# MASP Note Encryption (without FMD)

## Note Structure

Say Alice `transact`

s via the `Transaction.circom`

circuit and the recipient of both output commitments is Bob. We have the following desiderata:

- If I possess Alice’s viewing key, I should be able to see the internal data of the two output commitments.
- If I possess Bob’s viewing key, I should be able to see all the internal data of the output commitments.

This allows:

- Recipients to spend MASP commitments transferred to them.
- Regulators and outside observers to view BOTH sent and received funds of any party they hold the viewing keys of.

Note due to our MASP key design, even if regulators know the blinding of a commitment, they still cannot spend the output commitment, because they do not have the proof authorizing key, `ak`

, which is needed to create a valid ZKP.

### Note Data

Each note corresponds to an output commitment. The data contained in a note is simply the internal data of the output commitment:

- AssetID
- TokenID
- Amount
- DestinationChainID
- PublicKey_X
- PublicKey_Y
- blinding

## Encrypting the Note

Each note is encrypted twice, once with Alice’s public key and once with Bob’s public key. More specifically the encryption process works as follows. We will use a similar design to zkopru (opens in a new tab).

### Encrypting with Alice’s Public Key

- Alice generates an ephemeral babyjubjub keypair
`(esk, epk)`

. - Alice computes
`esk[pk_A]`

and uses this as the secret key in`chacha20`

symmetric encryption scheme to encrypt the note. - Alice posts the encryption along with
`epk`

on the blockchain.

### Encrypting with Bob’s Public Key

- Bob generates an ephemeral babyjubjub keypair
`(esk, epk)`

. - Bob computes
`esk[pk_B]`

and uses this as the secret key in`chacha20`

symmetric encryption scheme to encrypt the note. - Bob posts the encryption along with
`epk`

on the blockchain.

## Decrypting Notes

We will use a similar design to zkopru:

zkopru-network/zkopru (opens in a new tab)

Note `esk[pk] = vk[epk]`

, so anyone with the viewing key can compute `vk[epk]`

and use `chacha20`

to decrypt notes.

Potential recipients can decrypt new encrypted notes on the blockchain, compute the `Record`

commitment from the internal data, and see if it matches the output commitment posted on the blockchain. If so, this note/commitment is meant for the recipient. Eventually, we will have relayers take care of a lot of the note encryption and decryption work so each individual does not have to do it.