A Pedersen Commitment is a cryptographic commitment scheme that allows a prover to commit to a secret value (e.g., a transaction amount) by publishing a commitment value, which hides the original data but can later be opened to verify its authenticity. It is perfectly hiding, meaning the commitment reveals zero information about the committed value, and computationally binding, meaning it is infeasible for the committer to later open the commitment to a different value. This is achieved using a mathematical construction based on discrete logarithms within a cryptographic group, such as an elliptic curve.
LABS
Glossary
Pedersen Commitment
A Pedersen commitment is a cryptographic scheme that allows a user to commit to a secret value without revealing it, providing both hiding and binding properties.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is a Pedersen Commitment?
A cryptographic scheme that allows one to commit to a chosen value while keeping it hidden, with the ability to later reveal it.
The core mechanism relies on two public generators, G and H, of a prime-order group where the discrete log relationship between them is unknown. To commit to a value v, the committer selects a random blinding factor r and computes the commitment C = v*G + r*H. The pair (v, r) is the opening, kept secret initially. The randomness r ensures the same value v produces a completely different, unpredictable commitment each time, providing the hiding property. The binding property stems from the difficulty of finding two different pairs (v, r) and (v', r') that hash to the same commitment C.
In blockchain systems, particularly those focused on privacy like Monero and Mimblewimble, Pedersen Commitments are fundamental. They are used to encrypt transaction amounts in Confidential Transactions, allowing network nodes to verify that the sum of inputs equals the sum of outputs (ensuring no new money is created) without knowing the actual amounts. This is done by exploiting the homomorphic property of the commitments: the sum of input commitments minus the sum of output commitments equals a commitment to zero, which can be publicly verified.
Beyond simple value hiding, Pedersen Commitments form the basis for more advanced zero-knowledge proof systems. Their additive homomorphism allows for the construction of range proofs (e.g., Bulletproofs) that demonstrate a committed value lies within a specific interval (e.g., is non-negative and doesn't overflow) without revealing it. This is critical for preventing overflow attacks in private payment systems. The scheme is named after its inventor, cryptographer Torben Pryds Pedersen, who introduced it in 1991.
When implementing Pedersen Commitments, careful parameter selection is crucial. The generators G and H must be chosen in a trusted setup where no one knows the discrete logarithm of H with respect to G (i.e., no one knows x such that H = x*G). If this secret were known, the binding property would be broken. Furthermore, the random blinding factor r must be a cryptographically secure random number; reusing it for different commitments to the same value compromises privacy, as the commitments would be identical.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How Does a Pedersen Commitment Work?
A technical breakdown of the cryptographic protocol that allows one to commit to a value while keeping it secret, later revealing it for verification.
A Pedersen commitment is a cryptographic scheme that allows a party to commit to a chosen value (or set of values) while keeping it hidden, with the ability to later reveal the committed value for verification. It is a binding and hiding commitment scheme, meaning the committer cannot change the value after the fact (binding), and the commitment itself reveals no information about the value (hiding). The scheme is additively homomorphic, allowing mathematical operations on commitments to be performed without revealing the underlying data, a property foundational to confidential transactions and zero-knowledge proofs.
The protocol works by leveraging a cryptographic group, typically an elliptic curve. To commit to a secret value v, the committer selects a random blinding factor r. The commitment C is computed as C = v*G + r*H, where G is a standard generator point and H is a second, independent generator point whose discrete logarithm relationship to G is unknown. The randomness r ensures the commitment is perfectly hiding—even for the same value v, different r produces a completely different, unpredictable commitment C. The committer then sends C to a verifier.
Later, to open or reveal the commitment, the committer discloses the original pair (v, r). The verifier recalculates v*G + r*H and checks if it matches the original commitment C. If it matches, the commitment is successfully opened, proving the committer knew v and r all along. The binding property relies on the discrete logarithm assumption; changing the committed value after the fact would require solving for a relationship between G and H, which is computationally infeasible.
The additive homomorphism is a critical feature: given two commitments C1 = v1*G + r1*H and C2 = v2*G + r2*H, their sum C3 = C1 + C2 is a valid commitment to the sum of the values (v1 + v2) with the sum of the blinding factors (r1 + r2). This allows systems to prove that committed values satisfy certain equations (e.g., that the sum of transaction inputs equals the sum of outputs, with no new money created) without revealing the individual amounts, as utilized in Confidential Transactions for Bitcoin-like blockchains.
In practice, Pedersen commitments are a core component in privacy-focused blockchain protocols like Mimblewimble and Bulletproofs. In Mimblewimble, they obscure transaction amounts and enable efficient blockchain pruning. Bulletproofs are short, efficient zero-knowledge proofs that can demonstrate a committed value lies within a certain range (e.g., is a positive number), which is essential for preventing overflow attacks in confidential transaction systems without requiring a trusted setup.
key-features
PEDERSEN COMMITMENT
Key Features
Pedersen commitments are cryptographic primitives that allow one to commit to a value while keeping it hidden, with the ability to later reveal it. They are fundamental for privacy in blockchain systems.
01
Information-Theoretic Hiding
A Pedersen commitment is information-theoretically hiding, meaning that even with unlimited computational power, an observer cannot learn anything about the committed value from the commitment itself. This is achieved by using a random blinding factor that perfectly masks the data.
02
Computational Binding
The commitment is computationally binding under the discrete logarithm assumption. This means a computationally bounded committer cannot change the committed value after the fact. Finding two different pairs of value and blinding factor that produce the same commitment is as hard as solving the discrete log problem.
03
Additive Homomorphism
A core property enabling complex private computations. The sum of two commitments is a commitment to the sum of their values, using the sum of their blinding factors.
- Example:
Commit(a) + Commit(b) = Commit(a + b)This allows for private balance verification and confidential transactions without revealing individual amounts.
04
Zero-Knowledge Proof Compatibility
Pedersen commitments are the building block for zero-knowledge proofs like Bulletproofs and range proofs. They allow a prover to demonstrate knowledge of the committed value and blinding factor, or to prove properties about the value (e.g., it is non-negative) without revealing it.
05
Elliptic Curve Implementation
In practice, Pedersen commitments are implemented using elliptic curve cryptography. The commitment C is computed as C = v*G + r*H, where:
vis the secret value.ris the secret blinding factor.GandHare independent public generators on the curve. This provides efficiency and compatibility with other crypto systems like Schnorr signatures.
06
Application: Confidential Transactions
Used in privacy-focused blockchains like Monero and Mimblewimble-based chains (Grin, Beam). Pedersen commitments hide transaction amounts, while the homomorphic property allows the network to verify that no money was created out of thin air by checking that the sum of input commitments equals the sum of output commitments.
examples
PEDERSEN COMMITMENT
Examples & Use Cases
Pedersen commitments are a foundational cryptographic primitive enabling privacy and scalability. Their core properties—hiding and binding—make them essential for verifiable, confidential transactions.
04
Commitment to Polynomials
In advanced cryptographic protocols like KZG polynomial commitments (used in Ethereum's EIP-4844 for data blobs), the core idea is an extension of Pedersen commitments. A polynomial's coefficients are committed to using a structured reference string, creating a short, verifiable fingerprint. This enables efficient data availability sampling and proof of correct computation.
05
Atomic Swaps & Scriptless Scripts
Enables trustless cross-chain trades and complex smart contract logic without leaving explicit scripts on-chain. By using adaptor signatures on Pedersen commitments, parties can create conditional payments. The revelation of a secret to claim one commitment automatically reveals the secret to claim another, enabling atomicity and reducing on-chain footprint.
06
Voting & Auction Systems
Provides receipt-freeness and coercion-resistance in cryptographic voting, or bid secrecy in auctions. A voter/bidder submits a commitment to their choice. Later, they can reveal it for tallying, but the commitment itself reveals no information. The binding property prevents changing the vote/bid after the fact, while hiding protects privacy during the commitment phase.
technical-details
CRYPTOGRAPHIC PRIMITIVE
Technical Details & Properties
A deep dive into the mathematical properties and technical implementation of the Pedersen Commitment scheme, a foundational cryptographic tool for privacy.
A Pedersen Commitment is a cryptographic commitment scheme that allows a party to commit to a chosen value while keeping it hidden, with the ability to later reveal the value in a provable manner. It is a binding and hiding commitment, constructed using a group of prime order and two independent generators. The core operation is C = v*G + r*H, where v is the secret value, r is a secret blinding factor, and G and H are the public generators. This structure ensures the commitment C reveals nothing about v (hiding) and that the committer cannot later claim they committed to a different value v' (binding) under standard cryptographic assumptions.
The scheme's security relies on the discrete logarithm problem and the assumed difficulty of finding a relationship between the two generators G and H. If an adversary could find a scalar x such that H = x*G, the commitment would no longer be binding. Therefore, H must be generated in a trusted setup or via a nothing-up-my-sleeve number to ensure its independence from G. This property of perfect hiding and computational binding makes it ideal for applications like confidential transactions, where amounts can be hidden while still allowing network validation.
A critical property is homomorphism. Given two commitments C1 = v1*G + r1*H and C2 = v2*G + r2*H, their sum C3 = C1 + C2 is a commitment to the sum of the values (v1 + v2) with the combined blinding factor (r1 + r2). This enables powerful cryptographic protocols: - Range proofs (e.g., Bulletproofs) can prove a committed value is within a range without revealing it. - In blockchain systems like Mimblewimble, it allows the verification that transaction inputs equal outputs (∑C_inputs - ∑C_outputs = 0*G + r*H) without revealing any amounts, ensuring confidentiality and correctness.
security-considerations
PEDERSEN COMMITMENT
Security Considerations
Pedersen commitments are cryptographic primitives that provide information-theoretic hiding and computational binding, making them a cornerstone for privacy in blockchain protocols.
01
Information-Theoretic Hiding
A Pedersen commitment perfectly conceals the committed value. Even with unlimited computational power, an adversary cannot learn any information about the secret from the commitment alone. This property relies on the randomness (blinding factor) and the discrete logarithm assumption in the underlying group.
- Key Property: Unconditional secrecy of the committed data.
- Analogy: Like a sealed envelope; you cannot see the message inside without opening it.
02
Computational Binding
It is computationally infeasible to find two different messages that produce the same commitment. An adversary cannot change the committed value after the fact without breaking the discrete logarithm problem.
- Security Assumption: Relies on the hardness of finding discrete logs in the chosen elliptic curve group (e.g., secp256k1).
- Implication: Once published, a commitment is a cryptographically binding promise to a specific value.
03
Requirement for Randomness
The security of the hiding property is entirely dependent on a secret, cryptographically strong random number called the blinding factor. If this factor is predictable, reused, or has low entropy, the commitment becomes vulnerable.
- Failure Mode: Reusing a blinding factor for two different values leaks information, as
C1 - C2reveals the difference between the values. - Best Practice: Use a secure, verifiable random function (VRF) or a cryptographic hash with sufficient entropy to generate the blinding factor.
04
Parameter Selection & Trusted Setup
Pedersen commitments require publicly agreed-upon generator points (G, H) on an elliptic curve. The security assumption is that no one knows the discrete logarithm relationship between G and H (i.e., no one knows x such that H = xG).
- Trusted Setup: If this relationship is known, the binding property is broken, allowing commitments to be opened to arbitrary values.
- Mitigation: Use publicly verifiable, transparent setup ceremonies (like those used in zk-SNARKs) or leverage elliptic curves where this relationship is assumed to be unknown.
05
Non-Interactive Zero-Knowledge Proofs
Pedersen commitments are often combined with zero-knowledge proofs (ZKPs) like Bulletproofs or zk-SNARKs to prove statements about the committed value (e.g., range proofs) without revealing it. The security of the overall system then depends on both the commitment scheme and the soundness of the proof system.
- Example: A confidential transaction uses a Pedersen commitment to hide the amount and a Bulletproof to prove it is a non-negative number.
- Composite Security: A vulnerability in either component compromises the entire privacy guarantee.
06
Quantum Resistance Considerations
The computational binding of standard Pedersen commitments, which relies on the discrete logarithm problem, is not secure against a sufficiently powerful quantum computer due to Shor's algorithm. The information-theoretic hiding property, however, remains secure.
- Post-Quantum Cryptography: To maintain binding security in a post-quantum world, protocols may need to migrate to quantum-resistant commitment schemes based on lattice problems or hash functions.
- Current State: For near-term blockchain applications, the quantum threat to binding is considered theoretical but is a critical long-term design consideration.
CRYPTOGRAPHIC PROPERTIES
Comparison with Other Commitment Schemes
A comparison of Pedersen Commitments against other foundational cryptographic commitment schemes, highlighting key security and performance trade-offs.
| Feature | Pedersen Commitment | Hash-Based Commitment | RSA Commitment (Fiat-Shamir) |
|---|---|---|---|
Hiding Property | Unconditionally (Perfectly) | Computationally | Computationally |
Binding Property | Computationally (DLP) | Unconditionally (Collision-Resistant) | Computationally (Factoring) |
Additive Homomorphism | |||
Requires Trusted Setup | |||
Typical Commitment Size | 256-512 bits | 256 bits | 2048-4096 bits |
Verification Complexity | O(1) (Pairing/Group Op) | O(1) (Hash) | O(1) (Modular Exp) |
Common Use Case | Confidential Transactions, ZKPs | Digital Signatures, Merkle Trees | Older Identification Protocols |
PEDERSEN COMMITMENT
Frequently Asked Questions
A cryptographic primitive enabling private transactions on blockchains. These questions address its core mechanics, applications, and relationship to other privacy technologies.
A Pedersen Commitment is a cryptographic scheme that allows a prover to commit to a secret value (like an amount) by publishing a commitment value, which can later be revealed and verified without exposing the secret prematurely. It works by using a mathematical relationship involving the secret value v, a random blinding factor r, and public generator points G and H on an elliptic curve. The commitment C is computed as C = v*G + r*H. The prover sends C to a verifier. Later, to open the commitment, the prover reveals v and r. The verifier recomputes v*G + r*H and confirms it matches the original C. The blinding factor r ensures the commitment is hiding (the value is secret) and the binding property ensures the prover cannot later change the committed value.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall