Which groups to use for Pedersen Commitments

Question

I have been reading about Pedersen Commitments, and have come across some contradictory examples, which is confusing.

Just focusing on simple commitment of scalars (not EC points or vectors), then I have read this:

Why is the Pedersen commitment perfectly hiding?

which states:

Public parameters - 2 primes , such that =2+1, and 2 elements ₁,₂∈ℤ∗ of order (i.e ₁,₂ are generators of a q-ordered sub-group of ℤ∗).

Secret parameter - ∈ℤ

The scheme - chooses ∈ℤ at random and sends the commitment =₁₂(mod). Then reveals ′,′ and accepts iff =′₁′₂(mod).

and then I have read this version of the scheme:

https://tlu.tarilabs.com/cryptography/bulletproofs-protocols/MainReport.html#pedersen-commitments-and-elliptic-curve-pedersen-commitments

which states:

Let q be a large prime and p be a large safe prime such that p=2q+1

Let h be a random generator of cyclic group such that h is an element of ℤ^*_q

Let a be a random value and element of ℤ^*_q and calculate g such that g=ha

Let r (the blinding factor) be a random value and element of ℤ^*_p

The commitment to value x is then determined by calculating C(x,r)=h^rg^x , which is called the Pedersen Commitment.

The generator h and resulting number g are known as the commitment bases and should be shared along with C(x,r), with whomever wishes to open the value.

My question is this:

p and q seem to be the same in each example.

In the first example, notice how the secret value is modulo q, the subgroup, whereas in the second example, the secret value, x, is not modulo anything. Which is correct?

Also, in the first example, the blinding factor, r, is modulo the subgroup q, but in the second example, r is modulo the larger group p. Again, which is correct?

I've also seen another variant where everything is modulo the larger group, not the subgroup.

Which variant is correct and does it matter?

Answer 1

In general, the second explanation is a bit sloppier, however both appear to gloss over a crucial detail:

In the first example, notice how the secret value is modulo q, the subgroup, whereas in the second example, the secret value, x, is not modulo anything. Which is correct?

Pedersen commitments only work if $x$ is in the range $(0, q-1)$; given an opening for a value $x$, it is trivial to open it as the value $x+q$. In practice, this is not important (if we need to commit to a large value, we just commit to the hash); however in this case the first one is more correct.

Also, in the first example, the blinding factor, r, is modulo the subgroup q, but in the second example, r is modulo the larger group p. Again, which is correct?

The proof that Pedersen commitments is perfectly hiding relies on the idea that the value $r$ is chosen uniformly in the range $[0, q-1]$. Now, it turns out that both examples do this; the first example makes this explicit, while the second example selects $r$ randomly in the range $[1, 2q-1]$; the computation $h^r \bmod p$ will effectively perform a $r \bmod q$ operation (as $r$ is the size of the subgroup that $h$ generates), which will map the effective value of $r$ to the range $[0, q-1]$, with each effective value having precisely two preimages, and since all preimages are equiprobable, the effective $r$ will be chosen uniformly in the desired range. This is correct, but not as straight-forward as one would hope (and also a tiny amount less efficient than needed).

Now, the crucial detail that both examples gloss over (unless they cover it in parts of the text you did not quote); it is essential that the committer does not know the discrete log $h$ (or $g_2$) with respect to $g$ (or $g_1$); that is, he does not know the value $x$ s.t. $h = g^x \pmod p$.

If he does know that value, then he can open the commitment to any value he wants; this is less than ideal for a commitment scheme.

The first example just says "there are two generators $g_1, g_2$" without saying where they came from, or who selected them.

The second example says "pick a random $a$, and set $g = h^a \bmod p$ without saying who picks $a$.

This needs to be spelled out; perhaps by either:

• Specifying that the verifier picks $g$ and $h$, or

• Specifying that they are selected via an appropriate public process; for example, compute $g = (\text{hash}(\text{'g'})) ^2 \bmod p$ and $h = (\text{hash}(\text{'h'})) ^2 \bmod p$ (for an appropriately long hash function)