
I'm implementing Pedersen commitment scheme in order to enhance entropy of a pre-image of a hash. I'm using secp256k1 for my curve parameters.

I am following naming conventions from here: What is a Pedersen commitment?

I am performing a commit $C = (m, r)$ and then another commit $C' = (m, r')$.

Then I do the blind equality check $C - C' = (r - r')G$.

I got the blind equality check working, but only for some values of $r$. It looks like it works better when $r$ is a prime or when $r$ and $r'$ don't have common divisors.

What's the proper way to select $r$ values? Right now I am just selecting random values between 0 and 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f.

  • are you doing $r-r'\ mod\ q$? – knaccc Mar 14 '22 at 17:42
  • Hmm, I'm doing `uint256 _r3 = submodP( _r1 , _r2 )`. I'm not sure what $q$ is, to be honest. Maybe `submodP` is not enough on its own and I do need to $\bmod q$ on top of it. Thank you, I'll research that further. – Ilia Sidorenko Mar 14 '22 at 19:56
  • For secp256k1, your group order $q$ is 115792089237316195423570985008687907852837564279074904382605163141518161494337. You should not be doing mod p and mod q, only mod q. – knaccc Mar 15 '22 at 04:01
  • Hi @knaccc you're right. Turns out I was doing mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F and I had to just change it to mod 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 and it now works fine. That solved my issue. – Ilia Sidorenko Mar 16 '22 at 13:05

2 Answers


According to this paper, $r$ ($t$ in the paper) should be picked uniformly at random in $\mathbb{Z}_q$ (i.e. $\big\{0, \dots, (q-1)\big\}$), with $q$ the order of $\mathbb{G}$.

According to this link the order is:

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

Then you have to select a random value between $0$ and

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364140 inclusive.


I was doing mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F for $(r - r')$ and I just had to change it to mod 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141. Not an issue with $r$ selection per se, but with computing $(r - r')$.