<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<ahref="../print.html"title="Print this book"aria-label="Print this book">
<iid="print-button"class="fa fa-print"></i>
</a>
</div>
</div>
<divid="search-wrapper"class="hidden">
<formid="searchbar-outer"class="searchbar-outer">
<inputtype="search"name="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mord mathnormal">a</span><spanclass="mord mathnormal">s</span><spanclass="mord mathnormal">h</span></span></span></span> is a keyed circuit-efficient hash (such as Rescue).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is a cryptographic hash into the group (such as BLAKE2s with simplified SWU).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span> is a fixed base, independent of any others returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>.</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is a base unique to this output.
<li>For non-zero-valued notes, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">=</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span>. As with <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.980548em;vertical-align:-0.286108em;"></span><spanclass="mord"><spanclass="mord"><spanclass="mord mathsf">h</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.3361079999999999em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">S</span><spanclass="mord mathsf mtight">i</span><spanclass="mord mathsf mtight"style="margin-right:0.01389em;">g</span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.286108em;"><span></span></span></span></span></span></span></span></span></span></span> in Sprout,
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> includes the nullifiers of any Orchard notes being spent in the same action.
Given that an action consists of a single spend and a single output, we set <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> to
be the nullifier of the spent note.</li>
<li>For zero-valued notes, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is constrained by the circuit to a fixed base independent
of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span> and any others returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>.</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span> is sender-controlled randomness. It is not required to be unique, and in practice
is derived from both <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.625em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal">ρ</span></span></span></span> and a sender-selected random value <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span>:
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">n</span><spanclass="mord mathsf"style="margin-right:0.06944em;">f</span></span></span></span></span> is a blinding scalar, similarly generated as
<p>The note plaintext includes <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">s</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">e</span><spanclass="mord mathsf">d</span></span></span></span></span> in place of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">ψ</span></span></span></span>, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">n</span><spanclass="mord mathsf"style="margin-right:0.06944em;">f</span></span></span></span></span>, and
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf"style="margin-right:0.01389em;">r</span><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span>. <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> is omitted entirely from the action:</p>
<ul>
<li>Consensus nodes directly derive <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mopen">(</span><spanclass="mord mathnormal">ρ</span><spanclass="mclose">)</span></span></span></span> and provide it as a public input to the
circuit (which ignores it for zero-valued notes, as with the commitment tree anchor).</li>
<li>The recipient can recompute the correct <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span> given their additional knowledge of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span></span></span></span>.</li>
<p>We care about several security properties for our nullifiers:</p>
<ul>
<li>
<p><strong>Balance:</strong> can I forge money?</p>
</li>
<li>
<p><strong>Note Privacy:</strong> can I gain information about notes only from the public block chain?</p>
<ul>
<li>This describes notes sent in-band.</li>
</ul>
</li>
<li>
<p><strong>Note Privacy (OOB):</strong> can I gain information about notes sent out-of-band, only from
the public block chain?</p>
<ul>
<li>In this case, we assume privacy of the channel over which the note is sent, and that
the adversary does not have access to any notes sent to the same address which are
then spent (so that the nullifier is on the block chain somewhere).</li>
</ul>
</li>
<li>
<p><strong>Spend Unlinkability:</strong> given the incoming viewing key for an address, and not the full
viewing key, can I (possibly the sender) detect spends of any notes sent to that address?</p>
<ul>
<li>We're giving <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal">i</span><spanclass="mord mathnormal"style="margin-right:0.03588em;">v</span><spanclass="mord mathnormal"style="margin-right:0.03148em;">k</span></span></span></span> to the attacker and allowing it to be the sender in order to make
this property as strong as possible: they will have <em>all</em> the notes sent to that
address.</li>
</ul>
</li>
<li>
<p><strong>Faerie Resistance:</strong> can I perform a Faerie Gold attack (i.e. cause notes to be
<p>We assume (and instantiate elsewhere) the following primitives:</p>
<ul>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span></span></span></span> is an elliptic curve (such as Pallas).</li>
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.07153em;">K</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.13889em;">F</span></span></span></span> is the note encryption key derivation function.</li>
</ul>
<p>For our chosen design, our desired security properties rely on the following assumptions:</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.8888799999999999em;vertical-align:-0.19444em;"></span><spanclass="mord">†</span></span></span></span> We additionally assume that for any input <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.43056em;vertical-align:0em;"></span><spanclass="mord mathnormal">x</span></span></span></span>,
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mopen">{</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mord mathnormal">a</span><spanclass="mord mathnormal">s</span><spanclass="mord"><spanclass="mord mathnormal">h</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.33610799999999996em;"><spanstyle="top:-2.5500000000000003em;margin-left:0em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mtight"><spanclass="mord mtight"><spanclass="mord mathsf mtight">n</span><spanclass="mord mathsf mtight">k</span></span></span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span><spanclass="mopen">(</span><spanclass="mord mathnormal">x</span><spanclass="mclose">)</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">:</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:0.73354em;vertical-align:-0.0391em;"></span><spanclass="mord"><spanclass="mord mathsf">n</span><spanclass="mord mathsf">k</span></span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span><spanclass="mrel">∈</span><spanclass="mspace"style="margin-right:0.2777777777777778em;"></span></span><spanclass="base"><spanclass="strut"style="height:1em;vertical-align:-0.25em;"></span><spanclass="mord mathnormal"style="margin-right:0.05764em;">E</span><spanclass="mclose">}</span></span></span></span> gives a scalar in an adequate range for
<spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.83333em;vertical-align:-0.15em;"></span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord mathnormal"style="margin-right:0.02778em;">D</span><spanclass="mord"><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="msupsub"><spanclass="vlist-t vlist-t2"><spanclass="vlist-r"><spanclass="vlist"style="height:0.32833099999999993em;"><spanstyle="top:-2.5500000000000003em;margin-left:-0.08125em;margin-right:0.05em;"><spanclass="pstrut"style="height:2.7em;"></span><spanclass="sizing reset-size6 size3 mtight"><spanclass="mord mathnormal mtight"style="margin-right:0.05764em;">E</span></span></span></span><spanclass="vlist-s"></span></span><spanclass="vlist-r"><spanclass="vlist"style="height:0.15em;"><span></span></span></span></span></span></span></span></span></span>. (Otherwise, <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span><spanclass="mord mathnormal">a</span><spanclass="mord mathnormal">s</span><spanclass="mord mathnormal">h</span></span></span></span> could be trivial, e.g. independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">n</span><spanclass="mord mathsf">k</span></span></span></span></span>.)</p>
<p><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.69444em;vertical-align:0em;"></span><spanclass="mord"style="color:red;"><spanclass="mord text"style="color:red;"><spanclass="mord"style="color:red;">⚠</span><spanclass="mord textsf"style="color:red;">Caution</span></span></span></span></span></span>: be skeptical of the claims in this table about what
problem(s) each security property depends on. They may not be accurate and are definitely
<li><spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.78055em;vertical-align:-0.09722em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.0593em;">G</span></span></span></span></span> is an fixed independent base, independent of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathcal"style="margin-right:0.07382em;">I</span></span></span></span></span> and any others
returned by <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.68333em;vertical-align:0em;"></span><spanclass="mord mathnormal">G</span><spanclass="mord mathnormal"style="margin-right:0.08125em;">H</span></span></span></span>.</li>
value, without directly depending on <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> (which in its native type is a base
field element, not a group element). We decided instead to follow Sapling by defining an
intermediate representation of <spanclass="katex"><spanclass="katex-html"aria-hidden="true"><spanclass="base"><spanclass="strut"style="height:0.44444em;vertical-align:0em;"></span><spanclass="mord"><spanclass="mord mathsf">c</span><spanclass="mord mathsf">m</span></span></span></span></span> as a group element, that is only used in
