Pedersen commitment (with elliptic curves)

You are here:
< All Topics

A Pedersen commitment is a point C on an elliptic curve that is cryptographically binding to a data message m, but completely hides the message. A Pedersen commitment hides the message in an even stronger way than encryption. The curve point is completely random and contains no information at all about m. The message m cannot be decrypted from C. The curve point C is generated in a unique way using m and a random 256-bit integer r, called the blinding factor. Therefore, given m and r, it is easy to verify that the Pedersen commitment C is the correctly generated output. The Pedersen commitment generated from m and r is cryptographically binding to the message m because finding alternative inputs m* and r* for which the Pedersen commitment generates the same point C requires an infeasible amount of computation. The world’s most powerful computer cannot break the binding property of Pedersen commitments.


pedersen_setup() → G, H


G and H are randomly generated “base points” on the Ristretto group of Curve25519.   These parameters are generated independently using a hash function (details omitted).


pedersen_commit ([uint64_t] m, [uint256_t] r) → C


  • r is a random 256-bit integer called the blinding factor


  • m is a 64-bit integer that encodes the hidden message, i.e. asset amount/asset type.


  • mG and rH are formed by using the elliptic curve scalar multiplication operation: mG = ec_scalar_multiply(m, G) and rH = ec_scalar_multiply(r, H).


  • C is a point on the elliptic curve formed by applying the elliptic curve addition operation to mG and rH: C = ec_add(mG, rH)


  • The final Pedersen commitment is the point C and is encoded into 32 bytes.


Opening a Pedersen commitment: The Pedersen commitment is opened by revealing both the message m and the blinding factor r. The verification of a Pedersen commitment given m, r, and C simply checks that pedersen_commit(m, r) outputs the same point C.


Homomorphic addition: Two Pedersen commitments C1 = m1G + r1H and C2 = m2G + r2H are added using elliptic curve point addition to form the point C3 = C1 + C2. The point C3 is a Pedersen commitment to the 64-bit integer message m3 = m1 + m2 (as long as m3 < 2^64). The new blinding factor is the integer r3 = r1 + r2 mod p.

Previous Elliptic curves
Next ElGamal encryption over elliptic curves
Table of Contents