mmagician/bls12-381-effective-cofactor.sage

## bls12-381-effective-cofactor.sage
field_modulus = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
desired_curve_order = 52435875175126190479447740508185965837690552500527637822603658699938581184513
x = -0xd201000000010000

Fp = GF(field_modulus)
Fr = GF(desired_curve_order)

X = Fp(x)

PARAM_A4 = 0
PARAM_A6 = 4

E = EllipticCurve(Fp, [PARAM_A4, PARAM_A6])

E_order = E.order()
cofactor = Fp(E_order // desired_curve_order)

# cofactor is the product of some primes, by definition should be positive
# since (1-X)^2 == (X-1)^2:
assert(cofactor == (1-X)^2 / 3)
assert(cofactor == (X-1)^2 / 3)

random_elem_on_curve = E(1087508418522513028581609315370772240618466973629180727947555338061895794892526735444564331058882512443779273487476, 1615514793815606191421622357316365312881377381258479237563561805595195685157187067101213748485404293545009496148742)

# element is on curve but not in prime order subgroup
assert(random_elem_on_curve.order() != desired_curve_order)

eff_cofactor = 1-X

# after effective cofactor clearing, point is in the prime order subgroup
assert((eff_cofactor*random_elem_on_curve).order() == desired_curve_order)

# after multiplying by X-1, point is NOT in the prime order subgroup
assert(((X-1)*random_elem_on_curve).order() != desired_curve_order)
	field_modulus = 4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559787
	desired_curve_order = 52435875175126190479447740508185965837690552500527637822603658699938581184513
	x = -0xd201000000010000

	Fp = GF(field_modulus)
	Fr = GF(desired_curve_order)

	X = Fp(x)

	PARAM_A4 = 0
	PARAM_A6 = 4

	E = EllipticCurve(Fp, [PARAM_A4, PARAM_A6])

	E_order = E.order()
	cofactor = Fp(E_order // desired_curve_order)

	# cofactor is the product of some primes, by definition should be positive
	# since (1-X)^2 == (X-1)^2:
	assert(cofactor == (1-X)^2 / 3)
	assert(cofactor == (X-1)^2 / 3)

	random_elem_on_curve = E(1087508418522513028581609315370772240618466973629180727947555338061895794892526735444564331058882512443779273487476, 1615514793815606191421622357316365312881377381258479237563561805595195685157187067101213748485404293545009496148742)

	# element is on curve but not in prime order subgroup
	assert(random_elem_on_curve.order() != desired_curve_order)

	eff_cofactor = 1-X

	# after effective cofactor clearing, point is in the prime order subgroup
	assert((eff_cofactor*random_elem_on_curve).order() == desired_curve_order)

	# after multiplying by X-1, point is NOT in the prime order subgroup
	assert(((X-1)*random_elem_on_curve).order() != desired_curve_order)