Hiding Property

Hiding can be achieved at different security levels. Information-theoretic hiding guarantees secrecy even against an adversary with unlimited computational power, relying on perfect randomness. Computational hiding assumes the adversary's power is bounded, relying on the hardness of problems like the discrete logarithm. Most practical blockchain systems, such as those using Pedersen commitments, employ computational hiding for efficiency.

The Hiding Property works in tandem with the Binding Property to form a secure commitment scheme. While hiding ensures the value is concealed, binding ensures the committer cannot later change the value to a different one. A secure scheme must satisfy both properties. Some constructions, like Pedersen commitments, achieve perfect hiding and computational binding, while others may have different trade-offs.

Hiding is essential for zero-knowledge proofs (ZKPs) and zk-SNARKs. Commitments hide the prover's secret witness data while allowing them to prove statements about it. For example, in a transaction, you can commit to an amount and a blinding factor, proving the amount is within valid range without revealing it. This enables confidential transactions in protocols like Zcash and various Layer 2 scaling solutions.

A simple hiding commitment can be constructed using a cryptographic hash function: commitment = H(value || randomness). The randomness (or nonce/salt) is crucial for hiding; without it, hashing a small set of possible values is vulnerable to a brute-force attack. This hash-based commitment provides computational hiding under the assumption that the hash function behaves like a random oracle and the randomness is kept secret.

The blinding factor (a random number) is the primary mechanism enabling the hiding property. In a Pedersen commitment C = v*G + r*H, the value v is multiplied by the generator G, and the blinding factor r is multiplied by another generator H. Without knowledge of r, it is computationally infeasible to determine v from C, even if v is known to be from a small set, because r*H acts as a perfectly random mask.

• Confidential Transactions: Hides transaction amounts (e.g., Mimblewimble, Zcash).
• Merkle Tree Leaf Hiding: Commits to data in a leaf without revealing it until a proof is provided.
• Commit-Reveal Schemes: Used in voting, auctions, or random number generation to prevent front-running.
• ZK-Rollups: Hides state transition details while proving their validity to the main chain.

A homomorphic commitment scheme that allows values to be committed to and later revealed without exposing them initially. It's a cornerstone for confidential transactions.

• How it works: Uses elliptic curve points. A commitment to value v is C = v*G + r*H, where G and H are public generators and r is a secret blinding factor.
• Key property: Perfectly hiding and computationally binding. Given commitment C, it's impossible to determine v without r.
• Primary use: Monero and Mimblewimble-based protocols (e.g., Grin, Beam) use it to hide transaction amounts while allowing for public verification.

A zero-knowledge proof system that enables one party to prove possession of hidden information without revealing it.

• Hiding mechanism: The witness (private inputs like transaction details) is used to generate a proof, but only the proof and public inputs are revealed. The witness remains completely hidden.
• Property: Provides zero-knowledge, a stronger form of hiding where even the structure of the secret data is concealed.
• Blockchain example: Zcash uses zk-SNARKs to hide transaction sender, receiver, and amount while proving the transaction is valid.

Structures that commit to a set of data, allowing a prover to reveal specific elements while hiding the rest.

• Merkle Tree: A hash-based tree where the root hash commits to all leaf data. To prove inclusion of one leaf, you reveal only the Merkle path (a few hashes), hiding all other leaves.
• Vector Commitments: More advanced schemes (e.g., using Kate/Zaverucha-Goldberg commitments) that allow proving properties about a vector at a specific position without revealing other positions.
• Application: Used in privacy-preserving rollups and anonymous credentials to prove membership in a set without exposing the full set.

A type of digital signature where a signer from a group can produce a signature, but it's cryptographically infeasible to determine which member signed.

• Hiding property: Hides the signer's identity within an anonymity set (the ring). The signature proves the signer is a valid ring member without revealing which one.
• Key component: Uses a combination of the signer's private key and the public keys of other decoy members (the ring) to create the signature.
• Primary use: Monero uses Ring Signatures (specifically Ring Confidential Transactions) to obfuscate the source of funds in a transaction.

The Elliptic Curve Digital Signature Algorithm can be adapted with commitments to hide transaction details before they are finalized.

• Commitment to k: In ECDSA, a random nonce k is used. If k is predictable or reused, the private key can be leaked. Protocols like ECDSA with Commitment first commit to k (hiding it), then later reveal it during signature generation.
• Application: Used in multi-party computation (MPC) for wallets and threshold signatures, where multiple parties jointly generate a signature without any single party knowing the full private key or the nonce.
• Purpose: Hides critical intermediate values during the signing process to prevent key extraction attacks.

A mechanism that generates a unique, one-time destination address for each transaction, hiding the recipient's main public address on the blockchain.

• How hiding is achieved: The sender uses the recipient's public view key and spend key to derive a unique stealth address. Only the recipient, using their private view key, can scan the blockchain to find and spend funds sent to these hidden addresses.
• Effect: Breaks the link on-chain between the recipient's public identity and the transaction output.
• Implementation: A core privacy feature in Monero and proposed as an enhancement for Ethereum (ERC-5564).

The hiding property is essential for zero-knowledge proofs, where a prover commits to a secret value (e.g., a private key or transaction amount) and proves a statement about it without revealing the value itself. This enables private transactions and identity verification.

• Example: In Zcash, the hiding property of Pedersen commitments allows users to prove they have sufficient funds for a transaction without revealing the amount or the source.

Blockchains use the hiding property to implement confidential transactions, where transaction amounts are encrypted on-chain. A commitment scheme hides the actual value while allowing the network to verify that inputs equal outputs, preventing inflation.

• Core Mechanism: Pedersen commitments are a standard tool, where a commitment to an amount v is C = v*G + r*H. The random blinding factor r ensures the value v is perfectly hidden.

The hiding property secures the commit-reveal schemes used in consensus mechanisms and voting. Participants first commit to a choice (e.g., a block hash or vote) using a hidden commitment. They later reveal it, ensuring choices cannot be altered and preventing front-running.

• Application: Used in Ethereum's RANDAO for beacon chain randomness and in DAO governance for private voting.

While Merkle trees primarily provide binding, the hiding property can be incorporated for privacy. A commitment to a Merkle root can hide the contents of the underlying data set until a specific leaf (e.g., a transaction) needs to be revealed with a proof.

• Use Case: This is a key component in zk-SNARKs and privacy-focused Layer 2 solutions, where the state of the system is committed to without exposing all data.

Fair on-chain games and lotteries rely on the hiding property to prevent cheating. All players submit hidden commitments to their moves or numbers. After all commitments are locked, they are simultaneously revealed, ensuring no player can change their input based on others' choices.

A commitment scheme cannot be perfectly binding and perfectly hiding simultaneously. Perfect Hiding means the commitment reveals zero information about the value. Computational Hiding relies on cryptographic assumptions (like discrete log).

• Pedersen Commitments: Perfectly hiding, computationally binding.
• Hash-based Commitments (e.g., H(r||value)): Computationally hiding, perfectly binding. The choice depends on the application's security model.