A commit-reveal scheme is a two-phase cryptographic protocol designed to conceal sensitive information, such as a bid, vote, or random number, during a commitment phase before it is publicly disclosed in a subsequent reveal phase. In the first phase, a user generates a cryptographic commitment—typically a hash like keccak256(value, salt)—and broadcasts this hash to the network. This hash acts as a sealed, binding promise of the hidden data. The crucial property is that the commitment reveals nothing about the underlying value, yet it is cryptographically binding; the user cannot later reveal a different value than the one originally committed to without detection.
LABS
Glossary
Commit-Reveal Scheme
A commit-reveal scheme is a two-phase cryptographic protocol where participants first submit a commitment to a hidden value and later reveal the original value, preventing front-running and manipulation.
Chainscore © 2026
definition
CRYPTOGRAPHIC PROTOCOL
What is a Commit-Reveal Scheme?
A commit-reveal scheme is a two-phase cryptographic protocol used to conceal information temporarily before it is disclosed, ensuring fairness and preventing front-running in decentralized systems.
The protocol's second phase, the reveal, occurs after all participants have submitted their commitments. Here, users must publicly broadcast the original plaintext value and the secret salt used to create the hash. The network can then verify the reveal by re-hashing the submitted data and checking it matches the earlier commitment. This mechanism ensures fairness and prevents strategic manipulation. For example, in a blockchain auction, it stops participants from seeing others' bids and simply bidding slightly higher, a form of front-running. The scheme enforces that all decisions are made based on hidden information, which is only exposed when it can no longer influence the outcome.
Commit-reveal schemes are fundamental to many blockchain applications beyond auctions. They are used in random number generation (RNG) for smart contracts, where multiple parties commit random seeds to create a provably fair collective randomness. They also underpin private voting mechanisms in decentralized autonomous organizations (DAOs) and protect against transaction front-running on decentralized exchanges by hiding trade details in mempools. The security relies on the cryptographic properties of the hash function: its pre-image resistance ensures the value cannot be deduced from the hash, and its collision resistance guarantees a user cannot find two different inputs that produce the same commitment hash.
While highly effective, basic commit-reveal schemes have limitations. They require all participants to submit two transactions (commit and reveal), doubling gas costs and blockchain footprint. A significant drawback is participant dropout; if a user commits but fails to reveal, the process can stall, potentially requiring complex timeout mechanisms or slashing deposits to penalize non-revealers. More advanced variants, like timelock puzzles or schemes using verifiable delay functions (VDFs), address some of these issues. Despite its constraints, the commit-reveal pattern remains a cornerstone protocol for achieving fairness and privacy in transparent, adversarial environments like public blockchains.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How a Commit-Reveal Scheme Works
A commit-reveal scheme is a two-phase cryptographic protocol that prevents front-running and ensures fairness in blockchain applications by hiding information until a predetermined time.
A commit-reveal scheme is a two-phase cryptographic protocol designed to hide sensitive information, such as a bid, vote, or random number, until a predetermined time, preventing front-running and manipulation. In the commit phase, a participant generates a secret value, creates a cryptographic commitment (typically a hash like keccak256), and publishes only this commitment to the network. This commitment acts as a sealed envelope—it binds the participant to their secret without revealing it. The reveal phase occurs later, where the participant discloses the original secret value, allowing anyone to verify that it matches the earlier commitment by re-hashing it.
The core mechanism relies on the properties of cryptographic hash functions: pre-image resistance ensures the secret cannot be deduced from the commitment, and binding ensures the participant cannot reveal a different secret that produces the same hash. This makes the scheme cryptographically secure. Common implementations involve a simple structure: commitment = hash(secret, salt), where a random salt (nonce) prevents brute-force attacks against low-entropy secrets. Once the reveal transaction is broadcast, network nodes or a smart contract can execute the verification function verify(commitment, secret, salt) to validate the participant's honesty.
In blockchain contexts, commit-reveal is critical for applications requiring fairness and secrecy in open, transparent systems. Key use cases include on-chain voting (to prevent influence from early results), random number generation (where multiple participants commit values later combined for randomness), and auction mechanisms (to stop bidders from adjusting based on others' bids). For example, an English auction smart contract would require all bids as commitments in phase one, then reveal them in phase two, ensuring the highest committed bid wins without last-second sniping.
While effective, the scheme has operational trade-offs. It requires two transactions (commit and reveal), doubling gas costs and complexity. Participants must remain online to submit the reveal transaction, risking forfeiture if they fail. Furthermore, the need for a secure, random salt and the management of multiple commitment periods adds implementation overhead. These constraints make it suitable for high-stakes, batch-processed operations rather than real-time, frequent interactions, leading to hybrid models or alternative privacy solutions like zk-SNARKs for more complex state hiding.
key-features
MECHANISM BREAKDOWN
Key Features of Commit-Reveal
The commit-reveal scheme is a cryptographic two-phase protocol used to hide information on a transparent blockchain until a predetermined time, ensuring fairness and preventing front-running.
01
Two-Phase Protocol
The scheme operates in two distinct phases to separate the act of submission from the act of disclosure.
- Commit Phase: A user submits a cryptographic hash (the commitment) of their secret data (e.g., a vote, bid, or random number) to the blockchain.
- Reveal Phase: After a set period, the user must submit the original secret data. The network verifies it by hashing the revealed data and checking it matches the earlier commitment.
02
Cryptographic Binding & Hiding
The scheme's security relies on two properties of cryptographic hash functions.
- Binding: Once a commitment is published, the committer cannot find a different secret that produces the same hash, locking in their choice.
- Hiding: The commitment hash reveals zero information about the original secret, preventing others from learning the value before the reveal. This is typically achieved by hashing the secret with a random nonce (salt).
03
Prevents Front-Running & Manipulation
A primary application is securing on-chain auctions, voting, and random number generation by eliminating information advantages.
- In a blind auction, all bids are commitments. No participant can see others' bids and outbid them at the last moment.
- For on-chain randomness (RNG), participants commit random seeds. After all commitments are locked, they are revealed and combined, preventing anyone from manipulating the final result based on early knowledge.
04
Enforces Participant Accountability
The protocol creates strong cryptographic proof of a participant's initial choice.
- A user who fails to reveal their secret in the second phase forfeits any stake or deposit tied to the commitment.
- The revealed data serves as a verifiable proof that the committed value was determined before the deadline, which is crucial for provably fair systems. This makes cheating economically irrational.
05
Time-Locked Secrets
The scheme introduces a mandatory delay between commitment and revelation, creating a cryptographic time-lock.
- This delay window ensures all participants have an equal opportunity to submit their commitments without being influenced by others' secrets.
- The timeline is enforced by blockchain blocks, making the process trustless and deterministic. The commitment is effectively a promise that will be cryptographically enforced at a future block height.
06
Real-World Implementations
Commit-reveal is a foundational primitive in several major blockchain applications.
- Ethereum's RANDAO: A randomness beacon where validators commit hashes of random numbers in one epoch and reveal them in the next to generate a collective random seed.
- Blind Auctions (e.g., ENS): Used in domain name auctions to prevent sniping.
- ZK-Snark Setups: The trusted setup ceremony for generating public parameters uses a commit-reveal scheme to ensure no single participant knows the full toxic waste.
cryptographic-properties
CRYPTOGRAPHIC PRIMITIVE
Commit-Reveal Scheme
A two-phase protocol used to conceal information temporarily before its public disclosure, ensuring fairness and preventing front-running in decentralized systems.
A commit-reveal scheme is a cryptographic protocol that allows a participant to commit to a value (like a bid, vote, or random number) by publishing a cryptographic commitment, and later reveal the original value. The commitment, typically a hash digest like keccak256(value, salt), binds the participant to their initial choice without exposing it, preventing them from changing it after seeing others' commitments. This creates a fair, two-stage process essential for applications requiring secrecy with later verifiable disclosure.
The scheme's security relies on the hiding and binding properties of cryptographic hash functions. The hiding property ensures the original value cannot be deduced from the commitment hash. The binding property guarantees that once a commitment is published, the participant cannot find a different input (a different value or salt) that produces the same hash output, locking them into their initial choice. A cryptographically secure random salt (nonce) is crucial to prevent brute-force revelation of simple values.
In blockchain contexts, commit-reveal is a fundamental mechanism to mitigate front-running and information leakage. For example, in decentralized exchanges or auction smart contracts, users submit a hashed version of their trade or bid. Only after a commit phase concludes does a reveal phase begin, where users submit their original data. The contract verifies the hash matches the commitment, ensuring all actions were determined before any were revealed. This prevents adversaries from exploiting visible transaction data in the mempool.
Practical implementation requires careful design of phase timings and incentives. The commit phase must have a sufficient window for participation, while the reveal phase must allow committed participants time to submit their data, often with a penalty (like a locked bond) for those who commit but fail to reveal. This structure is used in ZK-rollup fraud proofs, random number generation (RNG), decentralized voting, and privacy-preserving transactions to coordinate actions without premature disclosure.
primary-use-cases
COMMIT-REVEAL SCHEME
Primary Use Cases
The commit-reveal scheme is a cryptographic two-phase protocol that enables secure, fair, and private interactions on transparent blockchains. It is a foundational mechanism for applications requiring secrecy or randomness in a public environment.
02
Secure Random Number Generation (RNG)
Generates provably fair and unpredictable randomness for applications like gaming and lotteries. Multiple participants each commit a secret random number. After all commits are locked in, they reveal their numbers. The final random value is derived from the combination of all revealed secrets, ensuring no single party can manipulate the outcome.
- Core Property: The commit phase creates a binding obligation, making the final result tamper-proof.
03
Sealed-Bid Auctions
Enables fair auctions where bids are kept secret until a deadline. Bidders commit a hash of their bid amount and a secret salt. After the bidding period closes, they reveal the bid and salt. The highest valid revealed bid wins. This prevents auction sniping and bid shading, as participants cannot see others' bids during the auction.
- Mechanism: The salt ensures the committed hash cannot be guessed, while allowing later verification.
04
Anti-Frontrunning in MEV
Protects user transactions from being exploited by Maximal Extractable Value (MEV) bots. Users can submit a transaction as a commit (a hash). Searchers or validators then include this commitment in a block without knowing its contents. The user later reveals the full transaction for execution. This blinds searchers, preventing them from frontrunning or sandwiching the trade based on its visible details.
05
On-Chain Gaming & Puzzles
Facilitates games where moves or solutions must be submitted secretly and simultaneously. Players commit to their move (e.g., a chess move or puzzle answer) without revealing it. After the commit phase, all players reveal simultaneously. This ensures fair play by preventing players from reacting to an opponent's move in a turn-based system, effectively creating a simultaneous reveal.
06
Technical Implementation & Components
Relies on specific cryptographic primitives and blockchain state management.
- Commitment: Typically a cryptographic hash like
keccak256(secret, data). - Reveal Phase: The original
secret(salt) anddataare published for verification. - Time Locks & Phases: Smart contracts enforce strict commit duration and reveal window.
- Gas Optimization: Techniques like storing only hash commitments minimize on-chain storage costs until the reveal.
ecosystem-usage
ECOSYSTEM USAGE & PROTOCOLS
Commit-Reveal Scheme
A cryptographic two-phase protocol used in blockchain systems to conceal sensitive information during a voting or submission period before revealing it in a verifiable way.
01
Core Cryptographic Mechanism
The scheme operates in two distinct phases. First, in the commit phase, a participant submits a cryptographic hash (the commitment) of their secret data, such as a bid or vote. Later, in the reveal phase, they broadcast the original data. The system verifies the reveal by hashing it and checking it matches the earlier commitment. This ensures data cannot be altered after submission.
02
Preventing Front-Running & Manipulation
A primary use case is in decentralized exchanges and auctions to prevent front-running. By hiding bid amounts or trade details until the reveal, the scheme stops other participants from copying or manipulating strategies based on visible information. This creates a fair, simultaneous reveal, similar to a sealed-bid auction.
03
On-Chain Random Number Generation
Commit-reveal is fundamental for generating provably fair random numbers on-chain, which are crucial for NFTs, gaming, and lotteries. Multiple participants commit hashes of secret seeds. After all commitments are locked, they reveal their seeds. The final random number is derived from the combination of all revealed seeds, preventing any last-minute manipulation.
04
Voting & Governance Applications
Used in DAO governance and consensus mechanisms to enable private voting or validator selection. Voters commit to their choice without revealing it, preventing coercion or vote-buying during the voting period. The integrity of each vote is cryptographically guaranteed upon reveal, ensuring a tamper-proof tally.
05
Technical Implementation & Hashes
The commitment is typically created by hashing the secret data with a random salt or nonce (e.g., commitment = keccak256(abi.encodePacked(secret, salt))). Revealing both the secret and salt allows verification. Using a salt prevents brute-force attacks where simple, common secrets could be guessed from the hash.
06
Challenges & The Reveal Incentive
A key challenge is ensuring participants complete the reveal phase. Systems often require a security deposit or bond that is slashed if a participant fails to reveal, creating a financial incentive. Without proper incentives, a participant could withhold their reveal, potentially stalling or breaking the protocol.
security-considerations
COMMIT-REVEAL SCHEME
Security Considerations & Limitations
While commit-reveal schemes are a fundamental cryptographic primitive for hiding information on transparent blockchains, they introduce specific security trade-offs and operational constraints that developers must account for.
01
Front-Running & Timing Attacks
The mandatory delay between the commit and reveal phases creates a vulnerability window. Malicious actors can monitor pending commits on the public mempool and front-run transactions by submitting their own commit with a higher gas fee, or by copying a revealed value before the original transaction is confirmed. This is particularly exploitable in auctions, voting, or random number generation. Mitigations include using a secure random nonce and employing batch reveals to reduce the attack surface.
02
Data Availability & Storage Costs
The scheme requires storing two transactions per piece of hidden data, doubling on-chain gas costs. The commit (hash) is small, but the reveal transaction must publish the full original data, which can be expensive for large inputs. Furthermore, all participants must remain online and funded to submit their reveal transaction within the set timeframe, or their committed funds may be forfeited, creating a denial-of-service risk.
03
Collusion and Trust Assumptions
In multi-party schemes (e.g., decentralized random beacons), the security model often assumes a threshold of honest participants. If a majority colludes, they can manipulate the outcome:
- Withhold Reveals: A coalition can refuse to reveal, forcing a reversion or a biased result.
- Selective Reveal: Adversaries can wait to see others' reveals before deciding to reveal their own, gaining an unfair advantage. This shifts trust from a single entity to a decentralized set, but does not eliminate it entirely.
04
Cryptographic Primitives & Hash Security
The scheme's security is entirely dependent on the cryptographic hash function (e.g., SHA-256, Keccak) used for the commit. It must be preimage-resistant so the original data cannot be deduced from the hash, and collision-resistant to prevent finding two different inputs that produce the same commit hash. The use of a cryptographically secure random salt (nonce) is critical to prevent brute-force guessing of simple inputs.
05
Reveal Phase Finality and Liveness
The protocol must define clear, immutable rules for the reveal window and consequences for non-revelation. Key limitations include:
- Fixed Time Windows: Setting an appropriate duration is difficult; too short risks liveness failures, too long increases exposure to market volatility or other state changes.
- Forfeiture Mechanisms: Slashing bonds for non-revelation adds complexity and must be implemented securely to avoid exploitation.
- Block Re-orgs: A chain reorganization during the reveal phase can invalidate commits or reveals, requiring careful state handling.
PRIVACY & COST TRADEOFFS
Comparison with Alternative Schemes
A comparison of the commit-reveal scheme against other common methods for hiding on-chain data, evaluating key properties for blockchain applications.
| Feature / Property | Commit-Reveal | Zero-Knowledge Proofs (ZKPs) | Trusted Execution Environments (TEEs) | Fully Public Data |
|---|---|---|---|---|
Data Privacy During Execution | ||||
On-Chain Finality Latency | 2+ blocks | < 1 block | < 1 block | < 1 block |
Computational Overhead | Low | Very High | Medium | None |
Cryptographic Trust Assumptions | None (transparent) | Math (zk-SNARK/STARK) | Hardware Manufacturer | None (transparent) |
On-Chain Storage Cost | 2x (commit + reveal) | 1x (proof + output) | 1x (encrypted output) | 1x |
Data Availability Guarantee | ||||
Example Use Case | Sealed-bid auctions, random number generation | Private transactions, identity verification | Confidential smart contracts | Public registries, transparent voting |
technical-implementation
TECHNICAL IMPLEMENTATION NOTES
Commit-Reveal Scheme
A foundational cryptographic technique for submitting information in two phases to ensure fairness and prevent front-running in decentralized systems.
A commit-reveal scheme is a two-phase cryptographic protocol where a user first publishes a commitment—a hashed, encrypted, or otherwise obfuscated version of their data—and later reveals the original data, allowing anyone to verify it matches the initial commitment. This process ensures the data cannot be changed after the commitment is made, a property known as binding, while also keeping it secret until the reveal phase, a property called hiding. It is a cornerstone for creating fair, transparent, and manipulation-resistant processes on-chain.
The scheme's primary use case is preventing front-running and information-based advantages in decentralized applications. For example, in a blind auction or a voting system, participants submit a hash of their bid or vote. Since the hash reveals nothing about the underlying value, no participant can strategically adjust their submission based on others'. Only after all commitments are collected does the reveal phase begin, where participants submit their original data. The contract then validates each reveal against its stored commitment hash.
Implementing a commit-reveal scheme requires careful management of cryptographic primitives and state. Typically, the keccak256 hash function is used to generate the commitment, often by hashing the secret data concatenated with a random salt (a nonce) to prevent brute-force guessing of simple values. The contract must store the commitment, usually mapped to the sender's address, and enforce strict phase timings. A critical consideration is ensuring the reveal transaction includes the exact preimage (original data and salt) that produces the stored hash.
While powerful, the scheme has notable limitations. It requires users to send two transactions (commit and reveal), doubling gas costs and complexity. There is also a free option problem: a user can choose not to reveal, potentially stalling the process. Mitigations include requiring a staked bond forfeited on non-revelation and using timelocks to automatically progress phases. Furthermore, the need for a secure, off-chain generated salt is paramount, as a predictable salt can compromise the hiding property.
Beyond auctions and voting, commit-reveal schemes enable random number generation (where multiple participants commit to seeds), fair lotteries, and privacy-preserving computations. They represent a shift from synchronous, transparent execution to a phased approach that decouples the act of decision-making from its publication. This pattern is essential for any on-chain mechanic where the order or content of transactions should not influence or be influenced by other participants in the same round.
When designing a system, developers must choose between a commit-reveal scheme and alternative privacy solutions like zk-SNARKs or trusted execution environments. Commit-reveal is often simpler and more gas-efficient for applications requiring temporary secrecy rather than permanent anonymity. Its elegance lies in using fundamental cryptographic hashing, a core primitive of blockchain itself, to create a level playing field, embodying the principle that system rules should be enforced by code, not by the speed or knowledge of a participant.
COMMIT-REVEAL SCHEME
Frequently Asked Questions (FAQ)
A commit-reveal scheme is a two-phase cryptographic protocol used to submit information without revealing it until a later time, ensuring fairness and preventing front-running in decentralized applications.
A commit-reveal scheme is a two-phase cryptographic protocol that allows a participant to commit to a value (like a bid, vote, or random number) by publishing a cryptographic hash of it, and later reveal the original value to prove their initial commitment. This prevents other participants from seeing and reacting to the information until after the commitment phase is closed, ensuring fairness in processes like auctions, voting, and random number generation on-chain. The scheme's security relies on the preimage resistance of the hash function, making it computationally infeasible to deduce the original value from the hash commitment.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall