--- Log opened Wed Jan 11 00:00:12 2023
05:48 -!- jon_atack [~jonatack@user/jonatack] has joined #secp256k1
05:49 -!- jonatack [~jonatack@user/jonatack] has quit [Ping timeout: 260 seconds]
07:33 -!- hg [~halosghos@user/halosghost] has joined #secp256k1
08:00 -!- siv2r [~siv2rmatr@2001:470:69fc:105::fed3] has quit [Quit: You have been kicked for being idle]
11:23 < real_or_random> sipa: should this be a consideration for the exhaustive group generation? https://github.com/bitcoin-core/secp256k1/blob/5c789dcd7318649c43d89361eaaa07c3bd1c9c57/src/group_impl.h#L313
11:25 < sipa> real_or_random: There is a simpler explanation why that's not needed: if a point with Y=0 exists, that point necessarily has order two (because it would equal its own negation). In other words, no such point can exist on an odd-ordered group.
11:26 < real_or_random> nice argument
11:28 < real_or_random> so you mean even if there's such a point on a twist, it won't be in the subgroup we consider? 
11:29 < sipa> Indeed, unless we pick a subgroup of order 2, which won't have endomorphisms etc.
11:29 < sipa> But it turns out that the curves we use for the exhaustive test orders don't even have a Y=0 point (not even outside of the subgroup we use).
11:29 < sipa> That's a coincidence, though.
11:30 < real_or_random> right ok property doesn't depend on the concrete choice of twist 
11:30 < real_or_random> *that propery
11:31 < sipa> Some twists do have Y=0 points.
11:32 < real_or_random> I meant, it doesn't matter which curve you pick from an isomorphism class
11:32 < real_or_random> they either all have a Y=0 point or none has
11:32 < sipa> Within an isomorphism class, indeed.
11:33 < sipa> But not all twists are isomorphic (clearly, otherwise they'd all be prime-ordered).
11:33 < real_or_random> sure
11:33 < sipa> And some non-isomorphic twists do have Y=0 points. Yet, if we picked such a curve for exhaustive tests, it would still be a subgroup that doesn't include any such points.
11:33 < sipa> I'm pretty sure that's what you meant all along.
11:33 < real_or_random> ok yes.
11:35 < sipa> y^2 = x^3 + 1 has 3 distinct points with Y=0, FWIW.
11:35 < real_or_random> yes, plus I meant that even for non-trivial twists (not isomorphic to secp), whether y=0 is independent of the concrete choice within the isomorphism class 
11:35 < sipa> Right.
11:35 < real_or_random> great for x-only signing :P
11:35 < real_or_random> *x-only keys
11:36 < sipa> Well the elliptic curve y^2 = x^3 + 1 is also not a cyclic group.
11:36 < sipa> So you'd necessarily be restricted to a subgroup.
11:37 < real_or_random> ok
11:37 < sipa> Which has at most one Y=0 point.
11:38 < sipa> Since in a cyclic group, every non-infinity point of order 2 must have a discrete logarithm that is 1/2 (mod group order). If there are multiple such points, they'd all have the same DL...
11:41 < sipa> Eh, is order/2 I mean.
12:37 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has joined #secp256k1
14:46 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
14:57 -!- hg [~halosghos@user/halosghost] has quit [Quit: WeeChat 3.8]
15:03 -!- jonatack1 [~jonatack@user/jonatack] has joined #secp256k1
15:05 -!- jon_atack [~jonatack@user/jonatack] has quit [Ping timeout: 260 seconds]
23:51 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has joined #secp256k1
--- Log closed Thu Jan 12 00:00:12 2023