We are likely to use Pedersen hashes (#2234) for the Sapling circuit. It is convenient and efficient to reuse the Pedersen hash circuit implementation, and the optimizations worked out for it, for Pedersen commitments. So, I propose we define the note and value commitments for Sapling as PedersenCommit_r(x) = PedersenHash(x) + [r] H, for random r uniformly distributed on the Jubjub scalar field. Different generators can be used for each instance of the hash/commitment scheme in order to provide domain separation.
There are some details still to resolve:
how the generators are chosen (probably by reusing the hash function into the group, GH);
the Pedersen hash is only collision-resistant for constant-length inputs — we may either decide to fix this, or decide that it isn't a problem because the length is constant for each separated input domain.
I suggest reserving a counter value of 0 as input to GH to derive H, and then counter values 1..n for the n windows. For hashes, we just omit counter value 0. Each hash or commitment scheme will have a different personalization string, e.g.:
ZcashGHNotesTree for the Merkle tree over note commitments;
The constraint cost of a Pedersen commitment is the cost of a Pedersen hash over the input (2.666 constraints per bit including boolean constraints), plus a fixed-base scalar multiplication (750 constraints), an addition producing only the x-coordinate (4 constraints), and boolean-constraining r (252 constraints). So it is approximately 1006 constraints plus 2.666 constraints per bit.
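An added worked model of the proposal above and of the generator-derivation suggestion (counter 0 reserved for H, counters 1..n for the windows, one personalization string per domain); this is example code, not code from the issue or from the Sapling implementation. It runs over a stand-in prime-order subgroup of Z_p^* instead of Jubjub, so "point addition" is multiplication mod p and [r]H is modular exponentiation; the modulus search, the SHA-256 stand-in for GH, the 3-bit chunk encoding and the sample bits are all assumptions.

```python
import hashlib

Q = 2**127 - 1  # prime order of the toy group (Mersenne prime M127); stands in for the Jubjub scalar field
WINDOW = 3      # bits absorbed per generator (assumed chunk size)

def _is_prime(n: int) -> bool:
    # Miller-Rabin with fixed bases; good enough for picking a demonstration modulus
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

K = 2                                   # cofactor: smallest even K with P = K*Q + 1 prime
while not _is_prime(K * Q + 1):
    K += 2
P = K * Q + 1

def group_hash(pers: bytes, counter: int) -> int:
    # GH analogue: hash pers||counter into Z_P^*, then raise to the cofactor so the
    # result lies in the order-Q subgroup; retry if it hits 0 or the identity.
    for attempt in range(256):
        h = hashlib.sha256(pers + counter.to_bytes(4, "big") + bytes([attempt])).digest()
        g = pow(int.from_bytes(h, "big") % P, K, P)
        if g > 1:
            return g
    raise ValueError("no generator found")

def pedersen_hash(pers: bytes, bits: list) -> int:
    # Fixed-length input only: collision resistance is per length, hence one personalization per domain
    if len(bits) % WINDOW:
        raise ValueError("input length must be a multiple of WINDOW")
    acc = 1                                            # group identity
    for i in range(0, len(bits), WINDOW):
        s0, s1, s2 = bits[i:i + WINDOW]
        enc = (1 + s0 + 2 * s1) * (1 - 2 * s2)        # chunk value in {-4..-1, 1..4}
        gen = group_hash(pers, 1 + i // WINDOW)        # counters 1..n name the windows
        acc = acc * pow(gen, enc % Q, P) % P           # "+ [enc] G_i"
    return acc

def pedersen_commit(pers: bytes, bits: list, r: int) -> int:
    # PedersenCommit_r(x) = PedersenHash(x) + [r]H, with H = GH(pers, 0); r uniform in [0, Q)
    return pedersen_hash(pers, bits) * pow(group_hash(pers, 0), r % Q, P) % P

# constructed 24-bit sample "note" (8 windows); not a real Sapling note encoding
SAMPLE_BITS = [int(b) for b in "101100111000010111001010"]
```

Setting r = 0 recovers the plain hash, which is what lets the commitment reuse the hash circuit; a caller must draw r with a CSPRNG uniformly on [0, Q) for the commitment to hide x.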