sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
tromp has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
thomasa__ has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 252 seconds]
PaulTroon_ has joined #bitcoin-wizards
thomasa__ has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 268 seconds]
<kallewoof>
waxwing: I'm confused about the whole hash G to get NUMS basepoint. If you JUST take the hash it's not a curve point at all, at least not on the same curve as G.
<kallewoof>
And if you multiply by G you .. know the opening to the commitment to the generator which doesn't sound good.
setpill has joined #bitcoin-wizards
<waxwing>
kallewoof, you basically interpret the hash value (32 bytes) as a potential x-coordinate of a curve point
<kallewoof>
waxwing: hm. I tried that and it didn't work for some reason.
<waxwing>
rather than multiply, as you say, that'd be pointless
<waxwing>
well, it won't work about half the time
<waxwing>
because the order of the curve is close to 2^256, and every x coordinate which solves the equation has two valid y values, there are two curve points for every x that fits
<waxwing>
hence, about half of the x values in range have curve points (2 of them), and the others have none
thomasa__ has joined #bitcoin-wizards
<kallewoof>
oh. yeah, it worked after a few tries!
<waxwing>
so if you do this 'coerce to point' operation, you have a ~ 50% chance of getting it to work each time. One reasonable approach is to do H(G||i)
<waxwing>
where i is a counter and just increment
<waxwing>
of course we've obfuscated exactly how you serialize 'G' in that, but it doesn't really matter
<kallewoof>
Got it! Thanks a lot :)
SopaXorzTaker has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 268 seconds]
SopaXorzTaker has quit [Remote host closed the connection]
<sipa>
kallewoof: there also exist algorithms that map onto the curve in constant time, without needing to iterate
<sipa>
though they're much more complicated
<kallewoof>
sipa: good to hear, but will stick to simple for now :)
Krellan has quit [Ping timeout: 260 seconds]
thrmo has quit [Quit: Waiting for .007]
TheoStorm has quit [Ping timeout: 272 seconds]
<sipa>
kallewoof: yeah, repeated hashing onto x coordinates is generally how you do it when that's sufficient :)
thomasa__ has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 252 seconds]
laurentmt has joined #bitcoin-wizards
phwalkr has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
thomasa__ has joined #bitcoin-wizards
thomasa__ has quit [Read error: Connection reset by peer]
thomasa__ has joined #bitcoin-wizards
funkenstein_ has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 244 seconds]
thrmo has joined #bitcoin-wizards
tromp has quit [Ping timeout: 252 seconds]
tromp has joined #bitcoin-wizards
thomasa__ has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 252 seconds]
<waxwing>
sipa, that's interesting; where is that useful? some kind of CA thing? or oh, maybe bulletproofs with the vector pedersen commitment stuff?
<sipa>
waxwing: we were looking into it for CA, so you can construct assets in constant time
<sipa>
"Indifferentiable hashing to Barreto-Naehrig curves"
<waxwing>
ah ok, thanks
laurentmt has quit [Ping timeout: 252 seconds]
<maaku>
why repeated hashing and not just increment the x coord after the first hash until you get something on the curve?
<sipa>
maaku: biased output
<sipa>
if you have a gap of N consecutive non-valid x coordinates, the next one has n times higher probability of being chosen
<maaku>
ok that's enough reason, but out of curiosity is that exploitable or a theoretical concern?
thomasa__ has joined #bitcoin-wizards
funkenstein_ has quit [Quit: Leaving]
<sipa>
maaku: i think it may be theoretical only
thomasa__ has quit [Ping timeout: 260 seconds]
phwalkr has quit [Quit: Leaving...]
Chris_Stewart_5 has joined #bitcoin-wizards
setpill has quit [Quit: o/]
setpill has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 252 seconds]
thomasa__ has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 272 seconds]
shesek has quit [Ping timeout: 244 seconds]
Deinogalerix21 has joined #bitcoin-wizards
SopaXorzTaker has quit [Quit: Leaving]
Guyver2 has joined #bitcoin-wizards
thomasa__ has joined #bitcoin-wizards
phwalkr has joined #bitcoin-wizards
thomasa__ has quit [Ping timeout: 252 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
kristofferR has joined #bitcoin-wizards
CheckDavid has joined #bitcoin-wizards
phwalkr has quit [Ping timeout: 252 seconds]
phwalkr has joined #bitcoin-wizards
phwalkr has quit [Killed (Sigyn (Spam is off topic on freenode.))]