A fix on the non_interactive_output build function, forgot set the true last key path parameter.
fix the rewind_outputlocker and create_output_locker, the original "rewinding" mechanism doesn't work for the new design of OutputLocker which use SecuredPath.
To get the ephemeral key q = Hash(value || p*R), we need the private key p which need use the key_id_last_path in the PathMessage to derive from the wallet active account; but to get the PathMessage, we have to rewind the SecuredPath which need Hash(q) for the rewinding. This becomes a problem loop!
At this moment, I don't have a perfect design for this rewinding. Let's just use two nonces for that:
First nonce is Hash(R) for rewinding the key_id_last_path.
Second nonce is Hash(q) for rewinding the w.
(to be refactored in the future)
Recall the structure of PathMessage:
pub struct PathMessage {
/// The random 'w' of Pedersen commitment `r*G + w*H`
pub w: i64,
/// The last path index of the key identifier
pub key_id_last_path: u32,
}
A fix on the
non_interactive_outputbuild function, forgot set the true last key path parameter.fix the
rewind_outputlockerandcreate_output_locker, the original "rewinding" mechanism doesn't work for the new design ofOutputLockerwhich useSecuredPath.To get the ephemeral key
q = Hash(value || p*R), we need the private keypwhich need use thekey_id_last_pathin thePathMessageto derive from the wallet active account; but to get thePathMessage, we have to rewind theSecuredPathwhich needHash(q)for the rewinding. This becomes a problem loop!At this moment, I don't have a perfect design for this rewinding. Let's just use two nonces for that:
Hash(R)for rewinding thekey_id_last_path.Hash(q)for rewinding thew.(to be refactored in the future)
Recall the structure of
PathMessage: