Cryptographic Commitment

A secure commitment scheme must have two core properties:

• Hiding: The commitment value (the hash digest) reveals no information about the original secret data.
• Binding: Once committed, the committer cannot change the original data to a different value. Any attempt to reveal a different value will fail verification.

These properties ensure the commitment acts as a sealed, tamper-proof envelope.

This is the standard two-phase protocol for using commitments:

1. Commit: A user generates a secret (e.g., a bid, a random number). They compute a cryptographic hash (like SHA-256) of the secret, producing a commitment. This hash is published to the network.
2. Reveal: Later, the user publishes the original secret data. Anyone can hash the revealed data and verify it matches the earlier published commitment.

This prevents front-running in auctions and enables fair random number generation.

Merkle trees are a hierarchical application of commitments. Each leaf node is a hash of a data block, and each non-leaf node is a hash of its child nodes' hashes. The single Merkle root at the top is a commitment to the entire dataset.

• Light Clients can verify a specific piece of data is included in a block using a compact Merkle proof, without downloading the entire chain.
• This structure is fundamental for blockchain headers and efficient data verification.

Commitment schemes are the essential building blocks for zero-knowledge proofs (ZKPs) like zk-SNARKs and zk-STARKs.

• They allow a prover to commit to a secret witness (e.g., a private key) without revealing it.
• The proof is then constructed to demonstrate knowledge of the committed value and that it satisfies certain constraints (e.g., a valid transaction).
• This enables private transactions and scalable rollups (ZK-Rollups).

A specific type of homomorphic commitment used extensively in confidential transactions (e.g., Monero, Mimblewimble).

• It allows values to be committed to in a way that they can be added together while remaining hidden.
• This enables the verification that the sum of inputs equals the sum of outputs in a transaction (confidential assets) without revealing the individual amounts.
• Relies on elliptic curve cryptography and a trusted setup for security.

A commitment scheme where the committed value is an ordered list or vector of elements. It allows for efficient proofs about specific positions within the vector.

• Verkle Trees, proposed for Ethereum state storage, use vector commitments (like KZG commitments) instead of Merkle trees.
• This drastically reduces proof sizes, enabling stateless clients and more efficient witnesses, which is critical for scaling.

The most fundamental type, where a secret value is hidden by its cryptographic hash. The prover sends the hash (the commitment) first, then later reveals the original value. This is computationally binding (hard to find a different input with the same hash) and computationally hiding (the hash reveals nothing about the input).

• Example: Committing to a bid in an auction or a random number before a dice roll.

An unconditionally hiding and computationally binding commitment scheme based on elliptic curve cryptography. It allows for homomorphic addition, meaning commitments to values A and B can be combined to create a commitment to (A + B) without revealing the individual values. This is crucial for confidential transactions.

• Key Property: Even with infinite computing power, the committed value remains hidden.

A commitment to a polynomial, enabling a prover to later reveal evaluations of the polynomial at specific points and prove they are consistent with the committed polynomial. This is the core cryptographic engine behind zk-SNARKs and zk-STARKs.

• Common Schemes: KZG commitments (used in Ethereum's EIP-4844) and FRI-based commitments.
• Use Case: Committing to the execution trace of a program in a zero-knowledge proof.

A commitment to an ordered list (vector) of values. It allows the prover to later open the commitment at a specific position, proving the value at that index. Merkle Trees are the most common form of vector commitment.

• Properties: Provides succinct proofs (a Merkle proof) that a specific element is part of the committed set.
• Application: Storing account states or transaction batches in a compact, verifiable way.

The first message in a three-step (commit, challenge, respond) interactive proof system. The prover sends a commitment to random values, which binds them to a specific proof path before receiving the verifier's random challenge. This prevents the prover from cheating by adapting their response.

• Role: Ensures the soundness of zero-knowledge proofs like Schnorr signatures.
• Mechanism: Often implemented using a hash function, binding the prover's initial randomness.

A commitment that can only be opened after a certain amount of computational work has been performed, effectively creating a time delay. This is based on verifiable delay functions (VDFs) or sequential hash puzzles.

• Property: Sequential in nature; the work cannot be parallelized.
• Application: Generating unbiased randomness (e.g., in proof-of-stake protocols) and preventing front-running.

Zero-knowledge proofs (ZKPs) rely heavily on commitment schemes to hide prover inputs while allowing verification. A Pedersen commitment or polynomial commitment (e.g., KZG) is used to commit to secret witness data. The prover then generates a proof that computations on the committed values are correct, enabling applications like private transactions (Zcash) and ZK-rollups without revealing underlying details.

Blockchains require unpredictable, bias-resistant randomness for consensus and applications. Commit-Reveal schemes are a standard solution:

• Commit Phase: Participants submit a hash (commitment) of their secret random number.
• Reveal Phase: Participants later reveal their numbers, which are combined. The initial commitment prevents them from changing their contribution after seeing others'. This is used in Ethereum's RANDAO and, when combined with a Verifiable Delay Function (VDF), creates strong, unpredictable randomness.

Cross-chain atomic swaps use a hashlock, a type of cryptographic commitment, to enable trustless trades. The process uses a Hashed Timelock Contract (HTLC):

1. Party A locks funds in a contract, committing to a secret preimage by publishing its hash.
2. Party B can claim these funds only by revealing the preimage, which also allows Party A to claim funds from Party B's chain. This ensures the swap either completes entirely for both parties or is refunded, with no intermediary.

In Optimistic Rollups, a sequencer commits to the new state root of the rollup chain by publishing it on the parent chain (e.g., Ethereum). This commitment is assumed valid (optimistic). During a challenge period, any watcher can compute a fraud proof if they detect invalid state transitions. The fraud proof demonstrates that the committed state root is inconsistent with the previously committed data and the rules of the virtual machine, forcing a rollback.

Light clients, which do not store the full blockchain, rely on commitments to efficiently verify chain data. They download and trust only the block headers, which contain commitments like the state root (Merkle root of all accounts) and transactions root. To verify a specific transaction or account state, a full node provides a Merkle proof—a path of hashes from the data to the committed root in the header. This allows secure verification with minimal data.

A secure commitment scheme must be collision-resistant, meaning it's computationally infeasible to find two different inputs (x and y) that produce the same commitment hash H(x) = H(y). A failure here allows an attacker to equivocate, committing to one value and later revealing another. Similarly, preimage resistance prevents reversing the hash to find the original secret after the commitment is published. Weak hash functions (like MD5, SHA-1) are vulnerable to these attacks, compromising the binding property.

The hiding property ensures the committed value remains secret until reveal. This relies critically on a high-entropy random nonce (salt). If the nonce is predictable, reused, or of low quality, an attacker can perform a brute-force search to guess the committed value. In protocols like Pedersen Commitments, the discrete log assumption secures the hiding. Poor randomness management is a common implementation flaw that leaks information before the intended reveal phase.

The security model assumes the committer cannot change their mind after the commitment is broadcast. However, implementation flaws can break this:

• Front-running: In blockchain contexts, a malicious validator might see a commitment in the mempool, compute the reveal, and front-run the original transaction.
• Time-Lock Puzzles: If a reveal is required within a specific block range, network congestion or targeted denial-of-service (DoS) attacks can prevent timely revelation, causing a protocol failure.
• Side-channel attacks on the commitment generation hardware/software can leak the secret.

Commitments are rarely used in isolation. Their security depends on the broader protocol:

• Commit-Reveal Schemes: Require secure channels for the reveal phase. If the reveal is intercepted or blocked, the commitment is useless.
• Binding in Smart Contracts: A contract must correctly verify that the revealed data hashes to the original commitment. Flawed verification logic is a common smart contract vulnerability.
• Data Availability: In scaling solutions like rollups, the commitment (e.g., a state root) is posted on-chain, but the underlying data must be available off-chain for verification. Data withholding attacks can make fraud proofs impossible.

Commitment schemes depend on specific cryptographic assumptions (e.g., hardness of discrete log, collision resistance). Cryptographic agility—the ability to migrate to new algorithms—is crucial. A hash function considered secure today (like SHA-256) may be broken by future advances in quantum computing or cryptanalysis. Systems must be designed to allow for upgrades to post-quantum cryptographic commitments without breaking the protocol's state or historical data integrity.

In systems like optimistic rollups, a single commitment (state root) represents a batch of transactions. Challenging an invalid commitment requires a fraud proof. This creates a verifier's dilemma: the cost of verifying every commitment may outweigh the reward for catching fraud, leading to apathy. A rational actor might assume someone else will verify. This economic imbalance can be exploited if the cost to publish a fraudulent commitment is low but the cost to challenge it is high, undermining the system's security.

A cryptographic hash function is a one-way function that maps data of arbitrary size to a fixed-size output (a digest). It is the most common tool for creating a commitment, as the hash of a secret value serves as the commitment string. Key properties include:

• Pre-image resistance: It is computationally infeasible to find the original input from its hash.
• Collision resistance: It is infeasible to find two different inputs that produce the same hash.
• Deterministic: The same input always yields the same output. Examples include SHA-256 and Keccak-256, which are used in Bitcoin and Ethereum, respectively.

A Merkle tree is a hierarchical data structure that uses cryptographic hashes to efficiently and securely verify the contents of large datasets. It is a powerful application of commitment schemes.

• Each leaf node is a hash of a data block.
• Non-leaf nodes are hashes of their child nodes.
• The Merkle root serves as a single, compact commitment to the entire dataset. This allows for Merkle proofs, where one can prove a specific piece of data is included in the set without revealing the whole set, a technique fundamental to blockchain light clients and data availability.

A Zero-Knowledge Proof is a cryptographic protocol where one party (the prover) can prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement. Commitments are a core component.

• The prover often commits to secret witness data.
• The proof demonstrates that the committed values satisfy a public constraint (e.g., a circuit).
• The commitment's hiding property keeps the witness secret, while its binding property ensures the proof is sound. This enables private transactions and scalable computations in protocols like zk-SNARKs and zk-STARKs.

A Pedersen Commitment is a specific type of commitment scheme with additive homomorphic properties, based on elliptic curve cryptography. It provides perfect hiding and computational binding.

• The commitment is formed as C = r*G + v*H, where v is the committed value, r is a blinding factor, and G, H are public generator points.
• Its homomorphic nature allows for operations on commitments (e.g., C1 + C2 commits to v1 + v2) without revealing the underlying values. This is crucial for confidential transactions in cryptocurrencies like Monero and Mimblewimble-based chains, where amounts must be hidden yet verifiable.

A Verifiable Random Function is a cryptographic primitive that produces a pseudorandom output and a proof for that output from a given input and secret key. It functions as a specialized, provable commitment to randomness.

• The output is deterministic yet unpredictable to anyone without the secret key.
• The proof allows anyone to verify the output was correctly generated without revealing the key. This is used in blockchain consensus mechanisms (e.g., Algorand, Cardano's Ouroboros Praos) for leader election and in smart contracts for generating provably fair random numbers.

Data Availability refers to the guarantee that all data necessary to validate a blockchain block is published and accessible to network participants. Cryptographic commitments are central to verifying this property.

• Block producers commit to the full block data (e.g., via a Merkle root).
• Light clients or other nodes can then use Data Availability Sampling (DAS) to probabilistically verify that the committed data is indeed available without downloading it entirely.
• If data is withheld, the commitment can be used to fraud-proof the invalid block. This is a critical security consideration for scaling solutions like Ethereum's danksharding.