Pedersen Commitment

The Pedersen commitment is the basic tool that Confidential Transactions is based on. A commitment scheme lets you keep a piece of data secret but commit to it so that you cannot change it later. Two properties need to be satisfied: binding and hiding. Binding makes sure that commitments cannot be changed later, while hiding ensures that adversaries are unable to find the original value.

A simple commitment scheme can be constructed using a cryptographic hash, by hashing together the data and a blinding factor, and revealing the hash:

commitment = SHA256( blinding_factor || data )

This hash is the commitment, and the operation cannot be reversed to reveal the original data. The data can later be revealed together with the blinding factor, and verified by hashing them with the same hashing algorithm.

The blinding factor is present because, without one, data that is small and simple could potentially be guessed by hashing each guess and comparing the result to the commitment.

A Pedersen commitment works like the above but with an additional property: commitments can be added. The sum of a set of commitments is the same as a commitment to the sum of the data, with a blinding factor equal to the sum of the blinding factors.

C(BF1, data1) + C(BF2, data2) == C(BF1 + BF2, data1 + data2)