【安全技术】佩德森承诺

Pedersen commitments were originally described as part of Pedersen’s verifiable secret-sharing scheme in 1992. Section 3 of the Pedersen paper notes that the commitment scheme is “very similar” to a scheme proposed by Bos, Chaum, and Purdy in an unpublished set of notes proposing a voting system.

Pedersen commitments are simple. Committing to a value requires only two modular exponentiations and a multiplication. Because a random value is required for each commitment, commitments are non-deterministic. And, because Pedersen commitments rely heavily on group structure, they inherit a large number of useful properties that allow for useful operations and proofs for the committed values.

Pedersen’s original proposal described the commitment in terms of order-$q$

subgroups of ${\mathbb{Z}}_p^{\ast }$

, but we will describe it in more generic terms, as it is applicable to any group $G$

where the discrete logarithm problem is believed to be hard (such as elliptic curve groups).

Definition #

Start with a finite group $G$

of prime order $q$

, where $q$

is suitably large. For instance, we can use an order-$q$

subgroup the multiplicative group ${\mathbb{Z}}_p^{\ast }$

where $q$

divides $p$

, or an elliptic curve group or subgroup. Select two generators $g,h$

of $G$

such that ${\log }_g\left(h\right)$

is not known. The parameters of the commitment scheme are $(G,q,g,h)$

.

To generate a commitment $c\in G$

to a secret integer $s$

, where $0<s<q$

, randomly sample $t\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q$

and compute:

$$c=C_{g,h}(s,t)=g^s{h}^t$$

(When $g,h$

are clear from context, we can simply write $C(s,t)$

.)

To open the commitment, simply reveal $s$

and $t$

.

Intuition as to Why Pedersen Commitments are Binding #

Suppose Alice has sent Bob a commitment $c=C(s,t)$

to a value $s$

. She now wants to cheat by sending Bob an opening for $c$

that corresponds to $s^{\prime }\ne s$

. In other words, she wants to break the binding property of Pedersen commitments.

That means Alice has to find $t^{\prime }$

such that $g^{s^{\prime }}{h}^{t^{\prime }}=c$

. Since $g^{s^{\prime }}$

and $c$

are already fixed, Alice is left to solve $h^{t^{\prime }}=c{g}^{-s^{\prime }}$

. In other words, she needs to compute $t^{\prime }={\log }_h\left(c{g}^{-s^{\prime }}\right)$

. Since the discrete logarithm problem is supposed to be hard in $G$

, Alice will have a difficult time finding $t^{\prime }$

.

Before committing to a value, Alice can also look for distinct pairs $(s,t),(s^{\prime },t^{\prime })$

such that $C(s,t)=C(s^{\prime },t^{\prime })$

, without regard for the specific values of $s$

and $s^{\prime }$

. This is also equivalent to computing a discrete logarithm in $G$

. As the Pedersen paper points out: given $C(s,t)=C(s^{\prime },t^{\prime })$

, where $s^{\prime }\ne s$

, then $t^{\prime }\ne t$

, and it is possible to compute the discrete logarithm of $h$

with respect to $g$

:

$${\log }_g\left(h\right)=\frac{s-s^{\prime }}{t^{\prime }-t}(\mathrm{mod}q)$$

To summarize, breaking the binding property of Pedersen commitments is equivalent to solving the discrete log problem.

Intuition as to Why Pedersen Commitments are Hiding #

Suppose Alice has sent Bob a commitment $c=C(s,t)$

to a value $s$

. Bob wants to cheat by figuring out $s$

, or at least something about $s$

, from $c$

.

Remember that $t$

is sampled uniformly at random, and so every value of $t$

is equally likely to be chosen, which means every value of $h^t$

is equally likely. Since $h$

is a generator of $G$

, that means that $t$

“selects” every element of $G$

uniformly at random.

If Bob is able to gain any advantage in guessing the value of $s$

or $g^s$

from $c$

, then he necessarily gains an advantage in guessing $t$

or $h^t$

. However, $t$

is selected uniformly at random, so $h^t$

is a uniform random element of $G$

. You can’t gain information about a uniform random distribution.

The Additive Property #

Given two commitments, $c_1=C(s_1,t_2)=g^{s_1}{h}^{t_1}$

and $c_2=C(s_2,t_2)=g^{s_2}{h}^{t_2}$

, the product of $c_1$

and $c_2$

is $g^{s_1+s_2}{h}^{t_1+t_2}=C(s_1+s_2,t_1+t_2)$

. That is, the product of any two Pedersen commitments is a commitment to the sum of the committed values.

This also allows for scalar multiplication through exponentiation; $C{(x,y)}^n=C(nx,ny)$

.

This additive property can be incredibly useful. It allows for a variety of operations to be performed on committed values before revealing them. Systems like Bulletproofs, for instance, exploit this property of the Pedersen scheme to commit to entire vectors of values at once, aggregating the commitments into a single value.

Useful Algorithms and Properties of Pedersen Commitments #

Proof of Knowledge of Secret #

Given a commitment $A=C_{g,h}(x,y)=g^x{h}^y$

, Alice can demonstrate to Bob that she knows $x$

and $y$

without revealing either $x$

or $y$

. This is a useful protocol for protecting against the additive properties of Pedersen commitments being used maliciously. The protocol works as follows:

$$\begin{array}{ccc}\text{Alice}& & \text{Bob}\\ t_1,t_2\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q& & \\ T=g^{t_1}{h}^{t_2}& & \\ & \phantom{\stackrel{}{}}\underset{\phantom{}}{\overset{T}{\to }}& \\ & & k\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q\\ & \phantom{\stackrel{}{}}\underset{\phantom{}}{\overset{k}{\leftarrow }}& \\ s_1=x\cdot k+t_1,s_2=y\cdot k+t_2& & \\ & \phantom{\stackrel{}{}}\underset{\phantom{}}{\overset{s_1,s_2}{\to }}& \\ & & g^{s_1}{h}^{s_2}\stackrel{?}{=}{A}^{k}T\end{array}$$

This works because:

$$g^{s_1}{h}^{s_2}=g^{xk+t_1}{h}^{yk+t_2}=g^{xk}{h}^{yk}{g}^{t_1}{h}^{t_2}={\left(g^x{h}^y\right)}^{k}T=A^{k}T$$

This is secure because, in order to trick Bob, Alice needs to break the discrete log problem.

A straightforward application of the Fiat-Shamir transform can turn this into a non-interactive proof. If Alice selects $k=\mathsf{H}\mathsf{a}\mathsf{s}\mathsf{h}(g\Vert h\Vert A\Vert T)$

, where the output of $\mathsf{H}\mathsf{a}\mathsf{s}\mathsf{h}()$

has the same bit length as $q$

, she can proceed as though $k$

were selected uniformly at random. Bob can compute $k$

in the same way, and verify the rest of the proof from there.

An Easy Proof of Equal Commitments #

Given two commitments to a secret $s$

using the same set of generators, call them $c_1=C(s,t_1)$

and $c_2=C(s,t_2)$

, where $t_2\ne t_1$

, Alice can easily show that both $c_1$

and $c_2$

commit to the same value. The simplest way, given by Pedersen, is for Alice to reveal $r=t_1-t_2(\mathrm{mod}q)$

to Bob.

This works because Bob can check that

$$c_1{c}_2^{-1}=g^s{h}^{t_1}{g}^{-s}{h}^{-t_2}=g^{s-s}{h}^{t_1-t_2}=h^{t_1-t_2}=h^r$$

Proof of Equal Commitments with Different Binding Generators #

Suppose Alice has $c_1=C_{g_1,h}(s,t_1)$

and $c_2=C_{g_2,h}(s,t_2)$

, possibly with $g_1\ne g_2$

. Alice can prove to Bob that $c_1$

and $c_2$

commit to the same value.

Alice starts by selecting random integers $r_1,r_2,r_3\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q$

, then computing $c_3=C_{g_1,h}(r_1,r_2)=g_1^{r_1}{h}^{r_2}$

and $c_4=C_{g_2,h}(r_1,r_3)=g_2^{r_1}{h}^{r_3}$

. She sends $c_3,c_4$

to Bob.

Bob selects a random challenge value $k\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q$

and sends it to Alice.

Alice computes $z_1=ks+r_1$

, $z_2=k{t}_1+r_2$

, and $z_3=k{t}_2+r_3$

in ${\mathbb{Z}}_q$

and sends $z_1,z_2,z_3$

to Bob.

Bob then checks that $c_3{c}_1^k=C_{g_1,h}(z_1,z_2)$

and $c_4{c}_2^k=C_{g_2,h}(z_1,z_3)$

. If the condition holds, Bob accepts the proof as valid.

This works because:

$$c_3{c}_1^k=\left(g_1^{r_1}{h}^{r_2}\right){\left(g_1^s{h}^{t_1}\right)}^k=g_1^{r_1}{h}^{r_2}{g}_1^{ks}{h}^{k{t}_1}=g_1^{ks+r_1}{h}^{k{t}_1+r_2}=g_1^{z_1}{h}^{z_2}=C_{g_1,h}(z_1,z_2)$$

and

$$c_4{c}_2^k=\left(g_2^{r_1}{h}^{r_3}\right){\left(g_2^s{h}^{t_2}\right)}^k=g_2^{r_1}{h}^{r_3}{g}_2^{ks}{h}^{k{t}_2}=g_2^{ks+r_1}{h}^{k{t}_2+r_3}=g_2^{z_1}{h}^{z_3}=C_{g_2,h}(z_1,z_3)$$

In diagram form: #

$$\begin{array}{ccc}\text{Alice}& & \text{Bob}\\ r_1,r_2,r_3\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q& & \\ c_3=C_{g_1,h}(r_1,r_2),c_4=C_{g_2,h}(r_1,r_3)& & \\ & \phantom{\stackrel{}{}}\underset{\phantom{}}{\overset{c_3,c_4}{\to }}& \\ & & k\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q\\ & \phantom{\stackrel{}{}}\underset{\phantom{}}{\overset{k}{\leftarrow }}& \\ z_1=ks+r_1\\ z_2=k{t}_1+r_2\\ z_3=k{t}_2+r_3& & \\ & \phantom{\stackrel{}{}}\underset{\phantom{}}{\overset{z_1,z_2,z_3}{\to }}& \\ & & c_3{c}_1^k\stackrel{?}{=}C(z_1,z_2)\\ & & c_4{c}_2^k\stackrel{?}{=}C(z_1,z_3)\end{array}$$

Again, this can be made non-interactive through the use of a Fiat-Shamir transform. Alice can use $k=\mathsf{H}\mathsf{a}\mathsf{s}\mathsf{h}(g_1\Vert g_2\Vert h\Vert c_1\Vert c_2\Vert c_3\Vert c_4)$

, again selecting a hash so that $k$

and $q$

have the same bit length.

While this construction is more complicated, it has the benefit of allowing for commitments to be made when $g_1\ne g_2$

.

Proof of Squared Commitments #

We can use the equality of commitments proof above to commit to both a secret $s$

and its square.

Suppose Alice has a random $t_1$

and corresponding commitment $c_1=C_{g,h}(s,t_1)=g^s{h}^{t_1}$

. Alice can select a random $t_2$

and compute $c_2=C_{c_1,h}(s,t_2)={\left(c_1\right)}^s{h}^{t_2}$

Note that $c_2=C_{c_1,h}(s,t_2)={\left(c_1\right)}^s{h}^{t_2}={\left(g^s{h}^{t_1}\right)}^s{h}^{t_2}=g^{s^2}{h}^{s{t}_1+t_2}=C_{g,h}(s^2,s{t}_1+t_2)$

, so $c_2$

is a commitment to $s^2$

in base $g$

.

Once $c_1$

has been generated, Alice can easily generate $c_2$

, provide both values to Bob, and use the equality proof above to demonstrate that $c_2$

commits to the square of the value committed to by $c_1$

.

Security Considerations #

Generator Selection #

Suppose that Alice knows $l={\log }_g\left(h\right)$

and has a commitment $c=C(s,t)=g^s{h}^t$

.

Then Alice can rewrite the commitment as $c=g^s{h}^t$

as $c=g^s{\left(g^l\right)}^t=g^s{g}^{tl}=g^{s+tl}$

. Let $s^{\prime }=s+l$

and $t^{\prime }=t-1$

. She can the fraudulently “open” the commitment $c$

by sending $(s^{\prime },t^{\prime })$

. This will appear as a valid opening to Bob, since:

$$g^{s^{\prime }}{h}^{t^{\prime }}=g^{s+1}{\left(g^l\right)}^{t-1}=g^{s+l}{g}^{l(t-1)}=g^{s+l}{g}^{tl-l}=g^{s+tl}=g^{s+tl}=c$$

If the discrete logarithm of $h$

with respect to $g$

is known to Alice (or if an insecure group is chosen that makes computing the discrete log easy), the binding property is lost.

This is why it is important to ensure that generators $g$

and $h$

are selected independently. Ideally, $g$

and $h$

should be chosen independently from one another using a nothing-up-my-sleeve construction. For instance, $g$

and $h$

can be selected using an agreed-upon PRF and algorithm D.3.1 from the ANSI X9.62 standard (“Finding a Point on an Elliptic Curve”).

Random Number Generator Issues #

In selecting the hiding value $t\stackrel{\mathrm{\$}}{\leftarrow }{\mathbb{Z}}_q$

, it is important that $t$

be truly uniform.

Suppose there is an attack on the process used to generate $t$

, and we have a set of commitments $c_1,c_2,\dots ,c_n$

to secrets $s_1,s_2,\dots ,s_n$

, not necessarily distinct. An attacker can then attack each $h^{t_i}$

and recover the corresponding values for $g^{s_i}$

. From this, the attacker can quickly identify repeated commitments to the same value. In cases where commitments are suspected of having a simple linear relationship (e.g. $s_i=k\cdot s_j$

or $s_i=s_j+k$

for some known value of $k$

), these relationships can be recovered as well by examining $g^{s_i}{g}^k$

and ${\left(g^{s_i}\right)}^k$

.

References #

• [Pedersen91] Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing (1991).
• [ANSIX962] ANS X9.62-1998, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) (1998).