Implement Pedersen commit/open from scratch in Python over a prime-order subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ (or, for stretch, an elliptic curve). Demonstrate hiding empirically by showing two different messages with fresh randomness produce statistically indistinguishable commitment distributions, and demonstrate the binding reduction by showing that a colluding committer who *does* know $\log_g h$ can break binding — and that without that knowledge, even an adversary who tries millions of randomizations cannot. Your code must be small enough to be auditable in one sitting (under 200 lines) and your write-up must justify each design choice with a citation back to the relevant lemma from this module.
A test run might look like:
$ python test_pedersen.py
Group setup: p = 2147483647, q = 1073741789, g = 4, h = 9
Honest open : OK (1000/1000)
Additive homomorphism : OK (1000/1000)
Hiding chi-squared (commit to 0 vs 1) : p = 0.342 -> indistinguishable
Brute-force binding attempt (10^6 random r') : 0 collisions
$ python break_binding.py
Knowing log_g(h) = 17, second opening for c = 91827364:
honest: m = 42, r = 591018
malicious: m' = 43, r' = 591001
open(c, m, r) = True
open(c, m', r') = True <-- binding broken because we knew the trapdoor.
coincurve or pure-Python point arithmetic. Verify the same homomorphism and hiding tests pass.