UkoeHB_: TheCharlatan: sarang's Monero implementation might be good to look at

TheCharlatan: Ha, I already looked at it there.

sarang: What specific guidance are you looking for?

UkoeHB_: github.com/SarangNoether/monero/blo…18a649c/src/ringct/rctSigs.cpp#L333 domain separation is also used in the challenge hash

TheCharlatan: Might make sense to update the separators in ZtoM to those in cryptonote_config.h:212 on sarang's branch.

sarang: The precise nature of the separation isn't important, FWIW

UkoeHB_: yeah, that was the basic idea. bLSAG and MLSAG also don't exactly follow how Monero implements it either

TheCharlatan: no guidance, just busy reading through some details - sorry for the ruckus.

sarang: No problem at all!

UkoeHB_: TheCharlatan: in CLSAG domain separation is _required_ since each aggregation coefficient must be different even though the hash inputs are all the same. That's why there are multiple H_j differentiated by simple tags. However, more broadly and in the name of robust implementation, domain separating all uses of hash functions is recommended to avoid collisions.

UkoeHB_: So ZtM combined those two separate design goals for the CLSAG writeup

UkoeHB_: Tbh my footnote on the topic doesn't make that clear

UkoeHB_: and now I'm full of regret lol

sarang: ping gingeropolous