This repository was archived by the owner on Dec 28, 2023. It is now read-only.
forked from mimblewimble/rust-secp256k1-zkp
Pedersen Formulas Summary
Gary Yu edited this page Aug 4, 2018 · 1 revision
This page summarizes the previous pages about Pedersen Commitment and lists some useful formulas that are reused frequently in other pages.
r*G + v*H
(ri*G + vi*H) = (roc*G + voc*H) + (ror*G + vor*H)
where
- `vi` is the input amount
- `voc` is the change output amount
- `vor` is the receiver's output amount
And having:
ri = roc + ror
vi = voc + vor
For convenience, we name:
- `roc*G + voc*H` the change output
- `ror*G + vor*H` the receiver output
(ri*G + vi*H) = (roc*G + voc*H) + (ror*G + vor*H) + (0*G + fee*H)
And having
vi = voc + vor + fee
(ri*G + vi*H) + excess = (roc*G + voc*H) + (ror*G + vor*H) + (0*G + fee*H)
where
- `excess = re*G`, and `re` is the secret for receiver output
(ri*G + vi*H) + (excess' + offset*G) = (roc*G + voc*H) + (ror*G + vor*H) + (0*G + fee*H)
where the normal excess is split into 2 parts:
- `excess'`, more commonly called the public excess, because it is published in the transaction kernel as the public key for the signature.
- `offset`, also called the kernel offset. It is published in the transaction in the clear; miners sum all the offsets of a block into the total kernel offset and put it into the block header.
And finally, these relations hold among them:
vi = voc + vor + fee
- `excess' = (roc-ri-offset)*G + ror*G`, which is very useful for calculating the public excess
- `change_output + receiver_output + (-offset*G + fee*H) = input + excess'`, which is the final form used to check the balance, where:
  - `change_output = roc*G + voc*H`
  - `receiver_output = ror*G + vor*H`
  - `-offset*G + fee*H` is a special commitment used only for balance checking
  - `input = ri*G + vi*H`
In the mutual coordination procedure of a confidential transaction, the sender tells the receiver `(roc-ri-offset)*G`, which is just one public key and leaks no private information; the receiver generates the secret `ror` and sends the public excess as the public key, also without leaking any private information.