mmagician/bls12_381-iso_gens.sage

## bls12_381-iso_gens.sage
# Finding the generators of G1 & G2 of a curve isogenous to BLS12-381, which has non-zero A, B coefficients in Short Weierstrass form.
# Script adapted from https://github.com/zkcrypto/bls12_381/blob/main/src/notes/design.rs
# Below are some links to the IETF draft where the isogeny is defined.

param = -0xd201000000010000
def r(x):
    return (x**4) - (x**2) + 1
def q(x):
    return (((x - 1) ** 2) * ((x**4) - (x**2) + 1) // 3) + x

# cofactors for G1, G2
def g1_h(x):
    return ((x-1)**2) // 3
def g2_h(x):
    return ((x**8) - (4 * (x**7)) + (5 * (x**6)) - (4 * (x**4)) + (6 * (x**3)) - (4 * (x**2)) - (4*x) + 13) // 9

q = q(param)
r = r(param)
Fq = GF(q)

# curve parameters, https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-bls12-381-g1
a_iso = 12190336318893619529228877361869031420615612348429846051986726275283378313155663745811710833465465981901188123677
b_iso = 2906670324641927570491258158026293881577086121416628140204402091718288198173574630967936031029026176254968826637280

ec = EllipticCurve(Fq, [a_iso, b_iso])
def psqrt(v):
    assert(not v.is_zero())
    a = sqrt(v)
    b = -a
    if a < b:
        return a
    else:
        return b
for x in range(0,100):
    rhs = Fq(x)^3 + a_iso*x + b_iso
    if rhs.is_square():
        y = psqrt(rhs)
        p = ec(x, y) * g1_h(param)
        if (not p.is_zero()) and (p * r).is_zero():
            print("x: {}".format(x))
            print("y: {}".format(y))
            print("g1 generator: {}".format(p))
            break

Fq2.<i> = GF(q^2, modulus=[1, 0, 1])

# Curve parameters for the extension, https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-bls12-381-g2
a_iso_g2 = 240*i
b_iso_g2 = 1012 + 1012*i

ec2 = EllipticCurve(Fq2, [a_iso_g2, b_iso_g2])
assert(ec2.order() == (r * g2_h(param)))
for x in range(0,100):
    rhs = (Fq2(x))^3 + a_iso_g2*x + b_iso_g2
    if rhs.is_square():
        y = psqrt(rhs)
        p = ec2(Fq2(x), y) * g2_h(param)
        if not p.is_zero() and (p * r).is_zero():
            print("x: {}".format(x))
            print("y: {}".format(y))
            print("g2 generator: {}".format(p))
            break
	# Finding the generators of G1 & G2 of a curve isogenous to BLS12-381, which has non-zero A, B coefficients in Short Weierstrass form.
	# Script adapted from https://github.com/zkcrypto/bls12_381/blob/main/src/notes/design.rs
	# Below are some links to the IETF draft where the isogeny is defined.

	param = -0xd201000000010000
	def r(x):
	return (x4) - (x2) + 1
	def q(x):
	return (((x - 1) ** 2) * ((x4) - (x2) + 1) // 3) + x

	# cofactors for G1, G2
	def g1_h(x):
	return ((x-1)**2) // 3
	def g2_h(x):
	return ((x*8) - (4 (x*7)) + (5 (x*6)) - (4 (x*4)) + (6 (x*3)) - (4 (x*2)) - (4x) + 13) // 9

	q = q(param)
	r = r(param)
	Fq = GF(q)

	# curve parameters, https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-bls12-381-g1
	a_iso = 12190336318893619529228877361869031420615612348429846051986726275283378313155663745811710833465465981901188123677
	b_iso = 2906670324641927570491258158026293881577086121416628140204402091718288198173574630967936031029026176254968826637280

	ec = EllipticCurve(Fq, [a_iso, b_iso])
	def psqrt(v):
	assert(not v.is_zero())
	a = sqrt(v)
	b = -a
	if a < b:
	return a
	else:
	return b
	for x in range(0,100):
	rhs = Fq(x)^3 + a_iso*x + b_iso
	if rhs.is_square():
	y = psqrt(rhs)
	p = ec(x, y) * g1_h(param)
	if (not p.is_zero()) and (p * r).is_zero():
	print("x: {}".format(x))
	print("y: {}".format(y))
	print("g1 generator: {}".format(p))
	break

	Fq2.<i> = GF(q^2, modulus=[1, 0, 1])

	# Curve parameters for the extension, https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-bls12-381-g2
	a_iso_g2 = 240*i
	b_iso_g2 = 1012 + 1012*i

	ec2 = EllipticCurve(Fq2, [a_iso_g2, b_iso_g2])
	assert(ec2.order() == (r * g2_h(param)))
	for x in range(0,100):
	rhs = (Fq2(x))^3 + a_iso_g2*x + b_iso_g2
	if rhs.is_square():
	y = psqrt(rhs)
	p = ec2(Fq2(x), y) * g2_h(param)
	if not p.is_zero() and (p * r).is_zero():
	print("x: {}".format(x))
	print("y: {}".format(y))
	print("g2 generator: {}".format(p))
	break