N * 32byte buffer such as
N >> M, where
Mis the number of the individual commitments. The rest of the slots is filled with random data deterministically generated from a single entropy source. The position
nfor a commitment with the identifier
idis computed as
n = id mod N, guaranteeing that no two commitments under the same protocol with a given
idmay be simultaneously present.
msgMunder protocols with corresponding unique ids
idMthe commitment procedure runs as follows:
N >> M, for instance
N = M * 2and allocate
32*Nbyte buffer (such that the maximum buffer length MUST not exceed 2^21, i. e 2 MB).
cIaccording to the per-message protocol,
n = idI mod N(if the protocol identifier is a hash, it should be converted into unsigned integer of appropriate dimensionality using little- endian notation),
nis not used, serialize a
cIhash into it using bitcoin-style hash serialization format; otherwise go to step 3 and generate a new
N' >> N.
seed_entropy || j, where both values are serialized as little-endian byte strings (the total length of resulting byte string for hashing should be 272 bits). The tagged hash procedure must run according to BIP-340  using UTF-8 representation of
LNPBP4:entropystring as the tag.
LNPBP4as the protocol-specific tag.
msgAunder this scheme and conceal the rest of the messages and protocols participating in the commitment has to publish the following data:
msgAand information about its protocol with id
msgMand information about their protocols with id
n = idA mod N, where
idAis the message-specific protocol id and
Nis the length of the commitment buffer in bytes divided on 32.
n's 32-byte slot of the commitment buffer; fail verification otherwise.
0x00) commitment buffer of the same length as the revealed commitment buffer, and re-running steps 4-6 from the commitment procedure . If the new buffer match per-byte the revealed commitment buffer, then the verification succeeded; otherwise it has failed.
1^8different protocols in average.