Subgroup membership testing on elliptic curves via the Tate pairing

Hi. My name is Dimitri Koshelev. I am a researcher from Paris in elliptic cryptography.

Recently, my article has been published in the quite prestigious Journal of Cryptographic Engineering. This article explains how to guarantee the membership of a point in the prime-order subgroup of an elliptic curve (over a finite field) satisfying some moderate conditions. For this purpose, I apply the Tate pairing on the curve, however it is not required to be pairing-friendly. Whenever the cofactor is small, the new subgroup test is much more efficient than other known ones, because it needs to compute at most two n-th power residue symbols (with small n) in the basic field. More precisely, the running time of the test is (sub-)quadratic in the bit length of the field size, which is comparable with the Decaf-style technique. The test is relevant, e.g., for the zk-SNARK friendly curves Bandersnatch and Jubjub proposed by the Ethereum and Zcash research teams, respectively.

I would like to submit an application to Zcash community grants. The purpose of the application should be a low-level implementation of the new subgroup membership test. However, I have three questions:

  1. Is subgroup checking actually important for Zcash ?
  2. Is Jubjub still used in Zcash ? Or did you completely switch to Bandersnatch, because it has an efficient endomorphism ?
  3. What programming language should I indicate in the application ? I saw that Zcash is mainly written in C, C++, Rust. Is it true ? Depending on the language, I will find a colleague for the application who is a professional developer in this language.

Please answer my questions. I need to know your responses to write correctly the application to Zcash community grants.



My friend told me that Zcash is now written in Rust. Do you know a Rust developer who may be ready to collaborate with me during my project ? I can write the new subgroup check in Sage or Magma. And I need somebody who can code in Rust for some monetary reward. Please let me know if you are familiar with such a person.

I submitted the application. Please let me know if you have any questions related to my project.

1 Like

I would be interested in writing the Rust implementation of this. I am currently working as a member of ZingoLabs on the Implement Orchard grant. I would not be able to devote significant time to developing the subgroup membership test until that grant is finished, with an estimated completion time of the end of October.

As for whether jubjub is still used in zcash… The new orchard shielded pool uses the Pallas curve, but the sapling shielded pool (which uses jubjub) is still in use, and is being slowly phased out… Currently, only a few wallets support the orchard pool, so sapling (and therefore jubjub) will likely remain in use for some years to come. I expect it will be deprecated eventually, but I don’t believe there’s a timeline for that yet.


Hi @Dimitri. Welcome to the forum, and thank you for submitting your grant proposal! We will review it in the upcoming weeks and reach out if we have any questions.

In the meantime, if you have any questions for us, you can post them to this thread or DM us at @ZcashGrants.



Hi @aquietinvestor. Could you tell me the current status of my submission ? Are you searching for an independent expert to take a decision ?

@Dimitri, thank you for your submission. After consideration from @ZcashGrants and receiving some feedback on the application of this technique in the Zcash protocol, the Committee has decided to reject the funding of this proposal.

The feedback ZCG received can be found below:

  1. The Sapling protocol only uses subgroup checks for Jubjub when a) parsing an address, e.g. when given an address by a counterparty, and b) when receiving a note that has been successfully trial-decrypted using a full viewing key (not an incoming viewing key). It is pk_d that is subgroup-checked in these cases.

  2. Neither of these are performance bottlenecks, and so implementing the technique in the proposed grant, interesting as it is, would not improve the performance of Zcash nodes or wallets (under denial of service or otherwise)

  3. I like the technique, it’s very clever. There may well be other applications of Jubjub and similar curves outside the main Zcash protocols that it could be applicable to."

I would encourage you to join the R&D Discord and stay active here on the forum to continue getting feedback and interacting with the community on the possibilities of this proposal/technique going forward.

1 Like

@decentralistdan, thank you for considering attentively my submission and for your feedback.

@decentralistdan, @aquietinvestor, @AloeareV, I added an important appendix to my article. You will find attached
Subgroup membership testing on elliptic curves via the Tate pairing.pdf (307.5 KB)
the full version of the text (including appendix). Thereby, the new subgroup check is generalized to most elliptic curves. Do you have in Zcash an elliptic curve (different from Jubjub) for which such a subgroup membership test is necessary ? If so, I can adapt the new test for that curve.

Hi @Dimitri. Thank you for following up on this. Unfortunately, I do not know the answer to your question. It would be best for you to discuss this with one of the core engineers. You can do that in the Zcash R&D Discord group or by attending a bi-weekly Arborist call. The Arborist calls are held in alternate time slots every two weeks,15:00 UTC and 22:30 UTC. The next call will be held on Thursday, February 9 at 15:00 UTC.

1 Like