group membership tests for \(\mathbb{G} _1\), \(\mathbb{G} _2\) and \(\mathbb{G} _{T}\) on BLS pairing-friendly curves. ePrint https://eprint.iacr.org/2021/1130d2021/1130
Scott, M.: A note on twists for pairing friendly curves (2009). http://indigo.ie/ mscott/twists.pdf
Wahby, R.S., Boneh, D.: Fast and simple constant-time hashing to the BLS12-381 elliptic curve. IACR TCHES, 2019(4), 154–179 (2019). https://doi.org/10.13154/tches.v2019.i4.154-179
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
El Housni, Y., Guillevic, A., Piellard, T. (2022). Co-factor Clearing and Subgroup Membership Testing on Pairing-Friendly Curves. In: Batina, L., Daemen, J. (eds) Progress in Cryptology - AFRICACRYPT 2022. AFRICACRYPT 2022. Lecture Notes in Computer Science, vol 13503. Springer, Cham. https://doi.org/10.1007/978-3-031-17433-9_22
Download citation
DOI: https://doi.org/10.1007/978-3-031-17433-9_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17432-2
Online ISBN: 978-3-031-17433-9
eBook Packages: Computer ScienceComputer Science (R0)