Pedersen commitments

A Pedersen commitment is a commitment scheme (see what a commitment scheme is if you haven’t read that yet) built directly out of group arithmetic instead of a hash function. That choice buys two things a hash commitment can’t give you: perfect hiding, and a homomorphic property that lets you add committed values without opening them.

It’s named for Torben P. Pedersen, who introduced the construction in “Non- Interactive and Information-Theoretic Secure Verifiable Secret Sharing,” presented at CRYPTO ‘91 (Santa Barbara, August 11–15, 1991), published in Lecture Notes in Computer Science vol. 576, pp. 129–140 (Springer). In that paper the commitment wasn’t the end goal — it was one piece of a verifiable secret-sharing protocol, where a dealer splits a secret into shares such that each participant can check their own share is consistent without talking to anyone else, and any k of n participants can later reconstruct the secret while fewer than k learn nothing about it at all, in the strict Shannon-information sense. The commitment construction inside that protocol turned out to be useful on its own, and today it’s usually studied and deployed independently of the secret-sharing context it was born in — see History for how it sits in the broader zero- knowledge timeline, before and after 1991.

The construction

You need a group in which the discrete logarithm problem is believed to be hard: given two elements gg and hh of the group, finding the exponent xx such that h=gxh = g^x should be computationally infeasible. Two versions of this are in common use.

Classic version (multiplicative group mod p, as in the 1991 paper)

To commit to a message mZqm \in \mathbb{Z}_q:

Commit(m,r)=gmhrmodp,r$Zq\text{Commit}(m, r) = g^m \, h^r \bmod p, \qquad r \xleftarrow{\$} \mathbb{Z}_q

To open, reveal (m,r)(m, r); the verifier recomputes gmhrmodpg^m h^r \bmod p and checks it matches the commitment CC. The live demo on the homepage runs exactly this formula, over a 2048-bit safe-prime group.

Modern version (elliptic curve)

The same idea, written additively in an elliptic-curve group instead of a multiplicative group mod pp — this is the form you’ll see in most current cryptographic protocols and libraries:

Commit(m,r)=mG+rH\text{Commit}(m, r) = m G + r H

where GG is the curve’s standard base point, and HH is a second point with no known discrete log relative to GG — again produced via a public hash-to-curve procedure rather than picked out of a hat.

Why hiding is information-theoretic

This is the property that makes Pedersen commitments strictly stronger than a hash commitment, and the argument is short: rr is drawn uniformly at random from Zq\mathbb{Z}_q, and hh generates the entire order-qq subgroup. That means hrh^r is itself uniformly distributed over that whole subgroup — every element is equally likely. Multiplying by any fixed gmg^m is just a relabeling (a bijection on the subgroup), so C=gmhrC = g^m h^r is exactly uniformly distributed over the subgroup, for every possible value of mm.

Two different messages mm and mm' therefore produce commitments with identical probability distributions. No amount of computing power lets an observer distinguish which message produced a given CC, because CC genuinely carries zero information about mm — not “effectively zero,” but zero in the same sense a one-time pad carries zero information about its plaintext. That’s what “information-theoretic” (or “unconditional,” or “perfect”) hiding means: the guarantee holds against an attacker with unbounded computation, not just a computationally limited one.

Why binding is only computational

Binding is the flip side, and it can’t also be unconditional — see the trade-off discussed on the commitment scheme page. Here’s exactly what breaking it would require.

Suppose someone finds two different openings of the same commitment: (m,r)(m, r) and (m,r)(m', r') with mmm \ne m', both satisfying gmhrgmhr(modp)g^m h^r \equiv g^{m'} h^{r'} \pmod p. Rearranging:

gmmhrr(modp)g^{m - m'} \equiv h^{r' - r} \pmod p

If r=rr' = r, this forces gmm1g^{m-m'} \equiv 1, which (since gg has order qq) means mm(modq)m \equiv m' \pmod q — contradicting mmm \ne m'. So rrr' \ne r, which means rrr' - r is invertible mod qq, and we can solve directly for the discrete log of hh base gg:

x=loggh=(mm)(rr)1modqx = \log_g h = (m - m') \cdot (r' - r)^{-1} \bmod q

In other words: anyone who can break binding has just computed loggh\log_g h. Binding is therefore exactly as hard as the discrete logarithm problem in this group. Since gg and hh were generated with no known relation between them (see above), this reduces to a problem believed to be hard — but that belief is a computational assumption, not a mathematical certainty. If discrete log in this group ever becomes tractable (a sufficiently large quantum computer, say), binding breaks. Hiding wouldn’t be affected at all.

Try the binding sandbox to find such a collision by hand, on a toy-sized group small enough to brute-force — it makes concrete why this isn’t just “hard” in some vague sense.

The homomorphic property

Multiply two commitments together and you get a valid commitment to the sum of the underlying messages, with the randomness also summed:

Commit(m1,r1)Commit(m2,r2)=gm1hr1gm2hr2=gm1+m2hr1+r2=Commit(m1+m2,  r1+r2)\text{Commit}(m_1, r_1) \cdot \text{Commit}(m_2, r_2) = g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1 + m_2} h^{r_1 + r_2} = \text{Commit}(m_1 + m_2,\; r_1 + r_2)

Nobody needs to open either commitment for this to work — it’s pure group arithmetic. This is the property confidential transactions and range proofs are built on: a system can verify that committed inputs sum to committed outputs — proving no value was created or destroyed — without ever learning what any individual amount was.


Sources: T. P. Pedersen, “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing,” CRYPTO ‘91, LNCS vol. 576, pp. 129–140, Springer, 1991.