From 579223ed4a3558d6fa905924f9b53b71ee9e62a4 Mon Sep 17 00:00:00 2001
From: Thomas Eizinger <thomas@eizinger.io>
Date: Tue, 18 May 2021 14:34:07 +1000
Subject: [PATCH] Unify definition of generator H

Fixes #24.
---
 Cargo.toml                    |  2 +-
 src/bulletproof/generators.rs | 18 ++----------------
 src/clsag.rs                  |  8 ++++----
 src/util/key.rs               | 11 +++++++----
 src/util/ringct.rs            |  3 +--
 5 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 02a504a..3c0213d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -36,7 +36,7 @@ subtle = { version = "2", default-features = false }
 hash_edwards_to_edwards = { git = "https://github.com/comit-network/hash_edwards_to_edwards" }
 integer-encoding = "3"
 rand = { version = "0.7", optional = true }
-lazy_static = "1"
+conquer-once = "0.3"
 clear_on_drop = { version = "0.2", default-features = false }
 itertools = "0.10"
 
diff --git a/src/bulletproof/generators.rs b/src/bulletproof/generators.rs
index f098857..bca21fd 100644
--- a/src/bulletproof/generators.rs
+++ b/src/bulletproof/generators.rs
@@ -1,29 +1,15 @@
 //! The `generators` module contains API for producing a set of
 //! generators for a rangeproof.
 
+use crate::util::key::H;
 use curve25519_dalek::constants::ED25519_BASEPOINT_POINT;
-use curve25519_dalek::edwards::{CompressedEdwardsY, EdwardsPoint};
+use curve25519_dalek::edwards::EdwardsPoint;
 use curve25519_dalek::scalar::Scalar;
 use curve25519_dalek::traits::MultiscalarMul;
 use hash_edwards_to_edwards::hash_to_point;
 use integer_encoding::VarInt;
 use keccak_hash::keccak_256;
 
-// TODO: Remove this
-lazy_static::lazy_static! {
-    /// Alternate generator of ed25519.
-    ///
-    /// Obtained by hashing `curve25519_dalek::constants::ED25519_BASEPOINT_POINT`.
-    /// Originally used in Monero Ring Confidential Transactions.
-    pub static ref H: EdwardsPoint = {
-        CompressedEdwardsY(hex_literal::hex!(
-            "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
-        ))
-        .decompress()
-        .expect("edwards point")
-    };
-}
-
 /// Represents a pair of base points for Pedersen commitments.
 ///
 /// The Bulletproofs implementation and API is designed to support
diff --git a/src/clsag.rs b/src/clsag.rs
index 5c8f1a7..f1997e9 100644
--- a/src/clsag.rs
+++ b/src/clsag.rs
@@ -93,13 +93,13 @@ mod tests {
             let mut commitment_ring =
                 random_array(|| Scalar::random(&mut rng) * ED25519_BASEPOINT_POINT);
             commitment_ring[signing_key_index] = real_commitment_blinding * ED25519_BASEPOINT_POINT
-                + Scalar::from(amount_to_spend) * H.point.decompress().unwrap();
+                + Scalar::from(amount_to_spend) * *H;
 
-            let fee_key = Scalar::from(fee) * H.point.decompress().unwrap();
+            let fee_key = Scalar::from(fee) * *H;
 
             let out_pk_blinding = Scalar::random(&mut rng);
-            let out_pk = out_pk_blinding * ED25519_BASEPOINT_POINT
-                + Scalar::from(output_amount) * H.point.decompress().unwrap();
+            let out_pk =
+                out_pk_blinding * ED25519_BASEPOINT_POINT + Scalar::from(output_amount) * *H;
 
             let pseudo_output_commitment = fee_key + out_pk;
 
diff --git a/src/util/key.rs b/src/util/key.rs
index fadd23c..d436566 100644
--- a/src/util/key.rs
+++ b/src/util/key.rs
@@ -75,6 +75,7 @@ use thiserror::Error;
 use crate::consensus::encode::{self, Decodable, Encodable};
 use crate::cryptonote::hash;
 
+use conquer_once::Lazy;
 #[cfg(feature = "serde_support")]
 use serde::{Deserialize, Serialize};
 
@@ -502,11 +503,13 @@ impl hash::Hashable for PublicKey {
 /// Alternative generator `H` used for pedersen commitments, as defined in
 /// [`rctTypes.h`](https://github.com/monero-project/monero/blob/master/src/ringct/rctTypes.h#L555)
 /// in the Monero codebase.
-pub const H: PublicKey = PublicKey {
-    point: CompressedEdwardsY(hex!(
+pub static H: Lazy<EdwardsPoint> = Lazy::new(|| {
+    CompressedEdwardsY(hex!(
         "8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94"
-    )),
-};
+    ))
+    .decompress()
+    .unwrap()
+});
 
 /// Two private keys representing the view and the spend keys.
 #[derive(Debug)]
diff --git a/src/util/ringct.rs b/src/util/ringct.rs
index 2bc49d6..23b641b 100644
--- a/src/util/ringct.rs
+++ b/src/util/ringct.rs
@@ -213,8 +213,7 @@ impl EcdhInfo {
 
         let amount_scalar = Scalar::from(amount);
 
-        let expected_commitment = ED25519_BASEPOINT_POINT * blinding_factor
-            + H.point.decompress().unwrap() * amount_scalar;
+        let expected_commitment = ED25519_BASEPOINT_POINT * blinding_factor + *H * amount_scalar;
 
         if &expected_commitment != candidate_commitment {
             return None;