pub fn vrf_malleable_hash<T: SigningTranscript>(t: T) -> RistrettoBoth
Expand description

Create a malleable VRF input point by hashing a transcript to a point.

Warning We caution that malleable VRF inputs are insecure when used in conjunction with HDKD, as provided in dervie.rs. Attackers could translate malleable VRF outputs from one soft subkey to another soft subkey, gaining early knowledge of the VRF output. We think most VRF applicaitons for which HDKH soudns suitable benefit from using implicit certificates insead of HDKD anyways, which should also be secure in combination with HDKH. We always use non-malleable VRF inputs in our convenience methods.