fix: remove redundant to/memo from DecryptionData

The `to` and `memo` fields in `DecryptionData` were redundant: the
on-chain `ZoneInbox` already decrypts the ciphertext via AES-256-GCM
and can derive these values directly from the plaintext. Remove them
from the struct and use the decrypted values on-chain instead of
comparing against sequencer-supplied duplicates.

Saves 52 bytes of calldata per encrypted deposit (20-byte address +
32-byte memo).

Closes #357

Made-with: Cursor

Author: dankrad

crates/primitives/src/abi.rs

@@ -378,12 +378,11 @@ macro_rules! define_abi {
             }
 
             /// Decryption data provided by the sequencer for encrypted deposits.
+            /// The decrypted (to, memo) are derived on-chain from the AES-GCM decryption.
             #[derive(Debug)]
             struct DecryptionData {
                 bytes32 sharedSecret;
                 uint8 sharedSecretYParity;
-                address to;
-                bytes32 memo;
                 ChaumPedersenProof cpProof;
             }
 

crates/tempo-zone/src/builder.rs

@@ -690,8 +690,6 @@ mod tests {
             decryptions: vec![abi::DecryptionData {
                 sharedSecret: B256::ZERO,
                 sharedSecretYParity: 0x02,
-                to: sender,
-                memo: B256::ZERO,
                 cpProof: abi::ChaumPedersenProof {
                     s: B256::ZERO,
                     c: B256::ZERO,

crates/tempo-zone/src/l1.rs

@@ -1205,7 +1205,7 @@ impl L1BlockDeposits {
                             )
                             .await?;
 
-                        let recipient = if authorized {
+                        let _recipient = if authorized {
                             debug!(
                                 target: "zone::engine",
                                 recipient = %dec.to,
@@ -1228,8 +1228,6 @@ impl L1BlockDeposits {
                         let decryption = abi::DecryptionData {
                             sharedSecret: dec.proof.shared_secret,
                             sharedSecretYParity: dec.proof.shared_secret_y_parity,
-                            to: recipient,
-                            memo: dec.memo,
                             cpProof: abi::ChaumPedersenProof {
                                 s: dec.proof.cp_proof_s,
                                 c: dec.proof.cp_proof_c,
@@ -1257,8 +1255,6 @@ impl L1BlockDeposits {
                         let decryption = abi::DecryptionData {
                             sharedSecret: proof.shared_secret,
                             sharedSecretYParity: proof.shared_secret_y_parity,
-                            to: d.sender,
-                            memo: B256::ZERO,
                             cpProof: abi::ChaumPedersenProof {
                                 s: proof.cp_proof_s,
                                 c: proof.cp_proof_c,
@@ -1278,8 +1274,6 @@ impl L1BlockDeposits {
                     let decryption = abi::DecryptionData {
                         sharedSecret: B256::ZERO,
                         sharedSecretYParity: 0x02,
-                        to: d.sender,
-                        memo: B256::ZERO,
                         cpProof: abi::ChaumPedersenProof {
                             s: B256::ZERO,
                             c: B256::ZERO,

crates/tempo-zone/tests/advance_tempo.rs

@@ -38,8 +38,6 @@ sol! {
     struct DecryptionData {
         bytes32 sharedSecret;
         uint8 sharedSecretYParity;
-        address to;
-        bytes32 memo;
         ChaumPedersenProof cpProof;
     }
 }

docs/pages/protocol/privacy/crypto-review.md

@@ -1230,18 +1230,18 @@ This ensures deposits are processed in the exact order they were made, regardles
 
 **On-chain decryption verification:**
 
-The zone can verify encrypted deposit decryption on-chain without the sequencer revealing their private key. The sequencer provides the ECDH shared secret alongside the decrypted data:
+The zone can verify encrypted deposit decryption on-chain without the sequencer revealing their private key. The sequencer provides the ECDH shared secret and a proof of correct derivation:
 
 ```solidity
 struct DecryptionData {
     bytes32 sharedSecret;       // ECDH shared secret (x-coordinate of privSeq * ephemeralPub)
     uint8 sharedSecretYParity;  // Y coordinate parity of the shared secret point (0x02 or 0x03)
-    address to;                 // Decrypted recipient
-    bytes32 memo;               // Decrypted memo
     ChaumPedersenProof cpProof; // Proof of correct shared secret derivation
 }
 ```
 
+The decrypted `(to, memo)` are derived on-chain from the AES-GCM decryption of the ciphertext and do not need to be supplied by the sequencer.
+
 Verification works by leveraging the AES-GCM authentication tag:
 
 1. Sequencer computes: `sharedSecret = ECDH(sequencerPriv, ephemeralPub)`
@@ -1387,11 +1387,12 @@ bytes32 aesKey = _hkdfSha256(
     ed.encrypted.tag
 );
 
-// Step 5: Verify decrypted plaintext matches claimed (to, memo)
+// Step 5: Decode the decrypted (to, memo) from the plaintext
 // Plaintext is packed as [address(20 bytes)][memo(32 bytes)][padding(12 bytes)] = 64 bytes
+address decryptedTo;
+bytes32 decryptedMemo;
 if (valid && decryptedPlaintext.length == ENCRYPTED_PAYLOAD_PLAINTEXT_SIZE) {
-    (address decryptedTo, bytes32 decryptedMemo) = EncryptedDepositLib.decodePlaintext(decryptedPlaintext);
-    valid = (decryptedTo == dec.to && decryptedMemo == dec.memo);
+    (decryptedTo, decryptedMemo) = EncryptedDepositLib.decodePlaintext(decryptedPlaintext);
 } else {
     valid = false;
 }
@@ -1403,8 +1404,8 @@ if (!valid) {
     emit EncryptedDepositFailed(currentHash, ed.sender, ed.token, ed.amount);
 } else {
     // Decryption succeeded - mint correct zone-side TIP-20 to decrypted recipient
-    IZoneToken(ed.token).mint(dec.to, ed.amount);
-    emit EncryptedDepositProcessed(currentHash, ed.sender, dec.to, ed.token, ed.amount, dec.memo);
+    IZoneToken(ed.token).mint(decryptedTo, ed.amount);
+    emit EncryptedDepositProcessed(currentHash, ed.sender, decryptedTo, ed.token, ed.amount, decryptedMemo);
 }
 ```
 

docs/pages/protocol/privacy/overview.md

@@ -160,11 +160,10 @@ pub enum DepositType {
 }
 
 /// Mirrors the Solidity `DecryptionData` struct from IZone.sol
-/// Provided by the sequencer for each encrypted deposit
+/// Provided by the sequencer for each encrypted deposit.
+/// The decrypted (to, memo) are derived on-chain from AES-GCM decryption.
 pub struct DecryptionData {
     pub shared_secret: B256,  // ECDH shared secret (x-coordinate)
-    pub to: Address,          // Decrypted recipient
-    pub memo: B256,           // Decrypted memo
     pub cp_proof: ChaumPedersenProof, // Proof of correct shared secret derivation
 }
 

docs/pages/protocol/privacy/prover-design.md

@@ -137,11 +137,11 @@ struct ChaumPedersenProof {
 ///      without exposing the sequencer's private key.
 ///      The sequencer's public key is looked up from the deposit's keyIndex on-chain,
 ///      so it does not need to be included here.
+///      The decrypted (to, memo) are derived on-chain from the AES-GCM decryption and
+///      do not need to be supplied by the sequencer.
 struct DecryptionData {
     bytes32 sharedSecret; // ECDH shared secret (x-coordinate of privSeq * ephemeralPub)
     uint8 sharedSecretYParity; // Y coordinate parity of the shared secret point (0x02 or 0x03)
-    address to; // Decrypted recipient
-    bytes32 memo; // Decrypted memo
     ChaumPedersenProof cpProof; // Proof of correct shared secret derivation
 }
 

docs/specs/src/zone/IZone.sol

@@ -257,13 +257,14 @@ contract ZoneInbox is IZoneInbox {
                         ed.encrypted.tag
                     );
 
-                // Step 4: Verify decrypted plaintext matches claimed (to, memo)
+                // Step 4: Decode the decrypted (to, memo) from the plaintext
                 // Plaintext is packed as [address(20 bytes)][memo(32 bytes)][padding(12 bytes)]
                 // Must be exactly ENCRYPTED_PAYLOAD_PLAINTEXT_SIZE (64) bytes
+                address decryptedTo;
+                bytes32 decryptedMemo;
                 if (valid && decryptedPlaintext.length == ENCRYPTED_PAYLOAD_PLAINTEXT_SIZE) {
-                    (address decryptedTo, bytes32 decryptedMemo) =
+                    (decryptedTo, decryptedMemo) =
                         EncryptedDepositLib.decodePlaintext(decryptedPlaintext);
-                    valid = (decryptedTo == dec.to && decryptedMemo == dec.memo);
                 } else {
                     valid = false;
                 }
@@ -278,9 +279,9 @@ contract ZoneInbox is IZoneInbox {
                     emit EncryptedDepositFailed(currentHash, ed.sender, ed.token, ed.amount);
                 } else {
                     // Decryption succeeded - mint the correct zone-side TIP-20 to the decrypted recipient
-                    IZoneToken(ed.token).mint(dec.to, ed.amount);
+                    IZoneToken(ed.token).mint(decryptedTo, ed.amount);
                     emit EncryptedDepositProcessed(
-                        currentHash, ed.sender, dec.to, ed.token, ed.amount, dec.memo
+                        currentHash, ed.sender, decryptedTo, ed.token, ed.amount, decryptedMemo
                     );
                 }
             }

docs/specs/src/zone/ZoneInbox.sol

@@ -964,8 +964,6 @@ contract ZoneBridgeTest is BaseTest {
             decs[i] = DecryptionData({
                 sharedSecret: bytes32(uint256(0xDEAD)),
                 sharedSecretYParity: 0x02,
-                to: decryptedTo,
-                memo: decryptedMemo,
                 cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
             });
         }
@@ -1087,7 +1085,7 @@ contract ZoneBridgeTest is BaseTest {
         _sequencerObserveEncryptedDeposit(alice, netAmount, 0, payload);
         _setupEncryptionKeyMockOnZone(0, encKeyX, encKeyYParity);
 
-        // Even with shouldSucceed=false, we need a to/memo for DecryptionData (values don't matter)
+        // Even with shouldSucceed=false, we still call the relay helper
         bytes32 newProcessedHash =
             _sequencerRelayEncryptedDepositsToL2(address(0xBEEF), bytes32("wrong"), false);
 
@@ -1193,8 +1191,6 @@ contract ZoneBridgeTest is BaseTest {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xDEAD)),
             sharedSecretYParity: 0x02,
-            to: decryptedTo,
-            memo: decryptedMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -1306,15 +1302,11 @@ contract ZoneBridgeTest is BaseTest {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xDEAD)),
             sharedSecretYParity: 0x02,
-            to: aliceRecipient,
-            memo: aliceMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
         decs[1] = DecryptionData({
             sharedSecret: bytes32(uint256(0xBEEF)),
             sharedSecretYParity: 0x02,
-            to: bobRecipient,
-            memo: bobMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(3)), c: bytes32(uint256(4)) })
         });
 
@@ -1326,30 +1318,11 @@ contract ZoneBridgeTest is BaseTest {
             address(l1Portal), PORTAL_CURRENT_DEPOSIT_QUEUE_HASH_SLOT, hash2
         );
 
-        // Mock precompiles — we use broad mocks since vm.mockCall matches any input
-        // For the success path, we need AES-GCM to return the correct plaintext.
-        // Since vm.mockCall with just the selector matches ALL calls, we mock for the LAST
-        // decryption (bobRecipient). For aliceRecipient we set up mock before advanceTempo,
-        // but vm.mockCall replaces: we need a workaround.
-        //
-        // Since Foundry's vm.mockCall uses last-registered-wins for the same address+selector,
-        // and encrypted deposits are processed sequentially, we can't differentiate two calls
-        // to the same precompile with different expected outputs using selector-only mocking.
-        //
-        // Workaround: mock both precompiles to return bobRecipient's plaintext.
-        // Alice's deposit will fail the plaintext check (dec.to != decryptedTo), causing a bounce.
-        // We test a simpler scenario: mock for aliceRecipient so BOTH succeed with the same plaintext.
-        //
-        // Actually, the cleanest approach: make both deposits decrypt to the same recipient/memo.
-        // This tests key rotation without needing differentiated mocks.
-
-        // Use same recipient/memo for both decryptions
+        // Mock precompiles to return the same plaintext for both deposits.
+        // Since vm.mockCall with just the selector matches ALL calls, both encrypted
+        // deposits will decrypt to the same (sharedRecipient, sharedMemo).
         address sharedRecipient = address(0x700);
         bytes32 sharedMemo = bytes32("shared-secret");
-        decs[0].to = sharedRecipient;
-        decs[0].memo = sharedMemo;
-        decs[1].to = sharedRecipient;
-        decs[1].memo = sharedMemo;
 
         vm.etch(CHAUM_PEDERSEN_VERIFY, hex"00");
         vm.etch(AES_GCM_DECRYPT, hex"00");