I'm implementing a Pedersen commitment scheme in order to enhance the entropy of a pre-image of a hash. I'm using secp256k1 for my curve parameters.

I am following naming conventions from here: What is a Pedersen commitment?

I am performing a commit $C = (m, r)$ and then another commit $C' = (m, r')$

Then I do the blind equality check $C - C' = (r - r')G.$

I got the blind equality check working, but only for some values of $r$. It looks like it works better when $r$ is a prime or when $r$ and $r'$ don't have common divisors.

What's the proper way to select $r$ values? Right now I am just selecting random values between 0 and 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f.

Ievgeni

2 Answers

1

According to this paper, $r$ ($t$ in the paper) should be picked uniformly at random in $\mathbb{Z}_q$ (i.e. $\big\{0, \dots, (q-1)\big\}$), with $q$ the order of $\mathbb{G}$.

According to this link the order is:

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

Then you have to select a random value in between $0$ and

FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364140 inclusive.

Ievgeni
0

I was doing mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F for $(r - r')$ and I just had to change it to mod 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141. Not an issue with $r$ selection per se, but with computing $(r - r')$.