<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<ahref="../print.html"title="Print this book"aria-label="Print this book">
<iid="print-button"class="fa fa-print"></i>
</a>
</div>
</div>
<divid="search-wrapper"class="hidden">
<formid="searchbar-outer"class="searchbar-outer">
<inputtype="search"name="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathit">HomomorphicCommit</span></span></span></span></span> is a linearly homomorphic commitment scheme with perfect hiding,
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Commit</span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> are commitment schemes with perfect hiding, and
<p>We instantiate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathit">HomomorphicCommit</span></span></span></span></span> with a Pedersen commitment, and use it for
<p>We instantiate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">Commit</span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> with Sinsemilla, and use them
<p>Note that for <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span>, we also deviate from Sapling in two ways:</p>
<ul>
<li>We use <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">ShortCommit</span></span></span></span></span> to derive <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> instead of a full PRF. This removes an
unnecessary (large) PRF primitive from the circuit, at the cost of requiring <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">rivk</span></span></span></span></span> to be
part of the full viewing key.</li>
<li>We define <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span></span></span></span> as an integer in <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord">1</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.03588em;">q</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.03588em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">P</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mclose">)</span></span></span></span>; that is, we exclude <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span>. For
Sapling, we relied on BLAKE2s to make <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">ivk</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span> infeasible to produce, but it was still
technically possible. For Orchard, we get this by construction:
<ul>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span> is not a valid x-coordinate for any Pallas point.</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">SinsemillaShortCommit</span></span></span></span></span> internally maps points to field elements by replacing the identity (which
has no affine coordinates) with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.64444em;vertical-align:0em;"></span><spanclass="mord">0</span></span></span></span>. But <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">SinsemillaCommit</span></span></span></span></span> is defined using incomplete addition, and