Pedersen Commitment
  • Only one possible value results in commitment:
    It is “binding”
    • Once u is revealed, commitment C can be verfied.
    • Binding: C can’t be changed for a given secret u.
    • Information leak: Two equal values equal identical commitments.

  • Random factor makes commitment “hiding”.
    • Different commitment regardless of value u.
    • Assumes generator of point H is unknown.

  • Broken commitment scheme:
    • Generator e of point H is known.
    • Value u can be modified, commitment remains identical.
  • ECDSA can be likened to a commitment scheme which can only be “broken” by owner of secret `e`.

  • R point:
    • Random point (blinding).
    • R point x-coordinate represented on left & right of equation.
    • Equation can only be balanced with secret e.

  • Signed message z:
    • For a given random point R, z is committed to on left side of equation.

  • ECDSA Validation:
    • z, r_x, s and public key P required to validate signature.
DER Encoding
  • libsecp256k1 replaced OpenSSL
    • OpenSSL suffers from encoding ambiguity across systems.
    • libsecp256k1 removes this dependency from project.

  • Strict encoding (BIP66)
    • Removes encoding malleability: Consensus enforced encoding standard.
    • Removes ECDSA malleability: low s values enforced.

  • DER signature is 70-72 Bytes long.
    • r_x length: 32/33 Bytes
      • 256bit signed value, no leading nulls
    • s length: 31/32 Bytes
      • Low s values enforced, no leading nulls