PR intention
Speeds up AEAD authenticated decryption failure when the wrong prekey is used, which can speed up scanning operations.
Code changes brief
Currently, AEAD authenticated decryption derives both the key and key commitment before checking if the key commitment is correct. This is wasteful; when scanning outputs, the vast majority will produce the wrong key commitment, so the key is never used.
This PR allows authenticated decryption to fail before deriving the key. This cuts the overall operation time by half.
Note that both the current and proposed designs are not constant-time operations! This means that an adversary with access to a timing side channel can use this information to determine which outputs a user controls.
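The two decryption orderings side by side, as an added illustration that is not the PR's own code: the cipher below is a standard-library toy (SHA-256 keystream plus an HMAC tag, PBKDF2 standing in for the real KDF) rather than the project's AEAD, and every name in it (`derive_commitment`, `derive_key`, `decrypt_before`, `decrypt_after`, `scan`) is an assumption for this example, not the project's API. `decrypt_before` follows the current design (derive key and commitment, then compare); `decrypt_after` follows the proposed one (compare the commitment first, derive the key only on a match).

```python
"""Key-committing AEAD trial decryption: deriving the commitment before the key
so a wrong prekey fails early.  Added illustration using only the Python
standard library; the cipher and all names here are assumptions, not the
project's real AEAD or API."""
import hashlib
import hmac
import secrets
import time

KDF_ITERS = 2000   # makes each derivation measurably expensive
COMMIT_LEN = 16
TAG_LEN = 32


def _derive(prekey: bytes, label: bytes, nonce: bytes, length: int) -> bytes:
    # Key and commitment derivations cost the same here, which is why skipping
    # one of them halves the failure path.  PBKDF2 stands in for the real KDF.
    return hashlib.pbkdf2_hmac("sha256", prekey, label + nonce, KDF_ITERS, length)


def derive_commitment(prekey: bytes, nonce: bytes) -> bytes:
    return _derive(prekey, b"commit", nonce, COMMIT_LEN)


def derive_key(prekey: bytes, nonce: bytes) -> bytes:
    return _derive(prekey, b"key", nonce, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _tag(key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()


def encrypt(prekey: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Box layout: commitment || ciphertext || tag (encrypt-then-MAC)."""
    commitment = derive_commitment(prekey, nonce)
    key = derive_key(prekey, nonce)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return commitment + ct + _tag(key, aad, nonce, ct)


def _open(key: bytes, nonce: bytes, aad: bytes, body: bytes):
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(_tag(key, aad, nonce, ct), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def decrypt_before(prekey: bytes, nonce: bytes, aad: bytes, box: bytes):
    # Current design: derive both, then check the commitment.  The key
    # derivation is wasted whenever the commitment does not match.
    commitment = derive_commitment(prekey, nonce)
    key = derive_key(prekey, nonce)
    if not hmac.compare_digest(commitment, box[:COMMIT_LEN]):
        return None
    return _open(key, nonce, aad, box[COMMIT_LEN:])


def decrypt_after(prekey: bytes, nonce: bytes, aad: bytes, box: bytes):
    # Proposed design: check the commitment first; derive the key only on a match.
    if not hmac.compare_digest(derive_commitment(prekey, nonce), box[:COMMIT_LEN]):
        return None
    key = derive_key(prekey, nonce)
    return _open(key, nonce, aad, box[COMMIT_LEN:])


def scan(prekey: bytes, outputs, decrypt):
    """Trial-decrypt every (nonce, aad, box) and return the plaintexts we own."""
    found = []
    for nonce, aad, box in outputs:
        pt = decrypt(prekey, nonce, aad, box)
        if pt is not None:
            found.append(pt)
    return found


def timed(fn, *args, reps: int = 20) -> float:
    t0 = time.perf_counter()
    for _ in range(reps):
        fn(*args)
    return (time.perf_counter() - t0) / reps


if __name__ == "__main__":
    mine = secrets.token_bytes(32)
    outputs = []  # constructed sample: every tenth output belongs to us
    for i in range(50):
        owner = mine if i % 10 == 0 else secrets.token_bytes(32)
        nonce = secrets.token_bytes(12)
        outputs.append((nonce, b"out", encrypt(owner, nonce, b"out", b"amount=%d" % i)))
    assert scan(mine, outputs, decrypt_before) == scan(mine, outputs, decrypt_after)
    n, a, b = outputs[1]   # not ours: wrong prekey
    print("wrong prekey, before: %.1f ms" % (timed(decrypt_before, mine, n, a, b) * 1e3))
    print("wrong prekey, after:  %.1f ms" % (timed(decrypt_after, mine, n, a, b) * 1e3))
    n, a, b = outputs[0]   # ours: the full path runs in both designs
    print("right prekey, after:  %.1f ms" % (timed(decrypt_after, mine, n, a, b) * 1e3))
```

Run as a script, the three timings show the PR's two points at once: the "wrong prekey, after" path is roughly half the "before" path because one derivation is skipped, and it is also clearly shorter than the "right prekey" path, which is the timing difference the note above warns about. Neither ordering is constant-time, so in both an observer who can time the scan can tell which outputs matched.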