Hi @waxwing, I'm reading through your paper about Confidential Transactions (github.com/AdamISZ/Confidentia), and I'm trying to write a toy code to wrap my mind around Borromean Signatures.
Following the protocol on page 11, I have a question regarding step 9. The signer (D) can compute a signature by multiplying the hashed message e with his private key x and adding the private nonce k, how do you avoid producing a signature larger than 32B?

@waxwing Besides, I already have a toy code for ecdsa signature that first compute a r value and looks like s = (e + r * x ) * k_inv % N (N being the "order of the group" in my note, but I did it a while ago I'm a bit confused about what it means right now maybe)

Yes. Sorry for delayed response, been away from the site last couple of days.

So right, these values are scalars in the group of integers modulo N. And yes the value of s has to be calculated there (in s = k + e * x) modulo N. Apologies for not making it 100% clear.

If it helps: remember these are numbers we are using as scalar multipliers on elliptic curve points. So e.g. 100G mean s take generator G and add it 100 times: G + G + ... 100 times.
(100+N)G = 100G +NG = 100G

(1/2)

@Sosthene
... because NG gives the "point at infinity" (sometimes written O), which is the additive identity for the elliptic curve group, i.e. G + (-G) = 0.

So effectively these scalars are all implicitly mod N, in code yeah for sure you should apply mod N to avoid any confusing scenarios.

@waxwing No problem, thanks for the clarification.
Your paper is pretty clear even for profane like me, I'm basically turning it into a jupyter notebook to break down all the cryptography in CT, which I found very confusing at first.

@Sosthene i wrote commented python code at the time, here: github.com/AdamISZ/borring/blo (I think i referenced it somewhere). I actually took out the bitcoin backend signing/keys code but the algo is still there, in case that helps. 