Allow multiple attachments per note and make them immutable

[PhilippGackstatter]

Recently, the need for append-only attachments came up where multiple faucets may need to add to a note's attachment without being able to overwrite the other faucet's already added data.

I think we can support append-only attachments via arrays relatively easily in the tx kernel.

One of the difficulties with using attachments more generally may be the following:

• A note creator sets NetworkTargetAccount attachment to make it a network note.
• Then an asset is added to that note that requires the faucet callback to add custom data to the attachment. Depending on what exactly the procedure call looks like, this will either fail or it will overwrite the previously set attachment. Both are bad.

In this case, we basically want to allow having both attachments. So the option is to allow multiple attachments per note, or convert the Word attachment into an Array attachment when necessary to make more room.

So, the current output_note_set_attachment tx kernel attachment API could be changed to:

pub proc output_note_append_attachment(note_idx, attachment_scheme, attachment_word_size, ATTACHMENT)

Then it would work like this:

• The note is created and the attachment defaults to NoteAttachmentContent::None.
• A note creator appends a NetworkTargetAccount (attachment_word_size = 1) attachment to make it a network note. Attachment becomes NoteAttachmentContent::Word, since the data can be represented as just a Word.
• An asset is added to the note, issuing faucet is called and it appends its custom data (attachment_word_size = 1) word to the attachment. Now the attachment becomes NoteAttachmentContent::Array([network_account_target, custom_data0]).
• Another faucet adds custom data and the attachment ends up being NoteAttachmentContent::Array([network_account_target, custom_data0, custom_data1]).

So, the attachment in general becomes effectively immutable and append-only. A nice UX benefit is that the internal representation (none, word, array) does not have to be chosen by the user but automatically by the kernel. In other words, the kernel automatically uses the minimal possible representation.

If attachment_word_size > 1 is passed, the ATTACHMENT is interpreted as an advice map key and the data is flattened and appended.

The downside of this approach is that it wouldn't be possible to overwrite an attachment (which is currently possible). But I'm not sure there are use cases that really require this? So this should be okay.

Another downside is that each attachment needs to set an attachment_scheme and once we have multiple attachments, the space in NoteMetadata is no longer sufficient to encode all of that. So maybe we'll need a header Word per attachment that contains the scheme (and the size of each flattened attachment). Though we can think about ways to make this more efficient by restricting the max number of assets or encoding multiple schemes/kinds into a global header.

[PhilippGackstatter]

Judging by all the calls to output_note::set_attachment in the code base I think it was a mistake to require the note_idx on top of the stack for set_attachement. The API of add_asset is actually more convenient in most cases: The note_idx is on the stack and assets are subsequently pushed on top, without having to move the note_idx. For set_attachment, we always need to movup:

protocol/crates/miden-agglayer/asm/agglayer/bridge/bridge_out.masm

Lines 512 to 520 in 17ff028

	loc_load.ATTACHMENT_KIND_LOC
	loc_load.ATTACHMENT_SCHEME_LOC
	# => [attachment_scheme, attachment_kind, NOTE_ATTACHMENT, note_idx, note_idx]
	movup.6
	# => [note_idx, attachment_scheme, attachment_kind, NOTE_ATTACHMENT, note_idx]
	exec.output_note::set_attachment
	# => [note_idx]

protocol/crates/miden-standards/asm/standards/notes/mint.masm

Lines 130 to 136 in 17ff028

	mem_load.ATTACHMENT_KIND_ADDRESS
	mem_load.ATTACHMENT_SCHEME_ADDRESS
	movup.6
	# => [note_idx, attachment_scheme, attachment_kind, ATTACHMENT, pad(18))]
	exec.output_note::set_attachment
	# => [pad(18))]

protocol/crates/miden-standards/asm/standards/notes/swap.masm

Lines 98 to 104 in 17ff028

	mem_load.ATTACHMENT_KIND_PTR
	mem_load.ATTACHMENT_SCHEME_PTR
	movup.14
	# => [note_idx, attachment_scheme, attachment_kind, ATTACHMENT, pad(8)]
	exec.output_note::set_attachment
	# => [pad(8)]

So, if we touch the API here again, let's move the note_idx to the deepest part of the inputs.

[bobbinth]

So, the current output_note_set_attachment tx kernel attachment API could be changed to:

pub proc output_note_append_attachment(note_idx, attachment_scheme, attachment_word_size, ATTACHMENT)

Judging by all the calls to output_note::set_attachment in the code base I think it was a mistake to require the note_idx on top of the stack for set_attachement.

I would also call the procedure add_attachment (to be consistent with add_asset), and IIUC, it would look something like:

> pub proc add_attachment(attachment_scheme, attachment_word_size, ATTACHMENT, note_idx)

Right?

Also, I'm assuming the following:

• attachment_word_size == 0 is not allowed.
• For attachment_word_size > 1, we'll need to validate if the ATTACHMENT actually "unhashes" to the specified number of word.

The downside of this approach is that it wouldn't be possible to overwrite an attachment (which is currently possible). But I'm not sure there are use cases that really require this? So this should be okay.

I think that's actually a benefit.

Another downside is that each attachment needs to set an attachment_scheme and once we have multiple attachments, the space in NoteMetadata is no longer sufficient to encode all of that.

I think we can make the number of attachments pretty small - e.g., 4 - 8 max. For example, we could reduce the size of AttachmentScheme to 16 bits and in this case we'd have enough space fro 4 attachment schemes in the 4th element of note metadata. We could also use the upper 32 bits of the 3rd element - and this would give us up to 6 attachments. If we reduce the scheme even more (e.g., 10 or 12 bits) we'd be able to fit more - but not sure it's needed.

---

One other thing I've been thinking about is whether putting attachments into NoteMetadata was the right choice. Metadata is supposed to be bounded-size description of the note - but attachments are more like note details. So, I'm wondering if the structure should be more like:

pub struct Note {
    header: NoteHeader,
    details: NoteDetails,
    attachments: Vec<NoteAttachment>,

    nullifier: Nullifier, // computed field
}

pub struct NoteHeader {
    note_id: NoteId,
    note_metadata: NoteMetadata,
}

pub struct NoteMetadata {
    sender: AccountId,
    note_type: NoteType,
    tag: NoteTag,
    attachments: NoteAttachmentHeader,
}

pub struct NoteAttachmentHeader {
    schemes: Vec<NoteAttachmentScheme>,
    commitment: Word,
}

There are probably some issues with the above design (it is meant to be more like a sketch) - but the overall idea is to start treating attachments more like we treat note details.

[PhilippGackstatter]

I would also call the procedure add_attachment (to be consistent with add_asset), and IIUC, it would look something like:

> pub proc add_attachment(attachment_scheme, attachment_word_size, ATTACHMENT, note_idx)

Right?

Agreed!

We can provide one convenient word-size wrapper in miden::protocol::output_note, i.e.:

# Internally passes attachment_word_size = 1
pub proc add_word_attachment(attachment_scheme, ATTACHMENT, note_idx)

# Exposes the raw API directly
pub proc add_attachment(attachment_scheme, attachment_word_size, ATTACHMENT, note_idx)

I think we can make the number of attachments pretty small - e.g., 4 - 8 max. For example, we could reduce the size of AttachmentScheme to 16 bits and in this case we'd have enough space fro 4 attachment schemes in the 4th element of note metadata. We could also use the upper 32 bits of the 3rd element - and this would give us up to 6 attachments.

Agreed, a few attachments should be sufficient. 16 bits does sound sufficient as well. A felt technically has space for only 63 bits, so maybe we need to use 16x3 from the 4th felt and 16 bits from the 3rd felt.

The attachment kind can either be set explicitly in metadata or be derived, if we reserve scheme = 0 to indicate absence of the attachment at the corresponding index.

One other thing I've been thinking about is whether putting attachments into NoteMetadata was the right choice. Metadata is supposed to be bounded-size description of the note - but attachments are more like note details.

Good point. I guess the reason we put it there was mainly because our discussion on the attachment started as an extension to the metadata, but taking that lens off it does fit better into or next to NoteDetails. This would make NoteMetadata fixed-size again.

I can't see any immediate issues with this approach, but I'd need to spend a bit more time thinking through that once we implement that. I think if we move it, we may (or may not) have to hash it into a different part of the overall note commitment, but that should be doable.

[bobbinth]

Agreed, a few attachments should be sufficient. 16 bits does sound sufficient as well. A felt technically has space for only 63 bits, so maybe we need to use 16x3 from the 4th felt and 16 bits from the 3rd felt.

If we put an upper bound on the scheme to be $2^{16}-2$, then we should be able to fit 4 schemes into a felt w/o risking overflow.

The attachment kind can either be set explicitly in metadata or be derived, if we reserve scheme = 0 to indicate absence of the attachment at the corresponding index.

Using 0 to indicate absence makes sense. We should probably make sure to enforce that there are no "gaps" - i.e., we don't have attachment at index 0 set to "none", but attachment at index 1 is not "none".

I can't see any immediate issues with this approach, but I'd need to spend a bit more time thinking through that once we implement that. I think if we move it, we may (or may not) have to hash it into a different part of the overall note commitment, but that should be doable.

I think one thing that would be very nice to have is that if there is only one single-word attachment, it would be "embedded" into the metadata. But I'm not sure how much complexity this would add.

[PhilippGackstatter]

Limiting the scheme to 2^16 - 2 works great, good idea.

I think overall there are two questions:

• Where do we store the attachment header info like attachment scheme and maybe attachment size?
• Where do we store the actual data of the attachments?

For the first, I think the way you defined the attachment header in note metadata should work, and we can keep the way we hash the current metadata commitment, i.e. hash(NOTE_METADATA_HEADER, NOTE_METADATA_ATTACHMENT).

For the second: Attachments are always public, independent of the underlying NoteType and so, OutputNote must contain the attachment, even in the Private variant:

protocol/crates/miden-protocol/src/transaction/outputs/notes.rs

Lines 337 to 342 in c05c5e6

	pub enum OutputNote {
	/// A public note with full details, size-validated.
	Public(PublicOutputNote),
	/// A note private header (for private notes).
	Private(PrivateNoteHeader),
	}

Here we have basically two options:

• Put the attachment data into NoteHeader.
• Put it into PrivateNoteHeader.

The NoteHeader is mainly useful as a cryptographic summary of a note. It is used in:

• OutputNoteCollection to compute the commitment over the entire collection.
• Delayed authentication for transactions.
• Included for each output note in TransactionHeader.
• At the batch and block level for input/output note tracking/erasure (InputOutputNoteTracker)

None of these required the full attachment data so far, but we have to make the attachment available elsewhere. In order to make the attachment available in OutputNote independent of the public/private type, we can include it in PrivateNoteHeader, which we can rename to PrivateOutputNote at that point.

Overall, we'd have:

// Collection wrapper for type safety and enforcing max allowed number of attachments
pub struct NoteAttachments(Vec<NoteAttachment>);

pub struct Note {
    header: NoteHeader,
    details: NoteDetails,
    attachments: NoteAttachments,

    nullifier: Nullifier, // computed field
}

pub struct PartialNote {
    header: NoteHeader,
    attachments: NoteAttachments,
    recipient_digest: Word,
    assets: NoteAssets,
}

// Previously `PrivateNoteHeader`
pub struct PrivateOutputNote {
    header: NoteHeader,
    attachments: NoteAttachments,
}

pub enum OutputNote {
    /// A public note with full details, size-validated.
    Public(PublicOutputNote),
    /// A private output note consisting of a header and attachments.
    Private(PrivateOutputNote),
}

impl OutputNote {
    // We can then implement this method.
    pub fn attachments(&self) -> &NoteAttachments { ... }
}

NoteHeader and NoteMetadata could look as you sketched it.
We should also be able to remove NoteMetadataHeader because the conversion from Word to NoteMetadata becomes possible again since it no longer contains the full NoteAttachment.

Including attachments in PartialNote should be a straightforward change in OutputNoteBuilder.

We also need to store the size of each attachment, but I'll write this up in another comment.

[PhilippGackstatter]

We also need to store the size of each attachment, the question is where.

In order to "deserialize" them into multiple attachments, the attachment_word_size of each is needed.

We can either try to pack it into the metadata or prefix the attachments with a header word.

Pack into Metadata (Option 1)

If we pack the scheme and size into metadata, it would keep the attachment data relatively clean: Just a concatenation of all attachment elements.

If we limit the total number of attachments to 4, we could pack it into metadata:

0th felt: [sender_id_suffix (56 bits) | 6 zero bits | note_type (2 bit)]
1st felt: [sender_id_prefix (64 bits)]
2nd felt: [attachment_3_word_size (8 bits) | attachment_2_word_size (8 bits) |
           attachment_1_word_size (8 bits) | attachment_0_word_size (8 bits) | note_tag (32 bits)]
3rd felt: [attachment_3_scheme (16 bits) | attachment_2_scheme (16 bits) |
           attachment_1_scheme (16 bits) | attachment_0_scheme (16 bits)]

Similar to attachment scheme, we can limit the size to be at most 254, so we retain a valid 2nd metadata felt.
The main limit is that each attachment can at most store 254 * WORD_SIZE * BYTES_PER_FELT = 8128 bytes. The overall limit of all attachments would be the existing 16 KiB.

If we want to double the limit, another option is to basically only allow specifying number of double words, but we'd have to find a way to still specify the single-word attachment case, which is doable.

If there are only one or two attachments, we could allow these to specify their word size in 16 bits since the rest would be unused, and then the limit would be less problematic. So, if num_attachments = 1 || num_attachments = 2, the 2nd felt could be interpreted as:

2nd felt: [attachment_1_word_size (16 bits) | attachment_0_word_size (16 bits) | note_tag (32 bits)]

The main idea is that this impose less of a hard limit for encrypted notes which only need a single, but large attachment.

Headers (Option 2)

The alternative is to prefix the attachment data with a header word. For instance, with a single-word attachment and a double-word attachment:

[HEADER, ATTACHMENT_1, ATTACHMENT_2[0], ATTACHMENT_2[1]]

In this case, header could be:

0th felt: [attachment_1_size (16 bits) | attachment_1_scheme (16 bits) |
           attachment_0_size (16 bits) | attachment_0_scheme (16 bits)]
1st felt: [attachment_3_size (16 bits) | attachment_3_scheme (16 bits) |
           attachment_2_size (16 bits) | attachment_2_scheme (16 bits)]
2nd felt: [attachment_5_size (16 bits) | attachment_5_scheme (16 bits) |
           attachment_4_size (16 bits) | attachment_4_scheme (16 bits)]
3rd felt: [attachment_7_size (16 bits) | attachment_7_scheme (16 bits) |
           attachment_6_size (16 bits) | attachment_6_scheme (16 bits)]

This has room for 8 attachments. In this option, there'd always be at least one header word. If num attachments is 0, this header is the empty word.

In case of a single-word attachment, we'd still add the header even though this info would technically have room in the metadata directly. The hash we'd need to compute to commit to it is: hash(NOTE_METADATA_HEADER, hash(ATTACHMENT_HEADER, ATTACHMENT)), so one extra hash compared to Option 1.

To optimize for the single-attachment, single-word case, we could technically encode the first attachment's size and scheme into the metadata and only put the second and later attachments size and scheme into the header.

Comparison

• Supported number of attachments
  • Option 1: 4 attachments
  • Option 2: 8 attachments, with the possibility to extend
• The metadata commitment in each option would be:
  • Empty attachment: hash(NOTE_METADATA_HEADER, EMPTY_WORD) in both options
  • Single-word attachment:
    • Option 1: hash(NOTE_METADATA_HEADER, ATTACHMENT).
    • Option 2: hash(NOTE_METADATA_HEADER, hash(ATTACHMENT_HEADER, ATTACHMENT)).
  • Multiple attachments
    • Option 1: hash(NOTE_METADATA_HEADER, ATTACHMENT), where ATTACHMENT is the sequential hash over the attachment elements.
    • Option 2: hash(NOTE_METADATA_HEADER, ATTACHMENT), where ATTACHMENT is the sequential hash over the attachment elements, including the header.
    • Both cases may not be an even number of words.
• Allowed schemes
  • Option 1: 0..=(u16::MAX - 1)
  • Option 2: 0..=u16::MAX - scheme is encoded in lower bits so no restriction needed
• Possible attachment sizes in words
  • Option 1: 0..=254
  • Option 2: 0..=(u16::MAX - 1) , though we would put a much lower limit on it, i.e. 512, which would match the current 16 KiB for NoteAttachmentArray.

So:

• Option 1 deals better with the single-word attachment case since it requires one less permutation. The other scenarios incur the same amount of work.
• The main benefit of Option 2 is that it allows more than 4 attachments and we could more easily allow (even) more attachments later by introducing another header (after the first 8 attachments).
• Both options have a more complicated version of themselves that optimizes things a bit, but is probably not worth it due to the complexity.

I'd lean towards the second option, because I'm not sure if 4 attachments are enough and because the first option would basically not allow increasing the limit later, and I like to retain that ability.

For the encrypted asset viewing use case one could add 4 assets before hitting the limit, which sounds low, but may be enough. But, I don't know of other use cases for multiple attachments.

Another advantage of Option 2 is that it allows a single attachment to take up the full allowed space of attachments (currently 16 KiB), which seems good for large single-attachment use cases like encrypted notes.

[bobbinth]

The structure described in #2555 (comment) looks great!

I'd lean towards the second option, because I'm not sure if 4 attachments are enough and because the first option would basically not allow increasing the limit later, and I like to retain that ability.

I'm actually leaning toward option 1: it feels cleaner and also fits well with the idea that notes should be relatively small (e.g., we also want to reduce maximum number of assets per note).

With 8KB max per attachment we indeed won't be able to "encrypt" all notes - but not sure if that's a big issue. In the worst case, it may be possible to encrypt note storage and note assets in separate attachments.

If we ever need more than 4 attachments, we could still use one of the 6 "unused" zeros in the 0th metadata felt to signal a different attachment scheme - though, granted, this would not be super elegant (i.e., we'd end up with two parallel attachment schemes).

[PhilippGackstatter]

I'm actually leaning toward option 1: it feels cleaner and also fits well with the idea that notes should be relatively small (e.g., we also want to reduce maximum number of assets per note).

I think both options are reasonable and the general idea of small notes is good as well, i.e. encourage users to not put too much stuff into one note. So, let's go with that option 👍.

If we ever need more than 4 attachments, we could still use one of the 6 "unused" zeros in the 0th metadata felt to signal a different attachment scheme

This makes me think whether we should define the first felt of note metadata like this:

[sender_id_suffix (56 bits) | reserved (2 bits) | note_type (2 bit) | version (4 bits)]

This is a safety measure to allow potential future changes to note metadata in non-breaking ways, like allowing different attachment schemes, larger metadata in general, whatever else may come up. Hopefully we'll never need it (like the version in account ID), but seems good to have.

Another thing we may want to do is reduce note type to 1 bit, if we're sure we don't need other types in the future (which I think we don't?).