# Triton and field extensions

In [9]:
# Helper functions
def u_64_little_endian(n):
    str_hex = hex(n)
    str_hex_without_0x = str_hex[2:]
    full_width_str = '0' * (112 - len(str_hex_without_0x)) + str_hex_without_0x
    assert len(full_width_str) == 112

    res = []
    for i in range(7):
        temp = '0x' + full_width_str[112 - 16 * (i + 1) : 112 - 16 * i]
        res.append(temp)
    return res

def print_for_rust(elem):
    print(hex(elem))
    print('[')
    for limb in u_64_little_endian(elem):
        print(limb + ",")
    print(']')
    print('\n')

def print_coeffs( coeff_list):
    for i, c in enumerate(coeff_list):
        print("Coeff", i)
        for (val, coord) in zip(c.polynomial().list(), ["x", "y"]):
            print(coord)
            print_for_rust(val)
        print("###########")

In [10]:
# Pluto base field
p = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5cda8a6c7be4a7a5fe8fadffd6a2a7e8c30006b9459ffffcd300000001

# Pluto scalar field
q = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001

In [11]:
Fp = GF(p)
K2.<x> = PolynomialRing(Fp)
assert (x^2 + 5).roots(multiplicities=False) == []

Fp2.<u> = Fp.extension(x^2 + 5)
K6.<y> = PolynomialRing(Fp2)
assert (y^3 - (u+2) ).roots(multiplicities=False) == []

Fp6.<v> = Fp2.extension(y^3 - (u+2))
# K12.<z> = PolynomialRing(Fq6)
# Fq12.<w> = Fq6.extension(z^2 - v)


## Compute coefficients for Frobenius map in Fp6

In [12]:
coeff_1 = []
coeff_2 = []
for i in range(6):
    coeff_1.append(Fp2(u+2)**((  p**i - 1) /3))
    coeff_2.append(Fp2(u+2)**((2*p**i - 2) /3))

In [13]:
print_coeffs(coeff_1)

Coeff 0
x
0x1
[
0x0000000000000001,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
]


###########
Coeff 1
x
0xa12a7a5bb16c30e70ed772cd3a465fb9a95b4ac5841e111d3ee22591d2c9f387870fd58bb208ac369b0926203e0d8b2672a2f804be5c3d2
[
0x672a2f804be5c3d2,
0x69b0926203e0d8b2,
0x7870fd58bb208ac3,
0xd3ee22591d2c9f38,
0x9a95b4ac5841e111,
0x70ed772cd3a465fb,
0x0a12a7a5bb16c30e,
]


y
0x169c69ad87060cd2f94b547d64e48b8eb2b3f55438c0bc3e38a1914bdb01e208918d3b6fbd6061efa04dc91e9dc401c5b0aa20a5bf27d84b
[
0xb0aa20a5bf27d84b,
0xa04dc91e9dc401c5,
0x918d3b6fbd6061ef,
0x38a1914bdb01e208,
0xb2b3f55438c0bc3e,
0xf94b547d64e48b8e,
0x169c69ad87060cd2,
]


###########
Coeff 2
x
0x480000000000360001c950000d7ee0e4a803c956d01c903d720dc8ad8b38dffaf50c100004c37ffffffe
[
0x100004c37ffffffe,
0xc8ad8b38dffaf50c,
0xc956d01c903d720d,
0x50000d7ee0e4a803,
0x00000000360001c9,
0x0000000000004800,
0x0000000000000000,
]


###########
Coeff 3
x
0x1fdb6f538b54ca12

In [14]:
print_coeffs(coeff_2)

Coeff 0
x
0x1
[
0x0000000000000001,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
]


###########
Coeff 1
x
0x1d51c23fcb1f9dae6458b6193a3766305bedb614a7feb8ec89f2de54da4204fe6832f879b2d457a239174d60a6247988fc8442b768993461
[
0xfc8442b768993461,
0x39174d60a6247988,
0x6832f879b2d457a2,
0x89f2de54da4204fe,
0x5bedb614a7feb8ec,
0x6458b6193a376630,
0x1d51c23fcb1f9dae,
]


y
0x1500a70695886e6cab571195c7d6000acb2b830a12825c2b4c494d816a5f107ce3393a7f8808224892191b8bc5a401e57acbf5e1ff7aa60d
[
0x7acbf5e1ff7aa60d,
0x92191b8bc5a401e5,
0xe3393a7f88082248,
0x4c494d816a5f107c,
0xcb2b830a12825c2b,
0xab571195c7d6000a,
0x1500a70695886e6c,
]


###########
Coeff 2
x
0x24000000000024000130e0000d7f28e4a803ca76be3924a5f43f8cddf9a5c4781b50d5e1ff708dc8d9fa5d8a200bc4398ffff80f80000002
[
0x8ffff80f80000002,
0xd9fa5d8a200bc439,
0x1b50d5e1ff708dc8,
0xf43f8cddf9a5c478,
0xa803ca76be3924a5,
0x0130e0000d7f28e4,
0x2400000000002400,
]


###########

# Frobenius map coefficient for Fp12

In [15]:
coeff = []
for i in range(12):
    coeff.append(Fp2(u+2)**((p**i - 1)  /6))

In [16]:
print_coeffs(coeff)

Coeff 0
x
0x1
[
0x0000000000000001,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
]


###########
Coeff 1
x
0x1b753f8b1c790596306643e8d56a36e8a2ab4f2aaaed2b24e4982068bdf5e6fa81754882f0b9fea9ae5247e985509a8faefbc19a0ebb9c80
[
0xaefbc19a0ebb9c80,
0xae5247e985509a8f,
0x81754882f0b9fea9,
0xe4982068bdf5e6fa,
0xa2ab4f2aaaed2b24,
0x306643e8d56a36e8,
0x1b753f8b1c790596,
]


y
0x39a53badefef2817c8f793c5b3d3d674964841b3cf9e8921fde920acb190ffde389f817427cbd34d576f049a35a7126f4bee638825d52d
[
0x6f4bee638825d52d,
0x4d576f049a35a712,
0xde389f817427cbd3,
0x21fde920acb190ff,
0x74964841b3cf9e89,
0x17c8f793c5b3d3d6,
0x0039a53badefef28,
]


###########
Coeff 2
x
0x24000000000024000130e0000d7f28e4a803ca76be3924a5f43f8cddf9a5c4781b50d5e1ff708dc8d9fa5d8a200bc4398ffff80f80000002
[
0x8ffff80f80000002,
0xd9fa5d8a200bc439,
0x1b50d5e1ff708dc8,
0xf43f8cddf9a5c478,
0xa803ca76be3924a5,
0x0130e0000d7f28e4,
0x2400000000002400,
]


###########
C

## Square root in Fp2

In [17]:
# Precomputation from Algorithm 10 in  https://eprint.iacr.org/2012/685.pdf

c = Fp2(x)
assert c.is_square() == False

d = c ** ((p-1)/2)
e = (d*c).inverse()
f = (d*c)**2


In [18]:
q_minus_one_over_4 = (p - 1) /4
print_for_rust(q_minus_one_over_4)
for var in [e,f]:
    print_coeffs(var)

0x900000000000900004c3800035fdc392a00f29dbd0e499bd10fe69736a29b1ef929e97fa3eb7ff5a8a9fa30c001ae5167ffff34c0000000
[
0x67ffff34c0000000,
0xa8a9fa30c001ae51,
0xf929e97fa3eb7ff5,
0xd10fe69736a29b1e,
0x2a00f29dbd0e499b,
0x004c3800035fdc39,
0x0900000000000900,
]


Coeff 0
###########
Coeff 1
x
0x13e275a1fa6a13af7a82a3d83bc9e63a667c70cf991a36e603b21f15823a404a021848271d63f0875d232408689b4c6c67153f9701e19938
[
0x67153f9701e19938,
0x5d232408689b4c6c,
0x021848271d63f087,
0x03b21f15823a404a,
0x667c70cf991a36e6,
0x7a82a3d83bc9e63a,
0x13e275a1fa6a13af,
]


###########
Coeff 0
x
0x5
[
0x0000000000000005,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
0x0000000000000000,
]


###########
Coeff 1
###########


In [19]:
print_coeffs(Fp2.zeta(3)**2)

Coeff 0
x
0x24000000000024000130e0000d7f28e4a803ca76be3924a5f43f8cddf9a5c4781b50d5e1ff708dc8d9fa5d8a200bc4398ffff80f80000002
[
0x8ffff80f80000002,
0xd9fa5d8a200bc439,
0x1b50d5e1ff708dc8,
0xf43f8cddf9a5c478,
0xa803ca76be3924a5,
0x0130e0000d7f28e4,
0x2400000000002400,
]


###########
Coeff 1
###########


# Triton Constants

In [20]:
# Script from Daira's GH

p = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5cda8a6c7be4a7a5fe8fadffd6a2a7e8c30006b9459ffffcd300000001
q = 0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5c7a8a6c7be4a775fe8e177fd69ca7e85d60050af41ffffcd300000001

Fp2.<x> = GF(p^2, modulus=x^2 + 5)
Fp = GF(p)
Ep = EllipticCurve(Fp, [0, 57])
assert Ep.count_points() == q
for i in range(1, 3):
    E_not_triton = EllipticCurve(Fp2, [0, x+i])
    r = E_not_triton.count_points()
    assert q*(2*p - q) != r  # wrong twist

E_triton = EllipticCurve(Fp2, [0, x+3])
r = E_triton.count_points()
assert q*(2*p - q) == r  # right twist



In [21]:
cofactor = (2*p - q)
print_for_rust(cofactor)

0x24000000000024000130e0000d7f70e4a803ca76f439266f443f9a5d3a8a6c7be4a7d5fe91447fd6a8a7e928a00867971ffffcd300000001
[
0x1ffffcd300000001,
0xa8a7e928a0086797,
0xe4a7d5fe91447fd6,
0x443f9a5d3a8a6c7b,
0xa803ca76f439266f,
0x0130e0000d7f70e4,
0x2400000000002400,
]




In [22]:
generator_candidates = E_triton.lift_x(3, all)

In [23]:
g1, g2 = generator_candidates
assert g1.xy()[1] < g2.xy()[1]
gen = g1 * cofactor
print_coeffs(gen.xy())

Coeff 0
x
0x13576c81faf3a13fd815d0e9bd54b845ee935948b84498b27ca972bfb93722e223c9e276a4ebe7559cfc86dd865f07d64f2b5fe6556f9066
[
0x4f2b5fe6556f9066,
0x9cfc86dd865f07d6,
0x23c9e276a4ebe755,
0x7ca972bfb93722e2,
0xee935948b84498b2,
0xd815d0e9bd54b845,
0x13576c81faf3a13f,
]


y
0x142164cb875db0465e5092f9380f44f555243d011699b7393029f2d201554727aeb383298fdf5847b9b3dff01bbe8d63fe7c781a8fd7bf21
[
0xfe7c781a8fd7bf21,
0xb9b3dff01bbe8d63,
0xaeb383298fdf5847,
0x3029f2d201554727,
0x55243d011699b739,
0x5e5092f9380f44f5,
0x142164cb875db046,
]


###########
Coeff 1
x
0x2239f7408ead478c58e88d4df1e7418c42fdbb92e64ba85aa4dc17d7dace3f32eb471c004db774bfe78574aca67b3898cd1b78ad106ab9fe
[
0xcd1b78ad106ab9fe,
0xe78574aca67b3898,
0xeb471c004db774bf,
0xa4dc17d7dace3f32,
0x42fdbb92e64ba85a,
0x58e88d4df1e7418c,
0x2239f7408ead478c,
]


y
0x1260b04d51136590dbb53dfd7caf450aeca714555bbe4f079ca65d97eb28fc9fc697b4e10bbcd9e0539ef82a731fb88ed49e3c080e6d945d
[
0xd49e3c080e6d945d,
0x539ef82a731fb88e,
0xc697b4e10bbcd9e0,
0x9c