Clarify some details of view key generation.

[acoglio]

In the description of view key generation, it is not clear to me what the following things are, exactly:

• The ppaccount_sig value.
• The ppaccount_cm value.
• The AccountSignature.GeneratePublicKey function.
• The AcountCommitment.Commit function.

[moAlobaidi]

Hi @acoglio. Taking a look at this now-- would you be able to provide definitions of the referenced values and functions?

[ghost]

Hey @acoglio I also need some clarity on what these are. I'll follow-up with the protocol team e.g., @raychu86 and @howardwu and update this issue with their thoughts. It may take a few days, though.

[ghost]

From @raychu86:

Compute pk_sig := G^sk_sig.
Compute pr_sig := G^r_sig.
Compute sk_prf := HashToScalar(pk_sig || pr_sig).
Compute view_key := sk_sig + r_sig + sk_prf

The G^ and HashtoScalar here are done with public parameters, which is abbreviated pp .

In code its:

pub static ref GENERATOR_G: Vec<Group<Testnet3>> =
Testnet3::new_bases("AleoAccountEncryptionAndSignatureScheme0");

pub static ref POSEIDON_4: Poseidon4<Testnet3> = Poseidon4::
<Testnet3>::setup("AleoPoseidon4").expect("Failed to setup Poseidon4");

And then Address is derived from a view key like this: Compute address := G^view_key

cc @moAlobaidi @acoglio

[acoglio]

@moAlobaidi @aharshbe Thank you for helping to track this down. (And no, I don't know the definitions; I opened this issue both to get the doc improved and to understand the details myself.) I have some follow-up questions:

• How is the generator G computed exactly? I.e. what does Testnet3::new_bases() do? Presumably it's calculating a curve point according to some hashing algorithm, so the question is what that is.
• Each of sk_sig and r_sig is a sequence of 32 bytes, resulting from BLAKE2s, but their use as exponents in G^sk_pig and G^r_sig needs them to be integers. Are the 32 bytes converted to integers in little or big endian order?
• In HashToScalar(pk_sig || pr_sig), is || concatenation, or bitwise 'or'?
• What hash function is HashToScalar exactly?
• In sk_sig + r_sig + sk_prf, what are the exact meaning of +? Are sk_sig and the other (32-byte sequences from BLAKE2s) added as (little or big endian) integers?

(As discussed at today's meeting, this level of detail may or may not be the goal for this developer documentation. The purpose of my questions is to get to an informal but precise specification, which would hypothetically suffice for a well-informed developer to implement account creation and other protocol calculations without looking at our Rust code.)