From 1089f384fa4e4b94f310d7aa2292f8fe1e399b9e Mon Sep 17 00:00:00 2001
From: Vivek Arte <vivek@qed-it.com>
Date: Tue, 16 May 2023 16:42:55 +0530
Subject: [PATCH 1/4] making recommended changes to the circuit statement

---
 zip-0226.html | 4 ++--
 zip-0226.rst  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/zip-0226.html b/zip-0226.html
index b9426e8d9..10b634d7c 100644
--- a/zip-0226.html
+++ b/zip-0226.html
@@ -275,11 +275,11 @@
                     </ul>
                 </section>
                 <section id="asset-identifier-consistency-for-split-actions"><h4><span class="section-heading">Asset Identifier Consistency for Split Actions</span><span class="section-anchor"> <a rel="bookmark" href="#asset-identifier-consistency-for-split-actions"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
-                    <p>The following constraints must be added to prevent senders from changing the Asset Base for the output note in a Split Action:</p>
+                    <p>Senders must not be able to change the Asset Base for the output note in a Split Action. We do this via the following constraints:</p>
                     <ul>
                         <li>
                             <dl>
-                                <dt>The Value Commitment Integrity should be changed</dt>
+                                <dt>The Value Commitment Integrity should be changed:</dt>
                                 <dd>
                                     <ul>
                                         <li>Replace the input note value by a generic value,
diff --git a/zip-0226.rst b/zip-0226.rst
index ca18b7363..fe431704f 100644
--- a/zip-0226.rst
+++ b/zip-0226.rst
@@ -252,9 +252,9 @@ The following constraints must be added to ensure that the value commitment is c
 Asset Identifier Consistency for Split Actions
 ''''''''''''''''''''''''''''''''''''''''''''''
 
-The following constraints must be added to prevent senders from changing the Asset Base for the output note in a Split Action:
+Senders must not be able to change the Asset Base for the output note in a Split Action. We do this via the following constraints:
 
-- The Value Commitment Integrity should be changed
+- The Value Commitment Integrity should be changed:
     - Replace the input note value by a generic value, :math:`\mathsf{v}'`, as :math:`\mathsf{cv^{net}} = \mathsf{ValueCommit_rcv^{OrchardZSA}(v’ - v^new, \mathsf{AssetBase}^{\mathsf{Orchard}}_{\mathsf{AssetId}})}`
 - Add a boolean ``split_flag`` variable as an auxiliary witness. This variable is to be activated ``split_flag = 1`` if the Action in question has a Split Input and ``split_flag = 0`` if the Action is actually spending an input note:
     - If ``split_flag = 1`` then set :math:`\mathsf{v}' = 0` otherwise :math:`\mathsf{v}'=\mathsf{v^{old}}` from the auxiliary input.

From 20e4a1754e50add3e6a10ea85815f72dcb66535b Mon Sep 17 00:00:00 2001
From: Vivek Arte <vivek@qed-it.com>
Date: Sat, 20 May 2023 13:37:08 +0530
Subject: [PATCH 2/4] making explicit that the Orchard Asset Base should not be
 the identity

---
 zip-0226.html | 10 ++++++----
 zip-0226.rst  |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/zip-0226.html b/zip-0226.html
index 10b634d7c..e6acb8c33 100644
--- a/zip-0226.html
+++ b/zip-0226.html
@@ -122,7 +122,7 @@
                 <ul>
                     <li>
                         <span class="math">\(\mathsf{AssetBase}^{\mathsf{Orchard}} : \mathbb{P}*\)</span>
-                     is the unique element of the Pallas group <a id="footnote-reference-19" class="footnote_reference" href="#protocol-pallasandvesta">15</a> that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 <a id="footnote-reference-20" class="footnote_reference" href="#zip-0227">6</a>. The byte representation of the Asset Base is defined as
+                     is the unique element of the Pallas group <a id="footnote-reference-19" class="footnote_reference" href="#protocol-pallasandvesta">15</a> that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 <a id="footnote-reference-20" class="footnote_reference" href="#zip-0227">6</a>, a valid non-bottom group element that is not the identity. The byte representation of the Asset Base is defined as
                         <span class="math">\(\mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]} := \mathsf{repr}_{\mathbb{P}}(\mathsf{AssetBase}^{\mathsf{Orchard}})\)</span>
                     .</li>
                 </ul>
@@ -168,7 +168,7 @@
                      in that for Custom Assets, the Asset Base will be added as an input to the commitment computation. In the case where the Asset is the ZEC Asset, the commitment is computed identically to the Orchard note commitment, without making use of the ZEC Asset Base as an input. As we will see, the nested structure of the Sinsemilla-based commitment <a id="footnote-reference-29" class="footnote_reference" href="#protocol-concretesinsemillacommit">18</a> allows us to add the Asset Base as a final recursive step, and hence keep a single instance of the Sinsemilla hash function in the circuit for the note commitment verification.</p>
                     <p>The note commitment output is still indistinguishable from the original Orchard ZEC note commitments, by definition of the Sinsemilla hash function <a id="footnote-reference-30" class="footnote_reference" href="#protocol-concretesinsemillahash">17</a>. ZSA note commitments will therefore be added to the same Orchard Note Commitment Tree. In essence, we have:</p>
                     <div class="math">\(\mathsf{NoteCommit^{OrchardZSA}_{rcm}(repr_{\mathbb{P}}(g_d), repr_{\mathbb{P}}(pk_d), v, \rho, \psi, \mathsf{AssetBase}^{\mathsf{Orchard}})} \in \mathsf{NoteCommit^{Orchard}.Output}\)</div>
-                    <p>This definition can be viewed as a hypernym of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and ZSA notes.</p>
+                    <p>This definition can be viewed as a generalization of the Orchard note commitment, and will allow maintaining a single commitment instance for the note commitment, which will be used both for pre-ZSA Orchard and ZSA notes.</p>
                 </section>
             </section>
             <section id="value-commitment"><h3><span class="section-heading">Value Commitment</span><span class="section-anchor"> <a rel="bookmark" href="#value-commitment"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h3>
@@ -339,7 +339,9 @@
                                             <span class="math">\(\psi' = \psi^{old}\)</span>
                                         . (Otherwise
                                             <span class="math">\(\psi'\)</span>
-                                         should be sampled randomly.)</li>
+                                         should be sampled uniformly at random on
+                                            <span class="math">\(\mathbb{F}_{q_{\mathbb{P}}}\)</span>
+                                        .)</li>
                                     </ul>
                                 </dd>
                             </dl>
@@ -376,7 +378,7 @@
                 <ol type="1">
                     <li>We require that
                         <span class="math">\(\forall (\mathsf{AssetBase},\mathsf{v^{AssetBase}}) \in \mathsf{assetBurn}\ ,\ \mathsf{AssetBase} \neq \mathcal{V}^{\mathsf{Orchard}}\)</span>
-                    . That is, Native Assets are not allowed to be burnt.</li>
+                    . That is, ZEC or TAZ is not allowed to be burnt.</li>
                     <li>We require that for every
                         <span class="math">\(\forall (\mathsf{AssetBase},\mathsf{v^{AssetBase}}) \in \mathsf{assetBurn}\ ,\ \mathsf{v^{AssetBase}} \neq 0\)</span>
                     .</li>
diff --git a/zip-0226.rst b/zip-0226.rst
index fe431704f..763863162 100644
--- a/zip-0226.rst
+++ b/zip-0226.rst
@@ -102,7 +102,7 @@ Let :math:`\mathsf{Note^{OrchardZSA}}` be the type of a ZSA note, i.e.
 A ZSA note differs from an Orchard note [#protocol-notes]_ by additionally including the Asset Base, :math:`\mathsf{AssetBase}^{\mathsf{Orchard}}`. So a ZSA note is a tuple :math:`(\mathsf{g_d, pk_d, v, \rho, \psi, \mathsf{AssetBase}^{\mathsf{Orchard}}})`,
 where 
 
-- :math:`\mathsf{AssetBase}^{\mathsf{Orchard}} : \mathbb{P}*` is the unique element of the Pallas group [#protocol-pallasandvesta]_ that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 [#zip-0227]_. The byte representation of the Asset Base is defined as :math:`\mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]} := \mathsf{repr}_{\mathbb{P}}(\mathsf{AssetBase}^{\mathsf{Orchard}})`.
+- :math:`\mathsf{AssetBase}^{\mathsf{Orchard}} : \mathbb{P}*` is the unique element of the Pallas group [#protocol-pallasandvesta]_ that identifies each Asset in the Orchard protocol, defined as the Asset Base in ZIP 227 [#zip-0227]_, a valid non-bottom group element that is not the identity. The byte representation of the Asset Base is defined as :math:`\mathsf{asset\_base} : \mathbb{B}^{[\ell_{\mathbb{P}}]} := \mathsf{repr}_{\mathbb{P}}(\mathsf{AssetBase}^{\mathsf{Orchard}})`.
 
 Specifically, we define the note commitment scheme :math:`\mathsf{NoteCommit^{OrchardZSA}_{rcm}}` as follows:
 

From de46ec82d1625d88c7b301cf94329ab91a77285f Mon Sep 17 00:00:00 2001
From: Vivek Arte <vivek@qed-it.com>
Date: Tue, 23 May 2023 18:51:37 +0530
Subject: [PATCH 3/4] making recommended changes to the circuit statement
 section

---
 zip-0226.html | 2 +-
 zip-0226.rst  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/zip-0226.html b/zip-0226.html
index e6acb8c33..25e87dad8 100644
--- a/zip-0226.html
+++ b/zip-0226.html
@@ -264,7 +264,7 @@
                     </ul>
                 </section>
                 <section id="value-commitment-correctness"><h4><span class="section-heading">Value Commitment Correctness</span><span class="section-anchor"> <a rel="bookmark" href="#value-commitment-correctness"><img width="24" height="24" class="section-anchor" src="assets/images/section-anchor.png" alt=""></a></span></h4>
-                    <p>The following constraints must be added to ensure that the value commitment is computed using the witnessed Asset Base, as represented in the notes:</p>
+                    <p>The following constraints must be added to ensure that the value commitment is computed using the witnessed Asset Base:</p>
                     <ul>
                         <li>The fixed-base multiplication constraints between the value and the value base point of the value commitment,
                             <span class="math">\(\mathsf{cv}\)</span>
diff --git a/zip-0226.rst b/zip-0226.rst
index 763863162..b05ba4b3a 100644
--- a/zip-0226.rst
+++ b/zip-0226.rst
@@ -244,7 +244,7 @@ The following constraints must be added to ensure that the input and output note
 Value Commitment Correctness
 ''''''''''''''''''''''''''''
 
-The following constraints must be added to ensure that the value commitment is computed using the witnessed Asset Base, as represented in the notes:
+The following constraints must be added to ensure that the value commitment is computed using the witnessed Asset Base:
 
 - The fixed-base multiplication constraints between the value and the value base point of the value commitment, :math:`\mathsf{cv}`, is replaced with a variable-base multiplication between the two.
 - The witness to the value base point (as defined in the `asset base`_ equation) is the auxiliary input :math:`\mathsf{AssetBase}^{\mathsf{Orchard}}_{\mathsf{AssetId}}`.

From 0455d2b8f6409a75a0c2bdb1992246e73a6ac635 Mon Sep 17 00:00:00 2001
From: Vivek Arte <vivek@qed-it.com>
Date: Thu, 25 May 2023 11:09:54 +0530
Subject: [PATCH 4/4] updates to value commitment integrity based on PR#628
 comments

---
 zip-0226.html | 11 +++++++++--
 zip-0226.rst  |  5 +++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/zip-0226.html b/zip-0226.html
index 25e87dad8..812bfda14 100644
--- a/zip-0226.html
+++ b/zip-0226.html
@@ -296,11 +296,18 @@
                                 <dt>Add a boolean <code>split_flag</code> variable as an auxiliary witness. This variable is to be activated <code>split_flag = 1</code> if the Action in question has a Split Input and <code>split_flag = 0</code> if the Action is actually spending an input note:</dt>
                                 <dd>
                                     <ul>
-                                        <li>If <code>split_flag = 1</code> then set
+                                        <li>If
+                                            <span class="math">\(\texttt{split_flag} = 1\)</span>
+                                         then constrain
                                             <span class="math">\(\mathsf{v}' = 0\)</span>
-                                         otherwise
+                                         otherwise constrain
                                             <span class="math">\(\mathsf{v}'=\mathsf{v^{old}}\)</span>
                                          from the auxiliary input.</li>
+                                        <li>If
+                                            <span class="math">\(\texttt{split_flag} = 1\)</span>
+                                         then constrain
+                                            <span class="math">\(\mathsf{v^{old}} \neq 0\)</span>
+                                        .</li>
                                     </ul>
                                 </dd>
                             </dl>
diff --git a/zip-0226.rst b/zip-0226.rst
index b05ba4b3a..86f46cb2d 100644
--- a/zip-0226.rst
+++ b/zip-0226.rst
@@ -233,7 +233,7 @@ Circuit Statement
 Every *ZSA Action statement* is closely similar to the Orchard Action statement [#protocol-actionstatement]_, except for a few additions that ensure the security of the Asset Identifier system. We detail these changes below.
 
 Asset Base Equality
-'''''''''''''''''''''''''
+'''''''''''''''''''
 
 The following constraints must be added to ensure that the input and output note are of the same :math:`\mathsf{AssetBase}`:
 
@@ -257,7 +257,8 @@ Senders must not be able to change the Asset Base for the output note in a Split
 - The Value Commitment Integrity should be changed:
     - Replace the input note value by a generic value, :math:`\mathsf{v}'`, as :math:`\mathsf{cv^{net}} = \mathsf{ValueCommit_rcv^{OrchardZSA}(v’ - v^new, \mathsf{AssetBase}^{\mathsf{Orchard}}_{\mathsf{AssetId}})}`
 - Add a boolean ``split_flag`` variable as an auxiliary witness. This variable is to be activated ``split_flag = 1`` if the Action in question has a Split Input and ``split_flag = 0`` if the Action is actually spending an input note:
-    - If ``split_flag = 1`` then set :math:`\mathsf{v}' = 0` otherwise :math:`\mathsf{v}'=\mathsf{v^{old}}` from the auxiliary input.
+    - If :math:`\texttt{split_flag} = 1` then constrain :math:`\mathsf{v}' = 0` otherwise constrain :math:`\mathsf{v}'=\mathsf{v^{old}}` from the auxiliary input.
+    - If :math:`\texttt{split_flag} = 1` then constrain :math:`\mathsf{v^{old}} \neq 0`.
 - The Merkle Path Validity should check the existence of the note commitment as usual (and not like with dummy notes):
     - Check that (path, pos) is a valid Merkle path of depth :math:`\mathsf{MerkleDepth^Orchard}`, from :math:`\mathsf{cm^{old}}` to the anchor :math:`\mathsf{rt^{Orchard}}`.
 - The Nullifier Integrity will be changed to prevent the identification of notes