<button id="sidebar-toggle" class="icon-button" type="button" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<p>As in Sapling, we require two kinds of commitment schemes in Pollard:</p>
<ul>
<li>$\mathit{HomomorphicCommit}$ is a linearly homomorphic commitment scheme with perfect hiding, and
strong binding reducible to DL.</li>
<li>$\mathit{Commit}$ and $\mathit{ShortCommit}$ are commitment schemes with perfect hiding, and strong
binding reducible to DL.</li>
</ul>
<p>By "strong binding" we mean that the scheme is collision resistant on the input and
randomness.</p>
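<p>Added example, not code from this book or the project: the three properties required of the homomorphic commitment above (linear homomorphism, perfect hiding, binding reducible to DL), checked on a Pedersen commitment in a toy multiplicative group. The modulus, the bases <code>V_BASE</code> and <code>R_BASE</code> and all function names are assumptions made for the illustration; the parameters are constructed and far too small to be secure.</p>

```python
# Added illustration: Pedersen commitment in a toy group (constructed parameters).
# On an elliptic curve the commitment is written [v]G + [r]H; this group is
# multiplicative, so the same thing reads V_BASE^v * R_BASE^r.

P = 1019    # safe prime, P = 2*Q + 1 (toy size)
Q = 509     # prime order of the subgroup of squares mod P
V_BASE = 4  # hypothetical value base (2^2 mod P)
R_BASE = 9  # hypothetical randomness base (3^2 mod P)


def commit(v, r):
    """Commit to value v with randomness r."""
    return pow(V_BASE, v % Q, P) * pow(R_BASE, r % Q, P) % P


def combine(c1, c2):
    """Group operation applied to two commitments."""
    return c1 * c2 % P


def is_linearly_homomorphic():
    """combine(commit(v1, r1), commit(v2, r2)) == commit(v1 + v2, r1 + r2)."""
    samples = [(3, 100, 7, 401), (0, 5, 0, 504), (508, 1, 1, 508)]  # constructed
    return all(
        combine(commit(v1, r1), commit(v2, r2)) == commit(v1 + v2, r1 + r2)
        for v1, r1, v2, r2 in samples
    )


def openings(c, v):
    """All randomness values r for which (v, r) opens commitment c."""
    return [r for r in range(Q) if commit(v, r) == c]


def is_perfectly_hiding(c):
    """Every value has exactly one r that opens c, so c alone reveals nothing about v."""
    return all(len(openings(c, v)) == 1 for v in range(Q))


def dlog_from_collision(open1, open2):
    """Two distinct openings of one commitment yield x with R_BASE == V_BASE^x.

    This is the reduction behind "binding reducible to DL": whoever can produce
    a collision on (value, randomness) can compute the discrete log between the
    bases, so binding holds as long as that log is unknown.
    """
    (v1, r1), (v2, r2) = open1, open2
    same_opening = (v1 - v2) % Q == 0 and (r1 - r2) % Q == 0
    if same_opening or commit(v1, r1) != commit(v2, r2):
        raise ValueError("not a collision")
    # V^v1 * R^r1 == V^v2 * R^r2 and R == V^x  =>  v1 - v2 == x * (r2 - r1) (mod Q)
    return (v1 - v2) * pow((r2 - r1) % Q, -1, Q) % Q


def collision_recovers_base_dlog():
    """Find a second opening by exhaustive search (feasible only at toy size)."""
    c = commit(5, 17)
    r_other = openings(c, 6)[0]
    x = dlog_from_collision((5, 17), (6, r_other))
    return pow(V_BASE, x, P) == R_BASE


if __name__ == "__main__":
    print("homomorphic:", is_linearly_homomorphic())
    print("perfectly hiding:", is_perfectly_hiding(commit(5, 17)))
    print("collision gives dlog of base:", collision_recovers_base_dlog())
```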
<p>We instantiate $\mathit{HomomorphicCommit}$ with a Pedersen commitment, and use it for value
<p>We instantiate $\mathit{Commit}$ and $\mathit{ShortCommit}$ with Sinsemilla, and use them for all other
<p>This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient
Sinsemilla instead of Bowe-Hopwood Pedersen hashes.</p>
<p>Note that we also deviate from Sapling by using $\mathit{ShortCommit}$ to derive $\mathsf{ivk}$
instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit,
at the cost of requiring $\mathsf{rivk}$ to be part of the full viewing key.</p>
<li>$\mathit{Hash}$ is a keyed circuit-efficient hash (such as Rescue).</li>
<li>$\rho$ is unique to this output. As with $\mathsf{h_{Sig}}$ in Sprout, $\rho$ includes
the nullifiers of any Orchard notes being spent.
<ul>
<li>If spends and outputs are merged / combined, then we always have a nullifier
(internally derived from a real or dummy note), and can rely on the nullifier
derivation process to prevent an adversary from choosing dummy nullifiers arbitrarily.</li>
<li>If spends and outputs are <em>not</em> merged, then $\rho$ should probably also include
unique information from other parts of the transaction as well.</li>
<li>TODO: Decide which of the above two cases will be used, and update this.</li>
</ul>
</li>
<li>$\psi$ is sender-controlled randomness. It is not required to be unique, and in practice
is derived from a sender-selected random value $\mathsf{rseed}$.</li>
<li>$\mathcal{G}$ is a fixed independent base.</li>
<p>The nullifier commits to the note value via $\mathsf{cm}$ in order to domain-separate
nullifiers for zero-valued notes from other notes.</p>
<p>We care about several security properties for our nullifiers:</p>
<ul>
<li>
<p><strong>Balance:</strong> can I forge money?</p>
</li>
<li>
<p><strong>Note Privacy:</strong> can I gain information about notes only from the public block chain?</p>
<ul>
<li>This describes notes sent in-band.</li>
</ul>
</li>
<li>
<p><strong>Note Privacy (OOB):</strong> can I gain information about notes sent out-of-band, only from
the public block chain?</p>
<ul>
<li>In this case, we assume privacy of the channel over which the note is sent, and that
the adversary does not have access to any notes sent to the same address which are
then spent (so that the nullifier is on the block chain somewhere).</li>
</ul>
</li>
<li>
<p><strong>Spend Unlinkability:</strong> given the incoming viewing key for an address, and not the full
viewing key, can I (possibly the sender) detect spends of any notes sent to that address?</p>
<ul>
<li>We're giving $\mathsf{ivk}$ to the attacker and allowing it to be the sender in order to make
this property as strong as possible: they will have <em>all</em> the notes sent to that
address.</li>
</ul>
</li>
<li>
<p><strong>Faerie Resistance:</strong> can I perform a Faerie Gold attack (i.e. cause notes to be
accepted that are unspendable)?</p>
</li>
</ul>
<p>We assume (and instantiate elsewhere) the following primitives:</p>
<ul>
<li>$\mathit{GH}$ is a cryptographic hash into the group (such as BLAKE2s with simplified SWU), used
to derive all fixed independent bases.</li>
<li>$E$ is an elliptic curve (such as Pallas).</li>
<li>$\mathit{KDF}$ is the note encryption key derivation function.</li>
</ul>
<p>For our chosen design, our desired security properties rely on the following assumptions:</p>
<p>$\mathit{HashDH}^{F}_{E}$ is computational Diffie-Hellman using $F$ for the key derivation, with
one-time ephemeral keys. This assumption is heuristically weaker than $\mathit{DDH}_{E}$ but stronger
than $\mathit{DL}_{E}$.</p>
<p>We omit $\mathit{RO}_{\mathit{GH}}$ as a security assumption because we only rely on the random oracle
applied to fixed inputs defined by the protocol, i.e. to generate the fixed base
$\mathcal{G}$, not to attacker-specified inputs.</p>
<blockquote>
<p>$\dagger$ We additionally assume that for any input $x$, $\{\mathit{Hash}_{\mathsf{nk}}(x) : \mathsf{nk} \in E\}$ gives a scalar in an adequate range for $\mathit{DDH}_{E}$. (Otherwise, $\mathit{Hash}$
could be trivial, e.g. independent of $\mathsf{nk}$.)</p>
<p>$\textcolor{red}{\textsf{⚠ Caution}}$: be skeptical of the claims in this table about what
problem(s) each security property depends on. They may not be accurate and are definitely
<li>$H$ is calculated by the sender as $H = \mathit{GH}(\rho)$, and would be provided in the action.</li>
<li>$\mathcal{I}$ is a fixed independent base, independent of $\mathcal{G}$ and any others
returned by $\mathit{GH}$.</li>
</ul>
<p>For the options that use $H$, when spending a note,</p>
<ul>
<li>if it's a real note, then $H$ is as computed for that note, so it is a unique RO output;</li>
<li>if it's a dummy note, we enforce that it is some fixed base independent of other bases.</li>
value, without directly depending on $\mathsf{cm}$ (which in its native type is a base
field element, not a group element). We decided instead to follow Sapling by defining an
intermediate representation of $\mathsf{cm}$ as a group element, that is only used in