book: Document why ivk != 0

book/src/design/commitments.md

@@ -23,6 +23,15 @@ $$\mathsf{cm} = \mathit{Commit}^{\mathsf{cm}}_{\mathsf{rcm}}(\text{rest of note}
 This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient
 Sinsemilla instead of Bowe--Hopwood Pedersen hashes.
 
-Note that we also deviate from Sapling by using $\mathit{ShortCommit}$ to deriving $\mathsf{ivk}$
-instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit,
-at the cost of requiring $\mathsf{rivk}$ to be part of the full viewing key.
+Note that for $\mathsf{ivk}$, we also deviate from Sapling in two ways:
+
+- We use $\mathit{ShortCommit}$ to derive $\mathsf{ivk}$ instead of a full PRF. This removes an
+  unnecessary (large) PRF primitive from the circuit, at the cost of requiring $\mathsf{rivk}$ to be
+  part of the full viewing key.
+- We define $\mathsf{ivk}$ as an integer in $[1, q_P)$; that is, we exclude $\mathsf{ivk} = 0$. For
+  Sapling, we relied on BLAKE2s to make $\mathsf{ivk} = 0$ infeasible to produce, but it was still
+  technically possible. For Orchard, we get this by construction:
+  - $0$ is not a valid x-coordinate for any Pallas point.
+  - $\mathit{ShortCommit}$ internally maps points to field elements by replacing the identity (which
+    has no affine coordinates) with $0$. But Sinsemilla is defined using incomplete addition, and
+    thus will never produce the identity.