00:34:09 <yanmaani> Is there any primer on what you can do with curves? For example, in Bitcoin I know you can add two public keys together.
00:34:47 <yanmaani> I've always thought of these things as opaque blobs. Is there some list of primitives out there, e.g. "you have public key K and private key k, you can do X, Y, and Z with it"
00:36:42 <moneromooo> You can add too with monero's curve. That's what multisig address creation does.
00:37:21 <moneromooo> src/ringct/rctOps.h has a few useful ops on keys.
00:37:41 <moneromooo> It uses the same type for scalars and points though.
00:37:57 <moneromooo> But scalars are lowercase and points are uppercase.
00:43:06 <yanmaani> What is a point? 2 scalars?
00:43:26 <UkoeHB_> yanmaani: I discuss it in chapter 2 https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf; there are a lot of resources out there if you search, although none are ideal (even ztm)
00:43:33 <yanmaani> What is a scalar? like a private/public key?
00:45:02 <moneromooo> Here, scalar === secret key, point == public key
00:48:55 <yanmaani> So what can you do with this? Anything you can do with a public key, you can do with a private key also?
00:49:47 <moneromooo> Doubt it, but I'm not a crypto geek so I'll let you peruse ECC primers.
00:51:50 <yanmaani> what's the difference to normal addition?
00:52:01 <yanmaani> If I control key x, and I want to hijack key Y
00:52:20 <yanmaani> how come I can't compute x + (Y-X) = y?
00:52:57 <yanmaani> Is the result of an addition unpredictable, like when you take the public/private key and add somethign to it? Is addition to public key fundamentally different from to private key?
00:55:50 <moneromooo> Addition for public keys is more like multiplication.
00:56:02 <moneromooo> Scalars is really modular addition.
00:56:24 <yanmaani> So what's multiplication of public keys then? UB?
00:57:52 <moneromooo> I'm likely just confusing things so I'll shut up now ^_^
01:05:54 <yanmaani> UkoeHB_: This is helpful but some of the stuff seems a bit handwavey. It has version numbers, so is there anywhere you can send in patches?
01:07:23 <yanmaani> specifically, 2.2.4: "Now we have a way to do modular subtraction.". If it's for any operation, then why can't you just do ((A mod 9) - (B mod 9)) mod 9?
01:07:57 <yanmaani> should be "a commutative operation °," right?
01:14:08 <yanmaani> OK, so "addition" of points is just arbitrary, and from that the rest of arithmetic follows.
01:14:51 <yanmaani> Because there's nothing like defining addition as repeated succession
01:16:02 <yanmaani> It would be helpful to have some indication of what's logical or a definition (e.g. how to go from addition to multiplication, or what a finite field is) and what's just arbitrary (e.g. the formulae for the curves, point multiplication)
01:17:33 <jtgrassie> yanmaani: I suggest you read some primer on elliptic curve cryptography. This is a good start: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
01:20:06 <yanmaani>  in 2.3.1 just before 1st equation, (a,b) are constant params across the curve, whereas (x, y) are what's being iterated over?
01:20:51 <yanmaani> jtgrassie: thanks
01:27:42 <jtgrassie> np. the chapter you reference is a little handwaivy but it's also trying to condense a lot of information in a short space!
01:30:20 <jtgrassie> (a,b) are curve constants
01:31:28 <yanmaani> Oh yeah, I don't mind the handwaves, but it'd be nice if they were clearly marked
01:31:33 <jtgrassie> (x,y) are any x,y that satisfy the curve equation (so are a point on the curve)
01:31:43 <yanmaani> "this is just arbitrary, no need to think about it"
01:32:43 <jtgrassie> yeah, that's why I sent you the link. if your starting out, some fundamentals are useful.
01:39:11 <UkoeHB_> well you could define a new subtraction operation, but (a - b) = (a + (-b)) uses fewer fundamental ops
01:39:42 <yanmaani> UkoeHB_: Define? Isn't a-b already defined by maths? (a-b) + b = a
01:39:50 <UkoeHB_> not modular subtraction
01:40:18 <UkoeHB_> section 2.2.0 we define addition and negation
01:41:06 <UkoeHB_> 2.2.0 and 2.2.1*
01:41:58 <UkoeHB_> there are various ways to do it, the chapter just shows what made sense to me at the time, so yes a bit handwavy
01:42:09 <yanmaani> Well yes, but isn't it a premature optimization? Is (a + -b) mod n == ((a mod n) - (b mod n)) mod n?
01:42:34 <UkoeHB_> what if you have an unsigned int?
01:42:51 <UkoeHB_> I think that's why I avoided real negatives
01:42:59 <UkoeHB_> since all crypto uses unsigned integrals
01:43:51 <yanmaani> If I have an unsigned int, subtraction works fine
01:44:00 <yanmaani> as if it's two's complement
01:44:40 <UkoeHB_> overflow is the issue
01:45:20 <UkoeHB_> we also have the finite field issue, where elliptic curve scalars are in the finite field q, which is positive integers [0,q-1]
01:46:15 <UkoeHB_> so you can't 'create' a negative number from an op, which subtraction would do; you can only 'negate' a number
01:46:58 <yanmaani> doesn't negating a number create a negative number? (which is immediately turned positive by taking q-1 - n)?
01:47:13 <yanmaani> just so, subtraction "temporarily creates" a neg number which then overflows back
01:47:27 <UkoeHB_> I believe it's more like 'a + -a = 0', rather than creating a negative number you are creating its negation
01:47:47 <yanmaani> a + -a - 1 = q-1?
01:47:53 <UkoeHB_> that's right
01:47:59 <yanmaani> (is there a repo for you book where you can send in PRs?)
01:48:22 <yanmaani> uh, so why the -a phrasing then? Won't a-b (for b>a) overflow just the same?
01:48:22 <UkoeHB_> https://github.com/UkoeHB/Monero-RCT-report
01:48:35 <yanmaani> thanks
01:48:42 <UkoeHB_> however, conceptually there is no 'negative number', negation isn't the same thing
01:48:44 <yanmaani> oh jesus, github are starting to do the cookie nonsense now
01:48:58 <UkoeHB_> -a means 'the negation of a'
01:49:01 <yanmaani> I think of it like a "negative" number in two's complement cast to uint
01:49:52 <yanmaani> so -1 == UINT_MAX - 1
01:50:58 <UkoeHB_> yes, however it should be constrained to the field order q; it can get a bit messy with overflow...
01:51:57 <yanmaani> What do you mean 'can get messy'? Don't you just do mod n on each op, conceptually?
01:52:07 <yanmaani> like doing addition or whatever with uint's
01:52:15 <yanmaani> (with multiplication needing special care because not defined)
01:52:18 <moneromooo> -1 is UINT_MAX.
01:52:57 <UkoeHB_> yes mod n; it's conceptually analogous to uint overflow
01:53:33 <UkoeHB_> I mean messy if you try to subtract field scalars when n < UINT_MAX
01:54:04 <UkoeHB_> since (-1 mod n) != (n - 1)
01:55:09 <UkoeHB_> so it's much simpler to just use the binary+ and unary- ops
01:55:56 <yanmaani> UkoeHB_: Wait, what? Isn't -1 mod n == n - 1?
01:56:12 <UkoeHB_> not if you are allowing uint overflow
01:56:26 <yanmaani> Oh, yeah, if you have the two at the same time
01:56:34 <yanmaani> then, sure, but that's an impl detail
01:57:11 <yanmaani> Would you accept a PR changing the (a + -b) to a separate equation, something like "this can be optimized as ..."?
01:59:45 <UkoeHB_> it's not really an optimization, I am basically defining subtraction as adding an element's negation (or inverse); see https://www.uotechnology.edu.iq/dep-eee/lectures/4th/Communication/Information%20theory/8.pdf for example
02:00:05 <yanmaani> Does your definition change things from the normal definition you have in normal maths, though?
02:00:27 <yanmaani> like is there some edge case further down the line where "my" mental model causes problems?
02:01:11 <UkoeHB_> well we have the same issue in curve point arithmetic, where only addition and negation are defined
02:01:22 <UkoeHB_> and there it's more rigorous
02:02:37 <yanmaani> So what does P + -P get you when working with points?
02:02:52 <UkoeHB_> it's P + inversion(P)
02:03:09 <UkoeHB_> page 13
02:03:13 <yanmaani> Is modular multiplicative inverse defined for points?
02:03:30 <UkoeHB_> no
02:03:42 <UkoeHB_> it's an inversion of one coordinate
02:04:23 <UkoeHB_> you can't multiply points together
02:04:52 <yanmaani> So P1 + inversion(P1) = (0, new_y)?
02:05:08 <UkoeHB_> well, check out page 13 there is a lot of stuff going on
02:05:16 <yanmaani> oh right, because you can't "subtract 1"
02:05:20 <yanmaani> yeah I overlooked that bit
02:06:16 <yanmaani> but in x3 you get x1y2 + y1x2 = xy2 + y1x = xy2 + xy1 = xy + x(-y) = x0 = 0, right?
02:07:25 <yanmaani> at the end of p13, is the order u intrinsic or chosen?
02:08:01 <UkoeHB_> for P - P? yes the point at infinite has coordinate (0, 1); page 14 :p
02:08:17 <yanmaani> oh, the other term comes to 1
02:08:46 <UkoeHB_> it is intrinsic
02:09:33 <yanmaani> oh, intrinsic for the curve?
02:10:22 <UkoeHB_> intrinsic for the point on the curve; every point belongs to one or more subgroups
02:11:05 <yanmaani> Oh, so the EC having order N is something different?
02:12:16 <UkoeHB_> all points are members of the group with order N, and if N is non-prime some points also belong to subgroups with orders that are divisors of N
02:13:42 <yanmaani> If EC doesn't have multiplication on points, how can a point have "multiples of itself"?
02:13:58 <UkoeHB_> 5*P is a multiple of P
02:14:15 <yanmaani> Oh, so it's not like a certain point P has a given order? It's more like a set of orders?
02:14:30 <yanmaani> so like "P has order 10, 5, and 2"
02:15:21 <UkoeHB_> I suppose that's correct; typically you only talk about a point in the context of its smallest subgroup
02:16:14 <UkoeHB_> since by implication it's also in the larger subgroups
02:16:37 <yanmaani> I think the language there is a little confusing. It might make more sense to describe the pattern first (P*N = 0, 0*P = P), and then describe subgroups, and point out how they can repeat given common factors.
02:17:01 <yanmaani> But for cryptography, N is prime => order = N always?
02:17:06 <UkoeHB_> it definitely could be better; that section is probably the most difficult in the entire book
02:17:15 <UkoeHB_> both to understand and explain succinctly
02:18:46 <UkoeHB_> usually N is not prime (curves selected for use in cryptography don't have prime N), although they do have a large prime factor (page 14)
02:19:11 <yanmaani> yeah but if N = hl, and l = 1, then h is prime?
02:19:54 <UkoeHB_> not sure why you would choose l = 1
02:20:10 <UkoeHB_> do you mean h = 1? l is always prime by convention afaik
02:20:48 <yanmaani> h = 1, yes
02:21:06 <UkoeHB_> well, convention and also you need a big prime group for EC crypto
02:22:58 <yanmaani> So could you write the phrase "If $P_1 = n_1*P$ has order l' as 'If P_1 has order l'?
02:24:33 <yanmaani> Like, the phrasing of pg. 14 gives rise to a mental model like "if (order(P) == X)", whereas it's more like "if (X ∈ order(P))", I found this confusing
02:25:33 <UkoeHB_> saying 'P has order N'  is meant to mean 'N' is the smallest subgroup of which it's a member
02:26:01 <UkoeHB_> put another way, N*P is the soonest you will cycle back to 0
02:26:37 <UkoeHB_> I may be making a mistake here actually
02:30:24 <UkoeHB_> yeah, it's best to say a point only has one order, even if it is a member of 'multiple' subgroups; the order of a point is the size of the subgroup creatable out of multiples of itself
04:04:23 <sarang> Group element order is defined as the smallest multiple-to- identity if this number is finite
10:06:55 <kenshamir[m]> yanmaani: there are curve points with this property such as those defined by secp256r1. The math does change however, because you need a different curve representation called a weierstrass curve, unlike the one you have been looking at currently called a Twisted Edwards curve.
10:06:56 <kenshamir[m]> I believe there is a formula which states that h must be a multiple of 4, for it to be represented as an Edwards curve, so if h=1, then you cannot represent it as an Edwards curve
10:10:24 <kenshamir[m]> For group order, checking out Lagrange theorem would probably be the most helpful
17:14:15 <yanmaani> If you publish nG somewhere, is it impossible to calculate n = (nG)/G?
17:17:40 <UkoeHB_> Try it with the curve equation :) seems pretty tough
17:31:40 <yanmaani> Is it possible to do multisig in a non-interactive fashion, like in Bitcoin?
17:44:30 <UkoeHB_> if there is, I have not heard of it
19:00:51 <needmoney90> https://usercontent.irccloud-cdn.com/file/8dcUMmSS/zf19wzbcjer51.png
20:34:59 <yanmaani> Is the shared secret rG used for anything else but the one-time addresses?
20:43:52 <yanmaani> Put differently, could you pre-compute K_v = r*K_v and then set r = 1?
21:05:28 <UkoeHB_> it's used with output commitments too
21:05:39 <UkoeHB_> ch 5