BitMEX / proof-of-reserves-liabilities


account argument for liabilities only useful for account_nonce usage #1

Closed instagibbs closed 11 months ago

instagibbs commented 3 years ago

If the nonce argument is used, the account argument is completely ignored as it's not needed (it's only used to create the sub-nonce), and then erroneously printed to stdout as being verified.

Hiding the account number inside the sub-nonce may actually be detrimental to validation of the proof since the sub-nonce could be replicated across users... In the previous iteration it was outside the sub-nonce generation; may want to put it back in the future, otherwise this may encourage the account nonce to be used?

shuckc commented 1 year ago

Yes, this is accurate - the account argument is only used when we derive a snapshot secret from the account secret. If the snapshot secret is provided directly it is unused, other than in the log message in question. We could change the tool to use a suitable message in each case. When working from an account secret:

Validated xxx,xxxxx sats for account nnnnn

And when working from a snapshot secret:

Validated xxx,xxxxx sats for snapshot secret ssssssssss

Looking back at the history, we originally had the account number in the leaf hashes, so it was proven either way. It looks like after an internal crypto review, it was removed over possibly spurious concerns about pre-image weakness. Perhaps an unfortunate oversight, although it does allow liabilities to be proven with a snapshot secret, without the account number being revealed.
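The two validation paths discussed in this thread (derive the snapshot secret from the account secret, or accept the snapshot secret directly), and the difference between a leaf that includes the account number in its pre-image and one that does not, can be shown with a small toy model. The code below is an added illustration and is not the BitMEX tool's code; the HMAC-based derivation, the leaf layout, the `validate_liability` function and its `account_in_leaf` switch are all assumptions chosen for the example, as are the sample secret, account id and balance. It emits the per-case messages proposed above and shows that, without the account id in the leaf, two different account ids produce the same leaf for a given snapshot secret and balance.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not real data).
ACCOUNT_SECRET = hashlib.sha256(b"constructed account secret").digest()
ACCOUNT_ID = 12345
SNAPSHOT_ID = 42
BALANCE_SATS = 1_234_567


def derive_snapshot_secret(account_secret: bytes, account_id: int, snapshot_id: int) -> bytes:
    """Assumed derivation: the snapshot secret is an HMAC of (account id, snapshot id)
    under the long-lived account secret, so it is bound to one account and one snapshot."""
    msg = account_id.to_bytes(8, "big") + snapshot_id.to_bytes(8, "big")
    return hmac.new(account_secret, msg, hashlib.sha256).digest()


def leaf_hash(snapshot_secret: bytes, balance_sats: int, account_id: Optional[int] = None) -> bytes:
    """Assumed leaf commitment. With account_id=None the leaf binds only the secret and the
    balance (the later layout described in the thread); with an account id it is also in the
    pre-image (the original layout)."""
    data = snapshot_secret + balance_sats.to_bytes(8, "big")
    if account_id is not None:
        data += account_id.to_bytes(8, "big")
    return hashlib.sha256(data).digest()


def validate_liability(published_leaf: bytes, balance_sats: int, *, snapshot_id: int,
                       account_id: Optional[int] = None, account_secret: Optional[bytes] = None,
                       snapshot_secret: Optional[bytes] = None, account_in_leaf: bool = False) -> str:
    """Recompute the leaf from the supplied secret and balance and compare it with the
    published one. Returns a message that names only what was actually used, so an account
    id that played no part in the check is never reported as verified."""
    if account_secret is not None:
        if account_id is None:
            raise ValueError("account id is required to derive the snapshot secret")
        snapshot_secret = derive_snapshot_secret(account_secret, account_id, snapshot_id)
        how = f"account {account_id}"
    elif snapshot_secret is not None:
        # Direct snapshot-secret path: the account id is not consulted unless it is
        # part of the leaf pre-image, so the message reports the secret instead.
        how = f"snapshot secret {snapshot_secret.hex()[:10]}"
    else:
        raise ValueError("need either an account secret or a snapshot secret")

    if account_in_leaf and account_id is None:
        raise ValueError("account id is part of the leaf pre-image and must be supplied")
    expected = leaf_hash(snapshot_secret, balance_sats, account_id if account_in_leaf else None)
    if not hmac.compare_digest(expected, published_leaf):
        raise ValueError("leaf does not match the supplied balance and secret")
    return f"Validated {balance_sats:,} sats for {how}"


def leaf_distinguishes_accounts(snapshot_secret: bytes, balance_sats: int, account_in_leaf: bool) -> bool:
    """True when two different account ids yield different leaves for the same secret and balance."""
    a = leaf_hash(snapshot_secret, balance_sats, ACCOUNT_ID if account_in_leaf else None)
    b = leaf_hash(snapshot_secret, balance_sats, ACCOUNT_ID + 1 if account_in_leaf else None)
    return a != b


if __name__ == "__main__":
    secret = derive_snapshot_secret(ACCOUNT_SECRET, ACCOUNT_ID, SNAPSHOT_ID)
    leaf = leaf_hash(secret, BALANCE_SATS)
    print(validate_liability(leaf, BALANCE_SATS, snapshot_id=SNAPSHOT_ID,
                             account_id=ACCOUNT_ID, account_secret=ACCOUNT_SECRET))
    print(validate_liability(leaf, BALANCE_SATS, snapshot_id=SNAPSHOT_ID, snapshot_secret=secret))
    print("leaf without account id distinguishes accounts:",
          leaf_distinguishes_accounts(secret, BALANCE_SATS, account_in_leaf=False))
    print("leaf with account id distinguishes accounts:",
          leaf_distinguishes_accounts(secret, BALANCE_SATS, account_in_leaf=True))
```

In the direct snapshot-secret path the message deliberately omits the account id, because nothing in that path checked it; only the leaf layout with the account id in the pre-image lets a verifier tie the leaf to a specific account, which is the trade-off against the unlinkability that the account-free layout provides.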