Clear DefinitionsCommitment Scheme
2 min read
Pronunciation
[kuh-mit-muhnt skeem]
Analogy
A commitment scheme is like writing your prediction for a sports game, sealing it in an envelope, and giving it to a friend before the game starts. They can't see your prediction yet (hiding property), you can't change it after giving them the envelope (binding property), and once the game ends, you can open the envelope to prove you correctly predicted the outcome without any possibility of having changed your prediction.
Definition
A cryptographic primitive that allows a user to commit to a chosen value while keeping it hidden, with the ability to reveal the value later. Commitment schemes in blockchain enable binding agreements to values without revealing them until a predetermined time.
Key Points Intro
Commitment schemes create cryptographic promises to values that can be verified later.
Key Points
Provides both hiding (conceals the committed value) and binding (prevents changing the value) properties.
Enables proving knowledge of information without revealing it until a later time.
Typically implemented using hash functions or homomorphic encryption.
Supports advanced blockchain mechanisms like sealed-bid auctions and atomic swaps.
Example
In a blockchain-based sealed-bid auction, participants use commitment schemes to submit their bids. Each bidder creates a commitment to their bid amount by hashing it with a random value (salt), submitting only this hash during the bidding phase. When the auction closes, bidders reveal their actual bids and the salt, allowing everyone to verify the original commitments match the revealed values, ensuring no one could change their bid after seeing others.
Technical Deep Dive
Commitment schemes implement two primary operations: commit(value, [randomness]) → commitment and reveal(commitment, value, [randomness]) → true/false. Common implementations include: (1) Hash-based commitments, where C = H(m || r) with message m, random salt r, and cryptographic hash function H—simple but does not support operations on committed values; (2) Pedersen commitments, where C = g^m * h^r using group elements g,h—offering homomorphic properties and perfect hiding; and (3) Vector commitments that can efficiently prove inclusion of specific elements. In blockchain applications, commitment schemes enable several advanced protocols: time-locked puzzles releasing information after certain blocks; confidential transactions hiding amounts until execution; zero-knowledge contingent payments ensuring fair exchange; and voting systems preventing bandwagon effects. The binding property can be computational (secure against bounded adversaries) or perfect (secure against unbounded adversaries), with similar distinctions for the hiding property. The choice between perfect hiding with computational binding or vice versa represents a fundamental design trade-off.
Security Warning
When implementing hash-based commitments, always include sufficient randomness (salt) with the committed value to prevent dictionary attacks where an attacker tries common values to match the commitment. The salt should be high-entropy (at least 128 bits) and not reused across different commitments.
Caveat
While commitment schemes provide powerful cryptographic properties, they typically require interaction (commitment phase followed by reveal phase), which can complicate blockchain protocols requiring asynchronous or non-interactive operations. Additionally, users must securely store their opening values (original data and randomness), as losing this information prevents successful revelation later.
Commitment Scheme - Related Articles
No related articles for this term.