concatenate in the monero world

I am trying to replicate in Python the calculation of public key derivation, that is: P = H(aR||i)G + B, where i is the output index in a transaction.

I got all the operators figured out (using a Python ed25519 implementation) except for the concatenation.
How is concatenation (||) defined in Monero? Is it taking the two scalars as strings and calculating their hash? Bitwise or? etc...



Thanks










      cryptonote






asked 4 hours ago
Shak

1 Answer
aR is an elliptic curve point, and has a 32 byte compressed representation. i is not a scalar. Scalars, like a, would have a 32 byte representation. i, however, is a varint. Varints are specified in section 1.2 of this document: https://tukaani.org/xz/xz-file-format.txt

Therefore aR||i will usually be 32+1 = 33 bytes of data. The concatenation has no padding, and is simply one byte sequence followed by another.

Also note that although the white paper says P = H(aR||i)G + B, if you look at the Monero source code it's actually P = H(8aR||i)G + B. This is to avoid small subgroup attacks, because it forces the result of 8aR to be in the subgroup of the base point G.






answered 1 hour ago
knaccc
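
The byte layout described in the answer above, as an added example that is not part of the original post or of Monero's code: it encodes the output index as a varint, appends it to a 32-byte compressed point with no padding, and parses the result back strictly. All function names are hypothetical and `SAMPLE_POINT` is a constructed placeholder, not a real curve point.

```python
# Added example: builds the bytes that are hashed in P = H(8aR||i)G + B.
# Names are hypothetical; SAMPLE_POINT is constructed, not a valid curve point.
SAMPLE_POINT = bytes(range(32))  # stands in for the 32-byte encoding of 8aR

def encode_varint(n):
    """Little-endian base-128: 7 data bits per byte, high bit set = more follows."""
    if n < 0:
        raise ValueError("varint encodes non-negative integers only")
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def decode_varint(buf, offset=0):
    """Return (value, bytes_consumed); reject truncated or non-minimal input."""
    value = shift = 0
    for pos in range(offset, len(buf)):
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            if byte == 0 and pos > offset:
                raise ValueError("non-minimal varint (trailing zero byte)")
            return value, pos - offset + 1
        shift += 7
    raise ValueError("truncated varint")

def derivation_preimage(point, output_index):
    """aR||i: the compressed point followed directly by varint(i), no padding."""
    if len(point) != 32:
        raise ValueError("compressed point must be exactly 32 bytes")
    return point + encode_varint(output_index)

def split_preimage(data):
    """Inverse of derivation_preimage; the varint must end exactly at the end."""
    if len(data) < 33:
        raise ValueError("preimage shorter than point plus one varint byte")
    index, used = decode_varint(data, 32)
    if 32 + used != len(data):
        raise ValueError("trailing bytes after varint")
    return data[:32], index

if __name__ == "__main__":
    for i in (0, 1, 127, 128, 300):
        pre = derivation_preimage(SAMPLE_POINT, i)
        print(i, len(pre), pre[32:].hex())
```

The length is 33 bytes only while i is below 128; larger indexes add a byte per extra 7 bits. In Monero, H is Keccak-256 with the original padding, which Python's `hashlib.sha3_256` does not reproduce.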
