Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

subgroup checks via Bowe19 #21

Closed
kwantam opened this issue Jul 15, 2019 · 2 comments
Closed

subgroup checks via Bowe19 #21

kwantam opened this issue Jul 15, 2019 · 2 comments

Comments

@kwantam
Copy link
Collaborator

kwantam commented Jul 15, 2019
edited
Loading

Sean Bowe shows how to check subgroup membership more quickly than exponentiation by the group order.

This post quickly summarizes the results as pseudocode.

TODO: should subgroup testing be a required part of deserialization? Sean points out (in personal communication) that G2 subgroup checks are necessary, because the pairing operation is undefined otherwise. So probably it makes sense to just require subgroup checks for both G1 and G2.

For G1, define the endomorphism sigma as

sigma(x, y)

Input: a point P = (x, y)
Output: a point Q = (x', y')

Constants:
1. beta = 0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac

Steps:
1. x' = x * beta
2. y' = y
2. return (x', y')

Then, to check subgroup membership, test the following:

subgroup_test_g1(x, y)

Input: a point P
Output: True if P is in the order-q subgroup of E1, else False

Constants:
- c1 = (z^2 - 1) / 3 (in the integers), where z = -0xd201000000010000
- point_at_infinity_E1 is the point at infinity on E1

Steps:
1. sP = sigma(P)
2. Q = 2 * sP
3. sP = sigma(sP)
4. Q = Q - P
5. Q = Q - sP
6. Q = c1 * Q
7. Q = Q - sP
8. return Q == point_at_infinity_E1

For G2, let psi(P) be the "untwist-Frobenius-twist" endomorphism given by Galbraith and Scott in Section 5 of GS08. Then to test subgroup membership, check the following:

subgroup_test_g2(P)

Input: a point P
Output: True if P is in the order-q subgroup of E2, else False

Constants:
- z = -0xd201000000010000
- point_at_infinity_E2 is the point at infinity on E2

Steps:
1. pP = psi(P)
2. pP = psi(pP)
3. Q = P - pP
4. pP = psi(pP)
5. pP = z * pP
6. Q = Q + pP
7. return Q == point_at_infinity_E2
@kwantam
Copy link
Collaborator Author

kwantam commented Aug 2, 2019

At a guess, this draft will specify that subgroup checks are required but not how to do them (that's up to impls). So probably this means we'll use this approach in our ref impl, but otherwise not specify it.

(I think @ebfull suggested something similar to the above at some point. So: thanks!)

@kwantam kwantam closed this as completed Aug 2, 2019
@ebfull
Copy link

ebfull commented Aug 14, 2019

BTW, I completely agree with that.

The checks in my paper are applications of the GLV techniques which are currently under patent. These patents don't expire for at least another year. :(

@mratsim mratsim mentioned this issue Jun 14, 2020
Closed
This was referenced Sep 22, 2020
Closed
Open
@mratsim mratsim mentioned this issue Oct 26, 2020
Closed
@ghost ghost mentioned this issue Mar 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kwantam @ebfull