pub fn endo_coefficient<F: PrimeField>() -> F
Computes a primitive cube root of unity ξ in the field F.
For a prime field F_p where 3 divides p-1, this returns:
ξ = g^((p-1)/3)
where g is a generator of the multiplicative group F_p*.
§Properties
- ξ³ = g^(p-1) = 1 (by Fermat’s Little Theorem)
- ξ ≠ 1 (since g has order p-1 and (p-1)/3 is not a multiple of p-1)
- The three cube roots of unity are: {1, ξ, ξ²}
§Usage
This is used in two contexts:
- Base field (ξ): For the curve endomorphism φ(x,y) = (ξ·x, y)
- Scalar field (λ): As the scalar such that
φ(P) = [λ]P
Both fields (Fp and Fq for Pasta curves) have cube roots of unity, and they correspond to each other via the endomorphism relationship.
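The relationship above, worked through on a toy curve as an added example (not code from this crate). The curve y² = x³ + 3 over F_7, the generators 3 and 2, and all function names are assumptions chosen so the arithmetic fits in a u64; the check at the end selects whichever of λ, λ² actually matches φ for the chosen ξ.

```rust
// Toy parameters constructed for this example (not the Pasta curves):
// E: y^2 = x^3 + 3 over F_7 has prime order 13; 3 generates F_7*, 2 generates F_13*.
const P: u64 = 7; // base field modulus
const Q: u64 = 13; // scalar field modulus (group order)
type Point = Option<(u64, u64)>; // None is the point at infinity

fn pow_mod(mut b: u64, mut e: u64, m: u64) -> u64 {
    let mut acc = 1;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    acc
}

/// g^((m-1)/3) mod m, the formula from the description; requires 3 | m-1.
fn cube_root_of_unity(g: u64, m: u64) -> u64 {
    assert_eq!((m - 1) % 3, 0, "no primitive cube root of unity in this field");
    pow_mod(g, (m - 1) / 3, m)
}

fn add(a: Point, b: Point) -> Point {
    let (Some((x1, y1)), Some((x2, y2))) = (a, b) else { return a.or(b) };
    if x1 == x2 && (y1 + y2) % P == 0 { return None; } // pt + (-pt)
    let (num, den) = if x1 == x2 { (3 * x1 * x1, 2 * y1) } else { (y2 + P - y1, x2 + P - x1) };
    let s = num % P * pow_mod(den, P - 2, P) % P; // slope; inverse via Fermat
    let x3 = (s * s + 2 * P - x1 - x2) % P;
    Some((x3, (s * (x1 + P - x3) + P - y1) % P))
}

fn mul(k: u64, pt: Point) -> Point {
    (0..64).rev().fold(None, |acc, i| {
        let d = add(acc, acc); // double-and-add, most significant bit first
        if (k >> i) & 1 == 1 { add(d, pt) } else { d }
    })
}

/// Returns (xi, lambda) such that phi(pt) = (xi*x, y) = [lambda]pt.
fn endo_pair(pt: (u64, u64)) -> (u64, u64) {
    let xi = cube_root_of_unity(3, P);
    let cand = cube_root_of_unity(2, Q);
    let phi = Some((xi * pt.0 % P, pt.1));
    let lambda = if mul(cand, Some(pt)) == phi { cand } else { cand * cand % Q };
    assert_eq!(mul(lambda, Some(pt)), phi); // phi must act as one of the two roots
    (xi, lambda)
}

fn main() { println!("(xi, lambda) = {:?}", endo_pair((1, 2))); }
```

The two cube roots computed independently in each field are only candidates for a matching pair: a different generator can yield λ² instead of λ, which is why the pairing is checked against a curve point rather than assumed.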
§References
- Halo paper, Section 6.2: https://eprint.iacr.org/2019/1021