the base field of Pluto: $\mathbb{F}_{p}$ where $p$ has $446$ bits

In [117]:
p_str = "0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5cda8a6c7be4a7a5fe8fadffd6a2a7e8c30006b9459ffffcd300000001"
p = int(p_str, 16)
p.bit_length()

446

In [118]:
Fp = GF(p)
Fp

Finite Field of size 102211695604070082112571065507755096754575920209623522239390234855490679834276115250716018318118556227909439196474813090886893187366913

the scalar field of Pluto: $\mathbb{F}_{q}$ where $q$ has $446$ bits

In [119]:
q_str = "0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001"
q = int(q_str, 16)
q.bit_length()

446

In [120]:
Fq = GF(q)
Fq

Finite Field of size 102211695604070082112571065507755096754575920209623522239390234855480569854275933742834077002685857629445612735086326265689167708028929

the equation of Pluto:
$$E / \mathbb{F}_{p}: y^2 = x^3 + 57$$

In [121]:
E = EllipticCurve(Fp, [0, 57])
E

Elliptic Curve defined by y^2 = x^3 + 57 over Finite Field of size 102211695604070082112571065507755096754575920209623522239390234855490679834276115250716018318118556227909439196474813090886893187366913

the order of the group $E(\mathbb{F}_{p})$ is $q$ which is prime, thus the group is cyclic and $E(\mathbb{F}_{p}) = \mathbb{G}_{1}$

In [122]:
E.cardinality() == q

True

In [123]:
E.abelian_group()

Additive abelian group isomorphic to Z/102211695604070082112571065507755096754575920209623522239390234855480569854275933742834077002685857629445612735086326265689167708028929 embedded in Abelian group of points on Elliptic Curve defined by y^2 = x^3 + 57 over Finite Field of size 102211695604070082112571065507755096754575920209623522239390234855490679834276115250716018318118556227909439196474813090886893187366913

we take the generator of $\mathbb{G}_{1}$ as $(-2, 7)$, as fixed in Daira's repo, one other choice is $(1, y_0)$ subject to further dicussion

In [124]:
G1_GENERATOR_X = Fp(-2)
G1_GENERATOR_Y = Fp(7)
G1_GENERATOR = E(G1_GENERATOR_X, G1_GENERATOR_Y)
G1_GENERATOR.order() == q

True

In [125]:
G1_GENERATOR_X

102211695604070082112571065507755096754575920209623522239390234855490679834276115250716018318118556227909439196474813090886893187366911

bit-lengths of coordinates of the generator

In [126]:
(Integer(G1_GENERATOR_X).bit_length(), Integer(G1_GENERATOR_Y).bit_length())

(446, 3)

Given an element in the base field $\mathbb{F}_{p}$ or in the scalar field $\mathbb{F}_{q}$, decompose it into $7$ limbs and each limb has $64$ bits (recall the modulus has $446$ bits) \
We test the function with the values given in the repo: https://github.com/daira/pluto-eris

In [127]:
def u_64_little_endian(n):
    str_hex = hex(n)
    str_hex_without_0x = str_hex[2:]
    full_width_str = '0' * (112 - len(str_hex_without_0x)) + str_hex_without_0x
    assert len(full_width_str) == 112

    res = []
    for i in range(7):
        temp = '0x' + full_width_str[112 - 16 * (i + 1) : 112 - 16 * i]
        res.append(temp)
    return res

# test the function with the given modulus p
u_64_little_endian(p) == [
    '0x9ffffcd300000001',
    '0xa2a7e8c30006b945',
    '0xe4a7a5fe8fadffd6',
    '0x443f9a5cda8a6c7b',
    '0xa803ca76f439266f',
    '0x0130e0000d7f70e4',
    '0x2400000000002400',
]

True

In [128]:
u_64_little_endian(Integer(G1_GENERATOR_X))

['0x9ffffcd2ffffffff',
 '0xa2a7e8c30006b945',
 '0xe4a7a5fe8fadffd6',
 '0x443f9a5cda8a6c7b',
 '0xa803ca76f439266f',
 '0x0130e0000d7f70e4',
 '0x2400000000002400']

In [129]:
u_64_little_endian(Integer(G1_GENERATOR_Y))

['0x0000000000000007',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000']

the extension field of the base field $\mathbb{F}_{p^{2}} = \mathbb{F}_{p} / (z^{2} + 5)$ as defined the repo of Pluto/Eris

In [130]:
R.<z> = PolynomialRing(Fp)
type(R)

<class 'sage.rings.polynomial.polynomial_ring.PolynomialRing_dense_mod_p_with_category'>

In [131]:
Fp2 = GF(p * p, name='z', modulus=z^2 + 5); Fp2

Finite Field in z of size 102211695604070082112571065507755096754575920209623522239390234855490679834276115250716018318118556227909439196474813090886893187366913^2

the twist curve *Triton* defined by
$$E_{2} / \mathbb{F}_{p^{2}}: y^{2} = x^{3} + (z + 3)$$

In [132]:
E2 = EllipticCurve(Fp2, [0, z + 3])
E2

Elliptic Curve defined by y^2 = x^3 + (z+3) over Finite Field in z of size 102211695604070082112571065507755096754575920209623522239390234855490679834276115250716018318118556227909439196474813090886893187366913^2

In [133]:
# E2.abelian_group(): it takes too long for output, probably because the extension field is too large

the order of the group $E_{2}(\mathbb{F}_{p^{2}})$ is $q (2 p - q)$ as showed in the repo \
https://github.com/daira/pluto-eris \
we know this group is also cyclic based on elliptic curves theory

In [134]:
E2.cardinality() == q * (2 * p - q)

True

We take a random point $P$ in $E_{2}(\mathbb{F}_{p^{2}})$, its order is very probably $q(2p - q)$, \
then we only need to take the generator of $\mathbb{G}_{2}$ as $Q = (2p - q) \cdot P$ whose order is thus $q$ as required

In [135]:
G2_GENERATOR = E2(73825144661657802320622230235198938990499597858335392319575549414437389618818590520326285321360920202797735030655909561889777699859203*z + 71734302620089618492699913728937268183797385533150575889378098330781954797102305587510777407800704588982064101415828137491262185115028, 98071031875237312442546746862775115431449232820321509333598658952664126924349333079397199359138721588981040507328584731002107992741432*z + 38777463725275824700618213641456882570018733940119470655919893307532794266845691064759257478242590798775325761756453196673183479571667)
G2_GENERATOR

(73825144661657802320622230235198938990499597858335392319575549414437389618818590520326285321360920202797735030655909561889777699859203*z + 71734302620089618492699913728937268183797385533150575889378098330781954797102305587510777407800704588982064101415828137491262185115028 : 98071031875237312442546746862775115431449232820321509333598658952664126924349333079397199359138721588981040507328584731002107992741432*z + 38777463725275824700618213641456882570018733940119470655919893307532794266845691064759257478242590798775325761756453196673183479571667 : 1)

In [136]:
# its order is q
q * G2_GENERATOR

(0 : 1 : 0)

In [137]:
(G2_GENERATOR_X, G2_GENERATOR_Y) = G2_GENERATOR.xy()

the $x$-coordinate of the generator of $\mathbb{G}_{2}$, note that it is in the extension field \
$\mathbb{F}_{p^2} = \{c_{0} + c_1 z: c_0, c_1 \in \mathbb{F}_p  \}$

In [138]:
G2_GENERATOR_X

# c_1 * z + c_0

73825144661657802320622230235198938990499597858335392319575549414437389618818590520326285321360920202797735030655909561889777699859203*z + 71734302620089618492699913728937268183797385533150575889378098330781954797102305587510777407800704588982064101415828137491262185115028

In [139]:
G2_GENERATOR_X.list()
# output (c_0, c_1)

[71734302620089618492699913728937268183797385533150575889378098330781954797102305587510777407800704588982064101415828137491262185115028,
 73825144661657802320622230235198938990499597858335392319575549414437389618818590520326285321360920202797735030655909561889777699859203]

In [140]:
G2_GENERATOR_X_0 = G2_GENERATOR_X.list()[0]
G2_GENERATOR_X_1 = G2_GENERATOR_X.list()[1]
(Integer(G2_GENERATOR_X_0).bit_length(), Integer(G2_GENERATOR_X_1).bit_length())



(445, 445)

In [141]:
u_64_little_endian(Integer(G2_GENERATOR_X_0))

['0x64df94ec64138d94',
 '0x9c1b62269cfa10e4',
 '0x3886dca44a7f6c19',
 '0x9b02208cfd650e17',
 '0x052896a707cf8947',
 '0xa9490edfe7707f05',
 '0x1943fb34a457551b']

In [142]:
u_64_little_endian(Integer(G2_GENERATOR_X_1))

['0xb1bd9958ca2d2b03',
 '0xf34dd1eb12904ef0',
 '0xfe10783b9106e92f',
 '0x343fc095636c8117',
 '0x8fc4095ab8d5f6c0',
 '0x93454f05c55110e5',
 '0x1a0080f48de3bb46']

the $y$-coordinate of the generator of $\mathbb{G}_{2}$, note that it is in the extension field \
$\mathbb{F}_{p^2} = \{c_{0} + c_1 z: c_0, c_1 \in \mathbb{F}_p  \}$

In [143]:
G2_GENERATOR_Y
# c_1 * z + c_0


98071031875237312442546746862775115431449232820321509333598658952664126924349333079397199359138721588981040507328584731002107992741432*z + 38777463725275824700618213641456882570018733940119470655919893307532794266845691064759257478242590798775325761756453196673183479571667

In [144]:
G2_GENERATOR_Y.list()
# output (c_0, c_1)


[38777463725275824700618213641456882570018733940119470655919893307532794266845691064759257478242590798775325761756453196673183479571667,
 98071031875237312442546746862775115431449232820321509333598658952664126924349333079397199359138721588981040507328584731002107992741432]

In [145]:
G2_GENERATOR_Y_0 = G2_GENERATOR_Y.list()[0]
G2_GENERATOR_Y_1 = G2_GENERATOR_Y.list()[1]
(Integer(G2_GENERATOR_Y_0).bit_length(), Integer(G2_GENERATOR_Y_1).bit_length())


(444, 446)

In [146]:
u_64_little_endian(Integer(G2_GENERATOR_Y_0))


['0x1a40ea5e6b9924d3',
 '0xe7ad21b3504fc522',
 '0x54293e270ef1d75d',
 '0x5796b6e18f6c5e39',
 '0x20540d68e5e7cafe',
 '0xc72900d3c580b99b',
 '0x0da866bbcb2696a5']

In [147]:
u_64_little_endian(Integer(G2_GENERATOR_Y_1))


['0xcf3ae4b7c5181638',
 '0x0fd1fedc66c1f210',
 '0xaa33870a9e316d6f',
 '0xc844de8ce3795939',
 '0x2068f65c6ea24746',
 '0xe282c87cb0420ae1',
 '0x228aa759cf616115']

$\zeta_{p}$ is one of the two $3nd$ primitive roots of unity in $\mathbb{F}_{p}$, the other one is $\zeta_{p}^{2}$.

In [148]:
zetap = Fp.zeta(3)
zetap

39370513046094319542878173447389497729725081225711316008956793976697167703016365005507455943322894334

$\zeta_{q}$ is one of the two $3nd$ primitive roots of unity in $\mathbb{F}_{q}$, the other one is $\zeta_{q}^{2}$.


In [149]:
zetaq = Fq.zeta(3)
zetaq

102211695604070082112571065507755018013549828020984436483043340076454780464112937796556235142799808455295617893795351495840632510873602

the endomorphism of $E/\mathbb{F}_{p}$ defined by:
$$(x, y) \mapsto (\zeta x, y)$$
where $\zeta$ is a primitive $3nd$ root

In [150]:
def endo (E, zeta, P):
    (xp, yp) = P.xy()
    return E(zeta * xp, yp)
    

we know 
$$(\zeta_{p} x, y) = [\zeta_{q}] (x, y)$$
but we should find the right $\zeta_{p}$ which maybe $\zeta_{p}$ or $\zeta_{p}^2$, the same applies to $\zeta_{q}$

In [151]:
zP = endo(E, zetap, G1_GENERATOR)
if zP == int(zetaq)*G1_GENERATOR:
    print("1st trial")
else:
    zetaq = zetaq^2
    if zP == int(zetaq)*G1_GENERATOR: 
        print("2nd trial")
    else: 
        zetap = zetap^2
        zP = endo(E, zetap, G1_GENERATOR)
        if zP == int(zetaq)*G1_GENERATOR:
            print("3nd trial")
        else:
            zetaq = zetaq^2
            assert zP == int(zetaq)*G1_GENERATOR
            print("4th trial")
(zetap, zetaq)

2nd trial


(39370513046094319542878173447389497729725081225711316008956793976697167703016365005507455943322894334,
 78741026092188639085756346894779025789390162995946277841859886049174149994841290974769848535197155326)

the bit lengths of $\zeta_{p}$ and $\zeta_{q}$ are exactly as mentioned in the Pluto/Eris repo

In [152]:
(Integer(zetap).bit_length(), Integer(zetaq).bit_length())

(335, 336)

we follow the method mentioned in:
https://hackmd.io/@drouyang/glv
and the papewer:
https://www.iacr.org/archive/crypto2001/21390189.pdf

In [153]:
def ext_euclidean(a, b):
    assert a <= b
    sqr_b = sqrt(b)
    u = a
    v = b
    x1 = 1
    y1 = 0
    x2 = 0
    y2 = 1

    X = []
    Y = []
    R = []

    flag = -1
    i = -1
    while not u == 0:
        q = v // u
        r = v - q * u
        if flag == -1:
            if r < sqr_b:
                flag = i # exactly the largest index i such that R[i] >= sqrt_b
        i = i + 1
        R.append(r)  #R[i] = r
        x = x2 - q * x1
        X.append(x)
        y = y2 - q * y1  # ax + by = d
        Y.append(y)
        v = u
        u = r
        x2 = x1
        x1 = x
        y2 = y1
        y1 = y
    
    d = v
    x = x2
    y = y2
    X.append(x)
    Y.append(y)
    R.append(0)

    # ((r_l, t_l), (r_l_1, t_l_1), (r_l_2, t_l_2))
    return ((R[flag], X[flag]), (R[flag + 1], X[flag + 1]), (R[flag + 2], X[flag + 2]))  

In [154]:
def GLV(scalar, n):
    ((r_l, t_l), (r_l_1, t_l_1), (r_l_2, t_l_2)) = ext_euclidean(scalar, n)
    b_1 = t_l_1
    a_1 = r_l_1
    if (r_l^2 + t_l^2) <= (r_l_2^2 + t_l_2^2):
        b_2 = -t_l
        a_2 = r_l
    else:
        b_2 = -t_l_2
        a_2 = r_l_2

    return ((a_1, b_1), (a_2, b_2))  # two points: V1 and V2
    

In [155]:
scalar = int(zetaq)
n = q
scalar <= n

True

In [156]:
ext_euclidean(scalar, n)

((10109980000181507881941315432698595867678032121070705088304164896768,
  -2596148429267416120109421314441215),
 (2596148429267416120109421314441215,
  10109980000181507881941315432698593271529602853654584978882850455553),
 (1298074214633708060054710657220608,
  -39370513046094319542878173447389507839705081407219197950272226675290439232619218660092434826173349887))

the output of GLV is $(b_1, b_2)$ whose counterpart for BN254 can be found in: \
https://github.com/privacy-scaling-explorations/halo2curves/blob/main/src/bn256/curve.rs#L124-L125 

In [157]:
((a1, b1), (a2, b2)) = GLV(scalar, n)
(u_64_little_endian(b1), u_64_little_endian(b2))

(['0x3ffffde200000001',
  '0x05ff0065a001ae51',
  '0x0000300001968000',
  '0x0000000060000000',
  '0x0000000000000000',
  '0x0000000000000000',
  '0x0000000000000000'],
 ['0x2000010effffffff',
  '0x0000800000000000',
  '0x0000000000000000',
  '0x0000000000000000',
  '0x0000000000000000',
  '0x0000000000000000',
  '0x0000000000000000'])

output gamma1 and gamma2 whose counterpart for BN256 can be found in: \
https://github.com/privacy-scaling-explorations/halo2curves/blob/main/src/bn256/curve.rs#L121-L123 \
note that we shift right in $448$ bits instead of $256$ bits as in BN256

In [158]:
gamma1 = round(b1 * 2^448 / q )
u_64_little_endian(gamma1)

['0xdf52222a6a19d56d',
 '0x2aae415b8e5c9500',
 '0xaaa955554a0aaaab',
 '0x00000002aaaaaaaa',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000']

In [159]:
gamma2 = round(b2 * 2^448 / q )
u_64_little_endian(gamma2)

['0xe38e224e38e4e395',
 '0x00038e38e38e38e0',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000']

given an arbitrary scalar $k$, we use GLV method to decompose: \
$k = k_1 + k_2 \times \zeta$
where $k_1, k_2$ are almost the half bit length of $k$ (recall $k$ with $446$ bits)

In [160]:
def decompose(k):
    c1_ = gamma2 * k
    c2_ = gamma1 * k
    c1 = c1_ >> 448
    c2 = c2_ >> 448
    q1 = c1 * b1
    q2 = c2 * b2
    k2 = q1 - q2
    k1 = k - c1 * a1 - c2 * a2
    return ((k1.bit_length(), k2.bit_length()), Fq(k) == Fq(k1 + k2 * int(zetaq)))
    

In [161]:
k = int(Fq.random_element())
assert k.bit_length() <= 447
decompose(k)

((220, 222), True)

co_factor used for the group $\mathbb{G}_{2}$, the counterpart for BN256 is here: \
https://github.com/privacy-scaling-explorations/halo2curves/blob/pluto_eris/src/bn256/curve.rs#L168


In [162]:
co_factor = 2 * p - q
hex(co_factor)

'0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5d3a8a6c7be4a7d5fe91447fd6a8a7e928a00867971ffffcd300000001'

const used for _is_tortion_free_, the counterpart for BN256 is here: \
https://github.com/privacy-scaling-explorations/halo2curves/blob/pluto_eris/src/bn256/curve.rs#L193

In [163]:
hex(q)

'0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001'

In [164]:
M = inverse_mod(p, 2^(64))
hex(-M + 2^(64))

'0x9ffffcd2ffffffff'

In [165]:
u_64_little_endian(57)

['0x0000000000000039',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000',
 '0x0000000000000000']

In [166]:
# for x in range(p):
#     if kronecker(x*x*x + 57, p) == 1:
#         print(x)
#         break

In [167]:
two_adicity_factor_Fp = (p - 1) / 2^(32)
two_adicity_factor_Fp % 2

1

In [168]:
Fp(10)^(p-1)

1

In [169]:
Fp(10)^(two_adicity_factor_Fp)

8025472862114844456838418029263901839040294958599644306134008217464912571547919166926181024175725358166481996067595519732360402055313

In [170]:
two_adicity_factor_Fq = (q - 1)/2^(32)
two_adicity_factor_Fq % 2

1

In [171]:
Fq(7)^(q-1)

1

In [172]:
Fp(19)^(p-1)

1

In [173]:
Fq(19)^(q-1)

1

In [174]:
u_str = "-0x4000000000001000008780000000"
u = int(u_str, 16)
u
# p = 36 * u^4 + 36 * u^3 + 24 * u^2 + 6 * u + 1
# hex(p)

-1298074214633708060054710657220608