FiloSottile / edwards25519

filippo.io/edwards25519 — A safer, faster, and more powerful low-level edwards25519 Go implementation.
https://filippo.io/edwards25519
BSD 3-Clause "New" or "Revised" License

Add Point method to check prime order subgroup inclusion #33

Open FiloSottile opened 2 years ago

FiloSottile commented 2 years ago

Naively, we can do this by multiplying by l and checking if we get the infinity.

That multiplication can be precomputed as an addition chain generated with addchain.

Eventually, we should use Pornin's technique described in https://eprint.iacr.org/2022/1164.pdf.
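
The naive check described in the issue (multiply by l, compare with the identity), as an added example that is not code from filippo.io/edwards25519 and does not use its API. It assumes affine `math/big` arithmetic and inputs already on the curve; `Point`, `Add`, `InPrimeOrderSubgroup` and `BasePoint` are hypothetical names, and the test points are constructed here.

```go
package main

import "fmt"
import "math/big"

// edwards25519: -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p); l is the prime subgroup order.
var (
	one  = big.NewInt(1)
	p    = new(big.Int).Sub(new(big.Int).Lsh(one, 255), big.NewInt(19))
	c, _ = new(big.Int).SetString("27742317777372353535851937790883648493", 10)
	l    = new(big.Int).Add(new(big.Int).Lsh(one, 252), c)
	d    = mul(big.NewInt(-121665), inv(big.NewInt(121666)))
)

type Point struct{ X, Y *big.Int } // affine point, assumed to satisfy the curve equation

func mul(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }
func inv(a *big.Int) *big.Int    { return new(big.Int).ModInverse(new(big.Int).Mod(a, p), p) }

// Add applies the complete twisted Edwards addition law (a = -1), so it also doubles.
func Add(a, b Point) Point {
	xx, yy := mul(a.X, b.X), mul(a.Y, b.Y)
	t := mul(d, mul(xx, yy))
	x := mul(new(big.Int).Add(mul(a.X, b.Y), mul(b.X, a.Y)), inv(new(big.Int).Add(one, t)))
	return Point{x, mul(new(big.Int).Add(yy, xx), inv(new(big.Int).Sub(one, t)))}
}

// InPrimeOrderSubgroup computes [l]P by double-and-add and compares with the identity (0, 1).
// Variable-time math/big arithmetic: illustration only, not for secret-dependent use.
func InPrimeOrderSubgroup(pt Point) bool {
	acc := Point{big.NewInt(0), big.NewInt(1)}
	for i := l.BitLen() - 1; i >= 0; i-- {
		acc = Add(acc, acc)
		if l.Bit(i) == 1 {
			acc = Add(acc, pt)
		}
	}
	return acc.X.Sign() == 0 && acc.Y.Cmp(one) == 0
}

// BasePoint rebuilds the generator from y = 4/5; either square root for x has order l.
func BasePoint() Point {
	y := mul(big.NewInt(4), inv(big.NewInt(5)))
	y2 := mul(y, y)
	x2 := mul(new(big.Int).Sub(y2, one), inv(new(big.Int).Add(mul(d, y2), one)))
	return Point{new(big.Int).ModSqrt(x2, p), y}
}

func main() {
	b, t2 := BasePoint(), Point{big.NewInt(0), new(big.Int).Sub(p, one)} // t2 = (0, -1), order 2
	fmt.Println(InPrimeOrderSubgroup(b), InPrimeOrderSubgroup(t2), InPrimeOrderSubgroup(Add(b, t2)))
}
```

The third input, the base point plus the order-2 point, is a valid curve point that the check rejects because l is odd and the order-2 component survives the multiplication.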