lssa/docs/specs.md

# LEE v0.3 specifications for Key Agreement

## LEE v0.3 basic types and constants

```rust
/// The ML-KEM-768 KEM ciphertext produced during encapsulation (1088 bytes) of a message.
/// `EphemeralPublicKey` is used to not confuse the ciphertext of an encrypted private account.
type EphemeralPublicKey = [u8; 1088];

/// Private account Viewing Public Key is a ML-KEM-768 encapsulation key (1184 bytes).
type ViewingPublicKey = [u8; 1184];
/// The ML-KEM-768 shared secret (32 bytes).
type SharedSecretKey = [u8; 32];

struct EncryptedAccountData {
    ciphertext: Ciphertext,
    epk: EphemeralPublicKey,
    view_tag: u8,           // 1-byte view tag
}
```

#### Key agreement and shared secret

When creating a private account output, the sender uses the recipient's viewing public key to encapsulate a random message that is used to establish a shared secret between the sender and recipient:

- Sender: $(\mathsf{ss},\, \mathsf{epk}) = \mathsf{encapsulate}(\mathsf{vpk\_recipient})$. The 1088-byte ciphertext `epk` is included in the transaction as the `EphemeralPublicKey` field.
- Receiver: $\mathsf{ss} = \mathsf{decapsulate}(\mathsf{epk},\, vsk.d,\, vsk.z)$

where `vpk` is the receiver's `ViewingPublicKey` and `(vsk.d, vsk.z)` are the two 32-byte halves of the receiver's `ViewingSecretKey`.

#### KDF

```rust
fn kdf(
    shared_secret: &SharedSecretKey,    // 32-byte output of the KEM
    commitment: &Commitment,            // 32-byte output commitment
    output_index: u32,                  // index of this output within the tx (LE)
) -> [u8; 32] {
    let mut bytes = Vec::new();
    bytes.extend_from_slice(b"NSSA/v0.2/KDF-SHA256/");
    bytes.extend_from_slice(&shared_secret.0);
    bytes.extend_from_slice(&commitment.to_byte_array());
    bytes.extend_from_slice(&output_index.to_le_bytes());
    sha256(bytes)
}
```

### Circuit input

```rust
pub enum InputAccountIdentity {
    /// Public account. The guest reads pre/post state from program_outputs and emits no
    /// commitment, ciphertext, or nullifier.
    Public,

    /// Initialization of a standalone private account the caller owns.
    /// Pre-state must be Account::default().
    /// AccountId = AccountId::from_private(npk(nsk), identifier).
    PrivateAuthorizedInit {
        ssk: SharedSecretKey,
        nsk: NullifierSecretKey,
        identifier: Identifier,
    },

    /// Update of an existing standalone private account the caller owns.
    /// Membership proof for the current on-chain commitment is required.
    PrivateAuthorizedUpdate {
        ssk: SharedSecretKey,
        nsk: NullifierSecretKey,
        membership_proof: MembershipProof,
        identifier: Identifier,
    },

    /// Initialization of a standalone private account the caller does not own
    /// (e.g. a recipient who does not yet exist on chain). No nsk, no membership proof.
    PrivateUnauthorized {
        npk: NullifierPublicKey,
        ssk: SharedSecretKey,
        identifier: Identifier,
    },

    /// Initialization of a private PDA.
    /// Authorization comes via Claim::Pda(seed) or the caller's pda_seeds.
    /// The identifier diversifies the PDA within the (program_id, seed, npk) family.
    PrivatePdaInit {
        npk: NullifierPublicKey,
        ssk: SharedSecretKey,
        identifier: Identifier,
        /// When `Some((seed, authority_program_id))`, the circuit binds this position via
        /// `AccountId::for_private_pda(authority_program_id, seed, npk, identifier) == pre_state.account_id`
        /// rather than requiring a `Claim::Pda` or caller `pda_seeds`. The `pre_state` must
        /// have `is_authorized == false`.
        seed: Option<(PdaSeed, ProgramId)>,
    },

    /// Update of an existing private PDA. npk is derived from nsk.
    /// Membership proof is required.
    PrivatePdaUpdate {
        ssk: SharedSecretKey,
        nsk: NullifierSecretKey,
        membership_proof: MembershipProof,
        identifier: Identifier,
        /// When `Some((seed, authority_program_id))`, the circuit binds this position via
        /// `AccountId::for_private_pda(authority_program_id, seed, npk, identifier) == pre_state.account_id`
        /// rather than requiring a caller `pda_seeds`. The `pre_state` must have
        /// `is_authorized == false`.
        seed: Option<(PdaSeed, ProgramId)>,
    },
}
```

The `ssk` field carries the **shared secret key** — the 32-byte shared secret used to encrypt the post-state. Note that the key protocol uses `ssk` for "spending secret key" (the master key that derives `nsk` and `vsk`); here `ssk` means the per-output KEM shared secret. It is established via ML-KEM-768:

- Sender: `(ssk, epk) = encapsulate(vpk)`
- Receiver: `ssk = decapsulate(epk, vsk.d, vsk.z)`

where `epk` is the ML-KEM-768 ciphertext (1088 bytes) stored as the `EphemeralPublicKey`, `vpk` is the recipient's `ViewingPublicKey` (1184 bytes), and `(vsk.d, vsk.z)` are the 32-byte seed halves of the recipient's `ViewingSecretKey`.

## Encrypted private account discovery and tagging

### Ephemeral view tags

Each private account output includes a 1-byte view tag to allow wallets to quickly filter outputs before attempting decryption:

$$\mathsf{ViewTag} = \mathsf{SHA256}(\text{"/LEE/v0.3/ViewTag/"} \;||\; \mathsf{Npk} \;||\; \mathsf{Vpk})[0]$$

where `Npk` is the 32-byte nullifier public key and `Vpk` is the 1184 byte `ViewingPublicKey` of the recipient. On average only 1 in 256 outputs will pass this filter for a given account, avoiding expensive ML-KEM decapsulation on irrelevant outputs.

### Private account discovery with viewing keys

1. For each encrypted output, compute the expected view tag from `(Npk, Vpk)`. Skip if it does not match.
2. Decapsulate using ML-KEM-768: `ss = decapsulate(epk, vsk.d, vsk.z)`.
3. Run `kdf(ss, commitment, output_index)` to derive the symmetric key.
4. Decrypt the ciphertext with ChaCha20.
5. Parse the 81-byte header to recover `PrivateAccountKind`.
6. Parse the remaining bytes to recover the `Account`.
7. Recompute the account ID from the kind and verify that `Commitment::new(account_id, account)` equals the on-chain commitment. Discard on mismatch (false positive).

```rust
fn private_account_discovery(
    tx: &PrivacyPreservingTransaction,
    vsk: &ViewingSecretKey,
    npk: &NullifierPublicKey,
    vpk: &ViewingPublicKey,
) -> Vec<(PrivateAccountKind, Account)> {
    let expected_tag = EncryptedAccountData::compute_view_tag(npk, vpk);
    let mut discovered = Vec::new();

    for (output_index, (encrypted_account, commitment)) in tx.message.encrypted_private_post_states
        .iter()
        .zip(&tx.message.new_commitments)
        .enumerate()
    {
        if encrypted_account.view_tag != expected_tag {
            continue;
        }
        let ss = SharedSecretKey::decapsulate(&encrypted_account.epk, &vsk.d, &vsk.z);
        if let Some((kind, account)) = EncryptionScheme::decrypt(
            &encrypted_account.ciphertext, &ss, commitment, output_index as u32
        ) {
            let account_id = AccountId::for_private_account(npk, &kind);
            if Commitment::new(&account_id, &account) == *commitment {
                discovered.push((kind, account));
            }
        }
    }
    discovered
}
```
addressing comments 2026-05-29 16:28:55 -04:00			`# LEE v0.3 specifications for Key Agreement`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
addressing comments 2026-05-29 16:28:55 -04:00			`## LEE v0.3 basic types and constants`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
			```rust
			`/// The ML-KEM-768 KEM ciphertext produced during encapsulation (1088 bytes) of a message.`
			/// `EphemeralPublicKey` is used to not confuse the ciphertext of an encrypted private account.
			`type EphemeralPublicKey = [u8; 1088];`

			`/// Private account Viewing Public Key is a ML-KEM-768 encapsulation key (1184 bytes).`
			`type ViewingPublicKey = [u8; 1184];`
			`/// The ML-KEM-768 shared secret (32 bytes).`
			`type SharedSecretKey = [u8; 32];`

			`struct EncryptedAccountData {`
			`ciphertext: Ciphertext,`
			`epk: EphemeralPublicKey,`
			`view_tag: u8, // 1-byte view tag`
			`}`
			```

			`#### Key agreement and shared secret`

			`When creating a private account output, the sender uses the recipient's viewing public key to encapsulate a random message that is used to establish a shared secret between the sender and recipient:`

			- Sender: $(\mathsf{ss},\, \mathsf{epk}) = \mathsf{encapsulate}(\mathsf{vpk\_recipient})$. The 1088-byte ciphertext `epk` is included in the transaction as the `EphemeralPublicKey` field.
addressing comments 2026-05-29 16:28:55 -04:00			`- Receiver: $\mathsf{ss} = \mathsf{decapsulate}(\mathsf{epk},\, vsk.d,\, vsk.z)$`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
addressing comments 2026-05-29 16:28:55 -04:00			where `vpk` is the receiver's `ViewingPublicKey` and `(vsk.d, vsk.z)` are the two 32-byte halves of the receiver's `ViewingSecretKey`.
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
			`#### KDF`

			```rust
			`fn kdf(`
			`shared_secret: &SharedSecretKey, // 32-byte output of the KEM`
			`commitment: &Commitment, // 32-byte output commitment`
			`output_index: u32, // index of this output within the tx (LE)`
			`) -> [u8; 32] {`
			`let mut bytes = Vec::new();`
			`bytes.extend_from_slice(b"NSSA/v0.2/KDF-SHA256/");`
			`bytes.extend_from_slice(&shared_secret.0);`
			`bytes.extend_from_slice(&commitment.to_byte_array());`
			`bytes.extend_from_slice(&output_index.to_le_bytes());`
			`sha256(bytes)`
			`}`
			```

			`### Circuit input`

			```rust
			`pub enum InputAccountIdentity {`
			`/// Public account. The guest reads pre/post state from program_outputs and emits no`
			`/// commitment, ciphertext, or nullifier.`
			`Public,`

			`/// Initialization of a standalone private account the caller owns.`
			`/// Pre-state must be Account::default().`
			`/// AccountId = AccountId::from_private(npk(nsk), identifier).`
			`PrivateAuthorizedInit {`
			`ssk: SharedSecretKey,`
			`nsk: NullifierSecretKey,`
			`identifier: Identifier,`
			`},`

			`/// Update of an existing standalone private account the caller owns.`
			`/// Membership proof for the current on-chain commitment is required.`
			`PrivateAuthorizedUpdate {`
			`ssk: SharedSecretKey,`
			`nsk: NullifierSecretKey,`
			`membership_proof: MembershipProof,`
			`identifier: Identifier,`
			`},`

			`/// Initialization of a standalone private account the caller does not own`
			`/// (e.g. a recipient who does not yet exist on chain). No nsk, no membership proof.`
			`PrivateUnauthorized {`
			`npk: NullifierPublicKey,`
			`ssk: SharedSecretKey,`
			`identifier: Identifier,`
			`},`

			`/// Initialization of a private PDA.`
			`/// Authorization comes via Claim::Pda(seed) or the caller's pda_seeds.`
			`/// The identifier diversifies the PDA within the (program_id, seed, npk) family.`
			`PrivatePdaInit {`
			`npk: NullifierPublicKey,`
			`ssk: SharedSecretKey,`
			`identifier: Identifier,`
addressing comments 2026-05-29 16:28:55 -04:00			/// When `Some((seed, authority_program_id))`, the circuit binds this position via
			/// `AccountId::for_private_pda(authority_program_id, seed, npk, identifier) == pre_state.account_id`
			/// rather than requiring a `Claim::Pda` or caller `pda_seeds`. The `pre_state` must
			/// have `is_authorized == false`.
			`seed: Option<(PdaSeed, ProgramId)>,`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00			`},`

			`/// Update of an existing private PDA. npk is derived from nsk.`
			`/// Membership proof is required.`
			`PrivatePdaUpdate {`
			`ssk: SharedSecretKey,`
			`nsk: NullifierSecretKey,`
			`membership_proof: MembershipProof,`
			`identifier: Identifier,`
addressing comments 2026-05-29 16:28:55 -04:00			/// When `Some((seed, authority_program_id))`, the circuit binds this position via
			/// `AccountId::for_private_pda(authority_program_id, seed, npk, identifier) == pre_state.account_id`
			/// rather than requiring a caller `pda_seeds`. The `pre_state` must have
			/// `is_authorized == false`.
			`seed: Option<(PdaSeed, ProgramId)>,`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00			`},`
			`}`
			```

			The `ssk` field carries the shared secret key — the 32-byte shared secret used to encrypt the post-state. Note that the key protocol uses `ssk` for "spending secret key" (the master key that derives `nsk` and `vsk`); here `ssk` means the per-output KEM shared secret. It is established via ML-KEM-768:

			- Sender: `(ssk, epk) = encapsulate(vpk)`
addressing comments 2026-05-29 16:28:55 -04:00			- Receiver: `ssk = decapsulate(epk, vsk.d, vsk.z)`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
addressing comments 2026-05-29 16:28:55 -04:00			where `epk` is the ML-KEM-768 ciphertext (1088 bytes) stored as the `EphemeralPublicKey`, `vpk` is the recipient's `ViewingPublicKey` (1184 bytes), and `(vsk.d, vsk.z)` are the 32-byte seed halves of the recipient's `ViewingSecretKey`.
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
			`## Encrypted private account discovery and tagging`

			`### Ephemeral view tags`

			`Each private account output includes a 1-byte view tag to allow wallets to quickly filter outputs before attempting decryption:`

			`$$\mathsf{ViewTag} = \mathsf{SHA256}(\text{"/LEE/v0.3/ViewTag/"} \;\|\|\; \mathsf{Npk} \;\|\|\; \mathsf{Vpk})[0]$$`

addressing comments 2026-05-29 16:28:55 -04:00			where `Npk` is the 32-byte nullifier public key and `Vpk` is the 1184 byte `ViewingPublicKey` of the recipient. On average only 1 in 256 outputs will pass this filter for a given account, avoiding expensive ML-KEM decapsulation on irrelevant outputs.
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00
			`### Private account discovery with viewing keys`

			1. For each encrypted output, compute the expected view tag from `(Npk, Vpk)`. Skip if it does not match.
addressing comments 2026-05-29 16:28:55 -04:00			2. Decapsulate using ML-KEM-768: `ss = decapsulate(epk, vsk.d, vsk.z)`.
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00			3. Run `kdf(ss, commitment, output_index)` to derive the symmetric key.
			`4. Decrypt the ciphertext with ChaCha20.`
			5. Parse the 81-byte header to recover `PrivateAccountKind`.
			6. Parse the remaining bytes to recover the `Account`.
			7. Recompute the account ID from the kind and verify that `Commitment::new(account_id, account)` equals the on-chain commitment. Discard on mismatch (false positive).

			```rust
			`fn private_account_discovery(`
			`tx: &PrivacyPreservingTransaction,`
			`vsk: &ViewingSecretKey,`
			`npk: &NullifierPublicKey,`
			`vpk: &ViewingPublicKey,`
			`) -> Vec<(PrivateAccountKind, Account)> {`
			`let expected_tag = EncryptedAccountData::compute_view_tag(npk, vpk);`
			`let mut discovered = Vec::new();`

			`for (output_index, (encrypted_account, commitment)) in tx.message.encrypted_private_post_states`
			`.iter()`
			`.zip(&tx.message.new_commitments)`
			`.enumerate()`
			`{`
			`if encrypted_account.view_tag != expected_tag {`
			`continue;`
			`}`
addressing comments 2026-05-29 16:28:55 -04:00			`let ss = SharedSecretKey::decapsulate(&encrypted_account.epk, &vsk.d, &vsk.z);`
added updated specs for pq encryption 2026-05-22 18:07:29 -04:00			`if let Some((kind, account)) = EncryptionScheme::decrypt(`
			`&encrypted_account.ciphertext, &ss, commitment, output_index as u32`
			`) {`
			`let account_id = AccountId::for_private_account(npk, &kind);`
			`if Commitment::new(&account_id, &account) == *commitment {`
			`discovered.push((kind, account));`
			`}`
			`}`
			`}`
			`discovered`
			`}`
			```