# Pedersen and ElGamal Commitments

This section introduces commitment schemes based on the discrete logarithm and DDH assumptions, including Pedersen commitments and ElGamal commitments.

## Pedersen Commitment Scheme

:::{note} Definition: Pedersen Commitment Scheme
:label: pedersen-commitment

Let $\mathcal{G}$ be a group generation algorithm. The Pedersen commitment scheme $\mathsf{PedCom}[\mathcal{G}]$ is defined as follows:

- $\mathsf{Setup}(1^\lambda) \rightarrow \mathsf{params}$: Run $(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^\lambda)$, sample $h \xleftarrow{\$} \mathbb{G} \setminus \{1_\mathbb{G}\}$, and output $\mathsf{params} = ((\mathbb{G}, p, g), h, \mathcal{M} := \mathbb{Z}_p, \mathcal{R} := \mathbb{Z}_p)$.
- $\mathsf{Commit}(\mathsf{params}, m, r) \rightarrow C$: Parse $\mathsf{params} = ((\mathbb{G}, p, g), h, \mathcal{M}, \mathcal{R})$. For message $m \in \mathcal{M}$ and randomness $r \in \mathcal{R}$, output $C = g^m h^r$.
:::

:::{tip}
Pedersen commitments are *homomorphic*: for commitments $C_1 = \mathsf{Commit}(\mathsf{params}, m_1, r_1)$ and $C_2 = \mathsf{Commit}(\mathsf{params}, m_2, r_2)$, we have

$$
C_1 \cdot C_2 = g^{m_1 + m_2} h^{r_1 + r_2} = \mathsf{Commit}(\mathsf{params}, m_1 + m_2, r_1 + r_2).
$$
:::
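The definition and the homomorphism, as an added Python example that is not part of these notes. The constants `P`, `Q`, `G` are a constructed toy instance of $(\mathbb{G}, p, g)$ (an 11-bit modulus, useless for security; `Q` plays the role of the definition's $p$). Deriving `H` by hashing into the group is this example's assumption about how a deployment makes $\log_g h$ unknown to everyone; the definition itself only says $h$ is sampled uniformly from $\mathbb{G} \setminus \{1_\mathbb{G}\}$.

```python
import hashlib
import secrets

# Constructed toy instance of (G, p, g) from the definition -- NOT secure, for illustration only.
# G is the order-Q subgroup of Z_P^*, p = Q is its prime order, and g = G generates it.
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup (the definition's p); scalars m, r live in Z_Q
G = 4      # 4 = 2^2 is a quadratic residue, hence lies in (and generates) the order-Q subgroup


def derive_h(label: bytes) -> int:
    """Derive h by hashing, so that nobody (the committer included) knows log_g h.

    Squaring moves the hash output into the order-Q subgroup; the counter loop skips the
    excluded values 0 and 1_G. This derivation is an assumption of the example.
    """
    ctr = 0
    while True:
        digest = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h not in (0, 1):
            return h
        ctr += 1


H = derive_h(b"pedersen-h-v1")


def commit(m: int, r: int) -> int:
    """Commit(params, m, r) = g^m * h^r; exponents reduce mod Q because the group has order Q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def random_scalar() -> int:
    """Uniform randomness r in Z_Q; hiding depends on r being uniform and fresh per commitment."""
    return secrets.randbelow(Q)


def verify_opening(C: int, m: int, r: int) -> bool:
    """The receiver's check when the committer later reveals (m, r)."""
    return commit(m, r) == C


def combine(C1: int, C2: int) -> int:
    """Homomorphism: commit(m1, r1) * commit(m2, r2) == commit(m1 + m2, r1 + r2)."""
    return C1 * C2 % P


def demo():
    m1, r1 = 17, random_scalar()
    m2, r2 = 25, random_scalar()
    C1, C2 = commit(m1, r1), commit(m2, r2)
    # A third party holding only C1 and C2 derives a commitment to the sum without learning
    # m1 or m2; only someone who knows both openings can open it (with r1 + r2).
    C_sum = combine(C1, C2)
    return verify_opening(C_sum, m1 + m2, r1 + r2), verify_opening(C_sum, m1 + m2 + 1, r1 + r2)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The homomorphism is what makes Pedersen commitments useful beyond plain commit-and-reveal: a verifier can check that committed amounts balance (the product of input commitments equals the product of output commitments) while every individual amount stays hidden.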

## Security Properties of Pedersen Commitments

:::{important} Theorem: Pedersen Commitments are Binding
:label: thm-pedersen-binding

Let $\mathcal{G}$ be a group generation algorithm for which the discrete logarithm problem is hard. Then the Pedersen commitment scheme $\mathsf{PedCom}[\mathcal{G}]$ is binding.

More precisely, for any PPT adversary $\mathcal{A}$ against the binding property of $\mathsf{PedCom}[\mathcal{G}]$, there exists a PPT adversary $\mathcal{B}$ against the discrete logarithm problem such that

$$
\mathsf{Adv}_{\mathcal{A}, \mathsf{PedCom}}^{\mathsf{Bind}} = \mathsf{Adv}_{\mathcal{B}, \mathcal{G}}^{\mathsf{DL}}.
$$
:::

The proof is left as an exercise (see Exercise {ref}`ex-pedersen-binding`).

:::{important} Theorem: Pedersen Commitments are Hiding
:label: thm-pedersen-hiding

The Pedersen commitment scheme $\mathsf{PedCom}[\mathcal{G}]$ is perfectly hiding.

More precisely, for any (possibly unbounded) adversary $\mathcal{A}$,

$$
\mathsf{Adv}_{\mathcal{A}, \mathsf{PedCom}}^{\mathsf{Hide}} = 0.
$$
:::

The proof is left as an exercise (see Exercise {ref}`ex-pedersen-hiding`).

## ElGamal Commitment Scheme

:::{note} Definition: ElGamal Commitment Scheme
:label: elgamal-commitment

Let $\mathcal{G}$ be a group generation algorithm. The ElGamal commitment scheme $\mathsf{ElGamalCom}[\mathcal{G}]$ is defined as follows:

- $\mathsf{Setup}(1^\lambda) \rightarrow \mathsf{params}$: Run $(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^\lambda)$, sample $h \xleftarrow{\$} \mathbb{G} \setminus \{1_\mathbb{G}\}$, and output $\mathsf{params} = ((\mathbb{G}, p, g), h, \mathcal{M} := \mathbb{Z}_p, \mathcal{R} := \mathbb{Z}_p)$.
- $\mathsf{Commit}(\mathsf{params}, m, r) \rightarrow C$: Parse $\mathsf{params} = ((\mathbb{G}, p, g), h, \mathcal{M}, \mathcal{R})$. For message $m \in \mathcal{M}$ and randomness $r \in \mathcal{R}$, output $C = (g^r, h^{m+r})$.
:::

:::{important} Theorem: ElGamal Commitments are Hiding
:label: thm-elgamal-hiding

Let $\mathcal{G}$ be a group generation algorithm for which the DDH problem is hard. Then the ElGamal commitment scheme $\mathsf{ElGamalCom}[\mathcal{G}]$ is hiding.

More precisely, for any PPT adversary $\mathcal{A}$ against the hiding property of $\mathsf{ElGamalCom}[\mathcal{G}]$, there exists a PPT adversary $\mathcal{B}$ against DDH such that

$$
\mathsf{Adv}_{\mathcal{A}, \mathsf{ElGamalCom}}^{\mathsf{Hide}} = 2 \cdot \mathsf{Adv}_{\mathcal{B}, \mathcal{G}}^{\mathsf{DDH}}.
$$
:::

The proof is left as an exercise (see Exercise {ref}`ex-elgamal-hiding`).
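The two schemes are dual: Pedersen is perfectly hiding but only computationally binding, while ElGamal is perfectly binding but only computationally hiding, which is why the theorem above needs DDH. The following added Python example, not part of these notes, makes that concrete with an unbounded-adversary experiment: `P`, `Q`, `G`, `H` are constructed toy values (`H = 9 = 3^2` is a quadratic residue and so lies in the order-`Q` subgroup), and the exhaustive searches are feasible only because `Q = 1019`.

```python
# Constructed toy group (NOT secure): the order-Q subgroup of Z_P^*, generated by G.
P, Q, G, H = 2039, 1019, 4, 9


def pedersen_commit(m: int, r: int) -> int:
    """PedCom: C = g^m h^r."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def elgamal_commit(m: int, r: int):
    """ElGamalCom: C = (g^r, h^{m + r})."""
    return (pow(G, r % Q, P), pow(H, (m + r) % Q, P))


def elgamal_verify(C, m: int, r: int) -> bool:
    """The receiver's check of a revealed opening (m, r)."""
    return elgamal_commit(m, r) == tuple(C)


def elgamal_openings(C):
    """Exhaustive search (only feasible in the toy group): every (m, r) that opens C.

    The first component pins r (r -> g^r is injective in a group of order Q) and the second
    component then pins m + r, so the list always has exactly one entry. That is perfect
    binding; it also means an unbounded adversary reads m straight off the commitment,
    so hiding can only ever be computational.
    """
    c1, c2 = C
    rs = [r for r in range(Q) if pow(G, r, P) == c1]
    ss = [s for s in range(Q) if pow(H, s, P) == c2]
    return [((s - r) % Q, r) for r in rs for s in ss]


def pedersen_openings(C: int, m: int):
    """Every r that opens the Pedersen commitment C to the message m.

    For every m there is exactly one such r, so the same unbounded search learns nothing
    about which message was committed (perfect hiding). The flip side is that a valid
    opening to a different message always exists; binding only holds because finding it
    is as hard as computing log_g h.
    """
    return [r for r in range(Q) if pedersen_commit(m, r) == C]


if __name__ == "__main__":
    C = elgamal_commit(42, 7)
    print(elgamal_openings(C))            # [(42, 7)]: unique
    Cp = pedersen_commit(42, 7)
    print(pedersen_openings(Cp, 42))      # [7]
    print(pedersen_openings(Cp, 99))      # one other r: C is equally consistent with 99
```

When choosing between the two, the question is which failure is worse for the application: a Pedersen commitment stays hidden forever, even against a future adversary with unbounded computation, but its binding rests on DL; an ElGamal commitment can never be opened two ways, but its hiding rests on DDH and is lost if the group is ever broken.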

## Exercises

::::{exercise}
:label: ex-pedersen-binding

Argue that Pedersen commitments are binding under the DL assumption (Theorem {ref}`thm-pedersen-binding`).

:::{dropdown} **Proof**
Let $\mathcal{A}$ be an adversary that breaks the binding property of Pedersen commitments. That is, $\mathcal{A}$ outputs $(m_0, r_0, m_1, r_1)$ such that $m_0 \neq m_1$ and $g^{m_0}h^{r_0} = g^{m_1}h^{r_1}$.

We construct a PPT reduction $\mathcal{B}$ that breaks DL as follows:
- $\mathcal{B}$ receives $((\mathbb{G}, p, g), h)$ where $h = g^z$ for unknown $z$.
- $\mathcal{B}$ runs $\mathcal{A}$ with parameters $\mathsf{params} = ((\mathbb{G}, p, g), h)$.
- When $\mathcal{A}$ outputs $(m_0, r_0, m_1, r_1)$, we have $g^{m_0}h^{r_0} = g^{m_1}h^{r_1}$.
- This implies $g^{m_0 - m_1} = h^{r_1 - r_0}$, so $g^{m_0 - m_1} = g^{z(r_1 - r_0)}$.
- If $r_0 = r_1$, then $g^{m_0 - m_1} = 1$, which contradicts $m_0 \neq m_1$ (since $g$ generates $\mathbb{G}$).
- Therefore $r_0 \neq r_1$, and we can compute $z = \frac{m_0 - m_1}{r_1 - r_0} \bmod p$.
- $\mathcal{B}$ outputs $z$.

The reduction is perfect: whenever $\mathcal{A}$ succeeds in breaking binding, $\mathcal{B}$ succeeds in computing the discrete log. Therefore, $\mathsf{Adv}_{\mathcal{B}, \mathcal{G}}^{\mathsf{DL}} = \mathsf{Adv}_{\mathcal{A}, \mathsf{PedCom}}^{\mathsf{Bind}}$.
:::
::::

::::{exercise}
:label: ex-pedersen-trapdoor

(Optional) Knowledge of the discrete logarithm $x$ such that $g^x = h$ allows efficiently opening any Pedersen commitment to a second message, since $\mathsf{Commit}(\mathsf{params}, m, r) = \mathsf{Commit}(\mathsf{params}, m + x \bmod p, r - 1 \bmod p)$. Why does this not violate Theorem {ref}`thm-pedersen-binding`?

*Hint*: We have the relationship $g^m h^r = g^m (g^x)^r = g^{m + xr} = g^{(m + x) + x(r - 1)} = g^{m + x} (g^x)^{r-1} = g^{m + x} h^{r-1}$.

:::{dropdown} **Solution**
This does not violate the binding theorem because knowing $x = \log_g h$ means the DL problem has been solved for this instance. The binding theorem only claims that *if* the DL problem is hard, *then* the commitment scheme is binding. Since the hypothesis is not satisfied, the theorem makes no claim about binding.

This highlights that Pedersen commitments rely crucially on the setup assumption that no one knows the discrete logarithm relationship between $g$ and $h$.
:::
::::
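The reduction in the binding proof and the trapdoor of this exercise are the same arithmetic seen from two sides, so one added Python example (not part of these notes) covers both: `extract_dlog` is $\mathcal{B}$'s last step, recovering $z = \log_g h$ from two openings of one commitment, and `equivocate` is what a party who kept $x = \log_g h$ at setup can do. The group constants and the trapdoor value `x = 123` are constructed toy values.

```python
# Constructed toy group (NOT secure): the order-Q subgroup of Z_P^*, generated by G.
P, Q, G = 2039, 1019, 4


def commit(h: int, m: int, r: int) -> int:
    """Pedersen commitment g^m h^r for the given h."""
    return pow(G, m % Q, P) * pow(h, r % Q, P) % P


def extract_dlog(m0: int, r0: int, m1: int, r1: int) -> int:
    """The reduction B: two openings (m0, r0), (m1, r1) of one commitment yield z = log_g h.

    g^{m0} h^{r0} = g^{m1} h^{r1}  =>  g^{m0 - m1} = h^{r1 - r0}  =>  z = (m0 - m1) / (r1 - r0) mod Q.
    """
    if (m0 - m1) % Q == 0:
        raise ValueError("the openings must be to distinct messages")
    if (r1 - r0) % Q == 0:
        # Impossible for a genuine collision: g^{m0 - m1} = 1 would force m0 = m1 in a prime-order group.
        raise ValueError("equal randomness cannot open one commitment to two messages")
    return (m0 - m1) * pow((r1 - r0) % Q, -1, Q) % Q


def equivocate(x: int, m: int, r: int, m_new: int) -> int:
    """The trapdoor of the exercise: with x = log_g h, reopen Commit(m, r) to any m_new.

    g^m h^r = g^{m + x r}, so we need m + x r = m_new + x r_new, i.e. r_new = r + (m - m_new) / x.
    The exercise's special case m_new = m + x gives r_new = r - 1.
    """
    return (r + (m - m_new) * pow(x % Q, -1, Q)) % Q


def demo() -> int:
    # A dishonest setup: whoever chose h did so as g^x and kept x (constructed value).
    x = 123
    h = pow(G, x, P)
    m, r = 42, 7
    C = commit(h, m, r)
    r_new = equivocate(x, m, r, 99)          # C now also opens to 99 ...
    assert commit(h, 99, r_new) == C
    return extract_dlog(m, r, 99, r_new)     # ... and the two openings hand B exactly x


if __name__ == "__main__":
    print(demo())  # 123
```

The defensive consequence is the setup assumption the solution names: a receiver should accept Pedersen parameters only when $h$ was produced by a procedure nobody can have steered, for example by hashing a fixed label into the group (as in the earlier example) rather than by letting the committer pick $h$.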

::::{exercise}
:label: ex-pedersen-hiding

Argue that Pedersen commitments are perfectly hiding (Theorem {ref}`thm-pedersen-hiding`).

:::{dropdown} **Proof**
For any message $m \in \mathbb{Z}_p$, the commitment $C = g^m h^r$ is uniformly distributed over $\mathbb{G}$ when $r$ is chosen uniformly from $\mathbb{Z}_p$.

Since $h \in \mathbb{G} \setminus \{1_\mathbb{G}\}$ and $\mathbb{G}$ has prime order $p$, $h$ generates $\mathbb{G}$ (every non-identity element generates a prime-order group). Thus the map $r \mapsto h^r$ is a bijection from $\mathbb{Z}_p$ to $\mathbb{G}$.

For fixed $m$, the map $r \mapsto g^m h^r$ is also a bijection from $\mathbb{Z}_p$ to $\mathbb{G}$. Therefore, for any two messages $m_0, m_1$, the distributions of $\mathsf{Commit}(\mathsf{params}, m_0, r)$ and $\mathsf{Commit}(\mathsf{params}, m_1, r)$ for uniform $r$ are both uniform over $\mathbb{G}$.
:::
::::

::::{exercise}
:label: ex-elgamal-hiding

(Optional) Prove that ElGamal commitments are hiding under the DDH assumption (Theorem {ref}`thm-elgamal-hiding`).

:::{dropdown} **Proof**
Let $\mathcal{A}$ be an adversary against the hiding property of ElGamal. We construct a PPT reduction $\mathcal{B}$ against DDH:

- $\mathcal{B}$ receives $((\mathbb{G}, p, g), A, B, C)$ where $A = g^a$, $B = g^b$, and either $C = g^{ab}$ or $C = g^c$ for random $c$.
- $\mathcal{B}$ sets $h = B$ and gives $\mathsf{params} = ((\mathbb{G}, p, g), h)$ to $\mathcal{A}$.
- When $\mathcal{A}$ outputs $(m_0, m_1)$, $\mathcal{B}$ chooses $e \xleftarrow{\$} \{0, 1\}$ and computes the commitment $(A, B^{m_e} \cdot C)$.
- $\mathcal{B}$ gives this commitment to $\mathcal{A}$.
- When $\mathcal{A}$ outputs $e'$, $\mathcal{B}$ outputs $1$ if $e' = e$ and $0$ otherwise.

**Analysis:**

- When $C = g^{ab}$ (real tuple): The commitment $(A, B^{m_e} \cdot C) = (g^a, g^{b \cdot m_e} \cdot g^{ab}) = (g^a, g^{b(m_e + a)}) = (g^a, h^{m_e + a})$. This is a valid ElGamal commitment to $m_e$ with randomness $r = a$. Thus $\mathcal{B}$ perfectly simulates the hiding game, so $\left|\Pr[e = e' \mid C = g^{ab}] - \frac{1}{2}\right| = \mathsf{Adv}_{\mathcal{A}, \mathsf{ElGamalCom}}^{\mathsf{Hide}}$.
- When $C = g^c$ (random tuple): The commitment is $(A, B^{m_e} \cdot C) = (g^a, g^{bm_e + c})$. Since $c$ is uniformly random and independent of everything else, the second component is uniformly random in $\mathbb{G}$. The commitment reveals no information about $e$, so $\Pr[e = e' \mid C = g^c] = \frac{1}{2}$.

For the DDH advantage, let $d \in \{0, 1\}$ be the bit indicating whether the DDH tuple is real ($d = 1$ if $C = g^{ab}$, $d = 0$ if $C = g^c$), and let $d'$ be $\mathcal{B}$'s output bit. Recall that $\mathcal{B}$ outputs $d' = 1$ if $e' = e$ and $d' = 0$ otherwise.

$$
\begin{align*}
\mathsf{Adv}_{\mathcal{B}, \mathcal{G}}^{\mathsf{DDH}} &= \left|\Pr[d' = d] - \frac{1}{2}\right|\\
\Pr[d' = d] &= \Pr[d' = 1 \wedge d = 1] + \Pr[d' = 0 \wedge d = 0]\\
&= \Pr[d' = 1 \mid d = 1] \cdot \Pr[d = 1] + \Pr[d' = 0 \mid d = 0] \cdot \Pr[d = 0]\\
&= \frac{1}{2} \Pr[d' = 1 \mid C = g^{ab}] + \frac{1}{2} \Pr[d' = 0 \mid C = g^c]\\
&= \frac{1}{2} \Pr[d' = 1 \mid C = g^{ab}] + \frac{1}{2}(1 - \Pr[d' = 1 \mid C = g^c])\\
&= \frac{1}{2} \Pr[d' = 1 \mid C = g^{ab}] + \frac{1}{2} - \frac{1}{2}\Pr[d' = 1 \mid C = g^c]
\end{align*}
$$

Therefore:

$$
\begin{align*}
\mathsf{Adv}_{\mathcal{B}, \mathcal{G}}^{\mathsf{DDH}} &= \left|\frac{1}{2} \Pr[d' = 1 \mid C = g^{ab}] - \frac{1}{2}\Pr[d' = 1 \mid C = g^c]\right|\\
&= \frac{1}{2} \left|\Pr[d' = 1 \mid C = g^{ab}] - \Pr[d' = 1 \mid C = g^c]\right|\\
&= \frac{1}{2} \left|\Pr[e = e' \mid C = g^{ab}] - \Pr[e = e' \mid C = g^c]\right|\\
&= \frac{1}{2} \left|\Pr[e = e' \mid C = g^{ab}] - \frac{1}{2}\right|\\
&= \frac{1}{2} \cdot \mathsf{Adv}_{\mathcal{A}, \mathsf{ElGamalCom}}^{\mathsf{Hide}}
\end{align*}
$$

This gives us: $\mathsf{Adv}_{\mathcal{A}, \mathsf{ElGamalCom}}^{\mathsf{Hide}} = 2 \cdot \mathsf{Adv}_{\mathcal{B}, \mathcal{G}}^{\mathsf{DDH}}$. $\mathcal{B}$ is PPT if $\mathcal{A}$ is.
:::
::::
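As an added Python example (not part of these notes), the reduction $\mathcal{B}$ above run end to end on a constructed toy group, with a brute-force hiding adversary standing in for $\mathcal{A}$. The brute force is feasible only because `Q = 1019`, which is exactly the situation the theorem excludes by assuming DDH is hard; the point of the simulation is to watch the factor of 2 appear: on real tuples $\mathcal{B}$ outputs 1 every time, on random tuples about half the time, so $\mathsf{Adv}^{\mathsf{Hide}}_{\mathcal{A}} = \frac{1}{2}$ and $\mathsf{Adv}^{\mathsf{DDH}}_{\mathcal{B}} \approx \frac{1}{4}$. The group constants, the messages `42` and `99`, the trial count and the seed are all constructed values.

```python
import random

# Constructed toy group (NOT secure): the order-Q subgroup of Z_P^*, generated by G.
P, Q, G = 2039, 1019, 4

# The toy adversary's "unbounded" power: a full discrete-log table for g (Q = 1019 entries).
DLOG_G = {pow(G, i, P): i for i in range(Q)}


def elgamal_commit(h: int, m: int, r: int):
    """ElGamalCom for the given h: C = (g^r, h^{m + r})."""
    return (pow(G, r % Q, P), pow(h, (m + r) % Q, P))


def hiding_adversary(h: int, m0: int, m1: int, C, rng: random.Random) -> int:
    """A: a brute-force hiding adversary for the toy group.

    It reads r off g^r and m + r off h^{m+r} = g^{x(m+r)} with x = log_g h, then answers
    e' = 0 or 1 if the recovered message is m0 or m1 and guesses otherwise. On a genuine
    commitment it is always right, so Adv^Hide_A = |Pr[e' = e] - 1/2| = 1/2 here.
    """
    c1, c2 = C
    x = DLOG_G[h]
    r = DLOG_G[c1]
    m = (DLOG_G[c2] * pow(x, -1, Q) - r) % Q
    if m == m0:
        return 0
    if m == m1:
        return 1
    return rng.randrange(2)


def ddh_distinguisher(A: int, B: int, C: int, rng: random.Random, m0: int = 42, m1: int = 99) -> int:
    """B from the proof: h := B, challenge (A, B^{m_e} * C), output d' = 1 iff A's guess e' equals e."""
    h = B
    e = rng.randrange(2)
    challenge = (A, pow(B, (m0, m1)[e], P) * C % P)
    e_prime = hiding_adversary(h, m0, m1, challenge, rng)
    return 1 if e_prime == e else 0


def ddh_tuple(real: bool, rng: random.Random):
    """(g^a, g^b, g^{ab}) if real, else (g^a, g^b, g^c) for independent c. a, b != 0 keeps h != 1_G."""
    a, b = rng.randrange(1, Q), rng.randrange(1, Q)
    c = a * b % Q if real else rng.randrange(Q)
    return pow(G, a, P), pow(G, b, P), pow(G, c, P)


def estimate_advantages(trials: int = 600, seed: int = 7):
    """Empirically recover Adv^Hide_A = 2 * Adv^DDH_B. Returns (Pr[d'=1|real], Pr[d'=1|random], Adv_A, Adv_B)."""
    rng = random.Random(seed)
    pr_real = sum(ddh_distinguisher(*ddh_tuple(True, rng), rng) for _ in range(trials)) / trials
    pr_rand = sum(ddh_distinguisher(*ddh_tuple(False, rng), rng) for _ in range(trials)) / trials
    adv_a = abs(pr_real - 0.5)          # real tuples give a perfectly simulated hiding game
    adv_b = abs(pr_real - pr_rand) / 2  # (1/2) |Pr[d'=1 | real] - Pr[d'=1 | random]| from the proof
    return pr_real, pr_rand, adv_a, adv_b


if __name__ == "__main__":
    print(estimate_advantages())
```

Read against the proof: `pr_real` is $\Pr[e = e' \mid C = g^{ab}]$ (exactly 1 for this adversary, since the challenge is a well-formed commitment to $m_e$ with $r = a$), `pr_rand` is $\Pr[e = e' \mid C = g^c]$ (the second component is a fresh uniform group element, so the adversary's recovered message is independent of $e$ and the estimate hovers around $\frac{1}{2}$), and `adv_b` is half their difference.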