May I ask that the parameter requirement of Pedersen commitment?
For $g^{x~modq}h^{r~modq}mod p$, does p depends on q? Or does it only depend on the security parameter desired? How large will the p needs to be given q?
Thanks!
Asked
Active
Viewed 44 times
0
js wang
- 381
- 1
- 10
1 Answers
1
does p depends on q?
Well, yes (actually, I'd phrase it as $q$ depends on $p$, but that's really the same thing).
$q$ needs to be the size of the subgroup generated by $g$ and $h$. Because of how the math works, that means that $q$ must be a factor of $p-1$. If it's not, then there will not be a $q$-sized subgroup in $\mathbb{Z}_p^*$ (and so $g, h$ cannot generate a subgroup of that size). In that sense, the value that $q$ can be depends on $p$.
Now, these details do change if we do Pedersen commitments in Elliptic Curve groups (because the size of the group is not necessarily $p-1$, but an integer $n$ that is not too far from $p$). But, the same basic principle will apply.
poncho
- 154,064
- 12
- 239
- 382