diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md
index 9adf58e9..55efc260 100644
--- a/book/src/SUMMARY.md
+++ b/book/src/SUMMARY.md
@@ -23,5 +23,6 @@
         - [Variable-base scalar multiplication](design/circuit/gadgets/ecc/var-base-scalar-mul.md)
       - [Sinsemilla](design/circuit/gadgets/sinsemilla.md)
         - [MerkleCRH](design/circuit/gadgets/sinsemilla/merkle-crh.md)
+        - [CommitIvk](design/circuit/gadgets/sinsemilla/commit-ivk.md)
       - [Lookup Range Check](design/circuit/gadgets/lookup_range_check.md)
       - [Decomposition](design/circuit/gadgets/decomposition.md)
diff --git a/book/src/design/circuit/gadgets/sinsemilla/commit-ivk.md b/book/src/design/circuit/gadgets/sinsemilla/commit-ivk.md
new file mode 100644
index 00000000..3cd56e9d
--- /dev/null
+++ b/book/src/design/circuit/gadgets/sinsemilla/commit-ivk.md
@@ -0,0 +1,76 @@
+# CommitIvk
+
+## Message decomposition
+$\mathsf{SinsemillaShortCommit}$ is used in the [$\mathsf{CommitIvk}$ function](https://zips.z.cash/protocol/protocol.pdf#concretesinsemillacommit). The input to $\mathsf{SinsemillaShortCommit}$ is:
+
+$$\mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(ak) || \mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(nk),$$
+
+where $\mathsf{ak, nk}$ are Pallas base field elements, and $\ell_{\textsf{base}}^{\textsf{Orchard}} = 255.$
+
+We break these inputs into the following `MessagePiece`s:
+
+$$
+\begin{aligned}
+a \text{ (250 bits)} &= \text{bits } 0..=249 \text{ of } \mathsf{ak} \\
+b \text{ (10 bits)}  &= b_0||b_1||b_2 \\
+                     &= (\text{bits } 250..=253 \text{ of } \mathsf{ak}) || (\text{bit } 254 \text{ of } \mathsf{ak}) || (\text{bits } 0..=4 \text{ of } \mathsf{nk}) \\
+c \text{ (240 bits)} &= \text{bits } 5..=244 \text{ of } \mathsf{nk} \\
+d \text{ (10 bits)}  &= d_0||d_1 \\
+                     &= (\text{bits } 245..=253 \text{ of } \mathsf{nk}) || (\text{bit } 254 \text{ of } \mathsf{nk})
+\end{aligned}
+$$
+
+$a,b,c,d$ are constrained by the $\textsf{SinsemillaHash}$ to be $250$ bits, $10$ bits, $240$ bits, and $10$ bits respectively.
+
+In a custom gate, we check this message decomposition by enforcing the following constraints:
+
+1. $b = b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2$
+<br>
+$b_0, b_2$ are witnessed outside this gate, and constrained to be $4$ bits and $5$ bits respectively. $b_1$ is witnessed and boolean-constrained in this gate:
+$$(b_1)(1 - b_1) = 0.$$
+From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
+$$b = b_0 + 2^4 \cdot b_1 + 2^5 \cdot b_2.$$
+
+2. $d = d_0 + 2^9 \cdot d_1$
+<br>
+$d_0$ is witnessed outside this gate, and constrained to be $9$ bits. $d_1$ is witnessed and boolean-constrained in this gate:
+$$(d_1)(1 - d_1) = 0.$$
+From these witnessed subpieces, we check that we recover the original `MessagePiece` input to the hash:
+$$d = d_0 + 2^9 \cdot d_1.$$
+
+We have now derived or witnessed every subpiece, and range-constrained every subpiece:
+- $b_0$ ($4$ bits) is witnessed and constrained outside the gate;
+- $b_1$ ($1$ bits) is witnessed and boolean-constrained in the gate;
+- $b_2$ ($5$ bits) is witnessed and constrained outside the gate;
+- $d_0$ ($9$ bits) is witnessed and constrained outside the gate;
+- $d_1$ ($1$ bits) is witnessed and boolean-constrained in the gate,
+and we use them to reconstruct the original field element inputs:
+
+3. $\textsf{ak} = a + 2^{250} \cdot b_0 + 2^{254} \cdot b_1$
+4. $\textsf{nk} = b_2 + 2^5 \cdot c + 2^{245} \cdot d_0 + 2^{254} \cdot d_1$
+
+## Canonicity
+The modulus of the Pallas base field is $p = 2^{254} + t_p,$ where $t_p = 45560315531419706090280762371685220353 < 2^{126}.$
+
+### $\textsf{ak} = a (250 \text{ bits}) || b_0 (4 \text{ bits}) || b_1 (1 \text{ bit})$
+We check that $\mathsf{I2LEBSP_{\ell_{base}^{Orchard}}(ak)}$ is a canonically-encoded $255$-bit value, i.e. $\textsf{ak} < p$. If the high bit is not set $b_1 = 0$, we are guaranteed that $\textsf{ak} < 2^{254}$. Thus, we are only interested in cases when $b_1 = 1 \implies \textsf{ak} \geq 2^{254}$. In these cases, we check that $\textsf{ak}_{0..=253} < t_p < 2^{126}$:
+
+1. $b_1 = 1 \implies b_0 = 0.$
+Since $b_1 = 1 \implies \textsf{ak}_{0..=253} < 2^{126},$ we know that $\textsf{ak}_{126..=253} = 0,$ and in particular $b_0 = \textsf{ak}_{250..=253} = 0.$ So, we constrain $$b_1 \cdot b_0 = 0.$$
+
+2. $b_1 = 1 \implies 0 \leq a < 2^{126}.$
+To check that $a < 2^{126}$, we use two constraints:
+
+    a) $0 \leq a < 2^{130}$. This is expressed in the custom gate as $$b_1 \cdot z_{13,a} = 0,$$ where $z_{13,a}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(a).$
+
+    b) $0 \leq a + 2^{130} - t_p < 2^{130}$. To check this, we decompose $a' = a + 2^{130} - t_p$ into thirteen 10-bit words (little-endian) using a running sum $z_{a'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$b_1 \cdot z_{13, a'} = 0.$$
+
+### $\textsf{nk} = b_2 (5 \text{ bits}) || c (240 \text{ bits}) || d_0 (9 \text{ bits}) || d_1 (1 \text{ bit})$
+We check that $\mathsf{I2LEBSP}_{\ell_{\textsf{base}}^{\textsf{Orchard}}}(nk)$ is a canonically-encoded $255$-bit value, i.e. $\textsf{nk} < p$. If the high bit is not set $d_1 = 0$, we are guaranteed that $nk < 2^{254}$. Thus, we are only interested in cases when $d_1 = 1 \implies nk \geq 2^{254}$. In these cases, we check that $\textsf{nk}_{0..=253} < t_p < 2^{126}$:
+
+1. $d_1 = 1 \implies 0 \leq b_2 + 2^5 \cdot c < 2^{126}.$
+To check that $0 \leq b_2 + 2^5 \cdot c < 2^{126}$, we use two constraints:
+
+    a) $0 \leq b_2 + 2^5 \cdot c < 2^{140}$. $b_2$ is already constrained individually to be a $5$-bit value. $z_{13, c}$ is the index-13 running sum output by $\textsf{SinsemillaHash}(c).$ By constraining $$d_1 \cdot z_{13,c} = 0,$$ we constrain $b_2 + 2^5 \cdot c < 2^{135} < 2^{140}.$
+
+    b) $0 \leq b_2 + 2^5 \cdot c + 2^{140} - t_p < 2^{140}$. To check this, we decompose $b' = b_2 + 2^5 \cdot c + 2^{140} - t_p$ into fourteen 10-bit words (little-endian) using a running sum $z_{b'}$, looking up each word in a $10$-bit lookup table. We then enforce in the custom gate that $$d_1 \cdot z_{14, b'} = 0.$$
\ No newline at end of file
diff --git a/book/src/design/circuit/gadgets/sinsemilla/commit_ivk.md b/book/src/design/circuit/gadgets/sinsemilla/commit_ivk.md
deleted file mode 100644
index 30404ce4..00000000
--- a/book/src/design/circuit/gadgets/sinsemilla/commit_ivk.md
+++ /dev/null
@@ -1 +0,0 @@
-TODO
\ No newline at end of file