pedersen

package
v0.1.0 Latest
Published: Feb 16, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

README

Pedersen Commitments

Pedersen commitments are perfectly hiding and computationally binding (under the discrete logarithm assumption) over a prime-order group. This package implements a two-generator instantiation with additive homomorphism and re-randomisation support.

Overview

  • Common reference string: two independent generators g and h of the same prime-order group.
  • Commitment to scalar message $m$ with randomness $r$: $C = g^m \cdot h^r$.
  • Additive homomorphism: multiplying commitments corresponds to adding messages; commitments can be re-randomised without changing the message.
  • All types implement CBOR encoding for transport and persistence.

Types

  • Key: holds generators g and h; constructor rejects identity elements and identical generators.
  • Message: wraps the scalar message in the group’s field.
  • Witness: randomness used to hide the message.
  • Commitment: prime-group element representing $g^m \cdot h^r$.
  • Scheme: wires the committer and verifier around a fixed Key.

Algorithms

  • Commit(message, prng): samples a fresh witness from the scalar field and returns (commitment, witness) where $commitment = g^{message} \cdot h^{witness}$.
  • CommitWithWitness(message, witness): deterministic commitment using caller-supplied randomness.
  • Verify(commitment, message, witness): recomputes $g^{message} \cdot h^{witness}$ and compares with the provided commitment.
  • ReRandomise(commitment, key, prng): blinds an existing commitment with fresh randomness, returning the updated commitment and witness.

Homomorphism

Multiplying two commitments combines their messages and randomness additively. Scalar multiplication by a Message scales the committed value. These operations make the scheme suitable for simple aggregation or linear proof systems.
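
The algorithms and homomorphic identities described above, as an added example that is not this package's code or API: a self-contained sketch using math/big over a toy group (p = 23, q = 11, g = 4, h = 9, all constructed). The function names are hypothetical stand-ins for Commit, Verify, Op, ScalarOp and ReRandomise, and the last check shows why the generators must be independent.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy CRS (constructed): p = 2q+1, and g, h both have prime order q mod p.
// Far too small for real use; here log_g(h) = 8 is trivially found.
var p, q, g, h = big.NewInt(23), big.NewInt(11), big.NewInt(4), big.NewInt(9)

// validKey: neither generator is the identity, and the generators differ.
func validKey(g, h *big.Int) bool {
	one := big.NewInt(1)
	return g.Cmp(one) != 0 && h.Cmp(one) != 0 && g.Cmp(h) != 0
}

// commit returns C = g^m * h^r mod p, reducing exponents mod q.
func commit(m, r int64) *big.Int {
	gm := new(big.Int).Exp(g, new(big.Int).Mod(big.NewInt(m), q), p)
	hr := new(big.Int).Exp(h, new(big.Int).Mod(big.NewInt(r), q), p)
	return gm.Mod(gm.Mul(gm, hr), p)
}

// verify recomputes g^m * h^r and compares it with c.
func verify(c *big.Int, m, r int64) bool { return commit(m, r).Cmp(c) == 0 }

// op multiplies commitments; the result opens to (m1+m2, r1+r2).
func op(a, b *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(a, b), p)
}

// scalarOp raises c to k (k > 0); the result opens to (k*m, k*r).
func scalarOp(c *big.Int, k int64) *big.Int {
	return new(big.Int).Exp(c, big.NewInt(k), p)
}

// reRandomise blinds c with h^extra; it opens to (m, r+extra).
func reRandomise(c *big.Int, extra int64) *big.Int { return op(c, commit(0, extra)) }

func main() {
	c1, c2 := commit(3, 7), commit(5, 2)
	fmt.Println("key ok:", validKey(g, h), "open:", verify(c1, 3, 7))
	fmt.Println("sum:", verify(op(c1, c2), 8, 9), "scaled:", verify(scalarOp(c1, 4), 12, 28))
	fmt.Println("rerandomised:", verify(reRandomise(c1, 6), 3, 13))
	// Binding depends on log_g(h) being unknown: with x = 8 known, the
	// same c1 also opens to (0, 6), since 3 + 8*7 = 0 + 8*6 (mod 11).
	fmt.Println("equivocation with known log:", verify(c1, 0, 6))
}
```

In a production group the second generator is derived so that nobody knows its discrete logarithm with respect to the first, which is what makes the final check infeasible to satisfy.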

Documentation

Overview

Package pedersen provides Pedersen commitments, which are perfectly hiding and computationally binding.

See README.md for details.

Index

Constants

const Name commitments.Name = "pedersen"

Name identifies the Pedersen commitment scheme.

Variables

var (
	ErrInvalidArgument = errs.New("invalid arguments")
	ErrFailed          = errs.New("failed")
	ErrSerialisation   = errs.New("serialisation/deserialisation failed")
)

Functions

This section is empty.

Types

type Commitment

type Commitment[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}

Commitment represents a Pedersen commitment value held in the prime order group.

func NewCommitment

func NewCommitment[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]](v E) (*Commitment[E, S], error)

NewCommitment wraps the provided group element as a commitment, rejecting the identity element.

func (*Commitment[E, S]) Bytes

func (c *Commitment[E, S]) Bytes() []byte

Bytes serialises the commitment to its canonical byte representation.

func (*Commitment[E, S]) Clone

func (c *Commitment[E, S]) Clone() *Commitment[E, S]

Clone returns a deep copy of the commitment.

func (*Commitment[E, S]) Equal

func (c *Commitment[E, S]) Equal(other *Commitment[E, S]) bool

Equal reports whether both commitments hold the same group element (and handles nils).

func (*Commitment[E, S]) HashCode

func (c *Commitment[E, S]) HashCode() base.HashCode

HashCode returns a hash of the commitment for use in maps or sets.

func (*Commitment[E, S]) MarshalCBOR

func (c *Commitment[E, S]) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes the commitment into CBOR format.

func (*Commitment[E, S]) Op

func (c *Commitment[E, S]) Op(other *Commitment[E, S]) *Commitment[E, S]

Op combines two commitments using the group operation.

func (*Commitment[E, S]) ReRandomise

func (c *Commitment[E, S]) ReRandomise(key *Key[E, S], prng io.Reader) (*Commitment[E, S], *Witness[S], error)

ReRandomise samples fresh randomness and blinds the commitment, returning the new commitment and witness.

func (*Commitment[E, S]) ReRandomiseWithWitness

func (c *Commitment[E, S]) ReRandomiseWithWitness(key *Key[E, S], r *Witness[S]) (*Commitment[E, S], error)

ReRandomiseWithWitness blinds the commitment using the provided witness randomness.

func (*Commitment[E, S]) ScalarOp

func (c *Commitment[E, S]) ScalarOp(message *Message[S]) *Commitment[E, S]

ScalarOp raises the commitment to the given message scalar.

func (*Commitment[E, S]) UnmarshalCBOR

func (c *Commitment[E, S]) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes a CBOR commitment into the receiver.

func (*Commitment[E, S]) Value

func (c *Commitment[E, S]) Value() E

Value returns the underlying group element of the commitment.

type Committer

type Committer[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}

Committer produces Pedersen commitments using the provided key.

func (*Committer[E, S]) Commit

func (c *Committer[E, S]) Commit(message *Message[S], prng io.Reader) (*Commitment[E, S], *Witness[S], error)

Commit samples fresh randomness and commits to a message, returning the commitment and witness.

func (*Committer[E, S]) CommitWithWitness

func (c *Committer[E, S]) CommitWithWitness(message *Message[S], witness *Witness[S]) (*Commitment[E, S], error)

CommitWithWitness commits to a message using caller-supplied witness randomness.

type CommitterOption

type CommitterOption[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] = func(*Committer[E, S]) error

CommitterOption is a functional option for configuring committers.

type Key

type Key[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}

Key holds the generators defining a Pedersen commitment CRS.

func NewCommitmentKey

func NewCommitmentKey[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]](g, h E) (*Key[E, S], error)

NewCommitmentKey validates and constructs a Pedersen key from two independent generators.

func (*Key[E, S]) Bytes

func (k *Key[E, S]) Bytes() []byte

Bytes concatenates the encoded generators.

func (*Key[E, S]) G

func (k *Key[E, S]) G() E

G returns the first generator.

func (*Key[E, S]) Group

func (k *Key[E, S]) Group() algebra.PrimeGroup[E, S]

Group exposes the prime group structure shared by the generators.

func (*Key[E, S]) H

func (k *Key[E, S]) H() E

H returns the second generator used for hiding randomness.

func (*Key[E, S]) MarshalCBOR

func (k *Key[E, S]) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes the key into CBOR format.

func (*Key[E, S]) UnmarshalCBOR

func (k *Key[E, S]) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes a CBOR-encoded key into the receiver.

type Message

type Message[S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}

Message wraps a scalar plaintext committed with Pedersen commitments.

func NewMessage

func NewMessage[S algebra.PrimeFieldElement[S]](v S) *Message[S]

NewMessage constructs a message from the provided scalar value.

func (*Message[S]) Add

func (m *Message[S]) Add(other *Message[S]) *Message[S]

Add performs field addition with another message.

func (*Message[S]) Bytes

func (m *Message[S]) Bytes() []byte

Bytes serialises the message to bytes using the scalar encoding.

func (*Message[S]) Clone

func (m *Message[S]) Clone() *Message[S]

Clone returns a deep copy of the message.

func (*Message[S]) Equal

func (m *Message[S]) Equal(other *Message[S]) bool

Equal reports whether the two messages represent the same scalar (and handles nils).

func (*Message[S]) HashCode

func (m *Message[S]) HashCode() base.HashCode

HashCode returns a hash of the message value.

func (*Message[S]) MarshalCBOR

func (m *Message[S]) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes the message into CBOR format.

func (*Message[S]) Mul

func (m *Message[S]) Mul(other *Message[S]) *Message[S]

Mul multiplies two messages in the underlying field.

func (*Message[S]) Op

func (m *Message[S]) Op(other *Message[S]) *Message[S]

Op adds another message in the underlying field.

func (*Message[S]) OtherOp

func (m *Message[S]) OtherOp(other *Message[S]) *Message[S]

OtherOp multiplies with another message in the field.

func (*Message[S]) UnmarshalCBOR

func (m *Message[S]) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes a CBOR message into the receiver.

func (*Message[S]) Value

func (m *Message[S]) Value() S

Value returns the underlying scalar.

type Scheme

type Scheme[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}

Scheme wires together the Pedersen CRS with its committer and verifier.

func NewScheme

func NewScheme[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]](key *Key[E, S]) (*Scheme[E, S], error)

NewScheme validates and constructs a Pedersen commitment scheme from the provided key.

func (*Scheme[E, S]) Committer

func (s *Scheme[E, S]) Committer(opts ...CommitterOption[E, S]) (*Committer[E, S], error)

Committer returns a committer configured with the scheme key.

func (*Scheme[E, S]) Group

func (s *Scheme[E, S]) Group() algebra.PrimeGroup[E, S]

Group returns the prime group used by the scheme.

func (*Scheme[E, S]) Key

func (s *Scheme[E, S]) Key() *Key[E, S]

Key exposes the scheme CRS.

func (*Scheme[_, _]) Name

func (*Scheme[_, _]) Name() commitments.Name

Name returns the identifier of the Pedersen commitment scheme.

func (*Scheme[E, S]) Verifier

func (s *Scheme[E, S]) Verifier(opts ...VerifierOption[E, S]) (*Verifier[E, S], error)

Verifier returns a verifier compatible with commitments produced by this scheme.

type Verifier

type Verifier[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] struct {
	commitments.GenericVerifier[*Committer[E, S], *Witness[S], *Message[S], *Commitment[E, S]]
}

Verifier checks Pedersen commitments against provided messages and witnesses.

type VerifierOption

type VerifierOption[E algebra.PrimeGroupElement[E, S], S algebra.PrimeFieldElement[S]] = func(*Verifier[E, S]) error

VerifierOption is a functional option for configuring verifiers.

type Witness

type Witness[S algebra.PrimeFieldElement[S]] struct {
	// contains filtered or unexported fields
}

Witness holds the randomness used to hide the committed message.

func NewWitness

func NewWitness[S algebra.PrimeFieldElement[S]](v S) (*Witness[S], error)

NewWitness constructs a witness, rejecting zero values to prevent degenerate commitments.

func (*Witness[S]) Add

func (w *Witness[S]) Add(other *Witness[S]) *Witness[S]

Add performs field addition with another witness.

func (*Witness[S]) Clone

func (w *Witness[S]) Clone() *Witness[S]

Clone returns a deep copy of the witness.

func (*Witness[S]) Equal

func (w *Witness[S]) Equal(other *Witness[S]) bool

Equal reports whether the two witnesses hold the same scalar (and handles nils).

func (*Witness[S]) HashCode

func (w *Witness[S]) HashCode() base.HashCode

HashCode returns a hash of the witness value.

func (*Witness[S]) MarshalCBOR

func (w *Witness[S]) MarshalCBOR() ([]byte, error)

MarshalCBOR encodes the witness into CBOR format.

func (*Witness[S]) Mul

func (w *Witness[S]) Mul(other *Witness[S]) *Witness[S]

Mul multiplies two witnesses in the underlying field.

func (*Witness[S]) Op

func (w *Witness[S]) Op(other *Witness[S]) *Witness[S]

Op adds two witnesses in the field.

func (*Witness[S]) OtherOp

func (w *Witness[S]) OtherOp(other *Witness[S]) *Witness[S]

OtherOp multiplies with another witness in the field.

func (*Witness[S]) UnmarshalCBOR

func (w *Witness[S]) UnmarshalCBOR(data []byte) error

UnmarshalCBOR decodes a CBOR witness into the receiver.

func (*Witness[S]) Value

func (w *Witness[S]) Value() S

Value returns the witness scalar.
