[zk-sdk] Add unique domain separator for zk elgamal proof program for proofs

[samkim-crypto]

Problem

All proof transcripts in the zk-sdk use hardcoded domain strings (e.g., b"ciphertext-ciphertext-equality-instruction", b"zero-ciphertext-instruction", etc.) without a shared chain-specific personalization prefix. Proofs generated on one blockchain can be replayed on any fork or chain using this code, as transcript domains are identical across all deployments

Summary of Changes

I added a domain separation tag in the transcript by adding a concrete transcript constructor Transcript::new_zk_elgamal_transcript(...) that first hashes b"solana-zk-elgamal-proof-program-v1" to the transcript before returning it. Then I updated all the instances of Transcript::new(...) in the zk-sdk to use Transcript::new_zk_elgamal_transcript(...).

The logic changes themselves should be pretty simple. But since we are adding new domain separations, I needed to update the hard-coded tests, which added on to the number of lines changed.

[joncinque]

Looks great! I checked to make sure there are no more uses of Transcript::new anywhere (except in TranscriptProtocol)

[joncinque]

nit: just so I'm sure I understand, we're not differentiating this for different networks, ie testnet vs devnet vs mainnet?

If we wanted to be pedantic, we may want to include the genesis hash in the domain, but this should be fine

[samkim-crypto]

Yeah we encountered this issue for alpenglow BLS as well and I thought about this briefly. I think it adds a lot of extra complications if we differentiate between testnet, devnet, and mb. We probably need to add different features (in both solana-zk-sdk and agave) that has different hardcoded domain separator targeted at different networks and validators will need to deploy network specific builds of the zk-elgamal proof program.

I guess we can have the program directly look up the genesis hash inside the program and add it as an input to the verification function, but this probably adds another set of complications. I think keeping it uniform across different networks probably simplifies testing and maintenance.

[joncinque]

Yep that's fine, just wanted to make sure

[samkim-crypto]

Thanks for the review and let me merge this for now. If you feel strongly about anything related to the nit comment above, then I'll make sure to address it in a follow up 🙏

[PaulLaux]

This PR indeed resolves #b10 from the QEDIT audit.

Consider the following additions:

• The in-code documentation might not be visible enough. A mention in README.md or SECURITY.md will provide more visibility to this subject.
• Consider personalization for testnet/devnet.
• Consider adding a WASM function to expose TRANSCRIPT_DOMAIN.