The commitment tree structure for Orchard is identical to Sapling:
- A single global commitment tree of fixed depth 32.
- Note commitments are appended to the tree in-order from the block.
- Valid Orchard anchors correspond to the global tree state at block boundaries (after all commitments from a block have been appended, and before any commitments from the next block have been appended).
The only difference is that we instantiate with Sinsemilla (whereas used a Bowe--Hopwood Pedersen hash).
The fixed-depth incremental Merkle trees that we use (in Sprout and Sapling, and again in Orchard) require specifying an "empty" or "uncommitted" leaf - a value that will never be appended to the tree as a regular leaf.
- For Sprout (and trees composed of the outputs of bit-twiddling hash functions), we use the all-zeroes array; the probability of a real note having a colliding note commitment is cryptographically negligible.
- For Sapling, where leaves are -coordinates of Jubjub points, we use the value which is not the -coordinate of any Jubjub point.
Orchard note commitments are the -coordinates of Pallas points; thus we take the same approach as Sapling, using a value that is not the -coordinate of any Pallas point as the uncommitted leaf value. It happens that is the smallest such value for both Pallas and Vesta, because is not a square in either or :
sage: p = 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001 sage: q = 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001 sage: EllipticCurve(GF(p), [0, 5]).count_points() == q True sage: EllipticCurve(GF(q), [0, 5]).count_points() == p True sage: Mod(5, p).is_square() False sage: Mod(5, q).is_square() False
We considered splitting the commitment tree into several sub-trees:
- Bundle tree, that accumulates the commitments within a single bundle (and thus a single transaction).
- Block tree, that accumulates the bundle tree roots within a single block.
- Global tree, that accumulates the block tree roots.
Each of these trees would have had a fixed depth (necessary for being able to create
proofs). Chains that integrated Orchard could have decoupled the limits on
commitments-per-subtree from higher-layer constraints like block size, by enabling their
blocks and transactions to be structured internally as a series of Orchard blocks or txs
(e.g. a Zcash block would have contained a
Vec<BlockTreeRoot>, that each were appended
The motivation for considering this change was to improve the lives of light client wallet developers. When a new note is received, the wallet derives its incremental witness from the state of the global tree at the point when the note's commitment is appended; this incremental state then needs to be updated with every subsequent commitment in the block in-order. Wallets can't get help from the server to create these for new notes without leaking the specific note that was received.
We decided that this was too large a change from Sapling, and that it should be possible to improve the Incremental Merkle Tree implementation to work around the efficiency issues without domain-separating the tree.