I think Pedersen commitments are a gentle starting point for teaching cryptography to anyone!
A **commitment** is a sealed envelope with a message m in it such that:
1. no one can tell what m is in it (hiding)
2. no one can open it to a different m (binding)
Pedersen below π
Commitments are very useful: e.g., randomness beacons.
- Each player commits to a random message m_i
- All players exchange their commitments C_i
- All players open their commitments or they're penalized
Final random value = sum of all opened m_i's
(Problematic design, I know)
My point? Pedersen commitments have many applications.
They are also v. simple:
You need:
1. a prime-order group (e.g., elliptic curve)
2. two elements G, H in this group s.t. nobody knows the relation between them
i.e., the discrete logarithm \tau of H w.r.t. G π
First, it is very easy to explain why the envelope is "binding": i.e., attacker cannot open it in two different ways.
=> it would allow the attacker to compute \tau, which is supposed to be very hard in (say) elliptic curves π
Note that binding holds only under a *computational* assumption.
i.e., it is in fact *possible* to open the envelope to two different messages
it's just *hard* to: such an algorithm would immediately give an algorithm that solves discrete logarithms faster than currently known.
Second, it is very easy to explain why the envelope is "hiding": i.e., no one can tell what m is inside.
=> because, really, Pedersen commitments are just polynomial commitments:
committing to m using randomness r <=> committing to f(X) = m + Xr as C = f(tau) G π
Crucially, C hides f(X), and therefore hides (m, r), because there are a bazillion other polynomials f'(X) = m' + X r' with m' != m such that f'(tau) = f(tau).
So, it could be that:
- C commits to m as C = f(tau) G
- C commits to m' also as C = f'(tau) G = f(tau) G
Can't tell!
(FYI: "Bazillion" is a technical term for p, where p is the order of the group.)
You can also guess what my next point was going to be...
Pedersen commitments are a gateway drug into KZG commitments! ()
But that's for another time!
6.51K
60
The content on this page is provided by third parties. Unless otherwise stated, OKX is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.