$Commit^{ivk}$

Message decomposition

$SinsemillaShortCommit$ is used in the $Commit^{ivk}$ function. The input to $SinsemillaShortCommit$ is:

$I2LEBSP_{ℓ_{base}^{Orchard p}} (ak) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (nk),$

where $ak$ , $nk$ are Pallas base field elements, and $ℓ_{base}^{Orchard p} = 255.$

Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into chunks:

$I2LEBSP_{ℓ_{base}^{Orchard p}} (ak) I2LEBSP_{ℓ_{base}^{Orchard p}} (nk) = a ∣∣ b_{0} ∣∣ b_{1} = (bits 0..=249 of ak) ∣∣ (bits 250..=253 of ak) ∣∣ (bit 254 of ak) = b_{2} ∣∣ c ∣∣ d_{0} ∣∣ d_{1} = (bits 0..=4 of nk) ∣∣ (bits 5..=244 of nk) ∣∣ (bits 245..=253 of nk) ∣∣ (bit 254 of nk)$

Then we recompose the chunks into message pieces:

$Length (bits) 2501024010 Piece a b = b_{0} ∣∣ b_{1} ∣∣ b_{2} c d = d_{0} ∣∣ d_{1}$

Each message piece is constrained by $SinsemillaHash$ to its stated length. Additionally, $ak$ and $nk$ are witnessed as field elements, so we know they are canonical. However, we need additional constraints to enforce that:

The chunks are the correct bit lengths (or else they could overlap in the decompositions and allow the prover to witness an arbitrary $SinsemillaShortCommit$ message).
The chunks contain the canonical decompositions of $ak$ and $nk$ (or else the prover could witness an input to $SinsemillaShortCommit$ that is equivalent to $ak$ and $nk$ but not identical).

Some of these constraints can be implemented with reusable circuit gadgets. We define a custom gate controlled by the selector $q_{Commit^{ivk}}$ to hold the remaining constraints.

Bit length constraints

Chunks $a$ and $c$ are directly constrained by Sinsemilla. For the remaining chunks, we use the following constraints:

$Degree 33 Constraint short_lookup_range_check (b_{0}, 4) short_lookup_range_check (b_{2}, 5) short_lookup_range_check (d_{0}, 9) q_{Commit^{ivk}} \cdot bool_check (b_{1}) = 0 q_{Commit^{ivk}} \cdot bool_check (d_{1}) = 0$

where $bool_check (x) = x \cdot (1 - x)$ and $short_lookup_range_check ()$ is a short lookup range check.

Decomposition constraints

We have now derived or witnessed every subpiece, and range-constrained every subpiece:

$a$ ( $250$ bits) is witnessed and constrained outside the gate;
$b_{0}$ ( $4$ bits) is witnessed and constrained outside the gate;
$b_{1}$ ( $1$ bits) is witnessed and boolean-constrained in the gate;
$b_{2}$ ( $5$ bits) is witnessed and constrained outside the gate;
$c$ ( $240$ bits) is witnessed and constrained outside the gate;
$d_{0}$ ( $9$ bits) is witnessed and constrained outside the gate;
$d_{1}$ ( $1$ bits) is witnessed and boolean-constrained in the gate.

We can now use them to reconstruct both the (chunked) message pieces, and the original field element inputs:

$b d ak nk = b_{0} + 2^{4} \cdot b_{1} + 2^{5} \cdot b_{2} = d_{0} + 2^{9} \cdot d_{1} = a + 2^{250} \cdot b_{0} + 2^{254} \cdot b_{1} = b_{2} + 2^{5} \cdot c + 2^{245} \cdot d_{0} + 2^{254} \cdot d_{1}$

$Degree 2222 Constraint q_{Commit^{ivk}} \cdot (b - (b_{0} + b_{1} \cdot 2^{4} + b_{2} \cdot 2^{5})) = 0 q_{Commit^{ivk}} \cdot (d - (d_{0} + d_{1} \cdot 2^{9})) = 0 q_{Commit^{ivk}} \cdot (a + b_{0} \cdot 2^{250} + b_{1} \cdot 2^{254} - ak) = 0 q_{Commit^{ivk}} \cdot (b_{2} + c \cdot 2^{5} + d_{0} \cdot 2^{245} + d_{1} \cdot 2^{254} - nk) = 0$

Canonicity checks

At this point, we have constrained $I2LEBSP_{ℓ_{base}^{Orchard p}} (ak)$ and $I2LEBSP_{ℓ_{base}^{Orchard p}} (nk)$ to be 255-bit values, with top bits $b_{1}$ and $d_{1}$ respectively. We have also constrained:

$I2LEBSP_{ℓ_{base}^{Orchard p}} (ak) I2LEBSP_{ℓ_{base}^{Orchard p}} (nk) = ak (mod q_{P}) = nk (mod q_{P})$

where $q_{P}$ is the Pallas base field modulus. The remaining constraints will enforce that these are indeed canonically-encoded field elements, i.e.

$I2LEBSP_{ℓ_{base}^{Orchard p}} (ak) I2LEBSP_{ℓ_{base}^{Orchard p}} (nk) < q_{P} < q_{P}$

The Pallas base field modulus has the form $q_{P} = 2^{254} + t_{P}$ , where $t_{P} = 0x224698fc094cf91b992d30ed00000001$ is 126 bits. We therefore know that if the top bit is not set, then the remaining bits will always comprise a canonical encoding of a field element. Thus the canonicity checks below are enforced if and only if $b_{1} = 1$ (for $ak$ ) or $d_{1} = 1$ (for $nk$ ).

In the constraints below we use a base- $2^{10}$ variant of the method used in libsnark (originally from [SVPBABW2012, Appendix C.1]) for range constraints $0 \leq x < t$ :

Let $t^{'}$ be the smallest power of $2^{10}$ greater than $t$ .

Enforce $0 \leq x < t^{'}$ .

Let $x^{'} = x + t^{'} - t$ .

Enforce $0 \leq x^{'} < t^{'}$ .

$ak$ with $b_{1} = 1 ⟹ ak \geq 2^{254}$

In these cases, we check that $ak_{0.. = 253} < t_{P}$ :

$b_{1} = 1 ⟹ b_{0} = 0.$

Since $b_{1} = 1 ⟹ ak_{0.. = 253} < t_{P} < 2^{126},$ we know that $ak_{126.. = 253} = 0,$ and in particular $b_{0} := ak_{250.. = 253} = 0.$
$b_{1} = 1 ⟹ 0 \leq a < t_{P} .$

To check that $a < t_{P}$ , we use two constraints:

a) $0 \leq a < 2^{130}$ . This is expressed in the custom gate as $b_{1} \cdot z_{a, 13} = 0,$ where $z_{a, 13}$ is the index-13 running sum output by $SinsemillaHash (a) .$

b) $0 \leq a + 2^{130} - t_{P} < 2^{130}$ . To check this, we decompose $a^{'} = a + 2^{130} - t_{P}$ into thirteen 10-bit words (little-endian) using a running sum $z_{a^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $b_{1} \cdot z_{a^{'}, 13} = 0.$

$Degree 3323 Constraint q_{Commit^{ivk}} \cdot b_{1} \cdot b_{0} = 0 q_{Commit^{ivk}} \cdot b_{1} \cdot z_{a, 13} = 0 q_{Commit^{ivk}} \cdot (a + 2^{130} - t_{P} - a^{'}) = 0 q_{Commit^{ivk}} \cdot b_{1} \cdot z_{a^{'}, 13} = 0$

$nk$ with $d_{1} = 1 ⟹ nk \geq 2^{254}$

In these cases, we check that $nk_{0.. = 253} < t_{P}$ :

$d_{1} = 1 ⟹ d_{0} = 0.$

Since $d_{1} = 1 ⟹ nk_{0.. = 253} < t_{P} < 2^{126},$ we know that $nk_{126.. = 253} = 0,$ and in particular $d_{0} := nk_{245.. = 253} = 0.$
$d_{1} = 1 ⟹ 0 \leq b_{2} + 2^{5} \cdot c < t_{P} .$

To check that $0 \leq b_{2} + 2^{5} \cdot c < t_{P}$ , we use two constraints:

a) $0 \leq b_{2} + 2^{5} \cdot c < 2^{140}$ . $b_{2}$ is already constrained individually to be a $5$ -bit value. $z_{c, 13}$ is the index-13 running sum output by $SinsemillaHash (c) .$ By constraining $d_{1} \cdot z_{c, 13} = 0,$ we constrain $b_{2} + 2^{5} \cdot c < 2^{135} < 2^{140} .$

b) $0 \leq b_{2} + 2^{5} \cdot c + 2^{140} - t_{P} < 2^{140}$ . To check this, we decompose $b_{2} c^{'} = b_{2} + 2^{5} \cdot c + 2^{140} - t_{P}$ into fourteen 10-bit words (little-endian) using a running sum $z_{b_{2} c^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $d_{1} \cdot z_{b_{2} c^{'}, 14} = 0.$

$Degree 3323 Constraint q_{Commit^{ivk}} \cdot d_{1} \cdot d_{0} = 0 q_{Commit^{ivk}} \cdot d_{1} \cdot z_{c, 13} = 0 q_{Commit^{ivk}} \cdot (b_{2} + c \cdot 2^{5} + 2^{140} - t_{P} - b_{2} c^{'}) = 0 q_{Commit^{ivk}} \cdot d_{1} \cdot z_{b_{2} c^{'}, 14} = 0$

Region layout

The constraints controlled by the $q_{Commit^{ivk}}$ selector are arranged across 9 advice columns, requiring two rows.

$ak nk a c b d b_{0} d_{0} b_{1} d_{1} b_{2} z_{a, 13} z_{c, 13} a^{'} b_{2} c^{'} z_{a^{'}, 13} z_{b_{2} c^{'}, 14} q_{Commit^{ivk}} 10$

The Orchard Book