G2 generator for BLS12-381 is undocumented #55
Comments
|
Thanks! Can you please share the script used to pick the generator for independent verification? |
|
Here's a sage script I managed to find on my machine. param = -0xd201000000010000
def r(x):
return (x**4) - (x**2) + 1
def q(x):
return (((x - 1) ** 2) * ((x**4) - (x**2) + 1) // 3) + x
def g1_h(x):
return ((x-1)**2) // 3
def g2_h(x):
return ((x**8) - (4 * (x**7)) + (5 * (x**6)) - (4 * (x**4)) + (6 * (x**3)) - (4 * (x**2)) - (4*x) + 13) // 9
q = q(param)
r = r(param)
Fq = GF(q)
ec = EllipticCurve(Fq, [0, 4])
def psqrt(v):
assert(not v.is_zero())
a = sqrt(v)
b = -a
if a < b:
return a
else:
return b
for x in range(0,100):
rhs = Fq(x)^3 + 4
if rhs.is_square():
y = psqrt(rhs)
p = ec(x, y) * g1_h(param)
if (not p.is_zero()) and (p * r).is_zero():
print "g1 generator: %s" % p
break
Fqx.<j> = PolynomialRing(Fq, 'j')
Fq2.<i> = GF(q^2, modulus=j^2 + 1)
ec2 = EllipticCurve(Fq2, [0, (4 * (1 + i))])
assert(ec2.order() == (r * g2_h(param)))
for x in range(0,100):
rhs = (Fq2(x))^3 + (4 * (1 + i))
if rhs.is_square():
y = psqrt(rhs)
p = ec2(Fq2(x), y) * g2_h(param)
if (not p.is_zero()) and (p * r).is_zero():
print "g2 generator: %s" % p
break
Produces: |
dfaranha
added a commit
that referenced
this issue
Oct 3, 2017
|
Thanks! The G2 generator is now the one provided here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
relic/src/epx/relic_ep2_curve.c
Lines 98 to 101 in f97c36e
How was this generator chosen?
Alternatively, change to use the generator:
Obtained by "finding the lexicographically smallest valid x-coordinate, and its lexicographically smallest y-coordinate and scaling it by the cofactor such that the result is not the point at infinity."
The text was updated successfully, but these errors were encountered: