# Pedersen commitment (with elliptic curves)

A Pedersen commitment is a point *C* on an elliptic curve that is *cryptographically binding* to a data message *m*, but completely hides the message. A Pedersen commitment hides the message in an even stronger way than encryption. The curve point is completely random and contains no information at all about *m*. The message *m *cannot be decrypted from *C*. The curve point *C* is generated in a unique way using *m* and a random 256-bit integer *r*, called the *blinding factor*. Therefore, given *m *and *r*, it is easy to verify that the Pedersen commitment *C* is the correctly generated output. The Pedersen commitment generated from *m *and *r *is cryptographically binding to the message *m* because finding alternative inputs *m* *and *r* *for which the Pedersen commitment generates the same point *C* requires an infeasible amount of computation. The world’s most powerful computer cannot break the binding property of Pedersen commitments.

*pedersen_setup*() → *G*, *H*

*G* and *H* are randomly generated “base points” on the Ristretto group of Curve25519. These parameters are generated independently using a hash function (details omitted).

*pedersen_commit *([uint64_t] *m*, [uint256_t] *r*) → *C*

*r*is a random 256-bit integer called the blinding factor

*m*is a 64-bit integer that encodes the hidden message, i.e. asset amount/asset type.

*mG*and*rH*are formed by using the elliptic curve scalar multiplication operation:*mG = ec_scalar_multiply*(*m, G*) and*rH = ec_scalar_multiply*(*r, H*).

*C*is a point on the elliptic curve formed by applying the elliptic curve addition operation to*mG*and*rH: C = ec_add*(*mG, rH*)

- The final Pedersen commitment is the point
*C*and is encoded into 32 bytes.

*Opening a Pedersen commitment*: The Pedersen commitment is opened by revealing both the message *m *and the blinding factor *r*. The verification of a Pedersen commitment given *m, r*, and *C* simply checks that *pedersen_commit*(*m*, *r*) outputs the same point *C*.

*Homomorphic addition:* Two Pedersen commitments *C**1** = m**1**G + r**1**H* and *C**2** = m**2**G + r**2**H *are added using elliptic curve point addition to form the point *C**3** = C**1** + C**2*. The point *C**3* is a Pedersen commitment to the 64-bit integer message *m**3** = m**1** + m*2 (as long as *m**3* < 2^64). The new blinding factor is the integer* r**3** = r**1** + r**2* *mod* *p*.