A bit commitment scheme is a two-phase protocol between a committer and a verifier. In the commit phase, the committer locks in a secret bit b by sending an encrypted or hashed value, called the commitment, to the verifier. At this point, the verifier cannot determine b (the hiding property). In the later reveal phase, the committer sends additional information that opens the commitment, allowing the verifier to check that the revealed bit matches the original commitment, preventing the committer from changing it (the binding property).
LABS
Glossary
Bit Commitment
Bit commitment is a foundational cryptographic protocol where one party commits to a secret bit or value, hiding it from others until a later reveal phase, ensuring the committed value cannot be changed.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is Bit Commitment?
Bit commitment is a fundamental cryptographic protocol that allows one party to commit to a chosen bit (0 or 1) to another party, with the ability to reveal it later, while ensuring the commitment is both binding and hiding.
The core security properties are non-negotiable. Hiding ensures the verifier gains zero knowledge about the bit before the reveal, typically achieved using a one-way function or encryption with a random nonce (also called a salt or blinding factor). Binding guarantees that once the commitment is sent, the committer cannot find two different openings for different bits, which is often enforced by the collision resistance of a cryptographic hash function like SHA-256. These properties make the protocol analogous to sealing a value in a locked box and handing it over, with only the committer holding the key.
Bit commitment is a critical building block for more complex protocols. It is the essential engine behind zero-knowledge proofs, where a prover commits to information before a challenge is issued. It underpins secure coin tossing over a network, verifiable random functions (VRFs), and many blockchain-specific mechanisms. In blockchain, a simplified form of commitment is seen in transactions: you commit to a set of inputs and outputs by publishing their hash in the mempool, and later reveal the full details when the transaction is mined, binding you to the original terms.
Practical implementations often use a hash-based commitment: commitment = H(nonce || bit), where H is a cryptographic hash function and || denotes concatenation. To reveal, the committer provides the (nonce, bit) pair. The verifier recomputes the hash to verify. This method is binding if the hash is collision-resistant and hiding if the nonce is sufficiently random. More advanced schemes, like Pedersen commitments, provide additional properties like homomorphism, allowing for commitments to be combined mathematically, which is vital for confidential transactions in cryptocurrencies like Monero.
The concept extends beyond single bits to string commitment or vector commitment, where an entire message or set of values is committed. In blockchain scalability solutions, such as rollups, commitments to batches of transactions (often as a Merkle root) are posted to a base layer like Ethereum. This acts as a powerful bit commitment to the entire batch state, allowing for trust-minimized verification and dispute resolution through fraud proofs or validity proofs.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How Bit Commitment Works
Bit commitment is a fundamental cryptographic protocol that allows one party to commit to a chosen bit (0 or 1) while keeping it hidden from others, with the ability to later reveal the committed bit in a way that is verifiable and binding.
A bit commitment scheme is a two-phase protocol between a committer and a verifier. In the commit phase, the committer locks in a secret bit b by generating and sending a piece of data called a commitment. This commitment, often a cryptographic hash, conceals the bit's value. In the subsequent reveal phase, the committer sends additional information (the opening) that allows the verifier to check that the revealed bit matches the original commitment. The scheme must satisfy two core properties: hiding, which ensures the commitment reveals no information about b, and binding, which prevents the committer from changing the bit after the commitment is sent.
The classic analogy is writing the bit on a piece of paper, locking it in a safe, and giving the safe to the verifier. Later, you provide the key. The safe's contents are hidden until opened, and you cannot change the note inside after handing over the safe, making the commitment binding. In practice, this is achieved using cryptographic functions. A simple method uses a cryptographic hash function H. To commit to bit b, the committer selects a random nonce r and computes the commitment c = H(b || r), sending only c. To reveal, they send the pair (b, r). The verifier recomputes H(b || r) and checks it equals c.
More robust implementations, essential for blockchain systems, often use Pedersen commitments or schemes based on the discrete logarithm problem. These provide perfect hiding and computational binding, or vice-versa, under specific cryptographic assumptions. This flexibility is crucial for advanced protocols like zero-knowledge proofs and confidential transactions. The binding property is typically enforced by the computational difficulty of finding collisions for the commitment function, making it infeasible for the committer to find two different openings (b, r) and (b', r') that hash to the same value c.
In blockchain and cryptocurrency contexts, bit commitment is a foundational building block. It is used directly in protocols like coin flipping and secure auctions, and forms the basis for more complex constructs. For instance, Merkle trees can be seen as a form of vector commitment, committing to a set of data. The concept is also integral to Lightning Network payment channels, where hashed timelock contracts (HTLCs) use a hash commitment to lock funds contingent on revealing a secret preimage. This ensures that a payment can be securely routed across untrusted nodes.
The security of a bit commitment scheme is defined by its resilience against a computationally bounded adversary. Hiding ensures the verifier cannot learn b from c faster than by brute force (computational hiding) or at all (perfect hiding). Binding ensures the committer cannot feasibly produce a valid opening for a different bit. These properties are often in tension; a scheme may be perfectly hiding but computationally binding, or perfectly binding but computationally hiding. The choice depends on the protocol's trust model and required security guarantees. Modern schemes strive for efficiency in both communication and computation, especially for use in scalable decentralized systems.
key-properties
BIT COMMITMENT
Key Cryptographic Properties
Bit commitment is a cryptographic protocol that allows one party to commit to a chosen value while keeping it hidden, with the ability to later reveal it in a way that proves the commitment was not altered.
01
The Core Protocol
A bit commitment scheme involves two phases: the commit phase and the reveal phase. In the commit phase, the sender (the committer) locks a secret value b (a bit or string) into a digital "envelope" called a commitment. They send this commitment to a receiver. In the reveal phase, the sender later opens the envelope by sending the original value b and any necessary opening key, allowing the receiver to verify it matches the initial commitment.
02
Hiding Property
The hiding property ensures the commitment reveals no information about the committed value b to the receiver before the reveal phase. The commitment must be computationally infeasible to invert, acting as a one-way function. This is typically achieved using cryptographic hash functions (e.g., commit = H(b, r) where r is a random nonce or salt) or encryption schemes.
03
Binding Property
The binding property guarantees that once the committer sends the commitment, they cannot change the committed value b to a different value b' during the reveal phase. The receiver must be able to verify with overwhelming probability that the revealed value is the one originally committed. A secure scheme must be either computationally binding (hard to find collisions) or perfectly binding (information-theoretically impossible).
04
Common Constructions
Two primary methods are used to construct commitment schemes:
- Hash-Based:
C = H(b || r). Simple and widely used, relying on the collision resistance of the hash functionH(e.g., SHA-256). - Pedersen Commitment:
C = g^b * h^rin a cyclic group. Provides perfect hiding and computational binding, and is additively homomorphic, making it essential for confidential transactions in cryptocurrencies like Monero.
05
Applications in Blockchain
Bit commitment is a foundational primitive for:
- Zero-Knowledge Proofs: Used to commit to witness values before proving statements about them.
- Coin Tossing & Fair Protocols: Enables secure remote decision-making.
- Sealed-Bid Auctions: Bids are committed before the opening phase.
- Lightning Network: HTLCs (Hashed Timelock Contracts) use hash-based commitments to secure payment channels.
06
Security Models & Variations
Schemes are analyzed under different adversarial models:
- Computational Security: Security holds if the adversary has bounded computational power (common for hash-based schemes).
- Information-Theoretic Security: Security holds against an adversary with unlimited power for one property (e.g., Pedersen is perfectly hiding). Variations include string commitment (for longer messages) and vector commitment (for committing to ordered lists).
etymology
CONCEPTUAL ROOTS
Etymology and Origin
The term 'bit commitment' originates from the foundational fields of cryptography and theoretical computer science, predating its critical application in blockchain technology.
The concept of a bit commitment scheme is a fundamental cryptographic primitive that allows one party, the committer, to seal a value (traditionally a single bit, hence 'bit') in a digital envelope. This act of commitment binds the committer to that value without revealing it, while the reveal phase allows them to later prove what was sealed. This two-phase protocol—commit then reveal—creates a binding and hiding promise, forming the bedrock for more complex secure computations.
Its origins lie in the work of cryptographic pioneers Manuel Blum and Shafi Goldwasser in the early 1980s, though the formalization is often attributed to a 1988 paper by Gilles Brassard, David Chaum, and Claude Crépeau. Initially explored for coin-flipping over the telephone and zero-knowledge proofs, bit commitment solved a core problem in distributed systems without trust: how to make a verifiable, secret promise. The 'bit' refers to the simplest unit of information, representing a binary choice (0 or 1), upon which more complex commitments are built.
In blockchain, this abstract primitive manifests concretely. When a miner hashes transaction data into a block header, they are effectively committing to that specific set of transactions. Any change would alter the Merkle root and break the cryptographic link. Similarly, a cryptographic hash function acts as a practical commitment scheme: publishing H(value) is the commitment, and later revealing the value that produces that hash is the proof. This mechanism underpins everything from transaction ordering to consensus algorithms and smart contract logic.
visual-explainer
CORE CONCEPT
Visual Explainer: The Two-Phase Protocol
A foundational cryptographic primitive that enables a party to commit to a chosen value while keeping it hidden, with the ability to later reveal it in a verifiable manner.
Bit commitment is a cryptographic protocol that allows one party, the committer, to seal a value (often a single bit, 0 or 1) in a digital "envelope." This process has two distinct phases. In the commit phase, the committer sends an encrypted or hashed version of their chosen bit, called a commitment, to a verifier. Crucially, this commitment reveals nothing about the hidden bit, binding the committer to their choice without disclosing it. The verifier cannot determine the bit's value from the commitment alone.
The second phase is the reveal phase. Here, the committer discloses the original bit and any additional secret information (like a random nonce or salt used in creating the commitment). The verifier can then use this revealed data to check the commitment against the original message. If the recomputed commitment matches the one received earlier, the verifier is assured that the committer did not change their bit after the initial commitment. This property is known as binding. The protocol's security relies on the computational difficulty of reversing the commitment function (e.g., finding a hash collision).
In practice, a simple bit commitment scheme can be constructed using a cryptographic hash function like SHA-256. The committer generates a random secret r (the salt) and computes the commitment as C = H(r || b), where b is the bit and || denotes concatenation. Sending C constitutes the commit. Later, to reveal, the committer sends the pair (r, b). The verifier recomputes H(r || b) and confirms it equals the original C. This ensures both hiding (from C alone) and binding (changing b would require finding a different r that hashes to the same C, a cryptographically hard problem).
The two-phase structure of commit-then-reveal is fundamental to many advanced protocols. It is the building block for zero-knowledge proofs, secure coin flipping, auction systems where bids must remain secret until opening, and consensus algorithms that require nodes to commit to a block proposal before broadcasting it. In blockchain contexts, it underpins mechanisms like Ethereum's RANDAO for verifiable randomness and certain layer-2 scaling solutions where transaction data is committed before being fully available.
A critical property of any bit commitment scheme is that it must be concealing and binding. A perfectly concealing scheme gives the verifier zero information about the bit from the commitment, while a computationally binding scheme makes it infeasible for the committer to open the commitment to two different values. Some schemes, like those using Pedersen commitments, offer additional properties like homomorphism, allowing commitments to be combined, which is useful in privacy-preserving cryptocurrencies and cryptographic voting systems.
examples
CRYPTOGRAPHIC PRIMITIVE
Examples and Use Cases
Bit commitment is a fundamental building block in cryptography, enabling parties to commit to a value without revealing it until a later time. Its properties are essential for secure protocols.
01
Fair Coin Tossing
Two parties can flip a fair coin over a distance without a trusted third party. Alice commits to her random bit (heads/tails) and sends the commitment to Bob. Bob then announces his guess. Finally, Alice reveals her bit, and the outcome is determined. The commitment prevents either party from changing their choice after learning the other's.
02
Zero-Knowledge Proofs (ZKPs)
Bit commitment is a core component in constructing zero-knowledge proofs. A prover commits to a secret value as part of the proof protocol. They can then interact with a verifier, revealing only specific properties about the committed value (e.g., it's a valid solution) without disclosing the value itself, ensuring both soundness and zero-knowledge.
03
Secure Voting & Auctions
Used in sealed-bid auctions and electronic voting to ensure tamper-resistance and privacy.
- Voting: A voter commits to their encrypted ballot. All commitments are published, preventing later alteration. Votes are revealed and tallied after the commitment phase closes.
- Auctions: Bidders commit to their bid amount. After all commitments are received, bids are revealed, proving the winner submitted the highest bid without early disclosure.
04
Blockchain Light Clients
Light clients (Simplified Payment Verification nodes) use commitments like Merkle roots to verify transaction inclusion without downloading the full chain. A block header contains a commitment (the root) to all transactions. The network can provide a Merkle proof that a specific transaction is committed to by that root, allowing for efficient and trust-minimized verification.
ecosystem-usage
BIT COMMITMENT
Ecosystem Usage in Blockchain
Bit commitment is a fundamental cryptographic primitive that allows a party to commit to a value (e.g., a bit, a secret) while keeping it hidden, with the ability to later reveal it in a way that is provably consistent with the original commitment.
01
Core Cryptographic Principle
A bit commitment scheme is a two-phase protocol between a committer and a verifier. In the commit phase, the committer uses a one-way function to generate a commitment string from their secret value and a random nonce (salt). This string is sent to the verifier, binding the committer to the value without revealing it. In the reveal phase, the committer discloses the original value and nonce, allowing the verifier to run the same function and verify the commitment's integrity. This ensures hiding (the value stays secret until reveal) and binding (the committer cannot change the value after committing).
02
Random Number Generation (RNG)
Bit commitment is crucial for creating provably fair and tamper-proof random number generators in blockchain applications like gaming and lotteries. A common method is the commit-reveal scheme:
- Multiple participants each generate a secret random number and publish its hash (the commitment).
- After all commitments are locked in, participants reveal their numbers.
- The final random result is computed from the combined revealed values. This prevents any participant from manipulating the outcome after seeing others' inputs, as their initial commitment binds them to their secret.
03
Sealed-Bid Auctions
In decentralized auctions, bit commitment ensures bid confidentiality and prevents front-running. Participants submit a commitment (hash) of their bid amount before the bidding period closes. This keeps bids secret, preventing others from adjusting their strategy based on visible information. After the commitment phase, bidders reveal their actual bids. The smart contract can then verify each revealed bid against its commitment and determine the winner. This process guarantees that no bidder can alter their bid after seeing competitors' commitments, enforcing fairness.
04
Layer 2 & Scaling Protocols
Bit commitment schemes are foundational to Layer 2 scaling solutions like optimistic rollups and zk-rollups. In optimistic rollups, the sequencer commits a hash (the state root) of the batch of transactions to Layer 1. This commitment acts as a compact promise about the new state. Validators can later challenge this commitment during the dispute period if they detect fraud. In zk-rollups, a validity proof (e.g., a zk-SNARK) is published alongside the state commitment, providing cryptographic assurance that the state transition is correct, making the commitment immediately verifiable.
05
Implementation: Hash-Based Commitment
The most common implementation uses a cryptographic hash function like SHA-256 or Keccak-256. The commitment C is generated as C = H(secret || nonce), where H is the hash function, secret is the value to commit to, || denotes concatenation, and nonce is a random number. The properties of the hash function provide:
- Hiding: Given
C, it's computationally infeasible to findsecret. - Binding: It's computationally infeasible to find a different pair (
secret',nonce') that hashes to the sameC. This simple construct is widely used in smart contracts for commit-reveal patterns.
06
Related Concept: Pedersen Commitment
A Pedersen Commitment is an advanced cryptographic commitment scheme offering information-theoretic hiding and computational binding under the discrete logarithm assumption. It uses elliptic curve groups. A commitment to a value v is created as C = v*G + r*H, where G and H are public generator points, and r is a secret blinding factor. Its key feature is homomorphism: commitments to v1 and v2 can be added to get a commitment to v1 + v2. This property is essential for confidential transactions in privacy-focused blockchains like Monero and in various zero-knowledge proof systems.
CRYPTOGRAPHIC PRIMITIVES
Comparison: Bit Commitment vs. Related Concepts
A feature comparison of bit commitment and other foundational cryptographic protocols, highlighting their distinct properties and use cases.
| Feature / Property | Bit Commitment | Encryption | Digital Signature | Zero-Knowledge Proof |
|---|---|---|---|---|
Primary Goal | Bind to a hidden value, reveal later | Ensure data confidentiality | Authenticate message origin and integrity | Prove statement truth without revealing underlying data |
Hiding Property | ||||
Binding Property | ||||
Requires Interaction (2+ rounds) | ||||
Reveal Phase | ||||
Typical Use Case | Fair coin toss, sealed-bid auctions | Secure communication | Transaction authorization | Identity verification, private transactions |
Core Mechanism | Commitment scheme (hash, encryption) | Symmetric/Asymmetric cipher | Signing with private key | Interactive/Non-interactive proof protocol |
security-considerations
BIT COMMITMENT
Security Considerations and Attack Vectors
Bit commitment is a fundamental cryptographic primitive that allows a party to commit to a chosen bit (or value) while keeping it hidden, with the ability to later reveal it in a way that proves it was not altered. Its security is critical for protocols like zero-knowledge proofs and blockchain consensus.
01
Hiding Property
The hiding property ensures the committed value remains secret until the reveal phase. A secure commitment scheme must be computationally binding or perfectly hiding, meaning no efficient adversary can learn any information about the committed bit from the commitment string alone. Weakness here allows an attacker to gain an unfair advantage by learning the secret early.
02
Binding Property
The binding property guarantees that once a commitment is made, the committer cannot change the value. The scheme must be computationally binding (an attacker cannot find two valid openings) or perfectly binding (only one value is possible). A failure allows equivocation, where a malicious party can adaptively reveal different values, breaking protocols like consensus or auctions.
03
Timing & Front-Running Attacks
In blockchain contexts, the time delay between commitment and reveal introduces vulnerabilities. A malicious actor can:
- Front-run by observing a commitment in the mempool, computing a favorable response, and submitting their own transaction first.
- **Perform a timing attack by analyzing the time taken to generate a commitment, which may leak information about the secret input.
04
Weak Randomness & Nonce Reuse
Most commitment schemes (e.g., Pedersen, hash-based) require a secret random nonce (blinding factor). Critical failures occur if:
- The nonce is predictable or reused, allowing an attacker to solve for the committed value.
- A weak pseudorandom number generator is used, making the nonce guessable. This directly compromises the hiding property.
05
Cryptographic Primitive Vulnerabilities
The security of the commitment rests on the underlying cryptographic assumptions. Key risks include:
- Hash Function Collisions: A broken hash function (e.g., compromised pre-image resistance) breaks binding in hash-based commitments.
- Discrete Log Assumption: Failures in groups used for commitments (like Pedersen in elliptic curves) can break both hiding and binding.
06
Implementation & Side-Channel Leaks
Even a theoretically sound scheme can be compromised by flawed implementation. Attack vectors include:
- Side-channel attacks (power analysis, timing) that leak the secret nonce or value during commitment generation.
- Incorrect serialization or encoding that allows for multiple valid interpretations of the committed data, breaking binding.
BIT COMMITMENT
Frequently Asked Questions (FAQ)
Bit commitment is a fundamental cryptographic primitive that allows a party to commit to a value (like a bit) while keeping it hidden, with the ability to later reveal it in a verifiable way. This section addresses common questions about its role in blockchain and cryptography.
Bit commitment is a cryptographic protocol that allows one party (the committer) to seal a chosen value (e.g., a bit, a number, or a secret) in a digital 'envelope' and send it to another party (the verifier), such that the committer cannot change the value later (binding), and the verifier cannot learn the value until it is opened (hiding). It works in two phases: the Commit Phase, where the committer sends a commitment string (often a hash of the secret combined with a random nonce or salt), and the Reveal Phase, where the committer later discloses the original secret and nonce, allowing the verifier to check the hash matches the initial commitment. This ensures the value was fixed at the time of commitment.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall