luigi1111w: I described the process here pastebin.com/LwzqfGCq, did you look at it?

I checked my code with mininero implementation and it looks like I have everything working, except the last mutiplication with output's privkey. Then I am doing some thing wrong with chosing the right coordinate.

I calculate H_p(P), the result is stored into extended coordinate form. Then I pack it with github.com/trezor/trezor-firmware/b…onna/ed25519-donna-impl-base.c#L183 and the result looks all good (checked with mininero)

And then finally I recover this into a point and do a scalar multiply with a output's private key, I got two coordinates, x and y.

I check the even/odd of x-coordinate and based on this I update y-coordinate. Thats how I pack the resulting coordinates.

do you not pack x*G into P?

Yes I pack it. I check x-coordinate, if LSb is 1, then I flip y-coordinates' MSb to 1.

Sorry maybe i am missing the point, packing is the same thing as compressing..?

my point is they are the same thing. if P works then I should as well

I think that the problem appears when I am recovering a packed result of H_p(P) into coordinates to do a final x*H_p(P). Otherwise I am lost.

hmm I see. I don't really understand why that function is negative. I remember something similar in a js lib I used

Is the dummy encrypted payment ID enforced in the protocol or just added to the core wallet?

AFAIK core wallet

I think extra is still wide open at this point