Quadratic and Cubic non-residues for tower of extension fields about constantine HOT 3 CLOSED

So literature is contradicting itself (?)

For BN254:

0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47 ≡ 7 (mod 8)

Aranha in https://caramba.loria.fr/sem-slides/201905241000.pdf / https://ecc2017.cs.ru.nl/slides/ecc2017-aranha.pdf mentions that they can use the following towering:

• 𝔽p²=𝔽p[𝑖]/(i² − β), where β=−1
• 𝔽p6=𝔽p[v]/(v² − ξ), where ξ=𝑖+1
  

and https://eprint.iacr.org/2010/526.pdf

But Grewal in https://eprint.iacr.org/2012/408.pdf mentions that for BN curve with p ≡ 7 (mod 8) you need 𝔽p² = √-2

[8] refers to Pereira paper: https://eprint.iacr.org/2010/429.pdf

Edit:
From Pereira paper

From Bos, Costello Naehrig https://www.microsoft.com/en-us/research/wp-content/uploads/2013/08/exponentiating_pairing.pdf

from constantine.

So in Ethereum the curve equation is y^2 = x^3 + 3

• https://eips.ethereum.org/EIPS/eip-196
• https://eips.ethereum.org/EIPS/eip-197

But in the papers cited they create y² = x³ + 2. According to Pereira paper, b = N(ξ) (norm of Xi) with ξ = c² + d³ 𝑖, due to b = 2 this works for ξ = 1+𝑖 and bypasses (?) the cubic non-residue requirement.
However for Ethereum usage, the curve is y² = x³ + 3 so we can't find "friendly" parameters for y² = x³ + 2 and we need to fallback to cubic non-residue to extend 𝔽p6=𝔽p[v]/(v² − ξ), possible using √-2 instead of 𝑖 for the base quadratic extension.

Can someone with a good grasp on that confirm?

from constantine.

Confusion solved Snarks and Ethereum use the prime 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47 and Nogami/Aranha and the litterature use 0x2523648240000001ba344d80000000086121000000000013a700000000000013. Both are BN primes of width 254-bit .

The sage formulas have been updated and the suggested towers matches the litterature and specifications.

from constantine.