feat: simplify seed construction

Cargo.toml

@@ -75,7 +75,6 @@ rand_chacha = { version = "0.3", default-features = false }
 rand_core = { version = "0.6", default-features = false }
 rand-utils = {git = 'https://github.com/Al-Kindi-0/winterfell', package = "winter-rand-utils" , branch = 'al-zk', optional = true }
 rayon = { version = "1.10", optional = true }
-rfc6979 = { version = "0.4", default-features = false }
 serde = { version = "1.0", default-features = false, optional = true, features = ["derive"] }
 sha3 = { version = "0.10", default-features = false }
 thiserror = { version = "2.0", default-features = false }

src/dsa/rpo_stark/stark/mod.rs

@@ -1,17 +1,9 @@
 use core::marker::PhantomData;
+use std::vec::Vec;
 
 use prover::RpoSignatureProver;
 use rand::{distributions::Standard, prelude::Distribution};
 use rand_chacha::ChaCha20Rng;
-use rfc6979::{consts::U32, ByteArray, HmacDrbg};
-use sha3::{
-    digest::{
-        core_api::BlockSizeUser,
-        generic_array::{ArrayLength, GenericArray},
-        Digest as GenericDigest, FixedOutput, FixedOutputReset,
-    },
-    Sha3_256,
-};
 use winter_crypto::{ElementHasher, Hasher, SaltedMerkleTree};
 use winter_math::fields::f64::BaseElement;
 use winter_prover::{Proof, ProofOptions, Prover};
@@ -50,7 +42,7 @@ where
         let trace = prover.build_trace(sk);
 
         // generate the initial seed for the PRNG used for zero-knowledge
-        let seed: [u8; 32] = generate_seed::<Sha3_256, U32>(sk, msg).into();
+        let seed: [u8; 32] = generate_seed(sk, msg);
 
         // generate the proof
         prover.prove(trace, Some(seed)).expect("failed to generate the signature")
@@ -78,33 +70,33 @@ where
 
 /// Deterministically generates a seed for seeding the PRNG used for zero-knowledge.
 ///
-/// This uses the Algorithm described in [RFC 6979](https://tools.ietf.org/html/rfc6979#section-3) § 3.2.
-/// The direct approach would be to just use the concatentation of the secret key and the message as
-/// the value of the seed but we opt instead to use it as the seed of an `HMAC_DRBG` PRNG similar
-/// to how it is used in `RFC 6979` to generate the value `k`.
+/// This uses the argument described in [RFC 6979](https://datatracker.ietf.org/doc/html/rfc6979#section-3.5)
+/// § 3.5 where the concatenation of the private key and the hashed message, i.e., sk || H(m), is
+/// used in order to construct the initial seed of a PRNG.
 ///
-/// Note that in `RFC 6979` the hash function used in the `HMAC_DRBG` PRNG is chosen to be the same
-/// hash function used in hashing the message. In Section 3.6., however, a variant allowing
-/// different hash functions is discussed and the overall security is claimed to be limited by
-/// the weaker of the two.
+/// Note that we hash in also a context string in order to domain separate between different
+/// instantiations of the signature scheme.
 #[inline]
-pub fn generate_seed<D, N>(
-    sk: [BaseElement; DIGEST_SIZE],
-    msg: [BaseElement; DIGEST_SIZE],
-) -> ByteArray<N>
-where
-    D: GenericDigest + BlockSizeUser + FixedOutput<OutputSize = N> + FixedOutputReset,
-    N: ArrayLength<u8>,
-{
+pub fn generate_seed(sk: [BaseElement; DIGEST_SIZE], msg: [BaseElement; DIGEST_SIZE]) -> [u8; 32] {
+    let context_bytes = "
+    Seed for PRNG used for Zero-knowledge in RPO-STARK signature scheme:
+        1. Version: Conjectured security
+        2. FRI queries: 30
+        3. Blowup factor: 8
+        4. Grinding bits: 12
+        5. Field extension degree: 2
+        6. FRI folding factor: 4
+        7. FRI remainder polynomial max degree: 7
+    "
+    .to_bytes();
     let sk_bytes = sk.to_bytes();
-    let sk_byte_array: &GenericArray<u8, N> = ByteArray::from_slice(&sk_bytes);
     let msg_bytes = msg.to_bytes();
-    let msg_byte_array: &GenericArray<u8, N> = ByteArray::from_slice(&msg_bytes);
-
-    let mut hmac_drbg = HmacDrbg::<D>::new(sk_byte_array, msg_byte_array, &[]);
 
-    let mut seed = ByteArray::<N>::default();
-    hmac_drbg.fill_bytes(&mut seed);
+    let total_length = context_bytes.len() + sk_bytes.len() + msg_bytes.len();
+    let mut buffer = Vec::with_capacity(total_length);
+    buffer.extend_from_slice(&context_bytes);
+    buffer.extend_from_slice(&sk_bytes);
+    buffer.extend_from_slice(&msg_bytes);
 
-    seed
+    blake3::hash(&buffer).into()
 }