Pedersen commitment

PreviousFiat-Shamir transformation (or Fiat-Shamir heuristic)NextCommon Vulnerabilities in ZK Code

Last updated 1 year ago

Pedersen commitment

A Pedersen commitment is a cryptographic primitive used to commit to a chosen value while keeping it hidden from others, but with the capability to reveal the chosen value later. Pedersen commitments are commonly used in cryptographic protocols to achieve both confidentiality (hiding information) and commitment (ensuring information isn't changed later).

The Pedersen commitment has the properties of being both hiding (it's computationally infeasible to determine the committed value) and binding (once you've committed, you can't change your mind without detection).

Here's how it works:

Setup: Two large prime numbers $p$ and $q$ are chosen such that $q$ divides $p−1$ . Then, a cyclic group $G$ of order $q$ is selected with generator $g$ . A random $h$ is also chosen from $G$ such that no one knows the discrete logarithm of $h$ with respect to $g$ , i.e., no one knows $a$ where $h=g^a$ .
Commitment: To commit to a value $s$ with randomness $r$ , the commitment $C$ is calculated as: $C=g^s⋅h^r$
Opening: To open the commitment (i.e., to reveal the committed value), the committer provides the value $s$ and the randomness $r$ . The verifier then checks the commitment using the given $s$ and $r$ against the previously provided commitment $C$ .

The hiding property ensures that, given $C$ , it's computationally hard to deduce $s$ or $r$ . The binding property ensures that, once $C$ has been provided, it's computationally infeasible to find any other $s^′$ or $r^′$ such that the commitment could have been created with $s^′$ and $r^′$ (i.e., you can't find two different sets of values that result in the same commitment).

Pedersen commitments are used in a variety of cryptographic protocols and systems, especially in the context of zero-knowledge proofs and privacy-preserving mechanisms.

PreviousFiat-Shamir transformation (or Fiat-Shamir heuristic)NextCommon Vulnerabilities in ZK Code

Last updated 1 year ago

Here's how it works:

Setup: Two large prime numbers $p$ and $q$ are chosen such that $q$ divides $p−1$ . Then, a cyclic group $G$ of order $q$ is selected with generator $g$ . A random $h$ is also chosen from $G$ such that no one knows the discrete logarithm of $h$ with respect to $g$ , i.e., no one knows $a$ where $h=g^a$ .
Commitment: To commit to a value $s$ with randomness $r$ , the commitment $C$ is calculated as: $C=g^s⋅h^r$
Opening: To open the commitment (i.e., to reveal the committed value), the committer provides the value $s$ and the randomness $r$ . The verifier then checks the commitment using the given $s$ and $r$ against the previously provided commitment $C$ .

Pedersen commitments are used in a variety of cryptographic protocols and systems, especially in the context of zero-knowledge proofs and privacy-preserving mechanisms.