f1 has to be a R16 element, and A a R4 element. I build up a small, but ugly, work around. I take every A and put it in a List. Then, in the end, I return that list and convert each element to a Poly=PolynomialRing(R) element, where f1 is also an PolynomialRing(R) element. Then I do the multiplication over that PolynomialRing and do a "lazy reduction" in the end, by "Poly(R16(List[pos]))". From this position, I'm able to print via ".list()" any coefficient in Hex.

Let

p=13
R = GF(p)

_.<v> = PolynomialRing(R)
R4.<v> = R.extension(v^4 - 2, 'v')
_.<w> = PolynomialRing(R4)
R16.<w> = R4.extension(w^4-v, 'w')

I need to compute

f1 = R16(1)
for i in range(34):
    A=R4.random_element() #in my case, this is not random, its derived by an function
    f1 = f1^2*A #this is not the whole code, but it displayes the problem

This element stays allways in R4. But the result i expect, is an element of R16.

So: How can I tell sage to use the R16 multiplication instead? I need a full degree 15 polynomial. If it is possible, in one variable (w, since w^4=v).

Furthermore: How can I tell Sage to print any coefficient in Hex?

My Question is actually obsolet. I will add an answere and some miss-thoughts in the next days.

Ok. Thinking about you mentioned behaviour delivers, that this can't work. I'll add a more precise question.

I'm on generating an example from now on.

Ok. You got it right. I might produce an example in the next hours. For instance the parameters "p=13" and "r=5" should do it. Consider $E':\ y^2=x^3+ (2^{-1/4})x$ over $\mathbb F_{p^4}$. This curve becomes isomorphic over $\mathbb F_{p^{16}}$ to $E:\ y^2=x^3+x$, where $E(\mathbb F_p)[r]=E(\mathbb F_{p^{16}})[r]\cap {P\in E:\ \pi (P)= \mathcal O }$. (Twist)

Ok, I do. :) $\pi$ is the p-Frobenius, that means: $\pi(P)=(x(P)^p, y(P)^p)$ and the prime is around 340 bits of size. You can find that in the edit also.

Hey,

is there a way, to define a subgroup of an elliptic curve with two or more characteristics? I would like to take an elliptic curve over a finite field of order p and $p^4$, define the r-torsion subgroup (where $r$ is a prime, too) and reduce those to the set of points, which also lays in the Frobenius-eigenspace.

For example:

p= 13
r=5
R=GF(p)
_.<x> = PolynomialRing(R)
R4.<x> = R.extension(x^4 - 2, 'x')
_.<y> = PolynomialRing(R)

b= x^-1

E = EllipticCurve(R, [1,0]) # y^2 = x^3+x
E4 = EllipticCurve(R4, [b,0])

Well, it is easy to find a point on $Q\in E4$, such that $r*Q = (0:1:0)$, use

Q=ZZ(E4.order()/r *Q

, but checking, if $( x(Q)^p, y(Q)^p )=\pi(Q) = pQ$ is hard. I only need one point of that group at all, but my $p$ is even larger (~340 bits), so brute-forcing would be an option, if I could start it 6-12 month ago :)

Furthermore, if I concider to evaluate the secant or tangent on E and let me return a point on that curve, it will have projective coordinates, with $z(P)\neq1$. Shall I apply $\pi$ to all three coordinates?

Wow nice, thank you. Yesterday, after some hours of wondering, why this does not work or even produces different results, as I thought to get, I saw, that I missunderstood twists. They are becoming isomorphic over the extension field, not through the different fields ($F_k:=\mathbb F_{p^k}$) $F_4$ and $F_{16}$. So the r-torsion point I found worked over $F_{16}$, but now over $F_4$.

Hey, I would like to do map points of the ellitptic curve $E(\mathbb F_{p^{k}})$ to its twist. I am able to define the twist on a mathematical way, but it returns always errors. I will give you a M(n)WE:

Aim: Get a generator of a r-torsion subgroup of E, lift that to E16 and twist it down to E4, to get a r-torsion subgroup-generator of E4.

MWE

Mathematical definition:

$E(\mathbb F_{p^{16}}): y^2=x^3+x$ and its quartic twist $E'(\mathbb F_{p^4}): y^2=x^3+2^{-1/4}x$. The point mapping is defined as $\psi: E\to E', (x,y,z)\mapsto (2^{-1/2}x, 2^{-3/4}y, z)$.

Define the fields and curves

p= 13
r=5
R=GF(p)
_.<x> = PolynomialRing(R)
R4.<x> = R.extension(x^4 - 2, 'x')
_.<y> = PolynomialRing(R)
R16.<y> = R.extension(y^16 -2, 'y')
_.<z> = PolynomialRing(R4)
R16_over_R4.<z> = R4.extension(z^4-x, 'z')

E = EllipticCurve(R, [1,0]) # y^2 = x^3+x
E4 = EllipticCurve(R4, [x,0])
E16 = EllipticCurve(R16, [1,0])

Defining the point and pre-computations

k= ZZ(E.order()/r) # since E.order()*P = (0:1:0), we can trick with that
b=R16(2^(-1)); b= sqrt(sqrt(2)) #the twisting parameter, that is a square in R4 and R16
P= E.gens()[0]
Q=k*P # check if Q != E((0,1,0)), if yes its a r-torsion point. 
Q16 = E16(Q) #raise Q

The not working twist

#twist
E4( (Q16[0]*b^2, Q16[1]*b^3))

Sage is able to compute the quartic twist of its own, but I do not recieve the right twist, that I had computed by hand ( $E'$ ). Using

E4.quartic_twist(v^-1)