Commit-Reveal Scheme

The scheme operates in two distinct, time-bound phases:

• Commit Phase: Participants submit a cryptographic hash (the commitment) of their secret data (e.g., a bid, vote, or random number). This hash acts as a sealed, unchangeable promise.
• Reveal Phase: After the commit period ends, participants must submit their original secret data. The system verifies it matches the earlier hash. Submissions failing this check are invalidated.

The scheme relies on the one-way properties of cryptographic hash functions like SHA-256 or Keccak.

• Binding: Once a commitment is made, the participant cannot change the revealed value without detection, as it would produce a different hash.
• Hiding: The commitment hash reveals no information about the original secret data, keeping it confidential during the commit phase. This is typically achieved by hashing the secret with a random salt (nonce).

This is a primary application in decentralized systems. By hiding transaction details (like price in a decentralized exchange auction) until the reveal phase, the scheme prevents malicious actors from observing pending transactions and front-running them with higher gas fees. All commitments are effectively submitted simultaneously from the network's perspective.

Commit-reveal is foundational for on-chain randomness. Multiple participants commit hashes of secret numbers. After all commitments are locked in, they reveal their numbers. The final random value is a function (e.g., XOR) of all revealed secrets. This prevents any last-mover advantage, as no participant can bias the outcome after seeing others' reveals.

The scheme ensures secrecy and integrity in processes like:

• Private Voting: Voters commit to their choice, preventing coercion based on early results. Votes are only tallied after the reveal phase.
• Blind Auctions: Bidders commit to their bid amount. No one knows the bids during the commit phase, eliminating strategic bidding based on others' offers. The highest valid revealed bid wins.

Key practical challenges include:

• Gas Costs: Requires two transactions (commit and reveal), doubling gas fees for participants.
• Reveal Incentives: Systems must incentivize or penalize users to complete the reveal phase; unrevealed commitments can stall processes.
• Timing Attacks: The sequence of reveal transactions can sometimes leak information, mitigated by using a reveal deadline instead of a specific order.

Essential for creating provably fair randomness in blockchain applications like gaming and lotteries. Multiple participants each commit a secret random number. After all commits are locked in, they reveal their numbers. The final random value is a function (e.g., XOR) of all revealed secrets.

• Prevents manipulation: No single party can bias the outcome after seeing others' inputs.
• Transparent verification: Anyone can verify the final result against the committed hashes.
• Common in: NFT minting mechanics, gaming dApps, and validator selection.

A foundational concept for secure authentication without exposing secrets. A client hashes a password (commit) and sends it to a server for storage. Later, during login, the client sends the actual password (reveal), and the server hashes it to verify it matches the stored commitment.

• Prevents exposure: The secret is never transmitted or stored in plaintext.
• Basis for: Zero-knowledge proofs and secure multi-party computation (MPC) protocols, where parties commit to private inputs before a joint computation.

While powerful, commit-reveal schemes have inherent trade-offs that affect their design:

• Reveal Incentives: Systems must ensure participants have an incentive to complete the reveal phase; otherwise, transactions can fail.
• Gas Costs: Requires two transactions (commit and reveal), doubling gas fees for users.
• Latency: Introduces a delay between commitment and execution, unsuitable for real-time applications.
• Data Availability: All committed data must eventually be published on-chain for verification, increasing blockchain bloat.

The scheme's two-phase nature creates a window for manipulation. Malicious actors can monitor the commitment phase on-chain, then front-run the reveal phase by submitting their own transaction with a higher gas fee to claim an advantage. This is a critical risk in applications like decentralized exchanges or NFT mints where order matters. Mitigations include using cryptographic salts and enforcing strict, short reveal periods.

Storing commitments on-chain, even as hashes, incurs gas costs. For high-frequency applications, this can be prohibitively expensive. Furthermore, the reveal data (the original preimage) must be reliably broadcast and included in a block; network congestion or miner censorship can cause valid reveals to fail. This makes the scheme unsuitable for real-time, low-latency operations without careful fee management and incentive design.

In voting or random number generation, participants may collude during the reveal phase to bias the outcome. A Sybil attack, where one entity controls multiple identities, can be particularly damaging if the commit phase has no cost or identity proof. Defenses include requiring staked collateral (slashed for non-revelation), using verifiable random functions (VRFs), or implementing decentralized identity solutions to limit influence.

The scheme's security rests entirely on the properties of the cryptographic hash function (e.g., SHA-256, Keccak). It assumes the function is preimage-resistant (cannot reverse the hash) and collision-resistant (cannot find two inputs with the same hash). A breakthrough in cryptanalysis or the advent of quantum computing could theoretically break these assumptions, compromising all pending commitments. Using robust, future-resistant hash functions is essential.

From a UX perspective, requiring users to make two transactions (commit and reveal) doubles the interaction cost and complexity. Users must securely store their secret and the corresponding salt between phases, which can lead to loss of funds or voting power if forgotten. This friction limits adoption for consumer-facing dApps and necessitates robust wallet integration and clear user education to prevent errors.

The scheme's effectiveness varies by consensus mechanism. On Proof-of-Work chains, miners have significant control over transaction ordering, impacting fairness. On high-throughput chains, the reveal window must be calibrated to chain finality times. Layer 2 solutions and private mempools can also interfere with the scheme's transparency assumptions. Design must be tailored to the specific execution environment's guarantees and constraints.

A form of digital signature where the message is blinded (obscured) before it is signed, so the signer cannot see the content. The signature can later be verified against the original, unblinded message.

• Core Use: Enabling privacy-preserving authentication and digital cash systems.
• Example: In an e-voting system, a voter can get a ballot signed by an authority without revealing their vote, preserving anonymity.

A mechanism to guarantee that transactions are ordered in a block according to the order they were received, preventing front-running and Miner Extractable Value (MEV). Commit-Reveal is a common technique to achieve this.

• Core Use: Protecting users from predatory trading bots that exploit transaction ordering.
• Example: In a decentralized exchange auction, users submit committed bids; all are revealed simultaneously to determine the final, fair price.

A one-way cryptographic function that maps data of arbitrary size to a fixed-size output (a hash or digest). It is deterministic, collision-resistant, and pre-image resistant.

• Core Use: The foundational tool for creating the commitment in a Commit-Reveal scheme. The hash of the secret data is submitted first.
• Example: SHA-256 is used in Bitcoin's Proof-of-Work and to commit to transaction data in Merkle Trees.

A random value added to data before it is hashed, ensuring the resulting hash is unique even for identical inputs. It prevents precomputation attacks like rainbow tables.

• Core Use: Strengthening commitments and password storage by adding entropy.
• Example: In a Commit-Reveal scheme, a user commits H(salt + secret). Revealing both the salt and secret allows verification while preventing others from guessing the secret from the hash.