06:59:55 <DataHoarder> 14:33:02 <br-m> <syntheticbird> https://mrelay.p2pool.observer/m/monero.social/jUYbmXnHjTASBvlfIjpsSrVh.png (carrotAddressGeneration.png)
07:00:29 <DataHoarder> ScalarDerive(x) in chart has different behavior than ScalarDerive(x) as in the markdown document
07:00:48 <DataHoarder> sc_reduce32 only acts on the first 32 bytes as fed to the function
07:01:14 <DataHoarder> while markdown specifies mod l which is the generalized form (so it can work on 64 byte input)
07:02:24 <DataHoarder> so specifically ScalarDerive(x) = sc_reduce32(H64(x)) will drop the low value 32 bytes of the 64-byte H64 result (little endian)
07:02:45 <DataHoarder> https://github.com/jeffro256/carrot/blob/master/src/carrot_raw.md#private-keys
07:03:01 <DataHoarder> also on the non-raw file https://github.com/jeffro256/carrot/blob/master/carrot.md#334-private-keys
07:33:32 <br-m> <helene:unredacted.org> DataHoarder: the endianness seems very important to clarify and specify especially when it comes to using hash functions ^^;;
07:34:01 <DataHoarder> yeah not just the endianness but that function specifically doesn't work there
07:34:18 <DataHoarder> if you are treating the ops for hashing bytes, endianness by default on all ops has been little endian
07:36:21 <DataHoarder> and question > "Here Hp1 and Hp2 refer to two hash-to-point functions on Ed25519."
07:37:01 <DataHoarder> they are two functions, but ... which are they? :)
08:08:21 <br-m> <helene:unredacted.org> well, in the codebase, it seems to mean "just use the hash as-is", which surely can't be quite right?
08:19:35 <DataHoarder> it is little endian :)
08:19:39 <DataHoarder> so yes, use as-is
08:24:49 <br-m> <helene:unredacted.org> my problem with it being "just use as-is" is that H_p^1 clearly has an effect on G, so it can't just be cast-to-int256
08:25:32 <br-m> <helene:unredacted.org> could it be elligator's map to curve, maybe?
08:46:47 <DataHoarder> then H_p^2 ?
08:47:50 <DataHoarder> and yeah I could just use these values as-is but same as my randomx implementation I'll derive them from their most raw form
08:50:44 <br-m> <helene:unredacted.org> yeah it's best to make sure we can actually reproduce this, because otherwise it would be Funny Business
08:52:02 <DataHoarder> I was doing something else and yet again I meet my worst friend, ge_fromfe_frombytes_vartime
08:54:57 <DataHoarder> maybe let's look at oxide https://github.com/monero-oxide/monero-oxide/blob/71be6f9180f78675dee7cab48fbee38134688574/monero-oxide/generators/src/hash_to_point.rs
09:14:09 <br-m> <helene:unredacted.org> DataHoarder: this is quite an odd thing to do
09:15:41 <DataHoarder> It was documented better after https://github.com/monero-project/research-lab/issues/142 / https://github.com/monero-oxide/monero-oxide/pull/33
09:18:23 <br-m> <helene:unredacted.org> but is there a reason to keep doing this on Carrot, especially since... a lot of things get converted back to Curve25519?
09:19:49 <DataHoarder> oh, this is somewhat unrelated, while awaiting clarification on the above I am just doing hash to point :)