hello good day

do bulletproofs use elliptic curves? Or is it just in Z_p?

Bulletproofs use EC math.

i'm thinking to grok it, to write it in python... And will it still work if instead of EC i use also Z_p for the group?

If for Z_p you mean Z modulo p, well EC used in crypto are defined on modular field, so I don’t get your point: you already use modular arithmetic when you work with cryptographic EC, and you also need EC essentially because they provide a sort of OWF with stuff like P=pG.. I guess all comes from Pedersen Commitments use. I don’t know if the same structure can be replicated with a math entity different from EC, but why doing

that? That said Z_p alone isn’t enough imho, and in general it’s discouraged to implement a cryptographic algo if you don’t master the theoretical aspect beneath.. what I mean is that implementing a protocol in a different language from the reference one is a good exercise, but it’s not rewriting the crypto library (better to find a respectable one for the new language).. all of this of course just imho :) and I respect

a lot your python efforts (you are the guy rewriting in python a lot of stuff, right?)

> i'm thinking to grok it, to write it in python... And will it still work if instead of EC i use also Z_p for the group?

Talk to dangerousfreedom, I think they're doing that exact same thing

:|

Y'all could work on it together and make it easy for the rest of us :D

> <@jeffro256:monero.social> > i'm thinking to grok it, to write it in python... And will it still work if instead of EC i use also Z_p for the group?

>

I guess I have mistaken slave_blocker with dangerousfreedom 😅

im just the guy that is trying to write an additional chapter in the ztm v2 to portuguese...

Kudos !

thanks :)

if i look at : eprint.iacr.org/2017/1066.pdf

slave_blocker: Great .. About BP I guess .. so I suggest to check this out if not already done: github.com/AdamISZ/from0k2bp

to the power means times and times means plus?

yes i have that too

i have 3 mirrors in my room aswell :)

its more fancy than whiteboards

And if all that ZK stuff is a bit confusing , I’m working on a cheat-sheet about ZK basics , hopefully completed and out in no more than 2 months

so from what i gather from those 2 sources, is that the range proof with bulletproofs does not use recursion.

right?

i dont mean even the aggregated case

just the simple one from eprint.iacr.org/2017/1066.pdf

@ 4.1

simple, ...

so i was thinking to write a script in python from scratch and instead of using ec just using Z_p for some small prime like 11 or so?

are pedersen commitments possible to do in Z_p ?

its additively homomorphic right?

<slave_blocker> "to the power means times and..." <- yep, it's just a different notation for groups

I think pederson commitments technically work for any 2 generators for a group as long as no one can know the logarithm b/t them

and if p = 11, i can take any element from 1 to 10 as a generator of that group right?

take everything i say with a grain of salt

No a generator for Zp must be a primitive root

it's just to convince me and the reader that the proving scheme works

p is a prime any element inside the group generates the whole group

??

basically for all a in Zp* your chosen generator g must have a solution to g^x = a (mod n)

generators don't have to be prime

n is prime !

Yes but you can't pick n to be your generator because n == 0 (mod n) and therefore there are no solutions to n^x = a (mod n) for any a in Fp*

...

g^x = a (mod p), if p = 11 i can use any g € [1,2,3,...10] ?

Okay sorry lol heavy math language. Intuitively its called a "generator" because it can "generate" all the numbers of group through "power" (exponentionation)

??

So 2 is a primitive root mod 11 because 2^y for y in range [1, 11) is repectively:

2... (full message at libera.ems.host/_matrix/media/r0/do…1493121a779e000bdaacd866047c8bdde8a)

Sory that's big idk how I did that

All those numbers together form the entire group mod 11

Technically Fp* where p=11

jeffro256[m], all numbers are primitive roots in Z_p ?

No those numbers prove that 2 is a primitive root

except 0 and 11

of course

3 is not

Run this code:

(in python)

g = 3

n = 11

print([pow(g, x, n) for x in range(1, n)])

Because (e.g.) 7 is not in this list, 3 did not "generate" all the elements of the group mod 11, and because of that, 3 is not a primitve root mod 11

And hence shouldn't be used as generator for Pederson commitments because some of the operations won't be well defined

ok great thanks

besides that are pedersen commitments additively homomorphic ?

If you choose the correct generators, then yes I believe they should be

believe?

:)

Grain of salt, remember haha

I didn't write any ringct code for Monero or anything, just took some cryptography classes

Don't sue me

If P generates a subgroup whose order is prime, then all the included points (except for

the point-at-infinity) generate that same subgroup.

at page 14.

uff

jeffro256[m], so for subgroups it's different?

what you are saying of the primitive root is if you take the powers of the generators. If you multiply say :

g*x = a (mod p)

then because p is prime then all g € [1,2,3,...10] are generators. Run the following python code :

i don't know how to calculate t_1 and t_2 in :

<slave_blocker> "i don't know how to calculate t_..." <- github.com/AdamISZ/bulletproofs-poc/blob/master/rangeproof.py#L90

uhhh

"github.com/SarangNoether/skunkworks…/pybullet/pybullet/pybullet.py#L192" or this

just add this python code into book and that would be sufficient translation for all languages

hahahaha

<slave_blocker> "im just the guy that is trying..." <- Hey slave_blocker. Have a look at moneroinflation.com (it might help you to better understand ztm2). If you have some issues, please let me know. (I do speak a bit of portuguese :p)

Hey guys, I would like to get your thoughts on this issue here:

ooo123ooo1234[m]: discussion in #monero-research-lounge about an audit on 8149. Speak there now if you have something useful to say.

i see a recursion in that code. Does the bulletproof that Monero uses also have a recursion?