We commit to:
- the value of the note.
- the asset ID of the note,
- the diversified payment address ,
- the diversified basepoint ,
The note commitment is generated using rate-5 Poseidon hashing with domain separator defined as the
Fq element constructed using:
ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q
The note commitment is then constructed using the above domain separator and hashing together the above contents along with the note blinding factor :
note_commitment = hash_5(ds, (rcm, v, ID, B_d, pk_d))
We commit to the diversified basepoint and payment address instead of the
diversifier itself, as in the circuit
OutputProof when we verify the integrity of
the derived ephemeral key , we need :
We save a hash-to-group in circuit by committing to the diversified basepoint instead of recomputing from the diversifier. See related discussion here from ZCash.