PrimitiveWitness carries the list of UTXO in both forms: before and after salting. I have some intuition (:thanks: for the note on SaltedUtxos doc-string ) why/where this salt is not used, and I need a confirmation on it. So my guess is that we need to salt it when an UTXO gets into the output, and hence can be analyzed observing the posted proofs; but when it isn’t outputted (basically tracing of a lock script halting) it’s safe to use before salting.
Any additional insights into this are very welcome!
PS sorry for bad writing style, it’s my last message for today, but I wanted to post it to have a chance for an answer meanwhile
The ProofCollection consists of one proof for each of these program executions, along with the information necessary to derive the claims that those proofs assert the truths of. These claims concretely relate to salted_input_utxos_hash and salted_output_utxos_hash. These digests are necessary for verifying the individual proofs in the ProofCollection, but they disappear when the ProofCollection is raised into a SingleProof.
To ensure that these digests do not leak any information about the UTXOs, we add a salt before hashing.
That’s quite what I was thinking (thanks again to the diagram and the doc-string which were helpful). The question it left me with is a bit contrary: what are the conditions when it’s ok to use not a not salted UTXO, as it is used in a proof collection.
It is okay to use unsalted UTXO lists for anything that stays on the local machine and is never broadcast. (That said, if you are going to produce a SingleProof locally then you need salted UTXO lists because there is no other way to get a SingleProof, not counting Update or Merge steps. But that’s a detail.)
You want to use hashes of salted UTXO lists for anything that is sent over the wire, to guard against the loss of privacy that otherwise exists.
) why/where this salt is not used, and I need a confirmation on it. So my guess is that we need to salt it when an UTXO gets into the output, and hence can be analyzed observing the posted proofs; but when it isn’t outputted (basically tracing of a lock script halting) it’s safe to use before salting.