fix: remove redundant to/memo from DecryptionData

dankrad · dankrad · commit b785d3ba5997 · 2026-04-07T16:21:39.000+03:00
The `to` and `memo` fields in `DecryptionData` were redundant: the on-chain `ZoneInbox` already decrypts the ciphertext via AES-256-GCM and can derive these values directly from the plaintext. Remove them from the struct and use the decrypted values on-chain instead of comparing against sequencer-supplied duplicates. Saves 52 bytes of calldata per encrypted deposit (20-byte address + 32-byte memo). Closes #357 Made-with: Cursor
diff --git a/crates/primitives/src/abi.rs b/crates/primitives/src/abi.rs
@@ -378,12 +378,11 @@ macro_rules! define_abi {
             }
 
             /// Decryption data provided by the sequencer for encrypted deposits.
+            /// The decrypted (to, memo) are derived on-chain from the AES-GCM decryption.
             #[derive(Debug)]
             struct DecryptionData {
                 bytes32 sharedSecret;
                 uint8 sharedSecretYParity;
-                address to;
-                bytes32 memo;
                 ChaumPedersenProof cpProof;
             }
 
diff --git a/crates/tempo-zone/src/builder.rs b/crates/tempo-zone/src/builder.rs
@@ -690,8 +690,6 @@ mod tests {
             decryptions: vec![abi::DecryptionData {
                 sharedSecret: B256::ZERO,
                 sharedSecretYParity: 0x02,
-                to: sender,
-                memo: B256::ZERO,
                 cpProof: abi::ChaumPedersenProof {
                     s: B256::ZERO,
                     c: B256::ZERO,
diff --git a/crates/tempo-zone/src/l1.rs b/crates/tempo-zone/src/l1.rs
@@ -1205,7 +1205,7 @@ impl L1BlockDeposits {
                             )
                             .await?;
 
-                        let recipient = if authorized {
+                        let _recipient = if authorized {
                             debug!(
                                 target: "zone::engine",
                                 recipient = %dec.to,
@@ -1228,8 +1228,6 @@ impl L1BlockDeposits {
                         let decryption = abi::DecryptionData {
                             sharedSecret: dec.proof.shared_secret,
                             sharedSecretYParity: dec.proof.shared_secret_y_parity,
-                            to: recipient,
-                            memo: dec.memo,
                             cpProof: abi::ChaumPedersenProof {
                                 s: dec.proof.cp_proof_s,
                                 c: dec.proof.cp_proof_c,
@@ -1257,8 +1255,6 @@ impl L1BlockDeposits {
                         let decryption = abi::DecryptionData {
                             sharedSecret: proof.shared_secret,
                             sharedSecretYParity: proof.shared_secret_y_parity,
-                            to: d.sender,
-                            memo: B256::ZERO,
                             cpProof: abi::ChaumPedersenProof {
                                 s: proof.cp_proof_s,
                                 c: proof.cp_proof_c,
@@ -1278,8 +1274,6 @@ impl L1BlockDeposits {
                     let decryption = abi::DecryptionData {
                         sharedSecret: B256::ZERO,
                         sharedSecretYParity: 0x02,
-                        to: d.sender,
-                        memo: B256::ZERO,
                         cpProof: abi::ChaumPedersenProof {
                             s: B256::ZERO,
                             c: B256::ZERO,
diff --git a/crates/tempo-zone/tests/advance_tempo.rs b/crates/tempo-zone/tests/advance_tempo.rs
@@ -38,8 +38,6 @@ sol! {
     struct DecryptionData {
         bytes32 sharedSecret;
         uint8 sharedSecretYParity;
-        address to;
-        bytes32 memo;
         ChaumPedersenProof cpProof;
     }
 }
diff --git a/crates/tempo-zone/tests/assets/zone-test-genesis.json b/crates/tempo-zone/tests/assets/zone-test-genesis.json
diff --git a/docs/pages/protocol/privacy/crypto-review.md b/docs/pages/protocol/privacy/crypto-review.md
diff --git a/docs/pages/protocol/privacy/overview.md b/docs/pages/protocol/privacy/overview.md
@@ -1230,18 +1230,18 @@ This ensures deposits are processed in the exact order they were made, regardles
 
 **On-chain decryption verification:**
 
-The zone can verify encrypted deposit decryption on-chain without the sequencer revealing their private key. The sequencer provides the ECDH shared secret alongside the decrypted data:
+The zone can verify encrypted deposit decryption on-chain without the sequencer revealing their private key. The sequencer provides the ECDH shared secret and a proof of correct derivation:
 
 ```solidity
 struct DecryptionData {
     bytes32 sharedSecret;       // ECDH shared secret (x-coordinate of privSeq * ephemeralPub)
     uint8 sharedSecretYParity;  // Y coordinate parity of the shared secret point (0x02 or 0x03)
-    address to;                 // Decrypted recipient
-    bytes32 memo;               // Decrypted memo
     ChaumPedersenProof cpProof; // Proof of correct shared secret derivation
 }
 ```
 
+The decrypted `(to, memo)` are derived on-chain from the AES-GCM decryption of the ciphertext and do not need to be supplied by the sequencer.
+
 Verification works by leveraging the AES-GCM authentication tag:
 
 1. Sequencer computes: `sharedSecret = ECDH(sequencerPriv, ephemeralPub)`
@@ -1387,11 +1387,12 @@ bytes32 aesKey = _hkdfSha256(
     ed.encrypted.tag
 );
 
-// Step 5: Verify decrypted plaintext matches claimed (to, memo)
+// Step 5: Decode the decrypted (to, memo) from the plaintext
 // Plaintext is packed as [address(20 bytes)][memo(32 bytes)][padding(12 bytes)] = 64 bytes
+address decryptedTo;
+bytes32 decryptedMemo;
 if (valid && decryptedPlaintext.length == ENCRYPTED_PAYLOAD_PLAINTEXT_SIZE) {
-    (address decryptedTo, bytes32 decryptedMemo) = EncryptedDepositLib.decodePlaintext(decryptedPlaintext);
-    valid = (decryptedTo == dec.to && decryptedMemo == dec.memo);
+    (decryptedTo, decryptedMemo) = EncryptedDepositLib.decodePlaintext(decryptedPlaintext);
 } else {
     valid = false;
 }
@@ -1403,8 +1404,8 @@ if (!valid) {
     emit EncryptedDepositFailed(currentHash, ed.sender, ed.token, ed.amount);
 } else {
     // Decryption succeeded - mint correct zone-side TIP-20 to decrypted recipient
-    IZoneToken(ed.token).mint(dec.to, ed.amount);
-    emit EncryptedDepositProcessed(currentHash, ed.sender, dec.to, ed.token, ed.amount, dec.memo);
+    IZoneToken(ed.token).mint(decryptedTo, ed.amount);
+    emit EncryptedDepositProcessed(currentHash, ed.sender, decryptedTo, ed.token, ed.amount, decryptedMemo);
 }
 ```
 
diff --git a/docs/pages/protocol/privacy/prover-design.md b/docs/pages/protocol/privacy/prover-design.md
@@ -160,11 +160,10 @@ pub enum DepositType {
 }
 
 /// Mirrors the Solidity `DecryptionData` struct from IZone.sol
-/// Provided by the sequencer for each encrypted deposit
+/// Provided by the sequencer for each encrypted deposit.
+/// The decrypted (to, memo) are derived on-chain from AES-GCM decryption.
 pub struct DecryptionData {
     pub shared_secret: B256,  // ECDH shared secret (x-coordinate)
-    pub to: Address,          // Decrypted recipient
-    pub memo: B256,           // Decrypted memo
     pub cp_proof: ChaumPedersenProof, // Proof of correct shared secret derivation
 }
 
diff --git a/docs/specs/src/zone/IZone.sol b/docs/specs/src/zone/IZone.sol
@@ -137,11 +137,11 @@ struct ChaumPedersenProof {
 ///      without exposing the sequencer's private key.
 ///      The sequencer's public key is looked up from the deposit's keyIndex on-chain,
 ///      so it does not need to be included here.
+///      The decrypted (to, memo) are derived on-chain from the AES-GCM decryption and
+///      do not need to be supplied by the sequencer.
 struct DecryptionData {
     bytes32 sharedSecret; // ECDH shared secret (x-coordinate of privSeq * ephemeralPub)
     uint8 sharedSecretYParity; // Y coordinate parity of the shared secret point (0x02 or 0x03)
-    address to; // Decrypted recipient
-    bytes32 memo; // Decrypted memo
     ChaumPedersenProof cpProof; // Proof of correct shared secret derivation
 }
 
diff --git a/docs/specs/src/zone/ZoneInbox.sol b/docs/specs/src/zone/ZoneInbox.sol
@@ -257,13 +257,14 @@ contract ZoneInbox is IZoneInbox {
                         ed.encrypted.tag
                     );
 
-                // Step 4: Verify decrypted plaintext matches claimed (to, memo)
+                // Step 4: Decode the decrypted (to, memo) from the plaintext
                 // Plaintext is packed as [address(20 bytes)][memo(32 bytes)][padding(12 bytes)]
                 // Must be exactly ENCRYPTED_PAYLOAD_PLAINTEXT_SIZE (64) bytes
+                address decryptedTo;
+                bytes32 decryptedMemo;
                 if (valid && decryptedPlaintext.length == ENCRYPTED_PAYLOAD_PLAINTEXT_SIZE) {
-                    (address decryptedTo, bytes32 decryptedMemo) =
+                    (decryptedTo, decryptedMemo) =
                         EncryptedDepositLib.decodePlaintext(decryptedPlaintext);
-                    valid = (decryptedTo == dec.to && decryptedMemo == dec.memo);
                 } else {
                     valid = false;
                 }
@@ -278,9 +279,9 @@ contract ZoneInbox is IZoneInbox {
                     emit EncryptedDepositFailed(currentHash, ed.sender, ed.token, ed.amount);
                 } else {
                     // Decryption succeeded - mint the correct zone-side TIP-20 to the decrypted recipient
-                    IZoneToken(ed.token).mint(dec.to, ed.amount);
+                    IZoneToken(ed.token).mint(decryptedTo, ed.amount);
                     emit EncryptedDepositProcessed(
-                        currentHash, ed.sender, dec.to, ed.token, ed.amount, dec.memo
+                        currentHash, ed.sender, decryptedTo, ed.token, ed.amount, decryptedMemo
                     );
                 }
             }
diff --git a/docs/specs/test/zone/ZoneBridge.t.sol b/docs/specs/test/zone/ZoneBridge.t.sol
@@ -964,8 +964,6 @@ contract ZoneBridgeTest is BaseTest {
             decs[i] = DecryptionData({
                 sharedSecret: bytes32(uint256(0xDEAD)),
                 sharedSecretYParity: 0x02,
-                to: decryptedTo,
-                memo: decryptedMemo,
                 cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
             });
         }
@@ -1087,7 +1085,7 @@ contract ZoneBridgeTest is BaseTest {
         _sequencerObserveEncryptedDeposit(alice, netAmount, 0, payload);
         _setupEncryptionKeyMockOnZone(0, encKeyX, encKeyYParity);
 
-        // Even with shouldSucceed=false, we need a to/memo for DecryptionData (values don't matter)
+        // Even with shouldSucceed=false, we still call the relay helper
         bytes32 newProcessedHash =
             _sequencerRelayEncryptedDepositsToL2(address(0xBEEF), bytes32("wrong"), false);
 
@@ -1193,8 +1191,6 @@ contract ZoneBridgeTest is BaseTest {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xDEAD)),
             sharedSecretYParity: 0x02,
-            to: decryptedTo,
-            memo: decryptedMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -1306,15 +1302,11 @@ contract ZoneBridgeTest is BaseTest {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xDEAD)),
             sharedSecretYParity: 0x02,
-            to: aliceRecipient,
-            memo: aliceMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
         decs[1] = DecryptionData({
             sharedSecret: bytes32(uint256(0xBEEF)),
             sharedSecretYParity: 0x02,
-            to: bobRecipient,
-            memo: bobMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(3)), c: bytes32(uint256(4)) })
         });
 
@@ -1326,30 +1318,11 @@ contract ZoneBridgeTest is BaseTest {
             address(l1Portal), PORTAL_CURRENT_DEPOSIT_QUEUE_HASH_SLOT, hash2
         );
 
-        // Mock precompiles — we use broad mocks since vm.mockCall matches any input
-        // For the success path, we need AES-GCM to return the correct plaintext.
-        // Since vm.mockCall with just the selector matches ALL calls, we mock for the LAST
-        // decryption (bobRecipient). For aliceRecipient we set up mock before advanceTempo,
-        // but vm.mockCall replaces: we need a workaround.
-        //
-        // Since Foundry's vm.mockCall uses last-registered-wins for the same address+selector,
-        // and encrypted deposits are processed sequentially, we can't differentiate two calls
-        // to the same precompile with different expected outputs using selector-only mocking.
-        //
-        // Workaround: mock both precompiles to return bobRecipient's plaintext.
-        // Alice's deposit will fail the plaintext check (dec.to != decryptedTo), causing a bounce.
-        // We test a simpler scenario: mock for aliceRecipient so BOTH succeed with the same plaintext.
-        //
-        // Actually, the cleanest approach: make both deposits decrypt to the same recipient/memo.
-        // This tests key rotation without needing differentiated mocks.
-
-        // Use same recipient/memo for both decryptions
+        // Mock precompiles to return the same plaintext for both deposits.
+        // Since vm.mockCall with just the selector matches ALL calls, both encrypted
+        // deposits will decrypt to the same (sharedRecipient, sharedMemo).
         address sharedRecipient = address(0x700);
         bytes32 sharedMemo = bytes32("shared-secret");
-        decs[0].to = sharedRecipient;
-        decs[0].memo = sharedMemo;
-        decs[1].to = sharedRecipient;
-        decs[1].memo = sharedMemo;
 
         vm.etch(CHAUM_PEDERSEN_VERIFY, hex"00");
         vm.etch(AES_GCM_DECRYPT, hex"00");
diff --git a/docs/specs/test/zone/ZoneInbox.t.sol b/docs/specs/test/zone/ZoneInbox.t.sol
@@ -494,8 +494,6 @@ contract ZoneInboxTest is Test {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xdeadbeef)),
             sharedSecretYParity: 0x02,
-            to: recipient,
-            memo: memo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -547,8 +545,6 @@ contract ZoneInboxTest is Test {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xdeadbeef)),
             sharedSecretYParity: 0x02,
-            to: address(0x500),
-            memo: bytes32("memo"),
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -594,8 +590,6 @@ contract ZoneInboxTest is Test {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xabcd)),
             sharedSecretYParity: 0x02,
-            to: recipient,
-            memo: encMemo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -652,8 +646,6 @@ contract ZoneInboxTest is Test {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(1)),
             sharedSecretYParity: 0x02,
-            to: address(0x500),
-            memo: bytes32("memo"),
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -780,8 +772,6 @@ contract ZoneInboxTest is Test {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xbad)),
             sharedSecretYParity: 0x02,
-            to: address(0x500),
-            memo: bytes32("memo"),
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
 
@@ -797,9 +787,7 @@ contract ZoneInboxTest is Test {
     /// @notice Helper: set up an encrypted deposit flow where AES-GCM returns a specific plaintext
     function _setupEncryptedDepositWithPlaintext(
         bytes memory mockPlaintext,
-        bool aesValid,
-        address recipient,
-        bytes32 memo
+        bool aesValid
     )
         internal
         returns (QueuedDeposit[] memory deposits, DecryptionData[] memory decs)
@@ -843,8 +831,6 @@ contract ZoneInboxTest is Test {
         decs[0] = DecryptionData({
             sharedSecret: bytes32(uint256(0xdeadbeef)),
             sharedSecretYParity: 0x02,
-            to: recipient,
-            memo: memo,
             cpProof: ChaumPedersenProof({ s: bytes32(uint256(1)), c: bytes32(uint256(2)) })
         });
     }
@@ -864,7 +850,7 @@ contract ZoneInboxTest is Test {
         }
 
         (QueuedDeposit[] memory deposits, DecryptionData[] memory decs) =
-            _setupEncryptedDepositWithPlaintext(shortPlaintext, true, recipient, memo);
+            _setupEncryptedDepositWithPlaintext(shortPlaintext, true);
 
         vm.prank(sequencer);
         inbox.advanceTempo("", deposits, decs, new EnabledToken[](0));
@@ -887,7 +873,7 @@ contract ZoneInboxTest is Test {
         }
 
         (QueuedDeposit[] memory deposits, DecryptionData[] memory decs) =
-            _setupEncryptedDepositWithPlaintext(longPlaintext, true, recipient, memo);
+            _setupEncryptedDepositWithPlaintext(longPlaintext, true);
 
         vm.prank(sequencer);
         inbox.advanceTempo("", deposits, decs, new EnabledToken[](0));
@@ -905,7 +891,7 @@ contract ZoneInboxTest is Test {
         bytes memory emptyPlaintext = new bytes(0);
 
         (QueuedDeposit[] memory deposits, DecryptionData[] memory decs) =
-            _setupEncryptedDepositWithPlaintext(emptyPlaintext, true, recipient, memo);
+            _setupEncryptedDepositWithPlaintext(emptyPlaintext, true);
 
         vm.prank(sequencer);
         inbox.advanceTempo("", deposits, decs, new EnabledToken[](0));
@@ -924,7 +910,7 @@ contract ZoneInboxTest is Test {
         bytes memory correctPlaintext = EncryptedDepositLib.encodePlaintext(recipient, memo);
 
         (QueuedDeposit[] memory deposits, DecryptionData[] memory decs) =
-            _setupEncryptedDepositWithPlaintext(correctPlaintext, true, recipient, memo);
+            _setupEncryptedDepositWithPlaintext(correctPlaintext, true);
 
         vm.prank(sequencer);
         inbox.advanceTempo("", deposits, decs, new EnabledToken[](0));

Original file line number	Diff line number	Diff line change
`@@ -378,12 +378,11 @@ macro_rules! define_abi {`
`378`	`378`	`}`
`379`	`379`
`380`	`380`	`/// Decryption data provided by the sequencer for encrypted deposits.`
	`381`	`+ /// The decrypted (to, memo) are derived on-chain from the AES-GCM decryption.`
`381`	`382`	`#[derive(Debug)]`
`382`	`383`	`struct DecryptionData {`
`383`	`384`	`bytes32 sharedSecret;`
`384`	`385`	`uint8 sharedSecretYParity;`
`385`		`- address to;`
`386`		`- bytes32 memo;`
`387`	`386`	`ChaumPedersenProof cpProof;`
`388`	`387`	`}`
`389`	`388`
Original file line number	Diff line number	Diff line change
`@@ -38,8 +38,6 @@ sol! {`
`38`	`38`	`struct DecryptionData {`
`39`	`39`	`bytes32 sharedSecret;`
`40`	`40`	`uint8 sharedSecretYParity;`
`41`		`- address to;`
`42`		`- bytes32 memo;`
`43`	`41`	`ChaumPedersenProof cpProof;`
`44`	`42`	`}`
`45`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -160,11 +160,10 @@ pub enum DepositType {`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	/// Mirrors the Solidity `DecryptionData` struct from IZone.sol
`163`		`-/// Provided by the sequencer for each encrypted deposit`
	`163`	`+/// Provided by the sequencer for each encrypted deposit.`
	`164`	`+/// The decrypted (to, memo) are derived on-chain from AES-GCM decryption.`
`164`	`165`	`pub struct DecryptionData {`
`165`	`166`	`pub shared_secret: B256, // ECDH shared secret (x-coordinate)`
`166`		`- pub to: Address, // Decrypted recipient`
`167`		`- pub memo: B256, // Decrypted memo`
`168`	`167`	`pub cp_proof: ChaumPedersenProof, // Proof of correct shared secret derivation`
`169`	`168`	`}`
`170`	`169`