Pedersen Commitment
==================

## Pedersen commitment:

$Gen(1^\lambda) \rightarrow ck$

$$
\begin{gathered}
g \leftarrow \mathbb{G}\\
h = g^x\\
ck:=(\mathbb{G}, p, g, h)
\end{gathered}
$$



$Com_{ck}(m) \rightarrow c$

$$
c:=(g^r, g^mh^r)
$$

```python
# secp256k1 group and field types from klefki
from klefki.types.algebra.concrete import EllipticCurveCyclicSubgroupSecp256k1 as ECC
from klefki.types.algebra.concrete import EllipticCurveGroupSecp256k1 as Curve
from klefki.types.algebra.concrete import FiniteFieldCyclicSecp256k1 as CF
from klefki.types.algebra.concrete import FiniteFieldSecp256k1 as F
from klefki.types.algebra.utils import randfield

G = ECC.G                     # first generator g
H = Curve.lift_x(F(1234567))  # second generator h, lifted from the x-coordinate 1234567
```


### $\Sigma$-protocol

Consider a commitment $A$ opening to $m$ to be part of the statement. The prover computes a random commitment $B = Com_{ck}(m; s)$ and sends it to the verifier, which answers with a random challenge $e$. The prover then sends opening information $z$ to the verifier, which checks that the commitment $A^e B$ opens to $m$ using randomness $z$.

$s \leftarrow \mathbb{Z}_p$

$B=Com_{ck}(m;s)$

$$
P \rightarrow V: B
$$

```python
# Statement: A commits to the message m with randomness r
m = randfield(CF)
r = randfield(CF)

A = G ** m + H ** r
```

```python
# Prover's first move: B commits to a random s (with the same randomness r as A)
s = randfield(CF)

B = G ** s * H ** r
```

$e \leftarrow \mathbb{Z}_p$

$$
P \leftarrow V: e
$$

```python
# Verifier's random challenge
e = randfield(CF)
```


$z = me + s; x = re + r$

$$
P \rightarrow V: z, x
$$

```python
# Prover's responses to the challenge e
z = m*e + s
x = r*e + r
```

Accept $\iff$ $B \in \mathbb{G}$, $z \in \mathbb{Z}_p$ and

$$
Com_{ck}(z;x) = A^eB
$$

```python
# Verifier's check: Com(z; x) == A^e * B
G ** z * H ** x == A ** e * B
```

```
True
```
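
Added example, not part of the original notebook or of klefki: the same three-move protocol over a constructed toy Schnorr group with plain Python integers, assuming the prover draws a fresh blinding value `t` for $B$ (so $x = re + t$). The cell that computes $B$ above reuses `r`; `recover_r_if_reused` shows what that costs, since $x = r(e+1)$ then gives the verifier $r$ and with it $g^m = A \cdot h^{-r}$.

```python
import secrets

# Constructed toy Schnorr group, far too small for real use: p = 2q + 1.
p, q = 2039, 1019
g, h = 4, 9  # both of order q; in real use log_g(h) must be unknown to everyone

def com(m, r):
    """Pedersen commitment g^m * h^r mod p."""
    return pow(g, m, p) * pow(h, r, p) % p

def announce(t=None):
    """Move 1: prover picks s and a blinding t, sends B = Com(s; t)."""
    s = secrets.randbelow(q)
    t = secrets.randbelow(q) if t is None else t  # passing t=r models the reuse
    return s, t, com(s, t)

def respond(m, r, s, t, e):
    """Move 3: z = m*e + s and x = r*e + t, both mod q."""
    return (m * e + s) % q, (r * e + t) % q

def verify(A, B, e, z, x):
    """Verifier accepts iff Com(z; x) == A^e * B."""
    return com(z, x) == pow(A, e, p) * B % p

def recover_r_if_reused(e, x):
    """With t == r the response is x = r*(e + 1), so r = x / (e + 1) mod q."""
    return x * pow(e + 1, -1, q) % q

def run(reuse):
    """One protocol run; returns (accepted, whether the verifier learned r)."""
    m, r = secrets.randbelow(q), secrets.randbelow(q)
    A = com(m, r)
    s, t, B = announce(t=r if reuse else None)
    e = secrets.randbelow(q - 1)  # challenge in [0, q-2], so e + 1 is invertible
    z, x = respond(m, r, s, t, e)
    return verify(A, B, e, z, x), recover_r_if_reused(e, x) == r

if __name__ == "__main__":
    print("fresh t :", run(reuse=False))
    print("reused r:", run(reuse=True))
```

Both runs verify; only the run with the reused `r` lets the verifier compute `r` from the transcript.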

## Implementation

```python
from klefki.zkp.pedersen import PedersonCommitment
```

```python
m = randfield(CF)
r = randfield(CF)

s = randfield(CF)
e = randfield(CF)
# x (from the run above) is the discrete log of the second generator G@x, i.e. the trapdoor
P = PedersonCommitment(G, G@x)
```

```python
P.commit(m, s, r)
```

```
(EllipticCurveGroupSecp256k1::(FiniteFieldSecp256k1::95771222117816217708881718807102509821103072166124819222082477513876662725682, FiniteFieldSecp256k1::53661793544851906685934263011221278489726293543098276914896008858465175439843),
 EllipticCurveGroupSecp256k1::(FiniteFieldSecp256k1::107315303072799722099306478109414610521287886973667896909794767258433800028050, FiniteFieldSecp256k1::65312734962547475331689058599869986212444955695058691182448999284027641641400))
```

```python
P.challenge(e)
```

```
(FiniteFieldCyclicSecp256k1::23643352095792902942260486383647479275018271565072204755251354959235782403354,
 FiniteFieldCyclicSecp256k1::79992057350724792021210372166131167454666993855658342235582282000606307835950)
```

```python
P.proof()
```

```
True
```

```python
# A different message m1, passed together with the trapdoor x
m1 = randfield(CF)

P.trapdoor(m1, x)
```

```python
P.challenge(e)
P.proof()
```

```
True
```