monero_bulletproofs/plus/
transcript.rs

1use std_shims::{sync::LazyLock, vec::Vec};
2
3use curve25519_dalek::{scalar::Scalar, edwards::EdwardsPoint};
4
5use monero_generators::hash_to_point;
6use monero_primitives::{keccak256, keccak256_to_scalar};
7
// Domain-separation constant which Monero places at the start of every BP+ transcript.
//
// It is the compressed encoding of hash_to_point(keccak256("bulletproof_plus_transcript")). Why
// Monero derives it through hash_to_point, instead of using the hash itself, is unknown.
//
// NOTE(review): presumably this has to stay byte-identical to Monero's own constant for
// transcripts (and so proofs) to interoperate; check the reference implementation before
// touching the label or the derivation.
//
// The value is computed on first access and then cached by the LazyLock.
pub(crate) static TRANSCRIPT: LazyLock<[u8; 32]> = LazyLock::new(|| {
  let label_hash = keccak256(b"bulletproof_plus_transcript");
  hash_to_point(label_hash).compress().to_bytes()
});
12
// Derive the initial transcript state for a BP+ statement over the given commitments.
//
// The compressed encodings of the commitments are concatenated in iteration order and hashed to a
// scalar. That scalar's bytes are then appended to TRANSCRIPT and hashed to a scalar again, which
// is the value returned.
//
// The result depends on every commitment and on their order. No explicit count is hashed; each
// compressed encoding is a fixed 32 bytes, so the count is implied by the length of the input.
//
// NOTE(review): presumably every later challenge is derived from this value, which is what binds
// a proof to its commitments. Callers would then need to pass exactly the commitments the proof
// is over, in the same order on the proving and verifying side; confirm at the call sites.
pub(crate) fn initial_transcript(commitments: core::slice::Iter<'_, EdwardsPoint>) -> Scalar {
  // First pass: hash all commitments down to a single scalar.
  let mut commitment_bytes = Vec::new();
  for commitment in commitments {
    commitment_bytes.extend_from_slice(&commitment.compress().to_bytes());
  }
  let commitments_hash = keccak256_to_scalar(commitment_bytes);

  // Second pass: prefix the fixed transcript constant and hash again.
  let mut preimage = Vec::new();
  preimage.extend_from_slice(TRANSCRIPT.as_ref());
  preimage.extend_from_slice(&commitments_hash.to_bytes());
  keccak256_to_scalar(preimage)
}