The _public_ kernel circuit should inject a nonce into new note hashes

[iAmMichaelConnor]

We're not-yet injecting nonces into commitments which have been created by public functions.
@dbanks12 is currently working on doing this for private functions.

When a public function wants to insert a new note hash into the utxo tree, the public kernel circuit should inject a nonce (in the same way as is done for private functions).

• Public Function creates inner_note_hash with some preimage.
  • If the dapp knows in advance what the preimage will be (i.e. if the note's preimage is not derived at runtime) it can hold on to that preimage for later.
  • If the dapp doesn't know in advance what the preimage will be (because some of its values are derived at runtime), it will need to hold on to the info that it has. The rest of the preimage will need to be communicated to the dapp, e.g. as an unencrypted log, or by storing the preimage in public state (emitting as an unencrypted log would be preferable).
  • In both the above cases, the dapp can be given the tx_hash of the tx.
• The dapp can listen for the tx_hash, by subscribing to an event or polling. (This is a separate TODO!!!)
• The dapp might also need to listen for an explicit event topic (This is a separate TODO!!!)
• Once the tx_hash is seen, the accompanying L1 calldata for this tx will include:
  • nullifiers
  • new unique_siloed_note_hashes
  • info about public state transitions
  • logs
  • contract_address (known because this is a public function that's been executed)
• Given the tx_hash, logs, and already-known preimage data, the dapp can learn the nonce of this commitment:
  • Iterate through each note hash:

    brute_force_derive_nonce(...) {
        let preimage = ... // somehow assemble the preimage of the `inner_note_hash` from `log` and already-known preimage data.
        let target_inner_note_hash = h(...preimage);
        let target_siloed_note_hash = h(inner_note_hash, contract_address);
        for (unique_siloed_note_hash, i) in unique_siloed_note_hashes {
            let trial_nonce = h(nullifiers[0], i);
            let trial_siloed_note_hash = h(target_siloed_note_hash, trial_nonce);
            if (trial_siloed_note_hash === unique_siloed_note_hash) {
                // match found!!!
                return trial_nonce;
            }
        }
    }

Brute-forcing doesn't seem too terrible. If you already know the tx_hash, you'll only be trialling as many commitments as can be created by a single tx.

[dbanks12]

I believe this is blocked by #1420

[rahul-kothari]

also referenced in #4891

[benesjan]

@dbanks12 is this issue still planned to be tackled? I just stumbled upon it because it would allow us to decrease gate counts (see here). I could help tackling it if you don't have enough time to do that.

[iAmMichaelConnor]

I still think it needs to be tackled, and I reckon your team (Jan) is now perfectly placed to tackle it (whereas it'd be a big context-switch for david) :)