pedersen-commitment.md 2.13 KB
Newer Older
erciccione's avatar
erciccione committed
1 2
---
entry: "Pedersen Commitment"
3
terms: ["commitments", "commitment", "pedersen", "pedersen-commitment", "pedersen-commitments"]
el00ruobuob's avatar
el00ruobuob committed
4
summary: "Pedersen commitments are cryptographic algorythms that allow a prover to commit to a certain value without revealing it or being able to change it"
erciccione's avatar
erciccione committed
5 6
---

el00ruobuob's avatar
el00ruobuob committed
7
{% include untranslated.html %}
erciccione's avatar
erciccione committed
8 9
### The Basics

el00ruobuob's avatar
el00ruobuob committed
10 11
Pedersen commitments are cryptographic algorythms that allow a prover to commit to a certain value without revealing it or being able to change it.

erciccione's avatar
erciccione committed
12 13 14 15 16 17 18 19
When you spend Monero, the value of the inputs that you are spending and the value of the outputs you are sending are encrypted and opaque to everyone except the recipient of each of those outputs. Pedersen commitments allow you to send Monero without revealing the value of the transactions. Pedersen commitments also make it possible for people to verify that transactions on the blockchain are valid and not creating Monero out of thin air.

### What It Means

As long as the encrypted output amounts created, which include an output for the recipient and a change output back to the sender, and the unencrypted transaction fee is equal to the sum of the inputs that are being spent, it is a legitimate transaction and can be confirmed to not be creating Monero out of thin air.

Pedersen commitments mean that the sums can be verified as being equal, but the Monero value of each of the sums and the Monero value of the inputs and outputs individually are undeterminable. Pedersen commitments also mean that even the ratio of one input to another, or one output to another is undeterminable.

el00ruobuob's avatar
el00ruobuob committed
20
It is unclear which inputs are really being spent as the ring signature lists both the real inputs being spent and decoy inputs, therefore you don't actually know which input Pedersen commitments need to be summed. That's okay, because the @RingCT ring signature only has to prove that for one combination of the inputs the outputs are equal to the sum of the inputs. For mathematical reasons, this is impossible to forge.
erciccione's avatar
erciccione committed
21 22 23 24

### In-depth Information

See information in [Ring Confidential Transactions paper](https://eprint.iacr.org/2015/1098.pdf) by Shen Noether of the Monero Research Lab.