# TurtleCoin® v2 Cryptographic Commons

## Primitives

<sup>s</sup> denotes a scalar value

<sup>p</sup> denotes a point value

$G^p$ = [ED25519](https://ed25519.cr.yp.to/) base point $(x, -4/5)$

$s$ = Random Wallet Seed

$H(x)$ = [SHA3](https://en.wikipedia.org/wiki/SHA-3)-256

$sc(x)$ = sc_reduce32(x) <sub>scalar reduction operation</sub>

$H_s(x) = sc(H(x))$ <sub>hash to scalar operation</sub>

$H_p(x) = H_s(x)G$ <sub>hash to point operation</sub>

$H^p = H_p(G)$ <sub>secondary generator point</sub>

$U^p = H_p(H)$ <sub>tertiary generator point</sub>

$t(x)$ <sub>transcript generation method (see scalar_transcript.h)</sub>

$||$ = concatenation

$\oplus$ = bytewise [XOR](https://en.wikipedia.org/wiki/Bitwise_operation#:~:text=A%20bitwise%20XOR%20is%20a,0%20or%20both%20are%201.)

## Single Party Wallet

$\gamma$ <sub>view key salt</sub>

$\delta$ <sub>spend key salt</sub>

### View Keys

$a^s = H_s(\gamma || s)$ <sub>(private view key)</sub>

$A^p = a^sG^p$ <sub>(public view key)</sub>

### Spend Keys

$i$ <sub>(subwallet index as uint64_t)</sub>

$b^s = H_s(\delta || s || i)$ <sub>(private spend key)</sub>

$B^p = b^sG^p$ <sub>(public spend key)</sub>

## Output Creation

### Public Ephemeral

$n$ <sub>(index of the output in the transaction as a uint64_t)</sub>

$\beta$ <sub>key derivation salt</sub>

$r^s$ <sub>(one-time random transaction private key)</sub>

$R^p = r^sG^p$ <sub>(one-time random transaction public key)</sub>

$D_1^p = r^sA^p$ <sub>(key derivation)</sub>

$D^s_1 = H_s(\beta || D_1^p || n)$ <sub>(key derivation scalar)</sub>

$P^p_1 = D^s_1G^p + B^p$ <sub>(public ephemeral)</sub>

### Masked Amount & Commitment

$\psi$ <sub>blinding factor salt</sub>

$\omega$ <sub>amount mask salt</sub>

$m$ <sub>unmasked amount as uint64_t</sub>

$\sigma^s = t(\psi,D^s_1)$ <sub>(blinding factor)</sub>

$\tau^s = t(\omega,D^s_1)$ <sub>(amount mask)</sub>

$M^s = m^s \oplus \tau^s$ <sub>(masked amount as uint64_t)</sub>

$C^p = m^sH^p + {\sigma}^s G^p$ <sub>(Pedersen commitment)</sub>

## Scanning Outputs

### Public Ephemeral

$D_2^p = a^sR^p$ <sub>(key derivation)</sub>

$D^s_2 = H_s(\beta || D_2^p || n)$ <sub>(key derivation scalar)</sub>

$P^p_2 = D^s_2G^p + B^p$ <sub>(public ephemeral)</sub>

If $P^p_2 \equiv P^p_1$ the output belongs to us

### Unmasked Amount

$\sigma^s = t(\psi,D^s_2)$ <sub>(blinding factor)</sub>

$\tau^s = t(\omega,D^s_2)$ <sub>(amount mask)</sub>

$m^s = M^s \oplus \tau^s$ <sub>(unmasked amount as uint64_t)</sub>

If $m^sH^p + {\sigma}^s G^p \equiv C^p$ the amount is valid

### Private Ephemeral

$p^p_2 = D^s_2 + b^s$ <sub>(private ephemeral)</sub>

If $p^p_2G \equiv P^p_2$ it is a single party wallet (not multisig)

### Key Image

$I^p = {p^p_2}^{-1}U^p$ <sub>(key image)</sub>
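
The output creation and scanning equations above, carried through in a small Python sketch (an added example, not TurtleCoin's own code). It assumes the standard Ed25519 base point, constructed placeholder salt values, a 32-byte compressed point encoding and little-endian `uint64` serialization, none of which are specified on this page; the transcript $t(x)$ is left out because it is defined in scalar_transcript.h. `demo()` returns whether the owner's scan matches, whether an unrelated wallet's scan matches, and whether the private ephemeral check holds.

```python
import hashlib, secrets

p = 2**255 - 19                                       # Ed25519 field prime
l = 2**252 + 27742317777372353535851937790883648493   # prime group order
d = -121665 * pow(121666, -1, p) % p                  # curve constant

def add(P, Q):                     # affine twisted Edwards addition (complete)
    (x1, y1), (x2, y2) = P, Q
    k = d * x1 * x2 * y1 * y2 % p
    return ((x1*y2 + x2*y1) * pow(1 + k, -1, p) % p,
            (y1*y2 + x1*x2) * pow(1 - k, -1, p) % p)

def mul(s, P):                     # double-and-add; not constant time, demo only
    Q = (0, 1)
    while s:
        if s & 1: Q = add(Q, P)
        P, s = add(P, P), s >> 1
    return Q

Gy = 4 * pow(5, -1, p) % p         # standard Ed25519 base point: y = 4/5, x even
u = (Gy*Gy - 1) * pow(d*Gy*Gy + 1, -1, p) % p
Gx = pow(u, (p + 3) // 8, p)       # square root for p = 5 (mod 8)
if Gx * Gx % p != u: Gx = Gx * pow(2, (p - 1) // 4, p) % p
G = (Gx if Gx % 2 == 0 else p - Gx, Gy)

GAMMA, DELTA, BETA = b"gamma", b"delta", b"beta"  # constructed salt placeholders
enc = lambda P: (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")  # assumed encoding
u64 = lambda v: v.to_bytes(8, "little")                            # assumed uint64 layout
def Hs(*parts):                    # H_s(x) = sc(SHA3-256(x))
    return int.from_bytes(hashlib.sha3_256(b"".join(parts)).digest(), "little") % l

def wallet(seed, i=0):             # returns a, A, b, B
    a, b = Hs(GAMMA, seed), Hs(DELTA, seed, u64(i))
    return a, mul(a, G), b, mul(b, G)
def create_output(A, B, n, r):     # sender side: returns R, P_1
    D1 = Hs(BETA, enc(mul(r, A)), u64(n))
    return mul(r, G), add(mul(D1, G), B)
def scan_output(a, B, R, n, P1):   # recipient side: D_2 if P_2 == P_1, else None
    D2 = Hs(BETA, enc(mul(a, R)), u64(n))
    return D2 if add(mul(D2, G), B) == P1 else None

def demo():
    a, A, b, B = wallet(secrets.token_bytes(32))
    a2, _, _, B2 = wallet(secrets.token_bytes(32))        # unrelated wallet
    R, P1 = create_output(A, B, 3, secrets.randbelow(l - 1) + 1)
    D2 = scan_output(a, B, R, 3, P1)
    owned, foreign = D2 is not None, scan_output(a2, B2, R, 3, P1) is not None
    return owned, foreign, owned and mul((D2 + b) % l, G) == P1
```

The scan succeeds because $a^sR^p = a^sr^sG^p = r^sA^p$, so both sides hash the same derivation point; changing $n$ or the view key changes $D^s_2$ and the comparison fails.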