@Sosthene

... because NG gives the "point at infinity" (sometimes written O), which is the additive identity for the elliptic curve group, i.e. G + (-G) = 0.

So effectively these scalars are all implicitly mod N, in code yeah for sure you should apply mod N to avoid any confusing scenarios.

Your paper is pretty clear even for profane like me, I'm basically turning it into a jupyter notebook to break down all the cryptography in CT, which I found very confusing at first.

I just made my toy code to work, it seems it didn't work because I didn't mod N the dummy sigs that I was generating, looks better now

waxwing@[email protected]@Sosthene

Yes. Sorry for delayed response, been away from the site last couple of days.

So right, these values are scalars in the group of integers modulo N. And yes the value of s has to be calculated there (in s = k + e * x) modulo N. Apologies for not making it 100% clear.

If it helps: remember these are numbers we are using as scalar multipliers on elliptic curve points. So e.g. 100G mean s take generator G and add it 100 times: G + G + ... 100 times.

(100+N)G = 100G +NG = 100G

(1/2)