
I'm reading the RingCT whitepaper by Shen Noether. The scheme requires a second random generator H such that its discrete logarithm w.r.t. G is not known. Paragraph 3.2 suggests two variants to generate H:

1. H = toPoint(cn_fast_hash(G)) 
2. H = toPoint(cn_fast_hash(123456*G))

The first option is supported by the comments in rctTypes.h. The function toPoint is defined neither in the article nor in the Monero source code, but I assume it is the rct::hashToPoint function.

1. 80f9755245adc94e9f3a1bf9b891ba515b3e6ed324b61b350b8918da59c9d5fd 
2. 24a1d0d7e659e986f31dae8d9a80234f518f6eb50346b04c98ca44df0f51c1e2

Neither of them is equal to the actual rct::H used in the official Monero code (again see rctTypes.h):

8b655970153799af2aeadc9ff1add0ea6c7251d54154cfa92c173a0dd39c1f94

I thought that rct::hashToPoint already contains the hash function and that I just need to call H = rct::hashToPoint(G), but again I got different results:

rct::hashToPoint(G) = d6329b5b1f7c0805b5c345f4957554002a2f557845f64d7645dae0e051a6498a
rct::hashToPoint(123456*G) = 89c0517d869e740d47429b10b642137ef7c789cc6d4dbcf6293e5a18c6044d48

It is crucial for Monero's security model that no one knows the discrete logarithm of H w.r.t. G. I assume that the code uses the hash-to-point of some modified version of G, e.g. G times some scalar or with some prefix/postfix string, but I could not find any information about that.

To recap: how exactly was H computed?

jtgrassie

1 Answer

H can be verified by seeing how it's computed in the unit tests:

#include "ringct/rctOps.h"   // rct::key, scalarmultBase, d2h, hashToPointSimple
using namespace rct;

key G = scalarmultBase(d2h(1));   // 1 * basepoint, i.e. the Ed25519 generator G
key H = hashToPointSimple(G);     // note: hashToPointSimple, not rct::hashToPoint

When conducting the Bulletproof audit, the QuarksLab team also dug into the verification of H and documented this in section 4.3.4 (pages 15 and 16) of their report.

jtgrassie
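To reproduce that unit-test computation outside the Monero tree, here is an added pure-Python example (my own code, not Monero's and not part of the answer above). It implements cn_fast_hash (the original Keccak-256 with 0x01 padding, not SHA3-256), the ge_frombytes_vartime point decoding and the cofactor multiplication by 8 that hashToPointSimple performs on the digest; G_BYTES is the standard Ed25519 basepoint encoding and all function names are my own.

```python
P = 2**255 - 19                                   # Ed25519 field prime
D = -121665 * pow(121666, P - 2, P) % P           # Edwards curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                 # sqrt(-1) mod P
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]     # Keccak rho offsets, ROT[x][y]
G_BYTES = bytes.fromhex("58" + "66" * 31)            # basepoint G = scalarmultBase(d2h(1))

def keccak256(msg):
    """Original Keccak-256 (0x01 pad) = Monero's cn_fast_hash; NOT SHA3-256 (0x06 pad)."""
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1)
    a = [[0] * 5 for _ in range(5)]
    m = bytearray(msg) + b"\x01"
    m += b"\x00" * (-len(m) % 136); m[-1] |= 0x80         # pad10*1 to the 136-byte rate
    for off in range(0, len(m), 136):                      # absorb one block at a time
        for i in range(17):
            a[i % 5][i // 5] ^= int.from_bytes(m[off + 8*i:off + 8*i + 8], "little")
        for rc in RC:                                       # Keccak-f[1600], 24 rounds
            c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
            d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
            b = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):                          # theta, rho and pi
                    b[y][(2*x + 3*y) % 5] = rol(a[x][y] ^ d[x], ROT[x][y])
            a = [[b[x][y] ^ (~b[(x+1) % 5][y] & b[(x+2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
            a[0][0] ^= rc                                   # iota
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))
def decode_point(b):
    """ge_frombytes_vartime: 32 bytes (y, sign bit) -> affine (x, y); ValueError if off-curve."""
    y = int.from_bytes(b, "little"); sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P: raise ValueError("non-canonical y")
    u, v = (y*y - 1) % P, (D*y*y + 1) % P               # x^2 = u/v
    x = pow(u * pow(v, 7, P), (P - 5) // 8, P) * u * pow(v, 3, P) % P
    if (v*x*x - u) % P: x = x * SQRT_M1 % P              # try the other square-root candidate
    if (v*x*x - u) % P or (x == 0 and sign): raise ValueError("not a curve point")
    return (P - x if (x & 1) != sign else x, y)
def add(p, q):  # affine twisted-Edwards addition with a = -1; add(p, p) doubles
    k = D * p[0] * q[0] * p[1] * q[1] % P
    return ((p[0]*q[1] + q[0]*p[1]) * pow(1 + k, P - 2, P) % P,
            (p[1]*q[1] + p[0]*q[0]) * pow(1 - k, P - 2, P) % P)
def hash_to_point_simple(pt_bytes):
    """rct::hashToPointSimple: hash, decode the digest as a point, then multiply by 8."""
    pt = decode_point(keccak256(pt_bytes))
    for _ in range(3): pt = add(pt, pt)                  # cofactor clearing: 8 * pt
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")
```

hash_to_point_simple(G_BYTES).hex() yields the rct::H value quoted in the question; the same digest fed through the Elligator-style map used by rct::hashToPoint gives the different value the question reports, which is why the two disagree.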