## Finite fields

Prime finite fields (i.e. $\mathbb{Z}/p\mathbb{Z}$ with $p$ prime) are created with the command `GF(p)`. Casting an integer into a prime field can be done explicitly, but is usually implicit.

In [82]:
K=GF(65537)
K

In [83]:
a=K(-11)
print(a)
print(a+25)
print(a.lift_centered())

Elements in a non-prime finite field $\mathbb{F}_{p^d}$ are represented as polynomials of degree $<d$ modulo an irreducible degree $d$ polynomial $P$. This polynomial can be specified; otherwise Sagemath chooses one, and similarly for the name of the indeterminate.

In [144]:
print(GF(125))
print(GF(125).random_element())

K.<t> = GF(169)
print(K)
print(K.random_element())

Finite Field in z3 of size 5^3
2*z3^2 + z3 + 2
Finite Field in t of size 13^2
t + 9


**Exercice :** 
- Find an element of multiplicative order $5$ in $(\mathbb{Z}/101\mathbb{Z})^*$
- Find the irreducible polynomials used by Sagemath to define $\mathbb{F}_{121}$ and $\mathbb{F}_{125}$
- The polynomial ring $K[X]$ over a field $K$ can be created by the command `PolynomialRing(K,'X')`. Check that the polynomial $P=X^5+2X^2+1$ is irreducible in $\mathbb{F}_{101}[X]$, and use this polynomial to define $\mathbb F_{101^5}$ as $\mathbb F_{101}[X]/(P)$.
- Find an irreducible polynomial $Q$ of degree 2 over $\mathbb F_{25}$ and define $\mathbb F_{625}$ as $\mathbb F_{25}[X]/(Q)$.

## Elliptic curves and pairings

An elliptic curve defined over a field K by a short Weierstrass equation $y^2=x^3+ax+b$ can be created with the command `EllipticCurve(K,[a,b])`. Note that the quantity $4a^3+27b^2$ must be non-zero, otherwise the curve is singular (not an elliptic curve).

**Exercice:** Let $E$ be the elliptic curve of equation $y^2 = x^3+x+25$ over $\mathbb Z/107\mathbb Z$. 
- What is the cardinality of $E$ ? 
- Pick two random points $P$ and $Q$ on $E$ and check that $P$, $Q$ and $-(P+Q)$ are aligned.
- Find the discrete logarithm of $Q$ in base $P$.


**Exercice (continued):** 
- Show that the embedding degree of $E$ is equal to $3$.
- Construct the field $\mathbb F_{107^3}$ and use the command `change_ring` to consider the curve $E$ as defined over $\mathbb F_{107^3}$.
- What is the cardinality of $E(\mathbb F_{107^3})$ ? Find a point $R \in E$ of order $127$ that is not defined over $\mathbb F_{107}$.
- Compute the Weil pairing of $P$ and $Q$. You might have to cast $P$ as a point defined over $\mathbb F_{107^3}$.
- Check on several examples the bilinearity and antisymmetry of the Weil pairing.
- Are there other pairings you can compute ?

**Exercice : constructing small pairing-friendly curves**

In this exercice we are looking for curves $E$ defined over a small prime field $\mathbb F_p$ such that $\#E$ is prime and the embedding degree of $E$ is small ($\leq 6$). 
We will use the following fact (Hasse's bound): $$p+1-2\sqrt{p} \leq \#E \leq p+1+2\sqrt{p}$$
- Apply exhaustive search to find all couples of distinct primes $(p,\ell)$ with $p \in [1000,10000]$ such that $\ell$ is within Hasse's bound and the multiplicative order $d$ of $p$ mod $\ell$ is smaller than or equal to $6$ (you can use the function `n.next_prime()` to return the smallest prime strictly greater than `n`).
- Are pairing-friendly curves rather common or rare?
- Choose one such couple $(p,\ell)$ satisfying $d=6$. By exhaustive search again, find an elliptic curve $E$ defined over $\mathbb F_p$ having exactly $\ell$ points.

**Exercice (continued):**

Let $E$ be the elliptic curve of embedding degree $6$ constructed above. One can show that for any $x\in \mathbb F_{p^3}$, the equation $y^2 = x^3+ax+b$ has a solution $y$ that lies either in $\mathbb F_{p^3}$ or in $\mathbb F_{p^6}$. 

- Pick a random $x\in \mathbb F_{p^3}$ until the corresponding value of $y$ lies in $\mathbb F_{p^6}\setminus \mathbb F_{p^3}$. We recall that an element $y$ is in $\mathbb F_{p^3}$ if and only if $y^{p^3}=y$.
- Construct the corresponding point $Q\in E(\mathbb F_{p^6})$. Compute several multiples of $Q$ and check that their $x$-coordinates belong to $\mathbb F_{p^3}$. Explain this property.
- Find two points $P_0, P_1$ that generate $E(\mathbb F_{p^6})[\ell]$ such that $P_0 \in E(\mathbb F_p)$ and $x(P_1) \in \mathbb F_{p^3}$. Why is such a basis interesting?

**Exercice: Barreto-Naehrig curves**

The following code snippet constructs elliptic curves of prime order of a given size with an embedding degree of 12, with the command `E=BN.generate_prime_order(size)`.
- Construct a BN curve of size 100 bits. Check that its embedding degree is indeed 12 (the command `E.base_ring()` allows to recover the field of definition).
- Try to construct BN curves of larger size. What do you observe?
- Uncomment the third line of the method `generate_prime_order` (so that everybody gets the same curve), and run `E=BN.generate_prime_order(100)`. In order to compute pairings on this curve, we need the corresponding field $\mathbb F_{p^{12}}$; construct it with the following piece of code:\
`p=E.base_ring().cardinality()`\
`A.<x>=PolynomialRing(GF(p))`\
`K12.<t>=GF(p^12,modulus=x^12 + x^11 + x^10 + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1)`
- Time the computation of the Weil pairing of two points in $E(\mathbb F_{p^{12}})$ whose order is $\ell = \#E(\mathbb F_p)$. Is it fast?
- Pick a random prime number of $\approx$ 100 bits and choose random elliptic curves over the corresponding prime field until one is found with a large prime factor. Compute its embedding degree. What do you observe?

In [19]:
class BN(object):
    @staticmethod
    def generate_prime_order(zbits):
        while True:
            z = randint(2^(zbits - 1), 2^zbits)
            #z = 1056017018967232695326726523462
            pz = int(BN.p(z))
            if not is_prime(pz):
                continue
            rz = int(BN.r(z))
            if not is_prime(rz):
                continue
            break
        K = GF(pz)
        b = 1
        while True:
            curve = EllipticCurve(K, [0, b])
            card = curve.cardinality()
            if card % rz == 0:
                break
            b += 1
        return curve

    @staticmethod
    def p(z):
        return 36 * z^4 + 36 * z^3 + 24 * z^2 + 6 * z + 1
    @staticmethod
    def r(z):
        return 36 * z^4 + 36 * z^3 + 18 * z^2 + 6 * z + 1
    @staticmethod
    def t(z):
        return 6 * z^2 + 1