orchard

IMPORTANT: This library is being actively developed and should not be used in production software.

Requires Rust 1.56.1+.

Documentation

License

Copyright 2020-2021 The Electric Coin Company.

You may use this package under the Bootstrap Open Source Licence, version 1.0, or at your option, any later version. See the file COPYING for more details, and LICENSE-BOSL for the terms of the Bootstrap Open Source Licence, version 1.0.

The purpose of the BOSL is to allow commercial improvements to the package while ensuring that all improvements are open source. See here for why the BOSL exists.

Concepts

Preliminaries

User Documentation

Creating keys and addresses

Creating notes

Spending notes

Integration into an existing chain

Design

General design notes

Requirements

  • Keep the design close to Sapling, while eliminating aspects we don't like.

Non-requirements

  • Delegated proving with privacy from the prover.
    • We know how to do this, but it would require a discrete-log equality proof; the most efficient way to do this would be to combine it with the RedDSA signature, which means more work for e.g. hardware wallets.

Open issues

  • Should we have one memo per output, or one memo per transaction, or 0..n memos?
    • Variable, or (1 or n), is a potential privacy leak.
    • Need to consider the privacy issue related to light clients requesting individual memos vs being able to fetch all memos.

Note structure

  • TODO: UDAs: arbitrary vs whitelisted

Typed variables vs byte encodings

For Sapling, we have encountered multiple places where the specification uses typed variables to define the consensus rules, but the C++ implementation in zcashd relied on byte encodings to implement them. This resulted in subtly-different consensus rules being deployed than were intended, for example where a particular type was not round-trip encodable.

In Orchard, we avoid this by defining the consensus rules in terms of the byte encodings of all variables, and being explicit about any types that are not round-trip encodable. This makes consensus compatibility between strongly-typed implementations (such as this crate) and byte-oriented implementations easier to achieve.
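As a toy illustration of the byte-oriented approach (the `Fp` type and modulus below are hypothetical stand-ins, not this crate's API), a consensus rule over byte encodings can be phrased as a parse/serialize round trip:

// Sketch: a consensus rule phrased over byte encodings. A type that is not
// round-trip encodable admits multiple byte strings for one abstract value;
// checking the round trip makes the byte-level rule explicit.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Fp(u64); // toy "field element"; the modulus is a stand-in, not Pallas

const MODULUS: u64 = 0xffff_ffff_0000_0001;

impl Fp {
    // Parsing reduces modulo MODULUS, so distinct byte strings can parse
    // to the same element; only one of them is the canonical encoding.
    fn from_bytes(b: [u8; 8]) -> Fp {
        Fp(u64::from_le_bytes(b) % MODULUS)
    }
    fn to_bytes(self) -> [u8; 8] {
        self.0.to_le_bytes()
    }
}

// Byte-oriented consensus rule: accept only canonical encodings.
fn is_canonical(b: [u8; 8]) -> bool {
    Fp::from_bytes(b).to_bytes() == b
}

fn main() {
    let canonical = 5u64.to_le_bytes();
    let non_canonical = (MODULUS + 5).to_le_bytes(); // same element, other bytes
    assert!(is_canonical(canonical));
    assert!(!is_canonical(non_canonical));
}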

Keys and addresses

Orchard keys and payment addresses are structurally similar to Sapling. The main change is that Orchard keys use the Pallas curve instead of Jubjub, in order to enable the future use of the Pallas-Vesta curve cycle in the Orchard protocol. (We already use Vesta as the curve on which Halo 2 proofs are computed, but this doesn't yet require a cycle.)

Using the Pallas curve and making the most efficient use of the Halo 2 proof system involves corresponding changes to the key derivation process, such as using Sinsemilla for Pallas-efficient commitments. We also take the opportunity to remove all uses of expensive general-purpose hashes (such as BLAKE2s) from the circuit.

We make several structural changes, building on the lessons learned from Sapling:

  • The nullifier private key $\mathsf{nsk}$ is removed. Its purpose in Sapling was as defense-in-depth, in case RedDSA was found to have weaknesses; an adversary who could recover $\mathsf{ask}$ would not be able to spend funds. In practice it has not been feasible to manage $\mathsf{nsk}$ much more securely than a full viewing key, as the computational power required to generate Sapling proofs has made it necessary to perform this step on the same device that is creating the overall transaction (rather than on a more constrained device like a hardware wallet). We are also more confident in RedDSA now.

  • $\mathsf{nk}$ is now a field element instead of a curve point, making it more efficient to generate nullifiers.

  • $\mathsf{ovk}$ is now derived from $\mathsf{fvk}$, instead of being derived in parallel. This places it in a similar position within the key structure to $\mathsf{ivk}$, and also removes an issue where two full viewing keys could be constructed that have the same $\mathsf{ivk}$ but different $\mathsf{ovk}$s. Users still have control over whether $\mathsf{ovk}$ is used when constructing a transaction.

  • All diversifiers now result in valid payment addresses, due to group hashing into Pallas being specified to be infallible. This removes significant complexity from the use cases for diversified addresses.

  • The fact that Pallas is a prime-order curve simplifies the protocol and removes the need for cofactor multiplication in key agreement. Unlike Sapling, we define public (including ephemeral) and private keys used for note encryption to exclude the zero point and the zero scalar. Without this change, the implementation of the Orchard Action circuit would need special cases for the zero point, since Pallas is a short Weierstrass rather than an Edwards curve. This also has the advantage of ensuring that the key agreement has "contributory behaviour" — that is, if either party contributes a random scalar, then the shared secret will be random to an observer who does not know that scalar and cannot break Diffie–Hellman.

Other than the above, Orchard retains the same design rationale for its keys and addresses as Sapling. For example, diversifiers remain at 11 bytes, so that a raw Orchard address is the same length as a raw Sapling address.

Orchard payment addresses do not have a stand-alone string encoding. Instead, we define "unified addresses" that can bundle together addresses of different types, including Orchard. Unified addresses have a Human-Readable Part of "u" on Mainnet, i.e. they will have the prefix "u1". For specifications of this and other formats (e.g. for Orchard viewing and spending keys), see section 5.6.4 of the NU5 protocol specification [#NU5-orchardencodings].

Hierarchical deterministic wallets

When designing Sapling, we defined a BIP 32-like mechanism for generating hierarchical deterministic wallets in ZIP 32. We decided at the time to stick closely to the design of BIP 32, on the assumption that there were Bitcoin use cases that used both hardened and non-hardened derivation that we might not be aware of. This decision created significant complexity for Sapling: we needed to handle derivation separately for each component of the expanded spending key and full viewing key (whereas for transparent addresses there is only a single component in the spending key).

Non-hardened derivation enables creating a multi-level path of child addresses below some parent address, without involving the parent spending key. The primary use case for this is HD wallets for transparent addresses, which use the following structure defined in BIP 44:

  • (H) BIP 44
    • (H) Coin type: Zcash
      • (H) Account 0
        • (N) Normal addresses
          • (N) Address 0
          • (N) Address 1...
        • (N) Change addresses
          • (N) Change address 0
          • (N) Change address 1...
      • (H) Account 1...

Shielded accounts do not require separating change addresses from normal addresses, because addresses are not revealed in transactions. Similarly, there is no need to generate a fresh spending key for every transaction; in fact, doing so would cause a linear slow-down in wallet scanning. But users who do want to generate multiple addresses per account can use the following structure, which does not use non-hardened derivation:

  • (H) ZIP 32
    • (H) Coin type: Zcash
      • (H) Account 0
        • Diversified address 0
        • Diversified address 1...
      • (H) Account 1...

Non-hardened derivation is therefore only required for use-cases that require the ability to derive more than one child layer of addresses. However, in the years since Sapling was deployed, we have not seen any such use cases appear.

Therefore, for Orchard we only define hardened derivation, and do so with a much simpler design than ZIP 32. All derivations produce an opaque binary spending key, from which the keys and addresses are then derived. As a side benefit, this makes key formats shorter. (The formats that will actually be used in practice for Orchard will correspond to the simpler Sapling formats in the protocol specification, rather than the longer and more complicated "extended" ones defined by ZIP 32.)
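As an illustration of this simpler structure (a hypothetical sketch, not this crate's API; the purpose constant comes from ZIP 32 and the coin type from SLIP 44):

// Sketch: an Orchard derivation path is always m/32'/coin_type'/account',
// so it can be modeled as a fixed-shape value rather than a general path.

const PURPOSE: u32 = 32; // ZIP 32
const COIN_TYPE_ZCASH: u32 = 133; // SLIP 44

#[derive(Clone, Copy, Debug)]
struct OrchardPath {
    coin_type: u32,
    account: u32,
}

impl OrchardPath {
    // All three levels are hardened (index + 2^31); there is no
    // non-hardened derivation at any level.
    fn hardened_indices(self) -> [u32; 3] {
        const H: u32 = 1 << 31;
        [PURPOSE + H, self.coin_type + H, self.account + H]
    }
}

fn main() {
    let path = OrchardPath { coin_type: COIN_TYPE_ZCASH, account: 0 };
    println!("m/32'/133'/0' -> {:?}", path.hardened_indices());
}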

Actions

In Sprout, we had a single proof that represented two spent notes and two new notes. This was necessary in order to facilitate spending multiple notes in a single transaction (to balance value, an output of one JoinSplit could be spent in the next one), but also provided a minimal level of arity-hiding: single-JoinSplit transactions all looked like 2-in 2-out transactions, and in multi-JoinSplit transactions each JoinSplit looked like a 1-in 1-out.

In Sapling, we switched to using value commitments to balance the transaction, removing the min-2 arity requirement. We opted for one proof per spent note and one (much simpler) proof per output note, which greatly improved the performance of generating outputs, but removed any arity-hiding from the proofs (instead having the transaction builder pad transactions to 1-in, 2-out).

For Orchard, we take a combined approach: we define an Orchard transaction as containing a bundle of actions, where each action is both a spend and an output. This provides the same inherent arity-hiding as multi-JoinSplit Sprout, but using Sapling value commitments to balance the transaction without doubling its size.
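A minimal sketch of this shape (struct and field names here are illustrative, not the crate's actual definitions):

// Sketch: each action carries both a spend half and an output half, so a
// bundle of n actions reveals nothing about the true spend/output split.

struct Action {
    nullifier: [u8; 32],        // spend half: nullifier of the spent note
    note_commitment: [u8; 32],  // output half: commitment to the new note
    value_commitment: [u8; 32], // homomorphic commitment to (in - out) value
}

struct Bundle {
    actions: Vec<Action>,
    // As in Sapling, the per-action value commitments must balance against
    // the net value flowing into or out of the shielded pool.
    value_balance: i64,
}

fn main() {
    let bundle = Bundle { actions: Vec::new(), value_balance: 0 };
    println!("{} actions", bundle.actions.len());
}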

TODO: Depending on the circuit cost, we may switch to having an action internally represent either a spend or an output. Externally spends and outputs would still be indistinguishable, but the transaction would be larger.

Memo fields

TODO: One memo per tx vs one memo per output

Commitments

As in Sapling, we require two kinds of commitment schemes in Orchard:

  • $\mathsf{HomomorphicCommit}$ is a linearly homomorphic commitment scheme with perfect hiding, and strong binding reducible to DL.
  • $\mathsf{Commit}$ and $\mathsf{ShortCommit}$ are commitment schemes with perfect hiding, and strong binding reducible to DL.

By "strong binding" we mean that the scheme is collision resistant on the input and randomness.

We instantiate $\mathsf{HomomorphicCommit}$ with a Pedersen commitment, and use it for value commitments.

We instantiate $\mathsf{Commit}$ and $\mathsf{ShortCommit}$ with Sinsemilla, and use them for all other commitments.

This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient Sinsemilla instead of Bowe--Hopwood Pedersen hashes.

Note that for $\mathsf{Commit}^{\mathsf{ivk}}$, we also deviate from Sapling in two ways:

  • We use $\mathsf{Commit}^{\mathsf{ivk}}$ to derive $\mathsf{ivk}$ instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit, at the cost of requiring $\mathsf{rivk}$ to be part of the full viewing key.
  • We define $\mathsf{ivk}$ as an integer in $[1, q_{\mathbb{P}})$; that is, we exclude $\mathsf{ivk} = 0$. For Sapling, we relied on BLAKE2s to make $\mathsf{ivk} = 0$ infeasible to produce, but it was still technically possible. For Orchard, we get this by construction:
    • $0$ is not a valid x-coordinate for any Pallas point.
    • $\mathsf{Extract}_{\mathbb{P}}$ internally maps points to field elements by replacing the identity (which has no affine coordinates) with $0$. But $\mathsf{Commit}^{\mathsf{ivk}}$ is defined using incomplete addition, and thus will never produce the identity.

Commitment tree

The commitment tree structure for Orchard is identical to Sapling:

  • A single global commitment tree of fixed depth 32.
  • Note commitments are appended to the tree in-order from the block.
  • Valid Orchard anchors correspond to the global tree state at block boundaries (after all commitments from a block have been appended, and before any commitments from the next block have been appended).

The only difference is that we instantiate $\mathsf{MerkleCRH}^{\mathsf{Orchard}}$ with Sinsemilla (whereas $\mathsf{MerkleCRH}^{\mathsf{Sapling}}$ used a Bowe--Hopwood Pedersen hash).

Uncommitted leaves

The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in Orchard) require specifying an "empty" or "uncommitted" leaf - a value that will never be appended to the tree as a regular leaf.

  • For Sprout (and trees composed of the outputs of bit-twiddling hash functions), we use the all-zeroes array; the probability of a real note having a colliding note commitment is cryptographically negligible.
  • For Sapling, where leaves are $u$-coordinates of Jubjub points, we use the value $1$, which is not the $u$-coordinate of any Jubjub point.

Orchard note commitments are the $x$-coordinates of Pallas points; thus we take the same approach as Sapling, using a value that is not the $x$-coordinate of any Pallas point as the uncommitted leaf value. We use the value $2$ for both Pallas and Vesta, because $2^3 + 5 = 13$ is not a square in either $\mathbb{F}_p$ or $\mathbb{F}_q$:

sage: p = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001
sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
sage: EllipticCurve(GF(p), [0, 5]).count_points() == q
True
sage: EllipticCurve(GF(q), [0, 5]).count_points() == p
True
sage: Mod(13, p).is_square()
False
sage: Mod(13, q).is_square()
False

Note: There are also no Pallas points with $x$-coordinate $0$, but we map the identity to $(0, 0)$ within the circuit. Although $\mathsf{MerkleCRH}^{\mathsf{Orchard}}$ cannot return the identity (the incomplete addition would return $\perp$ instead), it would arguably be confusing to rely on that.

Considered alternatives

We considered splitting the commitment tree into several sub-trees:

  • Bundle tree, that accumulates the commitments within a single bundle (and thus a single transaction).
  • Block tree, that accumulates the bundle tree roots within a single block.
  • Global tree, that accumulates the block tree roots.

Each of these trees would have had a fixed depth (necessary for being able to create proofs). Chains that integrated Orchard could have decoupled the limits on commitments-per-subtree from higher-layer constraints like block size, by enabling their blocks and transactions to be structured internally as a series of Orchard blocks or txs (e.g. a Zcash block would have contained a Vec<BlockTreeRoot>, each of whose entries would be appended in order).

The motivation for considering this change was to improve the lives of light client wallet developers. When a new note is received, the wallet derives its incremental witness from the state of the global tree at the point when the note's commitment is appended; this incremental state then needs to be updated with every subsequent commitment in the block in-order. Wallets can't get help from the server to create these for new notes without leaking the specific note that was received.

We decided that this was too large a change from Sapling, and that it should be possible to improve the Incremental Merkle Tree implementation to work around the efficiency issues without domain-separating the tree.

Nullifiers

The nullifier design we use for Orchard is

$$\mathsf{nf} = \mathsf{Extract}_{\mathbb{P}}\big([(\mathsf{PRF}^{\mathsf{nf}}_{\mathsf{nk}}(\rho) + \psi) \bmod p]\, \mathcal{K} + \mathsf{cm}\big)$$

where:

  • $\mathsf{PRF}^{\mathsf{nf}}$ is a keyed circuit-efficient PRF (such as Rescue or Poseidon).
  • $\rho$ is unique to this output. As with $h_{\mathsf{Sig}}$ in Sprout, $\rho$ includes the nullifiers of any Orchard notes being spent in the same action. Given that an action consists of a single spend and a single output, we set $\rho$ to be the nullifier of the spent note.
  • $\psi$ is sender-controlled randomness. It is not required to be unique, and in practice is derived from both $\rho$ and a sender-selected random value $\mathsf{rseed}$: $\psi = \mathsf{KDF}^{\psi}(\rho, \mathsf{rseed})$.
  • $\mathcal{K}$ is a fixed independent base.
  • $\mathsf{Extract}_{\mathbb{P}}$ extracts the $x$-coordinate of a Pallas curve point.

This gives a note structure of $(\mathsf{addr}, v, \rho, \psi, \mathsf{rcm})$.

The note plaintext includes $\mathsf{rseed}$ in place of $\psi$ and $\mathsf{rcm}$, and omits $\rho$ (which is a public part of the action).

Security properties

We care about several security properties for our nullifiers:

  • Balance: can I forge money?

  • Note Privacy: can I gain information about notes only from the public block chain?

    • This describes notes sent in-band.
  • Note Privacy (OOB): can I gain information about notes sent out-of-band, only from the public block chain?

    • In this case, we assume privacy of the channel over which the note is sent, and that the adversary does not have access to any notes sent to the same address which are then spent (so that the nullifier is on the block chain somewhere).
  • Spend Unlinkability: given the incoming viewing key for an address, and not the full viewing key, can I (possibly the sender) detect spends of any notes sent to that address?

    • We're giving to the attacker and allowing it to be the sender in order to make this property as strong as possible: they will have all the notes sent to that address.
  • Faerie Resistance: can I perform a Faerie Gold attack (i.e. cause notes to be accepted that are unspendable)?

    • We're giving the full viewing key to the attacker and allowing it to be the sender in order to make this property as strong as possible: they will have all the notes sent to that address, and be able to derive every nullifier.

We assume (and instantiate elsewhere) the following primitives:

  • is a cryptographic hash into the group (such as BLAKE2s with simplified SWU), used to derive all fixed independent bases.
  • is an elliptic curve (such as Pallas).
  • is the note encryption key derivation function.

For our chosen design, our desired security properties rely on the following assumptions:

is computational Diffie-Hellman using for the key derivation, with one-time ephemeral keys. This assumption is heuristically weaker than but stronger than .

We omit as a security assumption because we only rely on the random oracle applied to fixed inputs defined by the protocol, i.e. to generate the fixed base , not to attacker-specified inputs.

We additionally assume that for any input , gives a scalar in an adequate range for . (Otherwise, could be trivial, e.g. independent of .)

Statistical distance from perfect.

Considered alternatives

Caution: be skeptical of the claims in this table about what problem(s) each security property depends on. They may not be accurate and are definitely not fully rigorous.

The entries in this table omit the application of , which is an optimization to halve the nullifier length. That optimization requires its own security analysis, but because it is a deterministic mapping, only Faerie Resistance could be affected by it.

In the above alternatives:

  • is a keyed circuit-efficient hash (such as Rescue).

  • is a fixed independent base, independent of and any others returned by .

  • is a pair of fixed independent bases (independent of all others), where the specific choice of base depends on whether the note has zero value.

  • is a base unique to this output.

    • For non-zero-valued notes, . As with in Sprout, includes the nullifiers of any Orchard notes being spent in the same action.
    • For zero-valued notes, is constrained by the circuit to a fixed base independent of and any others returned by .

Rationale

In order to satisfy the Balance security property, we require that the circuit must be able to enforce that only one nullifier is accepted for a given note. As in Sprout and Sapling, we achieve this by ensuring that the nullifier deterministically depends only on values committed to (directly or indirectly) by the note commitment. As in Sapling, this involves arguing that:

  • There can be only one for a given . This is true because the circuit checks that , and the mapping is an injection for any . ( is in the base field of , which must be smaller than its scalar field, as is the case for Pallas.)
  • There can be only one for a given . This is true because the circuit checks that where is binding (see Commitments).

Use of

Faerie Resistance requires that nullifiers be unique. This is primarily achieved by taking a unique value (checked for uniqueness by the public consensus rules) as an input to the nullifier. However, it is also necessary to ensure that the transformations applied to this value preserve its uniqueness. Meanwhile, to achieve Spend Unlinkability, we require that the nullifier does not reveal any information about the unique value it is derived from.

The design alternatives fall into two categories in terms of how they balance these requirements:

  • Publish a unique value at note creation time, and blind that value within the nullifier computation.

    • This is similar to the approach taken in Sprout and Sapling, which both implemented nullifiers as PRF outputs; Sprout uses the compression function from SHA-256, while Sapling uses BLAKE2s.
  • Derive a unique base from some unique value, publish that unique base at note creation time, and then blind the base (either additively or multiplicatively) during nullifier computation.

For Spend Unlinkability, the only value unknown to the adversary is , and the cryptographic assumptions only involve the first term (other terms like or cannot be extracted directly from the observed nullifiers, but can be subtracted from them). We therefore ensure that the first term does not commit directly to the note (to avoid a DL-breaking adversary from immediately breaking SU).

We considered using a design involving , with the goal of eliminating all usages of a PRF inside the circuit, for two reasons:

  • Instantiating with a traditional hash function is expensive in the circuit.
  • We didn't want to solely rely on an algebraic hash function satisfying to achieve Spend Unlinkability.

However, those designs rely on both and for Faerie Resistance, while still requiring for Spend Unlinkability. (There are two designs for which this is not the case, but they rely on for Note Privacy (OOB) which was not acceptable).

By contrast, several designs involving (including the chosen design) have weaker assumptions for Faerie Resistance (only relying on ), and Spend Unlinkability does not require to hold: they can fall back on the same assumption as the designs (along with an additional assumption about the output of which is easily satisfied).

Use of

Most of the designs include either a multiplicative blinding term, or an additive blinding term, in order to achieve perfect Note Privacy (OOB) (to an adversary who does not know the note). The chosen design is effectively using $[\psi] \mathcal{K}$ for this purpose; a DL-breaking adversary only learns $(\mathsf{PRF}^{\mathsf{nf}}_{\mathsf{nk}}(\rho) + \psi) \bmod p$. This reduces Note Privacy (OOB) from perfect to statistical, but given that $\psi$ is drawn from a distribution statistically close to uniform, the loss is negligible. The benefit is that it does not require an additional scalar multiplication, making it more efficient inside the circuit.

's derivation has two motivations:

  • Deriving from a random value enables multiple derived values to be conveyed to the recipient within an action (such as the ephemeral secret , per ZIP 212), while keeping the note plaintext short.
  • Mixing into the derivation ensures that the sender can't repeat across two notes, which could have enabled spend linkability attacks in some designs.

The note that is committed to, and which the circuit takes as input, only includes (i.e. the circuit does not check the derivation from ). However, an adversarial sender is still constrained by this derivation, because the recipient recomputes during note decryption. If an action were created using an arbitrary (for which the adversary did not have a corresponding ), the recipient would derive a note commitment that did not match the action's commitment field, and reject it (as in Sapling).

Use of

The nullifier commits to the note value via for two reasons:

  • It domain-separates nullifiers for zero-valued notes from other notes. This is necessary because we do not require zero-valued notes to exist in the commitment tree.
  • Designs that bind the nullifier to require to achieve Faerie Resistance (and similarly where is applied to a value derived from ). Adding to the nullifier avoids this assumption: all of the bases used to derive are fixed and independent of , and so the nullifier can be viewed as a Pedersen hash where the input includes directly.

The variants were considered to avoid directly depending on $\rho$ (which in its native type is a base field element, not a group element). We decided instead to follow Sapling by defining an intermediate representation of $\rho$ as a group element, that is only used in nullifier computation. The circuit already needs to compute this group element, so this improves performance by removing an additional scalar multiplication.

We also considered variants that used a choice of fixed bases to provide domain separation for zero-valued notes. The most performant design (similar to the chosen design) does not achieve Faerie Resistance for an adversary that knows the recipient's full viewing key ( could be brute-forced to cancel out , causing a collision), and the other variants require assuming as mentioned above.

Signatures

Orchard signatures are an instantiation of RedDSA with a cofactor of 1.

TODO:

  • Should it be possible to sign partial transactions?
    • If we're going to merge down all the signatures into a single one, and also want this, we need to ensure there's a feasible MPC.

Circuit

Gadgets

We will use formulae for curve arithmetic using affine coordinates on short Weierstrass curves, derived from section 4.1 of Hüseyin Hışıl's thesis.

Incomplete addition

  • Inputs: $P = (x_p, y_p)$, $Q = (x_q, y_q)$
  • Output: $R = P + Q = (x_r, y_r)$

The formulae from Hışıl's thesis are:

Rename:

  • $(x_1, y_1)$ to $(x_q, y_q)$,
  • $(x_2, y_2)$ to $(x_p, y_p)$,
  • $(x_3, y_3)$ to $(x_r, y_r)$.

Let $\lambda = \dfrac{y_q - y_p}{x_q - x_p}$, which we implement as

$$\lambda \cdot (x_q - x_p) = y_q - y_p$$

Also,

$$x_r = \lambda^2 - x_q - x_p \qquad\qquad y_r = \lambda \cdot (x_q - x_r) - y_q$$

which is equivalent to

$$y_r + y_q = \lambda \cdot (x_q - x_r)$$

Assuming $x_p \neq x_q$,

Substituting for $\lambda$, we get the constraints:

    • Note that this constraint is unsatisfiable for $P ⸭ (-P)$ (when $x_p = x_q$), and so cannot be used with arbitrary inputs.

Complete addition

Suppose that we represent $\mathcal{O}$ as $(0, 0)$. ($0$ is not an $x$-coordinate of a valid point because we would need $y^2 = 0^3 + 5$, and $5$ is not square in the base field. Also, $0$ is not a $y$-coordinate of a valid point because $-5$ is not a cube in the base field.)

For the doubling case, Hışıl's thesis tells us that $\lambda$ has to instead be computed as $\lambda = \dfrac{3x^2}{2y}$.

Define

Witness where:

Constraints

Max degree: 6

Analysis of constraints

Propositions:

Cases:

Note that we rely on the fact that $0$ is not a valid $x$- or $y$-coordinate of any point on the Pallas curve, other than our representation of $\mathcal{O}$ as $(0, 0)$.

    • Completeness:

    • Soundness: is the only solution to

  • for

    • Completeness:

    • Soundness: is the only solution to

  • for

    • Completeness:

    • Soundness: is the only solution to

  • for

    • Completeness:

    • Soundness: is computed correctly, and is the only solution.

  • for

    • Completeness:

    • Soundness: is the only solution to

  • for and and

    • Completeness:

    • Soundness: is computed correctly, and is the only solution.

Fixed-base scalar multiplication

There are six fixed bases in the Orchard protocol:

  • , used in deriving the nullifier;
  • , used in spend authorization;
  • base for ;
  • and bases for ; and
  • base for .

Decompose scalar

We support fixed-base scalar multiplication with three types of scalars:

Full-width scalar

A $255$-bit scalar from $\mathbb{F}_q$. We decompose a full-width scalar into $85$ three-bit windows:

The scalar multiplication will be computed correctly for the decomposition representing any integer in the range $[0, 2^{255})$.

We range-constrain each $3$-bit word $k_i$ of the scalar decomposition using a polynomial range-check constraint:

$$\prod_{j=0}^{7} (k_i - j) = 0$$
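A sketch of this decomposition over plain bytes ($85$ windows of $3$ bits covering a $255$-bit little-endian scalar, as above; the function name is illustrative):

// Sketch: decompose a 255-bit little-endian scalar into 85 three-bit
// windows k_0..k_84, so that sum(k_i * 8^i) reconstructs the scalar.

fn decompose_3bit(bytes: &[u8; 32]) -> [u8; 85] {
    let mut windows = [0u8; 85];
    for (i, w) in windows.iter_mut().enumerate() {
        let bit = 3 * i;
        let mut k = 0u8;
        for j in 0..3 {
            let b = bit + j; // b <= 3*84 + 2 = 254, within the 255-bit range
            if (bytes[b / 8] >> (b % 8)) & 1 == 1 {
                k |= 1 << j;
            }
        }
        // Each window is range-constrained to [0, 8) in the circuit.
        assert!(k < 8);
        *w = k;
    }
    windows
}

fn main() {
    let mut bytes = [0u8; 32];
    bytes[0] = 0b10_1101; // scalar 45 = 5 + 5*8
    assert_eq!(&decompose_3bit(&bytes)[..2], &[5u8, 5]);
}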

Base field element

We support using a base field element as the scalar in fixed-base multiplication. This occurs, for example, in the scalar multiplication for the nullifier computation of the Action circuit: here, the scalar is the result of a base field addition.

Decompose the base field element into three-bit windows, and range-constrain each window, using the short range decomposition gadget in strict mode, with

If the scalar is witnessed directly then no issue of canonicity arises. However, because the scalar is given as a base field element here, care must be taken to ensure a canonical representation, since the $255$-bit decomposition can encode integers larger than the field modulus. That is, we must check that the decomposition represents an integer less than $p$, where $p$ is the Pallas base field modulus. Note that

To do this, we decompose into three pieces:

We check the correctness of this decomposition by: If the MSB is not set, then However, in the case where , we must check:

  • :
    • ,

To check that we make use of the three-bit running sum decomposition:

  • Firstly, we constrain to be a -bit value by enforcing its high bits to be all-zero. We can get from the decomposition:
  • Then, we constrain bits of to be zeroes; in other words, we constrain the three-bit word We make use of the running sum decomposition to obtain

Define . To check that we use 13 ten-bit lookups, where we constrain the running sum output of the lookup to be if

Short signed scalar

A short signed scalar is witnessed as a magnitude and sign such that

This is used for . We want to compute , where

and are each already constrained to bits (by their use as inputs to ).

Decompose the magnitude into three-bit windows, and range-constrain each window, using the short range decomposition gadget in strict mode, with

We have two additional constraints: where .

Load fixed base

Then, we precompute multiples of the fixed base $B$ for each window. This takes the form of a window table $M$ such that:

  • for the first $W-1$ rows ($0 \leq w \leq W-2$): $M_{w,k} = [(k+2) \cdot 8^w]B$
  • in the last row ($w = W-1$): $M_{W-1,k} = \left[k \cdot 8^{W-1} - \sum_{j=0}^{W-2} 2 \cdot 8^j\right]B$

The additional $+2$ term lets us avoid adding the point at infinity in the case $k = 0$. We offset these accumulated terms by subtracting them in the final window, i.e. we subtract $\sum_{j=0}^{W-2} 2 \cdot 8^j$.

Note: Although an offset of $+1$ would naively suffice, it introduces an edge case in which adjacent windows select related multiples: $[(7+1) \cdot 8^w]B = [(0+1) \cdot 8^{w+1}]B$, so two window table entries can evaluate to the same point.

In fixed-base scalar multiplication, we sum the multiples of $B$ at each window (except the last) using incomplete addition. Since the point doubling case is not handled by incomplete addition, we avoid it by using an offset of $+2$.
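To see how the offsets cancel, here is an integer-level sketch in which a multiple $[m]B$ is modeled by the integer $m$ (scaled down to $4$ windows so the arithmetic fits in machine integers; the $+2$ offset and final-row subtraction are as described above):

// Sketch: verify the windowed table with a +2 offset reconstructs k·B,
// using integers in place of curve points (a point [m]B is modeled by m).
// Scaled-down parameters: 4 windows of 3 bits (the circuit uses 85).

const WINDOWS: usize = 4;

fn table_entry(w: usize, k: u64) -> i64 {
    let base = 8i64.pow(w as u32);
    if w < WINDOWS - 1 {
        (k as i64 + 2) * base // offset avoids the point at infinity for k = 0
    } else {
        // Final row subtracts the accumulated offsets from earlier windows.
        let offset: i64 = (0..WINDOWS - 1).map(|j| 2 * 8i64.pow(j as u32)).sum();
        k as i64 * base - offset
    }
}

fn main() {
    for scalar in 0..(1u64 << (3 * WINDOWS as u32)) {
        let windows: Vec<u64> = (0..WINDOWS).map(|w| (scalar >> (3 * w)) & 7).collect();
        let sum: i64 = windows.iter().enumerate().map(|(w, &k)| table_entry(w, k)).sum();
        assert_eq!(sum, scalar as i64);
        // Every non-final entry is nonzero, so no window contributes O.
        for (w, &k) in windows.iter().enumerate().take(WINDOWS - 1) {
            assert_ne!(table_entry(w, k), 0);
        }
    }
    println!("offset table reconstructs all {} scalars", 1u64 << 12);
}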

For each window of fixed-base multiples :

  • Define a Lagrange interpolation polynomial that maps to the -coordinate of the multiple , i.e.
  • Find a value such that is a square in the field, but the wrong-sign -coordinate does not produce a square.

Repeating this for all windows, we end up with:

  • an table storing coefficients interpolating the coordinate for each window. Each -coordinate interpolation polynomial will be of the form where and 's are the coefficients for each power of ; and
  • a length- array of 's.

We load these precomputed values into fixed columns whenever we do fixed-base scalar multiplication in the circuit.

Fixed-base scalar multiplication

Given a decomposed scalar and a fixed base , we compute as follows:

  1. For each $k_i$ in the scalar decomposition, witness the $x$- and $y$-coordinates of the corresponding window-table multiple.
  2. Check that the witnessed point is on the curve: $y^2 = x^3 + 5$.
  3. Witness such that .
  4. For all windows but the last, use incomplete addition to sum the 's, resulting in .
  5. For the last window, use complete addition and return the final result.

Note: complete addition is required in the final step to correctly map to a representation of the point at infinity, ; and also to handle a corner case for which the last step is a doubling.

Constraints:

where (from the Pallas curve equation).

Signed short exponent

Recall that the signed short exponent is witnessed as a bit magnitude and a sign. Using the above algorithm, we compute the multiplication by the magnitude. Then, to get the final result, we conditionally negate using the sign.

Constraints:

Layout

Note: this doesn't include the last row that uses complete addition. In the implementation this is allocated in a different region.

Variable-base scalar multiplication

In the Orchard circuit we need to check where and the scalar field is with .

We have and , for .

Witness scalar

We're trying to compute for . Set and . Then we can compute

provided that , i.e. which covers the whole range we need because in fact .

Thus, given a scalar , we witness the boolean decomposition of (We use big-endian bit order for convenient input into the variable-base scalar multiplication algorithm.)

Variable-base scalar multiplication

We use an optimized double-and-add algorithm, copied from "Faster variable-base scalar multiplication in zk-SNARK circuits" with some variable name changes:

Acc := [2] T
for i from n-1 down to 0 {
    P := k_{i+1} ? T : −T
    Acc := (Acc + P) + Acc
}
return (k_0 = 0) ? (Acc - T) : Acc

It remains to check that the x-coordinates of each pair of points to be added are distinct.

When adding points in a prime-order group, we can rely on Theorem 3 from Appendix C of the Halo paper, which says that if we have two such points with nonzero indices wrt a given odd-prime order base, where the indices taken in the range are distinct disregarding sign, then they have different x-coordinates. This is helpful, because it is easier to reason about the indices of points occurring in the scalar multiplication algorithm than it is to reason about their x-coordinates directly.

So, the required check is equivalent to saying that the following "indexed version" of the above algorithm never asserts:

acc := 2
for i from n-1 down to 0 {
    p = k_{i+1} ? 1 : −1
    assert acc ≠ ± p
    assert (acc + p) ≠ acc    // X
    acc := (acc + p) + acc
    assert 0 < acc ≤ (q-1)/2
}
if k_0 = 0 {
    assert acc ≠ 1
    acc := acc - 1
}
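The indexed algorithm is cheap to check exhaustively for small parameters; the following sketch transcribes the pseudocode above directly, using a small stand-in odd prime for $q$:

// Sketch: run the "indexed version" of the double-and-add algorithm for
// every scalar of a small bit length n, checking that no assertion fires
// when the group-order bound holds. Here q is a small stand-in odd prime.

fn indexed_run(bits: &[bool], q: i128) -> bool {
    let n = bits.len() - 1; // bits are k_0..k_n; the loop uses k_1..k_n
    let mut acc: i128 = 2;
    for i in (0..n).rev() {
        let p: i128 = if bits[i + 1] { 1 } else { -1 };
        if acc == p || acc == -p { return false; } // assert acc != ±p
        // (acc + p) != acc always holds since p != 0.
        acc = (acc + p) + acc;
        if !(0 < acc && acc <= (q - 1) / 2) { return false; }
    }
    if !bits[0] {
        if acc == 1 { return false; } // assert acc != 1 before subtracting
        acc -= 1;
    }
    let _ = acc;
    true
}

fn main() {
    // With n = 4, max acc = 2^(n+1) + 2^n - 1 = 47 (derived below), so any
    // q with (q-1)/2 >= 47 (e.g. q = 97) admits no exceptional cases.
    let (n, q) = (4usize, 97i128);
    for k in 0..(1u32 << (n + 1)) {
        let bits: Vec<bool> = (0..=n).map(|i| (k >> i) & 1 == 1).collect();
        assert!(indexed_run(&bits, q), "exceptional case at k = {k}");
    }
    println!("no exceptional cases for n = {n}, q = {q}");
}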

The maximum value of acc is:

    <--- n 1s --->
  1011111...111111
= 1100000...000000 - 1

$= 2^{n+1} + 2^n - 1$

The assertion labelled X obviously cannot fail because $p \neq 0$. It is possible to see that acc is monotonically increasing except in the last conditional. It reaches its largest value when $k$ is maximal, i.e. $k = 2^{n+1} - 1$.

So to entirely avoid exceptional cases, we would need $2^{n+1} + 2^n - 1 \leq (q-1)/2$. But we can use a larger $n$ if the last few iterations use complete addition.

The first $n$ for which the algorithm using only incomplete addition fails is going to be $n = 252$, since $2^{253} + 2^{252} - 1 \geq (q-1)/2$. We need $n = 254$ to make the wraparound technique above work.

sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001
sage: 2^253 + 2^252 - 1 < (q-1)//2
False
sage: 2^252 + 2^251 - 1 < (q-1)//2
True

So the last three iterations of the loop ($i = 2..0$) need to use complete addition, as does the conditional subtraction at the end. Writing this out using ⸭ for incomplete addition (as we do in the spec), we have:

Acc := [2] T
for i from 253 down to 3 {
    P := k_{i+1} ? T : −T
    Acc := (Acc ⸭ P) ⸭ Acc
}
for i from 2 down to 0 {
    P := k_{i+1} ? T : −T
    Acc := (Acc + P) + Acc  // complete addition
}
return (k_0 = 0) ? (Acc + (-T)) : Acc  // complete addition

Constraint program for optimized double-and-add (incomplete addition)

Define a running sum , where and:

where The helper . After substitution of , and , this becomes:

Here, is assigned to a cell. This is unlike previous 's, which were implicitly derived from , but never actually assigned.

The bits are used in three further steps, using complete addition:

If the least significant bit $k_0 = 1$, we set $B = \mathcal{O}$; otherwise we set $B = -T$. Then we return $\mathit{Acc} + B$ using complete addition.

Let

Output .

(Note that represents .)

Circuit design

We need six advice columns to witness . However, since are the same, we can perform two incomplete additions in a single row, reusing the same . We split the scalar bits used in incomplete addition into and halves and process them in parallel. This means that we effectively have two for loops:

  • the first, covering the half for from down to , with a special case at ; and
  • the second, covering the half for the remaining from down to , with a special case at .

For each and half, we have three sets of gates. Note that is going from ; is NOT indexing the rows.

This gate is only used on the first row (before the for loop). We check that are initialized to values consistent with the initial where

This gate is used on all rows corresponding to the for loop except the last.

where

This gate is used on the final iteration of the for loop, handling the special case where we check that the output has been witnessed correctly. where

Overflow check

cannot overflow for any , because it is a weighted sum of bits only up to , which is smaller than (and also ).

However, can overflow .

Since overflow can only occur in the final step that constrains , we have . It is then sufficient to also check that (so that ) and that . These conditions together imply that as an integer, and so as required.

Note: the bits do not represent a value reduced modulo , but rather a representation of the unreduced .

Optimized check for

Since , we have

We may assume that .

Therefore,

Given , we prove equivalence of and as follows:

  • shift the range by to give ;
  • observe that is guaranteed to be in and therefore cannot overflow or underflow modulo ;
  • using the fact that , observe that .

(We can see in a different way that this is correct by observing that it checks whether , so the upper bound is aligned as we would expect.)

Now, we can continue optimizing from :

Constraining to be all- or not-all- can be implemented almost "for free", as follows.

Recall that , so we have:

So are all exactly when .

Finally, we can merge the -bit decompositions for the and cases by checking that .

Overflow check constraints

Let . The constraints for the overflow check are:

Define

Witness , and decompose as .

Then the needed gates are:

where can be computed by another running sum. Note that the factor of has no effect on the constraint, since the RHS is zero.

Running sum range check

We make use of a -bit lookup range check in the circuit to subtract the low bits of . The range check subtracts the first bits of and right-shifts the result to give

Sinsemilla

Overview

Sinsemilla is a collision-resistant hash function and commitment scheme designed to be efficient in algebraic circuit models that support lookups, such as PLONK or Halo 2.

The security properties of Sinsemilla are similar to Pedersen hashes; it is not designed to be used where a random oracle, PRF, or preimage-resistant hash is required. The only claimed security property of the hash function is collision-resistance for fixed-length inputs.

Sinsemilla is roughly 4 times less efficient than the algebraic hashes Rescue and Poseidon inside a circuit, but around 19 times more efficient than Rescue outside a circuit. Unlike either of these hashes, the collision resistance property of Sinsemilla can be proven based on cryptographic assumptions that have been well-established for at least 20 years. Sinsemilla can also be used as a computationally binding and perfectly hiding commitment scheme.

The general approach is to split the message into -bit pieces, and for each piece, select from a table of bases in our cryptographic group. We combine the selected bases using a double-and-add algorithm. This ends up being provably as secure as a vector Pedersen hash, and makes advantageous use of the lookup facility supported by Halo 2.

Description

This section is an outline of how Sinsemilla works: for the normative specification, refer to §5.4.1.9 Sinsemilla Hash Function in the protocol spec. The incomplete point addition operator, ⸭, that we use below is also defined there.

Let $\mathbb{G}$ be a cryptographic group of prime order $q$. We write $\mathbb{G}$ additively, with identity $\mathcal{O}$, and using $[m] P$ for scalar multiplication of $P$ by $m$.

Let $k$ be an integer chosen based on efficiency considerations (the table size will be $2^k$). Let $n$ be an integer, fixed for each instantiation, such that messages are $kn$ bits. We use zero-padding to the next multiple of $k$ bits if necessary.

Setup: Choose $Q$ and $P[0..2^k - 1]$ as independent, verifiably random generators of $\mathbb{G}$, using a suitable hash into $\mathbb{G}$, such that none of $Q$ or $P[j]$ are $\mathcal{O}$.

In Orchard, we define to be dependent on a domain separator . The protocol specification uses in place of and in place of .

$\mathsf{SinsemillaHashToPoint}(M)$:

  • Split $M$ into $n$ groups of $k$ bits. Interpret each group as a $k$-bit little-endian integer $m_i$.
  • let $\mathit{Acc} := Q$
  • for $i$ from $0$ up to $n-1$:
    • let $\mathit{Acc} := (\mathit{Acc} ⸭ P[m_{i+1}]) ⸭ \mathit{Acc}$
  • return $\mathit{Acc}$

Let $\mathsf{SinsemillaHash}(M)$ be the $x$-coordinate of $\mathsf{SinsemillaHashToPoint}(M)$. (This assumes that $\mathbb{G}$ is a prime-order elliptic curve in short Weierstrass form, as is the case for Pallas and Vesta.)

It is slightly more efficient to express a double-and-add $[2] A + P$ as $(A + P) + A$. We also use incomplete additions: it is shown in the Sinsemilla security argument that in the case where $\mathbb{G}$ is a prime-order short Weierstrass elliptic curve, an exceptional case for addition would lead to finding a discrete logarithm, which can be assumed to occur with negligible probability even for adversarial input.
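The accumulation structure can be sketched over a toy group, modeling each point by its discrete logarithm modulo a small stand-in prime; this ignores the security argument entirely and only illustrates the chunk-select-and-accumulate flow:

// Sketch: Sinsemilla's accumulation with k = 3 (table size 8), modeling
// group elements by their discrete logs modulo a toy prime.
// Acc := Q; for each chunk m_i: Acc := (Acc + P[m_i]) + Acc.

const Q_TOY: u64 = 1_000_003; // toy odd prime "group order"
const K: usize = 3;

fn sinsemilla_toy(q: u64, p: &[u64; 1 << K], chunks: &[u8]) -> u64 {
    let mut acc = q;
    for &m in chunks {
        // (Acc ⸭ P[m]) ⸭ Acc, written as [2]Acc + P[m] in the exponent.
        acc = (2 * acc % Q_TOY + p[m as usize]) % Q_TOY;
    }
    acc
}

fn main() {
    // Stand-ins for the verifiably random generators Q and P[0..8).
    let q = 123_456u64;
    let p: [u64; 8] = [11, 22, 33, 44, 55, 66, 77, 88];
    let digest = sinsemilla_toy(q, &p, &[5, 0, 7, 3]);
    println!("toy Sinsemilla accumulator: {digest}");
}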

Use as a commitment scheme

Choose another generator $H$ independently of $Q$ and $P[0..2^k - 1]$.

The randomness $r$ for a commitment is chosen uniformly on $[0, q)$.

Let $\mathsf{SinsemillaCommit}_r(M) = \mathsf{SinsemillaHashToPoint}(M) + [r] H$.

Let $\mathsf{SinsemillaShortCommit}_r(M)$ be the $x$-coordinate of $\mathsf{SinsemillaCommit}_r(M)$. (This again assumes that $\mathbb{G}$ is a prime-order elliptic curve in short Weierstrass form.)

Note that unlike a simple Pedersen commitment, this commitment scheme ( or ) is not additively homomorphic.

Efficient implementation

The aim of the design is to optimize the number of bits that can be processed for each step of the algorithm (which requires a doubling and addition in $\mathbb{G}$) for a given table size. Using a single table of size $2^k$ group elements, we can process $k$ bits at a time.

Constraint program

Let .

Input: . (The message words are 1-indexed here, as in the protocol spec, but we start the loop from so that corresponds to in the protocol spec.)

Output: .

  • for from up to :

PLONK / Halo 2 constraints

Message decomposition

We have an -bit message . (Note that the message words are 1-indexed as in the protocol spec.)

Initialise the running sum and define . We will end up with

Rearranging gives us an expression for each word of the original message , which we can look up in the table.

In other words, .

For a little-endian decomposition as used here, the running sum is initialized to the scalar and ends at 0. For a big-endian decomposition as used in variable-base scalar multiplication, the running sum would start at 0 and end with recovering the original scalar.

The running sum only applies to message words within a single field element, i.e. if then we will have several disjoint running sums. A longer message can be constructed by splitting the message words across several field elements, and then running several instances of the constraints below. An additional selector is set to for the last step of each element, except for the last element where it is set to .

In order to support chaining multiple field elements without a gap, we will use a slightly more complicated expression for that effectively forces to zero for the last step of each element, as indicated by . This allows the cell that would have been to be used to reinitialize the running sum for the next element.

Generator lookup table

The Sinsemilla circuit makes use of pre-computed random generators. These are loaded into a lookup table:

Layout

Note: is synthesized from and ; it is shown here only for clarity.

, , , etc. would be copied in using equality constraints.

Optimized Sinsemilla gate

The Halo 2 circuit API can automatically substitute , , , and , so we don't need to do that manually.

  • for from up to :

Note that each term of the last constraint is multiplied by relative to the constraint program given earlier. This is a small optimization that avoids divisions by .

By gating the lookup expression on , we avoid the need to fill in unused cells with dummy values to pass the lookup argument. The optimized lookup value (using a default index of ) is:

This increases the degree of the lookup argument to .

MerkleCRH

Message decomposition

is used in the hash function. The input to is:

where:

  • ,
  • ,
  • ,

where $\mathsf{left}$ and $\mathsf{right}$ are allowed to be non-canonical $255$-bit encodings.

We break these inputs into the following MessagePieces:

are constrained by the to be bits, bits, and bits respectively.

In a custom gate, we check this message decomposition by enforcing the following constraints:


  1. , the index-1 running sum output of , is copied into the gate. has been constrained by the to be bits. We recover the subpieces using : is loaded into a fixed column at each layer of the hash. It is used both as a gate selector, and to fix the value of . We check that

Note: The reason for using instead of is that when (hashing two leaves). We cannot have a zero-valued selector, since a constraint gated by a zero-valued selector is never checked.


  1. , the index-1 running sum output of , is copied into the gate. has been constrained by the to be bits. We witness the subpieces outside this gate, and constrain them each to be bits. Inside the gate, we check that We also recover the subpiece using :

We have now derived or witnessed every subpiece, and range-constrained every subpiece:

  • ( bits), derived as ;
  • ( bits), equal to ;
  • ( bits), derived as ;
  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and constrained outside the gate;
  • is constrained to equal , and we use them to reconstruct the original field element inputs:

Circuit components

The Orchard circuit spans $10$ advice columns while the Sinsemilla chip only uses $5$ advice columns. We distribute the path hashing evenly across two Sinsemilla chips to make better use of the available circuit area. Since the output from the previous layer hash is copied into the next layer hash, we maintain continuity even when moving from one chip to the other.

Message decomposition

is used in the function. The input to is:

where , are Pallas base field elements, and

Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into chunks:

Then we recompose the chunks into message pieces:

Each message piece is constrained by to its stated length. Additionally, and are witnessed as field elements, so we know they are canonical. However, we need additional constraints to enforce that:

  • The chunks are the correct bit lengths (or else they could overlap in the decompositions and allow the prover to witness an arbitrary message).
  • The chunks contain the canonical decompositions of and (or else the prover could witness an input to that is equivalent to and but not identical).

Some of these constraints can be implemented with reusable circuit gadgets. We define a custom gate controlled by the selector to hold the remaining constraints.

Bit length constraints

Chunks and are directly constrained by Sinsemilla. For the remaining chunks, we use the following constraints:

where and is a short lookup range check.

Decomposition constraints

We have now derived or witnessed every subpiece, and range-constrained every subpiece:

  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and boolean-constrained in the gate;
  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and boolean-constrained in the gate.

We can now use them to reconstruct both the (chunked) message pieces, and the original field element inputs:

Canonicity checks

At this point, we have constrained and to be 255-bit values, with top bits and respectively. We have also constrained:

where is the Pallas base field modulus. The remaining constraints will enforce that these are indeed canonically-encoded field elements, i.e.

The Pallas base field modulus has the form $p = 2^{254} + t_p$, where $t_p$ is $126$ bits. We therefore know that if the top bit is not set, then the remaining bits will always comprise a canonical encoding of a field element. Thus the canonicity checks below are enforced if and only if the respective top bit is set to 1.

In the constraints below we use a base-$2^{10}$ variant of the method used in libsnark (originally from [SVPBABW2012, Appendix C.1]) for range constraints:

  • Let be the smallest power of greater than .
  • Enforce .
  • Let .
  • Enforce .

with

In these cases, we check that :

  1. Since we know that and in particular

  2. To check that , we use two constraints:

    a) . This is expressed in the custom gate as where is the index-13 running sum output by

    b) . To check this, we decompose into thirteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

with

In these cases, we check that :

  1. Since we know that and in particular

  2. To check that , we use two constraints:

    a) . is already constrained individually to be a -bit value. is the index-13 running sum output by By constraining we constrain

    b) . To check this, we decompose into fourteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

Region layout

The constraints controlled by the selector are arranged across 9 advice columns, requiring two rows.

NoteCommit

Message decomposition

is used in the function. The input to is:

where:

  • are representations of Pallas curve points, with $255$ bits used for the $x$-coordinate and $1$ bit used for the $y$-coordinate.
  • are Pallas base field elements.
  • is a -bit value.

Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into chunks:

Then we recompose the chunks into message pieces:

where is 4 zero bits (corresponding to the padding applied by the Sinsemilla function).

Each message piece is constrained by to its stated length. Additionally:

  • and are witnessed and checked to be valid elliptic curve points.
  • is witnessed as a field element, but its decomposition is sufficient to constrain it to be a 64-bit value.
  • and are witnessed as field elements, so we know they are canonical.

However, we need additional constraints to enforce that:

  • The chunks are the correct bit lengths (or else they could overlap in the decompositions and allow the prover to witness an arbitrary message).
  • The chunks contain the canonical decompositions of , , , and (or else the prover could witness multiple equivalent inputs to ).

Some of these constraints are implemented with a reusable circuit gadget, . We define custom gates for the remainder. Since these gates use simple boolean selectors activated on different rows, their selectors are eligible for combining, reducing the overall proof size.

Message piece decomposition

We check the decomposition of each message piece in its own region. There is no need to check the whole pieces:

  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and constrained outside the gate;
  • ( bits) is witnessed and constrained outside the gate;

The following helper gates are defined:

has been constrained to be bits by the Sinsemilla hash.

Region layout

Constraints

Outside this gate, we have constrained:

has been constrained to be bits by the .

Region layout

Constraints

Outside this gate, we have constrained:

  • is equality-constrained to , where the latter is the index-1 running sum output of constrained by the hash to be bits.

has been constrained to be bits by the .

Region layout

Constraints

Outside this gate, we have constrained:

has been constrained to be bits by the .

Region layout

Constraints

Outside this gate, we have constrained:

  • is equality-constrained to , where the latter is the index-1 running sum output of constrained by the hash to be 240 bits.

has been constrained to be bits by the .

Region layout

Constraints

Outside this gate, we have constrained:

Field element checks

All message pieces and subpieces have been range-constrained by the earlier decomposition gates. They are now used to:

  • constrain each field element , , , and to be 255-bit values, with top bits , , , and respectively.
  • constrain where is the Pallas base field modulus.
  • check that these are indeed canonically-encoded field elements, i.e.

The Pallas base field modulus has the form $p = 2^{254} + t_p$, where $t_p$ is $126$ bits. We therefore know that if the top bit is not set, then the remaining bits will always comprise a canonical encoding of a field element. Thus the canonicity checks below are enforced if and only if the corresponding top bit is set to 1.

In the constraints below we use a base-$2^{10}$ variant of the method used in libsnark (originally from [SVPBABW2012, Appendix C.1]) for range constraints:

  • Let be the smallest power of greater than .
  • Enforce .
  • Let .
  • Enforce .

with

Recall that . When the top bit is set, we check that :

  1. Since we know that and in particular

  2. To check that , we use two constraints:

    a) . This is expressed in the custom gate as where is the index-13 running sum output by

    b) . To check this, we decompose into thirteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

Region layout

Constraints

with

Recall that . When the top bit is set, we check that :

  1. To check that we use two constraints:

    a) is already constrained individually to be a -bit value. is the index-13 running sum output by By constraining we constrain

    b) . To check this, we decompose into fourteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

Region layout

Constraints

Region layout

Constraints

with

Recall that . When the top bit is set, we check that :

  1. To check that we use two constraints:

    a) is already constrained individually to be a -bit value. is the index-13 running sum output by By constraining we constrain

    b) . To check this, we decompose into fourteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

Region layout

Constraints

with

Recall that . When the top bit is set, we check that :

  1. Since we know that and in particular

  2. To check that we use two constraints:

    a) is already constrained individually to be a -bit value. is the index-13 running sum output by By constraining we constrain

    b) . To check this, we decompose into thirteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

Region layout

Constraints

$y$-coordinate checks

Note that only the LSB of the $y$-coordinates was input to the hash, while the other bits of each $y$-coordinate were unused. However, we must still check that the witnessed LSB matches the original point's $y$-coordinate. The checks for each $y$-coordinate will follow the same format. For each $y$-coordinate, we witness:

where is for , and for . Let We decompose it into ten-bit words using a strict lookup decomposition. The running sum outputs allow us to substitute

Recall that and were pieces input to the Sinsemilla hash and have already been boolean-constrained. and are constrained outside this gate to and bits respectively. To constrain the remaining chunks, we use the following constraints:

Then, to check that the decomposition was correct:

with

In these cases, we check that :

  1. Since we know that and in particular

  2. To check that , we use two constraints:

    a) . This is expressed in the custom gate as where is the index-13 running sum output by the -bit lookup decomposition of .

    b) . To check this, we decompose into thirteen 10-bit words (little-endian) using a running sum , looking up each word in a -bit lookup table. We then enforce in the custom gate that

Region layout

Constraints

Outside this gate, we have constrained:

This can be checked in exactly the same way as , with replaced by .

Decomposition

Given a field element, these gadgets decompose it into $K$-bit windows, where each window $k_i$ is a $K$-bit value.

This is done using a running sum $z_i$. We initialize the running sum $z_0 = \alpha$, and compute subsequent terms $z_{i+1} = \frac{z_i - k_i}{2^K}$. This gives us:

Strict mode

Strict mode constrains the running sum output to be zero, thus range-constraining the field element to be within $W \cdot K$ bits.

In strict mode, we are also assured that $z_{W-1}$ gives us the last window in the decomposition.
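A sketch of the running sum over plain integers ($K = 3$ as in the circuit; strict mode corresponds to the final zero check):

// Sketch: running-sum decomposition z_{i+1} = (z_i - k_i) / 2^K, where
// each k_i is the low-K-bit window of z_i. Strict mode requires the final
// running sum to be zero, range-constraining the element to W*K bits.

const K: u32 = 3;

fn running_sum(alpha: u64, windows: usize) -> (Vec<u64>, Vec<u64>) {
    let mut z = vec![alpha];
    let mut k = Vec::new();
    for _ in 0..windows {
        let zi = *z.last().unwrap();
        let ki = zi & ((1 << K) - 1); // the K-bit window
        k.push(ki);
        z.push((zi - ki) >> K); // exact division by 2^K
    }
    (z, k)
}

fn main() {
    let (z, k) = running_sum(0b101_110_011, 3);
    assert_eq!(k, vec![0b011, 0b110, 0b101]);
    assert_eq!(*z.last().unwrap(), 0); // strict mode: z_W = 0
}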

Lookup decomposition

This gadget makes use of a $K$-bit lookup table to decompose a field element into $K$-bit words. Each $K$-bit word is range-constrained by a lookup in the table.

The region layout for the lookup decomposition uses a single advice column , and two selectors and

Short range check

Using two $K$-bit lookups, we can range-constrain a field element $\alpha$ to be $n$ bits, where $n \leq K$. To do this:

  1. Constrain $\alpha$ to be within $K$ bits using a $K$-bit lookup.
  2. Constrain $\alpha \cdot 2^{K-n}$ to be within $K$ bits using a $K$-bit lookup.
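Numerically, the two lookups interact as follows (a sketch with $K = 10$; in the circuit the shift is a field multiplication by $2^{K-n}$, and `in_table` stands for the lookup argument):

// Sketch: range-constrain alpha to n bits (n <= K) with two K-bit lookups:
// (1) alpha itself is in the K-bit table; (2) alpha * 2^(K-n) is too.
// If alpha >= 2^n, then alpha * 2^(K-n) >= 2^K and the second lookup fails.

const K: u32 = 10;

fn in_table(x: u64) -> bool {
    x < (1u64 << K) // membership in the K-bit lookup table
}

fn short_range_check(alpha: u64, n: u32) -> bool {
    assert!(n <= K);
    in_table(alpha) && in_table(alpha << (K - n))
}

fn main() {
    assert!(short_range_check(63, 6)); // 63 fits in 6 bits
    assert!(!short_range_check(64, 6)); // 64 does not: 64 << 4 = 2^10
}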

The short variant of the lookup decomposition introduces a selector. The same advice column has here been renamed to for clarity:

where Note that is assigned to a fixed column at keygen, and copied in at proving time. This is used in the gate enabled by the selector to check that was shifted correctly:

Combined lookup expression

Since the lookup decomposition and its short variant both make use of the same lookup table, we combine their lookup input expressions into a single one:

where and are the same cell (but distinguished here for clarity of usage).

Short range decomposition

For a short range (for instance, a $3$-bit word), we can range-constrain each word $w$ using a degree-$2^K$ polynomial constraint instead of a lookup:

$$\prod_{k=0}^{2^K - 1} (w - k) = 0$$
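A sketch evaluating this vanishing polynomial over plain integers ($K = 3$, so the constraint has degree $8$):

// Sketch: the range constraint for a K-bit word w is the vanishing
// polynomial prod_{k=0}^{2^K - 1} (w - k) = 0, here over plain integers.

fn range_poly(w: i64, k_bits: u32) -> i64 {
    (0..(1i64 << k_bits)).map(|k| w - k).product()
}

fn main() {
    for w in 0..8 {
        assert_eq!(range_poly(w, 3), 0); // in range: some factor is zero
    }
    assert_ne!(range_poly(8, 3), 0); // out of range: 8! = 40320
}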