edwards25519

Add Point method to check prime order subgroup inclusion

Open FiloSottile opened this issue 3 years ago • 1 comment

Naively, we can do this by multiplying by l and checking if we get the infinity.

That multiplication can be precomputed as an addition chain generated with addchain.

Eventually, we should use Pronin's technique described in https://eprint.iacr.org/2022/1164.pdf.

FiloSottile avatar Sep 07 '22 11:09 FiloSottile

I'm finding myself needing this to check whether the point is torsion-free, akin to Rust's curve25519-dalek is_torsion_free. Given that this library does not directly implement field.Element Sqrt for the paper implementation, I considered multiplying by the basepoint order (l) then checking against identity equality; however, that's not directly allowed on the current Scalar implementation (it must be strictly less than l).

Is this planned to get added at some point?

WeebDataHoarder avatar Oct 10 '25 07:10 WeebDataHoarder
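The naive check from the issue (multiply by l, compare with the identity), as an added example that is not code from this thread or from the edwards25519 library. It uses variable-time `math/big` affine arithmetic purely to show the logic, so the library's Scalar range limit does not arise; `point`, `isTorsionFree`, `basePoint` and `t2` are hypothetical names.

```go
package main

import (
	"fmt"
	"math/big"
)

type point struct{ x, y *big.Int } // affine coordinates; toy type, not the library's Point
var (
	one  = big.NewInt(1)
	p    = new(big.Int).Sub(new(big.Int).Lsh(one, 255), big.NewInt(19)) // 2^255 - 19
	c, _ = new(big.Int).SetString("27742317777372353535851937790883648493", 10)
	l    = sum(new(big.Int).Lsh(one, 252), c)                // prime subgroup order
	d    = mul(big.NewInt(-121665), inv(big.NewInt(121666))) // curve constant
	t2   = point{big.NewInt(0), sum(p, big.NewInt(-1))}      // (0, -1): a point of order 2
)

func mul(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }
func inv(a *big.Int) *big.Int    { return new(big.Int).ModInverse(new(big.Int).Mod(a, p), p) }
func sum(a, b *big.Int) *big.Int { return new(big.Int).Add(a, b) }

func add(a, b point) point { // complete twisted Edwards addition law, a = -1
	x1x2, y1y2 := mul(a.x, b.x), mul(a.y, b.y)
	t := mul(d, mul(x1x2, y1y2))
	x := mul(sum(mul(a.x, b.y), mul(b.x, a.y)), inv(sum(one, t)))
	return point{x, mul(sum(y1y2, x1x2), inv(new(big.Int).Sub(one, t)))}
}

// isTorsionFree computes [l]q by double-and-add and compares with the identity (0, 1).
func isTorsionFree(q point) bool {
	acc := point{big.NewInt(0), big.NewInt(1)}
	for i := l.BitLen() - 1; i >= 0; i-- {
		acc = add(acc, acc)
		if l.Bit(i) == 1 {
			acc = add(acc, q)
		}
	}
	return acc.x.Sign() == 0 && acc.y.Cmp(one) == 0
}

func basePoint() point { // generator (up to sign) from y = 4/5, x^2 = (y^2 - 1)/(d*y^2 + 1)
	y := mul(big.NewInt(4), inv(big.NewInt(5)))
	xx := mul(sum(mul(y, y), big.NewInt(-1)), inv(sum(mul(d, mul(y, y)), one)))
	return point{new(big.Int).ModSqrt(xx, p), y}
}

func main() {
	fmt.Println(isTorsionFree(basePoint()), isTorsionFree(t2), isTorsionFree(add(basePoint(), t2)))
}
```

Adding the order-2 point to the generator yields a valid curve point that fails the check, which is the case a subgroup-inclusion method has to reject.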