Pedersen Commitments over Elliptic Curves (ECC Pedersen Commitments)
Support for generating Pedersen commitments over elliptic curves, and verifying revealed Pedersen commitments.
In addition, support for additive homomorphic operations with such Pedersen commitments should be provided.
Generation of an ECC Pedersen Commitment:
Generation of a Pedersen commitment over a configured elliptic curve (i.e., an ECC Pedersen commitment) for a big integer in Z_q (where q is the order of the curve's sub-group generated by its published generator G), produces a commitment C that is an elliptic curve point.
For commitment to a secret message s, provided as a big integer in Z_q, an ECC Pedersen commitment is calculated as:
    C(s, r) := s * G + r * H,
where the output C := C(s, r) is an elliptic curve point, r is a random blinding factor in the range [1, q-1], G is the configured elliptic curve's published generator point, and H is an effectively independent generator point for which nobody knows the discrete logarithm (w.r.t. base point G) having order equal to that of G.
Note: Knowledge of the discrete logarithm of H w.r.t. base point G enables violation of the commitment scheme's binding property by the committer (i.e., they can lie about which value they committed to). (Similarly no party should know the discrete logarithm of G w.r.t. base point H.)
The (sealed) commitment C can be shared publicly with any desired verifier (or multiple verifiers), and the NUMS point H is a publicly pre-shared common parameter.
Note: The additional generator H is called a NUMS point (for Nothing-Up-My-Sleeve). This can be pre-generated and shared publicly, and may be reused across multiple commitments without any loss of security, as long as the associated discrete logarithm w.r.t. the curve's published generator G remains unknown to everybody.
Opening (Revealing) a Commitment:
Opening (revealing) an ECC Pedersen commitment involves simply sharing the committed-to secret value s and the commitment's random blinding factor r with the verifier.
(Note: In interactive protocols using such commitments, if secrecy from any parties other than the verifier is necessary post-opening, then s and r should be sent to the verifier over a confidential channel.)
Verifying an Opened (Revealed) Commitment (to a Verifier):
A verifier of an opened/revealed ECC Pedersen commitment simply recalculates the commitment's point C', using the revealed committed secret s and blinding factor r, and compares this recalculated point C' to the original sealed commitment's point C for equality. (The commitment is valid if these elliptic curve points are equal.)
Additive Homomorphic Operations:
Pedersen commitments feature an additive homomorphic property, which enables the calculation of a valid commitment to the sum of two committed secret values given two corresponding sealed commitments, by adding the two commitments' points C_1 and C_2 in the case of ECC Pedersen commitments.
The additive homomorphic relation, expressed using the additive group operation of elliptic curves and scalar addition, is as follows:
    C(s_1, r_1) + C(s_2, r_2) = C(s_1 + s_2 mod q, r_1 + r_2 mod q),
where C(msg, blind) constructs an ECC Pedersen commitment, s_1 and s_2 are the secret messages (scalars) being committed to, r_1 and r_2 are the associated random blinding factors (scalars), and q is the order of the elliptic curve sub-group generated by G (i.e., the published generator point).
Dependencies
This feature depends on the completion of GI-15: Generate Independent Elliptic Curve Generator Points with Unknown Discrete Logarithm, since ECC Pedersen commitments require the generation of an independent generator point H for which neither the committing nor verifying party (or parties) know the associated discrete logarithm (i.e., with respect to the configured elliptic curve's published generator).