dalek-cryptography / bulletproofs

A pure-Rust implementation of Bulletproofs using Ristretto.
MIT License

Generators Question #300

Closed goldenMetteyya closed 4 years ago

goldenMetteyya commented 4 years ago

What are thoughts on removing a dependency with SHA3 and using merlin to form the generators, as it also uses the same sponge construction? Are there any issues with this avenue?

Thanks.

hdevalence commented 4 years ago

At the moment, we can't change the generator construction mechanism that we use, because it would break the setup for existing proofs. But using Merlin doesn't really meaningfully remove any dependencies, because Merlin uses STROBE, which uses the same Keccak-f permutation as SHA3, so ultimately there is only one sponge construction at work here. This is why we used SHA3 to construct the generators rather than SHA2 or similar.

(In fact, I think that some of the STROBE constants are aligned with the NIST ones in order to ensure that Merlin output is in some sense "technically" shake, or something like that -- but I don't recall exactly so don't quote me on it :) ).