Should generate txout nonces deterministically

[apoelstra]

Makes testing easier and reduces dependency on strong random sources.

We only blind outputs when we have an unlocked wallet currently (I think) so we could just do a tagged hash of the commitment and the master wallet blinding key.

Unsure what we should use for the blinding factors themselves. A hash of the scriptPubKey + amount could work, but would result in equal commitments when people reused addresses, which we ought not to compromise privacy on even more..

[stepansnigirev]

Deterministic nonces would be great!
Here is an example what we do in Specter, but we can easily swap it with something else:

# root blinding seed of the wallet
seed = tagged_hash("liquid/blinding_seed", master_blinding_key)

# get unique enough seed for the transaction, doesn't rely on amounts / assets
# as they could be blinded by someone else and therefore unknown
txseed = tagged_hash("liquid/txseed", 
      seed
      + sum([inp.txid+inp.vout.to_bytes(4,'little') for inp in inputs])
      + sum([out.script_pubkey for out in outputs])
)

# generate blinding factors for all outputs
for i, out in enumerate(outputs):
    out.asset_blinding_factor = hashes.tagged_hash("liquid/abf", txseed+i.to_bytes(4,'little'))
    out.value_blinding_factor = hashes.tagged_hash("liquid/vbf", txseed+i.to_bytes(4,'little'))
    surj_proof_seed = hashes.tagged_hash("liquid/surjection_proof", txseed+i.to_bytes(4,'little'))
    range_proof_seed = hashes.tagged_hash("liquid/range_proof", txseed+i.to_bytes(4,'little'))

# now fix last vbf and blind
# ...

[apoelstra]

I like this idea.