On subgroup checks for BLS12

Let

E

be an elliptic curve from the BLS12 family. We denote by

r

its prime subgroup order. Let

P (x, y) \in E

a point of order

r

. The goal is to verify efficiently that

r \cdot P = \infty

Notations

$E$ is an elliptic curve defined over a finite field
$F_{p}$ with the short Weierstrass equation
$y^{2} = x^{3} + a x + b$
$r$ is a prime-order subgroup of
$E (F_{p})$
$k$ is the embedding degree, i.e. the smallest integer s.t.
$r ∣ p^{k} - 1$
A pairing is a map
$e : G_{1} \times G_{2} \mapsto G_{T}$ , where
$G_{1} \subset E [r] (F_{p})$ ,
$G_{2} \subset E [r] (F_{p^{k}})$ and
$G_{T}$ the group of
$r$ -th roots of unity in
$F_{p}$ .

BLS12

BLS12 is a complete family of pairing-friendly elliptic curves with an embedding degree

k = 12

(Construction 6.6 in FST06, case

k \equiv 0 \mod 6

). It is defined over a finite field

F_{p}

of prime characteristic

p

by the equation

y^{2} = x^{3} + b

. It has Complex Multiplication by discriminant

D = - 3

and parameters defined by the following polynomials:

Parameter	Polynomial
field size $p (x)$	$(x - 1)^{2} / 3 \cdot r (x) + x$
subgroup order $r (x)$	$x^{4} - x^{2} + 1$
Frobenius trace $t (x)$	$x + 1$

\to

These polynomials are evaluated at some seed

z

to derive a specific curve with the desired security and efficiency.

Endomorphisms

BLS12 curves have CM discriminant

D = - 3

, so there is an efficient endomorphism

ϕ : (x, y) \mapsto (x \cdot ω, y)

with

ω \in F_{p}

a primitive cube root of unity (i.e.

ω^{2} + ω + 1 \equiv 0 \mod p

). The eigenvalue of this endomorphism is

λ = z^{2} - 1

which a cube root of unity in

F_{r}

BLS12 has Complex Multiplication by

\frac{- 1 + \sqrt{- 3}}{2}

. There is an endomorphism

ϕ

satisfying

ϕ^{2} + ϕ + 1

with eigenvalue

λ = \frac{- 1 + \sqrt{- 3}}{2} \mod r

. Given BLS12 polynomials, one finds

λ (x) = x^{2} - 1

Given a twist of order

d

G_{2} \subset E [r] (F_{p^{k}})

is isomorphic to

E^{'} [r] (F_{p^{k / d}})

with

ν : E \mapsto E^{'}

the twisting isomorphism. On

E^{'} (F_{p^{k / d}})

, there is an efficient endomorphism

ψ

called "untwist-Frobenius-twist"

ψ = ν^{- 1} \circ π_{p} \circ ν

where

π_{p}

is the

p

-power Frobenius. It satisfies

ψ^{2} - t ψ + p = 0

BLS12 curves have a twist of degree 6. Associated with a choice of

ξ \in F_{q^{k / 6}}

s.t.

x^{6} - ξ \in F_{q^{k / 6}} [X]

is irreducible, the equation of

E^{'}

can be either

$y^{2} = x^{3} + b / ξ$ and we call it a D-twist or
$y^{2} = x^{3} + b . ξ$ and we call it a M-twist

For the D-type,

ν^{- 1} : (x, y) \mapsto (ξ^{1 / 3} x, ξ^{1 / 2} y)

,
and for the M-type

ν^{- 1} : (x, y) \mapsto (ξ^{2 / 3} x / ξ, ξ^{1 / 2} y / ξ)

So given that

k = 12

and

d = 6

G_{2}

is over

F_{p^{2}}

and

π_{p} : (x, y) \mapsto (x^{p}, y^{p}) = (\bar{x}, \bar{y})

and

ψ

(x, y) \mapsto (\bar{x} \cdot c_{1}^{t e}, \bar{y} \cdot c_{2}^{t e})

Using the endomorphism

ϕ

G_{1}

and

ψ

G_{2}

, Sean Bowe [1] derived using LLL algorithm as in Fuentes et al.[2] and Budroni and Pintore[3] fast formulae to check that a point is on BLS12-381

G_{1}

and

G_{2}

. The formulae are

$P \in G_{1} ⟺ ((z^{2} - 1) / 3) \cdot (2 ϕ (P) - P - ϕ^{2} (P)) - ϕ^{2} (P) = \infty$
$Q \in G_{2} ⟺ z \cdot ψ^{3} (Q) - ψ^{2} (Q) + Q = \infty$

Observations

To derive
$G_{1}$ membership formula for BLS12, there is no need for LLL algorithm. Given the polynomials
$r (x)$ and
$λ (x)$ , a simple formula can be derived

$r (z) \cdot P = (z^{4} - z^{2} + 1) \cdot P = (z^{2} \cdot λ (z) + 1) \cdot P = z^{2} \cdot ϕ (P) + P$
The formula in [1] can be simplified into this one by using the fact that
$ϕ^{2} + ϕ + 1 = 0$ .
For
$G_{2}$ , the check can be done the same way:
$z^{2} \cdot ϕ (Q) + Q = \infty$ (note
$ϕ$ in
$G_{2}$ uses the other cube root of unity
$- ω - 1$ ). However, the formula in [1] is faster (multiplication by
$z$ instead of
$z^{2}$ ) but it can be simplified into
$- z \cdot ψ (ϕ (Q)) + ϕ (Q) + Q = 0$ by remarking that
$ψ^{2} = - ϕ$ .

\to

Why

ψ^{2} = - ϕ

?
Let's take the example of D-twist, we have

ν^{- 1} : (x, y) \mapsto (ξ^{1 / 3} x, ξ^{1 / 2} y) π_{p} : (x, y) \mapsto (y^{p}, y^{p}) = (\bar{x}, \bar{y}) ν : (x, y) \mapsto (1 / ξ^{1 / 3} x, 1 / ξ^{1 / 2} y) ψ : (x, y) \mapsto (ξ^{(p - 1) / 3} \cdot \bar{x}, ξ^{(p - 1) / 2} \cdot \bar{y})

and,

ψ^{2} : (x, y) \mapsto (ξ^{(p + 1) (p - 1) / 3} \cdot x, ξ^{(p + 1) (p - 1) / 2} \cdot y)

Now, recal that

x \mapsto x^{p + 1}

is the trace

F_{p^{2}} / F_{p}

hence

x^{p + 1} \in F_{p}

and

(ξ^{(p - 1) / 6})^{p + 1}

is a primitive 6th root of unity. So,

ξ^{(p + 1) (p - 1) / 3}

is primitive 3rd root of unity. Now,

(ξ^{(p - 1) / 2})^{p + 1} = (ξ^{p + 1})^{(p - 1) / 2}

and

ξ^{p + 1} \in F_{p}

, this is the trace. Finally,

(ξ^{p + 1})^{(p - 1) / 2} = {\begin{cases} 1 if square \\ - 1 otherwise \end{cases}

, and because

ξ

is not a square in

F_{p^{2}}

, then

(ξ^{p + 1})^{(p - 1) / 2} = - 1

, which means

ψ^{2} : (x, y) \mapsto (ω \cdot x, - y) = - ϕ

[NEW] Scott eprint 2021/1130

For
$G_{1}$ , Scott proves by contradiction that checking the endorphism is sufficient:
$ϕ (P) = - z^{2} P$ . In fact,
$- z^{6} \equiv λ \equiv 1 \mod r$ because
$λ$ a third root of unity in
$F_{r}$ . If the endomorphism was true for a point of order
$c \cdot r$ , then by CRT,
$- z^{6} \equiv 1 \mod c$ but
$c ∣ z - 1$ for BLS curves and hence
$u^{6} = 1 \mod c$ .
For
$G_{2}$ , he finds a simpler formula:
$ψ (P) = z P$ . In fact, given that
$(p + 1 - t) Q = \infty$ and
$t = z + 1$ then
$u P = p Q$ .
$ψ$ verifies
$ψ^{2} (Q) - t ψ (Q) + p Q = \infty$ and this becomes
$z Q = ψ (u Q) + ψ (Q) - ψ^{2} (Q)$ which has two solutions:
$ψ (Q) = Q$ or
$ψ (Q) = u Q$ . Only the latter is valid sinc
$ψ$ acts non-trivially on
$G_{2}$ .

Implementation

Example code for BLS12-381 (M-twist) with seed

z = - 15132376222941642752

and BLS12-377 (D-twist) with

z = 9586122913090633729

in gnark-crypto library (golang).

On subgroup checks for BLS12

Notations

BLS12

Endomorphisms

Related work

Observations

[NEW] Scott eprint 2021/1130

Implementation

Read more

Multiset hashing based on elliptic curves

Fake GLV in-circuit

Notes about optimizing emulated pairing (part 2)

BN254 pairing in gnark vs. google and cloudflare