From a34450b66da45de60ae8d5c256352c910e640673 Mon Sep 17 00:00:00 2001 From: Sergey Kaunov Date: Thu, 27 Jun 2024 06:34:17 +0300 Subject: [PATCH] Update pedersen.md Am not absolutely sure, but looks like a typo to me. --- content/docs/zkdocs/commitments/pedersen.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/zkdocs/commitments/pedersen.md b/content/docs/zkdocs/commitments/pedersen.md index 0004d98..348dff5 100644 --- a/content/docs/zkdocs/commitments/pedersen.md +++ b/content/docs/zkdocs/commitments/pedersen.md @@ -35,7 +35,7 @@ Suppose Alice has sent Bob a commitment $c=C\left(s,t\right)$ to a value $s$. Sh That means Alice has to find $t'$ such that $g^{s'}h^{t'}=c$. Since $g^{s'}$ and $c$ are already fixed, Alice is left to solve $h^{t'}=cg^{-s'}$. In other words, she needs to compute $t'=\log\_{h}\left(cg^{-s'}\right)$. Since the discrete logarithm problem is supposed to be hard in $G$, Alice will have a difficult time finding $t'$. -Before committing to a value, Alice can also look for distinct pairs $\left(s,t\right),\left(s',t'\right)$ such that $C\left(s,t\right)=C\left(s',t'\right)$, without regard for the specific values of $s$ and $s'$. This is _also_ equivalent to computing a discrete logarithm in $G$. As the Pedersen paper points out: given $C\left(s,t\right)=C\left(s',s'\right)$, where $s'\neq s$, then $t'\neq t$, and it is possible to compute the discrete logarithm of $h$ with respect to $g$: +Before committing to a value, Alice can also look for distinct pairs $\left(s,t\right),\left(s',t'\right)$ such that $C\left(s,t\right)=C\left(s',t'\right)$, without regard for the specific values of $s$ and $s'$. This is _also_ equivalent to computing a discrete logarithm in $G$. As the Pedersen paper points out: given $C\left(s,t\right)=C\left(s',t'\right)$, where $s'\neq s$, then $t'\neq t$, and it is possible to compute the discrete logarithm of $h$ with respect to $g$: $$ \log\_{g}\left(h\right)=\frac{s-s'}{t'-t}\pmod{q}