
1use std_shims::{sync::LazyLock, vec::Vec};
2
3use curve25519_dalek::{Scalar, EdwardsPoint};
4
5use monero_primitives::keccak256;
6
// Domain-separation constant Monero prefixes to every BP+ transcript.
//
// It is the compressed encoding of the point obtained by hashing-to-point the
// keccak256 of the literal `bulletproof_plus_transcript`. Why Monero routes this
// through a hash-to-point rather than using the keccak output directly is
// completely unknown.
//
// TODO: This is a fixed 32-byte value and can be promoted to a plain constant,
// which would also remove the `monero-primitives` dependency.
pub(crate) static TRANSCRIPT: LazyLock<[u8; 32]> = LazyLock::new(|| {
  let seed = keccak256(b"bulletproof_plus_transcript");
  let point = monero_ed25519::Point::biased_hash(seed);
  point.compress().to_bytes()
});
15
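/// Derive the initial BP+ transcript challenge from the range-proof commitments.
///
/// Each commitment is compressed to its fixed 32-byte encoding and the encodings
/// are concatenated and hashed to a scalar. That scalar is then hashed together
/// with the [`TRANSCRIPT`] domain-separation constant (prefix first), so the
/// resulting challenge is bound both to this protocol and to the exact set and
/// order of commitments. Because every element is exactly 32 bytes, the
/// concatenation is unambiguous without length prefixes.
///
/// Returns the challenge converted to a `curve25519_dalek::Scalar` via `.into()`.
/// An empty iterator is accepted and hashes the empty byte string.
///
/// TODO: An incremental hash would avoid allocating within this function
/// entirely; until then the buffer is sized exactly up front.
pub(crate) fn initial_transcript(commitments: core::slice::Iter<'_, EdwardsPoint>) -> Scalar {
  // `slice::Iter` is an `ExactSizeIterator`, so the total byte length is known
  // exactly. A `flat_map(..).collect()` would report a zero size hint and grow
  // the buffer by repeated reallocation instead.
  let mut commitment_bytes = Vec::with_capacity(commitments.len() * 32);
  for V in commitments {
    commitment_bytes.extend_from_slice(&V.compress().to_bytes());
  }
  let commitments_hash = monero_ed25519::Scalar::hash(commitment_bytes);

  // Prefix with the transcript constant so this challenge is domain-separated
  // from any other use of `Scalar::hash` over the same commitment bytes.
  monero_ed25519::Scalar::hash([*TRANSCRIPT, <[u8; 32]>::from(commitments_hash)].concat()).into()
}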