Glossary

Pedersen Commitment

A cryptographic commitment scheme that hides a value while letting commitments be added together, used in confidential transactions.

Key Takeaways

  • A Pedersen commitment lets you lock in a secret value so that nobody can see it (hiding) and you cannot change it later (binding), using elliptic curve math closely related to Schnorr signatures.
  • Commitments are additively homomorphic: you can add them together and verify that inputs equal outputs without revealing any individual amount, which is the foundation of confidential transactions.
  • Pedersen commitments underpin privacy systems on Bitcoin sidechains and in Mimblewimble protocols, and are paired with zero-knowledge range proofs such as bulletproofs to keep committed amounts within a valid range.

What Is a Pedersen Commitment?

A Pedersen commitment is a cryptographic primitive that allows someone to commit to a chosen value while keeping it hidden from others. Once committed, the value cannot be changed: the committer is bound to it. Think of it like placing a number in a sealed envelope: nobody can read the number until you open the envelope, but you cannot swap the number after sealing it.

Introduced by Danish cryptographer Torben Pryds Pedersen in his 1991 paper at CRYPTO '91, the scheme was originally a building block for verifiable secret sharing. The commitment mechanism it introduced became independently famous and is now a cornerstone of privacy-preserving cryptocurrency protocols. Pedersen defined it in a prime-order subgroup of the multiplicative group of integers modulo a prime, but it works in any group where the discrete logarithm problem is hard; Bitcoin-related deployments instantiate it over the secp256k1 elliptic curve that Bitcoin already uses for signatures, which is what makes it a natural fit for that ecosystem.

What makes Pedersen commitments special compared to simple hash-based commitments (like SHA-256) is that they support mathematical operations on committed values. You can add two commitments together and get a valid commitment to the sum of the underlying values: all without revealing what those values are.

How It Works

The scheme relies on two independent generator points on an elliptic curve, conventionally called G and H. The critical requirement is that nobody knows the discrete logarithm relationship between them: there is no known scalar k such that H = k * G. These are sometimes called "nothing-up-my-sleeve" points.

To commit to a value, the committer:

  1. Chooses the secret value v they want to commit to
  2. Generates a random blinding factor r (a uniformly random scalar modulo the group order n; 256 bits on secp256k1)
  3. Computes the commitment: C = v * G + r * H
  4. Publishes C (an elliptic curve point) while keeping v and r secret

To later reveal (or "open") the commitment, the committer shares both v and r. Anyone can verify by recomputing v * G + r * H and checking that it matches C.

# Pedersen commitment (pseudocode)
# Setup: G, H are independent generator points on secp256k1.
# "+" is point addition, "*" is scalar multiplication, and scalars are reduced mod the group order n.

v = 100000          # secret value (e.g., satoshis)
r = random_scalar() # blinding factor, uniform in [1, n-1]

C = v * G + r * H   # the commitment (a curve point); publish C, keep v and r secret

# To verify an opening (v, r) against a published C:
assert C == v * G + r * H

Hiding and Binding Properties

Pedersen commitments provide two security guarantees that work in complementary ways:

  • Perfectly hiding: even with unlimited computing power, an observer cannot determine the committed value from the commitment alone. This is because the random blinding factor r uniformly randomizes the commitment across every point of the group (on secp256k1, which has prime order, that is every point on the curve). For any commitment C and any target value v', there exists some blinding factor r' that would produce that same commitment, so C carries no information about v.
  • Computationally binding: two different openings (v, r) and (v', r') of the same C would give (v - v') * G = (r' - r) * H, which means the committer has computed the discrete logarithm of H with respect to G, namely (v - v') / (r' - r). Under the discrete logarithm assumption on secp256k1, this is computationally infeasible.

This asymmetry is important: no commitment scheme can be both perfectly hiding and perfectly binding, so every scheme puts the unconditional guarantee on one side. A hash-based commitment H(v || r) is only computationally hiding and, via collision resistance, only computationally binding; an ElGamal-style commitment is perfectly binding but only computationally hiding. Pedersen commitments prioritize unconditional privacy over unconditional binding, which means that even a future quantum computer could not reveal historically committed values.

The Homomorphic Property

The most powerful feature of Pedersen commitments is additive homomorphism. Given two commitments:

C1 = v1 * G + r1 * H
C2 = v2 * G + r2 * H

# Adding the commitments:
C1 + C2 = (v1 + v2) * G + (r1 + r2) * H

The sum is itself a valid Pedersen commitment to (v1 + v2) with blinding factor (r1 + r2). This extends naturally to subtraction and arbitrary linear combinations. A verifier can confirm that the sum of output commitments minus the sum of input commitments equals zero, proving that no value was created or destroyed: all without learning any individual amount.

Use Cases

Confidential Transactions

The primary application of Pedersen commitments in the Bitcoin ecosystem is Confidential Transactions (CT), proposed by Gregory Maxwell in 2015. In a standard Bitcoin transaction, amounts are visible in plaintext. CT replaces each output amount with a 33-byte Pedersen commitment.

Validation works through the homomorphic property: the sum of input commitments must equal the sum of output commitments plus any explicit fee. If the equation balances, no new coins were created. The fee is published in the clear and entered into the equation as a commitment with zero blinding factor (fee * G in the notation above; fee * H in Elements, which places the value on H and the blinding factor on G), so miners can still verify it.

Confidential Transactions are deployed on the Liquid Network, a Bitcoin sidechain where all L-BTC transfers use CT by default, making transaction amounts private. Liquid also extends the scheme to Confidential Assets, hiding the asset type in addition to the amount.

Range Proofs and Bulletproofs

Pedersen commitments alone have a subtle vulnerability: scalars are taken modulo the group order n, so a "negative" value is just a large positive one (-5 is the scalar n - 5). An attacker could create outputs committing to values like -5 and 7 that sum to 2 (equal to the inputs) and pass the balance check, effectively creating coins from nothing. To prevent this, each commitment must carry a range proof showing the committed value lies within a valid range (typically 0 to 2^64 - 1) without revealing it.
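The following Python script is an added example, not code from the original entry or from any production library: it implements the commit and open steps from "How It Works", the sum and balance checks from "The Homomorphic Property" (including an explicit fee with zero blinding, as in Confidential Transactions), and then reproduces the negative-value wrap-around just described, all on secp256k1 with plain-Python point arithmetic. The second generator H is derived from a constructed seed by a simplified try-and-increment hash-to-curve; the seed, the helper names and the sample amounts are assumptions for this example, and real deployments use their library's fixed, published H.

```python
"""Pedersen commitments on secp256k1 in plain Python (no third-party libraries)."""
import hashlib
import secrets

# secp256k1 domain parameters: field prime P, group order N, base point G.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity (the group identity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                       # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope: doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication; scalars are reduced mod N."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hash_to_curve(seed: bytes):
    """Simplified try-and-increment hash-to-curve (illustration only): hash the seed
    to an x-coordinate until y^2 = x^3 + 7 has a root. Nobody learns log_G of the result."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)                # square root; valid because P ≡ 3 (mod 4)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

H = hash_to_curve(b"pedersen-second-generator-demo-seed")   # constructed seed, not a standard H

def random_scalar():
    return secrets.randbelow(N - 1) + 1

def commit(v, r):
    """C = v*G + r*H, the convention used in this entry."""
    return add(mul(v, G), mul(r, H))

def verify_opening(c, v, r):
    return commit(v, r) == c

def homomorphic_sum_matches(v1, r1, v2, r2):
    """C1 + C2 opens to (v1 + v2, r1 + r2)."""
    return verify_opening(add(commit(v1, r1), commit(v2, r2)), v1 + v2, (r1 + r2) % N)

def balances(inputs, outputs, fee=0):
    """Confidential-transaction check: sum(outputs) + fee*G - sum(inputs) must be the
    identity. The explicit fee enters as a commitment with zero blinding factor."""
    total = mul(fee, G)
    for c in outputs:
        total = add(total, c)
    for c in inputs:
        total = add(total, neg(c))
    return total is None

def negative_wrap_attack():
    """Without range proofs the balance check accepts a 'negative' output: -5 is the
    scalar N - 5, and (N - 5) + 7 ≡ 2 (mod N), so two outputs balance a 2-sat input."""
    r_in, r1 = random_scalar(), random_scalar()
    r2 = (r_in - r1) % N                             # blinding factors must balance too
    inputs = [commit(2, r_in)]
    outputs = [commit(N - 5, r1), commit(7, r2)]
    balance_ok = balances(inputs, outputs)
    in_range = all(0 <= v < 2**64 for v in (N - 5, 7))   # what a range proof enforces
    return balance_ok, in_range
```

Note that `balances` needs every blinding factor to cancel as well as every value, so the attacker in `negative_wrap_attack` has to choose r2 = r_in - r1, which is exactly what an honest wallet does when it builds outputs. The balance equation alone cannot distinguish `commit(N - 5, r1)` from a legitimate output; only a range proof attached to each output can, because the verifier never sees the values.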

Bulletproofs, introduced by Bünz, Bootle, Boneh, Poelstra, Wuille, and Maxwell in 2017, are short non-interactive zero-knowledge proofs designed specifically for this purpose. A 64-bit range proof using bulletproofs is roughly 672 bytes, compared to approximately 5 KB with earlier Borromean ring signature approaches. Like Pedersen commitments themselves, bulletproofs rely only on the discrete logarithm assumption and require no trusted setup. For a deeper exploration of this topic, see our research on Taproot and Schnorr signatures.

Mimblewimble Protocols

Mimblewimble (implemented by Grin and Beam, both launched in January 2019) is built entirely on Pedersen commitments. In Mimblewimble, there are no addresses or scripts: every UTXO is simply a Pedersen commitment where the blinding factor doubles as the private key proving ownership.

Transaction validation checks that the sum of output commitments minus the sum of input commitments (and minus the explicit fee, committed with zero blinding) equals a "kernel excess": a point whose value component is zero, proving no inflation occurred. Because the value components cancel, the excess is a multiple of the blinding generator alone, and it doubles as the public key for a Schnorr signature that the transacting parties must jointly produce. (Mimblewimble implementations put the blinding factor on the standard generator G and the value on H, the reverse of the notation above, so the excess is an ordinary secp256k1 public key.)

Mimblewimble's "cut-through" feature leverages the homomorphic property: intermediate outputs that are created and then spent cancel out, allowing them to be removed entirely from the blockchain. This dramatically reduces chain size over time.

Lightning Network and Future Protocols

The current Lightning Network does not directly use Pedersen commitments. HTLCs rely on hash preimages rather than commitment schemes. However, the proposed upgrade to PTLCs (Point Time-Locked Contracts) uses elliptic curve point operations and adaptor signatures built on the same algebraic framework. PTLCs improve privacy by eliminating the shared payment hash visible across every hop, a benefit rooted in the same discrete-log-based math that makes Pedersen commitments work. For more on this evolution, see our research on PTLCs.

Why It Matters

Privacy is a fundamental challenge in public blockchain systems. Bitcoin transactions are pseudonymous but fully transparent: anyone can see amounts, trace flows, and perform chain analysis. Pedersen commitments provide a mathematically rigorous solution: they let the network verify that transactions are valid (no inflation, no negative amounts) without revealing what is being transacted.

For layer-2 protocols and sidechains like Spark, the algebraic properties of Pedersen commitments are part of a broader cryptographic toolkit that includes Schnorr signatures, threshold signatures, and adaptor signatures. These primitives share the same elliptic curve foundation and compose naturally. Understanding Pedersen commitments helps explain how protocols like FROST threshold signatures and MuSig2 multisignatures achieve their security guarantees.

Risks and Considerations

Quantum Vulnerability

The binding property of Pedersen commitments depends on the hardness of the discrete logarithm problem. A sufficiently powerful quantum computer running Shor's algorithm could break this assumption, allowing an attacker to open a commitment to a different value than originally intended. However, the hiding property is information-theoretically secure and remains safe even against quantum adversaries: historical committed values stay private regardless of future computational advances. Research into post-quantum cryptography is exploring lattice-based and hash-based alternatives.

Independence of the Generators

The security of the scheme requires that nobody knows the discrete logarithm relationship between G and H. If someone knew k such that H = k * G, every commitment would collapse to C = (v + k * r) * G, and they could open any commitment to any value v' they choose by solving v' + k * r' = v + k * r for a new blinding factor r'. In practice, H is derived via a hash-to-curve process from a publicly verifiable seed, providing a "nothing-up-my-sleeve" guarantee without any trusted setup.
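An added example (not from the original entry) of the trapdoor just described. To keep it short it uses the multiplicative-group instantiation from Pedersen's original paper, C = g^v · h^r mod p with g and h in the prime-order-q subgroup of Z_p^* (p = 2q + 1), rather than secp256k1; the algebra, and the trapdoor, are the same. The parameters are toy-sized (a 128-bit safe prime generated at runtime from a seeded RNG, which a real system would never do) and the seeds, helper names and sample values are assumptions for this example.

```python
"""Generator trapdoor in a Pedersen commitment, multiplicative-group instantiation.
Toy parameters: 128-bit safe prime from a seeded RNG. Real deployments use
2048-bit moduli or an elliptic curve such as secp256k1."""
import hashlib
import random

rng = random.Random(2024)   # seeded for reproducibility; never do this for real keys

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both prime, so Z_p^* has a subgroup of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

p, q = safe_prime(128)

def hash_to_subgroup(seed: bytes):
    """Map a public seed into the order-q subgroup: for p = 2q + 1 the squares are
    exactly that subgroup. Whoever derives h this way does not learn log_g(h)."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % p
    return pow(x, 2, p)

g = hash_to_subgroup(b"generator-g-demo-seed")        # constructed seeds for this example
h_honest = hash_to_subgroup(b"generator-h-demo-seed")  # nothing-up-my-sleeve second generator

def commit(v, r, h):
    """C = g^v * h^r mod p (value on g, blinding factor on h)."""
    return pow(g, v, p) * pow(h, r, p) % p

def verify_opening(c, v, r, h):
    return commit(v, r, h) == c

def rigged_generator(k):
    """Dishonest setup: h = g^k with k remembered. It looks like any other subgroup element."""
    return pow(g, k, p)

def equivocate(v, r, v_new, k):
    """With the trapdoor k (h = g^k), C = g^(v + k*r), so any (v_new, r') with
    v_new + k*r' = v + k*r (mod q) opens the same C. Solve for r'."""
    return (r + (v - v_new) * pow(k, -1, q)) % q

def demo():
    v, r = 100_000, rng.randrange(1, q)
    # Honest generator: the committer can only open to v.
    c_honest = commit(v, r, h_honest)
    honest_ok = verify_opening(c_honest, v, r, h_honest)
    # Rigged generator: the trapdoor holder opens the same commitment to 1 instead.
    k = rng.randrange(1, q)
    h_bad = rigged_generator(k)
    c_bad = commit(v, r, h_bad)
    r_new = equivocate(v, r, 1, k)
    forged_ok = verify_opening(c_bad, 1, r_new, h_bad)
    return honest_ok, forged_ok, r_new != r
```

The forged opening in `demo` is indistinguishable from an honest one to a verifier, which is why the provenance of H matters as much as the curve itself: a second generator with a published derivation can be re-derived and checked by anyone, whereas a bare constant handed down by a party who might remember k has to be trusted.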

Space and Verification Overhead

Pedersen commitments replace 8-byte plaintext amounts with 33-byte compressed elliptic curve points. Combined with the required range proofs (672+ bytes with bulletproofs), confidential transactions are significantly larger than transparent ones. This increases bandwidth, storage, and verification costs: a key tradeoff between privacy and efficiency, and one reason why confidential transactions are deployed on sidechains rather than Bitcoin's main chain.

No Amount Auditing

The perfect hiding property means that committed amounts are unconditionally private: not even the protocol developers or network operators can audit individual balances. While the balance check together with range proofs ensures that total supply is preserved (inputs always equal outputs plus fees), verifying a specific account's balance requires the account holder's cooperation, typically by revealing the opening (v, r) of their commitments. Systems that need public auditability, such as stablecoin reserves, must design explicit disclosure mechanisms alongside Pedersen commitments.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.