Pre-migration documentation. This site reflects the pre-migration state of the protocol. It’s mostly current, but a few edges may not match ZERA at launch. We’re finalizing the new, detailed ZERA docs now. Thanks for your patience.
Commitment Layer Architecture
Pedersen Commitments and Nilpotent Group Extensions
The commitment layer is the cryptographic foundation for privacy‑preserving monetary operations, providing perfect hiding and computational binding.
1. Introduction
Zero‑knowledge cash systems require a mechanism for parties to commit to transaction values without revealing those values to external observers. The commitment scheme must satisfy two fundamental properties: hiding and binding.
1.1 The Role of Commitments
The commitment layer enables homomorphic operations on hidden transaction amounts. Both hash‑based commitments (H(m ‖ r)) and Pedersen commitments are opened the same way, by revealing the message and the randomness; the difference is that a hash output has no algebraic structure, whereas Pedersen commitments are additively homomorphic, so commitments to hidden amounts can be combined and checked (for example, that a sum of hidden values equals another hidden value) without revealing any individual value.
2. Mathematical Foundations
2.1 Group‑Theoretic Prerequisites
Definition 1 (Cyclic Group): A group G is cyclic if there exists g ∈ G such that every element of G can be written as g^k for some integer k.
Definition 2 (Discrete Logarithm Problem): Given a cyclic group G of prime order q, a generator g, and an element h ∈ G, find x with 0 ≤ x ≤ q−1 such that g^x = h.
2.2 Security Properties
Definition 3 (Perfect Hiding): A commitment scheme is perfectly hiding if the commitment reveals no information about the committed message, even to a computationally unbounded adversary.
Definition 4 (Computational Binding): A commitment scheme is computationally binding if no polynomial‑time adversary can find two openings (m, r) and (m′, r′) with m ≠ m′ that produce the same commitment, except with negligible probability.
3. Pedersen Commitment Scheme
3.1 Construction and Definition
Setup: Let G be a cyclic group of prime order q where the discrete logarithm problem is hard. Choose two generators g, h ∈ G such that log_g(h) is unknown to all parties.
Commitment: C(m, r) = g^m · h^r ∈ G
To commit to a message m ∈ Z_q, choose r uniformly at random from Z_q and compute C(m, r) = g^m · h^r. The pair (m, r) is the opening; r must stay secret until the commitment is opened and must never be reused.
3.2 Perfect Hiding
Because q is prime, h generates G, so for any fixed m the map r ↦ g^m · h^r is a bijection from Z_q onto G. A commitment C(m, r) with uniform r is therefore uniformly distributed over G whatever m is, and even a computationally unbounded observer learns nothing about m. Equivalently, for every m′ there exists an r′ with C(m′, r′) = C(m, r).
3.3 Computational Binding
Suppose an adversary finds (m, r) and (m′, r′) with m ≠ m′ and g^m · h^r = g^{m′} · h^{r′}. Then r ≠ r′ (otherwise g^m = g^{m′} forces m = m′), and h^{r − r′} = g^{m′ − m}, so log_g(h) = (m′ − m) · (r − r′)^{−1} mod q. A binding break thus yields the discrete logarithm of h to base g, contradicting the hardness assumption. Binding holds only while log_g(h) is unknown: anyone who knows it can open a commitment to any value of their choosing.
3.4 Additive Homomorphic Property
C(m1, r1) · C(m2, r2) = C(m1 + m2, r1 + r2)
This enables privacy‑preserving arithmetic on hidden values without revealing individual amounts.
4. Implementation Considerations
- Choose well‑vetted elliptic curves of prime order (or with a prime‑order subgroup) in which the discrete logarithm problem is believed to be hard.
- Generators g and h must be independent: nobody may know log_g(h). Derive h from a fixed, public domain‑separation string with a hash‑to‑curve procedure (e.g. RFC 9380) rather than choosing it by hand.
- Draw r from a cryptographically secure RNG and never reuse it; implement scalar multiplication in constant time, since both m and r are secret.
- Validate that received commitments are valid group elements (on the curve and in the prime‑order subgroup) before using them, and ship comprehensive test vectors.
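The construction of section 3 and the checklist of section 4, as an added worked example that is not ZERA's own code: a pure‑Python Pedersen commitment over secp256k1 (an assumed curve; the page names Curve25519 and P‑256), with the second generator H derived by hashing a fixed tag to a curve point, an on‑curve membership check, the homomorphic‑addition identity of 3.4, and a demonstration of why log_g(h) must stay unknown: with a trapdoored H = k·G the committer can open one commitment to two different values. The domain tag, the function names and the try‑and‑increment derivation of H are assumptions for illustration; production code should use RFC 9380 hash‑to‑curve and constant‑time scalar multiplication.

```python
# Added example (not ZERA's own code): Pedersen commitments over secp256k1 in pure Python.
# Assumptions: secp256k1 as the group (the page only names Curve25519 and P-256), a second
# generator H derived by try-and-increment hashing of a fixed tag, and additive notation
# (m*G + r*H is the page's g^m * h^r). Scalar multiplication is double-and-add and NOT
# constant-time; this code exists to show the math, not for production use.
import hashlib

P = 2**256 - 2**32 - 977                      # secp256k1 field prime; P % 4 == 3
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                    # point at infinity (group identity)

def on_curve(pt):
    """Group-membership check: accept only points on y^2 = x^3 + 7 (secp256k1 has cofactor 1)."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0

def add(p1, p2):
    """Affine point addition (handles identity, doubling and inverse pairs)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication by double-and-add (variable-time, see header comment)."""
    acc = INF
    for bit in bin(k % N)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def hash_to_point(tag: bytes):
    """Nothing-up-my-sleeve generator: hash the tag plus a counter to an x-coordinate and
    step the counter until x^3 + 7 is a square. Nobody learns log_G(H) this way, which is
    what binding needs. Production code should use RFC 9380 hash_to_curve instead."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(tag + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x * x * x + 7) % P
        y = pow(rhs, (P + 1) // 4, P)          # valid square root formula since P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

H = hash_to_point(b"ZERA-pedersen-H-v1")     # assumed tag; any fixed public string works

def commit(m: int, r: int):
    """C(m, r) = m*G + r*H, the page's g^m * h^r in additive notation."""
    return add(mul(m, G), mul(r, H))

def open_commitment(c, m: int, r: int) -> bool:
    """Opening reveals (m, r); the verifier checks membership, recomputes and compares."""
    return on_curve(c) and c == commit(m, r)

def homomorphic_add_holds(m1, r1, m2, r2) -> bool:
    """C(m1, r1) + C(m2, r2) == C(m1 + m2, r1 + r2): the additive homomorphism of 3.4."""
    lhs = add(commit(m1, r1), commit(m2, r2))
    return lhs == commit((m1 + m2) % N, (r1 + r2) % N)

def equivocate_with_trapdoor(k: int, m: int, r: int, m_fake: int):
    """Why log_G(H) must be unknown: if H = k*G for a known k, C(m, r) = (m + k*r)*G, so the
    committer opens it to m_fake with r_fake = r + (m - m_fake)/k mod N. Returns r_fake and
    whether the fake opening matches the original commitment under the trapdoored H."""
    h_trap = mul(k, G)
    c = add(mul(m, G), mul(r, h_trap))
    r_fake = (r + (m - m_fake) * pow(k, -1, N)) % N
    c_fake = add(mul(m_fake, G), mul(r_fake, h_trap))
    return r_fake, c == c_fake

if __name__ == "__main__":
    import secrets
    r = secrets.randbelow(N)                  # CSPRNG randomness, as section 4 requires
    c = commit(42, r)
    print("opens correctly:", open_commitment(c, 42, r))
    print("wrong value rejected:", not open_commitment(c, 43, r))
    print("homomorphic:", homomorphic_add_holds(5, r, 7, 3))
    print("trapdoor breaks binding:", equivocate_with_trapdoor(12345, 42, r, 0)[1])
```

The equivocation routine is the constructive form of the binding argument: knowing k = log_G(H) is exactly the information a binding break would reveal, and the same fake opening is rejected against the honestly derived H because nobody knows its discrete logarithm.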
5. Nilpotent Group Extensions
5.1 Nilpotent Groups
Definition 5 (Nilpotent Group): A group G is nilpotent of class n if its lower central series terminates after n steps: G = G_1 ⊃ G_2 ⊃ ... ⊃ G_{n+1} = {1}, where G_{i+1} = [G_i, G] and [g, h] = g h g^{−1} h^{−1}.
5.2 Commutator Identities
In a group of class n, the left‑normed commutator of weight n, [g_1, ..., g_n] = [[...[g_1, g_2], g_3], ...], g_n], takes values in the central subgroup G_n and is multilinear in its arguments, so for all integers a_1, ..., a_n:
[g_1^{a_1}, ..., g_n^{a_n}] = [g_1, ..., g_n]^{a_1 · a_2 · ... · a_n}
5.3 Multilinear Maps
Definition 6 (n‑linear Map): A function e: G^n → G_T is n‑linear if for all a_i ∈ Z and g_i ∈ G:
e(g_1^{a_1}, ..., g_n^{a_n}) = e(g_1, ..., g_n)^{a_1 · ... · a_n}
This enables multilinear protocols without pairings and can offer efficiency and simplicity advantages.
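The identity of 5.2 and the 2‑linear case of Definition 6, as an added example that is not part of the original page: the integer Heisenberg group of 3×3 upper‑unitriangular matrices is nilpotent of class 2 (the page names no specific group; this one is assumed for illustration), and the code checks in it that [A^a, B^b] = [A, B]^{ab}, that commutators are central, and that a commutator of weight 3 is trivial. Function names are the example's own.

```python
# Added example (not ZERA's own code): the commutator identity of section 5.2 checked in the
# integer Heisenberg group, the smallest interesting nilpotent group (assumed here; the page
# does not pick a group). Convention as on the page: [g, h] = g h g^-1 h^-1.
# The group has class 2: every commutator lies in the centre (only the top-right entry is
# nonzero), so [G, [G, G]] is trivial and the weight-2 commutator is bilinear.

def mat_mul(X, Y):
    """Exact integer 3x3 matrix product (tuples keep elements hashable and comparable)."""
    return tuple(tuple(sum(X[i][k] * Y[k][j] for k in range(3)) for j in range(3))
                 for i in range(3))

def heis(x, y, z):
    """The element [[1, x, z], [0, 1, y], [0, 0, 1]]; every group element has this form."""
    return ((1, x, z), (0, 1, y), (0, 0, 1))

I3 = heis(0, 0, 0)                     # identity element

def inv(X):
    """Exact inverse: (x, y, z)^-1 = (-x, -y, x*y - z)."""
    x, y, z = X[0][1], X[1][2], X[0][2]
    return heis(-x, -y, x * y - z)

def power(X, a):
    """X^a for any integer a (negative exponents go through the inverse)."""
    base = X if a >= 0 else inv(X)
    acc = I3
    for _ in range(abs(a)):
        acc = mat_mul(acc, base)
    return acc

def commutator(g, h):
    """[g, h] = g h g^-1 h^-1, the page's convention."""
    return mat_mul(mat_mul(g, h), mat_mul(inv(g), inv(h)))

def is_central(X):
    """X commutes with every group element iff its x and y entries are zero."""
    return X[0][1] == 0 and X[1][2] == 0

def commutator_identity_holds(A, B, a, b):
    """[A^a, B^b] == [A, B]^(a*b): the n = 2 instance of 5.2, i.e. e(g1, g2) = [g1, g2]
    is a 2-linear map in the sense of Definition 6 (with G_T the centre)."""
    return commutator(power(A, a), power(B, b)) == power(commutator(A, B), a * b)

def weight3_commutator_trivial(A, B, C):
    """Class 2 means G_3 = [[G, G], G] = {1}: [[A, B], C] is the identity for all A, B, C."""
    return commutator(commutator(A, B), C) == I3

if __name__ == "__main__":
    X, Y = heis(1, 0, 0), heis(0, 1, 0)      # the two standard generators
    print("[X, Y] central:", is_central(commutator(X, Y)))
    print("[X^3, Y^5] == [X, Y]^15:", commutator_identity_holds(X, Y, 3, 5))
    print("weight-3 commutator trivial:", weight3_commutator_trivial(X, Y, heis(5, -2, 9)))
```

For generators X = heis(1, 0, 0) and Y = heis(0, 1, 0) the commutator [X, Y] is heis(0, 0, 1), so [X^a, Y^b] = heis(0, 0, a·b): the exponents multiply exactly as the identity in 5.2 states. The same computation with a non‑central third argument shows why the identity is stated for weight equal to the class and not beyond it.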
6. Complexity & Security Summary
| Operation | Time (group operations) | Space | Security level |
|---|---|---|---|
| Commitment creation | O(log q) | O(1) | ≈128‑bit for a 256‑bit prime‑order group |
| Commitment opening | O(log q) | O(1) | ≈128‑bit for a 256‑bit prime‑order group |
| Homomorphic addition | O(1) | O(1) | ≈128‑bit for a 256‑bit prime‑order group |
| Nilpotent commutation | O(n · log q) | O(1) | Variable (depends on the chosen group) |
The 128‑bit figures assume a 256‑bit curve such as P‑256 or Curve25519 and refer to binding only; hiding is information‑theoretic and does not degrade with attacker computing power.
6.1 Implementation Checklist
- Draw r from a CSPRNG and never reuse it across commitments
- Validate subgroup membership: on the curve, and in the prime‑order subgroup on cofactor curves such as Curve25519
- Constant‑time scalar multiplication, since m and r are secret
- Use well‑vetted curves (Curve25519, P‑256)
- Ship test vectors
6.2 Post‑Quantum Considerations
- Shor's algorithm solves the discrete logarithm in polynomial time on a large quantum computer. This breaks binding (an attacker who computes log_g(h) can open a commitment to any value), while perfect hiding, which rests on no hardness assumption, survives
- Evaluate lattice‑based and hash‑based commitments
- Plan migration paths to post‑quantum primitives