Commitments

As in Sapling, we require two kinds of commitment schemes in Orchard:

• $HomomorphicCommit$ is a linearly homomorphic commitment scheme with perfect hiding, and strong binding reducible to DL.
• $Commit$ and $ShortCommit$ are commitment schemes with perfect hiding, and strong binding reducible to DL.

By "strong binding" we mean that the scheme is collision resistant on the input and randomness.

We instantiate $HomomorphicCommit$ with a Pedersen commitment, and use it for value commitments:

$$\mathsf{cv}={HomomorphicCommit}_{\mathsf{rcv}}^{\mathsf{cv}}(v)$$

We instantiate $Commit$ and $ShortCommit$ with Sinsemilla, and use them for all other commitments:

$$\mathsf{ivk}={ShortCommit}_{\mathsf{rivk}}^{\mathsf{ivk}}(\mathsf{ak},\mathsf{nk})$$ $$\mathsf{cm}={Commit}_{\mathsf{rcm}}^{\mathsf{cm}}(\text{rest of note})$$

This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient Sinsemilla instead of Bowe--Hopwood Pedersen hashes.

Note that for $\mathsf{ivk}$, we also deviate from Sapling in two ways:

• We use $ShortCommit$ to derive $\mathsf{ivk}$ instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit, at the cost of requiring $\mathsf{rivk}$ to be part of the full viewing key.
• We define $\mathsf{ivk}$ as an integer in $[1,q_P)$; that is, we exclude $\mathsf{ivk}=0$. For Sapling, we relied on BLAKE2s to make $\mathsf{ivk}=0$ infeasible to produce, but it was still technically possible. For Orchard, we get this by construction:
  • $0$ is not a valid x-coordinate for any Pallas point.
  • $\mathsf{SinsemillaShortCommit}$ internally maps points to field elements by replacing the identity (which has no affine coordinates) with $0$. But $\mathsf{SinsemillaCommit}$ is defined using incomplete addition, and thus will never produce the identity.