Commit-Reveal Scheme

The scheme operates in two distinct phases:

• Commit Phase: A user submits a cryptographic hash (the commitment) of their secret data (e.g., a bid, vote, or random number). This hash is recorded on-chain, binding the user to their secret without revealing it.
• Reveal Phase: In a later transaction, the user reveals the original secret data. The network verifies it by hashing the revealed data and checking it matches the initial commitment.

This is the primary security benefit. By hiding the actual data in the first phase, it becomes impossible for malicious actors (like validators or other users) to observe a pending transaction and front-run it with a more favorable one. This is critical for decentralized exchanges (DEXs) during order submission and for fair random number generation in lotteries or games.

The initial hash commitment acts as a cryptographic proof of prior knowledge. A user cannot change their revealed data after seeing others' submissions, as the hash would not match. This binding property ensures all participants are locked into their initial choice, creating a provably fair process for auctions, voting, or any scenario requiring sealed inputs.

To prevent brute-force attacks where an attacker guesses simple secrets, a salt (a random number) is concatenated with the secret data before hashing.

• Example: commitment = hash(vote + salt). The salt is revealed alongside the original data. This ensures even predictable inputs (like "yes" or "no") produce a unique, unguessable hash, protecting user privacy during the commit phase.

• Decentralized Exchanges (DEXs): Hiding trade sizes and prices to prevent MEV extraction.
• On-Chain Voting & Governance: Keeping ballots secret until a voting period ends.
• Random Number Generation (RNG): Multiple participants commit to random seeds, which are later revealed to compute a final, unbiased random number.
• Sealed-Bid Auctions: Ensuring all bids are submitted secretly and opened simultaneously.

• Reveal Incentives: Systems must incentivize users to return and reveal their data, often via deposits slashed for non-revelation.
• Time Windows: The reveal phase must have a defined deadline after which commitments expire.
• Gas Costs: Requires two transactions (commit and reveal), doubling base gas fees for the user.
• Data Storage: The scheme requires the chain to store commitments, adding to state bloat.

Ensures vote privacy and prevents strategic voting by hiding choices until the reveal phase. This prevents voters from being influenced by early results.

• Key Mechanism: Voters submit a hash of their vote (commit). After the voting period, they reveal the original vote and secret for validation.
• Example: DAOs use this for sensitive proposals, like treasury allocations or parameter changes, to achieve unbiased outcomes.

Generates provably fair and unpredictable random numbers on-chain, critical for gaming, lotteries, and NFT minting.

• Key Mechanism: Multiple participants commit a secret number. After all commits are locked in, they reveal them. The final random value is a function of all revealed secrets, making it tamper-proof.
• Example: Blockchain-based prediction markets use commit-reveal to determine event outcomes without relying on a trusted oracle.

Prevents bid sniping and front-running by keeping all bids confidential until the auction concludes.

• Key Mechanism: Bidders commit a hash of their bid amount and a secret. After the bidding period ends, they reveal their actual bid. The highest valid revealed bid wins.
• Example: Used in NFT auctions (e.g., Art Blocks) to ensure participants submit their true maximum bid without fear of being outbid at the last second.

Mitigates Maximal Extractable Value (MEV) by obfuscating transaction details from block builders until they are included in a block.

• Key Mechanism: Users submit a commitment to a trade. Sequencers or validators order these commitments without knowing the trade details. The specifics are revealed only after the block is proposed.
• Example: Protocols like Shutter Network use a threshold encryption variant of commit-reveal to protect DEX trades from harmful MEV.

Prevents bots and sybil attacks by requiring a proof of participation that is only verifiable after a snapshot or claim period.

• Key Mechanism: Eligible users commit to a claim. The eligibility criteria (e.g., snapshot of token holders) is only applied or revealed after the commit phase, preventing gaming of the system.
• Example: Some airdrop mechanisms hide the final claim contract address or merkle root until the last moment to ensure a fair distribution.

Creates time-locked or conditionally-releasable commitments for advanced smart contract logic, such as escrow or challenge periods.

• Key Mechanism: A secret is committed, acting as a key. The committed value can only be used to unlock funds or trigger an action upon its correct revelation.
• Example: Used in cross-chain bridges or atomic swaps, where revealing a secret on one chain proves an action was completed on another, finalizing the swap.

The inherent delay between the commit phase and the reveal phase creates a vulnerability window. A malicious actor monitoring the mempool can observe a valid reveal transaction, copy its data, and submit their own transaction with a higher gas fee to have it processed first, stealing the intended outcome. This is a classic front-running attack. Mitigations include using submarine sends or committing to a future block number.

The scheme requires storing the committed hash on-chain, which is cheap, but later storing the full revealed data, which can be expensive. For large datasets (e.g., complex game moves or detailed votes), the gas cost for the reveal transaction can become prohibitive. This creates a denial-of-service risk where participants may choose not to reveal due to cost, breaking the protocol's logic.

A cryptographic hash function (like SHA-256 or Keccak) is used to create the commitment. While pre-image resistance makes finding the original input from a hash infeasible, if the input space is small (e.g., a number 1-10), an attacker can brute-force all possible inputs, compute their hashes, and discover the secret before the reveal. This necessitates using a sufficiently large and random salt (nonce) to enlarge the search space.

The protocol's correctness depends on participants being live and willing to submit their reveal transaction within the designated time window. If a participant goes offline or refuses to reveal, the process can stall. This requires careful design of slashing mechanisms, timeout periods, and economic incentives to ensure participants follow through, adding complexity to the system's game theory.

Commit-reveal is optimal for scenarios where all secrets are revealed simultaneously (e.g., voting, random number generation). It is poorly suited for applications requiring ongoing privacy or selective disclosure. Once revealed, the data is permanently public on-chain. For private computations, zero-knowledge proofs or secure multi-party computation are more appropriate cryptographic tools.

Common bugs break the scheme's security:

• Weak Randomness: Using a predictable or block-dependent value as the salt.
• Hash Malleability: Not ensuring the revealed data matches the exact pre-image format committed.
• Replay Attacks: Failing to include a unique identifier, allowing a commit/reveal to be replayed in a different context.
• Gas Limit Issues: Reveal transaction exceeding block gas limit for complex data.

A cryptographic method where one party (the prover) can prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. It enables privacy and scalability.

• Key Use: Private transactions (e.g., Zcash) and scaling solutions (zk-Rollups).
• Contrast with Commit-Reveal: While commit-reveal hides data temporarily, ZKPs can hide it permanently while still proving correctness.

A cryptographic function that produces a random output and a proof of that output's correctness. Anyone can verify the proof using the public key, ensuring the randomness was generated fairly and was not manipulated.

• Key Use: On-chain randomness for applications like proof-of-stake leader election (Algorand) and NFT minting.
• Relation to Commit-Reveal: VRFs provide a trust-minimized, single-step alternative to multi-round commit-reveal schemes for generating verifiable randomness.

A form of digital signature where the message is blinded (hidden) before it is signed, so the signer cannot see the content. The signature can later be verified against the original, unblinded message.

• Key Use: Privacy-preserving digital cash (e.g., Chaumian eCash) and anonymous voting systems.
• Relation to Commit-Reveal: It's a complementary privacy technique; a commit-reveal might be used to submit the blinded message, while the blind signature provides authorization without disclosure.

A one-way cryptographic function that maps data of arbitrary size to a fixed-size output (a hash or digest). It is deterministic, collision-resistant, and pre-image resistant.

• Core Properties:
  • Deterministic: Same input always yields same hash.
  • Pre-image Resistance: Cannot reverse the hash to find the input.
  • Avalanche Effect: A tiny change in input creates a completely different hash.
• Foundation for Commit-Reveal: The commit phase uses a hash (e.g., SHA-256) to lock in a secret value without exposing it.

A cryptographic protocol that enables multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other. The security holds even if some parties are malicious.

• Key Use: Private auctions, federated learning, and threshold signature schemes for wallet security.
• Contrast with Commit-Reveal: MPC allows for collaborative computation on private data, whereas commit-reveal is often a two-phase submission protocol for a single secret.

A method of encrypting a message so that it can only be decrypted after a specific amount of time has passed, typically enforced by requiring the solution to a computational puzzle that takes a predictable duration to solve.

• Key Use: Time-released secrets, sealed-bid auctions, and blockchain protocol upgrades.
• Relation to Commit-Reveal: Can be used as a sophisticated commit mechanism where the 'reveal' is forced by the passage of time or computational work, adding a temporal guarantee.