<li>$\mathit{HomomorphicCommit}$ is a linearly homomorphic commitment scheme with perfect hiding,
<li>$\mathit{Commit}$ and $\mathit{ShortCommit}$ are commitment schemes with perfect hiding, and
<p>We instantiate $\mathit{HomomorphicCommit}$ with a Pedersen commitment, and use it for
<p>We instantiate $\mathit{Commit}$ and $\mathit{ShortCommit}$ with Sinsemilla, and use them
<p>Note that for $\mathsf{ivk}$, we also deviate from Sapling in two ways:</p>
<li>We use $\mathit{ShortCommit}$ to derive $\mathsf{ivk}$ instead of a full PRF. This removes an
unnecessary (large) PRF primitive from the circuit, at the cost of requiring $\mathsf{rivk}$ to be
<li>We define $\mathsf{ivk}$ as an integer in $[1, q_P)$; that is, we exclude $\mathsf{ivk} = 0$. For
Sapling, we relied on BLAKE2s to make $\mathsf{ivk} = 0$ infeasible to produce, but it was still
<li>$0$ is not a valid x-coordinate for any Pallas point.</li>
<li>$\mathsf{SinsemillaShortCommit}$ internally maps points to field elements by replacing the identity (which
has no affine coordinates) with $0$. But $\mathsf{SinsemillaCommit}$ is defined using incomplete addition, and
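<p>The following is an added example, not code from the Orchard book or from the orchard or pasta_curves crates. It serves two passages above: it instantiates $\mathit{HomomorphicCommit}$ as a Pedersen commitment $[m]\,G + [r]\,H$ over the Pallas curve and checks the linear homomorphism $\mathit{Commit}(m_1, r_1) + \mathit{Commit}(m_2, r_2) = \mathit{Commit}(m_1 + m_2, r_1 + r_2)$, and it checks the two facts behind $\mathsf{ivk} \neq 0$: that $0$ is not the x-coordinate of any Pallas point, and that a point-to-field map which sends the identity to $0$ therefore returns $0$ only for the identity. The curve equation $y^2 = x^3 + 5$, the field modulus, the group order and the base point $(-1, 2)$ are the published Pasta constants; the second Pedersen base $H$ is derived here by a toy try-and-increment and is an assumption of the example, not Orchard's generator. Sinsemilla itself is not implemented; only the identity-to-$0$ map the text describes is modelled.</p>

```python
# Added example (not from the Orchard book or the orchard/pasta_curves crates).
# Pallas: y^2 = x^3 + 5 over GF(p); the group has prime order q (Vesta's base field).
p = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
B = 5
IDENTITY = None  # the point at infinity has no affine coordinates


def is_square(a):
    """Euler's criterion: True iff a is a nonzero quadratic residue mod p."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_mod(a):
    """Tonelli-Shanks square root mod p. p-1 has 2-adicity 32, so the
    (p+1)/4 shortcut does not apply. Returns None if a is not a square."""
    a %= p
    if a == 0:
        return 0
    if not is_square(a):
        return None
    qq, s = p - 1, 0
    while qq % 2 == 0:
        qq //= 2
        s += 1
    z = 2
    while is_square(z):          # find a quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, qq, p), pow(a, qq, p), pow(a, (qq + 1) // 2, p)
    while t != 1:
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def add(P, Q):
    """Complete affine addition: handles the identity and P == -Q explicitly."""
    if P is IDENTITY:
        return Q
    if Q is IDENTITY:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:   # Q == -P
            return IDENTITY
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, P):
    """Double-and-add scalar multiplication (k is not reduced, so mul(q, G) tests the order)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


G = (p - 1, 2)   # the published Pasta base point (-1, 2): (-1)^3 + 5 = 4 = 2^2


def toy_second_base():
    """Assumption of this example: first x >= 1 with x^3 + 5 a square.
    Orchard derives its Pedersen bases differently (hash-to-curve)."""
    x = 1
    while True:
        y = sqrt_mod((x ** 3 + B) % p)
        if y is not None:
            return (x, y)
        x += 1


H = toy_second_base()


def pedersen_commit(m, r):
    """HomomorphicCommit_r(m) = [m] G + [r] H; perfectly hiding because [r] H
    ranges over the whole group as r does."""
    return add(mul(m, G), mul(r, H))


def homomorphism_holds(m1, r1, m2, r2):
    """Commit(m1, r1) + Commit(m2, r2) == Commit(m1 + m2, r1 + r2), scalars mod q."""
    lhs = add(pedersen_commit(m1, r1), pedersen_commit(m2, r2))
    rhs = pedersen_commit((m1 + m2) % q, (r1 + r2) % q)
    return lhs == rhs


def x_is_on_curve(x):
    """True iff some Pallas point has x-coordinate x (x^3 + 5 must be 0 or a square)."""
    rhs = (x ** 3 + B) % p
    return rhs == 0 or is_square(rhs)


def extract_p(P):
    """Point-to-field map as described in the text: x-coordinate, identity -> 0.
    Since x = 0 is never on the curve, the output is 0 only for the identity."""
    return 0 if P is IDENTITY else P[0]


if __name__ == "__main__":
    # constructed sample values for the demonstration
    print("linearly homomorphic:", homomorphism_holds(7, 12345, 11, 67890))
    print("0 is a Pallas x-coordinate:", x_is_on_curve(0))
    print("extract_p(identity):", extract_p(IDENTITY))
```

<p>Two details matter for reading the example against the text above. First, <code>add</code> is written as complete addition (identity and $P = -Q$ are handled) because the homomorphism check needs a correct group law on every input, whereas the text notes that $\mathsf{SinsemillaCommit}$ uses incomplete addition inside the circuit. Second, the test that $0$ is not an x-coordinate reduces to $5$ being a quadratic non-residue modulo the Pallas base field, which is exactly what makes <code>extract_p</code> injective on the identity.</p>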