Mamy André-Ratsimbazafy a6e4517be2
Implement 𝔽p12 inversion, enable 𝔽p12 tests and bench
2020-04-09 14:28:01 +02:00
README.md Add more curves for testing: Curve25519, BLS12-377, BN446, FKM-447, BLS12-461, BN462 2020-03-21 13:05:58 +01:00
abelian_groups.nim Add multiplication in 𝔽p6 = 𝔽p2[∛(1+𝑖)] 2020-03-21 19:03:57 +01:00
fp2_complex.nim Fix squaring in 𝔽p6 (𝔽p2 squaring require separate target and source buffer) 2020-04-09 13:20:05 +02:00
fp2_sqrt_minus2.nim 30% faster constant-time inversion 2020-03-20 23:03:52 +01:00
fp2_sqrt_minus5.nim 30% faster constant-time inversion 2020-03-20 23:03:52 +01:00
fp6_1_plus_i.nim Fix squaring in 𝔽p6 (𝔽p2 squaring require separate target and source buffer) 2020-04-09 13:20:05 +02:00
fp12_quad_fp6.nim Implement 𝔽p12 inversion, enable 𝔽p12 tests and bench 2020-04-09 14:28:01 +02:00

README.md

Tower Extensions of Finite Fields

Overview

From Ben Edgington, https://hackmd.io/@benjaminion/bls12-381

Field extensions

Field extensions are fundamental to elliptic curve pairings. The "12" in BLS12-381 is not only the embedding degree, it is also (relatedly) the degree of field extension that we will need to use.

The field F_q can be thought of as just the integers modulo q: 0,1,...,q-1. But what kind of beast is F_{q^{12}}, the twelfth extension of F_q?

I totally failed to find any straightforward explainers of field extensions out there, so here's my attempt after wrestling with this for a while.

Let's construct an F_{q^2}, the quadratic extension of F_q. In F_{q^2} we will represent field elements as first-degree polynomials like a_0 + a_1x, which we can write more concisely as (a_0, a_1) if we wish.

Adding two elements is easy: (a, b) + (c, d) = a + bx + c + dx = (a+c) + (b+d)x = (a+c, b+d). We just need to be sure to reduce a+c and b+d modulo q.

What about multiplying? (a, b) \times (c, d) = (a + bx)(c + dx) = ac + (ad+bc)x + bdx^2 = ???. Oops - what are we supposed to do with that x^2 coefficient?

We need a rule for reducing polynomials so that they have a degree less than two. In this example we're going to take x^2 + 1 = 0 as our rule, but we could make other choices. There are only two rules about our rule (our rule is an "extension field modular reduction", terminology from here):

  1. it must be a degree k polynomial, where k is our extension degree, 2 in this case; and
  2. it must be irreducible in the field we are extending. That means it must not be possible to factor it into two or more lower degree polynomials.

Applying our rule, by substituting x^2 = -1, gives us the final result (a, b) \times (c, d) = ac + (ad+bc)x + bdx^2 = (ac-bd) + (ad+bc)x = (ac-bd, ad+bc). This might look a little familiar from complex arithmetic: (a+ib) \times (c+id) = (ac-bd) + (ad+bc)i. This is not a coincidence! The complex numbers are a quadratic extension of the real numbers.

Complex numbers can't be extended any further because there are no irreducible polynomials over the complex numbers. But for finite fields, if we can find an irreducible k-degree polynomial in our field F_q, and we often can, then we are able to extend the field to F_{q^k}, and represent the elements of the extended field as degree k-1 polynomials, a_0 + a_1x +...+ a_{k-1}x^{k-1}. We can represent this compactly as (a_0,...,a_{k-1}), as long as we remember that there may be some very funky arithmetic going on.

Also worth noting is that modular reductions like this (our reduction rule) can be chosen so that they play nicely with the twisting operation.

In practice, large extension fields like F_{q^{12}} are implemented as towers of smaller extensions. That's an implementation aspect, so I've put it in the more practical section below.

Extension towers

Recall our discussion of field extensions? In practice, rather than implementing a massive 12th-degree extension directly, it is more efficient to build it up from smaller extensions: a tower of extensions.

For BLS12-381, the F_{q^{12}} field is implemented as a quadratic (degree two) extension, on top of a cubic (degree three) extension, on top of a quadratic extension of F_q.

As long as the modular reduction polynomial (our reduction rule) is irreducible (can't be factored) in the field being extended at each stage, then this all works out fine.

Specifically:

  1. F_{q^2} is constructed as F_q(u) / (u^2 - \beta) where \beta = -1.
  2. F_{q^6} is constructed as F_{q^2}(v) / (v^3 - \xi) where \xi = u + 1.
  3. F_{q^{12}} is constructed as F_{q^6}(w) / (w^2 - \gamma) where \gamma = v.

Interpreting these in terms of our previous explanation:

  1. We write elements of the F_{q^2} field as first degree polynomials in u, with coefficients from F_q, and apply the reduction rule u^2 + 1 = 0, which is irreducible in F_q.
    • an element of F_{q^2} looks like a_0 + a_1u where a_j \in F_q.
  2. We write elements of the F_{q^6} field as second degree polynomials in v, with coefficients from the F_{q^2} field we just constructed, and apply the reduction rule v^3 - (u + 1) = 0, which is irreducible in F_{q^2}.
    • an element of F_{q^6} looks like b_0 + b_1v + b_2v^2 where b_j \in F_{q^2}.
  3. We write elements of the F_{q^{12}} field as first degree polynomials in w, with coefficients from the F_{q^6} field we just constructed, and apply the reduction rule w^2 - v = 0, which is irreducible in F_{q^6}.
    • an element of F_{q^{12}} looks like c_0 + c_1w where c_j \in F_{q^6}.

This towered extension can replace the direct extension as a basis for pairings, and when well-implemented can save a huge amount of arithmetic when multiplying F_{q^{12}} points. See Pairings for Beginners section 7.3 for a full discussion of the advantages.
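As an added example (not Constantine's code, and not Ben Edgington's), the three stages above built as one generic Python class stacked three times, so that the F_{q^2} product formula and Fermat inversion both fall out of the same "fold x^k into xi" rule. q = 19 is a constructed toy modulus, chosen because -1 and 2 are non-squares mod 19 and 2 is not a cube mod 19, which is exactly what makes u^2 + 1, v^3 - (1+u) and w^2 - v irreducible at their respective stages; the real BLS12-381 modulus would slot in unchanged.

```python
# Added example, not Constantine's code: one generic tower level F_base[x]/(x^k - xi),
# stacked three times for the BLS12-381 rules above (u^2 = -1, v^3 = 1 + u, w^2 = v).
# Elements are coefficient lists, nested one level deeper per extension stage.
Q = 19  # constructed toy prime for which all three reduction rules below are irreducible

class Fp:
    """Integers modulo q, the ground level of the tower."""
    def __init__(self, q): self.q = q
    def zero(self): return 0
    def one(self): return 1
    def order(self): return self.q
    def add(self, a, b): return (a + b) % self.q
    def mul(self, a, b): return (a * b) % self.q

class Tower:
    """F_base[x]/(x^k - xi): degree-(k-1) polynomials over base, reduced by x^k = xi."""
    def __init__(self, base, k, xi):
        self.base, self.k, self.xi = base, k, xi  # xi is an element of base
    def zero(self): return [self.base.zero() for _ in range(self.k)]
    def one(self): return [self.base.one()] + self.zero()[1:]
    def order(self): return self.base.order() ** self.k
    def add(self, a, b): return [self.base.add(x, y) for x, y in zip(a, b)]
    def mul(self, a, b):
        # schoolbook product of degree 2k-2, then fold x^(k+i) = xi * x^i
        prod = [self.base.zero() for _ in range(2 * self.k - 1)]
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                prod[i + j] = self.base.add(prod[i + j], self.base.mul(ai, bj))
        for i in range(2 * self.k - 2, self.k - 1, -1):
            prod[i - self.k] = self.base.add(prod[i - self.k], self.base.mul(prod[i], self.xi))
        return prod[:self.k]

def field_pow(F, a, e):
    """Square-and-multiply at any level F of the tower."""
    result, base = F.one(), a
    while e:
        if e & 1:
            result = F.mul(result, base)
        base, e = F.mul(base, base), e >> 1
    return result

def field_inv(F, a):
    """Fermat inversion a^(|F|-2); valid only because each stage's rule is irreducible."""
    return field_pow(F, a, F.order() - 2)

FP = Fp(Q)
FP2 = Tower(FP, 2, Q - 1)                       # u^2 = -1
FP6 = Tower(FP2, 3, [1, 1])                     # v^3 = 1 + u
FP12 = Tower(FP6, 2, [[0, 0], [1, 0], [0, 0]])  # w^2 = v
```

Fermat inversion is the simplest correct method, not the fastest; a constant-time implementation such as Constantine's uses dedicated formulas, but any such formula must agree with this one.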

References

Research

Presentations