Question: Show work for BLS12-381 Fq12 modulus

[wemeetagain]

I'm learning more about bls12-381 and currently stumped by one part of the code: I'm assuming that

FQ12_modulus_coeffs = (2, 0, 0, 0, 0, 0, -2, 0, 0, 0, 0, 0)  # Implied + [1]

means x¹² -2x⁶+2 and that it is the irreducable polynomial used as a modulus for F_q¹².

I feel like this had to be from the specification https://github.com/zkcrypto/pairing/tree/master/src/bls12_381#bls12-381-instantiation , but I don't see how it was done.

I feel pretty dense with this one, but I'm hoping that someone more knowledgable can show the work on how the above polynomial was created.

Edit: If this is off-topic for this repo, feel free to close this issue

[HarryR]

You can find these coefficients with Sage, using:

R.<T> = PolynomialRing(Fp)

# Starting at -1 is an arbitrary choice, could start at 1, where 2 will be the first non-residue
if not Fp(-1).is_square():
    print("# -1 is non-residue")
    non_residue = -1
    F2_equation = T^2-non_residue
    F2.<u> = Fp.extension(F2_equation, 'u')
    for j in range(1,4):
        if not (u+j).is_square():
            quadratic_non_residue = u+j
            F12_equation = (T^6 - j)^2 - non_residue
            u_to_w = T^6 - j
            w_to_u = T + j
            break
else:
    print("Unknown")
print '# F12 polynomial coeffs:', F12_equation.coefficients(sparse=False)[:12]