From burdges at gnunet.org Thu Apr 13 13:53:48 2023
From: burdges at gnunet.org (Jeff Burdges)
Date: Thu, 13 Apr 2023 22:53:48 +0200
Subject: [curves] transcripts
Message-ID: <0156003C-601A-45F9-B5B9-949A63C40EAB@getmailspring.com>

I've always liked merlin despite it being overly opinionated in some ways, but I recently noticed merlin interacts poorly with arkworks, so... I wrote up this little front end on shake128:

https://github.com/w3f/ring-vrf/tree/master/ark-transcript

In brief, it's simply shake128, but overlaid with a domain "separate" operation that "postfix" pushes the length written since the last separate operation. These lengths being postfix means you do not need to know in advance how much data, or how many write calls, there will be, which makes it more polymorphism friendly than merlin. Also, separate is idempotent in that it does nothing if you've not even tried to write a zero-length string since the last separate call.

In this way, we have simple merlin-like "append" calls which push a whole element into the transcript, but no worries like two G1 elements being the same as a G2 element or whatever.

It's all fairly simple, so if your protocol later needs an IRTF spec, alternative implementation, remote HSM things, etc., then these should not become too weird.

Best,
Jeff
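The postfix-length construction described in the message above, as an added Python sketch (this is illustration code written for this page, not the ark-transcript crate; the 8-byte little-endian length encoding, the method names, the default label and the use of Python's hashlib SHAKE128 are all assumptions). The four check functions exercise the properties the post claims: chunked writes of one element hash the same as a single write, element boundaries are committed, separate() is idempotent, and a zero-length write still counts as an attempt.

```python
import hashlib

# Added illustration of a SHAKE128 transcript whose separate() call appends, as
# a postfix, the number of bytes written since the previous separate(). Not the
# ark-transcript crate: the 8-byte little-endian length encoding and the
# method/label names here are assumptions made for this example.

class Transcript:
    def __init__(self, label: bytes = b"example-label") -> None:  # label is assumed
        self._xof = hashlib.shake_128()
        self._since_sep = None  # None: no write() call at all since last separate()
        self.append(label)

    def write(self, data: bytes) -> None:
        """Raw absorb; may be called any number of times between separators."""
        self._xof.update(data)
        self._since_sep = (self._since_sep or 0) + len(data)

    def separate(self) -> None:
        """Postfix domain separator: push the total length written since the
        previous separator. Idempotent: a no-op if write() was never called,
        but a zero-length write still gets its length (0) pushed."""
        if self._since_sep is None:
            return
        self._xof.update(self._since_sep.to_bytes(8, "little"))
        self._since_sep = None

    def append(self, data: bytes) -> None:
        """Merlin-style: absorb one whole element as its own separated block."""
        self.separate()
        self.write(data)
        self.separate()

    def challenge(self, n: int = 32) -> bytes:
        """Squeeze n bytes from a copy so the transcript can keep absorbing."""
        self.separate()
        return self._xof.copy().digest(n)


def chunked_equals_whole() -> bool:
    """Writing an element in pieces hashes the same as writing it at once:
    only the total length is committed, so the byte count need not be known
    up front and the number of write() calls does not matter."""
    t1 = Transcript()
    t1.write(b"ab")
    t1.write(b"cd")
    t1.separate()
    t2 = Transcript()
    t2.append(b"abcd")
    return t1.challenge() == t2.challenge()


def boundary_matters() -> bool:
    """Two 2-byte elements must not collide with one 4-byte element (the
    'two G1 elements vs one G2 element' concern)."""
    t1 = Transcript()
    t1.append(b"ab")
    t1.append(b"cd")
    t2 = Transcript()
    t2.append(b"abcd")
    return t1.challenge() != t2.challenge()


def separate_is_idempotent() -> bool:
    """Extra separate() calls with nothing written in between change nothing."""
    t1 = Transcript()
    t1.append(b"x")
    t1.separate()
    t1.separate()
    t2 = Transcript()
    t2.append(b"x")
    return t1.challenge() == t2.challenge()


def empty_write_counts() -> bool:
    """A zero-length write is still an attempt, so a length-0 separator is pushed."""
    t1 = Transcript()
    t1.append(b"x")
    t1.write(b"")
    t1.separate()
    t2 = Transcript()
    t2.append(b"x")
    return t1.challenge() != t2.challenge()


if __name__ == "__main__":
    print(chunked_equals_whole(), boundary_matters(),
          separate_is_idempotent(), empty_write_counts())
```

Because the length goes in after the data, a generic serializer can stream an element through write() without first computing its encoded size, which is the polymorphism point made above; the cost is that a caller who forgets the closing separate() before squeezing would get a different transcript, which is why challenge() calls separate() itself here.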