<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<ahref="print.html"title="Print this book"aria-label="Print this book">
<iid="print-button"class="fa fa-print"></i>
</a>
</div>
</div>
<divid="search-wrapper"class="hidden">
<formid="searchbar-outer"class="searchbar-outer">
<inputtype="search"name="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<p>We instantiate <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathit">H</span><spanclass="mord mathit">o</span><spanclass="mord mathit">m</span><spanclass="mord mathit">o</span><spanclass="mord mathit">m</span><spanclass="mord mathit">o</span><spanclass="mord mathit">r</span><spanclass="mord mathit">p</span><spanclass="mord mathit">h</span><spanclass="mord mathit">i</span><spanclass="mord mathit">c</span><spanclass="mord mathit">C</span><spanclass="mord mathit">o</span><spanclass="mord mathit">m</span><spanclass="mord mathit">m</span><spanclass="mord mathit">i</span><spanclass="mord mathit">t</span></span></span></span></span> with a Pedersen commitment, and use it for
Sinsemilla instead of Bowe--Hopwood Pedersen hashes.</p>
<p>Note that we also deviate from Sapling by using <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">S</span><spanclass="mord mathit">h</span><spanclass="mord mathit">o</span><spanclass="mord mathit">r</span><spanclass="mord mathit">t</span><spanclass="mord mathit">C</span><spanclass="mord mathit">o</span><spanclass="mord mathit">m</span><spanclass="mord mathit">m</span><spanclass="mord mathit">i</span><spanclass="mord mathit">t</span></span></span></span></span> to deriving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span></span></span></span>
instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit,
at the cost of requiring <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span></span></span></span> to be part of the full viewing key.</p>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> is a keyed circuit-efficient PRF (such as Rescue or Poseidon).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> is unique to this output. As with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.980548em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">h</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3361079999999999em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">S</span><spanclass="mord mathsf mtight">i</span><spanclass="mord mathsf mtight"style="margin-right:0.01389em;">g</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span></span> in Sprout, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> includes
the nullifiers of any Orchard notes being spent in the same action. Given that an action
consists of a single spend and a single output, we set <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> to be the nullifier of the
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> is sender-controlled randomness. It is not required to be unique, and in practice
is derived from both <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> and a sender-selected random value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span>:
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span></span> is a fixed independent base.</li>
<p>The note plaintext includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span> in place of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span>, and
omits <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> (which is a public part of the action).</p>
<li>We're giving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span></span></span></span> to the attacker and allowing it to be the sender in order
to make this property as strong as possible: they will have <em>all</em> the notes sent to that
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is a cryptographic hash into the group (such as BLAKE2s with simplified SWU), used
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span></span></span></span> is an elliptic curve (such as Pallas).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.07153em;">K</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> is the note encryption key derivation function.</li>
</ul>
<p>For our chosen design, our desired security properties rely on the following assumptions:</p>
<p>We omit <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.02778em;">O</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.02778em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">G</span><spanclass="mord mathnormal mtight"style="margin-right:0.08125em;">H</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> as a security assumption because we only rely on the random oracle
applied to fixed inputs defined by the protocol, i.e. to generate the fixed base
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span></span>, not to attacker-specified inputs.</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord">†</span></span></span></span> We additionally assume that for any input <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>,
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">{</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">n</span><spanclass="mord mathsf mtight">k</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">x</span><spanclass="mclose">)</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">:</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.73354em;vertical-align:-0.0391em;"></span><spanclass="mord"><spanclass="mord mathsf">n</span><spanclass="mord mathsf">k</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span><spanclass="mclose">}</span></span></span></span> gives a scalar in an adequate range for
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.08125em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>. (Otherwise, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> could be trivial, e.g. independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">n</span><spanclass="mord mathsf">k</span></span></span></span></span>.)</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"style="color:red;"><spanclass="mord text"style="color:red;"><spanclass="mord"style="color:red;">⚠</span><spanclass="mord textsf"style="color:red;">Caution</span></span></span></span></span></span>: be skeptical of the claims in this table about what
problem(s) each security property depends on. They may not be accurate and are definitely
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">H</span><spanclass="mord mathit">a</span><spanclass="mord mathit">s</span><spanclass="mord mathit">h</span></span></span></span></span> is a keyed circuit-efficient hash (such as Rescue).</p>
</li>
<li>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span> is an fixed independent base, independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span></span> and any others
returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>.</p>
</li>
<li>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.151392em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0593em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03588em;">v</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span></span> is a pair of fixed independent bases (independent of all others), where
the specific choice of base depends on whether the note has zero value.</p>
</li>
<li>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is a base unique to this output.</p>
<ul>
<li>For non-zero-valued notes, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span>. As with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.980548em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">h</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3361079999999999em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">S</span><spanclass="mord mathsf mtight">i</span><spanclass="mord mathsf mtight"style="margin-right:0.01389em;">g</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span></span> in Sprout,
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> includes the nullifiers of any Orchard notes being spent in the same action.</li>
<li>For zero-valued notes, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is constrained by the circuit to a fixed base independent
of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span> and any others returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>.</li>
<p>In order to satisfy the <strong>Balance</strong> security property, we require that the circuit must be
able to enforce that only one nullifier is accepted for a given note. As in Sprout and
Sapling, we achieve this by ensuring that the nullifier deterministically depends only on
values committed to (directly or indirectly) by the note commitment. As in Sapling,
this involves arguing that:</p>
<ul>
<li>There can be only one <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span></span></span></span> for a given <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">a</span><spanclass="mord mathit">d</span><spanclass="mord mathit">d</span><spanclass="mord mathit">r</span></span></span></span></span>. This is true because
the circuit checks that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord mathsf">p</span><spanclass="mord"><spanclass="mord mathsf">k</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">g</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01389em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span></span>, and the mapping
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.70544em;vertical-align:-0.011em;"></span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">↦</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">g</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01389em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span></span> is an injection for any <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.63888em;vertical-align:-0.19444em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">g</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01389em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathsf mtight">d</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span></span>.
(<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span></span></span></span> is in the base field of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span></span></span></span>, which must be smaller than its scalar field,
as is the case for Pallas.)</li>
<li>There can be only one <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">n</span><spanclass="mord mathsf">k</span></span></span></span></span> for a given <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">i</span><spanclass="mord mathsf"style="margin-right:0.01389em;">v</span><spanclass="mord mathsf">k</span></span></span></span></span>. This is true because the
<h3><aclass="header"href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight0625emvertical-align-019444emspanspan-classmord-mathnormalρspanspanspanspan"id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight0625emvertical-align-019444emspanspan-classmord-mathnormalρspanspanspanspan">Use of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span></a></h3>
<p><strong>Faerie Resistance</strong> requires that nullifiers be unique. This is primarily achieved by
taking a unique value (checked for uniqueness by the public consensus rules) as an input
to the nullifier. However, it is also necessary to ensure that the transformations applied
to this value preserve its uniqueness. Meanwhile, to achieve <strong>Spend Unlinkability</strong>, we
require that the nullifier does not reveal any information about the unique value it is
derived from.</p>
<p>The design alternatives fall into two categories in terms of how they balance these
requirements:</p>
<ul>
<li>
<p>Publish a unique value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> at note creation time, and blind that value within the
<li>This is similar to the approach taken in Sprout and Sapling, which both implemented
nullifiers as PRF outputs; Sprout uses the compression function from SHA-256, while
Sapling uses BLAKE2s.</li>
</ul>
</li>
<li>
<p>Derive a unique base <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> from some unique value, publish that unique base at note
creation time, and then blind the base (either additively or multiplicatively) during
nullifier computation.</p>
</li>
</ul>
<p>For <strong>Spend Unlinkability</strong>, the only value unknown to the adversary is <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">n</span><spanclass="mord mathsf">k</span></span></span></span></span>, and
the cryptographic assumptions only involve the first term (other terms like <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span>
or <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">n</span><spanclass="mord mathsf"style="margin-right:0.06944em;">f</span></span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span> cannot be extracted directly from the observed nullifiers,
but can be subtracted from them). We therefore ensure that the first term does not commit
directly to the note (to avoid a DL-breaking adversary from immediately breaking <strong>SU</strong>).</p>
<p>We were considering using a design involving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> with the goal of eliminating all usages
of a PRF inside the circuit, for two reasons:</p>
<ul>
<li>Instantiating <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> with a traditional hash function is expensive in the circuit.</li>
<li>We didn't want to solely rely on an algebraic hash function satisfying <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to
<p>However, those designs rely on both <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.02778em;">O</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.02778em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathnormal mtight">G</span><spanclass="mord mathnormal mtight"style="margin-right:0.08125em;">H</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> and <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal">L</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> for <strong>Faerie Resistance</strong>, while
still requiring <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.08125em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> for <strong>Spend Unlinkability</strong>. (There are two designs for which this
is not the case, but they rely on <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1.2605469999999999em;vertical-align:-0.293531em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9670159999999999em;"><spanstyle="top:-2.4064690000000004em;margin-left:-0.08125em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span><spanstyle="top:-3.1809080000000005em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mbin mtight">†</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.293531em;"><span></span></span></span></span></span></span></span></span></span> for <strong>Note Privacy (OOB)</strong> which was not
acceptable).</p>
<p>By contrast, several designs involving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> (including the chosen design) have weaker
assumptions for <strong>Faerie Resistance</strong> (only relying on <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal">L</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>), and <strong>Spend Unlinkability</strong>
does not require <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">P</span><spanclass="mord mathnormal"style="margin-right:0.00773em;">R</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to hold: they can fall back on the same <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.08125em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> assumption as the
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> designs (along with an additional assumption about the output of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> which is easily
satisfied).</p>
<h3><aclass="header"href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight08888799999999999emvertical-align-019444emspanspan-classmord-mathnormal-stylemargin-right003588emψspanspanspanspan"id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight08888799999999999emvertical-align-019444emspanspan-classmord-mathnormal-stylemargin-right003588emψspanspanspanspan">Use of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span></a></h3>
<p>Most of the designs include either a multiplicative blinding term <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">θ</span><spanclass="mclose">]</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>, or an
additive blinding term <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">n</span><spanclass="mord mathsf"style="margin-right:0.06944em;">f</span></span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span>, in order to achieve perfect
<strong>Note Privacy (OOB)</strong> (to an adversary who does not know the note). The chosen design is
effectively using <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span><spanclass="mclose">]</span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span></span> for this purpose; a DL-breaking adversary only
perfect to statistical, but given that <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> is from a distribution statistically close
to uniform on <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">[</span><spanclass="mord">0</span><spanclass="mpunct">,</span><spanclass="mspace"style="margin-right:0.16666666666666666em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">q</span><spanclass="mclose">)</span></span></span></span>, this is statistically close to better than <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8141079999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord">2</span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.8141079999999999em;"><spanstyle="top:-3.063em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight">−</span><spanclass="mord mtight">1</span><spanclass="mord mtight">2</span><spanclass="mord mtight">8</span></span></span></span></span></span></span></span></span></span></span></span>. The benefit
is that it does not require an additional scalar multiplication, making it more efficient
inside the circuit.</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span>'s derivation has two motivations:</p>
<ul>
<li>Deriving from a random value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span> enables multiple derived values to be
conveyed to the recipient within an action (such as the ephemeral secret <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">e</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">k</span></span></span></span></span>,
per <ahref="https://zips.z.cash/zip-0212">ZIP 212</a>), while keeping the note plaintext short.</li>
<li>Mixing <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> into the derivation ensures that the sender can't repeat <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> across two
notes, which could have enabled spend linkability attacks in some designs.</li>
</ul>
<p>The note that is committed to, and which the circuit takes as input, only includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span>
(i.e. the circuit does not check the derivation from <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span>). However, an
adversarial sender is still constrained by this derivation, because the recipient
recomputes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> during note decryption. If an action were created using an arbitrary
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> (for which the adversary did not have a corresponding <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span>), the
recipient would derive a note commitment that did not match the action's commitment field,
and reject it (as in Sapling).</p>
<h3><aclass="header"href="#use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight044444emvertical-align0emspanspan-classmordspan-classmord-mathsfcspanspan-classmord-mathsfmspanspanspanspanspan"id="use-of-span-classkatexspan-classkatex-html-aria-hiddentruespan-classbasespan-classstrut-styleheight044444emvertical-align0emspanspan-classmordspan-classmord-mathsfcspanspan-classmord-mathsfmspanspanspanspanspan">Use of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span></a></h3>
<p>The nullifier commits to the note value via <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> for two reasons:</p>
<ul>
<li>It domain-separates nullifiers for zero-valued notes from other notes. This is necessary
because we do not require zero-valued notes to exist in the commitment tree.</li>
<li>Designs that bind the nullifier to <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">n</span><spanclass="mord mathsf mtight">k</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span> require <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="mord mathnormal">o</span><spanclass="mord mathnormal"style="margin-right:0.01968em;">l</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.01968em;">l</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01968em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> to achieve
<strong>Faerie Resistance</strong> (and similarly where <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathit">H</span><spanclass="mord mathit">a</span><spanclass="mord mathit">s</span><spanclass="mord mathit">h</span></span></span></span></span> is applied to a value derived from
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>). Adding <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> to the nullifier avoids this assumption: all of the bases
used to derive <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> are fixed and independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span></span>, and so the
nullifier can be viewed as a Pedersen hash where the input includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> directly.</li>
</ul>
<p>The <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.9223379999999999em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathit">C</span><spanclass="mord mathit">o</span><spanclass="mord mathit">m</span><spanclass="mord mathit">m</span><spanclass="mord mathit">i</span><spanclass="mord mathit">t</span></span><spanclass="msupsub"><spanclass="vlist-t"><spanclass="vlist-r"><spanclass="vlist"style="height:0.9223379999999999em;"><spanstyle="top:-3.1362300000000003em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">n</span><spanclass="mord mathsf mtight"style="margin-right:0.06944em;">f</span></span></span></span></span></span></span></span></span></span></span></span></span> variants were considered to avoid directly depending on
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> (which in its native type is a base field element, not a group element). We
decided instead to follow Sapling by defining an intermediate representation of
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> as a group element, that is only used in nullifier computation. The circuit
already needs to compute <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span>, so this improves performance by removing</p>
<p>We also considered variants that used a choice of fixed bases <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.151392em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.0593em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.03588em;">v</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span></span> to provide
domain separation for zero-valued notes. The most performant design (similar to the chosen
design) does not achieve <strong>Faerie Resistance</strong> for an adversary that knows the recipient's
full viewing key (<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> could be brute-forced to cancel out <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.13889em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">n</span><spanclass="mord mathsf mtight">k</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span>,
causing a collision), and the other variants require assuming <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.84444em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.07153em;">C</span><spanclass="mord mathnormal">o</span><spanclass="mord mathnormal"style="margin-right:0.01968em;">l</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.01968em;">l</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.01968em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.13889em;">F</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span> as mentioned above.</p>
