orchard/book/src/design/commitment-tree.md

# Commitment tree

The commitment tree structure for Orchard is identical to Sapling:

- A single global commitment tree of fixed depth 32.
- Note commitments are appended to the tree in-order from the block.
- Valid Orchard anchors correspond to the global tree state at block boundaries (after all
  commitments from a block have been appended, and before any commitments from the next
  block have been appended).

The only difference is that we instantiate $\mathsf{MerkleCRH}^\mathsf{Orchard}$ with
Sinsemilla (whereas $\mathsf{MerkleCRH}^\mathsf{Sapling}$ used a Bowe--Hopwood Pedersen
hash).

## Uncommitted leaves

The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in
Orchard) require specifying an "empty" or "uncommitted" leaf - a value that will never be
appended to the tree as a regular leaf.

- For Sprout (and trees composed of the outputs of bit-twiddling hash functions), we use
  the all-zeroes array; the probability of a real note having a colliding note commitment
  is cryptographically negligible.
- For Sapling, where leaves are $u$-coordinates of Jubjub points, we use the value $1$
  which is not the $u$-coordinate of any Jubjub point.

Orchard note commitments are the $x$-coordinates of Pallas points; thus we take the same
approach as Sapling, using a value that is not the $x$-coordinate of any Pallas point as the
uncommitted leaf value. We use the value $2$ for both Pallas and Vesta, because $2^3 + 5$ is
not a square in either $F_p$ or $F_q$:

```python
sage: p = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
sage: EllipticCurve(GF(p), [0, 5]).count_points() == q
True
sage: EllipticCurve(GF(q), [0, 5]).count_points() == p
True
sage: Mod(13, p).is_square()
False
sage: Mod(13, q).is_square()
False
```

> Note: There are also no Pallas points with $x$-coordinate $0$, but we map the identity to
> $(0, 0)$ within the circuit. Although $\mathsf{SinsemillaCommit}$ cannot return the identity
> (the incomplete addition would return $\perp$ instead), it would arguably be confusing to
> rely on that.

## Considered alternatives

We considered splitting the commitment tree into several sub-trees:

- Bundle tree, that accumulates the commitments within a single bundle (and thus a single
  transaction).
- Block tree, that accumulates the bundle tree roots within a single block.
- Global tree, that accumulates the block tree roots.

Each of these trees would have had a fixed depth (necessary for being able to create
proofs). Chains that integrated Orchard could have decoupled the limits on
commitments-per-subtree from higher-layer constraints like block size, by enabling their
blocks and transactions to be structured internally as a series of Orchard blocks or txs
(e.g. a Zcash block would have contained  a `Vec<BlockTreeRoot>`, that each were appended
in-order).

The motivation for considering this change was to improve the lives of light client wallet
developers. When a new note is received, the wallet derives its incremental witness from
the state of the global tree at the point when the note's commitment is appended; this
incremental state then needs to be updated with every subsequent commitment in the block
in-order. Wallets can't get help from the server to create these for new notes without
leaking the specific note that was received.

We decided that this was too large a change from Sapling, and that it should be possible
to improve the Incremental Merkle Tree implementation to work around the efficiency issues
without domain-separating the tree.
book: Start adding Orchard design notes Some of this content may move into the concepts section, or possibly into a dedicated specification area, but for now the design section includes our choices alongside the reasoning. 2020-12-15 12:52:31 -08:00			`# Commitment tree`

book: Update commitment tree section with the design decision 2021-02-11 17:46:37 -08:00			`The commitment tree structure for Orchard is identical to Sapling:`
book: Start adding Orchard design notes Some of this content may move into the concepts section, or possibly into a dedicated specification area, but for now the design section includes our choices alongside the reasoning. 2020-12-15 12:52:31 -08:00
book: Update commitment tree section with the design decision 2021-02-11 17:46:37 -08:00			`- A single global commitment tree of fixed depth 32.`
			`- Note commitments are appended to the tree in-order from the block.`
			`- Valid Orchard anchors correspond to the global tree state at block boundaries (after all`
			`commitments from a block have been appended, and before any commitments from the next`
			`block have been appended).`
book: Start adding Orchard design notes Some of this content may move into the concepts section, or possibly into a dedicated specification area, but for now the design section includes our choices alongside the reasoning. 2020-12-15 12:52:31 -08:00
book: Update commitment tree section with the design decision 2021-02-11 17:46:37 -08:00			`The only difference is that we instantiate $\mathsf{MerkleCRH}^\mathsf{Orchard}$ with`
			`Sinsemilla (whereas $\mathsf{MerkleCRH}^\mathsf{Sapling}$ used a Bowe--Hopwood Pedersen`
			`hash).`
book: Note that we use 0 for uncommitted leaves in the commitment tree 2021-01-21 16:28:15 -08:00
			`## Uncommitted leaves`

			`The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in`
			`Orchard) require specifying an "empty" or "uncommitted" leaf - a value that will never be`
			`appended to the tree as a regular leaf.`

			`- For Sprout (and trees composed of the outputs of bit-twiddling hash functions), we use`
			`the all-zeroes array; the probability of a real note having a colliding note commitment`
			`is cryptographically negligible.`
Apply editorial suggestions from code review Co-authored-by: Daira Hopwood <daira@jacaranda.org> 2021-01-21 17:52:05 -08:00			`- For Sapling, where leaves are $u$-coordinates of Jubjub points, we use the value $1$`
			`which is not the $u$-coordinate of any Jubjub point.`
book: Note that we use 0 for uncommitted leaves in the commitment tree 2021-01-21 16:28:15 -08:00
Apply editorial suggestions from code review Co-authored-by: Daira Hopwood <daira@jacaranda.org> 2021-01-21 17:52:05 -08:00			`Orchard note commitments are the $x$-coordinates of Pallas points; thus we take the same`
			`approach as Sapling, using a value that is not the $x$-coordinate of any Pallas point as the`
[book] commitment-tree.md: Update Uncommitted^Orchard from 0 -> 2. 2021-06-11 03:45:25 -07:00			`uncommitted leaf value. We use the value $2$ for both Pallas and Vesta, because $2^3 + 5$ is`
			`not a square in either $F_p$ or $F_q$:`
book: Note that we use 0 for uncommitted leaves in the commitment tree 2021-01-21 16:28:15 -08:00
			```python
			`sage: p = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001`
			`sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001`
			`sage: EllipticCurve(GF(p), [0, 5]).count_points() == q`
			`True`
			`sage: EllipticCurve(GF(q), [0, 5]).count_points() == p`
			`True`
[book] commitment-tree.md: Update Uncommitted^Orchard from 0 -> 2. 2021-06-11 03:45:25 -07:00			`sage: Mod(13, p).is_square()`
book: Note that we use 0 for uncommitted leaves in the commitment tree 2021-01-21 16:28:15 -08:00			`False`
[book] commitment-tree.md: Update Uncommitted^Orchard from 0 -> 2. 2021-06-11 03:45:25 -07:00			`sage: Mod(13, q).is_square()`
book: Note that we use 0 for uncommitted leaves in the commitment tree 2021-01-21 16:28:15 -08:00			`False`
			```
book: Update commitment tree section with the design decision 2021-02-11 17:46:37 -08:00
[book] commitment-tree.md: Update Uncommitted^Orchard from 0 -> 2. 2021-06-11 03:45:25 -07:00			`> Note: There are also no Pallas points with $x$-coordinate $0$, but we map the identity to`
			`> $(0, 0)$ within the circuit. Although $\mathsf{SinsemillaCommit}$ cannot return the identity`
			`> (the incomplete addition would return $\perp$ instead), it would arguably be confusing to`
			`> rely on that.`

book: Update commitment tree section with the design decision 2021-02-11 17:46:37 -08:00			`## Considered alternatives`

			`We considered splitting the commitment tree into several sub-trees:`

			`- Bundle tree, that accumulates the commitments within a single bundle (and thus a single`
			`transaction).`
			`- Block tree, that accumulates the bundle tree roots within a single block.`
			`- Global tree, that accumulates the block tree roots.`

			`Each of these trees would have had a fixed depth (necessary for being able to create`
			`proofs). Chains that integrated Orchard could have decoupled the limits on`
			`commitments-per-subtree from higher-layer constraints like block size, by enabling their`
			`blocks and transactions to be structured internally as a series of Orchard blocks or txs`
			(e.g. a Zcash block would have contained a `Vec<BlockTreeRoot>`, that each were appended
			`in-order).`

			`The motivation for considering this change was to improve the lives of light client wallet`
			`developers. When a new note is received, the wallet derives its incremental witness from`
			`the state of the global tree at the point when the note's commitment is appended; this`
			`incremental state then needs to be updated with every subsequent commitment in the block`
			`in-order. Wallets can't get help from the server to create these for new notes without`
			`leaking the specific note that was received.`

			`We decided that this was too large a change from Sapling, and that it should be possible`
			`to improve the Incremental Merkle Tree implementation to work around the efficiency issues`
			`without domain-separating the tree.`