Hacker News
by mehrdadn 2905 days ago
> They rely on the discrete logarithmic assumption

> Range proofs do not leak any information about the secret value

Could someone explain this? I can't say I followed the proof algorithm (don't have background on blinded Pedersen commitments etc.), but to me these sound contradictory. If you're relying on a discrete log assumption then it means you are leaking information, but you hope it's not enough information to reconstruct the secret. It doesn't sound like an algorithm that truly doesn't leak information (like OTP).

1 comments

The does-not-leak-information property doesn't depend on the discrete log assumption, but the binding property does. I.e., if you have an oracle that solves the discrete log problem you can now open commitments in different ways, but if someone else generates a commitment you still can't tell what their secret input was.

One thing I found useful is section 2.2 of https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf, on blinding in RSA.

Interesting, thanks!
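
The hiding/binding split described in the reply above, as an added example that is not part of the original thread: a toy Pedersen commitment where a brute-force loop stands in for the discrete log oracle. The group parameters, the exponent 777 and all function names are constructed for illustration; the group is far too small for real use.

```python
# Toy Pedersen commitment in the order-Q subgroup of Z_P^* (constructed parameters).
P, Q = 2039, 1019        # P = 2*Q + 1, both prime
G = 4                    # generates the subgroup of order Q
H = pow(G, 777, P)       # second generator; in real use nobody knows log_G(H)


def commit(m, r):
    """C = G^m * H^r mod P, with message m and blinding factor r in Z_Q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def dlog_oracle(y):
    """Stand-in for the hypothetical oracle: brute-force log_G(y).
    Feasible only because this toy group has 1019 elements."""
    acc = 1
    for x in range(Q):
        if acc == y:
            return x
        acc = acc * G % P
    raise ValueError("value is not in the subgroup generated by G")


def equivocate(m, r, m_new, x):
    """Binding breaks with x = log_G(H): return r_new such that
    commit(m_new, r_new) == commit(m, r)."""
    return (r + (m - m_new) * pow(x, -1, Q)) % Q


def consistent_openings(c):
    """Hiding holds even with the oracle: every message in Z_Q has exactly
    one blinding factor that opens c, so c alone singles out no message."""
    x = dlog_oracle(H)
    e = dlog_oracle(c)               # c = G^e with e = m + x*r mod Q
    x_inv = pow(x, -1, Q)
    return {m: (e - m) * x_inv % Q for m in range(Q)}


if __name__ == "__main__":
    c = commit(42, 123)
    x = dlog_oracle(H)
    r_new = equivocate(42, 123, 7, x)
    print("same commitment opened as 7:", commit(7, r_new) == c)
    print("messages consistent with c:", len(consistent_openings(c)), "of", Q)
```

With a uniformly random blinding factor, each of the 1019 candidate messages is equally likely given the commitment, which is why the oracle helps the committer cheat but does not help an observer learn the committed value.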