diff --git a/lee/state_machine/core/src/encryption/mod.rs b/lee/state_machine/core/src/encryption/mod.rs
index f3895924..34c596af 100644
--- a/lee/state_machine/core/src/encryption/mod.rs
+++ b/lee/state_machine/core/src/encryption/mod.rs
@@ -125,12 +125,12 @@ impl EncryptionScheme {
 commitment: &Commitment,
 output_index: u32,
 ) -> [u8; 32] {
- let mut bytes = Vec::new();
-
- bytes.extend_from_slice(b"LEE/v0.2/KDF-SHA256/");
- bytes.extend_from_slice(&shared_secret.0);
- bytes.extend_from_slice(&commitment.to_byte_array());
- bytes.extend_from_slice(&output_index.to_le_bytes());
+ const PREFIX: &[u8; 20] = b"LEE/v0.2/KDF-SHA256/";
+ let mut bytes = [0_u8; 20 + 32 + 32 + 4];
+ bytes[0..20].copy_from_slice(PREFIX);
+ bytes[20..52].copy_from_slice(&shared_secret.0);
+ bytes[52..84].copy_from_slice(&commitment.to_byte_array());
+ bytes[84..88].copy_from_slice(&output_index.to_le_bytes());
 Impl::hash_bytes(&bytes).as_bytes().try_into().unwrap()
 }
diff --git a/lee/state_machine/core/src/encryption/shared_key_derivation.rs b/lee/state_machine/core/src/encryption/shared_key_derivation.rs
index 2c046cbf..71bcf144 100644
--- a/lee/state_machine/core/src/encryption/shared_key_derivation.rs
+++ b/lee/state_machine/core/src/encryption/shared_key_derivation.rs
@@ -97,9 +97,9 @@ impl SharedSecretKey {
 ) -> (Self, EphemeralPublicKey) {
 use risc0_zkvm::sha::{Impl, Sha256 as _};
- let mut input = Vec::with_capacity(36);
- input.extend_from_slice(message_hash);
- input.extend_from_slice(&output_index.to_le_bytes());
+ let mut input = [0_u8; 32 + 4];
+ input[0..32].copy_from_slice(message_hash);
+ input[32..36].copy_from_slice(&output_index.to_le_bytes());
 let hash = Impl::hash_bytes(&input);
 let m: ml_kem::B32 = ml_kem::array::Array::try_from(hash.as_bytes()).expect("SHA-256 output is 32 bytes");
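Review bot: The KDF preimage layout in the new lines of `encryption/mod.rs` is written as bare numbers (`20 + 32 + 32 + 4`, `0..20`, `20..52`, `52..84`, `84..88`), so any later change to the prefix or a field width must be mirrored by hand in five places. A missed range would either panic in `copy_from_slice` or leave zero bytes in the hash input, silently changing every derived key. I would tie the size to the constant, `let mut bytes = [0_u8; PREFIX.len() + 32 + 32 + 4];`, and record the layout above it: `// KDF preimage: PREFIX || shared_secret (32) || commitment (32) || output_index LE (4)`. Because the output is key material, a known-answer test pinning the digest for fixed inputs would confirm the refactor is byte-identical to the `Vec` version; none is visible in this hunk. The function's signature begins outside the hunk.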
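Review bot: In `shared_key_derivation.rs`, `input[0..32].copy_from_slice(message_hash)` panics when `message_hash` is not exactly 32 bytes, whereas the removed `extend_from_slice` accepted any length. The parameter's type is declared outside the hunk, so it cannot be seen here whether that can happen. If it is a `&[u8]`, either take `&[u8; 32]` in the signature or state the precondition in a `# Panics` doc section. The digest of this buffer becomes `m`; if `m` is then used as the encapsulation randomness, it is only as unpredictable as `message_hash`, so the assumption about that input deserves a comment next to the derivation.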