bind amount blinding factor to amount and address spend pubkey

src/carrot_core/carrot_enote_scan.cpp

@@ -57,16 +57,6 @@ static bool try_scan_carrot_non_coinbase_core(const CarrotEnoteV1 &enote,
     CarrotEnoteType &enote_type_out,
     janus_anchor_t &nominal_janus_anchor_out)
 {
-    // if cannot recompute C_a, then FAIL
-    if (!try_get_carrot_amount(s_sender_receiver,
-            enote.amount_enc,
-            enote.onetime_address,
-            enote.amount_commitment,
-            enote_type_out,
-            amount_out,
-            amount_blinding_factor_out))
-        return false;
-
     // k^o_g = H_n("..g..", s^ctx_sr, C_a)
     make_carrot_onetime_address_extension_g(s_sender_receiver,
         enote.amount_commitment,
@@ -83,6 +73,17 @@ static bool try_scan_carrot_non_coinbase_core(const CarrotEnoteV1 &enote,
         enote.amount_commitment,
         address_spend_pubkey_out);
 
+    // if cannot recompute C_a, then FAIL
+    if (!try_get_carrot_amount(s_sender_receiver,
+            enote.amount_enc,
+            enote.onetime_address,
+            address_spend_pubkey_out,
+            enote.amount_commitment,
+            enote_type_out,
+            amount_out,
+            amount_blinding_factor_out))
+        return false;
+
     // pid = pid_enc XOR m_pid, if applicable
     if (encrypted_payment_id)
         payment_id_out = decrypt_legacy_payment_id(*encrypted_payment_id, s_sender_receiver, enote.onetime_address);

src/carrot_core/enote_utils.cpp

@@ -260,12 +260,14 @@ void make_carrot_onetime_address(const crypto::public_key &address_spend_pubkey,
 }
 //-------------------------------------------------------------------------------------------------------------------
 void make_carrot_amount_blinding_factor(const crypto::hash &s_sender_receiver,
+    const rct::xmr_amount amount,
+    const crypto::public_key &address_spend_pubkey,
     const CarrotEnoteType enote_type,
     crypto::secret_key &amount_blinding_factor_out)
 {
-    // k_a = H_n(s^ctx_sr, enote_type)
+    // k_a = H_n(s^ctx_sr, a, K^j_s, enote_type)
     const auto transcript = sp::make_fixed_transcript<CARROT_DOMAIN_SEP_AMOUNT_BLINDING_FACTOR>(
-        static_cast<unsigned char>(enote_type));
+        amount, address_spend_pubkey, static_cast<unsigned char>(enote_type));
     derive_scalar(transcript.data(), transcript.size(), &s_sender_receiver, &amount_blinding_factor_out);
 }
 //-------------------------------------------------------------------------------------------------------------------
@@ -410,13 +412,18 @@ bool test_carrot_view_tag(const unsigned char s_sender_receiver_unctx[32],
 }
 //-------------------------------------------------------------------------------------------------------------------
 bool try_recompute_carrot_amount_commitment(const crypto::hash &s_sender_receiver,
-    const CarrotEnoteType nominal_enote_type,
     const rct::xmr_amount nominal_amount,
+    const crypto::public_key &nominal_address_spend_pubkey,
+    const CarrotEnoteType nominal_enote_type,
     const rct::key &amount_commitment,
     crypto::secret_key &amount_blinding_factor_out)
 {
-    // k_a' = H_n(s^ctx_sr, enote_type')
-    make_carrot_amount_blinding_factor(s_sender_receiver, nominal_enote_type, amount_blinding_factor_out);
+    // k_a' = H_n(s^ctx_sr, a', K^j_s', enote_type')
+    make_carrot_amount_blinding_factor(s_sender_receiver,
+        nominal_amount,
+        nominal_address_spend_pubkey,
+        nominal_enote_type,
+        amount_blinding_factor_out);
 
     // C_a' = k_a' G + a' H
     const rct::key nominal_amount_commitment = rct::commit(nominal_amount, rct::sk2rct(amount_blinding_factor_out));
@@ -428,6 +435,7 @@ bool try_recompute_carrot_amount_commitment(const crypto::hash &s_sender_receive
 bool try_get_carrot_amount(const crypto::hash &s_sender_receiver,
     const encrypted_amount_t &encrypted_amount,
     const crypto::public_key &onetime_address,
+    const crypto::public_key &address_spend_pubkey,
     const rct::key &amount_commitment,
     CarrotEnoteType &enote_type_out,
     rct::xmr_amount &amount_out,
@@ -441,8 +449,9 @@ bool try_get_carrot_amount(const crypto::hash &s_sender_receiver,
 
     // if C_a ?= k_a' G + a' H, then PASS
     if (try_recompute_carrot_amount_commitment(s_sender_receiver,
-            enote_type_out,
             amount_out,
+            address_spend_pubkey,
+            enote_type_out,
             amount_commitment,
             amount_blinding_factor_out))
         return true;
@@ -452,8 +461,9 @@ bool try_get_carrot_amount(const crypto::hash &s_sender_receiver,
 
     // if C_a ?= k_a' G + a' H, then PASS
     if (try_recompute_carrot_amount_commitment(s_sender_receiver,
-            enote_type_out,
             amount_out,
+            address_spend_pubkey,
+            enote_type_out,
             amount_commitment,
             amount_blinding_factor_out))
         return true;

src/carrot_core/enote_utils.h

@@ -186,12 +186,16 @@ void make_carrot_onetime_address(const crypto::public_key &address_spend_pubkey,
     crypto::public_key &onetime_address_out);
 /**
 * brief: make_carrot_amount_blinding_factor - create blinding factor for enote's amount commitment C_a
-*   k_a = H_n(s^ctx_sr, enote_type)
+*   k_a = H_n(s^ctx_sr, a, K^j_s, enote_type)
 * param: s_sender_receiver - s^ctx_sr
+* param: amount - a
+* param: address_spend_pubkey - K^j_s
 * param: enote_type - enote_type
 * outparam: amount_blinding_factor_out - k_a
 */
 void make_carrot_amount_blinding_factor(const crypto::hash &s_sender_receiver,
+    const rct::xmr_amount amount,
+    const crypto::public_key &address_spend_pubkey,
     const CarrotEnoteType enote_type,
     crypto::secret_key &amount_blinding_factor_out);
 /**
@@ -334,15 +338,17 @@ bool test_carrot_view_tag(const unsigned char s_sender_receiver_unctx[32],
 /**
 * brief: try_recompute_carrot_amount_commitment - test recreating the amount commitment for given enote_type and amount
 * param: s_sender_receiver - s^ctx_sr
-* param: nominal_enote_type - enote_type'
 * param: nominal_amount - a'
+* param: nominal_address_spend_pubkey - K^j_s'
+* param: nominal_enote_type - enote_type'
 * param: amount_commitment - C_a
 * outparam: amount_blinding_factor_out - k_a' = H_n(s^ctx_sr, enote_type')
 * return: true if successfully recomputed the amount commitment (C_a ?= k_a' G + a' H)
 */
 bool try_recompute_carrot_amount_commitment(const crypto::hash &s_sender_receiver,
-    const CarrotEnoteType nominal_enote_type,
     const rct::xmr_amount nominal_amount,
+    const crypto::public_key &nominal_address_spend_pubkey,
+    const CarrotEnoteType nominal_enote_type,
     const rct::key &amount_commitment,
     crypto::secret_key &amount_blinding_factor_out);
 /**
@@ -350,6 +356,7 @@ bool try_recompute_carrot_amount_commitment(const crypto::hash &s_sender_receive
 * param: s_sender_receiver - s^ctx_sr
 * param: encrypted_amount - a_enc
 * param: onetime_address - Ko
+* param: address_spend_pubkey - K^j_s
 * param: amount_commitment - C_a
 * outparam: enote_type_out - enote_type'
 * outparam: amount_out - a' = a_enc XOR m_a
@@ -359,6 +366,7 @@ bool try_recompute_carrot_amount_commitment(const crypto::hash &s_sender_receive
 bool try_get_carrot_amount(const crypto::hash &s_sender_receiver,
     const encrypted_amount_t &encrypted_amount,
     const crypto::public_key &onetime_address,
+    const crypto::public_key &address_spend_pubkey,
     const rct::key &amount_commitment,
     CarrotEnoteType &enote_type_out,
     rct::xmr_amount &amount_out,

src/carrot_core/payment_proposal.cpp

@@ -112,6 +112,8 @@ static void get_output_proposal_parts(const crypto::hash &s_sender_receiver,
         amount_blinding_factor_out = rct::rct2sk(rct::I);
     else
         make_carrot_amount_blinding_factor(s_sender_receiver,
+            amount,
+            destination_spend_pubkey,
             enote_type,
             amount_blinding_factor_out);