As in Sapling, we require two kinds of commitment schemes in Orchard:
- is a linearly homomorphic commitment scheme with perfect hiding, and strong binding reducible to DL.
- and are commitment schemes with perfect hiding, and strong binding reducible to DL.
By "strong binding" we mean that the scheme is collision resistant on the input and randomness.
We instantiate with a Pedersen commitment, and use it for value commitments:
We instantiate and with Sinsemilla, and use them for all other commitments:
This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient Sinsemilla instead of Bowe--Hopwood Pedersen hashes.
Note that for , we also deviate from Sapling in two ways:
- We use to derive instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit, at the cost of requiring to be part of the full viewing key.
- We define as an integer in ; that is, we exclude . For
Sapling, we relied on BLAKE2s to make infeasible to produce, but it was still
technically possible. For Orchard, we get this by construction:
- is not a valid x-coordinate for any Pallas point.
- internally maps points to field elements by replacing the identity (which has no affine coordinates) with . But is defined using incomplete addition, and thus will never produce the identity.