Skip to main content

Pedersen Commitments

The Pedersen commitment is a commitment scheme based on elliptic curve cryptography. The commitment itself is a point on a selected elliptic curve. The classic Pedersen commitment creates a commitment to a single value.

Pedersen Hash

In the verkle trie implementation we use Pedersen hashes rather than Pedersen commitments. The difference is that Pedersen hashes are used as a vector commitment to an ordered set of values - 256 values (v0,v1,...,v255)(v_0, v_1, ..., v_{255}) in verkle tries. The resulting digest is still an elliptic curve point - the Bandersnatch curve is specified in the verkle trie EIP. The Pedersen hash in the verkle trie implementation is defined as a multiscalar multiplication:

C=v0G0+v1G1+...+v255G255C = v_0 * G_0 + v_1 * G_1 + ... + v_{255} * G_{255}

  • C is the Pedersen hash, and is a Bandersnatch curve point
  • (G0,G1,...,G255)(G_0, G_1, ..., G_{255}) are the basis or pregenerated Bandersnatch curve points for use in computing Pedersen hashes
  • (v0,v1,...,v255)(v_0, v_1, ..., v_{255}) are scalar values Fp\in \mathbb{F}_p

p = 13108968793781547619861935127046491459309155893440570251786403306729687672801, a 253-bit prime. Hence viFpv_i \in \mathbb{F}_p must be a 252-bit number to avoid overflow and/or truncation.

Additive homomorphism

A special property that Pedersen commitments and hashes have, that keccak256 hashes do not, is additive homomorphism. Additive homomorphism means that for two Pedersen hashes C0C_0 for value set S0=(v0,...,v255)S_0 = (v_0, ..., v_{255}), and C1C_1 for value set S1=(w0,...,w255)S_1 = (w_0, ..., w_{255}).


C0+C1C_0 + C_1

=Pedersenhash(S0)+Pedersenhash(S1)=Pedersen\>hash(S_0) + Pedersen\>hash(S_1)

=(v0G0+v1G1+...+v255G255)+(w0G0+w1G1+...+w255G255)=(v_0 * G_0 + v_1 * G_1 + ... + v_{255} * G_{255}) + (w_0 * G_0 + w_1 * G_1 + ... + w_{255} * G_{255})

=((v0+w0)G0+(v1+w1)G1+...+(v255+w255)G255)=( (v_0 + w_0) * G_0 + (v_1 + w_1) * G_1 + ... + (v_{255} + w_{255}) * G_{255} )

=Pedersenhash(S0+S1)= Pedersen\>hash(S_0 + S_1)


We are able to add two or more Pedersen hashes together, and the result will be same as if we had generated a single Pedersen hash from the sum of committed values.

This is not true for keccak256 hashes: keccak256(v0)+keccak256(v1)keccak256(v0+v1)keccak256(v_0) + keccak256(v_1) \neq keccak256(v_0 + v_1)

Additive homomorphism enables multiple optimisations in verkle tries that are not possible in the Merkle Patricia trie, which we will point out in later sections.