Use ChaCha20 instead of ChaCha12

Despite being slower and only used for blinding values, its still 
extremely performant. 20 is far more standard and will avoid an eye 
raise from reviewers.

coins/monero/src/ringct/clsag/multisig.rs

@@ -5,7 +5,7 @@ use std::{
 };
 
 use rand_core::{RngCore, CryptoRng, SeedableRng};
-use rand_chacha::ChaCha12Rng;
+use rand_chacha::ChaCha20Rng;
 
 use zeroize::{Zeroize, ZeroizeOnDrop};
 
@@ -181,7 +181,7 @@ impl Algorithm<Ed25519> for ClsagMultisig {
     // process even if they have access to commitments (specifically, the ring index being signed
     // for, along with the mask which should not only require knowing the shared keys yet also the
     // input commitment masks)
-    let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"decoy_responses"));
+    let mut rng = ChaCha20Rng::from_seed(self.transcript.rng_seed(b"decoy_responses"));
 
     self.msg = Some(msg.try_into().expect("CLSAG message should be 32-bytes"));
 

coins/monero/src/wallet/send/multisig.rs

@@ -5,7 +5,7 @@ use std::{
 };
 
 use rand_core::{RngCore, CryptoRng, SeedableRng};
-use rand_chacha::ChaCha12Rng;
+use rand_chacha::ChaCha20Rng;
 
 use curve25519_dalek::{
   traits::Identity,
@@ -140,7 +140,7 @@ impl SignableTransaction {
     let decoys = Decoys::select(
       // Using a seeded RNG with a specific height, committed to above, should make these decoys
       // committed to. They'll also be committed to later via the TX message as a whole
-      &mut ChaCha12Rng::from_seed(transcript.rng_seed(b"decoys")),
+      &mut ChaCha20Rng::from_seed(transcript.rng_seed(b"decoys")),
       rpc,
       self.protocol.ring_len(),
       height,
@@ -288,7 +288,7 @@ impl SignMachine<Transaction> for TransactionSignMachine {
       sorted_images.sort_by(key_image_sort);
 
       self.signable.prepare_transaction(
-        &mut ChaCha12Rng::from_seed(self.transcript.rng_seed(b"transaction_keys_bulletproofs")),
+        &mut ChaCha20Rng::from_seed(self.transcript.rng_seed(b"transaction_keys_bulletproofs")),
         uniqueness(
           &sorted_images
             .iter()
@@ -312,7 +312,7 @@ impl SignMachine<Transaction> for TransactionSignMachine {
     }
     sorted.sort_by(|x, y| key_image_sort(&x.0, &y.0));
 
-    let mut rng = ChaCha12Rng::from_seed(self.transcript.rng_seed(b"pseudo_out_masks"));
+    let mut rng = ChaCha20Rng::from_seed(self.transcript.rng_seed(b"pseudo_out_masks"));
     let mut sum_pseudo_outs = Scalar::zero();
     while !sorted.is_empty() {
       let value = sorted.remove(0);

crypto/dleq/src/lib.rs

@@ -20,7 +20,7 @@ mod tests;
 
 pub(crate) fn challenge<T: Transcript, F: PrimeField>(transcript: &mut T) -> F {
   // From here, there are three ways to get a scalar under the ff/group API
-  // 1: Scalar::random(ChaCha12Rng::from_seed(self.transcript.rng_seed(b"challenge")))
+  // 1: Scalar::random(ChaCha20Rng::from_seed(self.transcript.rng_seed(b"challenge")))
   // 2: Grabbing a UInt library to perform reduction by the modulus, then determining endianess
   //    and loading it in
   // 3: Iterating over each byte and manually doubling/adding. This is simplest