Refactor `aux` into `NoteAttachment` and simplify `NoteTag`

[PhilippGackstatter]

Coming out of #1449, this is a concrete proposal for how to refactor the NoteTag as well as the aux value in NoteMetadata to NoteAttachment, that allows storing more data than a single Felt.

The new structure could look like this, expressed in Rust with explanatory comments:

// We no longer need the encrypted note type because an encrypted note is a private note with its
// encrypted content attached. At the protocol level, there is no need to represent encrypted notes.
// We can provide a convenience procedure in `miden` lib to create encrypted notes that would create
// a private note, encrypt the note content and attach it to the note.
//
// At the same time, we gain the network note type. This is needed at some level (meaning not
// necessarily here) to differentiate local and network note metadata in the tx kernel so it knows
// how to encode these two (because they are different - see below).
pub enum NoteType {
    Private,
    Public,
    Network,
}

// Note metadata is different for local and network notes.
//
// Encodes to a total of two words METADATA_0 and METADATA_1 and the note commitment is updated to
// be computed as hash(NOTE_ID, hash(METADATA_0, METADATA_1))
pub enum NoteMetadata {
    Local(LocalNoteMetadata),
    Network(NetworkNoteMetadata),
}

/// The optional attachment to a note intended for local execution.
pub enum NoteAttachment {
    /// A raw [`Word`] that is used as-is when computing the note commitment.
    Raw(Word),
    /// Arbitrary data whose sequential hash is used when computing the note commitment.
    ///
    /// At most 2^12 words (= 2^14 felts = 2^16 bytes assuming 4 bytes per felt).
    /// (Let me know if you have different opinions, I picked this rather arbitrarily)
    Commitment(Vec<Felt>),
}

/// Represents a tag for a note intended for local execution.
/// 
/// Encodes to [tag_variant (1 bit) | is_public (1 bit) | tag_data (30 bits)]
/// `is_public` defines whether the note tag requires the note to be public.
/// This addresses the comment from here:
/// https://github.com/0xMiden/miden-base/pull/1322#discussion_r2108348981
/// 
/// It would be nice to not need the `is_public`, and my question is whether this could be done
/// by allowing clients to filter at the node API level by tag + note visibility?
/// 
/// Despite the space being available in note metadata, I don't think there's value in increasing
/// the note tag width beyond 32 bits, as 32 bits already allow for narrowing down the number of
/// notes to a high enough degree.
pub enum NoteTag {
    /// The partial account ID prefix of the intended receiver of the note.
    PartialAccountId {
        is_public: bool,
        /// The partial account id.
        ///
        /// Uses https://docs.rs/ux/ - we could do our own newtype wrappers as well.
        id: ux::u30,
    },

    /// A specific use case of a note.
    ///
    /// For instance, a SWAP note is not targeted at a specific account for consumption, instead it
    /// is a note for a certain use case.
    ///
    /// For such a SWAP note, this could encode the first 14 bits of the SWAP script root as a
    /// use case identifier (leaks the note's script, but any use case identifier essentially does
    /// that and this avoids having to come up with manual use case IDs), and the remaining 16 bits
    /// using 8 bits of the offered asset faucet ID and 8 bits of the requested asset faucet ID.
    UseCase {
        is_public: bool,
        /// The identifier of the use case.
        id: ux::u14,
        /// The payload of the use case.
        payload: u16,
    },
}

/// The metadata of a note for consumption in a local transaction.
///
/// Encodes to the following two words:
///
/// ```text
/// 0th felt: [sender_id_suffix (56 bits) | 6 zero bits | note_type (2 bits)]
/// 1st felt: [sender_id_prefix (64 bits)]
/// 2nd felt: [25 zero bits | has_attachment (1 bit) | note_execution_hint_tag (6 bits)
///            | note_execution_hint_payload (32 bits)]
/// 3rd felt: [32 zero bits | note_tag (32 bits)]
/// 4th-7th felt: NOTE_ATTACHMENT (either its raw or commitment representation)
/// ```
///
/// Note that the id suffix/prefix order is swapped compared to the current note metadata.
/// I think this is now more consistent since the more significant element (prefix) is at a more
/// significant element index, like here:
/// - https://github.com/0xMiden/miden-base/blob/d129f34f1a338473fe58dc81cc3cb4598e1f1914/crates/miden-lib/src/transaction/inputs.rs#L399
/// - https://github.com/0xMiden/miden-base/blob/d129f34f1a338473fe58dc81cc3cb4598e1f1914/crates/miden-lib/src/transaction/inputs.rs#L180-L181
pub struct LocalNoteMetadata {
    sender: AccountId,
    note_type: NoteType,
    tag: NoteTag,
    attachement: Option<NoteAttachment>,
    // I don't think we even need this for local notes?
    execution_hint: NoteExecutionHint,
}

/// The metadata of a note for consumption in a network transaction.
///
/// Encodes to the following two words:
///
/// ```text
/// 0th felt: [sender_id_suffix (56 bits) | 6 zero bits | note_type (2 bits)]
/// 1st felt: [sender_id_prefix (64 bits)]
/// 3rd felt: [target_id_suffix (56 bits) | 8 zero bits]
/// 2nd felt: [target_id_prefix (64 bits)]
/// 4th felt: [26 zero bits | note_execution_hint_tag (6 bits) | note_execution_hint_payload (32 bits)]
/// 5th felt: [64 zero bits]
/// 6th felt: [64 zero bits]
/// 7th felt: [64 zero bits]
/// ```
///
/// Since network notes do not support note attachments, the metadata encoding can make use of the
/// space in which the attachment is encoded for local notes.
/// 
/// Felt 0 and 1 are identical for local and network note metadata:
/// - Extracting the sender is easy independent of note type.
/// - Note Type is at the same position, which is required to deserialize note metadata into the
///   correct type.
/// 
/// The note execution hint and tag are uninteresting (?) for programmatic access, so are less
/// important to be easily extractable.
pub struct NetworkNoteMetadata {
    sender: AccountId,
    /// Enforce that it is of type AccountStorageMode::Network
    target: AccountId,
    note_type: NoteType,
    // This could also be expanded to one entire felt instead of just 36 bits, though can be done
    // separately if desired.
    execution_hint: NoteExecutionHint,
}

Impact on kernel APIs

Due to differentiating between local and network notes more strongly (no note tag for network notes, account target ID for network notes, possibly removing execution hint for local notes), we'd need different APIs in miden::output_note (and corresponding kernel procedures):

#! Creates a new note intended for local execution and returns the index of the note.
#!
#! Inputs:  [note_type, tag, ATTACHMENT, RECIPIENT]
#! Outputs: [note_idx]
pub proc create_local
    # validate note_type is one of private, public
    #
    # lookup ATTACHMENT in advice provider
    # if absent, set attachment_size = 0
    # if present, set attachment_size = num elements in advice map entry
    #     compute sequential commitment and validate it matches ATTACHMENT
    #     i think this is necessary to prevent a malicious remote prover from swapping the advice
    #     map entries and cause different data to be attached to a public note
    #
    # attachment_size is used to compute the fee for an attachment which should scale with its size
    #     this should be covered by the same fee that covers bytes of public notes
    #
    # set has_metadata to attachment_size != 0 for use in the note metadata
    # it must be committed to because without it, in the raw attachment case, a malicious remote
    # prover could add an advice map entry whose key is ATTACHMENT, it would be attached to the
    # note and the account owner would pay the fee for it (the fee is not committed to by tx summary)
end

#! Creates a new note intended for network execution and returns the index of the note.
#!
#! Inputs:  [target_id_prefix, target_id_suffix, RECIPIENT]
#! Outputs: [note_idx]
pub proc create_network
    # set note_type to network
    # validate target ID has AccountStorageMode::Network
    # ...
end

For retrieving metadata we have input_note_get_metadata and output_note_get_metadata, which could have identical outputs:

#! Inputs:  [is_active_note, note_index, pad(14)]
#! Outputs: [note_type, sender_id_prefix, sender_id_suffix, has_attachment, ATTACHMENT, pad(8)]
pub proc input_note_get_metadata
    # abstract over both note types and return has_attachment (false for network notes) and
    # ATTACHMENT (empty word for network notes).
end

This assumes that the remaining metadata is uninteresting to be accessed programmatically. The alternative is to have local and network variants for metadata, but that seems undesirable.

Impact on note creation

Because note metadata differentiates between local and network execution, every note type will have to choose which modes it supports. This could be represented as a standard enum:

pub enum NoteExecution {
    Local,
    Network,
}

Then, taking P2ID note as an example, create_p2id_note takes an additional note_execution: NoteExecution parameter and constructs NoteMetadata::Local or NoteMetadata::Network accordingly.

There are probably better ways to do this. I'm thinking about a builder approach for notes indepenently of this issue, but it lends itself well for this, too. E.g. there could be LocalP2idNote and NetworkP2IdNote builder types and the former would allow setting a note tag or attachment, while the latter does not, reflecting the underlying note metadata differences.

Summary

• Convert aux in NoteMetadata into a general NoteAttachment, supporting either a raw Word or a sequential-hash commitment over arbitrary data.
• Remove the (mostly unused) encrypted note type at the protocol level; encrypted notes become private notes whose encrypted payload is stored in the attachment.
• Introduce an explicit Network note type and separate LocalNoteMetadata and NetworkNoteMetadata encodings, each occupying two metadata words but using the space differently (local notes: attachments and tags; network notes: target account fields). Hence, note metadata encoding increases from one to two words.
• Refactor NoteTag into two variants (PartialAccountId, UseCase).
• Update kernel APIs to distinguish local vs network note creation: local notes accept tag + attachment; network notes accept a target account instead of tag/attachment.
• Unify metadata-retrieval functions so both local and network notes return a consistent shape.

Open Questions

• Are there alternatives that do not require splitting output_note::create into two variants?
• What should be the max size of note attachment?
• Can we avoid is_public in the NoteTag? Is it sufficient to do this filtering at the node level?
• Do we need NoteExecutionHint for notes that are locally executed? It seems we'd have to run the NoteConsumptionChecker in many cases anyway, though there is a bit of value in not running it e.g. for timelocked notes.
• Should network notes encode NoteExecutionHint as a full felt to allow for more elaborate conditions? To me, it's unclear if we could make good use of that, though.
• Depending on how the "encrypt and hash" functionality works, does it produce the same hash as sequentially hashing the data? If not, the commitment computed by output_note_create_local would be different, as it needs to assume some standard way of hashing.

[PhilippGackstatter]

The above allows for basically two kinds of use cases:

• For notes like the partial swap note SWAPP, users can attach arbitrary amounts of public data to a private note.
  • If my assumptions in `NoteTag` requirements and simplification #1449 (reply in thread) are correct, then for the SWAPP note this could actually be less than a Word worth of data. This can be stored in the ATTACHMENT word directly when calling output_note::create_local, i.e. the NoteAttachment::Raw variant in Rust terms.
• The other use case is encrypted private notes. This would roughly look like this:

  begin
      # push recipient
      # => [RECIPIENT]
  
      # push type and tag
      # => [
      #   note_type = Private,
      #   tag = PartialAccountId,
      #   RECIPIENT
      # ]
      # call convenience procedure `create_encrypted`
      exec.miden::output_note::create_encrypted
      # => [note_idx]
  end
  
  # could be defined in miden::output_note
  pub proc create_encrypted
      # push note details (out of scope)
      # this creates the ATTACHMENT
      # note: this procedure does not yet exist
      exec.::std::crypto::...::encrypt_and_hash
      # => [...]
  
      # rearrange stack
      # ...
      # => [
      #   note_type = Private,
      #   tag = PartialAccountId,
      #   ATTACHMENT = encrypted note details,
      #   RECIPIENT
      # ]
      exec.output_note::create_local
      # => [note_idx]
  end
  

[bobbinth]

Looks great! Thank you for writing this up! A few preliminary questions:

pub enum NoteMetadata {
    Local(LocalNoteMetadata),
    Network(NetworkNoteMetadata),
}

Here, the Local variant would be for both private and public notes, right?

/// The optional attachment to a note intended for local execution.
pub enum NoteAttachment {
    /// A raw [`Word`] that is used as-is when computing the note commitment.
    Raw(Word),
    /// Arbitrary data whose sequential hash is used when computing the note commitment.
    ///
    /// At most 2^12 words (= 2^14 felts = 2^16 bytes assuming 4 bytes per felt).
    /// (Let me know if you have different opinions, I picked this rather arbitrarily)
    Commitment(Vec<Felt>),
}

Allowing $2^{16}$ bytes per note feels like a bit too much. I'd probably limit it to 4KB or 8KB (i.e., 256 or 512 words respectively).

It would be nice to not need the is_public, and my question is whether this could be done
by allowing clients to filter at the node API level by tag + note visibility?

I think it simplifies things to keep the number of "queryable" fields small - so, I wouldn't add visibility as one of the fields we can query by. At the same time, I wonder if the value of being able to specify not visibility via a tag is high enough. Maybe tags can be just 32 bits of arbitrary data by which users can query notes.

Separately, I do think we probably want to have tags for network notes. The primary use case for this is something like discussed in 0xMiden/miden-client#1544 (comment) (i.e., a user may need to find a specific network note).

// I don't think we even need this for local notes?
execution_hint: NoteExecutionHint,

Yes, I'm not sure this is needed. I know we use this in the client - but maybe there we can refactor things to not rely on execution hints (cc @igamigo)

[bobbinth]

A few more thoughts on this (in part informed by thinking about #2120):

• It seems like including a tag for all note types would be valuable because users may want to query the network not just for "local" notes but for network notes as well.
• We do need network notes which are "use-case" based (e.g., the PSWAP note could also be processed by the network).
• I do wonder if having a more uniform approach to defining metadata would be better.

So, here is a potential alternative approach:

/// This stays as in the original proposal
pub enum NoteType {
    Private,
    Public,
    Network,
}

/// This would still be encoded as two words with sender, note_type, tag, and attachment discriminant
/// going into the first word, and the attachment payload going into the second one.
pub struct NoteMetadata {
    sender: AccountId,
    note_type: NoteType,
    // this tag would be used purely for note discovery; for example, the network transaction builder
    // would probably just ignore it
    tag: NoteTag,
    attachement: NoteAttachment,
}

/// This would define the data that can be attached to a note. The set of attachment variants could be
/// increased over time via improvement proposals.
///
/// This would reduce to potentially 3 components:
/// - Some type description of the contained data (e.g., discriminant + the size of the attachment).
/// - Either a single word or a commitment to the underlying data.
/// - If data requires more than a word, then the actual underlying data.
#[non_exhaustive]
pub enum NoteAttachment {
    /// A note with no attachments (e.g., a simple P2ID note)
    Empty,

    /// The attachment is an un-typed word.
    Value(Word),

    /// An arbitrary list of field elements. The second metadata word would contain the commitment
    /// to this data.
    List(Vec<Felt>),

    /// The attachment contains encrypted contents of the note. The second metadata word contain
    /// the commitment to this data.
    Encrypted(Vec<Word>),

    /// The attachment contains data expected by the network to execute the note
    /// against a specific network account.
    ///
    /// Execution hint could be a full felt - or even two felts.
    NetworkAccount { target: AccountId, execution_hint: NoteExecutionHint }

    /// A hypothetical attachment variant for facilitation swaps at the network level.
    NetworkSwap { ... },
}

The main drawback I see with this is that it is possible to create a mismatch - e.g., a network note with Empty attachment, but:

• I'm not sure we need to enforce this at the protocol level
• At other levels, we could probably have helper functions/structs that aid in construction of valid notes.

[PhilippGackstatter]

Note Metadata

Looks good! I think having note metadata consist of some common parts (e.g. sender) and having the attachment function as an extension makes sense structurally. The downside you mentioned seems not ideal, but minor.

If we go with having parts of the metadata be the same, and different attachment types, then I think we don't need to introduce NoteType::Network and can just leave it at Private and Public, which is simpler. "Network notes" can be identified via matches!(note_metadata.attachment(), NoteAttachment::NetworkAccount { .. }).

From what I can tell, a must have requirement is that the tx kernel is aware of each attachment type so that it can validate the integrity of the attachment. Otherwise, the advice data is not safe from manipulation. Because of that, in my ideal world, we could keep the number of attachment variants low, so the kernel is only aware of the absolute must haves (e.g. no in-protocol SWAP).

Thinking deeper into the impact on miden and $kernel APIs for this, I think there are two reasonable options.
In both cases, we retain a single output_note_create kernel procedure (instead of having local and network variants).

Unified attachment API

Here we only change the signature of output_note_create kernel procedure to allow adding an attachment:

#! Inputs:  [tag, note_type, attachment_type, ATTACHMENT, RECIPIENT, pad(5)]
#! Outputs: [note_idx, pad(15)]
pub proc output_note_create
    # validates the attachment with respect to advice data
    # validates that note is public if attachment_type is network account and similar invariants
end

Split attachment API

Here we keep the signature of output_note_create kernel procedure to the minimal necessary data:

#! Inputs:  [tag, note_type, RECIPIENT, pad(10)]
#! Outputs: [note_idx, pad(15)]
pub proc output_note_create
    # creates a note whose attachment is of type NoteAttachment::Empty
end

Additionally, we'd have an API to change the note attachment of a note:

#! Inputs:  [note_idx, attachment_type, ATTACHMENT, pad(10)]
#! Outputs: [pad(16)]
pub proc output_note_set_attachment
    # overwrite the attachment of the note with the given idx
    # validates the attachment with respect to advice data
    # validates that note is public if attachment_type is network account and similar invariants
end

API comparison

The unified approach should be more efficient, as it allows specifying everything at once and requiring a single kernel call to create a note with attachment. It comes at the cost of being more complex to use for simple cases where one would simply want a NoteAttachment::Empty.
The split approach is nicer in this regard, as it untangles the attachment from the note, but requires two kernel calls to create a note with an attachment.

In both cases, I think we would have wrapper procedures in miden lib anyway to simplify creating notes for "standard" use cases, e.g. network notes using NoteAttachment::NetworkAccount or encrypted notes using NoteAttachment::Encrypted. So, users would rarely need to call the raw kernel procedure themselves. Hence, the unified approach seems better for efficiency reasons. Another advantage for the unified approach is that the consistency of, e.g. note_type and attachment_type can be validated, e.g. NoteAttachment::NetworkAccount requires NoteType::Public, etc.

Output Note Creation APIs

We could essentially have a miden::output_note API per NoteAttachment variant. Some of these could be:

#! Creates a note with an empty attachment.
#! Caters towards the basic use cases (e.g. P2ID and friends).
#!
#! Inputs:  [tag, note_type, RECIPIENT]
#! Outputs: [note_idx]
pub proc create

#! Wraps the kernel procedure for power users.
#!
#! Inputs:  [tag, note_type, attachment_type, ATTACHMENT, RECIPIENT]
#! Outputs: [note_idx]
pub proc create_raw

#! Creates a note targeted at a network account.
#!
#! Inputs:  [target_id_prefix, target_id_suffix, tag, execution_hint, RECIPIENT]
#! Outputs: [note_idx]
pub proc create_network

#! Creates a note with an attachment of type Encrypted.
#!
#! Inputs:  [tag, note_type, ENCRYPTION_KEY, RECIPIENT]
#! Outputs: [note_idx]
pub proc create_encrypted

The nice thing is that these are just convenience APIs and they are at the standards level, not the kernel level. That keeps the number of kernel APIs required to support all of this to a minimum.

Encoding

I think the NoteMetadata could encode to two words like this:

0th felt: [sender_id_suffix (56 bits) | attachment_type (4 bits) | 3 zero bits | note_type (1 bit)]
1st felt: [sender_id_prefix (64 bits)]
2nd felt: [32 zero bits | note_tag (32 bits)]
3rd felt: [64 zero bits]
4th-7th felt: NOTE_ATTACHMENT

• This reserves space for 16 possible attachment types, and keeping 3 zero bits reserved for future use in either attachment type or note type.
• Going with only NoteType::{Private, Public} would require only a single bit.
• It leaves one entire felt unused for future purposes, too.

Note Tag

At the same time, I wonder if the value of being able to specify not visibility via a tag is high enough.

I mostly included is_public because you mentioned it in a comment, but I think we probably don't need to enforce it. I'm also not a builder, though.

It seems like we could either define note tags to be completely arbitrary, e.g. NoteTag(u32) or have some minimal structure to it, e.g. "targeted at an account" or "use case note".

Arbitrary tags

In miden objects/protocol, we'd simply define:

pub struct NoteTag(u32);

Lightly structured tags

This could basically be what I mentioned before without is_public, so:

pub enum NoteTag {
    /// The partial account ID prefix of the intended receiver of the note.
    /// Uses https://docs.rs/ux/ - we could do our own newtype wrappers as well.
    PartialAccountId {
        /// The partial account id.
        id: ux::u31,
    },

    /// A specific use case of a note.
    ///
    /// For instance, a SWAP note is not targeted at a specific account for consumption, instead it
    /// is a note for a certain use case.
    ///
    /// For such a SWAP note, this could encode the first 14 bits of the SWAP script root as a
    /// use case identifier (leaks the note's script, but any use case identifier essentially does
    /// that and this avoids having to come up with manual use case IDs), and the remaining 16 bits
    /// using 8 bits of the offered asset faucet ID and 8 bits of the requested asset faucet ID.
    UseCase {
        id: ux::u15,
        /// The payload of the use case.
        payload: u16,
    },
}

Structure

I think in both cases, we'd want to give builders some standard way of constructing tags. E.g. answering questions like: How do I create a tag for a note targeted at a private account? Assuming that's true, the question is where that structure should be provided. In the second case, it is enshrined into the NoteTag definition itself, while in the first case, it could be a standard implemented in miden-standards, conceptually as an extension trait to NoteTags. It could then have the methods like we pretty much have now:

• from_local_account_id(account_id: AccountId,tag_len: u8)
• new_use_case(use_case_id: ux::u15, payload: u16)

I'm thinking the second approach might overall be better, again keeping the protocol (tx kernel) simpler as it does not have to enforce any tag invariants and allowing for easier evolution of "tag standards" over time.

cc @igamigo @mmagician in case you have thoughts on the note tag structuring (or anything else)

[igamigo]

// I don't think we even need this for local notes?
execution_hint: NoteExecutionHint,

Yes, I'm not sure this is needed. I know we use this in the client - but maybe there we can refactor things to not rely on execution hints (cc @igamigo)

Yes, I think we could safely remove this pretty much without any consequences.

I don't have too many comments on the structuring as of now, except that the direction is nice for usecases like the one in 0xMiden/miden-client#1544. It would still feel unclean to allow for mismatches as the one Bobbin described (empty attachments on a network note) unless it hides some usecase or consequence that I'm not aware of. So in this regard I think minimizing this complexity (and the complexity within the kernel itself and pushing it more to standards as Philipp suggested) is a good idea. Additionally, upon quickly drafting a couple alternatives, it doesn't feel too easy to avoid cases like this without maybe a more profound refactor at least.

[partylikeits1983]

I really like the general direction of unifying metadata + attachments and keeping the kernel surface small, but I have two thoughts after reading through this:

1. MASM ergonomics: It’s already pretty painful to create notes from MASM. Whatever we do at the kernel/standards level, ideally we'd avoid pushing more knobs (attachment_type, execution hints, etc.) directly into the MASM-facing APIs. As long as this doesn't make note creation in MASM significantly more difficult, then this refactor is a big value add.

2. Although not directly related to this issue, since @bobbinth listed NetworkSwap as a variant in the NoteAttachment enum in this comment, I might as well write this thought down here: For the PSWAP/SWAP / in-protocol DEX story, I don’t see a clear answer yet to price-overlap cases. E.g. a 1 ETH buy at 3000 USDC crossing a 1 ETH sell at 2900 USDC leaves 100 USDC surplus. Who receives that surplus, if the two notes are executed against each other by the ntx builder?

[PhilippGackstatter]

The main drawback I see with this is that it is possible to create a mismatch - e.g., a network note with Empty attachment

If we keep NoteType::Network, we could validate that the provided attachment is NoteAttachment::NetworkAccount in the kernel. If we don't have it, we can validate that if NoteAttachment::NetworkAccount is used, the note type is "public". So if the kernel is aware of the attachment types, which I think it must be, then we can validate a few things.

---

Thinking more about network note use cases after reviewing #2123, I wanted to explore how the MINT note would look like with these APIs. I was worried this would end up being very complex, because,naively, using the specialized APIs in miden::output_note for creating local and network notes, will make note scripts that support creating both types a bit more difficult. This closely relates to @partylikeits1983's ergonomics comments.

Taking the MINT note as an example, it could create a P2ID note targeted at a network account or a local account. If we go strictly with the unified approach I mentioned, then everything has to be provided in one call, and so this implies different APIs per attachment type, as I mentioned in the last post. Considering the MINT note supports private and public output notes, which have different branches, the naive logic would look like (pseudo MASM):

if is_private_output_note {
  if is_network_target {
      panic!("unsupported")
  } else {
      # create private note
      exec.miden::output_note::create
  }
} else {
  if is_network_target {
      # create network note
      exec.miden::output_note::create_network
  } else {
      # create public note
      exec.miden::output_note::create
  }
}

Writing it that way seems pretty complex and it would be nice to be able to avoid this. One alternative is to use the create_raw API mentioned in the last post, conceptually like this:

(tag, note_type, attachment) = if is_public_output_note && is_network_target {
  # returns NoteAttachmentType::NetworkAccount { ... }
  attachment = exec.miden::output_note::network_target_attachment(target_id, exec_hint)
  # tag is unimportant (?)
  (0, NoteType::Public, attachment)
} else {
  # returns NoteAttachmentType::Empty
  attachment = exec.miden::output_note::empty_attachment
  tag = NoteTag::from_local_account_id(target_id)
  (tag, NoteType::Private, attachment)
};

if is_private_output_note {
  # handle private logic
  exec.miden::output_note::create_raw(tag, note_type, attachment, ...)
} else {
  # handle public logic
  exec.miden::output_note::create_raw(tag, note_type, attachment, ...)
}

This untangles the logic and still uses only one kernel call for creating the note with its attachment.

This makes me a bit more confident that the unified approach should work well even for complex scenarios, though of course this is just one example.

[bobbinth]

Looks like we are almost there with the design! A few assorted comments (not comprehensive):

If we go with having parts of the metadata be the same, and different attachment types, then I think we don't need to introduce NoteType::Network and can just leave it at Private and Public, which is simpler. "Network notes" can be identified via matches!(note_metadata.attachment(), NoteAttachment::NetworkAccount { .. }).

I think this should work. If we want to make the kernel "attachment-aware", we could validate in the kernel that notes with NoteAttachment::NetworkAccount are always public. We could even go a step further and encode note type into attachment type - e.g., any attachment type that starts with a 0 must be public, and any attachment type that starts with 1 must be private - but I'm not sure if this is a good idea.

0th felt: [sender_id_suffix (56 bits) | attachment_type (4 bits) | 3 zero bits | note_type (1 bit)]
1st felt: [sender_id_prefix (64 bits)]
2nd felt: [32 zero bits | note_tag (32 bits)]
3rd felt: [64 zero bits]
4th-7th felt: NOTE_ATTACHMENT

I was thinking of attachment_type a bit differently:

1. I think we need to allow for more variants in the future. I'd probably allocate a full byte for it.
2. For some types, we'd probably want to encode the number of elements in the attachment data (so that we don't need to encode the length separately). This probably doesn't need to be more than 2 bytes (and in practice, we are unlikely to allow attachments of $2^{16}$ elements).

To accommodate the above, we could use the upper 32 bits of the second elements. Basically, these 32 bits would look something like this:

[8 zero bits, 8 attachment type bits, 16 attachment length bits]

It seems like we could either define note tags to be completely arbitrary, e.g. NoteTag(u32) or have some minimal structure to it, e.g. "targeted at an account" or "use case note".

The more I think about it, the more it seems like the tags should be just arbitrary 32 bits of data. We could still provide some convenience functions to create/parse "well-known" tag formats though.

MASM ergonomics: It’s already pretty painful to create notes from MASM. Whatever we do at the kernel/standards level, ideally we'd avoid pushing more knobs (attachment_type, execution hints, etc.) directly into the MASM-facing APIs. As long as this doesn't make note creation in MASM significantly more difficult, then this refactor is a big value add.

Not a direct reply to this, but I think we should start providing "note constructors". For example, we could have miden::standards::notes::p2id::new procedure that would take a set of parameters and create a P2ID note by calling miden::protocol::output_note::create and other relevant procedures. Same would go for other note types.

Although not directly related to this issue, since @bobbinth listed NetworkSwap as a variant in the NoteAttachment enum in this comment, I might as well write this thought down here: For the PSWAP/SWAP / in-protocol DEX story, I don’t see a clear answer yet to price-overlap cases. E.g. a 1 ETH buy at 3000 USDC crossing a 1 ETH sell at 2900 USDC leaves 100 USDC surplus. Who receives that surplus, if the two notes are executed against each other by the ntx builder?

In this case, the surplus could be claimed by the block producer. In the current case, this would be our centralized node, but once we decentralize, it would be whoever is able to produce the next block. This could be another revenue stream for "miners".

[PhilippGackstatter]

We could even go a step further and encode note type into attachment type - e.g., any attachment type that starts with a 0 must be public, and any attachment type that starts with 1 must be private - but I'm not sure if this is a good idea.

I think that's possible, but probably just a different way of doing things. If we have validation per attachment type, it would be completely up to the attachment to validate the note to which it is attached. Each one would likely enforce what note types are allowed, so this can be enforced at the attachment type level or at by each attachment. My light preference would be to let every attachment fully handle its own validation.

2. For some types, we'd probably want to encode the number of elements in the attachment data

Is it strictly necessary to have the size of the attachment data? I was thinking we could get away with just having the commitment to it, and whatever number of felts hash to that commitment is valid. So, a malicious user cannot practically attach anything other than the actual data to the note without it becoming invalid. And when we validate the attachment in the VM, we'd use adv.push_mapvaln from which we get the length. I think this is the same line of thought as with the note inputs and whether having their length is needed or not (#2036 (comment)). I wanted to avoid this so we wouldn't have to encode the size in the note metadata, but maybe I'm not seeing some benefit to having this.