[curves] transcripts

Jeff Burdges burdges at gnunet.org
Thu Apr 13 13:53:48 PDT 2023


I've always liked merlin despite it being overly opinionated in some
ways, but I recently noticed merlin interacts poorly with arkworks, so..

I wrote up this little front end on shake128..
https://github.com/w3f/ring-vrf/tree/master/ark-transcript

In brief, it's simply shake128 but overlaid with a domain separate
operation that "postfix" pushes the length written since the last
separate operation.

These lengths being postfix means you do not need to know in advance how
much data there will be, or how many write calls, which makes it more
polymorphism-friendly than merlin.

Also, separate is idempotent in that it does nothing if you've not even
tried to write a zero length string since the last separate call.  In
this way, we have simple merlin-like "append" calls which push a whole
element into the transcript, but no worries like two G1 elements being
the same as a G2 element or whatever.

It's all fairly simple so if your protocol later needs an IRTF spec,
alternative implementation, remote HSM things, etc. then these should
not become too weird.

Best,
Jeff
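The construction sketched above, as an added example rather than code from the post or from the ark-transcript crate: a Python reconstruction over hashlib's SHAKE128 in which every separate call postfix-pushes the byte count written since the previous separate, separate is idempotent unless a write (even a zero-length one) happened in between, and append is a merlin-like whole-element push. The 8-byte little-endian length encoding, the separate/write/separate shape of append, the labelled challenge, and all sample byte strings are assumptions of this example, not details taken from the crate.

```python
import hashlib
import struct


class Transcript:
    """SHAKE128 transcript with postfix length framing (illustrative reconstruction).

    Every separate() pushes the number of bytes written since the previous
    separator, so the framing never needs element lengths up front and is
    insensitive to how the writes were chunked.  Not the ark-transcript crate.
    """

    def __init__(self, label: bytes) -> None:
        self._sponge = hashlib.shake_128()
        self._pending = 0      # bytes written since the last separator
        self._dirty = False    # has write() been called since the last separator?
        self.write(label)
        self.separate()

    def write(self, data: bytes) -> None:
        """Absorb raw bytes; callable any number of times with any chunking."""
        self._sponge.update(data)
        self._pending += len(data)
        self._dirty = True     # a zero-length write still counts as "tried to write"

    def separate(self) -> None:
        """Domain separation: postfix-push the pending length, once per run of writes.

        Idempotent: a second call with no write in between absorbs nothing.
        The 8-byte little-endian length encoding is an assumption of this example.
        """
        if not self._dirty:
            return
        self._sponge.update(struct.pack("<Q", self._pending))
        self._pending = 0
        self._dirty = False

    def append(self, element: bytes) -> None:
        """Merlin-like push of one whole element: close pending writes, write, close."""
        self.separate()
        self.write(element)
        self.separate()

    def challenge(self, label: bytes, n: int) -> bytes:
        """Squeeze n challenge bytes after framing a label (labelled challenge is assumed).

        hashlib finalizes a copy of the sponge, so the absorb state stays usable.
        """
        self.append(label)
        return self._sponge.digest(n)


def demo_no_element_aliasing() -> bool:
    """Two 32-byte 'G1' elements vs one 64-byte 'G2' element with identical bytes."""
    g1a, g1b = bytes([1]) * 32, bytes([2]) * 32   # constructed stand-ins for encodings
    g2 = g1a + g1b                                 # same concatenated bytes, one element
    t1 = Transcript(b"demo")
    t1.append(g1a)
    t1.append(g1b)
    t2 = Transcript(b"demo")
    t2.append(g2)
    return t1.challenge(b"c", 16) != t2.challenge(b"c", 16)   # expected: True


def demo_chunking_irrelevant() -> bool:
    """One write of 100 bytes frames identically to the same bytes in 7-byte chunks."""
    data = bytes(range(100))                       # constructed payload
    t1 = Transcript(b"demo")
    t1.write(data)
    t1.separate()
    t2 = Transcript(b"demo")
    for i in range(0, len(data), 7):
        t2.write(data[i:i + 7])
    t2.separate()
    return t1.challenge(b"c", 16) == t2.challenge(b"c", 16)   # expected: True


def demo_separate_idempotent() -> bool:
    """Extra separate() calls with nothing written in between change nothing."""
    t1 = Transcript(b"demo")
    t1.append(b"x")
    t2 = Transcript(b"demo")
    t2.append(b"x")
    t2.separate()
    t2.separate()
    return t1.challenge(b"c", 16) == t2.challenge(b"c", 16)   # expected: True


def demo_empty_write_counts() -> bool:
    """A zero-length write followed by separate() does push a length-0 postfix."""
    t1 = Transcript(b"demo")
    t1.append(b"x")
    t2 = Transcript(b"demo")
    t2.append(b"x")
    t2.write(b"")
    t2.separate()
    return t1.challenge(b"c", 16) != t2.challenge(b"c", 16)   # expected: True


if __name__ == "__main__":
    print(demo_no_element_aliasing(), demo_chunking_irrelevant(),
          demo_separate_idempotent(), demo_empty_write_counts())
```

Note that hashlib's `digest(n)` squeezes from a copy of the sponge, so reading a challenge does not itself advance the transcript state here; in a real protocol you would want reads to change the state too, which this example does not attempt to model.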

