<p>The nullifier private key nsk is removed. Its purpose in Sapling was as
recover ask would not be able to spend funds. In practice it has not been
feasible to manage nsk much more securely than a full viewing key, as the</p>
<p>nk is now a field element instead of a curve point, making it more efficient</p>
<p>ovk is now derived from fvk, instead of being derived in parallel.
This places it in a similar position within the key structure to ivk, and
same ivk but different ovks. Users still have control over whether
ovk is used when constructing a transaction.</p>
<p>When designing Sapling, we defined a <a href="https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki">BIP 32</a>-like mechanism for generating hierarchical
deterministic wallets in <a href="https://zips.z.cash/zip-0032">ZIP 32</a>. We decided at the time to stick closely to the design
of BIP 32, on the assumption that there were Bitcoin use cases that used both hardened and
non-hardened derivation that we might not be aware of. This decision created significant
complexity for Sapling: we needed to handle derivation separately for each component of
the expanded spending key and full viewing key (whereas for transparent addresses there is
only a single component in the spending key).</p>
<p>Non-hardened derivation enables creating a multi-level path of child addresses below some
parent address, without involving the parent spending key. The primary use case for this
is HD wallets for transparent addresses, which use the following structure defined in</p>
<ul>
<li>HomomorphicCommit is a linearly homomorphic commitment scheme with perfect hiding,</li>
<li>Commit and ShortCommit are commitment schemes with perfect hiding, and</li>
</ul>
<p>We instantiate HomomorphicCommit with a Pedersen commitment, and use it for</p>
<p>We instantiate Commit and ShortCommit with Sinsemilla, and use them</p>
<p>Note that for ivk, we also deviate from Sapling in two ways:</p>
<ul>
<li>We use ShortCommit to derive ivk instead of a full PRF. This removes an
unnecessary (large) PRF primitive from the circuit, at the cost of requiring rivk to be
part of the full viewing key.</li>
<li>We define ivk as an integer in [1, q<sub>P</sub>); that is, we exclude ivk = 0. For
Sapling, we relied on BLAKE2s to make ivk = 0 infeasible to produce, but it was still
technically possible. For Orchard, we get this by construction:
<ul>
<li>0 is not a valid x-coordinate for any Pallas point.</li>
<li>SinsemillaShortCommit internally maps points to field elements by replacing the identity (which
has no affine coordinates) with 0. But SinsemillaCommit is defined using incomplete addition, and</li>
</ul></li>
</ul>
<p>The only difference is that we instantiate MerkleCRH<sup>Orchard</sup> with
Sinsemilla (whereas MerkleCRH<sup>Sapling</sup> used a Bowe–Hopwood Pedersen</p>
<p>The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in
Orchard) require specifying an "empty" or "uncommitted" leaf: a value that will never be
appended to the tree as a regular leaf.</p>
<ul>
<li>For Sprout (and trees composed of the outputs of bit-twiddling hash functions), we use
the all-zeroes array; the probability of a real note having a colliding note commitment
is cryptographically negligible.</li>
<li>For Sapling, where leaves are u-coordinates of Jubjub points, we use the value 1,
which is not the u-coordinate of any Jubjub point.</li>
</ul>
<p>Orchard note commitments are the x-coordinates of Pallas points; thus we take the same
approach as Sapling, using a value that is not the x-coordinate of any Pallas point as the
uncommitted leaf value. It happens that 0 is the smallest such value for both Pallas and
Vesta, because 0<sup>3</sup> + 5 is not a square in either F<sub>p</sub> or F<sub>q</sub>:</p>
<pre><code class="language-python">sage: p = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
</code></pre>
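<p>As an added example (not code from the Orchard book), the Python below reproduces the check behind the uncommitted-leaf choice with Euler's criterion instead of Sage: it confirms that 0 is not an x-coordinate on Pallas or Vesta and is the smallest such value, and applies the same square test to Sapling's choice of 1 on Jubjub. The Vesta modulus q and the Jubjub constants r and d are published curve parameters that are not quoted on this page.</p>

```python
"""Check the 'uncommitted leaf' argument with plain integer arithmetic.

Added example for this page, not code from the Orchard book. For the Pallas
and Vesta base fields (both curves are y^2 = x^3 + 5) it verifies that x = 0
is not the x-coordinate of any affine point and is the smallest such value,
then applies the same square test to Sapling's choice of u = 1 on Jubjub.
"""

# Pallas base field modulus p (quoted on the page). q is the Vesta base field
# modulus (also the Pallas scalar field): a published constant, not from the page.
PALLAS_P = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
VESTA_Q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
CURVE_B = 5  # Pallas and Vesta are the short Weierstrass curves y^2 = x^3 + 5

# Jubjub (Sapling): twisted Edwards curve -u^2 + v^2 = 1 + d*u^2*v^2 over the
# BLS12-381 scalar field r. Published constants, not from the page; d = -10240/10241.
JUBJUB_R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
JUBJUB_D = (-10240 * pow(10241, -1, JUBJUB_R)) % JUBJUB_R


def is_square(a: int, m: int) -> bool:
    """Euler's criterion for an odd prime m: a is a square iff a^((m-1)/2) is 0 or 1.

    This is the stand-in for Sage's Mod(a, m).is_square() used on the page."""
    a %= m
    if a == 0:
        return True
    return pow(a, (m - 1) // 2, m) == 1


def is_x_coordinate(x: int, m: int) -> bool:
    """x is the x-coordinate of an affine point of y^2 = x^3 + 5 over F_m
    exactly when x^3 + 5 is a square in F_m."""
    return is_square(pow(x, 3, m) + CURVE_B, m)


def smallest_non_x_coordinate(m: int) -> int:
    """Smallest non-negative field element that is nobody's x-coordinate.

    About half of all x values qualify, so the scan ends after a few steps;
    the page's claim is that it ends immediately, at 0, for both p and q."""
    x = 0
    while is_x_coordinate(x, m):
        x += 1
    return x


def is_u_coordinate_jubjub(u: int) -> bool:
    """u is the u-coordinate of a Jubjub point iff v^2 = (1 + u^2) / (1 - d*u^2)
    is a square in F_r. Jubjub is a complete Edwards curve (d is a non-square),
    so the denominator never vanishes; the guard only documents that fact."""
    u %= JUBJUB_R
    num = (1 + u * u) % JUBJUB_R
    den = (1 - JUBJUB_D * u * u) % JUBJUB_R
    if den == 0:
        return False
    return is_square(num * pow(den, -1, JUBJUB_R), JUBJUB_R)


def uncommitted_leaf_is_safe(m: int, leaf: int = 0) -> bool:
    """A Merkle leaf sentinel is safe when no note commitment can equal it:
    commitments are x-coordinates, so the sentinel must not be one."""
    return not is_x_coordinate(leaf, m)


if __name__ == "__main__":
    for name, m in (("Pallas F_p", PALLAS_P), ("Vesta F_q", VESTA_Q)):
        print(f"{name}: 5 is a square? {is_square(CURVE_B, m)}; "
              f"x=0 on curve? {is_x_coordinate(0, m)}; "
              f"smallest non-x-coordinate = {smallest_non_x_coordinate(m)}")
    print(f"Jubjub: u=1 on curve? {is_u_coordinate_jubjub(1)}; "
          f"u=0 on curve? {is_u_coordinate_jubjub(0)}")
```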
<ul>
<li>F is a keyed circuit-efficient PRF (such as Rescue or Poseidon).</li>
<li>ρ is unique to this output. As with h<sub>Sig</sub> in Sprout, ρ includes
the nullifiers of any Orchard notes being spent in the same action. Given that an action
consists of a single spend and a single output, we set ρ to be the nullifier of the</li>
<li>ψ is sender-controlled randomness. It is not required to be unique, and in practice
is derived from both ρ and a sender-selected random value rseed:</li>
<li>𝒢 is a fixed independent base.</li>
<li>Extract<sub>ℙ</sub> extracts the x-coordinate of a Pallas curve point.</li>
</ul>
<p>The note plaintext includes rseed in place of ψ and rcm, and
omits ρ (which is a public part of the action).</p>
<ul>
<li>We're giving ivk to the attacker and allowing it to be the sender in order</li>
</ul>
<ul>
<li>GH is a cryptographic hash into the group (such as BLAKE2s with simplified SWU), used</li>
<li>E is an elliptic curve (such as Pallas).</li>
<li>KDF is the note encryption key derivation function.</li>
</ul>
<p>HashDH<sup>KDF</sup><sub>E</sub> is computational Diffie-Hellman using KDF for the key derivation, with
one-time ephemeral keys. This assumption is heuristically weaker than DDH<sub>E</sub> but stronger</p>
<p>We omit RO<sub>GH</sub> as a security assumption because we only rely on the random oracle
applied to fixed inputs defined by the protocol, i.e. to generate the fixed base
𝒢, not to attacker-specified inputs.</p>
<p>† We additionally assume that for any input x,
{F<sub>nk</sub>(x) : nk ∈ E} gives a scalar in an adequate range for
DDH<sub>E</sub>. (Otherwise, F could be trivial, e.g. independent of nk.)</p>
<p><strong>⚠ Caution</strong>: be skeptical of the claims in this table about what
problem(s) each security property depends on. They may not be accurate and are definitely</p>
<p>The entries in this table omit the application of Extract<sub>ℙ</sub>,</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Hash</span></span></span></span></span> is a keyed circuit-efficient hash (such as Rescue).</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span> is an fixed independent base, independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span> and any others
returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>.</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.151392em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0593em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03588em;">v</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> is a pair of fixed independent bases (independent of all others), where
the specific choice of base depends on whether the note has zero value.</p>
</li>
<li>
<p>$H$ is a base unique to this output.</p>
$\rho$ includes the nullifiers of any Orchard notes being spent in the same action.</li>
<li>For zero-valued notes, $H$ is constrained by the circuit to a fixed base independent
of $\mathcal{I}$ and any others returned by $GH$.</li>
<li>There can be only one $\mathsf{ivk}$ for a given $\mathit{addr}$. This is true because
the circuit checks that $\mathsf{pk_d} = [\mathsf{ivk}]\,\mathsf{g_d}$, and the mapping
$\mathsf{ivk} \mapsto [\mathsf{ivk}]\,\mathsf{g_d}$ is an injection for any $\mathsf{g_d}$.
($\mathsf{ivk}$ is in the base field of $E$, which must be smaller than its scalar field,
<li>There can be only one $\mathsf{nk}$ for a given $\mathsf{ivk}$. This is true because the
where $\mathit{ShortCommit}$ is binding (see <a href="design/commitments.html">Commitments</a>).</li>
<h3><a class="header" href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight0625emvertical-align-019444emspanspan-classmord-mathnormalρspanspanspanspan" id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight0625emvertical-align-019444emspanspan-classmord-mathnormalρspanspanspanspan">Use of $\rho$</a></h3>
<p><strong>Faerie Resistance</strong> requires that nullifiers be unique. This is primarily achieved by
taking a unique value (checked for uniqueness by the public consensus rules) as an input
to the nullifier. However, it is also necessary to ensure that the transformations applied
to this value preserve its uniqueness. Meanwhile, to achieve <strong>Spend Unlinkability</strong>, we
require that the nullifier does not reveal any information about the unique value it is
derived from.</p>
<p>The design alternatives fall into two categories in terms of how they balance these
requirements:</p>
<ul>
<li>
<p>Publish a unique value $\rho$ at note creation time, and blind that value within the
<li>This is similar to the approach taken in Sprout and Sapling, which both implemented
nullifiers as PRF outputs; Sprout uses the compression function from SHA-256, while
Sapling uses BLAKE2s.</li>
</ul>
</li>
<li>
<p>Derive a unique base $H$ from some unique value, publish that unique base at note
creation time, and then blind the base (either additively or multiplicatively) during
<p>For <strong>Spend Unlinkability</strong>, the only value unknown to the adversary is $\mathsf{nk}$, and
the cryptographic assumptions only involve the first term (other terms like $\mathsf{cm}$
or $[\mathsf{rnf}]\,\mathcal{I}$ cannot be extracted directly from the observed nullifiers,
but can be subtracted from them). We therefore ensure that the first term does not commit
directly to the note (to prevent a DL-breaking adversary from immediately breaking <strong>SU</strong>).</p>
<p>We were considering using a design involving $H$ with the goal of eliminating all usages
<li>Instantiating $PRF_F$ with a traditional hash function is expensive in the circuit.</li>
<li>We didn't want to solely rely on an algebraic hash function satisfying $PRF_F$ to
still requiring $DDH_E$ for <strong>Spend Unlinkability</strong>. (There are two designs for which this
is not the case, but they rely on $DDH_E^{\dagger}$ for <strong>Note Privacy (OOB)</strong> which was not
<p>By contrast, several designs involving $\rho$ (including the chosen design) have weaker
assumptions for <strong>Faerie Resistance</strong> (only relying on $DL_E$), and <strong>Spend Unlinkability</strong>
does not require $PRF_F$ to hold: they can fall back on the same $DDH_E$ assumption as the
$H$ designs (along with an additional assumption about the output of $F$ which is easily
satisfied).</p>
<h3><a class="header" href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight08888799999999999emvertical-align-019444emspanspan-classmord-mathnormal-stylemargin-right003588emψspanspanspanspan" id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight08888799999999999emvertical-align-019444emspanspan-classmord-mathnormal-stylemargin-right003588emψspanspanspanspan">Use of $\psi$</a></h3>
<p>Most of the designs include either a multiplicative blinding term $[\theta]\,H$, or an
additive blinding term $[\mathsf{rnf}]\,\mathcal{I}$, in order to achieve perfect
effectively using $[\psi]\,\mathcal{G}$ for this purpose; a DL-breaking adversary only
perfect to statistical, but given that $\psi$ is from a distribution statistically close
to uniform on $[0, q)$, this is statistically close to better than $2^{-128}$. The benefit
is that it does not require an additional scalar multiplication, making it more efficient
inside the circuit.</p>
<p>$\psi$'s derivation has two motivations:</p>
<ul>
<li>Deriving from a random value $\mathsf{rseed}$ enables multiple derived values to be
conveyed to the recipient within an action (such as the ephemeral secret $\mathsf{esk}$,
per <a href="https://zips.z.cash/zip-0212">ZIP 212</a>), while keeping the note plaintext short.</li>
<li>Mixing $\rho$ into the derivation ensures that the sender can't repeat $\psi$ across two
notes, which could have enabled spend linkability attacks in some designs.</li>
</ul>
<p>The note that is committed to, and which the circuit takes as input, only includes $\psi$
(i.e. the circuit does not check the derivation from $\mathsf{rseed}$). However, an
adversarial sender is still constrained by this derivation, because the recipient
recomputes $\psi$ during note decryption. If an action were created using an arbitrary
$\psi$ (for which the adversary did not have a corresponding $\mathsf{rseed}$), the
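<p>The $\psi$ derivation and the recipient-side recomputation described above, as an added example that is not code from the Orchard book or the orchard crate: a Python model that derives $\mathsf{esk}$, $\mathsf{rcm}$ and $\psi$ from one $\mathsf{rseed}$ mixed with $\rho$ in the ZIP 212 style (BLAKE2b-512 expansion under a tag byte, reduced into the scalar field), and shows the recipient rejecting a note whose $\psi$ was chosen arbitrarily. The tag bytes, the BLAKE2b personalization, the field order and the sample inputs are this example's assumptions, not values taken from this page.</p>

```python
"""Per-note value derivation from rseed and rho, modelled on ZIP 212 / Orchard.

Added example for this page; it is not code from the Orchard book or the
orchard crate. Tag bytes, the BLAKE2b personalization and the field order are
this example's assumptions; a real implementation must follow the protocol spec.
"""
import hashlib

# Assumed: order of the scalar field that ToScalar reduces into (the "q" in
# the page's [0, q)). Any prime of the right size would serve the model.
SCALAR_ORDER = 0x40000000000000000000000000000000224698FC0994A8DD8C46EB2100000001

# Assumed domain-separation tags, one per value derived from the same rseed.
TAG_ESK, TAG_RCM, TAG_PSI = 0x04, 0x05, 0x09

# Constructed sample inputs (not real chain data): one sender rseed and two
# different rho values, as would arise from two different actions.
RSEED = hashlib.sha256(b"constructed rseed for the example").digest()
RHO_A = int.from_bytes(hashlib.sha256(b"constructed rho A").digest(), "little")
RHO_B = int.from_bytes(hashlib.sha256(b"constructed rho B").digest(), "little")


def prf_expand(sk: bytes, t: bytes) -> bytes:
    """PRF^expand_sk(t): BLAKE2b-512 over sk || t with a fixed personalization."""
    h = hashlib.blake2b(digest_size=64, person=b"Zcash_ExpandSeed")
    h.update(sk)
    h.update(t)
    return h.digest()


def to_scalar(out: bytes) -> int:
    """Reduce 512 little-endian bits into [0, q); the result is statistically
    close to uniform because 512 bits far exceed the ~255-bit order."""
    return int.from_bytes(out, "little") % SCALAR_ORDER


def derive(rseed: bytes, rho: int, tag: int) -> int:
    """One derived value: PRF^expand_rseed(tag || LE256(rho)), reduced to a scalar.

    Mixing rho in means the same rseed yields a different value for every
    note, so a sender cannot repeat psi across two notes by reusing rseed."""
    if len(rseed) != 32:
        raise ValueError("rseed must be 32 bytes")
    return to_scalar(prf_expand(rseed, bytes([tag]) + rho.to_bytes(32, "little")))


def note_secrets(rseed: bytes, rho: int) -> dict:
    """All values the recipient recovers from the single 32-byte rseed in the
    note plaintext: esk, rcm and psi. This is what keeps the plaintext short."""
    return {
        "esk": derive(rseed, rho, TAG_ESK),
        "rcm": derive(rseed, rho, TAG_RCM),
        "psi": derive(rseed, rho, TAG_PSI),
    }


def make_note(rseed: bytes, rho: int) -> dict:
    """Honest sender: psi is derived from rseed and rho, not chosen freely."""
    return {"rho": rho, "psi": note_secrets(rseed, rho)["psi"]}


def recipient_accepts(note: dict, rseed: bytes) -> bool:
    """Recipient-side check performed during note decryption.

    The circuit only sees psi and does not verify where it came from, so this
    recomputation is what binds an adversarial sender to the derivation: a
    note whose psi has no matching rseed behind it is rejected."""
    return derive(rseed, note["rho"], TAG_PSI) == note["psi"]


if __name__ == "__main__":
    honest = make_note(RSEED, RHO_A)
    print("honest note accepted:", recipient_accepts(honest, RSEED))
    forged = {"rho": RHO_A, "psi": 12345}  # arbitrary psi, no rseed behind it
    print("forged note accepted:", recipient_accepts(forged, RSEED))
    print("psi differs across rho with the same rseed:",
          make_note(RSEED, RHO_A)["psi"] != make_note(RSEED, RHO_B)["psi"])
```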
<h3><a class="header" href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight044444emvertical-align0emspanspan-classmordspan-classmord-mathsfcmspanspanspanspanspan" id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight044444emvertical-align0emspanspan-classmordspan-classmord-mathsfcmspanspanspanspanspan">Use of $\mathsf{cm}$</a></h3>
<p>The nullifier commits to the note value via $\mathsf{cm}$ for two reasons:</p>
<ul>
<li>Designs that bind the nullifier to $F_{\mathsf{nk}}(\rho)$ require $\mathit{Coll}_F$ to achieve
<strong>Faerie Resistance</strong> (and similarly where $\mathit{Hash}$ is applied to a value derived from
$H$). Adding $\mathsf{cm}$ to the nullifier avoids this assumption: all of the bases
used to derive $\mathsf{cm}$ are fixed and independent of $\mathcal{G}$, and so the
nullifier can be viewed as a Pedersen hash where the input includes $\rho$ directly.</li>
</ul>
<p>The \(\mathit{Commit}^{\mathsf{nf}}\) variants were considered to avoid directly depending on
\(\mathsf{cm}\) (which in its native type is a base field element, not a group element). We
\(\mathsf{cm}\) as a group element, that is only used in nullifier computation. The circuit
already needs to compute \(\mathsf{cm}\), so this improves performance by removing</p>
<p>We also considered variants that used a choice of fixed bases \(\mathcal{G}_v\) to provide
full viewing key (\(\psi\) could be brute-forced to cancel out \(F_{\mathsf{nk}}(\rho)\),
causing a collision), and the other variants require assuming \(Coll^F\) as mentioned above.</p>
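<p>As an added note (an editor's restatement, not text from the book), the "Pedersen hash" view in the list above can be written out. Assume the nullifier has the form \(\mathsf{nf} = \mathsf{Extract}_{\mathbb{P}}\big([F_{\mathsf{nk}}(\rho) + \psi]\,\mathcal{G} + \mathsf{cm}\big)\) and that \(\mathsf{cm}\) is a linear combination \(\sum_i [s_i]\,\mathcal{B}_i\) of fixed bases \(\mathcal{B}_i\) independent of \(\mathcal{G}\), with scalars \(s_i\) determined by the note contents and the commitment randomness (\(\mathcal{B}_i\) and \(s_i\) are generic placeholders here, not the book's notation). The group element inside \(\mathsf{Extract}_{\mathbb{P}}\) is then</p>
\[
[F_{\mathsf{nk}}(\rho) + \psi]\,\mathcal{G} + \sum_i [s_i]\,\mathcal{B}_i ,
\]
<p>a multi-scalar combination over independent bases. Two distinct inputs \((\rho, \psi, \mathsf{cm}) \neq (\rho', \psi', \mathsf{cm}')\) that yield the same element give</p>
\[
[F_{\mathsf{nk}}(\rho) - F_{\mathsf{nk}}(\rho') + \psi - \psi']\,\mathcal{G} + \sum_i [s_i - s'_i]\,\mathcal{B}_i = \mathcal{O},
\]
<p>which is a non-trivial discrete-logarithm relation among \(\mathcal{G}\) and the \(\mathcal{B}_i\) unless every scalar is zero, i.e. unless the two notes already agree on all commitment inputs and on the value \(F_{\mathsf{nk}}(\rho) + \psi\). A collision therefore requires either breaking the discrete-logarithm relation among the fixed bases or the brute-forced-\(\psi\) case that the \(\mathsf{cm}\) term rules out, rather than a collision in \(F\), which is why \(Coll^F\) is no longer needed.</p>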