You are right to point out that the updated specification now correctly models the separation of concerns, allowing for the key generation to occur outside the critical section. The new pending_keys and keys_batch variables effectively create a contract that ensures the race condition I previously described is avoided.
I have updated the implementation to reflect this new design.
The
keys_batchpart if non-sense, since that one is an auxiliary variable.