coins/monero/src/ringct/bulletproofs/plus/transcript.rs

use std_shims::{sync::OnceLock, vec::Vec};

use dalek_ff_group::{Scalar, EdwardsPoint};

use monero_generators::{hash_to_point as raw_hash_to_point};
use crate::{hash, hash_to_scalar as dalek_hash};

// Monero starts BP+ transcripts with the following constant.
static TRANSCRIPT_CELL: OnceLock<[u8; 32]> = OnceLock::new();
pub(crate) fn TRANSCRIPT() -> [u8; 32] {
  // Why this uses a hash_to_point is completely unknown.
  *TRANSCRIPT_CELL
    .get_or_init(|| raw_hash_to_point(hash(b"bulletproof_plus_transcript")).compress().to_bytes())
}

pub(crate) fn hash_to_scalar(data: &[u8]) -> Scalar {
  Scalar(dalek_hash(data))
}

pub(crate) fn initial_transcript(commitments: core::slice::Iter<'_, EdwardsPoint>) -> Scalar {
  let commitments_hash =
    hash_to_scalar(&commitments.flat_map(|V| V.compress().to_bytes()).collect::<Vec<_>>());
  hash_to_scalar(&[TRANSCRIPT().as_ref(), &commitments_hash.to_bytes()].concat())
}
Use FCMP implementation of BP+ in monero-serai (#344) * Add in an implementation of BP+ based off the paper, intended for clarity and review This was done as part of my work on FCMPs from Monero, and is copied from https://github.com/kayabaNerve/full-chain-membership-proofs * Remove crate structure of BP+ * Remove arithmetic circuit code * Remove AC/VC generators code * Remove generator transcript Monero uses non-transcripted static generators. * Further trimming of generators * Remove the single range proof It's unused by Monero and accordingly unhelpful. * Work on getting BP+ to compile in its new env * Correct BP+ folder name * Further tweaks to get closer to compiling * Remove the ScalarMatrix file It's only used for AC proofs * Compiles, with tests passing * Lock BP+ to Ed25519 instead of the generic Ciphersuite * Resolve most warnings in BP+ * Make existing bulletproofs test easier to read * Further strip generators * Swap G/H as Monero did * Replace RangeCommitment with Commitment * Hard-code BP+ h to Ed25519's generator * Use pub(crate) for BP+, not pub * Replace initial_transcript with hash_plus * Rename hash_plus to initial_transcript * Finish integrating the FCMP BP+ impl * Move BP+ folder * Correct no-std support * Rename "long_n" to eta * Add note on non-prime order dfg points 2023-08-27 15:33:17 -04:00			`use std_shims::{sync::OnceLock, vec::Vec};`

			`use dalek_ff_group::{Scalar, EdwardsPoint};`

			`use monero_generators::{hash_to_point as raw_hash_to_point};`
			`use crate::{hash, hash_to_scalar as dalek_hash};`

			`// Monero starts BP+ transcripts with the following constant.`
			`static TRANSCRIPT_CELL: OnceLock<[u8; 32]> = OnceLock::new();`
			`pub(crate) fn TRANSCRIPT() -> [u8; 32] {`
			`// Why this uses a hash_to_point is completely unknown.`
			`*TRANSCRIPT_CELL`
			`.get_or_init(\|\| raw_hash_to_point(hash(b"bulletproof_plus_transcript")).compress().to_bytes())`
			`}`

			`pub(crate) fn hash_to_scalar(data: &[u8]) -> Scalar {`
			`Scalar(dalek_hash(data))`
			`}`

			`pub(crate) fn initial_transcript(commitments: core::slice::Iter<'_, EdwardsPoint>) -> Scalar {`
			`let commitments_hash =`
			`hash_to_scalar(&commitments.flat_map(\|V\| V.compress().to_bytes()).collect::<Vec<_>>());`
			`hash_to_scalar(&[TRANSCRIPT().as_ref(), &commitments_hash.to_bytes()].concat())`
			`}`