Merge pull request #251 from ConsenSys/perf/IsInSubGroup-BN

[perf] Faster G2 subgroup membership on BN254
Consensys · Oct 28, 2022 · eca29d9 · eca29d9
2 parents 86a5ea5 + ad842f5
commit eca29d9
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 27 deletions.
diff --git a/ecc/bls12-377/g2.go b/ecc/bls12-377/g2.go
diff --git a/ecc/bls12-378/g2.go b/ecc/bls12-378/g2.go
diff --git a/ecc/bls12-381/g2.go b/ecc/bls12-381/g2.go
diff --git a/ecc/bls24-315/g2.go b/ecc/bls24-315/g2.go
diff --git a/ecc/bls24-317/g2.go b/ecc/bls24-317/g2.go
diff --git a/ecc/bn254/bn254.go b/ecc/bn254/bn254.go
@@ -99,9 +99,6 @@ var endo struct {
 // seed x₀ of the curve
 var xGen big.Int
 
-// trace - 1 = 6x₀²
-var fixedCoeff big.Int
-
 func init() {
 
 	bCurveCoeff.SetUint64(3)
@@ -147,9 +144,6 @@ func init() {
 
 	xGen.SetString("4965661367192848881", 10)
 
-	// 6x₀²
-	fixedCoeff.SetString("147946756881789318990833708069417712966", 10)
-
 }
 
 // Generators return the generators of the r-torsion group, resp. in ker(pi-id), ker(Tr)

diff --git a/ecc/bn254/g2.go b/ecc/bn254/g2.go
diff --git a/internal/generator/ecc/template/point.go.tmpl b/internal/generator/ecc/template/point.go.tmpl
@@ -416,15 +416,22 @@ func (p *{{ $TJacobian }}) IsOnCurve() bool {
 		}
 	{{else if eq .PointName "g2"}}
 		// IsInSubGroup returns true if p is on the r-torsion, false otherwise.
-        // [r]P == 0 <==> Frob(P) == [6x²]P
+        // https://eprint.iacr.org/2022/348.pdf, sec. 3 and 5.1
+        // [r]P == 0 <==> [x₀+1]P + ψ([x₀]P) + ψ²([x₀]P) = ψ³([2x₀]P)
 		func (p *{{ $TJacobian }}) IsInSubGroup() bool {
-            var a, res G2Jac
-            a.psi(p)
-            res.ScalarMultiplication(p, &fixedCoeff).
-                SubAssign(&a)
-
-			return res.IsOnCurve() && res.Z.IsZero()
+            var a, b, c, res G2Jac
+            a.ScalarMultiplication(p, &xGen)
+            b.psi(&a)
+            a.AddAssign(p)
+            res.psi(&b)
+            c.Set(&res).
+                AddAssign(&b).
+                AddAssign(&a)
+            res.psi(&res).
+                Double(&res).
+            SubAssign(&c)
 
+            return res.IsOnCurve() && res.Z.IsZero()
 		}
 	{{- end}}
 {{else if or (eq .Name "bw6-761") (eq .Name "bw6-756")}}
@@ -491,7 +498,8 @@ func (p *{{ $TJacobian }}) IsOnCurve() bool {
 	{{else if eq .PointName "g2"}}
         // IsInSubGroup returns true if p is on the r-torsion, false otherwise.
         // https://eprint.iacr.org/2021/1130.pdf, sec.4
-        // ψ(p) = x₀ P
+        // and https://eprint.iacr.org/2022/352.pdf, sec. 4.2
+        // ψ(p) = [x₀]P
         func (p *{{ $TJacobian }}) IsInSubGroup() bool {
             var res, tmp {{ $TJacobian }}
             tmp.psi(p)
@@ -529,7 +537,8 @@ func (p *{{ $TJacobian }}) IsOnCurve() bool {
         {{if eq .Name "bls12-381"}}
             // IsInSubGroup returns true if p is on the r-torsion, false otherwise.
             // https://eprint.iacr.org/2021/1130.pdf, sec.4
-            // ψ(p) = x₀ P
+            // and https://eprint.iacr.org/2022/352.pdf, sec. 4.2
+            // ψ(p) = [x₀]P
             func (p *{{ $TJacobian }}) IsInSubGroup() bool {
                 var res, tmp {{ $TJacobian }}
                 tmp.psi(p)
@@ -540,7 +549,8 @@ func (p *{{ $TJacobian }}) IsOnCurve() bool {
         }
         {{else if or (eq .Name "bls12-377") (eq .Name "bls12-378")}}
             // https://eprint.iacr.org/2021/1130.pdf, sec.4
-            // ψ(p) = x₀ P
+            // and https://eprint.iacr.org/2022/352.pdf, sec. 4.2
+            // ψ(p) = [x₀]P
             func (p *{{ $TJacobian }}) IsInSubGroup() bool {
                 var res, tmp {{ $TJacobian }}
                 tmp.psi(p)