
I am trying to replicate in Python the calculation of public key derivation, that is: P = H(aR||i)G + B, where i is the output index in a transaction.

I got all the operators figured out (using a Python ed25519 implementation) except for the concatenation. How is concatenation (||) defined in Monero? Is it taking the two scalars as strings and calculating their hash? Bitwise OR? etc...

Thanks

Shak

1 Answer


aR is an elliptic curve point, and has a 32 byte compressed representation. i is not a scalar. Scalars, like a, would have a 32 byte representation. i, however, is a varint. Varints are specified in section 1.2 of this document: https://tukaani.org/xz/xz-file-format.txt

Therefore aR||i will usually be 32+1 = 33 bytes of data. The concatenation has no padding, and is simply one byte sequence followed by another.

Also note that although the white paper says P = H(aR||i)G + B, if you look at the Monero source code it's actually P = H(8aR||i)G + B. This is to avoid small subgroup attacks, because it forces the result of 8aR to be in the subgroup of the base point G.

knaccc
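To make the byte layout concrete, here is an added Python example (not from the answer above, and not Monero's own code) that builds the hash input aR||i from a 32-byte compressed point and a varint-encoded output index, then reduces the hash to a scalar mod the group order. It assumes the point is already compressed to 32 bytes; the hash uses pycryptodome's Keccak-256 when available and falls back to hashlib's SHA3-256 as a stand-in (SHA3-256 uses different padding, so that fallback will not match real Monero values).

```python
import hashlib

# Order l of the ed25519 base-point subgroup; hash_to_scalar reduces mod l.
L = 2**252 + 27742317777372353535851937790883648493


def encode_varint(n: int) -> bytes:
    """LEB128-style varint (xz spec section 1.2): 7 payload bits per byte,
    least significant group first, high bit set on every byte but the last."""
    if n < 0:
        raise ValueError("varint must be non-negative")
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)   # more bytes follow
        else:
            out.append(byte)          # final byte
            return bytes(out)


def decode_varint(data: bytes) -> int:
    """Inverse of encode_varint, used here only to check the round trip."""
    value, shift = 0, 0
    for byte in data:
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value
    raise ValueError("truncated varint")


def derivation_input(point: bytes, output_index: int) -> bytes:
    """aR||i: the 32-byte compressed point immediately followed by the varint
    of i, with no separator or padding. 33 bytes for i < 128, longer otherwise."""
    if len(point) != 32:
        raise ValueError("expected a 32-byte compressed point")
    return point + encode_varint(output_index)


def keccak256(data: bytes) -> bytes:
    try:  # real Keccak-256 (cn_fast_hash) if pycryptodome is installed
        from Crypto.Hash import keccak
        return keccak.new(digest_bits=256).update(data).digest()
    except ImportError:  # stand-in only: NIST SHA3-256 pads differently
        return hashlib.sha3_256(data).digest()


def hash_to_scalar(data: bytes) -> int:
    """Hash, read the 32 bytes as a little-endian integer, reduce mod l."""
    return int.from_bytes(keccak256(data), "little") % L
```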