Subgroup membership testing on elliptic curves via the Tate pairing

Hi. My name is Dimitri Koshelev. I am a researcher from Paris in elliptic cryptography.

Recently, my article has been published in the quite prestigious Journal of Cryptographic Engineering. This article explains how to guarantee the membership of a point in the prime-order subgroup of an elliptic curve (over a finite field) satisfying some moderate conditions. For this purpose, I apply the Tate pairing on the curve, however it is not required to be pairing-friendly. Whenever the cofactor is small, the new subgroup test is much more efficient than other known ones, because it needs to compute at most two n-th power residue symbols (with small n) in the basic field. More precisely, the running time of the test is (sub-)quadratic in the bit length of the field size, which is comparable with the Decaf-style technique. The test is relevant, e.g., for the zk-SNARK friendly curves Bandersnatch and Jubjub proposed by the Ethereum and Zcash research teams, respectively.

I would like to submit an application to Zcash community grants. The purpose of the application should be a low-level implementation of the new subgroup membership test. However, I have three questions:

  1. Is subgroup checking actually important for Zcash ?
  2. Is Jubjub still used in Zcash ? Or did you completely switch to Bandersnatch, because it has an efficient endomorphism ?
  3. What programming language should I indicate in the application ? I saw that Zcash is mainly written in C, C++, Rust. Is it true ? Depending on the language, I will find a colleague for the application who is a professional developer in this language.

Please answer my questions. I need to know your responses to write correctly the application to Zcash community grants.



My friend told me that Zcash is now written in Rust. Do you know a Rust developer who may be ready to collaborate with me during my project ? I can write the new subgroup check in Sage or Magma. And I need somebody who can code in Rust for some monetary reward. Please let me know if you are familiar with such a person.

I submitted the application. Please let me know if you have any questions related to my project.

1 Like

I would be interested in writing the Rust implementation of this. I am currently working as a member of ZingoLabs on the Implement Orchard grant. I would not be able to devote significant time to developing the subgroup membership test until that grant is finished, with an estimated completion time of the end of October.

As for whether jubjub is still used in zcash… The new orchard shielded pool uses the Pallas curve, but the sapling shielded pool (which uses jubjub) is still in use, and is being slowly phased out… Currently, only a few wallets support the orchard pool, so sapling (and therefore jubjub) will likely remain in use for some years to come. I expect it will be deprecated eventually, but I don’t believe there’s a timeline for that yet.


Hi @Dimitri. Welcome to the forum, and thank you for submitting your grant proposal! We will review it in the upcoming weeks and reach out if we have any questions.

In the meantime, if you have any questions for us, you can post them to this thread or DM us at @ZcashGrants.