How to decide if a point on a elliptic curve belongs to a group generated by a generator g?

The answer really depends on the Cryptographic Elliptic Curves that we know!

1. Prime order Cryptographic EC: Since the order of the subgroup generated by an element must divide the order, then there is the full group and the group of $\mathcal{O}$ of order $1$ ( NIST P curves P-192, P-224, P-256, P-384, P-521) curves has prime order listed in NIST.FIPS.186-4 and taken from Sec1).

2. Cryptographic EC with a small factor: In Cryptography the curves have large order to be safe and we have to choose the base element from the largest subgroup. This is due to the

   1. Protecting from Pohlig-Hellman Algorithm that reduces the time to the largest factor and is very efficient when order is smooth i.e. all factors are small.

   2. To have a birational Montogmery equivalent of the curve like Curve25519 with cofactor $8$ and Ed448-Goldilocks with cofactor $4$. In this case, we have orders for the subgroups like; $2,4,8,p,2p,4p,8p$ (for Curve25519)^*

      To see that a point $G$ is of order $2$ or $p$ is easy, check $2[G]$ or $[p]G$, if the result is identity, then they are in this group. They but they are also in the subgroup that contains the subgroups. There are elements in the subgroup of order $2p$ but not in the subgroup of order $2$ or $p$. Check $[2]G$ and $[p]G$ if they are not identity but $[2p]G$ is then it is on the subgroup of order $2p$.

      The Klein group is the smallest group that has two subgroups of order 2, it is isomorphic to $\mathbb Z_2 \times \mathbb Z_2$. This is may help to understand that the two different subgroups can have the same order.

      The NIST B curves have cofactor 2, and K curves have 4, and they are taken from Sec2.

3. Twist of the Cryptographic EC: The twist of the well-known curves doesn't have a large quadratic factor, the same applies as in case 2.

4. Random curve: I've no idea about the expected size of factors of randomly generated curves (seen some works). We can have a curve with an order such that it has a large factor of order 2 or more. In this case, the $[p]G$ will not reveal the subgroup membership. To solve it we need to find a generator for each of the subgroups and try to solve the DLog.

5. Factorization of the order of the group is not known: In this case, we have a subgroup decision problem (as stated in the other answer)

   Given $(n, G, G1, e)$ and an element $x \in G$, output $1$ if the order of $x$ is $q_1$ and output $0$ otherwise; That is, without knowing the factorization of the group order $n$, decide if an element $x$ is in a subgroup of $G$. We refer to this problem as the subgroup decision problem

   While this problem sets interesting results in its context, this is not related to the Elliptic Curves used in ECDH, EdDSA, etc. In the elliptic curves, all parameters are public. Even if you don't provide the factorization of the order of the curve ( not clear how are you gonna sell your curve to the community) one can factor around 829 bits ( 512-bit has achieved around 20 years ego).

   If you consider curves in very large order we can say there is not much meaning of curve order larger than 512 bits ( even 256), since once the Shor's algorithm is set in Cryptographic Quantum Computer for 256-bit curves, it is a matter of time researchers will break the other. This can be seen from the table of Proos and Zalks's work

The post-quantum ECC, on the other hand, uses jumping on the isogenies instead of DH and this paper provides a good introduction to whoever wants to learn.

• Supersingular isogeny key exchange for beginners, Craig Costello, 2019. ( Welcome back supersingular curves!)

In the end, the only problematics cases are not cryptographic curves.

^* There we used the Lagrange Theorem on Group theory;

• If $H$ is a subgroup of a group $G$ then $ord(H) \mid ord(G)$

One should note that we used the reverse of the theorem, if $x|org(G)$ then there is a subgroup of order $x$. This is not always true, and alternating group of degree 4 $A_4$ is the smallest example.