Representation of G2 in MNT curves

[Giuseppe D'Alconzo]

Hi, I am working with Charm and I want test my protocol with another library (eg. MAGMA).

The curve is MNT224, so a type D curve (embedding deg=6), and I don't understand how elements of the group G2 are represented.

I expect g2=(x,y), where x,y are in F_{q^6} but when I print one random element from G2 it is represented by two triples of the form:

[[3666, 3037, 2239], [265, 4298, 3861]].

Isn't this the representation of a generic element of F_{q^6}? Why there is only one coordinate?

Furthermore, I notice a couple of things:

1- This isn't the x-coordinate of a point on E(F_{q^k}) since x^3+ax+b is not a square;

2- the order of an element is not r (this depends on the coset of E(F_{q^6})/rE(F_{q^6}) ?);

3- if I take the inverse of the point above, I obtain:

[[3666, 3037, 2239], [-265, -4298, -3861]]

This behaviour is the same of -(x,y)=(x,-y) but I can't see how this works with the used representation;

Thanks in advance,

Giuseppe.

[Giuseppe D'Alconzo]

Hi, all. I finally figure it out, here there is answer to my question, hoping that it can help someone.

The element of G2 is represented as a point of the "twisted" curve E'(Fq^3). This paper helps a lot: https://eprint.iacr.org/2003/086 (2.1 and 3).

So we can get an element of E(Fq6) via the map \psi showed in Section 3 of the previous paper.

The non-quadratic residue used to construct the twisted curve E' is the one used to build the degree-2 extension field of Fq^3, i.e. "nqr" in the parameters of pairingcurves.py

Sincerely,

Giuseppe