
For Confidential Transactions a Pedersen commitment is being used. The commitment preserves addition and the commutative property applies:
$$C(\text{BF}_1, \text{data}_1) \oplus C(\text{BF}_2, \text{data}_1) = C(\text{BF}_1 + \text{BF}_2, \text{data}_1 + \text{data}_1)$$
($\oplus$ doesn't denote XOR here but more generally "another type of addition operation".)
How can I prove these properties, and how do we get the blinding factor?

SEJPM
J.Madison

1 Answer


First, we'll recap the Pedersen-Commitment scheme and then we'll show that it is indeed additively homomorphic. For reference, the original paper by Pedersen is free by now.


The commitment scheme

Let $q,p\in\mathbb P$ be primes such that $p=r\cdot q+1$, for some $r\in\mathbb N$. Let $q$ be the order of a subgroup of $\mathbb Z_p^*$ called $G_q$. Let $g,h\in G_q$ further be elements of this group such that $\log_g(h)$ is unknown to all parties.

A committer now commits to a value $s\in\mathbb Z_q$ by choosing a random $t\in\mathbb Z_q$ and publishing $$E(s,t)=g^s\cdot h^t\bmod p$$

He opens the commitment by simply publishing $(s,t)$; he can't change the choice of $s$ once he has published $E(s,t)$ unless he knows $\log_g(h)$, and somebody else obviously can't find out what $s$ is before the opening because it's blinded.


The homomorphic property

This assumes that you have committed to $s_1,s_2$ using $t_1,t_2$ as random blinding exponents. Now you can observe that (in $\mathbb Z_p^*$):
\begin{eqnarray}
E(s_1,t_1)\cdot E(s_2,t_2) & \equiv & (g^{s_1}\cdot h^{t_1})\cdot(g^{s_2}\cdot h^{t_2}) \\
& \equiv & (g^{s_1}\cdot g^{s_2})\cdot(h^{t_1}\cdot h^{t_2}) \\
& \equiv & g^{s_1+s_2}\cdot h^{t_1+t_2} \\
& \equiv & E(s_1+s_2,t_1+t_2)
\end{eqnarray}

You can create a new commitment (as a sum) from two old ones, but then you also have to publish the new blinding exponent.

SEJPM