Pedersen Formulas Summary - garyyu/rust-secp256k1-zkp GitHub Wiki

As a summary of all previous pages about Pedersen Commitment, here list some useful formulas which could be reused in other pages frequently.

1. Generic form:

r*G + v*H

2. Balanced form, with 1 input and 2 outputs:

(ri*G + vi*H) = (roc*G + voc*H) + (ror*G + vor*H)

where

  • vi is the input amount
  • voc is the change output amount
  • vor is the receiver's output amount

And having:

  • ri = roc + ror
  • vi = voc + vor

For convenient writing, we name:

  • roc*G + voc*H as change output
  • ror*G + vor*H as receiver output.

3. Balanced form with fee, 1 input and 2 outputs, plus 1 fee:

(ri*G + vi*H) = (roc*G + voc*H) + (ror*G + vor*H) + (0*G + fee*H)

And having

  • vi = voc + vor + fee

4. Balanced form with excess, 1 input and 2 outputs, plus 1 fee:

(ri*G + vi*H) + excess = (roc*G + voc*H) + (ror*G + vor*H) + (0*G + fee*H)

where

  • excess = re*G, re is the secret for receiver output

5. Balanced form with excess and offset, 1 input and 2 outputs, plus 1 fee:

(ri*G + vi*H) + (excess'+ offset*G) = (roc*G + voc*H) + (ror*G + vor*H) + (0+fee*H)

where splitting normal excess into 2 parts:

  • excess', a more popular name public excess, because it's published into transaction kernel as the public key for signature.
  • offset, also named as kernel offset. It's published into transaction transparently, and miner sum all the offset of a block as total kernel offset and put it into block header.

And finally having these relations among them:

  • vi = voc + vor + fee
  • excess' = (roc-ri-offset)*G + ror*G, this is very useful for calculating public excess
  • change_output + receiver_output + (-offset*G + fee*H) = input + excess', this is the final form to check the balance. where:
    • change_output = roc*G + voc*H
    • receiver_output = ror*G + vor*H
    • -offset*G + fee*H, a special commitment only for balance checking
    • input = ri*G + vi*H

In the mutual coordination procedure of a confidential transaction, the sender tell receiver (roc-ri-offset)*G which is just one public key, without any private info leaking; the receiver generate secret ror and send public excess as the public key, also without any private info leaking.