
Topic: Monero Pedersen commitments (Read 48 times)

jr. member
Activity: 46
Merit: 29
October 16, 2024, 09:01:32 AM
#4
Pedersen commitments in Monero use two different generator points to ensure security. One point masks the amount while the other point, with an unknown factor, ensures that the commitment remains secure. If the factor were known, it could potentially compromise the security by linking the commitments to the actual amounts.

If we switch H to G and reduce the original equation, we get this:

C = (y + b)*G

Using this, it seems like everything should still work just fine. We still have the pseudo-random mask y and shouldn't be able to calculate b from C. Where would the vulnerability be if we could reduce the original equation like this?
?
Activity: -
Merit: -
October 16, 2024, 08:47:05 AM
#3
Pedersen commitments in Monero use two different generator points to ensure security. One point masks the amount while the other point, with an unknown factor, ensures that the commitment remains secure. If the factor were known, it could potentially compromise the security by linking the commitments to the actual amounts.
full member
Activity: 329
Merit: 197
Two-way squared
October 16, 2024, 06:02:28 AM
#2
If H = µG then µ is the so-called discrete logarithm. The one who knows it can open a commitment to an arbitrary value. And in particular, if H = G then µ = 1.

On the other paw, the purpose of this additional point is to ensure a hiding property. If we simplify the equation by removing it (and thus not using the masking field element), the commitment is still binding to the message, but doesn't hide it due to the lack of masking by randomness.
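The point made in reply #2, applied to the H = G case asked about in reply #4, as an added example that is not part of the original thread. It assumes a toy prime-order group (P, Q, G below) standing in for Monero's curve; all function names and sample values are constructed for illustration.

```python
# Toy prime-order group standing in for Monero's curve (assumption, illustration only).
# p = 2q + 1; G generates the subgroup of prime order q. Additive notation as in the thread.
P, Q, G = 1019, 509, 4

def mul(k, point):
    """Scalar multiplication k*point."""
    return pow(point, k % Q, P)

def add(a, b):
    """Point addition a + b."""
    return (a * b) % P

def commit(y, b, H):
    """C = yG + bH, with mask y and amount b."""
    return add(mul(y, G), mul(b, H))

def equivocate(y, b, b_new, mu):
    """Knowing mu (H = mu*G), find y_new with y_new*G + b_new*H == y*G + b*H."""
    return (y + mu * (b - b_new)) % Q

def guess_amount(C, H, max_amount):
    """With no mask, C = bH is deterministic, so small amounts can be enumerated."""
    for b in range(max_amount + 1):
        if mul(b, H) == C:
            return b
    return None

def demo():
    y, b, b_fake = 123, 10, 500          # constructed mask and amounts
    results = {}
    for label, mu in (("mu known", 77), ("H = G", 1)):
        H = mul(mu, G)
        C = commit(y, b, H)
        y_fake = equivocate(y, b, b_fake, mu)
        # Same commitment, two different valid openings: binding is gone.
        results[label] = (y_fake != y and commit(y_fake, b_fake, H) == C)
    # Hiding needs the mask: bH alone leaks b by enumeration.
    H = mul(77, G)
    results["unmasked leaks"] = guess_amount(mul(b, H), H, 400) == b
    return results

if __name__ == "__main__":
    print(demo())
```

With H = G the commitment C = (y + b)G still hides b, but it no longer binds: any split of y + b into a mask and an amount is a valid opening.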
jr. member
Activity: 46
Merit: 29
October 15, 2024, 11:00:37 PM
#1
I've been reading Zero to Monero and just learned about Pedersen commitments. I'm not sure if they use different equations or not, but the one I learned is

C = yG + bH

y is the mask and b is the amount. H is some known generator point µG where µ is unknown.

Is µ truly unknown, and if it's not unknown, is this a security vulnerability? Also, what's the purpose of H? Why can't G be used in its place?