00:34:09 Is there any primer on what you can do with curves? For example, in Bitcoin I know you can add two public keys together.
00:34:47 I've always thought of these things as opaque blobs. Is there some list of primitives out there, e.g. "you have public key K and private key k, you can do X, Y, and Z with it"
00:36:42 You can add too with monero's curve. That's what multisig address creation does.
00:37:21 src/ringct/rctOps.h has a few useful ops on keys.
00:37:41 It uses the same type for scalars and points though.
00:37:57 But scalars are lowercase and points are uppercase.
00:43:06 What is a point? 2 scalars?
00:43:26 yanmaani: I discuss it in chapter 2 https://web.getmonero.org/library/Zero-to-Monero-2-0-0.pdf; there are a lot of resources out there if you search, although none are ideal (even ztm)
00:43:33 What is a scalar? like a private/public key?
00:45:02 Here, scalar === secret key, point == public key
00:48:55 So what can you do with this? Anything you can do with a public key, you can do with a private key also?
00:49:47 Doubt it, but I'm not a crypto geek so I'll let you peruse ECC primers.
00:51:50 what's the difference to normal addition?
00:52:01 If I control key x, and I want to hijack key Y
00:52:20 how come I can't compute x + (Y-X) = y?
00:52:57 Is the result of an addition unpredictable, like when you take the public/private key and add something to it? Is addition to public key fundamentally different from to private key?
00:55:50 Addition for public keys is more like multiplication.
00:56:02 Scalars are really modular addition.
00:56:24 So what's multiplication of public keys then? UB?
00:57:52 I'm likely just confusing things so I'll shut up now ^_^
01:05:54 UkoeHB_: This is helpful but some of the stuff seems a bit handwavey. It has version numbers, so is there anywhere you can send in patches?
01:07:23 specifically, 2.2.4: "Now we have a way to do modular subtraction.". If it's for any operation, then why can't you just do ((A mod 9) - (B mod 9)) mod 9?
01:07:57 should be "a commutative operation °," right?
01:14:08 OK, so "addition" of points is just arbitrary, and from that the rest of arithmetic follows.
01:14:51 Because there's nothing like defining addition as repeated succession
01:16:02 It would be helpful to have some indication of what's logical or a definition (e.g. how to go from addition to multiplication, or what a finite field is) and what's just arbitrary (e.g. the formulae for the curves, point multiplication)
01:17:33 yanmaani: I suggest you read some primer on elliptic curve cryptography. This is a good start: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
01:20:06 in 2.3.1 just before 1st equation, (a,b) are constant params across the curve, whereas (x, y) are what's being iterated over?
01:20:51 jtgrassie: thanks
01:27:42 np. the chapter you reference is a little handwavy but it's also trying to condense a lot of information in a short space!
01:30:20 (a,b) are curve constants
01:31:28 Oh yeah, I don't mind the handwaves, but it'd be nice if they were clearly marked
01:31:33 (x,y) are any x,y that satisfy the curve equation (so are a point on the curve)
01:31:43 "this is just arbitrary, no need to think about it"
01:32:43 yeah, that's why I sent you the link. if you're starting out, some fundamentals are useful.
01:39:11 well you could define a new subtraction operation, but (a - b) = (a + (-b)) uses fewer fundamental ops
01:39:42 UkoeHB_: Define? Isn't a-b already defined by maths? (a-b) + b = a
01:39:50 not modular subtraction
01:40:18 section 2.2.0 we define addition and negation
01:41:06 2.2.0 and 2.2.1*
01:41:58 there are various ways to do it, the chapter just shows what made sense to me at the time, so yes a bit handwavy
01:42:09 Well yes, but isn't it a premature optimization? Is (a + -b) mod n == ((a mod n) - (b mod n)) mod n?
01:42:34 what if you have an unsigned int?
01:42:51 I think that's why I avoided real negatives
01:42:59 since all crypto uses unsigned integrals
01:43:51 If I have an unsigned int, subtraction works fine
01:44:00 as if it's two's complement
01:44:40 overflow is the issue
01:45:20 we also have the finite field issue, where elliptic curve scalars are in the finite field q, which is positive integers [0,q-1]
01:46:15 so you can't 'create' a negative number from an op, which subtraction would do; you can only 'negate' a number
01:46:58 doesn't negating a number create a negative number? (which is immediately turned positive by taking q-1 - n)?
01:47:13 just so, subtraction "temporarily creates" a neg number which then overflows back
01:47:27 I believe it's more like 'a + -a = 0', rather than creating a negative number you are creating its negation
01:47:47 a + -a - 1 = q-1?
01:47:53 that's right
01:47:59 (is there a repo for your book where you can send in PRs?)
01:48:22 uh, so why the -a phrasing then? Won't a-b (for b>a) overflow just the same?
01:48:22 https://github.com/UkoeHB/Monero-RCT-report
01:48:35 thanks
01:48:42 however, conceptually there is no 'negative number', negation isn't the same thing
01:48:44 oh jesus, github are starting to do the cookie nonsense now
01:48:58 -a means 'the negation of a'
01:49:01 I think of it like a "negative" number in two's complement cast to uint
01:49:52 so -1 == UINT_MAX - 1
01:50:58 yes, however it should be constrained to the field order q; it can get a bit messy with overflow...
01:51:57 What do you mean 'can get messy'? Don't you just do mod n on each op, conceptually?
01:52:07 like doing addition or whatever with uints
01:52:15 (with multiplication needing special care because not defined)
01:52:18 -1 is UINT_MAX.
01:52:57 yes mod n; it's conceptually analogous to uint overflow
01:53:33 I mean messy if you try to subtract field scalars when n < UINT_MAX
01:54:04 since (-1 mod n) != (n - 1)
01:55:09 so it's much simpler to just use the binary+ and unary- ops
01:55:56 UkoeHB_: Wait, what? Isn't -1 mod n == n - 1?
01:56:12 not if you are allowing uint overflow
01:56:26 Oh, yeah, if you have the two at the same time
01:56:34 then, sure, but that's an impl detail
01:57:11 Would you accept a PR changing the (a + -b) to a separate equation, something like "this can be optimized as ..."?
01:59:45 it's not really an optimization, I am basically defining subtraction as adding an element's negation (or inverse); see https://www.uotechnology.edu.iq/dep-eee/lectures/4th/Communication/Information%20theory/8.pdf for example
02:00:05 Does your definition change things from the normal definition you have in normal maths, though?
02:00:27 like is there some edge case further down the line where "my" mental model causes problems?
02:01:11 well we have the same issue in curve point arithmetic, where only addition and negation are defined
02:01:22 and there it's more rigorous
02:02:37 So what does P + -P get you when working with points?
02:02:52 it's P + inversion(P)
02:03:09 page 13
02:03:13 Is modular multiplicative inverse defined for points?
02:03:30 no
02:03:42 it's an inversion of one coordinate
02:04:23 you can't multiply points together
02:04:52 So P1 + inversion(P1) = (0, new_y)?
02:05:08 well, check out page 13 there is a lot of stuff going on
02:05:16 oh right, because you can't "subtract 1"
02:05:20 yeah I overlooked that bit
02:06:16 but in x3 you get x1y2 + y1x2 = xy2 + y1x = xy2 + xy1 = xy + x(-y) = x0 = 0, right?
02:07:25 at the end of p13, is the order u intrinsic or chosen?
02:08:01 for P - P? yes the point at infinity has coordinate (0, 1); page 14 :p
02:08:17 oh, the other term comes to 1
02:08:46 it is intrinsic
02:09:33 oh, intrinsic for the curve?
02:10:22 intrinsic for the point on the curve; every point belongs to one or more subgroups
02:11:05 Oh, so the EC having order N is something different?
02:12:16 all points are members of the group with order N, and if N is non-prime some points also belong to subgroups with orders that are divisors of N
02:13:42 If EC doesn't have multiplication on points, how can a point have "multiples of itself"?
02:13:58 5*P is a multiple of P
02:14:15 Oh, so it's not like a certain point P has a given order? It's more like a set of orders?
02:14:30 so like "P has order 10, 5, and 2"
02:15:21 I suppose that's correct; typically you only talk about a point in the context of its smallest subgroup
02:16:14 since by implication it's also in the larger subgroups
02:16:37 I think the language there is a little confusing. It might make more sense to describe the pattern first (P*N = 0, 0*P = P), and then describe subgroups, and point out how they can repeat given common factors.
02:17:01 But for cryptography, N is prime => order = N always?
02:17:06 it definitely could be better; that section is probably the most difficult in the entire book
02:17:15 both to understand and explain succinctly
02:18:46 usually N is not prime (curves selected for use in cryptography don't have prime N), although they do have a large prime factor (page 14)
02:19:11 yeah but if N = hl, and l = 1, then h is prime?
02:19:54 not sure why you would choose l = 1
02:20:10 do you mean h = 1? l is always prime by convention afaik
02:20:48 h = 1, yes
02:21:06 well, convention and also you need a big prime group for EC crypto
02:22:58 So could you write the phrase 'If $P_1 = n_1*P$ has order l' as 'If P_1 has order l'?
02:24:33 Like, the phrasing of pg. 14 gives rise to a mental model like "if (order(P) == X)", whereas it's more like "if (X ∈ order(P))", I found this confusing
02:25:33 saying 'P has order N' is meant to mean 'N' is the smallest subgroup of which it's a member
02:26:01 put another way, N*P is the soonest you will cycle back to 0
02:26:37 I may be making a mistake here actually
02:30:24 yeah, it's best to say a point only has one order, even if it is a member of 'multiple' subgroups; the order of a point is the size of the subgroup creatable out of multiples of itself
04:04:23 Group element order is defined as the smallest multiple-to-identity if this number is finite
10:06:55 yanmaani: there are curve points with this property such as those defined by secp256r1. The math does change however, because you need a different curve representation called a weierstrass curve, unlike the one you have been looking at currently called a Twisted Edwards curve.
10:06:56 I believe there is a formula which states that h must be a multiple of 4, for it to be represented as an Edwards curve, so if h=1, then you cannot represent it as an Edwards curve
10:10:24 For group order, checking out Lagrange theorem would probably be the most helpful
17:14:15 If you publish nG somewhere, is it impossible to calculate n = (nG)/G?
17:17:40 Try it with the curve equation :) seems pretty tough
17:31:40 Is it possible to do multisig in a non-interactive fashion, like in Bitcoin?
17:44:30 if there is, I have not heard of it
19:00:51 https://usercontent.irccloud-cdn.com/file/8dcUMmSS/zf19wzbcjer51.png
20:34:59 Is the shared secret rG used for anything else but the one-time addresses?
20:43:52 Put differently, could you pre-compute K_v = r*K_v and then set r = 1?
21:05:28 it's used with output commitments too
21:05:39 ch 5