Vector Pedersen Commitments over Elliptic Curves (Vector ECC Pedersen Commitments)
Support for generating (sealed) vector Pedersen commitments over elliptic curves, and verifying revealed vector Pedersen commitments.
Generation of a Vector ECC Pedersen Commitment:
A vector ECC Pedersen commitment is defined as a commitment to the vector v := (v_1, v_2, ..., v_m) of m scalars with blinding factor r as follows:
C(v_1, v_2, ..., v_m, r) := r * H + v_1 * G_1 + v_2 * G_2 + ... + v_m * G_m,
where the output of C(...) is an elliptic curve point (the commitment C), and m+1 effectively independent elliptic curve generators H, G_1, G_2, ..., G_m are used, wherein nobody knows the discrete logarithm of any generator G_i or H w.r.t. base point G (i.e., the elliptic curve's published generator), nor of any generator G_i w.r.t. base point H.
Note: Knowledge of the discrete logarithms of the m generators G_i w.r.t. the generator H enables violation of the commitment scheme's binding property (i.e., if known to the committer, they enable the committer to lie about which vector v they committed to).
The (sealed) commitment C can be shared publicly with any desired verifier (or multiple verifiers), and the NUMS points H and G_i (for i in [1, m]) are publicly pre-shared common parameters.
Note: These m+1 independent generators are called NUMS points (for Nothing-Up-My-Sleeve). They can be pre-generated and shared publicly, and may be reused across multiple commitments without any loss of security, as long as the associated discrete logarithms remain unknown to everybody.
Opening (Revealing) a Commitment:
The opening/revealing of a sealed vector ECC Pedersen commitment involves simply sharing the committed-to secret vector v and the commitment's random blinding factor r with the verifier.
(Note: In interactive protocols using such commitments, if secrecy from any parties other than the verifier is necessary post-opening, then v and r should be sent to the verifier over a confidential channel.)
Verifying an Opened (Revealed) Commitment:
A verifier of an opened/revealed vector ECC Pedersen commitment simply recalculates the commitment's point C', using the revealed committed vector v and blinding factor r, and compares this recalculated point C' to the original sealed commitment's point C for equality. (The commitment is valid if these elliptic curve points are equal.)
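
The generate / open / verify flow described above, as an added example in pure Python (this is not the library's own code). The choice of secp256k1, the try-and-increment derivation of the NUMS points from public labels, and the names `nums_point`, `commit` and `verify` are assumptions made for illustration; the scalar multiplication is not constant time.

```python
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime, curve y^2 = x^3 + 7 (curve choice is an assumption)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime group order

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (illustration only, not constant time)."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def nums_point(label):
    """Hash a public label to a curve point, so that nobody chose its discrete log."""
    for ctr in range(2**32):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big")
        y = pow(x**3 + 7, (P + 1) // 4, P)  # square-root candidate (P % 4 == 3)
        if x < P and y * y % P == (x**3 + 7) % P:
            return (x, y)

def commit(v, H, Gs, r=None):
    """Return (C, r) with C = r*H + v_1*G_1 + ... + v_m*G_m; r is drawn fresh unless supplied."""
    if len(v) != len(Gs):
        raise ValueError("need exactly one generator G_i per element of v")
    r = secrets.randbelow(N) if r is None else r
    C = mul(r, H)
    for v_i, G_i in zip(v, Gs):
        C = add(C, mul(v_i, G_i))
    return C, r

def verify(C, v, r, H, Gs):
    """Recompute C' from the opened (v, r) and accept only if C' == C."""
    return len(v) == len(Gs) and commit(v, H, Gs, r)[0] == C
```

The committer calls `commit(v, H, Gs)`, publishes C and keeps r secret until opening; the verifier later calls `verify(C, v, r, H, Gs)` with the same pre-shared H and G_i.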