Pedersen Commitment
Abstract
The Pedersen Commitment
is the technology which allows us to check the transfer amount is valid without revealing actual amount.
Details
This technology uses additivity of elliptic curve. Hiding the transfer amount as scalar of elliptic curve point and mixing random value refer as to blinding factor
. Let's take a look the squence.
- Setup the parameters
- Hide the transfer amount
- Verify the transfer amount
Above sequence used for confidential transfer to keep the transfer amount secret.
Setup The Parameters
First of all, we'd like to setup the parameters we are going to use with the Pedersen Commitment
. Selecting generator G
over prime order elliptic curve group and randomness a
less than order prime. Calculating H = aG
and making H
and G
public. We can't predict the a
value from H
and G
because of discrete logarithm.
Variable | Explanation | Derivation |
---|---|---|
p | prime number | - |
a | random number | a ∈ Fp |
C(x) | elliptic curve function | - |
G | generator of elliptic curve point | G ∈ C(Fp) |
H | generator made by random a | H = aG |
Hide The Transfer Amount
Let's assume that Alice has 10
balance and send Bob to 3
. We need to check {Alice balance} - {transfer amount} = {Alice after balance}
without revealing any information about Alice balance. Alice knows H
, G
and her balance so she computes following value.
- Alice balance commitment $$ C(10) = 10H + x_1G $$
- Transfer amount commitment $$ C(3) = 3H + x_2G $$
- Alice after balance commitment $$ C(10 - 3) = 7H + x_3G $$
In above equation, x_1 ~ x_3
are called blinding factor
and each blinding factor need to be set to hold {Alice balance} - {transfer amount} = {Alice after balance}
equation. Let's say x_1 = 330
, x_2 = 30
and x_3 = 300
.
Verify The Transfer Amount
In previous section, Alice computes the following commitment.
$$ C(10, 330) = 10H + 330G $$ $$ C(3, 30) = 3H + 30G $$ $$ C(10 - 3, 300) = 7H + 300G $$
Let's check if Alice transfer amount is valid. The elliptic curve arithmetic supports additive so we can check {Alice balance} - {transfer amount} = {Alice after balance}
as following.
$$ C(10, 330) - C(3, 30) - C(10 - 3, 300) = C(10 - 3 - 7, 330 - 30 - 300) = 0H + 0G = 0 $$
If above equation holds up, we can know the transfer amount is valid. Through this process, balance
and transfer amount
are encrypted by elliptic curve so no one can predict actual value from public information. This is how we conceal the transfer transaction and verify the validity.