[Sapling] Specify commitment scheme for notes and values

[daira]

We are likely to use Pedersen hashes (#2234) for the Sapling circuit. It is convenient and efficient to reuse the Pedersen hash circuit implementation, and the optimizations worked out for it, for Pedersen commitments. So, I propose we define the note and value commitments for Sapling as PedersenCommit_r(x) = PedersenHash(x) + [r] H, for random r uniformly distributed on the Jubjub scalar field. Different generators can be used for each instance of the hash/commitment scheme in order to provide domain separation.

There are some details still to resolve:

• how the generators are chosen (probably by reusing the hash function into the group, GH);
• the Pedersen hash is only collision-resistant for constant-length inputs — we may either decide to fix this, or decide that it isn't a problem because the length is constant for each separated input domain.

[daira]

I suggest reserving a counter value of 0 as input to GH to derive H, and then counter values 1..n for the n windows. For hashes, we just omit counter value 0. Each hash or commitment scheme will have a different personalization string, e.g.:

• ZcashGHNotesTree for the Merkle tree over note commitments;
• ZcashGHInnerComm for the inner note commitments;
• ZcashGHOuterComm for the outer note commitments;
• ZcashGHValueComm for value commitments;
• ZcashGHDiversify for address diversification;
• ZcashGHUserToken for user-issued tokens.

[daira]

I wrote:

I suggest reserving a counter value of 0 as input to GH to derive H, and then counter values 1..n for the n windows. For hashes, we just omit counter value 0.

Actually that won't work because GH is partial. The cleanest way around this is probably to have two counter inputs where the second is the lowest integer for which GH produces an output.

[daira]

The constraint cost of a Pedersen commitment is the cost of a Pedersen hash over the input (2.666 constraints per bit including boolean constraints), plus a fixed-base scalar multiplication (750 constraints), an addition producing only the x-coordinate (4 constraints), and boolean-constraining r (252 constraints). So it is approximately 1006 constraints plus 2.666 constraints per bit.