--- Log opened Fri Dec 03 00:00:50 2021
02:53 -!- elsirion [~quassel@gateway/tor-sasl/elsirion] has quit [Ping timeout: 276 seconds]
02:53 -!- elsirion [~quassel@gateway/tor-sasl/elsirion] has joined #secp256k1
04:47 -!- scgbckbone [~scgbckbon@2001:420:c0c0:1002::1f3] has joined #secp256k1
07:30 -!- halosghost [~halosghos@user/halosghost] has joined #secp256k1
09:17 -!- scgbckbone [~scgbckbon@2001:420:c0c0:1002::1f3] has quit [Quit: Client closed]
10:38 < roconnor> There are a couple of places where the infinity flag ends up set without z being 0.
10:39 < sipa> is that still the case?
10:39 < sipa> i thought we changed that
10:39 < roconnor> I was looking at gej_set_ge.
10:40 < roconnor> sounds like I should PR a change.
10:40 < roconnor> (that said, I'm not sure that gej_set_ge is ever called at infinity)
13:36 -!- halosghost [~halosghos@user/halosghost] has quit [Quit: WeeChat 3.3]
14:28 -!- scgbckbone [~scgbckbon@adsl-dyn81.78-99-195.t-com.sk] has joined #secp256k1
14:29 -!- scgbckbone [~scgbckbon@adsl-dyn81.78-99-195.t-com.sk] has quit [Client Quit]
14:56 < roconnor> Is the z cooridnate in jacobian coordinates implied by the x and y coordinates?
14:58 < sipa> do you mean: given x and y, does there exist a unique jacobian triplet (x,y,z) on the curve?
14:58 < roconnor> right.
14:58 < sipa> or do your x and y refer to affine coordinates?
14:58 < roconnor> jacobian x and y.
14:59 < roconnor> it's like ((y^2-x^3)/7)^1/6 ... or something like that.
15:00 < sipa> the jacobian curve equation is y^2 = x^3 + 7*z^6, right?
15:00 < sipa> numbers in GF(2^256 - 2^32 - 977) can have multiple hextic(?) roots i would expect
15:01 < roconnor> right ..
15:01 < roconnor> so I was thinking about this a different way
15:01 < sipa> but do those different z solutions to that equation represent distinct points?
15:02 < roconnor> that the z coodinate defines the "b" value of some isomorphic curve that you are going to use instead.
15:03 < roconnor> oooh but there are like 6 automorphisms of the curve.
15:03 < sipa> which is another way of saying: given two values z1 and z2 for which z1^6 = z2^6, are (z1^2,z1^3) and (z2^2,z2^3) possibly distinct?
15:03 < roconnor> so just knowing which "b" coordinate you are on doesn't tell you which isomorphism you are trying to use.
15:03 < sipa> and i think the answer is obviously yes
15:04 < roconnor> so I think the z value isn't recoverable.
15:04 < sipa> agreed
15:04 < roconnor> you can only recover upto 6 possible z values.
15:04 < sipa> indeed
15:04 < roconnor> so in other words the same x,y jacobian point can have 6 possible z values.
15:05 < roconnor> okay got it.
15:06 < sipa> right, and i think the 6 affine points represented by all those (x,y,z*) triplets are exactly the (y,-y) and (x,x*beta,x*beta^2) variants
15:06 < roconnor> yep
15:16 < robot-dreams> In the x, y you were given, did you assume they were valid affine points to begin with, i.e. satisfying y^2 = x^3 + 7?
15:17 < roconnor> given x,y from some jacobian coordinate.
15:17 < robot-dreams> So given x, y such that (x, y, u) is a valid Jacobian coordinate, what is the set of all (x, y, v) that are valid Jacobian coordinates
15:18 < roconnor> Right.  I was initially speculating there was only one, but there are 6.
15:19 < roconnor> u*(-beta)^i for all i.
15:19 < robot-dreams> those being the 6 solutions v to y^2 = x^3 + 7v^6?
15:19 < roconnor> yes.
15:21 < robot-dreams> yes, great, I'm convinced that (u(-beta)^i)^6 = u for any i, and that there are 6 distinct values
15:22 < robot-dreams> = u^6*
15:22 < roconnor> yep. -beta is a primitive 6th root of unity.
15:25 < roconnor> interesting, we could apply the endomorphism operation to the z coordinate instead of the x coordinate.
15:25 < roconnor> not that I think that is helpful in practice.
16:06 < robot-dreams> BTW I used to think it's totally mysterious why the endomorphism phi(x, y) = (beta * x, y) is equivalent to multiplying by some integer.
16:06 < robot-dreams> But on second thought, this is just because (1) E(F_p) is a cyclic group, so *any* automorphism is equivalent to multiplying by some integer, and (2) the endomorphism is in fact an automorphism, right?
16:24 < sipa> right, every endomorphism of the group is necessarily a point multiplication
16:25 < sipa> tbe surprising thing is that it's such a simple operation on the coordinates
18:42 < roconnor> oh there is a 7th endomorphism that maps everything to the point at infinity.
19:03 < sipa> which is also a multiplication with a scalar
--- Log closed Sat Dec 04 00:00:51 2021