05:33:11 <slave_blocker> hello good day
05:34:18 <slave_blocker> do bulletproofs use elliptic curves? Or is it just in Z_p?
05:58:25 <moneromooo> Bulletproofs use EC math.
06:13:02 <slave_blocker> i'm thinking to grok it, to write it in python... And will it still work if instead of EC i use also Z_p for the group?
07:09:15 <baro77[m]> If for Z_p you mean Z modulo p, well EC used in crypto are defined on modular field, so I don’t get your point: you already use modular arithmetic when you work with cryptographic EC, and you also need EC essentially because they provide a sort of OWF with stuff like P=pG.. I guess all comes from Pedersen Commitments use. I don’t know if the same structure can be replicated with a math entity different from EC, but why doing
07:09:15 <baro77[m]> that? That said Z_p alone isn’t enough imho, and in general it’s discouraged to implement a cryptographic algo if you don’t master the theoretical aspect beneath.. what I mean is that implementing a protocol in a different language from the reference one is a good exercise, but it’s not rewriting the crypto library (better to find a respectable one for the new language).. all of this of course just imho :) and I respect
07:09:15 <baro77[m]> a lot your python efforts (you are the guy rewriting in python a lot of stuff, right?)
07:11:38 <jeffro256[m]> > i'm thinking to grok it, to write it in python... And will it still work if instead of EC i use also Z_p for the group?
07:11:38 <jeffro256[m]> Talk to dangerousfreedom, I think they're doing that exact same thing 
07:12:37 <slave_blocker> :|
07:13:13 <jeffro256[m]> Y'all could work on it together and make it easy for the rest of us :D
07:13:34 <baro77[m]> > <@jeffro256:monero.social> > i'm thinking to grok it, to write it in python... And will it still work if instead of EC i use also Z_p for the group?
07:13:34 <baro77[m]> > 
07:13:34 <baro77[m]> I guess I have mistaken slave_blocker with dangerousfreedom 😅
07:14:16 <slave_blocker> im just the guy that is trying to write an additional chapter in the ztm v2 to portuguese...
07:15:04 <jeffro256[m]> Kudos !
07:17:15 <slave_blocker> thanks :)
07:17:24 <slave_blocker> if i look at : https://eprint.iacr.org/2017/1066.pdf
07:17:43 <baro77[m]> slave_blocker: Great .. About BP I guess .. so I suggest to check this out if not already done: https://github.com/AdamISZ/from0k2bp
07:17:44 <slave_blocker> to the power means times and times means plus?
07:18:02 <slave_blocker> yes i have that too
07:18:17 <slave_blocker> i have 3 mirrors in my room aswell :)
07:18:33 <slave_blocker> its more fancy than whiteboards
07:19:49 <baro77[m]> And if all that ZK stuff is a bit confusing , I’m working on a cheat-sheet about ZK basics , hopefully completed and out in no more than 2 months
07:20:40 <slave_blocker> so from what i gather from those 2 sources, is that the range proof with bulletproofs does not use recursion.
07:20:43 <slave_blocker> right?
07:21:07 <slave_blocker> i dont mean even the aggregated case
07:21:31 <slave_blocker> just the simple one from https://eprint.iacr.org/2017/1066.pdf
07:21:35 <slave_blocker> @ 4.1
07:21:46 <slave_blocker> simple, ...
07:24:45 <slave_blocker> so i was thinking to write a script in python from scratch and instead of using ec just using Z_p for some small prime like 11 or so?
07:25:32 <slave_blocker> are pedersen commitments possible to do in Z_p ?
07:25:51 <slave_blocker> its additively homomorphic right?
07:26:08 <baro77[m]> <slave_blocker> "to the power means times and..." <- yep, it's just a different notation for groups
07:26:54 <jeffro256[m]> I think pederson commitments technically work for any 2 generators for a group as long as no one can know the logarithm b/t them
07:27:02 <slave_blocker> and if p = 11, i can take any element from 1 to 10 as a generator of that group right?
07:27:18 <jeffro256[m]> take everything i say with a grain of salt 
07:27:56 <jeffro256[m]> No a generator for Zp must be a primitive root 
07:28:08 <slave_blocker> it's just to convince me and the reader that the proving scheme works
07:28:32 <jeffro256[m]> https://en.wikipedia.org/wiki/Primitive_root_modulo_n
07:29:02 <slave_blocker> p is a prime any element inside the group generates the whole group
07:29:34 <slave_blocker> ??
07:29:35 <jeffro256[m]> basically for all a in Zp* your chosen generator g must have a solution to g^x = a (mod n)
07:29:52 <jeffro256[m]> generators don't have to be prime 
07:30:03 <slave_blocker> n is prime !
07:31:02 <jeffro256[m]> Yes but you can't pick n to be your generator because n == 0 (mod n) and therefore there are no solutions to n^x = a (mod n) for any a in Fp*
07:31:21 <slave_blocker> ...
07:32:31 <slave_blocker> g^x = a (mod p), if p = 11 i can use any g € [1,2,3,...10] ?
07:32:40 <jeffro256[m]> Okay sorry lol heavy math language. Intuitively its called a "generator" because it can "generate" all the numbers of group through "power" (exponentionation)
07:34:15 <slave_blocker> ??
07:35:32 <jeffro256[m]> So 2 is a primitive root mod 11 because 2^y for y in range [1, 11) is repectively:
07:36:04 <jeffro256[m]> 2... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/3d4f41493121a779e000bdaacd866047c8bdde8a)
07:36:22 <jeffro256[m]> Sory that's big idk how I did that 
07:36:38 <jeffro256[m]> All those numbers together form the entire group mod 11
07:36:47 <jeffro256[m]> Technically Fp* where p=11
07:37:27 <slave_blocker> jeffro256[m], all numbers are primitive roots in Z_p ?
07:37:50 <jeffro256[m]> No those numbers prove that 2 is a primitive root
07:37:51 <slave_blocker> except 0 and 11
07:37:54 <slave_blocker> of course
07:38:04 <jeffro256[m]> 3 is not 
07:38:15 <jeffro256[m]> Run this code: 
07:38:19 <jeffro256[m]> (in python)
07:38:21 <jeffro256[m]> g = 3
07:38:27 <jeffro256[m]> n = 11
07:38:56 <jeffro256[m]> print([pow(g, x, n) for x in range(1, n)])
07:40:01 <jeffro256[m]> Because (e.g.) 7 is not in this list, 3 did not "generate" all the elements of the group mod 11, and because of that, 3 is not a primitve root mod 11
07:40:31 <jeffro256[m]> And hence shouldn't be used as generator for Pederson commitments because some of the operations won't be well defined 
07:41:36 * slave_blocker bows
07:42:09 <slave_blocker> ok great thanks
07:42:44 <slave_blocker> besides that are pedersen commitments additively homomorphic ?
07:43:49 <jeffro256[m]> If you choose the correct generators, then yes I believe they should be 
07:44:13 <slave_blocker> believe?
07:44:38 <slave_blocker> :)
07:44:48 <jeffro256[m]> Grain of salt, remember haha
07:45:18 <jeffro256[m]> I didn't write any ringct code for Monero or anything, just took some cryptography classes 
07:45:33 <jeffro256[m]> Don't sue me
07:52:26 <slave_blocker> If P generates a subgroup whose order is prime, then all the included points (except for
07:52:27 <slave_blocker> the point-at-infinity) generate that same subgroup.
07:53:59 <slave_blocker> https://raw.githubusercontent.com/UkoeHB/Monero-RCT-report/master/Zero-to-Monero-2-0-0.pdf
07:54:07 <slave_blocker> at page 14.
07:54:11 <slave_blocker> uff
07:58:09 <slave_blocker> jeffro256[m], so for subgroups it's different?
08:50:21 <slave_blocker> what you are saying of the primitive root is if you take the powers of the generators. If you multiply say :
08:50:52 <slave_blocker> g*x = a (mod p)
08:51:55 <slave_blocker> then because p is prime then all g € [1,2,3,...10] are generators. Run the following python code :
08:52:14 <slave_blocker> https://pastebin.com/yaxHNwmu
14:05:03 <slave_blocker> i don't know how to calculate t_1 and t_2 in :
14:06:04 <slave_blocker> https://eprint.iacr.org/2017/1066.pdf
15:09:44 <ooo123ooo1234[m]> <slave_blocker> "i don't know how to calculate t_..." <- https://github.com/AdamISZ/bulletproofs-poc/blob/master/rangeproof.py#L90
15:10:46 <slave_blocker> uhhh
15:16:21 <ooo123ooo1234[m]> "https://github.com/SarangNoether/skunkworks/blob/pybullet/pybullet/pybullet.py#L192" or this
15:17:10 <ooo123ooo1234[m]> just add this python code into book and that would be sufficient translation for all languages
15:17:11 <ooo123ooo1234[m]> hahahaha
16:54:17 <dangerousfreedom> <slave_blocker> "im just the guy that is trying..." <- Hey slave_blocker. Have a look at moneroinflation.com (it might help you to better understand ztm2). If you have some issues, please let me know. (I do speak a bit of portuguese :p)
16:54:53 <dangerousfreedom> Hey guys, I would like to get your thoughts on this issue here:
16:55:04 <dangerousfreedom> https://github.com/monero-project/monero/issues/8351
17:04:58 <UkoeHB> ooo123ooo1234[m]: discussion in #monero-research-lounge about an audit on 8149. Speak there now if you have something useful to say.
18:55:57 <slave_blocker> i see a recursion in that code. Does the bulletproof that Monero uses also have a recursion?