4

According to the CN whitepaper key image I is generated thusly:

I = xHp(P)

I understand P is the one-time public key for the transaction, x the corresponding private key and H a deterministic hash function, but what is p?

Thanks

ArrestedDevlopment
  • 43
  • 4

2 Answers2

5

There are two hash functions you'll see referenced often with Monero - there is Hs and Hp.

Hs means "hash to scalar", meaning take a keccak(256) hash and then ensure the result is a "scalar" (a positive integer less than 2252 + 27742317777372353535851937790883648493).

Hp means "hash to point", meaning take a keccak(256) hash, interpret the resulting bytes as an elliptic curve point, and then multiply that curve point by 8 to force the resulting point to be in the base point group - i.e. to force it to be the case that there must exist an value x (even though x will be unknown) such that Hp(..data..) == xG.

knaccc
  • 8,468
  • 16
  • 22
  • About interpretting the resulting bytes as an ec point - the bytes are interpreted as integer which is the X coordinate of a compressed EC point. You then solve the curve equation for Y which gives you +-Y. How do you pick the correct one? – redacted Dec 22 '19 at 14:15
  • @RobinNemeth You can see the source code for Hp() here: https://github.com/monero-project/monero/blob/8f6f674753bae7494e1ee4569004947d47a4e983/src/crypto/crypto.cpp#L481 and there is a full explanation of the ge_fromfe_frombytes_vartime method here: https://github.com/monero-project/research-lab/blob/master/whitepaper/ge_fromfe_writeup/ge_fromfe.pdf – knaccc Dec 27 '19 at 19:17
1

Hp is the hash function but SE doesn't support subscripts well. Sometimes it can be written as H_p to avoid confusion.

JollyMort
  • 19,934
  • 3
  • 46
  • 105