Given 3 nodes `n1`

, `n2`

, and `n3`

, each with known pubkeys `n1.K = n1.k*G`

, `n2.K = n2.k*g`

, and `n3.K = n3.k*G`

, the caller provides

```
* ephemeral_key: The initial ephemeral pubkey, R1
* commitment: The real input commitment C0
* payloads:
1. E1(p1)
2. E1(E2(p2))
3. E1(E2(E3(p3)))
```

`n1`

then computes shared secret `s1 = ECDH(n1.k, R1)`

. Using `s1`

, the node decrypts the 3 payloads to get `p1`

, `E2(p2)`

, and `E2(E3(p3))`

. It reads the excess `x1`

from `p1`

.

`n1`

then calls `n2`

with

```
* ephemeral_key: R2 = BLIND(s1, R1)
* commitment: C1 = C0 + x1*G
* payloads:
1. E2(p2)
2. E2(E3(p3))
```

`n2`

computes shared secret `s2 = ECDH(n2.k, R2)`

. Using `s2`

, it decrypts the 2 payloads to get `p2`

and `E3(p2)`

. It reads the excess `x2`

from `p2`

.

`n2`

then calls `n3`

with

```
* ephemeral_key: R3 = BLIND(s2, R2)
* commitment: C2 = C1 + x2*G
* payloads:
1. E3(p3)
```

`n3`

computes shared secret `s3 = ECDH(n3.k, R3)`

. Using `s3`

, it decrypts the remaining payload to get `p3`

. It reads the excess `x3`

and rangeproof `Π`

.

`n3`

computes the final commitment as `C3 = C2 + x3*G`

and verifies the rangeproof `Π`

.

This can be seen in action in this test I wrote.