# Pedersen and Pederson vector commitments ## Pedersen commitment Pedersen commitment is a technique widely used in zero knowledge proofs and multiparty computation protocols. Preliminary knowledge of finite fields, cryptogtaphic groups required to grasp this post. Would like to commit to $x \in F^n$ * Let g, h be commitment and verification keys, * $g, h \in G$ are chosen at random using Pseudo Random Generator(PRG) * noone knows such x that $g^x = h$, so DLOG is hard * $G$ is a cyclic group * |G| = |F| size of group matches the size of field Pedersen commitment C = $g^x \in$ G Pedersen commitment properties: * **binding** Given a commitment C, noone can open it to two distinct values $x_1,x_2 (x_1 != x_2)$. One can open it to $x_1$ if and only if one knows $x_1$ such that $g^{x_1} = h$ In a nutshell, assuming DLOG is hard, noone can open C to more than one value * **hiding** * $Com(m) = g^m*h^z$ is **blinded Pedersen commitment** * m is a message $\in F^n$ * $z$ is picked at random from F * $h^z$ is a blinding factor Blinded Pedersen commitment is **perfectly hiding** meaning a commitment reveals no information about $m$ * **homomorphic** Given Com(a), Com(b) (without knowing a and b) it is easy to compute Com(a+b) = Com(a) * Com(b) ## Pedersen vector commitments Pederson vector commitments are used to commit to a vector of field elements. Pedersen vector commitments are **compressing** means they take an input vector of field elements and yields a single group element Would like to commit to vector u = $(u_1, u_2,...u_n) \in F^n$ Commitment key is n group elements, k = $(g_1...g_n)$ $\in$ G * Commitment is a product <k,u> * C = $\prod_{i=1}^n g_i^{u_i}$ is **unblinded** Pedersen vector commitment to $u_i$ aka MSM (multi scalar multiplication) assuming DLog is hard in G * C = $\prod_{i=1}^n g_i^{u_i}h^r$ is **blinded** Pederson vector commitment, $h^r$ is a blinding factor Computing MSM is expensive. There are various ways to mitigate this issue. One of them is to utilize GPU hardware.