Co-factor Clearing and Subgroup Membership Testing on Pairing-Friendly Curves

Abstract

AbstractAn important cryptographic operation on elliptic curves is hashing to a point on the curve. When the curve is not of prime order, the point is multiplied by the cofactor so that the result has a prime order. This is important to avoid small subgroup attacks for example. A second important operation, in the composite-order case, is testing whether a point belongs to the subgroup of prime order. A pairing is a bilinear map \(e :\mathbb G_1 \times \mathbb G_2 \rightarrow \mathbb G_T\) where \(\mathbb G_1\) and \(\mathbb G_2\) are distinct subgroups of prime order r of an elliptic curve, and \(\mathbb G_T\) is a multiplicative subgroup of the same prime order r of a finite field extension. Pairing-friendly curves are rarely of prime order. We investigate cofactor clearing and subgroup membership testing on these composite-order curves. First, we generalize a result on faster cofactor clearing for BLS curves to other pairing-friendly families of a polynomial form from the taxonomy of Freeman, Scott and Teske. Second, we investigate subgroup membership testing for \(\mathbb G_1\) and \(\mathbb G_2\). We fix a proof argument for the \(\mathbb G_2\) case that appeared in a preprint by Scott in late 2021 and has recently been implemented in different cryptographic libraries. We then generalize the result to both \(\mathbb G_1\) and \(\mathbb G_2\) and apply it to different pairing-friendly families of curves. This gives a simple and shared framework to prove membership tests for both cryptographic subgroups.