In cryptography, a commitment scheme is a two-phase protocol consisting of a commit phase and a reveal phase. During the commit phase, a party (the committer) generates a commitment—a short, fixed-size value derived from a secret message—and sends it to a receiver. This act "locks in" the secret. The scheme provides two essential security properties: hiding, which ensures the commitment reveals no information about the secret, and binding, which prevents the committer from later revealing a different secret than the one originally committed to.
LABS
Glossary
Commitment
A commitment is a compact cryptographic proof, such as a Merkle root or polynomial commitment, posted to a settlement layer to bind and summarize data from a modular chain for verification.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is a Commitment?
A commitment is a fundamental cryptographic primitive that allows one party to bind themselves to a chosen value while keeping it hidden, with the ability to later reveal it in a verifiable way.
Commitment schemes are implemented using cryptographic hash functions, such as SHA-256, in a construction known as a hash commitment. To commit to a value v, the committer typically generates a random nonce r and computes the commitment as C = H(r || v), where H is the hash function. The committer sends C to the verifier. Later, to reveal the commitment, they send the pair (r, v). The verifier can then recompute the hash to confirm it matches the original commitment C, verifying both the value and the committer's inability to change it.
In blockchain systems, commitments are a foundational building block. They are used in Merkle trees to commit to sets of transactions in a block header, in zero-knowledge proofs like zk-SNARKs to hide private inputs, and in privacy protocols such as confidential transactions. The concept is also central to verifiable delay functions (VDFs) and certain consensus mechanisms. By providing a way to prove prior knowledge or intent without immediate disclosure, commitments enable trustless interaction, data integrity, and advanced privacy features across decentralized networks.
key-features
CRYPTOGRAPHIC PRIMITIVE
Key Features of Commitments
A cryptographic commitment is a fundamental building block that allows one party to commit to a chosen value while keeping it hidden, with the ability to later reveal it in a verifiable way.
01
Hiding Property
The hiding property ensures the committed value remains secret until it is revealed. This is typically achieved by combining the secret with a random nonce (or blinding factor) before hashing. For example, commitment = Hash(secret, nonce). Without the nonce, an attacker could brute-force guess the secret by comparing hashes.
02
Binding Property
The binding property guarantees that once a commitment is published, the committer cannot change the underlying value. They are bound to the original secret. If the commitment scheme is secure, finding a different (secret', nonce') that produces the same commitment hash is computationally infeasible, a property linked to collision resistance.
03
Common Implementation: Pedersen Commitment
A Pedersen Commitment is an additive homomorphic scheme used in confidential transactions (e.g., Mimblewimble). It uses elliptic curve points: C = r*G + v*H, where v is the value, r is a blinding factor, and G, H are generator points. It allows for zero-knowledge proofs of transaction validity without revealing amounts.
04
Common Implementation: Merkle Tree Commitment
A Merkle Tree commits to a set of data (like transactions in a block) by producing a single root hash. This root acts as the commitment. To prove inclusion of a specific piece of data, one provides a Merkle proof (a path of sibling hashes). This is foundational for blockchain headers and light client verification.
05
Application: Verifiable Delay Functions (VDFs)
Commitment schemes are crucial in Verifiable Delay Functions. A prover commits to a random value, then spends a prescribed amount of sequential work (the delay) to compute the VDF output. They then reveal the initial commitment and the proof. The verifier can quickly check that the output is correct and that the delay was enforced, preventing precomputation attacks.
06
Application: Commit-Reveal Schemes
A commit-reveal scheme is a two-phase protocol used in voting, auctions, or random number generation to prevent front-running.
- Commit Phase: Participants submit a hash of their choice (value + salt).
- Reveal Phase: Participants later reveal the original value and salt. The system verifies the hash matches the earlier commitment. This ensures choices are fixed and cannot be changed based on others' actions.
how-it-works
CRYPTOGRAPHIC PRIMITIVES
How Commitments Work
A technical breakdown of cryptographic commitments, the foundational building blocks for privacy, scalability, and security in modern blockchain protocols.
A cryptographic commitment is a digital protocol that allows one party to commit to a chosen value while keeping it hidden, with the ability to later reveal the value in a way that is verifiably consistent with the initial commitment. This creates a binding and hiding promise, often implemented using a commitment scheme like a hash function. The committer sends a commitment string (e.g., commit = Hash(value, secret_nonce)) to a verifier. Later, to open the commitment, they reveal the original value and secret_nonce, allowing the verifier to recompute the hash and confirm it matches the initial commitment, proving the value was not altered.
The security of a commitment scheme rests on two core properties: hiding and binding. The hiding property ensures the commitment string reveals no information about the committed value before it is opened, protecting privacy. The binding property guarantees that once a commitment is sent, the committer cannot change the underlying value to a different one when they later open it, ensuring integrity. These properties are typically achieved through cryptographic assumptions, such as the collision resistance of hash functions or the hardness of discrete log problems in schemes like Pedersen commitments.
In blockchain systems, commitments are a critical primitive enabling advanced functionality. They are the core mechanism behind Merkle trees, where data blocks are hashed into a single root commitment, allowing for efficient and verifiable proofs of inclusion. zk-SNARKs and other zero-knowledge proofs rely heavily on commitments to hide user inputs while proving statement validity. Confidential transactions use commitments like Pedersen commitments to encrypt transaction amounts on-ledger. Furthermore, data availability sampling in scaling solutions like danksharding involves committing to large data blobs with a small fingerprint, such as a KZG polynomial commitment.
A common practical example is a sealed-bid auction. A bidder computes a commitment to their bid amount using a random nonce and submits only the commitment. This hides their bid from other participants (hiding) while locking them into their offer (binding). Once all commitments are received and the bidding period ends, bidders reveal their bids and nonces. The auctioneer can then verify each revealed bid against its earlier commitment, ensuring no one changed their bid after seeing others' commitments, thereby guaranteeing a fair and transparent outcome.
Beyond basic hash-based commitments, advanced schemes offer additional properties. Vector commitments allow committing to an ordered list of values and later opening a proof for a specific element at position i. Polynomial commitments, such as KZG commitments, enable a prover to commit to a polynomial and later generate succinct proofs that the polynomial evaluates to a specific value at a given point, which is fundamental to modern zk-rollups. Homomorphic commitments allow mathematical operations to be performed on committed values without opening them, enabling private computations, as seen in some confidential asset protocols.
types-of-commitments
MECHANISMS
Types of Cryptographic Commitments
A cryptographic commitment is a digital analog of a sealed envelope, binding a user to a secret value without revealing it until a later reveal phase. Different schemes are optimized for specific properties like efficiency, privacy, or functionality.
01
Hash-Based Commitment
The most fundamental type, where a secret value is hidden by its cryptographic hash. The committer sends the hash digest H(value, salt) as the commitment. To open it, they reveal the original value and salt (nonce) for verification.
- Properties: Computationally binding, hiding under collision resistance.
- Example: Used in Bitcoin's transaction Merkle trees and simple lotteries.
02
Pedersen Commitment
An unconditionally hiding and computationally binding commitment scheme based on elliptic curve cryptography. It commits to a value v using a blinding factor r: C = v*G + r*H, where G and H are public generator points.
- Key Feature: Additive Homomorphism - the sum of commitments equals the commitment of the sum, enabling confidential transactions (e.g., Monero, Mimblewimble).
03
Polynomial Commitment
A commitment to a polynomial, allowing the prover to later reveal evaluations of the polynomial at specific points and provide proofs of correctness. This is a core primitive in Succinct Non-interactive ARguments of Knowledge (SNARKs) and Zero-Knowledge Rollups.
- Schemes: KZG commitments (used in Ethereum's EIP-4844) and FRI-based commitments are common implementations.
04
Vector Commitment
A commitment to an ordered sequence of values (a vector). It allows proving that a specific value is at a certain position in the committed vector without revealing the entire set. Merkle Trees are a widely used form of vector commitment.
- Application: Essential for verifiable databases, blockchain state proofs, and authenticated data structures.
05
zk-SNARK Commitment
In the zk-SNARK pipeline, a commitment scheme is often used within the Polynomial IOP (Interactive Oracle Proof) layer. The prover commits to polynomials encoding the witness and circuit constraints. Popular choices include IPA (Inner Product Argument) commitments, as used in Halo2 and zkEVM implementations, which don't require a trusted setup.
06
Timelock Commitment
A commitment that can only be opened after a specific amount of time has passed, enforced by a computational puzzle (e.g., repeated hashing) or a cryptographic primitive like a Verifiable Delay Function (VDF).
- Use Case: Preventing front-running in auctions, generating unbiased randomness beacons (e.g., Ethereum's RANDAO + VDF).
ecosystem-usage
IMPLEMENTATION PATTERNS
Commitments in Practice
A cryptographic commitment is a foundational primitive. In practice, it's implemented through specific schemes and used to build higher-level protocols.
02
Vector Commitments
A vector commitment scheme allows committing to an ordered list of messages. It enables succinct proofs for a specific element at a given position. Unlike Merkle trees, some schemes like KZG commitments allow for constant-sized proofs.
- Key Property: Can support proofs for individual positions.
- Primary Use: Data availability sampling in Ethereum's danksharding, verifiable databases.
03
Polynomial Commitments
A polynomial commitment allows a prover to commit to a polynomial and later reveal evaluations of that polynomial with a proof. The KZG commitment scheme is a prominent example, relying on trusted setup.
- Key Property: Enables efficient proof of polynomial evaluation.
- Primary Use: Core cryptographic engine for zk-SNARKs and data availability proofs in Ethereum's Proto-Danksharding (EIP-4844).
04
Commitment in ZK Proofs
In zero-knowledge proofs, commitments are used to bind the prover to a witness before the proof is generated, ensuring they cannot change it. This is often the first step in protocols like Groth16 and PLONK.
- Key Property: Hides the witness while guaranteeing consistency.
- Process: The prover commits to secret inputs; the verifier uses the commitment in the challenge phase.
05
Commitment in Rollups
Rollups post state commitments (often Merkle roots) to their parent chain (L1). This acts as a succinct summary of the rollup's state, which can be disputed or verified.
- Optimistic Rollups: Post commitments with a fraud-proof window.
- ZK-Rollups: Post validity proofs that cryptographically verify the correctness of the state transition, which inherently includes a commitment to the new state.
06
Pedersen Commitment
A Pedersen Commitment is an information-theoretically hiding and computationally binding commitment scheme based on discrete logarithms. It is additively homomorphic, meaning the commitment to the sum of two values equals the sum of their individual commitments.
- Key Property: Perfect hiding and homomorphism.
- Primary Use: Confidential transactions (e.g., Monero, Mimblewimble), blinding factors in cryptographic protocols.
role-in-modular-stack
DATA AVAILABILITY & VALIDITY
Role in the Modular Stack
In a modular blockchain architecture, the separation of execution, settlement, consensus, and data availability layers creates a critical need for verifiable proofs that link state transitions across the system. This is the role of commitments.
A commitment is a cryptographic proof that cryptographically binds a dataset—such as a block of transactions or a state root—to a compact, verifiable digest. In the modular stack, these commitments act as the connective tissue between layers. For instance, a rollup's execution layer produces a new state root and commits to its transaction data, publishing this commitment (often as a Merkle root or KZG commitment) to a data availability layer like Celestia or EigenDA. This allows any verifier to check that the data exists without downloading it all, a property known as data availability sampling.
The security of the entire system hinges on the cryptographic soundness of these commitments. A fraud proof or validity proof (zk-proof) does not verify the execution from scratch; instead, it verifies that the execution was performed correctly relative to the committed data and starting state. If the data is unavailable (data withholding attack), these fraud proofs cannot be constructed, and the system cannot challenge invalid state transitions. Therefore, the commitment scheme must be binding (the prover cannot claim a different dataset) and often hiding (the digest reveals no information about the underlying data).
Different layers employ specialized commitments optimized for their function. The consensus layer (e.g., a Layer 1 like Ethereum) may commit to the rollup's state root in its own blockchain, finalizing it. Settlement layers use these commitments to verify proofs and resolve disputes. Data availability layers use them to enable light clients to verify data availability. This creates a chain of trust: a zk-rollup's validity proof commits to a state change; that proof is verified on a settlement layer which commits to the proof's validity; and the entire sequence is anchored in a robust consensus layer, with data availability guaranteed separately.
security-considerations
GLOSSARY TERM
Security Considerations & Trust Assumptions
A commitment is a cryptographic promise to a specific value, allowing it to be revealed and verified later without alteration. In blockchain systems, commitments are fundamental primitives for ensuring data integrity and enabling privacy.
01
Cryptographic Hash as a Commitment
The most common form of commitment is a hash commitment. A prover generates a cryptographic hash (e.g., SHA-256) of a secret value and publishes the hash digest. Later, they reveal the original value. Anyone can verify the commitment by hashing the revealed value and checking it matches the original digest. This ensures the value was not changed after the commitment was made.
02
Hiding & Binding Properties
A secure commitment scheme must provide two core security properties:
- Hiding: The commitment digest reveals no information about the committed value before it is opened.
- Binding: It is computationally infeasible for the committer to find a different value that produces the same commitment digest, preventing them from changing their mind. These properties are essential for trustless protocols.
03
Trust Assumptions in Commitments
Commitments reduce trust assumptions but do not eliminate them. Security depends on:
- Cryptographic Assumptions: The hash function (e.g., SHA-256) must be collision-resistant and pre-image resistant.
- Randomness: Many schemes require a secure random nonce (or salt) to ensure hiding. If the nonce is predictable, the commitment may leak information.
- Implementation: The protocol must correctly generate, store, and verify the commitments.
04
Applications in Blockchain
Commitments are used throughout blockchain architecture:
- Merkle Trees: Leaf hashes commit to transaction data; the root hash commits to the entire state.
- Confidential Transactions: Pedersen commitments hide transaction amounts while allowing balance verification.
- ZK-SNARKs/STARKs: Commit to public inputs and a proof.
- Light Clients: Block headers commit to the chain's history via state roots.
05
Vulnerabilities & Attacks
Key security risks include:
- Hash Function Break: A cryptographic breakthrough that finds collisions compromises binding.
- Weak Randomness: A predictable nonce can allow an attacker to brute-force the committed value.
- Timing Attacks: Side-channel attacks during commitment generation or verification.
- Data Availability: A valid commitment (like a Merkle root) is useless if the underlying data is withheld, a core challenge in fraud-proof systems.
06
Commitment vs. Promise
In blockchain contexts, distinguish a cryptographic commitment from a social or economic promise:
- Cryptographic Commitment: A mathematically verifiable, immutable pledge (e.g., a hash).
- Economic/Social Promise: A pledge enforced by game theory or legal contracts (e.g., a validator's promise to behave honestly). Many protocols, like Proof-of-Stake, use both: a cryptographic commitment to a block and a financial stake that can be slashed for breaking a promise.
CRYPTOGRAPHIC PRIMITIVES
Comparison of Commitment Schemes
A technical comparison of common cryptographic commitment schemes used in blockchain protocols for binding to a value while keeping it hidden.
| Feature / Property | Pedersen Commitment | Merkle Tree Commitment | Vector Commitment | Polynomial Commitment |
|---|---|---|---|---|
Cryptographic Basis | Discrete Logarithm (Elliptic Curve) | Cryptographic Hash Function (e.g., SHA-256) | Cryptographic Hash Function / Pairings | Algebraic Polynomials (KZG, IPA) |
Hiding Property | Unconditionally (Perfectly) Hiding | Computationally Hiding | Computationally Hiding | Computationally Hiding |
Binding Property | Computationally Binding | Computationally Binding | Computationally Binding | Unconditionally (Perfectly) Binding |
Proof Size (Single Element) | O(1) - 32-48 bytes | O(log n) - ~1-2 KB | O(1) - ~48 bytes | O(1) - 48-96 bytes |
Aggregation Support | ||||
Vector / Batch Opening | ||||
Trusted Setup Required | ||||
Primary Use Case | Confidential Transactions, ZKPs | Data Integrity, Merkle Proofs | Stateless Clients, Verifiable Databases | ZK-SNARKs, Scalable Blockchains |
COMMITMENT
Frequently Asked Questions
A commitment is a cryptographic proof that binds a prover to a specific piece of data without revealing the data itself. This section answers common questions about how commitments work in blockchain systems like Ethereum and their critical role in scaling and privacy.
A cryptographic commitment is a digital scheme that allows one party to commit to a chosen value (or set of data) while keeping it hidden, with the ability to later reveal the value in a verifiable way. It works in two phases: the Commit Phase, where the committer generates a short, fixed-size binding value (the commitment) using a one-way function like a hash, and the Reveal Phase, where the original data and any necessary opening proof are disclosed for verification. This ensures hiding (the commitment reveals nothing about the data) and binding (the committer cannot later change the committed data). In blockchains, commitments are fundamental to protocols like zk-SNARKs and data availability solutions such as KZG commitments.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall