# Arion Constant Generation

This SageMath Jupyter Notebook generates constants for Arion and prints them in little endian big integer representation.

In [1]:
def little_endian_order(n, b, min_length=1):
    b_adic_expansion = [n % b]
    n = (n - b_adic_expansion[-1]) / b
    while n != 0:
        b_adic_expansion.append(n % b)
        n = (n - b_adic_expansion[-1]) / b
    while len(b_adic_expansion) < min_length:
        b_adic_expansion.append(0)
    return b_adic_expansion

In [2]:
# BLS12-381
p = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
K = GF(p)

# Maximum Arion width
width = 8
# Maximum Arion rounds
rounds  = 8

# Basis for big integer representation
B = 2**64

## High Degree Inverse Permutation

Computes the exponent of the inverse permutation of $x^{d_2}$ and prints it in big integer representation.

In [3]:
d_2 = 257

little_endian_order(xgcd(d_2, p - 1)[1] % p, B, 4)

[8469711284772863745,
 1214928404647555091,
 15849274830579433833,
 3867970841541904563]

In [4]:
little_endian_order((p - 1) / 2, B, 4)

[9223372034707292160,
 12240451741123816959,
 1845609449319885826,
 4176758429732224676]

## Affine Round Constants

Generates the affine round constants.

In [5]:
affine_constants = []
for r in range(0, rounds):
    constants = []
    for b in range(0, width):
        const = K(0)
        while const == K(0):
            const = K.random_element()
        constants.append(little_endian_order(int(const), B, 4))
    affine_constants.append(constants)

In [6]:
affine_constants

[[[12306438399703485369,
   375448340102769579,
   12871862686041511099,
   3477857241268721699],
  [6519542688612722981,
   17362143974960297276,
   6783760864343583746,
   894955722599378160],
  [3597999875996611749,
   10039128184299904907,
   12361574637104302609,
   4216726740267659665],
  [16499992986257591523,
   14597194618853800,
   545147365243073500,
   5058400187414493689],
  [5486772036942361459,
   8876394641980069637,
   13112386186755594736,
   3698695773753644659],
  [1354011043116483769,
   11148515921017514825,
   10505617175601672865,
   5861536056188937461],
  [11843230204534356679,
   1755415082978780512,
   9914217959247211903,
   5819622430266572892],
  [2893961999792040510,
   1526438339469668902,
   17956121958912048078,
   5564251607171037183]],
 [[13906219560090660378,
   18157120675335011585,
   13511533438913384631,
   4460085392301323664],
  [6959880094828364028,
   12113732879699159422,
   8855157986968756323,
   3667354594416417518],
  [1548165019226343

In [7]:
for el in affine_constants:
    print(str(el) + ",")
    print("\n")

[[12306438399703485369, 375448340102769579, 12871862686041511099, 3477857241268721699], [6519542688612722981, 17362143974960297276, 6783760864343583746, 894955722599378160], [3597999875996611749, 10039128184299904907, 12361574637104302609, 4216726740267659665], [16499992986257591523, 14597194618853800, 545147365243073500, 5058400187414493689], [5486772036942361459, 8876394641980069637, 13112386186755594736, 3698695773753644659], [1354011043116483769, 11148515921017514825, 10505617175601672865, 5861536056188937461], [11843230204534356679, 1755415082978780512, 9914217959247211903, 5819622430266572892], [2893961999792040510, 1526438339469668902, 17956121958912048078, 5564251607171037183]],


[[13906219560090660378, 18157120675335011585, 13511533438913384631, 4460085392301323664], [6959880094828364028, 12113732879699159422, 8855157986968756323, 3667354594416417518], [15481650192263438105, 15370962179040618954, 18337175469969730870, 2613140924953832095], [12238944322672252871, 4438384980385

## Constants For Irreducible Quadratic Polynomials

Generates constants in $\mathbb{F}_p$ for quadratic polynomials
$$ g (x) = x^2 + a \cdot x + b$$
such that
$$\left( \frac{a^2 - 4 \cdot b}{p} \right) = -1.$$

In [8]:
constants_g = []
for r in range(0, rounds):
    constants = []
    for b in range(0, width - 1):
        const_1 = K.random_element()
        const_2 = K.random_element()
        while legendre_symbol(const_1**2 - 4 * const_2, p) != - 1:
            const_1 = K.random_element()
            const_2 = K.random_element()
        constants.append([little_endian_order(int(const_1), B, 4), little_endian_order(int(const_2), B, 4)])
    constants_g.append(constants)

In [9]:
for el in constants_g:
    print(str(el) + ",")
    print("\n")

[[[17769932339522752201, 991700806762734643, 1055132556626659722, 5482155662016970067], [10373470298780555383, 2933650439041797365, 4497837049414742871, 7083481921024601049]], [[6579173159249344816, 16367055460396781109, 10331935492367057804, 7300173371695536952], [5660242530615637728, 10645629967681214278, 15920449808542728471, 4152739311714194626]], [[7105970505866680282, 200280136121458327, 9871656344659462010, 7119185359926590782], [18098000036116098649, 13678293048312644461, 17921211797758591533, 8288580145094791793]], [[5055268181327253163, 11770408059946555901, 3221958483003229103, 7511648397385338330], [1130450937530117148, 2432765857000729393, 9234550563932400859, 4521946379964060320]], [[3512139742219639860, 13243748340961368378, 14179241962115770530, 6404402865006305316], [4061820721705826545, 1547942267678625423, 17798742129922320394, 5304088031454002498]], [[11617910324683234464, 15837387459693337636, 11034611211802606726, 5409110491616343260], [15737019730507735253, 10058

## Constants For Quadratic Polynomials

Generates constants in $\mathbb{F}_p$ for quadratic polynomials
$$ g (x) = x^2 + a \cdot x.$$

In [10]:
constants_h = []
for r in range(0, rounds):
    constants = []
    for b in range(0, width - 1):
        const = K(0)
        while const == K(0):
            const = K.random_element()
        constants.append(little_endian_order(int(const), B, 4))
    constants_h.append(constants)

In [11]:
for el in constants_h:
    print(str(el) + ",")
    print("\n")

[[17378373655945514012, 15543279991031724039, 1347596296609456165, 646949225376302438], [10197880799089535618, 6061584460928184398, 1093339277967389291, 3532586032202725290], [11942346870781818436, 12164024066950675735, 9007529869376357425, 5915533915916301902], [246015369899951853, 1911675108268238827, 9195681281626459832, 7667439860962465536], [11857609043511458330, 15439664103006352749, 8030011318165301217, 8253166353180236186], [4151747154001328560, 7929804135988584519, 6353590686438744824, 7301901205458187110], [2227031853315688211, 17217265811711261795, 17683593731142508135, 4309244055655225558]],


[[6340618742361809168, 15980641563440612591, 8849622481476877458, 5759148372041382347], [10633726156316330837, 12464793194466640298, 4026789927533185536, 3694302157767426917], [5780026797695525860, 3580084910731490936, 10740647020208132243, 2550274060651369945], [3139468753429812986, 2503604497541291465, 8777070628455339514, 195119567936855239], [961269065861925499, 105912326611694676