# Arion Constant Generation

This SageMath Jupyter Notebook generates constants for Arion and prints them in little endian big integer representation.

In [15]:
def little_endian_order(n, b, min_length=1):
    b_adic_expansion = [n % b]
    n = (n - b_adic_expansion[-1]) / b
    while n != 0:
        b_adic_expansion.append(n % b)
        n = (n - b_adic_expansion[-1]) / b
    while len(b_adic_expansion) < min_length:
        b_adic_expansion.append(0)
    return b_adic_expansion

In [16]:
# BLS12-381
p = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
K = GF(p)

# Maximum Arion width
width = 8
# Maximum Arion rounds
rounds  = 6

# Basis for big integer representation
B = 2**64

## High Degree Inverse Permutation

Computes the exponent of the inverse permutation of $x^{d_2}$ and prints it in big integer representation.

In [47]:
d_2 = 257

little_endian_order(xgcd(d_2, p - 1)[1] % p, B, 4)

[8469711284772863745,
 1214928404647555091,
 15849274830579433833,
 3867970841541904563]

In [39]:
little_endian_order((p - 1) / 2, B, 4)

[9223372034707292160,
 12240451741123816959,
 1845609449319885826,
 4176758429732224676]

## Affine Round Constants

Generates the affine round constants.

In [20]:
affine_constants = []
for r in range(0, rounds):
    constants = []
    for b in range(0, width):
        const = K(0)
        while const == K(0):
            const = K.random_element()
        constants.append(little_endian_order(int(const), B, 4))
    affine_constants.append(constants)

In [21]:
affine_constants

[[[970454385332725214,
   4735158914852834846,
   16702983313962767143,
   7375736764391876140],
  [4230679363595362084,
   14748170609639716385,
   6726276718525653011,
   209585127932669456],
  [6985368126114302085,
   15042707609042090796,
   6574303427188805453,
   4260491623787833808],
  [4211534376445758016,
   4194194800130890524,
   6189979315052828417,
   6333043189070472884],
  [7713061483966079236,
   2531813565031281972,
   15141872849730284883,
   2617614298691088635],
  [9384435332689772208,
   6380797830192786222,
   14046751767082687730,
   6726703997800057086],
  [1992080556398414636,
   4864203202662323702,
   12166009503139942213,
   4341074411686198705],
  [9183113592048845618,
   18038533873937178850,
   16188992193114910863,
   5450448736873179721]],
 [[1266687978422234986,
   69881920587063368,
   16171726449901498918,
   5950717589371861074],
  [6930917184652543673,
   10514231817671922317,
   4035945929007950627,
   6501921180983397386],
  [7732435664247685777,

In [23]:
for el in affine_constants:
    print(el)
    print("\n")

[[970454385332725214, 4735158914852834846, 16702983313962767143, 7375736764391876140], [4230679363595362084, 14748170609639716385, 6726276718525653011, 209585127932669456], [6985368126114302085, 15042707609042090796, 6574303427188805453, 4260491623787833808], [4211534376445758016, 4194194800130890524, 6189979315052828417, 6333043189070472884], [7713061483966079236, 2531813565031281972, 15141872849730284883, 2617614298691088635], [9384435332689772208, 6380797830192786222, 14046751767082687730, 6726703997800057086], [1992080556398414636, 4864203202662323702, 12166009503139942213, 4341074411686198705], [9183113592048845618, 18038533873937178850, 16188992193114910863, 5450448736873179721]]


[[1266687978422234986, 69881920587063368, 16171726449901498918, 5950717589371861074], [6930917184652543673, 10514231817671922317, 4035945929007950627, 6501921180983397386], [7732435664247685777, 1843882157446206982, 5208046253713768039, 3231264108358203476], [2468010120310035552, 752360851117569350, 16

## Constants For Irreducible Quadratic Polynomials

Generates constants in $\mathbb{F}_p$ for quadratic polynomials
$$ g (x) = x^2 + a \cdot x + b$$
such that
$$\left( \frac{a^2 - 4 \cdot b}{p} \right) = -1.$$

In [41]:
constants_g = []
for r in range(0, rounds):
    constants = []
    for b in range(0, width - 1):
        const_1 = K.random_element()
        const_2 = K.random_element()
        while legendre_symbol(const_1**2 - 4 * const_2, p) != - 1:
            const_1 = K.random_element()
            const_2 = K.random_element()
        constants.append([little_endian_order(int(const_1), B, 4), little_endian_order(int(const_2), B, 4)])
    constants_g.append(constants)

In [42]:
for el in constants_g:
    print(el)
    print("\n")

[[[8118021754834449418, 18137426088772698758, 11203759450720152331, 3900225123309009714], [14639014844555717986, 10036122947945021134, 16847282596167317246, 7187814803256400694]], [[14525900076367906240, 285701828013040820, 8209039863985472825, 6002201468642717514], [1976020842633079501, 10845738633802611111, 13765667994085148964, 3261502654422324242]], [[7758101740920843174, 18176659492512981487, 8932647722209367966, 6536481862122956546], [18144900633143714544, 9006025712098685260, 17305636935215169546, 4021291266829413815]], [[13430340930673190471, 6340972178702447167, 18395728821334867436, 4507679155598365721], [13274273673115050468, 14355740628689897277, 16358078499105545713, 4206170965530390973]], [[12969467437587247133, 14185495908945610644, 3356607114650797197, 6562861671434439], [5288709648859117752, 7862515103577432033, 17470788809537922822, 5858991881344592831]], [[15909451001460723575, 15899331260159970773, 12497740786161253656, 857273899484426815], [1726323722231622433, 141

## Constants For Quadratic Polynomials

Generates constants in $\mathbb{F}_p$ for quadratic polynomials
$$ g (x) = x^2 + a \cdot x.$$

In [27]:
constants_h = []
for r in range(0, rounds):
    constants = []
    for b in range(0, width - 1):
        const = K(0)
        while const == K(0):
            const = K.random_element()
        constants.append(little_endian_order(int(const), B, 4))
    constants_h.append(constants)

In [28]:
for el in constants_h:
    print(el)
    print("\n")

[[10921243481068140754, 2518525656384150226, 6113210645428543405, 3965711976898692104], [3485595414554252575, 409582036943307088, 13828756501544561109, 1677462619007352731], [3334782092255076761, 5570395682066137536, 10608845724528439175, 7579215251462115483], [9694456976992470658, 15804342176037893448, 9169995828282038490, 3088629552174663926], [4736994860782243944, 7685556290627959999, 11715635745556264818, 5943033524509355117], [10215347721694543935, 15993796356778898738, 10137559064734388862, 227314686331948528], [13460852012916779609, 4358098711408330618, 8978707826599623711, 7213924270875377657]]


[[4926870207870077544, 5277045161118171188, 10224442989354951543, 7444723940524320645], [7471186748802007366, 7260661708697062126, 7283265288265511831, 1869305939512461199], [3095833256795908432, 16687801437939668899, 7117743567829038038, 3849376791502321111], [7960370455870505448, 16454464364719604501, 4344917559538738003, 8090736631896107454], [13146371958286040330, 14077105886872986