Pedersen Commitments
The Pedersen commitment is a commitment scheme based on elliptic curve cryptography. The commitment itself is a point on a selected elliptic curve. The classic Pedersen commitment creates a commitment to a single value.
Pedersen Hash
In the verkle trie implementation we use Pedersen hashes rather than Pedersen commitments. The difference is that Pedersen hashes are used as a vector commitment to an ordered set of values - 256 values in verkle tries. The resulting digest is still an elliptic curve point - the Bandersnatch curve is specified in the verkle trie EIP. The Pedersen hash in the verkle trie implementation is defined as a multiscalar multiplication:
- C is the Pedersen hash, and is a Bandersnatch curve point
- are the basis or pregenerated Bandersnatch curve points for use in computing Pedersen hashes
- are scalar values
p = 13108968793781547619861935127046491459309155893440570251786403306729687672801, a 253-bit prime. Hence must be a 252-bit number to avoid overflow and/or truncation.
Additive homomorphism
A special property that Pedersen commitments and hashes have, that keccak256 hashes do not, is additive homomorphism. Additive homomorphism means that for two Pedersen hashes for value set , and for value set .
We are able to add two or more Pedersen hashes together, and the result will be same as if we had generated a single Pedersen hash from the sum of committed values.
This is not true for keccak256 hashes:
Additive homomorphism enables multiple optimisations in verkle tries that are not possible in the Merkle Patricia trie, which we will point out in later sections.