Pedersen Commitments

Pedersen commitments [TPP91] let a committer bind to a value while keeping it hidden, and later open it for verification. The scheme has two core properties:

Perfect hiding: the commitment leaks no information about the message.
Computational binding: after committing, it is infeasible to open to a different message assuming the hardness of discrete logarithm in the chosen group.

Mathematical setting

Let $G$ be a cyclic group of prime order $p$ with two independent generators $g, h$ in $G$ . For binding, no party should know $lo g_{g} (h)$ . Messages and randomness are scalars in $Z_{p}$ .

To commit to $m \in Z_{p}$ with randomness $r \in Z_{p}$ , compute $C o m = g^{m} \cdot h^{r} \in G .$

The pair $(m, r)$ is an opening of $C o m$ . Verification checks $C o m = ? g^{m} \cdot h^{r} .$

Multi-message variant. For generators $g_{1}, ..., g_{n}$ and message vector $m = (m_{1}, ..., m_{n}) \in Z_{p}^{n}$ with randomness $r \in Z_{p}$ , define $C o m = g_{1}^{m_{1}} \cdot ... \cdot g_{n}^{m_{n}} \cdot h^{r} .$

Correctness is immediate from group laws.

Properties

Perfect hiding. For fixed $m$ , the distribution of $C o m$ is uniform in $G$ (because $h^{r}$ is uniform and independent of $m$ ). Hence $C o m$ reveals nothing about $m$ .
Computational binding. If an adversary finds two distinct openings $(m, r) \neq = (m^{'}, r^{'})$ for the same commitment: $g^{m} \cdot h^{r} = g^{m^{'}} \cdot h^{r^{'}}$ then $g^{m - m^{'}} = h^{r^{'} - r}$ . If $r \neq = r^{'}$ , this reveals $lo g_{g} (h) = (m - m^{'}) / (r^{'} - r) \in Z_{p}$ , contradicting the assumption that $lo g_{g} (h)$ is unknown. If $r = r^{'}$ , then $m = m^{'}$ follows immediately. Thus binding reduces to the discrete logarithm hardness in $G$ together with the unknown-log relationship between $g$ and $h$ .
Additive homomorphism. For commitments $C o m (m_{1}, r_{1})$ and $C o m (m_{2}, r_{2})$ , $C o m (m_{1}, r_{1}) \cdot C o m (m_{2}, r_{2}) = C o m (m_{1} + m_{2}, r_{1} + r_{2})$ . The multi-message variant is likewise additively homomorphic.

These algebraic properties make Pedersen commitments ideal for zero-knowledge proofs about sums, equalities, and linear relations among hidden values.

Applications

Sealed values: commit now, reveal later (e.g., bids, choices, randomness beacons).
Consistency checks: prove equality of hidden values across systems or that sums match.
Privacy-preserving protocols: a standard building block for NIZKs, voting, mix-nets, and confidential transactions.

Example


use dlog_sigma_primitives::pedersen::commitment::{ExtendedPedersen, Parameters};
use dlog_sigma_primitives::prelude::*;
use core_rng::OsRng;

fn main() {
let mut rng = OsRng;
// Choose a maximum supported message vector length and derive generators.
let list_len = 50;
let params = Parameters::<Curve>::new(list_len, &mut rng);

// Sample 40 messages (scalars) to commit.
let messages: Vec<<Curve as GroupScalar>::Scalar> =
  (0..40u64).map(|_| Curve::scalar_random(&mut rng)).collect();

// Variable-time, parallelized commitment (use const_commit for constant-time needs).
let (com, r) = ExtendedPedersen::var_commit(&params, &messages, &mut rng).unwrap().open();

// Verify with the provided opening (messages and randomness).
assert!(com
    .verify(&params, &messages, &r)
    .is_ok());
}

Notes:

Parameters should be sampled so that the generators have unknown discrete-log relation.
ExtendedPedersen retains the randomness r, which is useful when composing zero-knowledge proofs. The bare Pedersen type contains only the commitment element Com.
If constant-time behavior is required, prefer constant-time scalar multiplications (const_commit).

Keyboard shortcuts

pet-crypto-primitives-rs

Pedersen Commitments

Mathematical setting

Properties

Applications

Example