implementing pedersen commitment using libsodium


Hi, I want to implement a Pedersen commitment on top of libsodium.
Below is what I am trying to do:
comm1: m1G+r1H
comm2: m2G+r2H
comm3: (m1+m2)G+(r1+r2)H
comm4: comm1+comm2

and comm3 should equal comm4.
And here is my code:

#include <sodium.h>
#include <iostream>
using namespace std;

int pedersen_check() {
    if (sodium_init() < 0) { // libsodium must be initialised before any other call
        return -1;
    }

    unsigned char x[crypto_core_ristretto255_HASHBYTES];
    randombytes_buf(x, sizeof x);

    unsigned char g[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_from_hash(g, x); //compute G

    unsigned char h[crypto_core_ristretto255_BYTES];
    unsigned char x2[crypto_core_ristretto255_HASHBYTES];
    randombytes_buf(x2, sizeof x2);
    crypto_core_ristretto255_from_hash(h, x2); //compute H

    unsigned char r1[crypto_core_ristretto255_SCALARBYTES];
    unsigned char hr1[crypto_core_ristretto255_BYTES];
    unsigned char gm1[crypto_core_ristretto255_BYTES];

    crypto_core_ristretto255_scalar_random(r1); //generate r1

    if (crypto_scalarmult_ristretto255(hr1, r1, h) != 0) { //compute r1*H
        return -1;
    }

    unsigned char m1[crypto_core_ristretto255_SCALARBYTES];
    randombytes_buf(m1, sizeof m1); //generate m1 as 32 raw random bytes

    if (crypto_scalarmult_ristretto255(gm1, m1, g) != 0) { //compute m1*G
        return -1;
    }
    unsigned char comm1[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm1, gm1, hr1); //compute comm1 = m1*G+r1*H

    unsigned char r2[crypto_core_ristretto255_SCALARBYTES];
    unsigned char hr2[crypto_core_ristretto255_BYTES];
    unsigned char gm2[crypto_core_ristretto255_BYTES];

    crypto_core_ristretto255_scalar_random(r2); //generate r2
    if (crypto_scalarmult_ristretto255(hr2, r2, h) != 0) { //compute r2*H
        return -1;
    }

    unsigned char m2[crypto_core_ristretto255_SCALARBYTES];
    randombytes_buf(m2, sizeof m2); //generate m2 as 32 raw random bytes

    if (crypto_scalarmult_ristretto255(gm2, m2, g) != 0) { //compute m2*G
        return -1;
    }
    unsigned char comm2[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm2, gm2, hr2); //compute comm2 = m2*G+r2*H

    unsigned char r3[crypto_core_ristretto255_SCALARBYTES];
    unsigned char hr3[crypto_core_ristretto255_BYTES];
    unsigned char gm3[crypto_core_ristretto255_BYTES];
    unsigned char m3[crypto_core_ristretto255_SCALARBYTES];
    crypto_core_ristretto255_scalar_add(m3, m1, m2); //compute m3 = (m1+m2) mod L
    crypto_core_ristretto255_scalar_add(r3, r2, r1); //compute r3 = (r1+r2) mod L
    if (crypto_scalarmult_ristretto255(hr3, r3, h) != 0) { //compute r3*H
        return -1;
    }
    if (crypto_scalarmult_ristretto255(gm3, m3, g) != 0) { //compute m3*G
        return -1;
    }
    unsigned char comm3[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm3, gm3, hr3); //compute comm3 = m3*G+r3*H
    unsigned char comm4[crypto_core_ristretto255_BYTES];
    crypto_core_ristretto255_add(comm4, comm1, comm2); //compute comm4 = comm1+comm2
    cout << "sodium cmp: " << sodium_memcmp(comm3, comm4, sizeof comm3) << endl; //0 means equal
    return 0;
}

int main() {
    return pedersen_check();
}

However, the comparison does not return 0.
I would truly appreciate it if someone could provide some insight into any potential mistakes I might be making, based on the information I provided above.

poncho
You're using memcmp. I am unfamiliar with how ristretto represents things internally; however, if it uses projective coordinates, there are multiple ways of representing the same curve point, and memcmp (which sodium_memcmp is presumably a wrapper around) would consider two different representations of the same point as different. I would expect ristretto to have a function to compare two points for equality - you might want to try that.
js wang
Thanks for the help, but I found the issue: I should use crypto_core_ristretto255_scalar_random(m) to get the random scalar m.

Sorry, I have found the issue, I should use crypto_core_ristretto255_scalar_random(m) to get the random scalar m.

