
Pedersen Commitment Implementation

Open bctax opened this issue 5 years ago • 3 comments

Hello, I'm still curious about how to get Pedersen commitments working, as they might provide homomorphic operations.

My understanding is that their implementation should be relatively simple: Given the base point G and another point H, a message m and a blinding r, we just have to compute Comm(m,r)=m*G+r*H

However, what is not quite intuitive to me is: How to choose G and H. Can we use for G the generator of the jubjub curve? How to choose H?

field Gu = 16540640123574156134436876038791482806971768689494387082833631921987005038935
field Gv = 20819045374670962167435360035096875258406992893633759881276124905556507972311

bctax avatar Jul 23 '19 09:07 bctax

G and H are generated by iterating over the x-coordinate and checking whether there is a valid y-coordinate.

kunxian-xia avatar Jul 23 '19 09:07 kunxian-xia

However, G and H are public parameters for the commitment scheme, right? Must both fulfill another criterion other than lying on the curve?

bctax avatar Jul 23 '19 10:07 bctax

Yes, G and H are setup parameters for the commitment scheme and public.

They must be on the curve and in the right subgroup. Furthermore, there must not be any link between G and H as this would introduce a trapdoor. You can use this function to sample new generator points: https://github.com/Zokrates/pycrypto/blob/master/zokrates_pycrypto/babyjubjub.py#L135

stefandeml avatar Aug 22 '19 21:08 stefandeml
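
The trapdoor mentioned in the last reply, as an added example (not code from ZoKrates or pycrypto): when H = k*G for a known k, a commitment Comm(m,r) = m*G + r*H has a second valid opening, even though H is still an ordinary point on the curve. The curve constants are the BabyJubJub parameters with G taken from the issue; the helper names, the scalar k and the messages used with it are constructed for illustration.

```python
# Added example, not ZoKrates code. G is the point quoted in the issue;
# helper names and any scalars passed in are constructed for illustration.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, D = 168700, 168696  # twisted Edwards: A*x^2 + y^2 = 1 + D*x^2*y^2 over F_P
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041
G = (16540640123574156134436876038791482806971768689494387082833631921987005038935,
     20819045374670962167435360035096875258406992893633759881276124905556507972311)
IDENTITY = (0, 1)

def on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):
    """Twisted Edwards point addition."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication for a non-negative integer k."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def in_subgroup(pt):
    """True if pt is on the curve, is not the identity, and has prime order L."""
    return on_curve(pt) and pt != IDENTITY and mul(L, pt) == IDENTITY

def commit(m, r, h):
    """Comm(m, r) = m*G + r*H for non-negative integers m and r."""
    return add(mul(m, G), mul(r, h))

def equivocate(m, r, k, t=1):
    """With the trapdoor k (H = k*G), return a second opening of Comm(m, r).

    m*G + r*k*G == (m + k*t)*G + (r - t)*k*G for any integer 0 <= t <= r.
    """
    return m + k * t, r - t
```

Curve and subgroup checks on H cannot reveal such a relation, which is why H has to come from a public derivation like the sampling function linked above, so that no one learns a scalar connecting it to G.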