
Does any of you know what the difference is between the Pedersen commitment and the commitment that uses the ElGamal encryption scheme?

For the sake of completeness, I recall what both of them look like.

Given two public and large primes $p$ and $q$ such that $q∣(p−1)$, and a (also public) generator $g$ of the order-$q$ subgroup $G \subset \mathbb{Z}^{⋆}_p$, and given two random (secret) values $a,r \in \mathbb Z_q$, we have that in order to commit to a message $m \in \mathbb{Z}_q$, we just have to compute the commitment $c=g^m h^r \pmod{p}$, where $h=g^a \pmod{p}$. Then, to open the commitment, we need the values $m$ and $r$ to be revealed, so that the commitment receiver can verify the commitment.

In the ElGamal encryption (for example, in the exponential version, which looks more like the Pedersen commitment) we also have a generator $g$ of a multiplicative group $G$ of order $q$, a private $x \in \mathbb{Z}_q$, and a public $h=g^x$. In order to encrypt a message $m$, we take a random $r \in \mathbb{Z}_q$ and compute $(g^r, g^m h^r)$. To me, the second part of the tuple looks very much like the Pedersen commitment.

The fact that any encryption scheme can be used as a commitment scheme is well known. However, I often see the Pedersen commitment mentioned as something completely different from the commitment that uses an ElGamal encryption, and I was wondering whether there is any difference between the two, or whether they are actually the same.

cygnusv
LRM

1 Answer

The main difference is that Pedersen commitments are unconditionally hiding, since a given $g^mh^r$ is an information-theoretically hiding commitment, i.e., even an unbounded adversary will not be able to figure out $m$.

In exponential ElGamal encryption, since you publish $(g^r,g^mh^r)$, the commitment so obtained is no longer unconditionally hiding, but only computationally hiding. Note that an unbounded adversary can simply try all possible $r \in \mathbb{Z}_q$ until one matches $g^r$ and then, with this knowledge, try all possible $m \in \mathbb{Z}_q$ until one matches $g^mh^r$.

Now, if you were to publish only the second component of ElGamal, i.e., $g^mh^r$, as the commitment and discard the first, this actually is a Pedersen commitment (as the setting you use is identical, i.e., working in a prime-order-$q$ subgroup of $\mathbb{Z}_p^*$). The problem is that when using this modified type of ElGamal encryption and the person computing the commitment knows the secret key $x$ with $h=g^x$, the ciphertext component $g^mh^r$ is no longer a binding commitment. Observe that you can then choose an arbitrary $m' \in \mathbb{Z}_q$ and solve the equation

$m+xr\equiv m'+xr' \pmod q$

for the only unknown $r' \in \mathbb{Z}_q$, which implies that

$g^mh^r = g^{m'}h^{r'} \pmod{p}$

holds and thus, the commitment to $(m,r)$ can be opened to other arbitrary values $(m',r')$ (thus not binding at all).

Note that in fact it is essential for the Pedersen commitment that the parameters $g$ and $h$ are computed by a trusted third party such that the discrete log $a$ between $g$ and $h$ is unknown. Otherwise you would have the same problem as with this "take the second ciphertext component of ElGamal encryption" commitment. If you want to have such a property, you obtain a trapdoor commitment with trapdoor $a$ (which allows you to arbitrarily open the commitment if you know the trapdoor $a$, as discussed above).

Edit:

As Ricky Demer mentioned in his comments I assumed that the commitment is non-interactive. If the receiver chooses the parameters for the commitment scheme and sends them to the sender, then unconditional hiding is given (it must only be ensured that the sender does not know the dlog between $g$ and $h$).

As tylo mentioned in the comments it is also interesting to look at the binding properties of both approaches.

Pedersen commitments are computationally binding under the dlog assumption, as seen above.

The exponential ElGamal version, publishing $(g^r,g^mh^r)$, is, however, unconditionally binding, as the first component $g^r$ uniquely determines $r$. Thus $m$ in $g^mh^r$ is uniquely determined as well.

DrLecter
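The following is an added worked example, not code from the question or the answer. It runs the whole argument above in a toy prime-order subgroup (q = 11, p = 2q + 1 = 23, g = 2; all parameters, the trapdoor x = 7, and the message/randomness 4, 9 are constructed for illustration and far too small for real use): a Pedersen commitment $g^m h^r$, the exponential ElGamal pair $(g^r, g^m h^r)$, the trapdoor opening that solves $m + xr \equiv m' + xr' \pmod q$ for $r'$ when $x = \log_g h$ is known, the brute-force attack an unbounded adversary runs on the ElGamal pair, and the count of consistent openings that makes the bare Pedersen value perfectly hiding.

```python
"""Pedersen vs. exponential-ElGamal commitments in a toy prime-order subgroup.

Added example; not from the original question or answer.  The group
parameters are constructed for illustration and far too small for real use:
q = 11, p = 2q + 1 = 23, and g = 2 generates the order-11 subgroup of Z_23^*.
"""

P = 23          # prime modulus p
Q = 11          # prime order q of the subgroup, q | (p - 1)
G = 2           # generator of the order-q subgroup of Z_p^*


def pedersen_commit(m, r, h, g=G, p=P):
    """c = g^m h^r mod p  (this is also the second ElGamal ciphertext component)."""
    return (pow(g, m, p) * pow(h, r, p)) % p


def pedersen_open(c, m, r, h, g=G, p=P):
    """The receiver accepts an opening (m, r) iff it recomputes c."""
    return c == pedersen_commit(m, r, h, g, p)


def elgamal_encrypt(m, r, h, g=G, p=P):
    """Exponential ElGamal: (g^r, g^m h^r)."""
    return (pow(g, r, p), pedersen_commit(m, r, h, g, p))


def elgamal_open(ct, m, r, h, g=G, p=P):
    """Treat the whole ciphertext as the commitment: both components must match."""
    return ct == elgamal_encrypt(m, r, h, g, p)


def equivocate(m, r, m_prime, x, q=Q):
    """Trapdoor opening: with x = log_g h known, solve
    m + x r = m' + x r'  (mod q)  for r'.  Needs Python >= 3.8 for pow(x, -1, q)."""
    return (r + (m - m_prime) * pow(x, -1, q)) % q


def brute_force_elgamal(ct, h, g=G, p=P, q=Q):
    """What an unbounded adversary does with (g^r, g^m h^r): recover r from the
    first component, then m from the second.  Returns (m, r) or None."""
    c1, c2 = ct
    for r in range(q):
        if pow(g, r, p) == c1:
            for m in range(q):
                if pedersen_commit(m, r, h, g, p) == c2:
                    return (m, r)
    return None


def consistent_openings(c, h, g=G, p=P, q=Q):
    """All (m, r) pairs that open a bare Pedersen commitment c.  Perfect hiding:
    every m in Z_q has exactly one r that works, so c reveals nothing about m."""
    return [(m, r) for m in range(q) for r in range(q)
            if pedersen_commit(m, r, h, g, p) == c]


if __name__ == "__main__":
    x = 7                     # secret key / trapdoor (constructed value)
    h = pow(G, x, P)          # h = g^x, i.e. the dlog between g and h is known
    m, r = 4, 9               # message and randomness (constructed values)

    c = pedersen_commit(m, r, h)
    ct = elgamal_encrypt(m, r, h)
    print("Pedersen commitment:", c, "  ElGamal ciphertext:", ct)

    # Knowing x breaks binding of the bare g^m h^r ...
    m2 = 5
    r2 = equivocate(m, r, m2, x)
    print("equivocated opening", (m2, r2), "accepted by Pedersen:",
          pedersen_open(c, m2, r2, h))
    # ... but not of the full ElGamal pair, since g^{r'} != g^r.
    print("same opening accepted against the ElGamal pair:",
          elgamal_open(ct, m2, r2, h))

    # Hiding: the ElGamal pair falls to brute force; the Pedersen value does not,
    # because every message has a consistent opening.
    print("brute force on the ElGamal pair recovers (m, r):", brute_force_elgamal(ct, h))
    opens = consistent_openings(c, h)
    print("Pedersen openings found:", len(opens), "for", Q, "possible messages")
```

Run as a script it prints the equivocated opening $(5, 1)$ being accepted by the bare commitment but rejected by the ElGamal pair, the brute-force recovery of $(4, 9)$ from the pair, and 11 consistent openings (one per message) for the Pedersen value. Swapping the constructed trapdoor for a setup in which nobody knows $\log_g h$ is exactly what turns the same `pedersen_commit` into a binding commitment.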