Merge remote-tracking branch 'origin/artem/viewing-key-binding' into artem/keccak-speedup

lee/state_machine/core/src/encryption/shared_key_derivation.rs

@@ -80,26 +80,29 @@ impl SharedSecretKey {
         (Self(ss_bytes), EphemeralPublicKey(ct.to_vec()))
     }
 
-    /// Deterministically encapsulate a shared secret toward `ek` for use in tests.
+    /// Deterministically encapsulate a shared secret toward `ek` with a given
+    /// `esk` and `output_index`.
     ///
-    /// The shared secret has no secret entropy — it is fully determined by `ek`,
+    /// This function runs inside the privacy-preserving circuit, generating
-    /// `message_hash`, and `output_index`, all of which are public. This makes it
+    /// the shared secret for ciphertext generation.
-    /// unsuitable for real encryption but useful for producing stable, reproducible
-    /// shared secrets in unit tests. Use a distinct `output_index` per output to
-    /// avoid EPK collisions across multiple outputs in the same test.
     ///
-    /// For production use [`Self::encapsulate`], which draws randomness from the OS.
+    /// Important: since `ek` is assumed to be public, the uniqueness of the
+    /// secret is reliant upon the uniqueness of the ephemeral secret key for
+    /// a note in a given position. It is hence important to generate it
+    /// with high entropy, for which the prover is responsible.
     #[must_use]
     pub fn encapsulate_deterministic(
         ek: &MlKem768EncapsulationKey,
-        message_hash: &[u8; 32],
+        esk: &[u8; 32],
         output_index: u32,
     ) -> (Self, EphemeralPublicKey) {
         use risc0_zkvm::sha::{Impl, Sha256 as _};
 
-        let mut input = [0_u8; 32 + 4];
+        const PREFIX: &[u8; 21] = b"/LEE/v0.3/KDF-ML-KEM/";
-        input[0..32].copy_from_slice(message_hash);
+        let mut input = [0; 21 + 32 + 4];
-        input[32..36].copy_from_slice(&output_index.to_le_bytes());
+        input[0..21].copy_from_slice(PREFIX);
+        input[21..53].copy_from_slice(esk);
+        input[53..57].copy_from_slice(&output_index.to_le_bytes());
         let hash = Impl::hash_bytes(&input);
         let m: ml_kem::B32 =
             ml_kem::array::Array::try_from(hash.as_bytes()).expect("SHA-256 output is 32 bytes");

program_methods/guest/src/bin/privacy_preserving_circuit/output.rs

@@ -282,6 +282,14 @@ fn emit_private_output(
     let commitment_post = Commitment::new(account_id, &post_with_updated_nonce);
 
     let (shared_secret, epk) = SharedSecretKey::encapsulate_deterministic(vpk, esk, *output_index);
+
+    // Currently the view tag is properlty generated for all accounts.
+    // To increase privacy, this will be changed in the later version
+    // to only be generated explicitly for initialized accounts and
+    // fed by the prover directly for updated accounts.
+    //
+    // See issue 573:
+    // https://github.com/logos-blockchain/logos-execution-zone/issues/573
     let view_tag = EncryptedAccountData::compute_view_tag(npk, vpk);
 
     let encrypted_account = EncryptionScheme::encrypt(