# Triton and field extensions

In [143]:
# Helper functions
def u_64_little_endian(n):
    str_hex = hex(n)
    str_hex_without_0x = str_hex[2:]
    full_width_str = '0' * (112 - len(str_hex_without_0x)) + str_hex_without_0x
    assert len(full_width_str) == 112

    res = []
    for i in range(7):
        temp = '\t0x' + full_width_str[112 - 16 * (i + 1) : 112 - 16 * i]
        res.append(temp)
    return res

def print_for_rust(elem, prefix='Fp'):
    print('\t// ' + hex(elem))
    print('\t' +prefix + '::from_raw([')
    for limb in u_64_little_endian(elem):
        print('\t' +limb + ",")
    print('\t]),')


def print_coeffs( coeff_list, prefix='Fp' ):
    for i, c in enumerate(coeff_list):
        print("// Coefficient", i)
        print(prefix + '2{')
        # Coefficient coordinates
        vals = c.polynomial().list()

        for (val, coord) in zip(vals, ['c0', 'c1']):
            print_for_rust(val, coord + ': ' + prefix)
        if len(vals) ==1:
            print('\tc1:' + prefix + '::ZERO,')
        print('},\n')


In [144]:
# Pluto base field
p = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5cda8a6c7be4a7a5fe8fadffd6a2a7e8c30006b9459ffffcd300000001

# Pluto scalar field
q = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001

In [145]:
Fp = GF(p)
K2.<x> = PolynomialRing(Fp)
assert (x^2 + 5).roots(multiplicities=False) == []
Fp2.<u> = Fp.extension(x^2 + 5)

K6.<y> = PolynomialRing(Fp2)
beta = Fp2(u+3).inverse() * Fp2(57) 
assert (y^3 - beta ).roots(multiplicities=False) == []
Fp6.<v> = Fp2.extension(y^3 - beta)

# K12.<z> = PolynomialRing(Fq6)
# Fq12.<w> = Fq6.extension(z^2 - v)


In [146]:
print_coeffs([beta])
print(beta)

// Coefficient 0
Fp2{
	// 0xcdb6db6db6dc3b6dbda9924971b3a9ace4a7f2a7bcb449573cd928ee056022c3f6072240ebe2483833bf7b35b701d98ddb6da4b5b6db6e8
	c0: Fp::from_raw([
		0xddb6da4b5b6db6e8,
		0x833bf7b35b701d98,
		0x3f6072240ebe2483,
		0x73cd928ee056022c,
		0xce4a7f2a7bcb4495,
		0xdbda9924971b3a9a,
		0x0cdb6db6db6dc3b6,
	]),
	// 0x7b6db6db6db756db71cc2492776bcc3489319197d79f5f3457b57ef5366ce1a8c6d1148d5a5491bb523fb0536dcde8eeb6db62d36db6db3
	c1: Fp::from_raw([
		0xeb6db62d36db6db3,
		0xb523fb0536dcde8e,
		0x8c6d1148d5a5491b,
		0x457b57ef5366ce1a,
		0x489319197d79f5f3,
		0xb71cc2492776bcc3,
		0x07b6db6db6db756d,
	]),
},

21902506200872160452693799751661806447409125759205040479869336040462288535916310410867718211025404905980594113530317090904334254435763*u + 36504177001453600754489666252769677412348542932008400799782226734103814226527184018112863685042341509967656855883861818173890424059624


## Compute coefficients for Frobenius map in Fp6

In [147]:
coeff_1 = []
coeff_2 = []
for i in range(6):
    coeff_1.append(beta ** ((   p**i - 1) /3))
    coeff_2.append(beta ** (( 2*p**i - 2) /3))

In [148]:
print_coeffs(coeff_1)

// Coefficient 0
Fp2{
	// 0x1
	c0: Fp::from_raw([
		0x0000000000000001,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
	]),
	c1:Fp::ZERO,
},

// Coefficient 1
Fp2{
	// 0x120de97f024c55bc3bc0d351f4c70da1e3886170077a50986f93678bc921dcd5041bc4bb14cc42dc52e787634eccc335a001825382850d03
	c0: Fp::from_raw([
		0xa001825382850d03,
		0x52e787634eccc335,
		0x041bc4bb14cc42dc,
		0x6f93678bc921dcd5,
		0xe3886170077a5098,
		0x3bc0d351f4c70da1,
		0x120de97f024c55bc,
	]),
	// 0x2096f3f804d973afd82becc2ef081b76132461908eadbe3da1a7f5502b7091965efa1ddf4658080413be1b7cd3c9ea0e2772fea378a9b322
	c1: Fp::from_raw([
		0x2772fea378a9b322,
		0x13be1b7cd3c9ea0e,
		0x5efa1ddf46580804,
		0xa1a7f5502b709196,
		0x132461908eadbe3d,
		0xd82becc2ef081b76,
		0x2096f3f804d973af,
	]),
},

// Coefficient 2
Fp2{
	// 0x480000000000360001c950000d7ee0e4a803c956d01c903d720dc8ad8b38dffaf50c100004c37ffffffe
	c0: Fp::from_raw([
		0x100004c37fffff

In [149]:
print_coeffs(coeff_2)

// Coefficient 0
Fp2{
	// 0x1
	c0: Fp::from_raw([
		0x0000000000000001,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
	]),
	c1:Fp::ZERO,
},

// Coefficient 1
Fp2{
	// 0x93733692ce3cdcfc34610bac6bd22c4dc590efb038c82998c9549048e7b424cc00e17ffb4a61950d0ec132a7b38f09db0a818e422737f7c
	c0: Fp::from_raw([
		0xb0a818e422737f7c,
		0xd0ec132a7b38f09d,
		0xc00e17ffb4a61950,
		0x8c9549048e7b424c,
		0xdc590efb038c8299,
		0xc34610bac6bd22c4,
		0x093733692ce3cdcf,
	]),
	// 0x12cb19daadc92882ba3593aa6f3e6bf426f29bd46039e3036f61d0bd35f39ebecdac3209d9df546061c90b4940d9031c240ce398421dc7dc
	c1: Fp::from_raw([
		0x240ce398421dc7dc,
		0x61c90b4940d9031c,
		0xcdac3209d9df5460,
		0x6f61d0bd35f39ebe,
		0x26f29bd46039e303,
		0xba3593aa6f3e6bf4,
		0x12cb19daadc92882,
	]),
},

// Coefficient 2
Fp2{
	// 0x24000000000024000130e0000d7f28e4a803ca76be3924a5f43f8cddf9a5c4781b50d5e1ff708dc8d9fa5d8a200bc4398ffff80f80000002
	c0: Fp::fr

# Frobenius map coefficient for Fp12

In [150]:
coeff = []
for i in range(12):
    coeff.append(beta ** ((p**i - 1)  /6))

In [151]:
print_coeffs(coeff)

// Coefficient 0
Fp2{
	// 0x1
	c0: Fp::from_raw([
		0x0000000000000001,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
	]),
	c1:Fp::ZERO,
},

// Coefficient 1
Fp2{
	// 0x3c3ad3da8b99cb1df0709dc343113ccd9892dedd51f30695d89c647b90de8f41df055384b9e6cfd4e70648622c750f32ee965dfef2303d3
	c0: Fp::from_raw([
		0x2ee965dfef2303d3,
		0x4e70648622c750f3,
		0x1df055384b9e6cfd,
		0x5d89c647b90de8f4,
		0xd9892dedd51f3069,
		0xdf0709dc343113cc,
		0x03c3ad3da8b99cb1,
	]),
	// 0x149fd9ed2c7affe7aaa3b912182da22dccb29838628f04b6f333d052540294889f03876b2ddb143559f9373f4cf44e6afa0be24ad758a5ff
	c1: Fp::from_raw([
		0xfa0be24ad758a5ff,
		0x59f9373f4cf44e6a,
		0x9f03876b2ddb1435,
		0xf333d05254029488,
		0xccb29838628f04b6,
		0xaaa3b912182da22d,
		0x149fd9ed2c7affe7,
	]),
},

// Coefficient 2
Fp2{
	// 0x480000000000360001c950000d7ee0e4a803c956d01c903d720dc8ad8b38dffaf50c100004c37fffffff
	c0: Fp::from_raw([
		0x100004c37ffffff

## Square root in Fp2

In [152]:
# Precomputation from Algorithm 10 in  https://eprint.iacr.org/2012/685.pdf

c = Fp2(x)
assert c.is_square() == False

d = c ** ((p-1)/2)
e = (d*c).inverse()
f = (d*c)**2


In [153]:
p_minus_one_over_4 = (p - 1) /4
print('// q_minus_1_over_4')
print_for_rust(p_minus_one_over_4)
print('\n')
print_coeffs([e,f])

// q_minus_1_over_4
	// 0x900000000000900004c3800035fdc392a00f29dbd0e499bd10fe69736a29b1ef929e97fa3eb7ff5a8a9fa30c001ae5167ffff34c0000000
	Fp::from_raw([
		0x67ffff34c0000000,
		0xa8a9fa30c001ae51,
		0xf929e97fa3eb7ff5,
		0xd10fe69736a29b1e,
		0x2a00f29dbd0e499b,
		0x004c3800035fdc39,
		0x0900000000000900,
	]),


// Coefficient 0
Fp2{
	// 0x0
	c0: Fp::from_raw([
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
	]),
	// 0x13e275a1fa6a13af7a82a3d83bc9e63a667c70cf991a36e603b21f15823a404a021848271d63f0875d232408689b4c6c67153f9701e19938
	c1: Fp::from_raw([
		0x67153f9701e19938,
		0x5d232408689b4c6c,
		0x021848271d63f087,
		0x03b21f15823a404a,
		0x667c70cf991a36e6,
		0x7a82a3d83bc9e63a,
		0x13e275a1fa6a13af,
	]),
},

// Coefficient 1
Fp2{
	// 0x5
	c0: Fp::from_raw([
		0x0000000000000005,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000000000,
		0x0000000000

In [154]:
print_coeffs(Fp2.zeta(3)**2)

// Coefficient 0
Fp2{
	// 0x24000000000024000130e0000d7f28e4a803ca76be3924a5f43f8cddf9a5c4781b50d5e1ff708dc8d9fa5d8a200bc4398ffff80f80000002
	c0: Fp::from_raw([
		0x8ffff80f80000002,
		0xd9fa5d8a200bc439,
		0x1b50d5e1ff708dc8,
		0xf43f8cddf9a5c478,
		0xa803ca76be3924a5,
		0x0130e0000d7f28e4,
		0x2400000000002400,
	]),
	c1:Fp::ZERO,
},

// Coefficient 1
Fp2{
},



# Triton Constants

In [155]:
# Script from Daira's GH

p = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5cda8a6c7be4a7a5fe8fadffd6a2a7e8c30006b9459ffffcd300000001
q = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001

Fp2.<x> = GF(p^2, modulus=x^2 + 5)
Fp = GF(p)
Ep = EllipticCurve(Fp, [0, 57])
assert Ep.count_points() == q
for i in range(1, 3):
    E_not_triton = EllipticCurve(Fp2, [0, x+i])
    r = E_not_triton.count_points()
    assert q*(2*p - q) != r  # wrong twist

E_triton = EllipticCurve(Fp2, [0, x+3])
r = E_triton.count_points()
assert q*(2*p - q) == r  # right twist



In [156]:
cofactor = (2*p - q)
print_for_rust(cofactor)

	// 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5d3a8a6c7be4a7d5fe91447fd6a8a7e928a00867971ffffcd300000001
	Fp::from_raw([
		0x1ffffcd300000001,
		0xa8a7e928a0086797,
		0xe4a7d5fe91447fd6,
		0x443f9a5d3a8a6c7b,
		0xa803ca76f439266f,
		0x0130e0000d7f70e4,
		0x2400000000002400,
	]),


In [157]:
generator_candidates = E_triton.lift_x(3, all)

In [158]:
g1, g2 = generator_candidates
assert g1.xy()[1] < g2.xy()[1]
gen = g1 * cofactor
print_coeffs(gen.xy())

// Coefficient 0
Fp2{
	// 0x13576c81faf3a13fd815d0e9bd54b845ee935948b84498b27ca972bfb93722e223c9e276a4ebe7559cfc86dd865f07d64f2b5fe6556f9066
	c0: Fp::from_raw([
		0x4f2b5fe6556f9066,
		0x9cfc86dd865f07d6,
		0x23c9e276a4ebe755,
		0x7ca972bfb93722e2,
		0xee935948b84498b2,
		0xd815d0e9bd54b845,
		0x13576c81faf3a13f,
	]),
	// 0x142164cb875db0465e5092f9380f44f555243d011699b7393029f2d201554727aeb383298fdf5847b9b3dff01bbe8d63fe7c781a8fd7bf21
	c1: Fp::from_raw([
		0xfe7c781a8fd7bf21,
		0xb9b3dff01bbe8d63,
		0xaeb383298fdf5847,
		0x3029f2d201554727,
		0x55243d011699b739,
		0x5e5092f9380f44f5,
		0x142164cb875db046,
	]),
},

// Coefficient 1
Fp2{
	// 0x2239f7408ead478c58e88d4df1e7418c42fdbb92e64ba85aa4dc17d7dace3f32eb471c004db774bfe78574aca67b3898cd1b78ad106ab9fe
	c0: Fp::from_raw([
		0xcd1b78ad106ab9fe,
		0xe78574aca67b3898,
		0xeb471c004db774bf,
		0xa4dc17d7dace3f32,
		0x42fdbb92e64ba85a,
		0x58e88d4df1e7418c,
		0x2239f7408ead478c,
	]),
	// 0x1260b04d51136590dbb53dfd7caf450aeca714555bbe4f079ca6