TheCharlatan: sarang's Monero implementation might be good to look at

Ha, I already looked it there.

What specific guidance are you looking for?

github.com/SarangNoether/monero/blo…18a649c/src/ringct/rctSigs.cpp#L333 domain separation is also used in the challenge hash

Might make sense to update the separators in ZtoM to those in cryptonote_config.h:212 on sarangs's branch.

The precise nature of the separation isn't important, FWIW

yeah that was the basic idea. bLSAG and MLSAG also dont exactly follow how Monero implements it either

no guidance, just busy reading through some details - sorry for the ruckus.

No problem at all!

TheCharlatan: in CLSAG domain separation is _required_ since each aggregation coefficient must be different even though the hash inputs are all the same. That's why there are multiple H_j differentiated by simple tags. However, more broadly and in the name of robust implementation, domain separating all uses of hash functions is recommended to avoid collisions.

So ZtM combined those two separate design goals for the CLSAG writeup

Tbh my footnote on the topic doesn't make that clear

and now Im full of regret lol

ping gingeropolous