As in Sapling, we require two kinds of commitment schemes in Orchard:
- is a linearly homomorphic commitment scheme with perfect hiding, and strong binding reducible to DL.
- and are commitment schemes with perfect hiding, and strong binding reducible to DL.
By "strong binding" we mean that the scheme is collision resistant on the input and randomness.
We instantiate with a Pedersen commitment, and use it for value commitments:
We instantiate and with Sinsemilla, and use them for all other commitments:
This is the same split (and rationale) as in Sapling, but using the more PLONK-efficient Sinsemilla instead of Bowe--Hopwood Pedersen hashes.
Note that we also deviate from Sapling by using to deriving instead of a full PRF. This removes an unnecessary (large) PRF primitive from the circuit, at the cost of requiring to be part of the full viewing key.