1. Introduction
Pedersen Commitments are at the heart of how Monero conceals transaction amounts. The notion of a confidential transaction as enabled by Pedersen Commitments was outlined and defined by Gregory Maxwell in [1]. In what follows we first introduce the notion of a group homomorphism (of which the Pedersen Commitment map is a particular instance), then define the Pedersen Commitment map, and finally present the mechanisms of a confidential transaction enabled by such a map.
2. Group homomorphism
Let and
be 2 groups with respective group operations
and
. A function
is called a group homomorphism if and only if
In other terms, operating on 2 elements in and then applying
is equivalent to applying
on each element separately and then operating on the 2 outputs in
.
We now introduce a specific instance of a group homomorphism that we will invoke when concealing transaction amounts with Monero as part of the confidential transaction construct. In particular, we conduct arithmetic in the subgroup of the elliptic curve group
introduced in part 5 (refer to the post entitled Elliptic Curve Groups for an introduction to this topic).
Let , and let
where
denotes element-wise addition in modulo
arithmetic over
It is a known result in group theory that if is a generator of a cyclic group
of order
, then there are
elements of the group that have order
(
is the Euler function introduced in part 1). In our case, the generator
of
has prime order
. Moreover
(since
is prime). Hence we can find
other generators of
. Let
be another generator such that the DL (discrete logarithm) of
with respect to
is unknown. We define the Pedersen Commitment map (which we will later use to build a confidential transaction) as follows:
We claim that the map is additively homomorphic. To see why, let
We then have:
(where denotes
over
)
hence is homomorphic.
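The additive homomorphism claimed above can be checked numerically. The following Python code is an added example, not code from the original post or from Monero: it assumes the standard form of the Pedersen Commitment, C(x, a) = xG + aH with x the blinding factor and a the amount, works in the prime-order subgroup of the Ed25519 curve, and derives the second generator H with a hypothetical try-and-increment hash (`hash_to_generator`), which is not how Monero derives its H. All function names are chosen for this example.

```python
import hashlib

# Ed25519: -x^2 + y^2 = 1 + D x^2 y^2 over F_P, group order 8*L with L prime.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, -1, P) % P
IDENTITY = (0, 1)

def recover_x(y):
    """Return an x with (x, y) on the curve, or None if no such x exists."""
    xx = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(xx, (P + 3) // 8, P)           # square-root candidate, P = 5 mod 8
    if (x * x - xx) % P != 0:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    return x if (x * x - xx) % P == 0 else None

def add(a, b):
    """Complete twisted Edwards addition in affine coordinates."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hash_to_generator(label):
    """Assumption for this example: hash to a curve point, then clear the cofactor 8."""
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        x = recover_x(y)
        h = mul(8, (x, y)) if x is not None else IDENTITY
        if h != IDENTITY:
            return h  # order L, and nobody chose its discrete log w.r.t. G
    raise ValueError("no point found")

GY = 4 * pow(5, -1, P) % P
G = (recover_x(GY), GY)                       # Ed25519 base point, up to sign of x
H = hash_to_generator(b"constructed-example-H")  # constructed label

def commit(x, a):
    """Pedersen commitment C(x, a) = x*G + a*H, scalars reduced mod L."""
    return add(mul(x % L, G), mul(a % L, H))
```

Adding two commitments as curve points gives the commitment to the sums of the blinding factors and of the amounts, with both sums taken modulo the subgroup order.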