Pedersen Commitments over Elliptic Curves (ECC Pedersen Commitments)
Support for generating Pedersen commitments over elliptic curves, and verifying revealed Pedersen commitments.
In addition, support for additive homomorphic operations with such Pedersen commitments should be provided.
Generation of a Pedersen commitment over a configured elliptic curve (i.e., an ECC Pedersen commitment) for a big integer in Z_q (where q is the order of the curve's sub-group generated by its published generator G), produces a commitment C that is an elliptic curve point.
For commitment to a secret message s, provided as a big integer in Z_q, an ECC Pedersen commitment is calculated as: C(s, r) := s * G + r * H,
where the output C := C(s, r) is an elliptic curve point, r is a random blinding factor in the range [1, q-1], G is the configured elliptic curve's published generator point, and H is an effectively independent generator point for which nobody knows the discrete logarithm (w.r.t. base point G) having order equal to that of G.
Note: Knowledge of the discrete logarithm of H w.r.t. base point G enables violation of the commitment scheme's binding property by the committer (i.e., they can lie about which value they committed to). (Similarly no party should know the discrete logarithm of G w.r.t. base point H.)
The (sealed) commitment C can be shared publicly with any desired verifier (or multiple verifiers), and the NUMS point H is a publicly pre-shared common parameter.
Note: The additional generator H is called a NUMS point (for Nothing-Up-My-Sleeve). This can be pre-generated and shared publicly, and may be reused across multiple commitments without any loss of security, as long as the associated discrete logarithm w.r.t. the curve's published generator G remains unknown to everybody.
Opening (Revealing) a Commitment:
The opening/revealing of an ECC Pedersen commitment involves simply sharing the committed to secret value s and the commitment's random blinding factor r with the verifier.
(Note: In interactive protocols using such commitments, if secrecy from any parties other than the verifier is necessary post-opening, then s and r should be sent to the verifier over a confidential channel.)
Verifying an Opened (Revealed) Commitment (to a Verifier):
A verifier of an opened/revealed ECC Pedersen commitment simply recalculates the commitment's point C', using the revealed committed secret s and blinding factor r, and compares this recalculated point C' to the original sealed commitment's point C for equality. (The commitment is valid if these elliptic curve points are equal.)
Additive Homomorphic Operations:
Pedersen commitments feature an additive homomorphic property, which enables the calculation of a valid commitment to the sum of two committed secret values given two corresponding sealed commitments, by adding the two commitments' points C_1 and C_2 in the case of ECC Pedersen commitments.
The additive homomorphic relation, expressed using the additive group operation of elliptic curves and scalar addition is as follows: C(s_1, r_1) + C(s_2, r_2) = C(s_1 + s_2 mod q, r_1 + r_2 mod q),
where C(msg, blind) constructs an ECC Pedersen commitment, where s_1 and s_2 are secret messages (scalars) being committed to, r_1 and r_2 are the associated random blinding factors (scalars), and q is the order of the elliptic curve sub-group generated by G (i.e., the published generator point).
Dependencies
This feature depends on the completion of GI-15: Generate Independent Elliptic Curve Generator Points with Unknown Discrete Logarithm, since ECC Pedersen commitments require the generation of an independent generator point H for which neither the committing nor verifying party (or parties) know the associated discrete logarithm (i.e., with respect to the configured elliptic curve's published generator).
Pedersen Commitments over Elliptic Curves (ECC Pedersen Commitments)
Support for generating Pedersen commitments over elliptic curves, and verifying revealed Pedersen commitments. In addition, support for additive homomorphic operations with such Pedersen commitments should be provided.
Generation of an ECC Pedersen Commitment:
Generation of a Pedersen commitment over a configured elliptic curve (i.e., an ECC Pedersen commitment) for a big integer in
Z_q(whereqis the order of the curve's sub-group generated by its published generatorG), produces a commitmentCthat is an elliptic curve point.For commitment to a secret message
s, provided as a big integer inZ_q, an ECC Pedersen commitment is calculated as:C(s, r) := s * G + r * H,C := C(s, r)is an elliptic curve point,ris a random blinding factor in the range[1, q-1],Gis the configured elliptic curve's published generator point, andHis an effectively independent generator point for which nobody knows the discrete logarithm (w.r.t. base pointG) having order equal to that ofG.Note: Knowledge of the discrete logarithm of
Hw.r.t. base pointGenables violation of the commitment scheme's binding property by the committer (i.e., they can lie about which value they committed to). (Similarly no party should know the discrete logarithm ofGw.r.t. base pointH.)The (sealed) commitment
Ccan be shared publicly with any desired verifier (or multiple verifiers), and the NUMS pointHis a publicly pre-shared common parameter.His called a NUMS point (for Nothing-Up-My-Sleeve). This can be pre-generated and shared publicly, and may be reused across multiple commitments without any loss of security, as long as the associated discrete logarithm w.r.t. the curve's published generatorGremains unknown to everybody.Opening (Revealing) a Commitment:
sand the commitment's random blinding factorrwith the verifier.sandrshould be sent to the verifier over a confidential channel.)Verifying an Opened (Revealed) Commitment (to a Verifier):
C', using the revealed committed secretsand blinding factorr, and compares this recalculated pointC'to the original sealed commitment's pointCfor equality. (The commitment is valid if these elliptic curve points are equal.)Additive Homomorphic Operations:
C_1andC_2in the case of ECC Pedersen commitments.C(s_1, r_1) + C(s_2, r_2) = C(s_1 + s_2 mod q, r_1 + r_2 mod q),C(msg, blind)constructs an ECC Pedersen commitment, wheres_1ands_2are secret messages (scalars) being committed to,r_1andr_2are the associated random blinding factors (scalars), andqis the order of the elliptic curve sub-group generated byG(i.e., the published generator point).Dependencies
Hfor which neither the committing nor verifying party (or parties) know the associated discrete logarithm (i.e., with respect to the configured elliptic curve's published generator).