Function schnorrkel::vrf::vrf_malleable_hash

pub fn vrf_malleable_hash<T: SigningTranscript>(t: T) -> RistrettoBoth

Create a malleable VRF input point by hashing a transcript to a point.

Warning: We caution that malleable VRF inputs are insecure when used in conjunction with HDKD, as provided in derive.rs. Attackers could translate malleable VRF outputs from one soft subkey to another soft subkey, gaining early knowledge of the VRF output. We think most VRF applications for which HDKD sounds suitable benefit from using implicit certificates instead of HDKD anyway, which should also be secure in combination with HDKD. We always use non-malleable VRF inputs in our convenience methods.
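The translation the warning describes can be seen in arithmetic alone. The following is an added illustration, not schnorrkel code: a toy VRF over the multiplicative group of integers mod a prime (insecure parameters, constructed for the demo), with soft HDKD modelled as adding a public scalar tweak to the secret key, and the non-malleable input modelled as a hash that also binds the signer's public key. With a malleable input H(t), the parent's output times H(t)^delta equals the child's output, so anyone holding the parent output and the public tweak learns the child output early; with the key-bound input the inputs themselves differ and no such translation exists.

```rust
// Added illustration (toy Z_p^* group, insecure parameters), not schnorrkel code.
const P: u64 = 1_000_000_007; // prime modulus of the toy group Z_p^*
const ORDER: u64 = P - 1;     // group order; scalars live mod ORDER
const G: u64 = 5;             // toy generator used for public keys

fn mul(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % P as u128) as u64
}

fn pow(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    while exp > 0 {
        if exp & 1 == 1 { acc = mul(acc, base); }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// Toy "hash to point": FNV-1a mixing, then map into the nonzero residues.
pub fn hash_to_point(input: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in input {
        h ^= b as u64;
        h = h.wrapping_mul(0x0100_0000_01b3);
    }
    h % ORDER + 1 // in 1..=P-1, hence a group element
}

/// Malleable input, as in `vrf_malleable_hash`: depends on the transcript only.
pub fn malleable_input(t: &[u8]) -> u64 { hash_to_point(t) }

/// Non-malleable input (modelled here as binding the public key into the hash).
pub fn nonmalleable_input(pk: u64, t: &[u8]) -> u64 {
    let mut data = pk.to_le_bytes().to_vec();
    data.extend_from_slice(t);
    hash_to_point(&data)
}

pub fn public_key(sk: u64) -> u64 { pow(G, sk) }

/// VRF output: the input point raised to the secret scalar.
pub fn vrf_output(input: u64, sk: u64) -> u64 { pow(input, sk) }

/// Soft HDKD: the child scalar is the parent scalar plus a public tweak `delta`.
pub fn soft_derive(sk: u64, delta: u64) -> u64 { (sk + delta) % ORDER }

/// Computable from public data alone: parent output times input^delta. This
/// equals the child's output exactly when the input does not depend on the key.
pub fn translate(parent_out: u64, input: u64, delta: u64) -> u64 {
    mul(parent_out, pow(input, delta))
}
```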