Pedersen Commitment¶
Overview¶
The Pedersen Commitment is a cryptographic commitment scheme proposed by Torben Pryds Pedersen in 1992. It is primarily used in conjunction with elliptic curve cryptography and features strong binding based on the discrete logarithm problem and additive homomorphic properties.
The Pedersen Commitment is a homomorphic commitment protocol that satisfies perfect hiding and computational binding. Its perfect hiding property does not depend on any hardness assumption, while computational binding relies on the discrete logarithm assumption.
Core Formula¶
Basic Formula: C = rG + vH
Where: - C is the generated commitment value - G, H are generator points on a specific elliptic curve - r represents the blinding factor - v represents the original information (the value being committed)
Main Properties¶
Perfect Hiding: Given a commitment C, it is computationally impossible to infer the original value v. Perfect hiding does not depend on any hardness assumption.
Computational Binding: Once a commitment is created, the prover cannot computationally find another value v' that produces the same commitment value. Computational binding relies on the discrete logarithm assumption.
Additive Homomorphism: The sum of two Pedersen commitments equals the Pedersen commitment of the sum of the plaintexts. That is, C1 + C2 = (r1+r2)G + (v1+v2)H. This is one of the most important properties of the Pedersen Commitment.
Zero-Knowledge Proof Applications¶
Pedersen Commitments come in two common forms: 1. Non-zero-knowledge Pedersen Commitment: Does not provide zero-knowledge property 2. Zero-knowledge Pedersen Commitment: Combined with zero-knowledge proof technology
With Bulletproofs: Pedersen Commitments have important applications in zero-knowledge proofs (such as Bulletproofs), enabling proof of transaction validity without revealing transaction amounts.
Privacy Protection Applications¶
Privacy Coins: In blockchain technology, Pedersen Commitments are commonly used to implement transaction privacy protection. For example, in privacy coins like Monero and Grin, Pedersen Commitments are used to hide transaction amounts, protecting user privacy.
Confidential Transactions: Current implementations of confidential transactions in cryptocurrencies mainly include zk-SNARKs, zk-STARKs, and Bulletproofs, all of which leverage the properties of Pedersen Commitments.
Range Proofs: Combined with Bulletproofs, it can prove that a committed value falls within a certain range (such as transaction amount greater than 0) without revealing the specific value.
Comparison with Other Commitment Schemes¶
| Feature | Pedersen Commitment | Hash Commitment |
|---|---|---|
| Hiding | Perfect hiding | Computational hiding |
| Binding | Computational binding | Perfect binding |
| Homomorphism | Supported (additive) | Not supported |
| Efficiency | Requires elliptic curve operations | Only requires hash operations |
Recommended Reading¶
Related Concepts¶
- Elliptic Curve Cryptography
- Discrete Logarithm Problem
- Homomorphic Encryption
- Bulletproofs
- Monero
- Range Proofs