# Orchard straw-protocol Circuit does one spend and one output (can be dummies). Assume that a note is $(g_d, pk_d, v, \rho, \psi, rcm).$ * $(\rho, \psi, rcm)$ are derived from $rseed$ in a note plaintext. Assume circuit size $\geq 2^m$ so that we can use $m$-bit tables for Sinsemilla and range checks. Probably $10 \leq m \leq 12$. The circuit is primarily composed of Sinsemilla hashes and scalar multiplications. We optimise by storing these in adjacent columns, so we can perform them (somewhat) in parallel. ## Circuit Public inputs: - $rt$ (part of the bundle, not specific to an action) - $cv^{balance}$ - Spent note: - $nf^{old}$ - $rk$ - New output: - $cm^{new}$ - $epk$? Auxiliary inputs: - Spent note: - $path$ : Merkle path - $pos$ : Position in tree - $g_d^{old} : E*$ - $pk_d^{old} : E*$ - $v^{old}$ - $\rho^{old}$, $\psi^{old}$, and $rcm^{old}$ - derived from $rseed$ outside the circuit - $\alpha$ - $rivk$ - $ak : E*$ - New output: - $g_d^{new} : E*$ - $pk_d^{new} : \mathbb{B}^{[l_E]}$ - $v^{new}$ - $\rho^{new}$, $\psi^{new}$, and $rcm^{new}$ - derived from $rseed$ outside the circuit - $esk$ (Optional) - $rcv^{balance}$ Circuit checks: - Type checks: - $g_d^{old}$ is an affine point on the curve - $g_d^{new}$ is an affine point on the curve - $ak$ is an affine point on the curve - $3 \times 1$ rows - $v^{old}$ is in range $\{0..2^{64}-1\}$ - $v^{new}$ is in range $\{0..2^{64}-1\}$ - These are constrained as Sinsemilla inputs for $NoteCommit$ - Note commitments - $cm^{old} = NoteCommit^{Orchard}_{rcm^{old}}(g_d^{old}, pk_d^{old}, v^{old}, \rho^{old}, \psi^{old})$ - $cm^{new} = NoteCommit^{Orchard}_{rcm^{new}}(g_d^{new}, pk_d^{new}, v^{new}, \rho^{new}, \psi^{new})$ - Committed data is $2 \times \ell_E + 64 + 2 \times \ell_F$ - TODO: Decide on point representation in commitment, and whether it is necessary to range-constrain coordinates. I think it is sufficient to constrain to $254$ bits. - $2 \times ceiling\left(\frac{2 \times 2 \times 255 + 64 + 2 \times 255}{m}\right)$ Sinsemilla $+ 2 \times FixedBaseMul_{full}$ other - $\approx 2 \times 145 = 290$ Sinsemilla ($m = 11$) $+ 2 \times 128 = 256$ other - $\approx 2 \times 160 = 320$ Sinsemilla ($m = 10$) $+ 2 \times 128 = 256$ other - Merkle tree - 32 layers of Sinsemilla (2 elements -> 1 element) - Either $v^{old} = 0$, or $(path, pos)$ is a valid Merkle path of depth 32 from $cm^{old}$ to $rt$. - $32 \times \left[1 + ceiling\left(\frac{2 \times \ell_F}{m}\right)\right]$ rows - $\approx 32 \times (1 + 47) = 1536$ Sinsemilla ($m = 11$) - $\approx 32 \times (1 + 51) = 1664$ Sinsemilla ($m = 10$) - Balance commitment (between the spend and output, signed 53/64-bit) - $cv^{net} = ValueCommit_{rcv^{net}}(v^{old} - v^{new})$ - $2 \times \left(FixedBaseMul_{i65} + FixedBaseMul_{full}\right)$ other - $\approx 2 \times (33 + 128) = 322$ other - Nullifier computation / integrity - $nf^{old} = [(Hash_{nk^{old}}(\rho^{old}) + \psi) \bmod p] \mathcal{K}^\mathsf{Orchard} + cm$ - $PoseidonHash_{1} + FixedBaseMul_{full} + 1$ other - $\approx 36 + 128 + 1 = 165$ other - Spend authority - $rk = SpendAuthSig.RandomizePublic(\alpha, ak) = [\alpha] \mathcal{G} + ak$ - $FixedBaseMul_{full} + 1$ other - $\approx 128 + 1 = 129$ other - Diversified address integrity - $ivk = Comm^{Orchardivk}_{rivk}(ak_x, nk)$ - Derive $ak$ such that its $x$-coordinate, and $nk$, and $ivk$, fit in $254$ bits. - Need to brute force this during key generation. - TODO: Decide whether we have a separate $nk$ - $ceiling\left(\frac{\ell_F + \ell_F}{m}\right)$ Sinsemilla $+ FixedBaseMul_{full}$ other - $\approx 47$ Sinsemilla ($m = 11$) $+ 128$ other - $\approx 51$ Sinsemilla ($m = 10$) $+ 128$ other - $pk_d^{old} = [ivk] g_d^{old}$ - $VariableBaseMul_{full}$ rows - $\approx 256$ rows - Arbitrary UDA support - Increase size of note commitment inputs by 255 bits each - $\approx 47$ Sinsemilla ($m = 11$) - $\approx 52$ Sinsemilla ($m = 10$) - Replace fixed-base mul with variable-base in balance commitment - $\approx 322$ other - Fudge factor for asset list handling - $\approx 50$ other Total, *not* taking into account parallelism; excludes "Ephemeral public key integrity": - $2035$ Sinsemilla ($m = 10$) $+ 1259$ other - $1018$ pairs of Sinsemilla + $630$ other - $1873$ Sinsemilla ($m = 11$) $+ 1259$ other - $1582$ Sinsemilla ($m = 12$) $+ 1259$ other - $1920$ Sinsemilla ($m = 11$) $+ 1631$ other with arbitrary UDAs We can do all of the Sinsemilla lookups ($1896$ rows for $m = 11$) in parallel with the rest of the circuit. This requires: - for Sinsemilla: - $2$ advice columns for the accumulator - $1$ advice column for the running scalar $z_i$ - $2$ advice columns for $P_i$ - $1$ advice column for the permuted input $A'$ to the lookup - $1$ advice column for the lookup product - $1$ advice column for the permuted table $S'$ - $3$ fixed columns for the table $S$ - $2$ advice columns for $\lambda_{1,i}$ and $\lambda_{2,i}$ - for another scalar mul (in parallel): - $2$ advice columns for the accumulator (copyable) - $1$ advice column for the running scalar (copyable) - $2$ advice columns for the base - $2$ advice columns for $\lambda_{1,i}$ and $\lambda_{2,i}$ - selector columns: - $1$ fixed column to select ECCLookup - $1$ fixed column to initialize / copy out the ECCLookup accumulator and scalar - $1$ fixed column to select scalar mul - $1$ fixed column for the Rescue round constant (Rescue could reuse other columns) - $2$ fixed columns for addition and multiplication selectors (possibly more) for a total of $17$ advice columns and at least $9$ fixed columns. Notes: - No small-order checks, since we are using a prime-order curve. - Validity of $pk_d^{new}$ is *not* checked in this circuit. - The order of the curve $r_E$ is just over $2^k$, so we represent scalars as $k$ bits, and do not need to check canonicity. - TODO: Decide whether to do that or use the full scalar range to get perfect (rather than statistical) hiding. ## Fixed bases * $\mathcal{K}^{\mathsf{Orchard}}$ * base for $\mathsf{NoteCommit^{Orchard}}$ * $\mathcal{V}$ and $\mathcal{R}$ bases for $\mathsf{ValueCommit^\mathsf{Orchard}}$ * $\mathcal{G}$ base for $\mathsf{SpendAuthSig}^\mathsf{Orchard}$ So that's $5$ bases, and we have just under $2^{10}$ table space available. So we can use $\mathsf{floor}(\log_2(1000/5)) = 7$-bit windows for fixed-base multiplication. ### Fixed-base windowing Suppose that we want to calculate $[x] G$ where $x = \sum\limits_{i=0}^m b_i \cdot 2^{ki}$, where $k$ is window width. This is equal to $\sum\limits_{i=0}^m \left([b_i] ([2^{ki}] G)\right)$.