monero_bulletproofs/plus/
transcript.rs

1use std_shims::{sync::LazyLock, vec::Vec};
2
3use curve25519_dalek::{scalar::Scalar, edwards::EdwardsPoint};
4
5use monero_generators::biased_hash_to_point;
6use monero_primitives::{keccak256, keccak256_to_scalar};
7
/// Fixed 32-byte prefix that Monero places at the start of every Bulletproofs+ transcript.
///
/// The value is derived once, on first access: Keccak-256 of the ASCII label
/// `bulletproof_plus_transcript`, mapped to a curve point with `biased_hash_to_point`, then
/// serialized in compressed form. Why Monero routes the label through a hash-to-point rather
/// than using the hash output directly is unknown.
///
// NOTE(review): every input here is a public constant, so the result is public too. It acts as
// the transcript's domain separator, and `initial_transcript` hashes these bytes, so altering
// the label or the derivation changes the scalar it returns.
pub(crate) static TRANSCRIPT: LazyLock<[u8; 32]> = LazyLock::new(|| {
  let label_hash = keccak256(b"bulletproof_plus_transcript");
  let label_point = biased_hash_to_point(label_hash);
  label_point.compress().to_bytes()
});
13
/// Compute the starting transcript scalar for a Bulletproofs+ statement over `commitments`.
///
/// The commitments are serialized in iteration order as compressed points, concatenated, and
/// hashed to a scalar. That scalar's bytes are appended to `TRANSCRIPT` and the result is hashed
/// to a scalar again, which is returned.
///
// NOTE(review): the commitments enter the hash as a bare concatenation with no count or length
// prefix. Each compressed point is a fixed 32 bytes, so the byte string still determines the
// list. Presumably this layout has to match Monero's own transcript byte-for-byte, so it should
// not be "hardened" locally without confirming against the reference implementation.
pub(crate) fn initial_transcript(commitments: core::slice::Iter<'_, EdwardsPoint>) -> Scalar {
  // Serialize every commitment back-to-back, preserving the caller's ordering.
  let mut serialized: Vec<u8> = Vec::new();
  for commitment in commitments {
    serialized.extend_from_slice(&commitment.compress().to_bytes());
  }
  let commitments_hash = keccak256_to_scalar(serialized);

  // Preimage of the returned scalar: transcript prefix followed by the commitments digest.
  let mut preimage: Vec<u8> = Vec::new();
  preimage.extend_from_slice(TRANSCRIPT.as_slice());
  preimage.extend_from_slice(&commitments_hash.to_bytes());
  keccak256_to_scalar(preimage)
}