Score:0

How to select $r$ in Pedersen commitment scheme?

nz flag

I'm implementing Pedersen commitment scheme in order to enhance entropy of a pre-image of a hash. I'm using secp256k1 for my curve parameters.

I am following naming conventions from here: What is a Pedersen commitment?

I am performing a commit $C = (m, r)$ and then another commit $C' = (m, r')$

Then I do the blind equality check $C - C' = (r - r')G.$

I got the blind equality check working, but only for some values of $r$. It looks like it works better when $r$ is a prime or when $r$ and $r'$ don't have common divisors.

What's the proper way to select $r$ values? Right now I am just selecting random values between 0 and 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f.

knaccc avatar
es flag
Are you doing $r - r' \bmod q$?
nz flag
Hmm, I'm doing `uint256 _r3 = submodP( _r1 , _r2 )`. I'm not sure what $q$ is, to be honest. Maybe `submodP` is not enough on its own and I do need to $\bmod q$ on top of it. Thank you, I'll research that further.
knaccc avatar
es flag
For secp256k1, your group order $q$ is 115792089237316195423570985008687907852837564279074904382605163141518161494337. You should not be doing mod p and mod q, only mod q.
nz flag
Hi @knaccc you're right. Turns out I was doing `mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F` and I had to just change it to `mod 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141` and it now works fine. That solved my issue.
Score:1
cn flag

According to this paper, $r$ ($t$ in the paper) should be picked uniformly at random in $\mathbb{Z}_q$ (i.e. $\big\{0, \dots, (q-1)\big\}$), with $q$ the order of $\mathbb{G}$.

According to this link the order is:

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

Then you have to select a random value between $0$ and

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364140 inclusive.

nz flag
That's a great paper, I'll research that further and figure out what I'm missing, thank you!
Score:0
nz flag

I was doing mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F for $(r - r')$ and I just had to change it to mod 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141. Not an issue with $r$ selection per se, but with computing $(r - r')$.
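Worked example added here (not code from the question, the answers, or any library they mention): a minimal Pedersen commitment on secp256k1 that draws $r$ uniformly from $\mathbb{Z}_q$ as the accepted answer says, and shows that reducing $r - r'$ mod the field prime (the `...FFFFFC2F` value) instead of mod the group order (the `...D0364141` value) breaks the blind equality check exactly when $r < r'$, which is the "works only for some values of $r$" symptom. It assumes the thread's convention $C = rG + mH$ (so that $C - C' = (r - r')G$) and derives the second generator $H$ with a hypothetical try-and-increment hash-to-curve, since the thread never specifies $H$.

```python
import hashlib
import secrets

# secp256k1: field prime P (the ...FFFFFC2F value) and group order N (the ...D0364141 value).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B:  # doubling (curve coefficient a = 0)
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Pt):
    """Double-and-add; k*Pt depends only on k mod N, so scalars are reduced mod N."""
    R, Q, k = None, Pt, k % N
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def neg(Pt):
    return None if Pt is None else (Pt[0], (-Pt[1]) % P)

def derive_h(label=b"pedersen-H"):
    """Hypothetical second generator H via try-and-increment hash-to-curve, so
    nobody knows log_G(H). The sqrt via pow works because P % 4 == 3."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs: return (x, y)
        x = (x + 1) % P
H = derive_h()

def random_r():
    return secrets.randbelow(N)  # uniform in {0, ..., N-1}, as the answer prescribes
def commit(m, r):
    """C = r*G + m*H, the convention behind the check C - C' = (r - r')G."""
    return add(mul(r, G), mul(m, H))
def blind_equal(C1, C2, r1, r2, modulus=N):
    """True iff C1 - C2 == (r1 - r2)G with the difference reduced mod `modulus`.
    Passing modulus=P reproduces the bug from the thread: it fails whenever r1 < r2."""
    return add(C1, neg(C2)) == mul((r1 - r2) % modulus, G)
```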
