Note Commitments
We commit to:
- the value of the note,
- the asset ID of the note,
- the diversified transmission key,
- the diversified basepoint.
The note commitment is generated using rate-5 Poseidon hashing with a domain separator defined as the Fq element constructed using:
ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q
The note commitment is then constructed using the above domain separator and hashing together the above contents along with the note blinding factor:
note_commitment = hash_6(ds, (rcm, v, ID, B_d, pk_d, ck_d))
The note blinding factor is derived from the rseed, a 32-byte value in the note. Define prf_expand(label, key, input) as BLAKE2b-512 with personalization label, key key, and input input. The note blinding factor is derived as:
rcm = from_le_bytes(prf_expand(b"Penumbra_DeriRcm", rseed, 4)) mod q
We commit to the diversified basepoint and payment address instead of the diversifier itself, since in the OutputProof circuit, when we verify the integrity of the derived ephemeral key , we need:
Committing to the diversified basepoint instead of recomputing it from the diversifier saves a hash-to-group operation in the circuit. See the related discussion here from Zcash.