Pedersen commitments
A Pedersen commitment is a commitment scheme (see what a commitment scheme is if you haven’t read that yet) built directly out of group arithmetic instead of a hash function. That choice buys two things a hash commitment can’t give you: perfect hiding, and a homomorphic property that lets you add committed values without opening them.
It’s named for Torben P. Pedersen, who introduced the construction in “Non- Interactive and Information-Theoretic Secure Verifiable Secret Sharing,” presented at CRYPTO ‘91 (Santa Barbara, August 11–15, 1991), published in Lecture Notes in Computer Science vol. 576, pp. 129–140 (Springer). In that paper the commitment wasn’t the end goal — it was one piece of a verifiable secret-sharing protocol, where a dealer splits a secret into shares such that each participant can check their own share is consistent without talking to anyone else, and any k of n participants can later reconstruct the secret while fewer than k learn nothing about it at all, in the strict Shannon-information sense. The commitment construction inside that protocol turned out to be useful on its own, and today it’s usually studied and deployed independently of the secret-sharing context it was born in — see History for how it sits in the broader zero- knowledge timeline, before and after 1991.
The construction
You need a group in which the discrete logarithm problem is believed to be hard: given two elements and of the group, finding the exponent such that should be computationally infeasible. Two versions of this are in common use.
Classic version (multiplicative group mod p, as in the 1991 paper)
- is a large prime, a large prime dividing .
- and are generators of the subgroup of order inside .
- Critically, nobody knows — the exponent with . Both parties can trust this if and were generated by a public, nothing-up-my- sleeve procedure (for example, hashing a fixed string into the group) rather than chosen by anyone who might have picked for a known .
To commit to a message :
To open, reveal ; the verifier recomputes and checks it matches the commitment . The live demo on the homepage runs exactly this formula, over a 2048-bit safe-prime group.
Modern version (elliptic curve)
The same idea, written additively in an elliptic-curve group instead of a multiplicative group mod — this is the form you’ll see in most current cryptographic protocols and libraries:
where is the curve’s standard base point, and is a second point with no known discrete log relative to — again produced via a public hash-to-curve procedure rather than picked out of a hat.
Why hiding is information-theoretic
This is the property that makes Pedersen commitments strictly stronger than a hash commitment, and the argument is short: is drawn uniformly at random from , and generates the entire order- subgroup. That means is itself uniformly distributed over that whole subgroup — every element is equally likely. Multiplying by any fixed is just a relabeling (a bijection on the subgroup), so is exactly uniformly distributed over the subgroup, for every possible value of .
Two different messages and therefore produce commitments with identical probability distributions. No amount of computing power lets an observer distinguish which message produced a given , because genuinely carries zero information about — not “effectively zero,” but zero in the same sense a one-time pad carries zero information about its plaintext. That’s what “information-theoretic” (or “unconditional,” or “perfect”) hiding means: the guarantee holds against an attacker with unbounded computation, not just a computationally limited one.
Why binding is only computational
Binding is the flip side, and it can’t also be unconditional — see the trade-off discussed on the commitment scheme page. Here’s exactly what breaking it would require.
Suppose someone finds two different openings of the same commitment: and with , both satisfying . Rearranging:
If , this forces , which (since has order ) means — contradicting . So , which means is invertible mod , and we can solve directly for the discrete log of base :
In other words: anyone who can break binding has just computed . Binding is therefore exactly as hard as the discrete logarithm problem in this group. Since and were generated with no known relation between them (see above), this reduces to a problem believed to be hard — but that belief is a computational assumption, not a mathematical certainty. If discrete log in this group ever becomes tractable (a sufficiently large quantum computer, say), binding breaks. Hiding wouldn’t be affected at all.
Try the binding sandbox to find such a collision by hand, on a toy-sized group small enough to brute-force — it makes concrete why this isn’t just “hard” in some vague sense.
The homomorphic property
Multiply two commitments together and you get a valid commitment to the sum of the underlying messages, with the randomness also summed:
Nobody needs to open either commitment for this to work — it’s pure group arithmetic. This is the property confidential transactions and range proofs are built on: a system can verify that committed inputs sum to committed outputs — proving no value was created or destroyed — without ever learning what any individual amount was.
Sources: T. P. Pedersen, “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing,” CRYPTO ‘91, LNCS vol. 576, pp. 129–140, Springer, 1991.