Commit-Reveal Scheme

The scheme operates in two distinct phases to hide and later prove a secret value.

• Commit Phase: A user generates a secret (e.g., a vote, bid, or random number) and publishes a cryptographic commitment, typically a hash like keccak256(secret, salt). This binds the user to their secret without revealing it.
• Reveal Phase: After all commitments are submitted, users publish their original secret and salt. The network verifies each reveal by hashing the provided data and checking it matches the earlier commitment.

This ensures the secret was predetermined and cannot be changed after seeing others' commits.

Used in DAOs and governance protocols to prevent voting bias and manipulation.

• Concealed Voting: Voters commit hashes of their choices. This prevents later voters from being influenced by early vote tallies.
• Fair Tallying: After the commit phase ends, voters reveal their votes. The final result is calculated from all valid reveals.
• Example: Snapshot and on-chain DAOs use commit-reveal to ensure vote privacy and integrity during sensitive proposals, preventing strategic last-minute swings.

A critical application for creating provably fair randomness in smart contracts, where all participants contribute.

• Process: Each participant commits a random number. After all commits are locked in, they reveal their numbers.
• Final Random Seed: The revealed numbers are combined (e.g., XOR'd) to generate a final, unpredictable random value that no single party could manipulate.
• Use Case: This method secures NFT minting lotteries, gaming outcomes, and validator selection in proof-of-stake networks, replacing insecure blockhash reliance.

Enables fair, front-running-resistant auctions on blockchain by keeping bids secret until a deadline.

• Bid Submission: Bidders commit a hash of their bid amount and a nonce.
• Bid Reveal: After the bidding period, winners reveal their actual bid to claim assets. Non-revealed bids forfeit their deposit.
• Advantage: Prevents participants from adjusting bids based on competitors' actions. Used in NFT platforms like Zora and decentralized domain name auctions to ensure optimal price discovery.

Mitigates Maximal Extractable Value (MEV) by obscuring transaction content from block builders until inclusion.

• Commit: Users submit a commitment to their transaction bundle.
• Reveal: The full transaction details are revealed only after the bundle is included in a block.
• Protocol Example: Flashbots SUAVE and other MEV mitigation systems employ commit-reveal schemes to create a fair, opaque mempool, preventing searchers and validators from front-running or sandwiching trades based on visible intent.

While powerful, the scheme introduces specific engineering challenges that must be addressed.

• Liveness Requirement: Participants must be online to reveal their secrets; failure results in lost funds or broken processes.
• Collusion Resistance: Schemes can be vulnerable if a majority of participants collude before the reveal phase.
• Gas & Cost: Requires two transactions (commit and reveal), doubling gas fees and user effort.
• Salt Security: A cryptographically secure random salt is mandatory; predictable salts allow brute-force attacks to uncover the secret before the reveal.

The inherent delay between the commit and reveal phases creates a vulnerability window. Malicious actors can monitor the mempool for commits, deduce their content (e.g., a high-value bid), and front-run with their own transaction. Mitigations include using cryptographic commitments (hashes) that hide the data and employing submarine sends or private mempools to obscure transaction visibility until reveal.

The scheme requires storing both the commitment (hash) and the later revealed data on-chain, effectively doubling the storage footprint for that operation. This increases gas costs and blockchain bloat. For applications with high-frequency commits (e.g., per-block voting), this can become prohibitively expensive, necessitating layer-2 solutions or alternative cryptographic primitives like zk-SNARKs.

A critical limitation is ensuring a participant cannot back out of a revealed value that doesn't benefit them. The system must enforce that the revealed plaintext hashes to the committed value. If the reveal fails this check, the transaction must revert, and the participant's stake (often in the form of a bond or deposit) can be slashed. Without economic penalties, the scheme lacks cryptographic fairness.

In voting or random number generation contexts, participants may collude to manipulate the outcome after seeing commits but before the reveal. An attacker could also create many fake identities (Sybil attacks) to submit commits, influencing the result. Defenses include participant whitelisting, proof-of-personhood systems, and using verifiable delay functions (VDFs) to enforce a mandatory wait time between commit and reveal.

A commit transaction included in one block could be orphaned by a chain reorganization. If the reveal transaction is mined in a different canonical chain, the original commitment may not exist, causing the reveal to fail. Applications must design for this uncertainty, potentially by only considering commits after a sufficient number of confirmations or using consensus mechanisms with fast finality.

Correctly implementing the commit-reveal state machine adds significant smart contract complexity. Errors in state transitions or hash verification can lead to locked funds. Furthermore, the reveal transaction must include the original data, which can hit block gas limits if the data is large (e.g., a complex bid). This often limits the scheme to concise inputs like integers or short strings.

The core tool enabling the commit phase. A participant generates a commitment by hashing their secret data with a random salt. The properties of a cryptographic hash function ensure:

• Pre-image resistance: The original data cannot be derived from the hash.
• Collision resistance: It's infeasible to find two different inputs that produce the same hash. This creates a binding and hiding promise of the future reveal.

A random value added to the data before hashing to create the commitment. The salt is crucial because:

• It prevents rainbow table attacks where common inputs can be pre-computed.
• It ensures the commitment is unique even if the secret data is the same across multiple rounds. During the reveal phase, both the original data and the salt must be disclosed to prove the commitment was valid.

An advanced cryptographic method related to commit-reveal. A Zero-Knowledge Proof allows one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. While commit-reveal eventually reveals the secret, ZKPs can prove properties about hidden data without ever revealing it, enabling applications like private transactions and identity verification.

A canonical real-world application of the commit-reveal scheme. In a sealed-bid blind auction:

• Commit Phase: All bidders submit a hash of their bid amount and a secret salt.
• Reveal Phase: After the bidding period closes, bidders publicly reveal their actual bid and salt. This process prevents participants from adjusting their bids based on others' actions, ensuring a fair and transparent outcome. It is directly analogous to mechanisms like Ethereum's ENS domain auctions.

Commit-reveal is a foundational technique for generating provably fair random numbers on-chain. The classic model involves multiple participants:

1. Each commits a hash of their secret number.
2. After all commitments are locked, participants reveal their numbers.
3. The final random seed is computed from the combined revealed secrets. This prevents any single party from manipulating the outcome, as they cannot know others' numbers before committing their own. Used in blockchain gaming and lotteries.

Used in decentralized governance to prevent voting coercion and vote buying. The process:

• Commit: Voters submit a commitment hash of their choice (e.g., Yes/No) and a salt.
• Reveal: In a later period, voters disclose their actual vote and salt to have it counted. This creates a time-locked secrecy period where votes are hidden, preventing malicious actors from targeting voters based on their choices before the vote concludes, thus protecting voter autonomy.