perf(bls24-315): faster G2 membership test

[yelhousni]

#122

[ThomasPiellard]

@yelhousni Can you add a specific test for IsInSubGroup ?

Also there is something that bothers me in https://eprint.iacr.org/2021/1130.pdf... The reasoning that I understood from the paper is "psi acts as the multiplication by u on the r torsion of E' (=the twist), so let's just check that psi(Q)=[u]Q".

However, nothing says that there is no other torsion subgroup on which psi acts like this. For example, if we find a such that a | h2, (so E'[Fp^2] contains at least a subgroup of E'[r]) and u is a root of X^2-tX+p [a], then psi acts by multiplication by u on (at least a subgroup of) the a torsion of E'[Fp^2]. So the test might work in some other very specific subgroups (those a torsion subgroups). From the equations, it's not clear that such a situation does not happen. It seems really unlikely because of the second condition (that u has to be a root of X^2-tX+p [a]), but unless proceeding case by case (I checked it does not happen for bls12381 for instance) there is no guarantee of that.

So I am in favour of keeping the solution before the very end of sect 4 for a general implem (that is checking if psi(uQ)+psi(Q)+..=uQ), or keep this implem but we must check for each curves that the situation does not happen.

The delta between the 2 implems is

benchmark                         old ns/op     new ns/op     delta
BenchmarkG2JacIsInSubGroup-12     122793        126198        +2.77%

[yelhousni]

@yelhousni Can you add a specific test for IsInSubGroup ?

added

Also there is something that bothers me in https://eprint.iacr.org/2021/1130.pdf... The reasoning that I understood from the paper is "psi acts as the multiplication by u on the r torsion of E' (=the twist), so let's just check that psi(Q)=[u]Q".

However, nothing says that there is no other torsion subgroup on which psi acts like this. For example, if we find a such that a | h2, (so E'[Fp^2] contains at least a subgroup of E'[r]) and u is a root of X^2-tX+p [a], then psi acts by multiplication by u on (at least a subgroup of) the a torsion of E'[Fp^2]. So the test might work in some other very specific subgroups (those a torsion subgroups). From the equations, it's not clear that such a situation does not happen. It seems really unlikely because of the second condition (that u has to be a root of X^2-tX+p [a]), but unless proceeding case by case (I checked it does not happen for bls12381 for instance) there is no guarantee of that.

So I am in favour of keeping the solution before the very end of sect 4 for a general implem (that is checking if psi(uQ)+psi(Q)+..=uQ), or keep this implem but we must check for each curves that the situation does not happen.

The delta between the 2 implems is

benchmark                         old ns/op     new ns/op     delta
BenchmarkG2JacIsInSubGroup-12     122793        126198        +2.77%

As discussed, I checked that the criterion for this to be valid works for all BLS12 and BLS24 curves (although I agree on the discrepancy of the proof in the eprint). I think we can keep this one.