A Pedersen commitment is a cryptographic scheme that allows one to commit to a chosen value while keeping it hidden, with the ability to later reveal the value in a way that is provably binding to the original commitment. It is a type of homomorphic commitment, meaning commitments to different values can be combined (added) to produce a valid commitment to the sum of those values. This property is expressed as Commit(a) + Commit(b) = Commit(a + b), which is fundamental for protocols requiring privacy and verification, such as confidential transactions and zero-knowledge proofs.
LABS
Glossary
Pedersen Commitment
A Pedersen commitment is a cryptographic scheme that allows a prover to commit to a secret value, hiding it while later being able to reveal and verify it, forming a core component of confidential transactions and zero-knowledge protocols.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is a Pedersen Commitment?
A foundational cryptographic tool for creating binding yet hidden commitments to data, essential for privacy in blockchain systems.
The scheme operates over a cryptographic group, typically an elliptic curve. To commit to a secret value v, one computes C = v*G + r*H, where G is a standard generator, H is a second independent generator (whose discrete log relationship to G is unknown), and r is a randomly chosen blinding factor. The commitment C reveals nothing about v due to the randomness of r (the property of hiding), but it is impossible to later open C to a different value v' without knowing the discrete log of H relative to G (the property of binding). The blinding factor r must be revealed alongside v to verify the opening.
In blockchain contexts, Pedersen commitments are a core component of confidential transaction protocols, like those used in Monero and Mimblewimble. They allow the encryption of transaction amounts so that Commit(amount1) + Commit(amount2) = Commit(amount3) can be publicly verified without revealing the actual values, proving that no money was created or destroyed. This enables strong financial privacy while maintaining the integrity of the ledger's accounting, as the sum of inputs equals the sum of outputs plus fees.
The security of a Pedersen commitment relies on the Discrete Logarithm Problem (DLP) being hard in the chosen group. If one could find the relationship H = k*G, the binding property would be broken, as the committer could generate different pairs (v, r) that open to the same commitment C. Therefore, the parameter H must be generated in a publicly verifiable, nothing-up-my-sleeve manner to ensure trust in its independence from G. This setup is often achieved through a secure hash function or a public ceremony.
Beyond confidential transactions, Pedersen commitments serve as a building block for more complex cryptographic protocols. They are used in zero-knowledge range proofs (to prove a committed number lies within a specific interval without revealing it), verifiable secret sharing, and various multi-party computation (MPC) schemes. Their additive homomorphism makes them exceptionally useful for constructing proofs about aggregated data while preserving the privacy of individual data points within a blockchain's transparent environment.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How Does a Pedersen Commitment Work?
A detailed explanation of the cryptographic mechanism that enables data to be hidden while remaining verifiably bound to a specific value.
A Pedersen commitment is a cryptographic commitment scheme that allows a prover to commit to a secret value v by publishing a commitment C, which is a point on an elliptic curve, without revealing v. The commitment is generated using a publicly agreed-upon generator point G and a second, independent blinding generator H. The prover selects a random blinding factor r and computes the commitment as C = v*G + r*H. The properties of elliptic curve cryptography ensure that C reveals nothing about v (hiding) and that the prover cannot later claim a different value v' was committed (binding).
The scheme's security relies on the Discrete Logarithm Problem (DLP) on the chosen elliptic curve. The hiding property is unconditionally secure if the points G and H are chosen such that their discrete logarithm relationship is unknown (i.e., no one knows a scalar x where H = x*G). This means even a computationally unbounded adversary cannot deduce v from C. The binding property is computationally secure, relying on the assumed hardness of the DLP; forging a commitment for a different value would require solving the discrete log.
To later open or verify the commitment, the prover reveals the original pair (v, r). Any verifier can then recompute v*G + r*H and check that it matches the published commitment C. This simple open-and-verify mechanism is fundamental to its utility. Pedersen commitments are additively homomorphic, meaning the commitment to the sum of two values equals the sum of their individual commitments: Commit(v1 + v2) = Commit(v1) + Commit(v2). This property is crucial for protocols requiring private computations on committed values, such as confidential transactions.
In blockchain applications like Monero and Mimblewimble, Pedersen commitments are used to encrypt transaction amounts. Instead of publishing plaintext values, outputs are represented as commitments C. The homomorphic property allows the network to verify that the sum of input commitments equals the sum of output commitments (plus a commitment to the fee), proving no new money was created, all while keeping the actual amounts hidden. The blinding factor r ensures that even identical amounts produce unique, unlinkable commitments, providing strong privacy.
While powerful, standard Pedersen commitments have limitations. They are not succinct for complex statements and lack a built-in zero-knowledge proof system for arbitrary predicates. This led to the development of more advanced vector commitments and polynomial commitments like KZG commitments, which build upon similar principles but enable efficient proofs about committed data. Nevertheless, the elegance and provable security of the original Pedersen construction make it a cornerstone of privacy-preserving cryptography.
key-features
CRYPTOGRAPHIC PRIMITIVE
Key Features of Pedersen Commitments
Pedersen commitments are a foundational cryptographic tool that allow a party to commit to a value while keeping it hidden, with the ability to later reveal it and prove the commitment was not altered.
01
Information-Theoretic Hiding
A Pedersen commitment is information-theoretically hiding. This means that, given only the commitment C, it is impossible for any observer—even one with unlimited computational power—to learn any information about the committed value v. The blinding factor r perfectly masks v within the commitment structure C = v*G + r*H.
02
Computational Binding
A Pedersen commitment is computationally binding under the Discrete Logarithm Problem (DLP) assumption. This means it is computationally infeasible for the committer to later open the same commitment C to two different values (v, r) and (v', r') where v ≠ v'. Finding such a collision would require solving the DLP on the elliptic curve.
03
Additive Homomorphism
Pedersen commitments are additively homomorphic. The sum of commitments to two values is a commitment to the sum of those values. Given C1 = Commit(v1, r1) and C2 = Commit(v2, r2), then C1 + C2 = Commit(v1 + v2, r1 + r2). This property is fundamental for:
- Confidential Transactions: Hiding transaction amounts.
- Zero-Knowledge Proofs: Proving statements about committed values without revealing them.
04
Blinding Factor (Randomness)
Every commitment requires a secret blinding factor r (a random scalar). This randomness is crucial for security:
- It ensures the hiding property; without it, commitments to small, known values would be guessable.
- It prevents brute-force attacks on the committed value.
- The committer must keep
rsecret until they choose to open the commitment by revealing the pair(v, r).
05
Elliptic Curve Implementation
In practice, Pedersen commitments are implemented on elliptic curve groups. The commitment C = v*G + r*H is an elliptic curve point, where:
Gis a standard, publicly known generator point.His a second, independently chosen generator point (sometimes called a 'nothing-up-my-sleeve' number).vandrare scalars (integers). This structure provides efficiency and compatibility with other elliptic curve-based protocols like Schnorr signatures.
06
Application: Confidential Transactions
A primary use case is in Confidential Transactions (e.g., in Monero, Mimblewimble). Pedersen commitments hide transaction amounts while allowing the network to verify that no money was created out of thin air. The homomorphic property enables this: the sum of input commitments minus output commitments must equal a commitment to zero (the fee), proving conservation of value.
visual-explainer
CRYPTOGRAPHIC PRIMITIVES
Visualizing the Commitment Process
A conceptual walkthrough of how a Pedersen Commitment functions, from value selection to verification, illustrating its core properties of hiding and binding.
The process begins when a prover selects a secret value they wish to commit to, such as a transaction amount v. To create the commitment, they also generate a secret random blinding factor r. Using a publicly agreed-upon elliptic curve, the prover computes the commitment C as C = v*G + r*H, where G and H are two independent, publicly known generator points. This single piece of data, C, is then published or sent to a verifier. Crucially, due to the properties of the elliptic curve and the randomness of r, the original value v is completely hidden; C reveals nothing about the committed amount.
The hiding property is visually akin to placing the secret value inside a locked box (C) and handing it over. Anyone can see the box but cannot discern its contents. Later, to open the commitment, the prover must reveal both the original secret value v and the blinding factor r to the verifier. The verifier then performs the same calculation: v*G + r*H. If the result matches the original commitment C, the commitment is successfully verified. This demonstrates the binding property: the prover cannot find a different pair of values (v', r') that produce the same commitment C without solving the discrete logarithm problem, which is computationally infeasible.
This mechanism is foundational for confidential transactions in blockchain protocols like Mimblewimble and Monero. In such systems, transaction amounts are hidden within Pedersen Commitments, preserving financial privacy while still allowing the network to verify that no money is created out of thin air. The verifier can check mathematical relationships between commitments—for example, that the sum of input commitments equals the sum of output commitments plus a commitment to the fee—without learning any actual amounts. This enables additive homomorphism, where commitments to v1 and v2 can be added to create a valid commitment to v1 + v2, a property essential for verifying balance correctness in zero-knowledge.
examples
PEDERSEN COMMITMENT
Real-World Examples & Use Cases
Pedersen commitments are a cryptographic primitive enabling privacy and scalability. Here are key applications where they are used in practice.
01
Confidential Transactions
Used in privacy-focused cryptocurrencies like Monero and Mimblewimble-based chains (e.g., Grin, Beam). Pedersen commitments hide transaction amounts by committing to the value v as C = v*G + r*H, where r is a secret blinding factor. This allows network nodes to verify that no money is created out of thin air (by proving the sum of input commitments equals the sum of output commitments) without revealing the actual amounts.
- Key Property: Homomorphic - commitments can be added, enabling balance verification on encrypted data.
02
Zero-Knowledge Proof Systems
Serves as a fundamental building block in zk-SNARKs and zk-STARKs. Pedersen commitments are used to create polynomial commitments or to bind prover values before generating a proof. Their homomorphic and hiding properties are essential for constructing efficient proofs about private data, such as proving you have a secret number within a range (bulletproofs) without revealing it.
- Example: Zcash's earlier Sapling protocol used Pedersen commitments within its circuit to hide transaction values.
03
Commitment Schemes in Layer 2
Employed in optimistic rollups and validiums for state commitment. The sequencer publishes a Pedersen commitment (often a Merkle root of commitments) to the latest state rollup on-chain. This compact commitment allows anyone with the data to verify state transitions off-chain, while the on-chain contract only needs to store the small commitment hash, drastically reducing gas costs.
- Scalability Benefit: The fixed size of the commitment (e.g., 32 bytes) enables massive data compression compared to posting full transaction data.
04
Verifiable Secret Sharing (VSS)
Critical for Distributed Key Generation (DKG) protocols, such as those used in threshold signature schemes (e.g., for multi-party computation wallets). A dealer can commit to a secret polynomial using Pedersen commitments and distribute shares to participants. The commitments allow participants to verify the correctness of their received shares without learning the secrets of others, ensuring the protocol is robust against malicious dealers.
- Security Impact: Prevents a single party from learning or controlling the entire private key.
05
Mix Networks & Voting
Provides receipt-freeness and coercion-resistance in cryptographic voting systems. A voter can commit to their encrypted ballot using a Pedersen commitment. Later, they can prove the vote was cast correctly without revealing the link between their identity and the specific vote, as the blinding factor breaks this link. This ensures both ballot secrecy and public verifiability of the tally.
- Application: Found in academic e-voting protocols like Civitas and Helios with enhanced privacy extensions.
06
Atomic Swaps & Scriptless Scripts
Enables privacy-preserving cross-chain swaps without explicit, visible smart contract conditions. Using the homomorphic property, two parties can create adaptor signatures based on Pedersen commitments to a secret. This allows them to atomically exchange secrets (and thus claim funds on different chains) in a way that is indistinguishable from a regular signature to external observers, hiding the swap's occurrence.
- Advantage: Reduces on-chain footprint and improves privacy compared to hash-time-lock contract (HTLC) based swaps.
ecosystem-usage
PRACTICAL APPLICATIONS
Ecosystem Usage: Who Uses Pedersen Commitments?
Pedersen commitments are a foundational cryptographic primitive enabling privacy and integrity in distributed systems. Their core properties—hiding and binding—make them essential for specific protocols and applications.
03
Secure Multi-Party Computation (MPC)
MPC protocols use Pedersen commitments to ensure participants follow the protocol correctly. A party can commit to their secret input at the start. Later, when they are required to reveal a derived value, they can open the commitment to prove they used the originally committed secret, preventing cheating. This is key for threshold signature schemes and private voting.
04
Cryptographic Voting & Audits
In end-to-end verifiable voting systems, a voter's ballot is encrypted and represented as a Pedersen commitment. This allows for public verification that all cast votes are included in the final tally (ballot stuffing prevention) without revealing individual votes. Auditors can confirm the sum of commitments matches the commitment of the final result.
06
Confidential Assets & Issuance
Protocols like Confidential Transactions (CT) and Confidential Assets leverage Pedersen commitments to hide both the amount and the type of asset being transferred. Unique asset tags are embedded within the commitment, allowing the ledger to differentiate between commitments to Bitcoin, a token, or a custom asset while keeping all details private.
CRYPTOGRAPHIC PROPERTIES
Comparison: Pedersen vs. Other Commitment Schemes
A feature comparison of Pedersen Commitments against other foundational cryptographic commitment schemes, highlighting their security assumptions, performance, and use cases.
| Feature / Property | Pedersen Commitment | Hash-Based Commitment | RSA Commitment (Fujisaki-Okamoto) |
|---|---|---|---|
Cryptographic Assumption | Discrete Logarithm Problem | Cryptographic Hash Function (e.g., SHA-256) | RSA Problem & Integer Factorization |
Hiding Property | Unconditionally (Perfectly) Hiding | Computationally Hiding | Computationally Hiding |
Binding Property | Computationally Binding | Unconditionally (Perfectly) Binding | Computationally Binding |
Additive Homomorphism | |||
Requires Trusted Setup | |||
Typical Use Case | Confidential Transactions, ZKPs | Digital Signatures, Merkle Trees | Verifiable Encryption, E-Voting |
Performance (Commit/Open) | Fast (Two Group Exps) | Very Fast (One Hash) | Slow (Large Modular Exps) |
FAQ
Common Misconceptions About Pedersen Commitments
Pedersen commitments are a foundational cryptographic primitive for privacy, but their properties are often misunderstood. This section clarifies frequent points of confusion regarding their security, functionality, and applications in blockchain systems.
No, a Pedersen commitment is not an encryption scheme. Encryption is designed to conceal data so it can be later revealed and decrypted by an authorized party. A commitment scheme has a different purpose: it allows you to bind yourself to a secret value (like a bid or a vote) without revealing it, and then later open the commitment to prove you knew that specific value all along. The commitment C itself does not contain the information needed to recover the secret; it is a one-way cryptographic binding.
CRYPTOGRAPHIC PRIMITIVES
Technical Deep Dive
A foundational cryptographic tool enabling private transactions and scalable proofs by committing to data without revealing it.
A Pedersen Commitment is a cryptographic scheme that allows one to commit to a chosen value while keeping it hidden, with the ability to later reveal the value and prove the commitment was not altered. It works by using a mathematical construction based on elliptic curve cryptography. To commit to a secret value v, a random blinding factor r is chosen. The commitment C is computed as C = v*G + r*H, where G and H are two distinct, publicly known generators on an elliptic curve. The properties of the curve ensure that C reveals nothing about v (hiding) and that it is computationally infeasible to find two different pairs (v, r) that produce the same commitment C (binding).
PEDERSEN COMMITMENT
Frequently Asked Questions (FAQ)
A cryptographic primitive for hiding information while allowing for later verification, foundational to privacy in blockchain protocols like Zcash and Monero.
A Pedersen Commitment is a cryptographic scheme that allows a prover to commit to a secret value without revealing it, while later being able to reveal and verify that value. It is a perfectly hiding and computationally binding commitment scheme, meaning the commitment reveals zero information about the secret (hiding), and it is infeasible for the prover to later claim they committed to a different value (binding). It works by using a generator of an elliptic curve group and a secret blinding factor, creating a commitment that appears random.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall