What’s the equivalent of this py_ecc code for untwisting the bn128 curve in SageMath ?
Simple, I’ve curve defined as $\frac {Y^2 = X^3 + 3}{i+9}$ definied over finite finite field $\mathbb F_p^2=\frac {F_p[i]}{i^2 + 1}$ with $p=21888242871839275222246405745257275088696311157297823662689037894645226208583$ and point $X=11559732032986387107991004021392285783925812861821192530917403151452391805634 \times i + 10857046999023057135944570762232829481370756359578518086990519993285655852781$ $Y=4082367875863433681332203403145435568316851327593401208105741076214120093531 \times i +8495653923123431417604973247489272438418190587263600148770280649306958101930$
As this curve is homomorphic to the curve $Y^2 = X^3 + 3$ defined over $\mathbb F_p^{12}$, how to convert the point to the $\mathbb F_p^{12}$ curve such as the discrete logarithm relation between 2 points on the 1st curve is preserved ?
I’ve following code from py_ecc :
def twist(pt: Point2D[FQP]) -> Point2D[FQ12]:
_x, _y = pt
# Field isomorphism from Z[p] / x**2 to Z[p] / x**2 - 18*x + 82
xcoeffs = [_x.coeffs[0] - _x.coeffs[1] * 9, _x.coeffs[1]]
ycoeffs = [_y.coeffs[0] - _y.coeffs[1] * 9, _y.coeffs[1]]
# Isomorphism into subfield of Z[p] / w**12 - 18 * w**6 + 82,
# where w**6 = x
nx = FQ12([int(xcoeffs[0])] + [0] * 5 + [int(xcoeffs[1])] + [0] * 5)
ny = FQ12([int(ycoeffs[0])] + [0] * 5 + [int(ycoeffs[1])] + [0] * 5)
# Divide x coord by w**2 and y coord by w**3
return (nx * w**2, ny * w**3)
but what it’s SageMath equivalent ?
Can you please elaborate why you are not happy with the given code and what do you mean under "SageMath equivalent"?
@MaxAlekseyev py_ecc doesn’t support elliptic curve multiplication in p¹²