Pedersen Commitment

Abstract

The Pedersen Commitment is the technology which allows us to check the transfer amount is valid without revealing actual amount.

Details

This technology uses additivity of elliptic curve. Hiding the transfer amount as scalar of elliptic curve point and mixing random value refer as to blinding factor. Let's take a look the squence.

  1. Setup the parameters
  2. Hide the transfer amount
  3. Verify the transfer amount

Above sequence used for confidential transfer to keep the transfer amount secret.

Setup The Parameters

First of all, we'd like to setup the parameters we are going to use with the Pedersen Commitment. Selecting generator G over prime order elliptic curve group and randomness a less than order prime. Calculating H = aG and making H and G public. We can't predict the a value from H and G because of discrete logarithm.

VariableExplanationDerivation
pprime number-
arandom numbera ∈ Fp
C(x)elliptic curve function-
Ggenerator of elliptic curve pointG ∈ C(Fp)
Hgenerator made by random aH = aG

Hide The Transfer Amount

Let's assume that Alice has 10 balance and send Bob to 3. We need to check {Alice balance} - {transfer amount} = {Alice after balance} without revealing any information about Alice balance. Alice knows H, G and her balance so she computes following value.

  • Alice balance commitment $$ C(10) = 10H + x_1G $$
  • Transfer amount commitment $$ C(3) = 3H + x_2G $$
  • Alice after balance commitment $$ C(10 - 3) = 7H + x_3G $$

In above equation, x_1 ~ x_3 are called blinding factor and each blinding factor need to be set to hold {Alice balance} - {transfer amount} = {Alice after balance} equation. Let's say x_1 = 330, x_2 = 30 and x_3 = 300.

Verify The Transfer Amount

In previous section, Alice computes the following commitment.

$$ C(10, 330) = 10H + 330G $$ $$ C(3, 30) = 3H + 30G $$ $$ C(10 - 3, 300) = 7H + 300G $$

Let's check if Alice transfer amount is valid. The elliptic curve arithmetic supports additive so we can check {Alice balance} - {transfer amount} = {Alice after balance} as following.

$$ C(10, 330) - C(3, 30) - C(10 - 3, 300) = C(10 - 3 - 7, 330 - 30 - 300) = 0H + 0G = 0 $$

If above equation holds up, we can know the transfer amount is valid. Through this process, balance and transfer amount are encrypted by elliptic curve so no one can predict actual value from public information. This is how we conceal the transfer transaction and verify the validity.