Why such a complicated way of cofactor clearing?

Question

I thought I understood cofactor clearing before I read this write-up which generally seems quite popular (lot of other sites link to it) - Cofactor Explained: Clearing Elliptic Curves' dirty little secret

Let's say you have a group of non-prime order like say $44$. Now, $44 = 11 * 4$. We are interested in working in the prime-order subgroup - i.e. the subgroup of order $11$ - i.e. $[0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40]$

If I pick a random element from the group of $44$, I can easily map it to the prime order subgroup by scalar multiplying the element by the cofactor ($4$). It can be easily shown that this operation maps any element of the group to an element of the prime-order subgroup. This is called cofactor clearing (as per other texts I have read).

However, this write-up (the one I have linked to at the start) presents quite a complicated way of doing cofactor clearing.

He first expresses an element $E$ of the group as $E = 4.a + 11.b$ & does some stuff to do the cofactor clearing. I spent quite some time poring over it & I am unable to figure out why is he is doing all this?

My question isn't about how he goes about cofactor clearing but about why he does this complicated stuff rather than just multiplying by $4$. Also my question isn't about why cofactor clearing is required which I understand.

One easy way to see this is viewing $Z_{44}$ as $Z_{4}\times Z_{11}$, then $12$ can be represented as $(0,1)$ — kelalaka, Sep 02 '22 at 16:03
@kelalaka - my question is why? Why do all this at all if you can map any element to the prime subgroup by multiplying by the cofactor? — user93353, Sep 02 '22 at 19:18
Because they ( poster ) want to investigate a possible structure, however they did not see the easy connection of the direct product groups. Also, multiplying with 4 maps to another point, where as, 12 is just removing the one dimension. — kelalaka, Sep 02 '22 at 19:31
@kelalaka How is the structure relevant to cofactor clearing? — user93353, Sep 02 '22 at 19:35
At first glance, I think the point being made is that there are two ways to ensure that you end up in the prime-order group, rather than in one of the other columns. One is to multiply by the co-factor, but the other is to check which column the group element is in, and shift it more precisely into the correct column. — knaccc, Sep 02 '22 at 21:15

Sam Jaques · Accepted Answer · 2022-09-06T10:27:08.507

What you're arguing is that if you pick a uniformly random element of a non-prime order group and you multiply by the cofactor, you'll get a uniformly random element of the prime-order subgroup. This is true and you could prove it by arguing that cosets of the kernel of this multiplication form a partition of the group.

However, if a cyclic group $C$ has order $np$ for $p$ prime and $gcd(n,p)=1$, then it can be written as $C\cong C_n\times C_p$, i.e. a product of two cyclic groups. So any element $g\in C$ can be written as a pair $(g_n,g_p)$. Multiplying just by the cofactor $n$ maps us from $(g_n,g_p)$ to $(0,ng_p)$. This cleared the cofactor part, but it changed the prime-order part. What if we didn't want that? What if we wanted to go from $(g_n,g_p)$ to $(0,g_p)$? We want to project to one component (almost like multiplying by $(0,1)$, but these are additive groups so we can't multiply elements like that). One way to see this is that after we multiply by $n$ (which clears out the first component) we need to multiply by something to clear out $n$ in the second component. Since $gcd(n,p)=1$, there is some $n'\equiv n^{-1}\mod p$, so multiplying by $nn'$ does the trick.

We can see this another way by noting that we have a projection $P:C_n\times C_p\rightarrow C_n\times C_p$ such that $P(a,b)=(0,b)$, and we want to create a map $\tilde{P}:C\rightarrow C$ such that $\tilde{P}$ has the same action as $P$ given the isomorphism from $C_n\times C_p$ to $C$. The original posted gives an explicit isomorphism in the comments, as $f(a,b)=an + bp$. You can then show that multiplying by $nn'$ in $C$ does have the effect of projecting to $C_p$ in $C_n\times C_p$.

But I have no idea why we would want that. I tried reading through the rest of it and I still don't really see why. Here's my best guess: later on they say for various reasons we want to output public keys as uniformly random points on Curve25519, even though we only do the key exchange on the prime-order subgroup. So, we need to add a random point in the cofactor group. That is, Alice's "real" public key would be some point $(0,p_A)=(0,s_Ap)$, but she modifies it to $(r_A,p_A)$ by adding a random cofactor point $r_A$ (here using the product notation of above).

The way they explain it, both parties have already multiplied a cofactor of 4 into their private keys, so multiplying by their private key will automatically clear out the cofactor part of the group, e.g., if Bob's secret key $s_B$ is divisible by $4$, then $s_B(r_A,p_A)=(s_Br_A,s_Bp_A)=(0,s_Bp_A)$, as it should be.

Suppose instead I stored my secret key as $s_B'\in \{0,1,\dots,p-1\}$, so that my public key is $(0,s_B'p)$. Then if I multiplied by this secret key, I'd get $(s_B'r_A,s_B'p_A)$ where $s_B'r_A$ is not necessarily $0$. I want to clear that out without modifying $s_B'p_A$ in any way. So, I use the more complicated cofactor clearing shown in the post.

It seems to me like a simpler way to do the same would be to enforce multiplying by the cofactor at the start of any scalar multiplication, but there might be subtle issues I'm missing, or I'm totally wrong about why we would do this.

Actually, the post just multiplies with $(0,1)$ that is 12, it is just another way to see the multiplier. Just clears the one dimension from the space, nothing more. — kelalaka, Sep 02 '22 at 16:09
I just indicate an easy way to see it to improve your post. The poster is not talking about efficiency, they talk about how to find the multiplier. — kelalaka, Sep 02 '22 at 18:06
@kelalaka - by "poster", do you mean me or the guy who wrote the blog? — user93353, Sep 02 '22 at 19:19
What is the canonical way of taking a group $C$ & writing it as a product $C_n \times C_p$ - i.e. how do I find the mapping? - i.e. is it the way he suggests or is there a simpler way of decomposing any element into it's $n$ component & it's $p$ component? Also tagging @kelalaka — user93353, Sep 05 '22 at 07:52
I tried with smaller Groups for generating a map between $C_{mn}$ & $C_m \times C_n$ - i.e. for $m = 2$ & $n=3$. This is the map $\phi(a,b) = na + mb$. I think this holds for higher values of co-prime $m$ & $n$. Considering this ${0,1}$ maps to $4$ & not $12$. So what have I misunderstood here? @kelalaka — user93353, Sep 06 '22 at 01:35
Actually, thinking about it now, $C_m\times C_n$ are additive groups (in the notation above) so the concept of "multiplying" by $(0,1)$ doesn't make sense unless we define some other action. So your map is correct, and $(0,1)$ should map to $4$. I'll edit the answer. — Sam Jaques, Sep 06 '22 at 10:15
@SamJaques Could you elaborate on your statement "cosets of the kernel of this multiplication form a partition of the group"? How would I see this? This is related to https://crypto.stackexchange.com/questions/109474/ed25519-scalar-multiplication-guaranteed-to-land-in-prime-order-subgroup. — mti, Jan 22 '24 at 16:37
It's a fundamental result in group theory that the cosets of a subgroup partition the group, i.e., two different cosets have no elements in common, and that each coset has the same number of elements. It is also true that if I have a group homomorphism $\varphi$ (such as multiplying by the cofactor), then $\varphi(g)=\varphi(g')$ if and only if $g$ and $g'$ are in the same coset. Thus, if I pick a uniformly random element of the group and apply the homomorphism $\varphi$, the output is a uniformly random element of the image by these two facts. — Sam Jaques, Jan 25 '24 at 19:16
I think if you want to understand more about this specifically you should probably post a new question. — Sam Jaques, Jan 25 '24 at 19:17

Why such a complicated way of cofactor clearing?

1 Answers1

Linked