`NoteInputs`'s trial unhashing produces incorrect results

[igamigo]

In the client (0xMiden/miden-client#1454), a couple of tests were failing with some checks related to the NoteScreener. Specifically, P2IDE inputs were not matching. When looking at why, we saw the note inputs length for the P2IDE note was 3. This had happened before so we looked at the recent changes regarding note inputs and found the following:

• The values stored in the advice map are inputs.to_elements(), which pads the note inputs to the next multiple of WORD_SIZE * 2. For a P2IDE note, that's 8.
• In this test, the code was first creating a P2IDE note with reclaim height but no timelock, the inputs of which would be [suffix, prefix, reclaim_height, 0], padding produces [suffix, prefix, reclaim_height, 0, 0, 0, 0, 0].
• When the note is reconstructed, read_note_inputs_from_adv_map looks at that padded vector and picks the last non-zero entry to guess the original length. Because the 4th element is zero, the “last non-zero” is the third element, so it tries [suffix, prefix, reclaim_height].
• NoteInputs::new pads that 3‑element list to eight elements before hashing, resulting in [suffix, prefix, reclaim_height, 0, 0, 0, 0, 0] again. The commitment therefore matches and the shorter vector is accepted.

Unless I'm missing something, this approach of unhashing would not work unless we were able to persist the non-padded inputs commitment all the way through to an output note that another user can use as an input note.

Related to the above, I think if we had had a test like the one we outlined in #1363 this might have been caught here; although it depends on the last note input(s) being purposefully 0. We caught it because we left some static checks on the NoteScreener (that we were plannign to remove with the changes done on the NoteConsumptionChecker).

Curious about why the previous approach of passing the length as the first element was not enough. Maybe we can roll back to that version until a more permanent solution lands.

[PhilippGackstatter]

This can be reproduced with the test_public_note_creation_with_script_from_datastore if we swap the last two input values, so that the last value is a zero and add an assertion to check that the reconstructed number of note inputs match the number of original ones, which will result in:

assertion `left == right` failed: Number of output note inputs should match expected number of inputs
  left: 7
  right: 8

To solve this, I think we can either:

• roll back to include num_inputs,
• or require that the input entries in the advice inputs are unpadded, and pad the inputs when hashing instead. I think this could be done by:
  • changing NoteInputs::to_elements to return self.values, e.g. the unpadded values.
  • and when hashing note inputs, replace pipe_preimage_to_memory with rpo::prepare_hasher_state where pad_inputs = 1 and then run rpo::hash_memory_with_state.
    • Maybe write_inputs_to_memory is even the only place that would require this, because we don't hash note inputs in the kernel from iirc, and miden::note::compute_inputs_commitment is already doing this.
• (What I suggested in Trial Unhashing in extract_note_inputs May Be Unnecessary #2036 (comment) doesn't work because we couldn't correctly reconstruct the original number of note inputs, but would always get a number that is divisible by 8).

I think the first option is probably the quickest fix, but the second option might be cleaner at the cost of presumably costing more cycles.

[bobbinth]

I think the first option is probably the quickest fix, but the second option might be cleaner at the cost of presumably costing more cycles.

I agree that the second option is cleaner, but it is a much bigger refactoring - so, I think we should leave it for v0.13 release. For now, if we can make it work, I'd go for the first option, or:

There is another option, it is equally as "hacky" as the first option, but may be even even quicker:

• In the miden::note::build_recipient we can put the num_inputs variable into the advice map under the key hash(INPUTS_COMMITMENT).
• Then, on the Rust side, we could read it the inputs length from the advice provider by hashing INPUTS_COMMITMENT and then looking up the corresponding value in the advice map.

[bobbinth]

Closed by #2066.