1

I was reading up on Pedersen commitment over at this website: https://asecuritysite.com/encryption/ped, where they calculate $h=g^s \bmod p$, and they say that $s$ must be a secret.

I wonder why this is a requirement? Since verifiers will know the value of both $h$ and $g$ anyways, and a random value $r$ is used for creating the commitment, I don't see why $s$ must be kept secret?

AleksanderCH
  • 6,435
  • 10
  • 29
  • 62
Sequinex
  • 13
  • 2

1 Answers1

2

I wonder why this is a requirement?

If the prover knows what $s$ is, they can open the commitment to any value they want.

Suppose that the commitment was $c = g^x h^r$, where $x$ is the originally committed value.

Then, if the prover knows $s$, then he can take an arbitrary value $y$ and compute $r' = r + s^{-1}(x - y)$; then, he can open the commitment as $c = g^y h^{r'}$

This would be accepted as a valid opening, because $g^xh^r = g^{x+sr} = g^{x + s(r' - s^{-1}(x-y))} = g^{y + sr'} = g^y h^{r'}$, and so he has successfully opened the commitment to a value selected after the commitment was published.

poncho
  • 147,019
  • 11
  • 229
  • 360
  • Thanks for your answer, but I don't see why this is possible, since the value of r' depends on the value of x, which has not yet been published? – Sequinex May 15 '21 at 15:20
  • Is it because the prover can brute force values of x and r that satisfy the equation? @poncho – Sequinex May 15 '21 at 15:29
  • @Sequinex: no brute force is necessary; to select a specific value $y$, all he need to do is plug the original $r$, $x, y$ and $s$ into the equation I gave - that gives him that value that $r'$ needs to be. – poncho May 15 '21 at 17:13