Commitment scheme
A commitment scheme is a fundamental cryptographic primitive that enables a committer to bind themselves to a chosen value (such as a message or bit) while concealing it from a receiver during a commitment phase, followed by a reveal phase where the value can be disclosed and verified.[1] The scheme operates in two main stages: in the commit stage, the committer generates a commitment string using the value, randomness, and possibly a key, which is sent to the receiver; in the open stage, the committer provides the value and auxiliary information to allow the receiver to verify it against the commitment.[2] Security relies on two core properties: hiding, ensuring the commitment reveals no information about the value (either computationally or statistically), and binding, preventing the committer from opening the commitment to a different value after submission.[1] These properties can be achieved computationally (under assumptions like the hardness of discrete logarithms) or unconditionally, depending on the scheme.[2]
The concept of commitment schemes emerged in the early 1980s, with early implicit uses in protocols like mental poker by Shamir, Rivest, and Adleman in 1981, but was formally introduced by Manuel Blum in 1982 as part of a coin-flipping protocol over telephone to solve "impossible problems" in a fair manner without trust.[2][3] Blum's work highlighted commitments as a tool for two-party computation, where one party commits to a random bit to simulate a fair coin flip, preventing cheating.[3] Subsequent developments formalized the primitive in interactive settings, with security definitions refined in the late 1980s and 1990s.[2]
Notable constructions include the Pedersen commitment scheme, proposed by Torben P. Pedersen in 1991 as part of a verifiable secret-sharing protocol, which works in a prime-order group where the discrete logarithm problem is hard (originally a subgroup of \mathbb{Z}_p^*, today commonly an elliptic curve group) and yields an additively homomorphic commitment that is perfectly hiding and computationally binding under the discrete logarithm assumption.[4] In Pedersen's scheme, a commitment to a value v with blinding factor r is computed as C = g^v \cdot h^r \mod p, where g and h are generators, allowing efficient verification and composition for applications like zero-knowledge proofs.[4] Other variants include statistically hiding schemes based on hash functions or lattices, and non-interactive versions using the Fiat-Shamir heuristic.[1]
Commitment schemes are essential building blocks in advanced cryptographic protocols, including zero-knowledge proofs (e.g., in the Goldreich-Micali-Wigderson and Brassard-Chaum-Crépeau frameworks), secure multiparty computation, verifiable secret sharing, and electronic voting systems, where they ensure fairness by allowing parties to pre-commit without revealing intentions prematurely.[2] Their versatility has led to ongoing research into quantum-resistant versions and optimizations for blockchain applications, such as in privacy-preserving transactions.[1]
Fundamentals
Definition
A commitment scheme is a cryptographic primitive that allows a sender to bind to a chosen value or message while keeping it hidden from a receiver, with the ability to later reveal the value in a way that can be verified as authentic and unchanged. This mechanism ensures the sender cannot alter the committed value after the commitment phase, providing a foundation for secure multi-party interactions in cryptography.
Intuitively, a commitment scheme resembles placing a secret inside a locked, opaque safe: the sender can deliver the safe to the receiver without disclosing the contents, and at a later point, provide the key to open it, proving the original value was inside without any modifications. The concept was first introduced by Manuel Blum in 1982, in the context of enabling fair coin flipping between two parties communicating over an insecure channel like a telephone, where one party commits to a random bit before the other guesses it.[5]
Formally, a commitment scheme is specified by three algorithms, typically required to run in probabilistic polynomial time:
- A commitment algorithm \text{Commit}, which takes as input a message m from a specified message space \mathcal{M} and a string of randomness r from a randomness space \mathcal{R}, and outputs a commitment c \in \mathcal{C}.
- An opening algorithm (often called \text{Open} or \text{Reveal}), which on input m and r simply outputs the pair (m, r).
- A verification algorithm \text{Verify}, which takes c, m, and r as input and outputs 1 (accept) if c = \text{Commit}(m, r) and 0 (reject) otherwise.
This structure guarantees that any valid opening of a commitment uniquely recovers the committed message.[6]
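For concreteness, the following minimal Python sketch instantiates the three algorithms with SHA-256 standing in for the commitment function (a heuristic choice, anticipating the random oracle construction described under Constructions); the function names and the 32-byte randomness length are illustrative, not part of the formal definition.

import os
import hashlib

def commit(message: bytes) -> tuple[bytes, bytes]:
    # Commit: sample fresh randomness r and output c = H(r || m).
    r = os.urandom(32)
    c = hashlib.sha256(r + message).digest()
    return c, r

def open_commitment(message: bytes, r: bytes) -> tuple[bytes, bytes]:
    # Open: simply release the message together with the randomness.
    return message, r

def verify(c: bytes, message: bytes, r: bytes) -> bool:
    # Verify: recompute the commitment and compare.
    return hashlib.sha256(r + message).digest() == c

# Commit, then open and verify; a mismatched message is rejected.
c, r = commit(b"attack at dawn")
assert verify(c, *open_commitment(b"attack at dawn", r))
assert not verify(c, b"retreat", r)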
Commitment schemes are often categorized as bit commitment schemes, which handle single bits (m \in \{0,1\}), or string commitment schemes, which support longer messages (m \in \{0,1\}^n for n > 1); the latter can typically be constructed from the former by committing to each bit separately and concatenating the commitments. Such schemes serve as essential building blocks in protocols like zero-knowledge proofs.
Basic Protocol
A commitment scheme operates through a standard two-phase protocol between a sender, also known as the committer, and a receiver. This protocol enables the sender to bind to a chosen message while initially concealing it from the receiver.[1]
In the commit phase, the sender selects a message m from the message space and generates suitable randomness r, then computes the commitment c = \text{Commit}(m, r) using the scheme's commitment algorithm. The sender transmits c to the receiver, who acknowledges receipt to confirm the commitment has been established.[7][1]
In the reveal phase, the sender discloses the message m and the randomness r to the receiver. The receiver then executes the verification algorithm \text{Verify}(c, m, r); if it accepts, the receiver recovers m as the opened value, otherwise the reveal is rejected as invalid.[7][1]
The following pseudocode outlines the protocol flow, assuming the commitment scheme provides \text{Commit} and \text{Verify} algorithms as defined in the scheme's specification:
Commit Phase:
Sender:
- Choose message m ∈ MessageSpace
- Generate randomness r ∈ RandomnessSpace
- Compute c ← Commit(m, r)
- Send c to Receiver
Receiver:
- Receive c
- Send acknowledgment to Sender
Reveal Phase:
Sender:
- Send (m, r) to Receiver
Receiver:
- Receive (m, r)
- If Verify(c, m, r) = accept, output m
- Else, reject the reveal
This protocol assumes an honest receiver who follows the steps without deviation and does not address mechanisms for handling early termination or abort by either party.[1][8]
Security Properties
Binding
In a commitment scheme, the binding property guarantees that the committer cannot produce two different valid openings for the same commitment value c, thereby preventing equivocation. This ensures the integrity of the committed value once the commitment phase is complete. Formally, in the binding game, an adversary \mathcal{A} is given access to the commitment algorithm and attempts to output a commitment c along with two distinct messages m \neq m' and openings r, r' such that both \mathsf{Verify}(c, m, r) and \mathsf{Verify}(c, m', r') accept; the scheme is binding if no probabilistic polynomial-time (PPT) adversary succeeds except with negligible probability in the security parameter \lambda.[9][10]
Binding can be categorized by the strength of the security guarantee. Computational binding holds against PPT adversaries, relying on the assumed hardness of underlying computational problems, as established in early constructions based on one-way functions. Statistical binding strengthens this to ensure that even unbounded adversaries succeed only with negligible probability, providing information-theoretic security against equivocation. Perfect binding goes further, making it impossible for any adversary—bounded or unbounded—to find two valid openings for the same commitment, such that the committed value is uniquely determined by c.[9][10]
This property is crucial in protocols like coin flipping, where it prevents a party from altering their choice after committing, as originally motivated in Blum's seminal work on fair coin flipping by telephone.[5] The binding property complements the hiding property by focusing on the committer's inability to cheat, rather than the receiver's inability to learn the message prematurely.[9]
Hiding
The hiding property in a commitment scheme ensures that the receiver learns no information about the committed message until the reveal phase. This property is essential for maintaining secrecy during the commitment stage, preventing the receiver from gaining any advantage in guessing or influencing the committed value.
Computational hiding is the standard security notion, requiring that no probabilistic polynomial-time (PPT) adversary can distinguish a commitment to message m from a commitment to a different message m' with non-negligible advantage. Formally, in the hiding security game, the adversary selects two equal-length messages m_0 and m_1; a challenger flips a random bit b and computes the commitment c to m_b, sending c to the adversary, who then outputs a guess b' for b. For the scheme to be computationally hiding, the adversary's success probability must be at most \frac{1}{2} + \nu(\lambda), where \nu is a negligible function in the security parameter \lambda.[9]
Perfect hiding strengthens this to hold against unbounded adversaries, meaning the distributions of commitments to any two messages are statistically identical, revealing no information even information-theoretically. A simple illustration is a one-time-pad "commitment", where the commitment is the message XORed with a uniformly random string of equal length: the output is uniform and independent of the message, although such a construction offers no binding, since any commitment can be opened to any message by choosing the pad accordingly. The Pedersen commitment scheme achieves perfect hiding in groups where the discrete logarithm problem is hard: to commit to message m, the committer selects a random r and computes c = g^m h^r, where g and h are generators; since r is random, c is uniformly distributed in the group regardless of m.[4][9]
Statistical hiding is an intermediate notion between computational and perfect hiding, where the statistical distance between commitment distributions for different messages is negligible (e.g., 2^{-\Omega(\lambda)}). This holds against unbounded adversaries but allows a small, quantifiable leakage. Constructions achieving statistical hiding, such as those based on any one-way function via interactive hashing, ensure that the receiver's views of commitments to bit 0 and to bit 1 are statistically close.[11]
There is a fundamental trade-off in commitment schemes: statistical (or perfect) hiding is incompatible with statistical (or perfect) binding. Hiding requires that commitments to different messages have (nearly) identical distributions, while binding requires that a commitment (almost) uniquely determine the committed message, and no scheme can satisfy both unconditionally. Thus, perfectly binding schemes can achieve at most computational hiding, and perfectly hiding schemes at most computational binding.[9]
Composability Limitations
A fundamental limitation of commitment schemes arises when they are integrated into larger cryptographic protocols under the universal composability (UC) framework, which requires security to hold even in arbitrary composed environments. While commitment schemes can satisfy standalone hiding and binding properties, no two-party UC-secure commitment scheme exists in the plain model without additional setup assumptions.[12] This impossibility, proven by Canetti and Fischlin, stems from the inability to simultaneously ensure extractability (for binding) and equivocality (for hiding) in a way that withstands concurrent and adaptive attacks across protocol compositions without trusted infrastructure.[12]
The result highlights deeper challenges related to black-box versus non-black-box constructions. Black-box approaches, which access primitives only as oracles without inspecting their internals, cannot achieve UC security for commitments in the standard model, as demonstrated by separations showing that such reductions fail to handle the simulation requirements of the UC framework.[13] Non-black-box techniques, which may rewrite or analyze the code of underlying primitives, are often necessary but complicate proofs and increase reliance on specific assumptions.
To mitigate these composability issues, UC-secure commitment schemes can be constructed in models with setup, such as the common reference string (CRS) model, where a trusted string is publicly available to all parties.[12] Alternatively, the random oracle (RO) model allows non-interactive commitments to be upgraded to UC-secure variants by modeling hash functions as ideal oracles, preserving properties like perfect binding when starting from suitable base schemes.[14] These setups enable equivocality through simulation of the reference string or oracle responses, though they introduce dependencies on the trustworthiness of the setup phase.
These limitations have significant implications for protocol design: commitment schemes proven secure in isolation may inadvertently leak information or enable attacks when embedded in multi-protocol systems, such as secure multiparty computation or zero-knowledge proofs.[12] Designers must therefore incorporate setup assumptions or hybrid models from the outset to ensure composable security, prioritizing UC analysis over standalone notions to avoid subtle composition failures.[15]
Applications
Coin Flipping by Telephone
Coin flipping by telephone refers to a cryptographic protocol that enables two parties, such as Alice and Bob, to fairly generate a random bit over an insecure communication channel like a telephone, without requiring mutual trust. This primitive ensures that neither party can bias the outcome, addressing scenarios where physical presence is impossible, such as deciding possession of assets after a divorce. The concept was introduced by Manuel Blum in 1981 as a foundational example demonstrating the power of cryptographic protocols to solve "impossible" problems in distributed settings.[16]
The protocol leverages a commitment scheme to achieve fairness. Alice first samples a random bit b \in \{0, 1\} and computes a commitment c to b using the commitment algorithm, along with randomness r; she sends c to Bob. Bob then samples his own random bit b' \in \{0, 1\} and sends it to Alice. Finally, Alice reveals b and r to Bob, who verifies that c opens correctly to b; if valid, both parties compute the coin flip outcome as b \oplus b', where \oplus denotes bitwise XOR. This process ensures the final bit is uniformly random and unpredictable by either party in advance.[9]
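The flow can be traced in a short Python simulation, reusing a SHA-256 hash commitment (an illustrative instantiation; Blum's original protocol was built on number-theoretic commitments):

import os
import hashlib

def commit_bit(b: int) -> tuple[bytes, bytes]:
    r = os.urandom(32)
    return hashlib.sha256(r + bytes([b])).digest(), r

# Commit phase: Alice commits to her bit; Bob sees only c.
alice_bit = os.urandom(1)[0] & 1
c, r = commit_bit(alice_bit)

# Bob replies with his own random bit, chosen without knowledge of Alice's.
bob_bit = os.urandom(1)[0] & 1

# Reveal phase: Alice discloses (alice_bit, r); Bob verifies before XORing.
assert hashlib.sha256(r + bytes([alice_bit])).digest() == c
print("coin flip:", alice_bit ^ bob_bit)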
The security of the protocol relies on the hiding and binding properties of the underlying commitment scheme. Hiding guarantees that Bob learns nothing about Alice's bit b from the commitment c, preventing him from choosing b' to force a desired outcome (e.g., always winning a bet). Binding ensures that Alice cannot later open c to a different bit after observing Bob's b', thus prohibiting her from biasing the result in her favor. These properties collectively make the protocol secure against cheating by either participant, assuming the commitment scheme is computationally secure.[9]
If the commitment scheme lacks binding, Alice could exploit ambiguity in c to reveal a bit that matches her preference after seeing b', always ensuring b \oplus b' = 1 (or her desired value), thereby breaking fairness. Conversely, without hiding, Bob could infer b from c and select b' accordingly to control the outcome, rendering the coin flip predictable and biased. Blum's original work highlighted these vulnerabilities to underscore the necessity of robust commitment primitives for such protocols.[16]
Zero-Knowledge Proofs
Commitment schemes are integral to the construction of zero-knowledge proofs, enabling the prover to demonstrate knowledge of a witness without revealing it. In the classic zero-knowledge proof for graph isomorphism, due to Goldreich, Micali, and Wigderson (the notion of zero knowledge itself having been introduced by Goldwasser, Micali, and Rackoff), the prover commits to a randomly permuted version of one input graph, thereby hiding the isomorphism witness. Upon receiving a verifier challenge specifying which graph to match, the prover opens the commitment accordingly, proving consistency without exposing the full isomorphism. This protocol relies on the hiding property of commitments to ensure that the transcript reveals no information beyond the validity of the statement, allowing a simulator to produce indistinguishable views.[17]
The Fiat-Shamir heuristic utilizes commitments to convert interactive zero-knowledge proofs into non-interactive variants within the random oracle model. In this paradigm, the prover generates an initial commitment to a random value that masks the witness, then computes the verifier's challenge as a hash of the commitment and public inputs, followed by a response that verifies the proof. Commitments here serve dual roles: hiding the witness during the commitment phase and providing binding to prevent malleability in the response, thus preserving both soundness and zero-knowledge when instantiated with a secure hash function modeled as a random oracle.[18]
Soundness in zero-knowledge proofs is amplified through parallel repetition, where multiple independent instances of the protocol are executed simultaneously, each employing distinct commitments to uncorrelated random values. This approach exponentially reduces the soundness error—for instance, if a single repetition has soundness error 1/2, k parallel repetitions yield error at most 2^{-k}—by leveraging the statistical independence ensured by fresh commitments across instances. The hiding property of these fresh commitments likewise underpins the simulation of the verifier's view in the amplified protocol.
Digital Signatures
Commitment schemes play a foundational role in constructing secure digital signature schemes by providing mechanisms to bind a signer to a message while optionally concealing its content during the signing process. In particular, they enable one-time signatures and privacy-preserving variants, ensuring non-repudiation through binding properties and user privacy through hiding. This integration allows signatures to achieve provable security under standard cryptographic assumptions, such as the existence of one-way functions.[19]
A prominent example is the Lamport one-time signature scheme, which relies on one-way functions to create commitments to individual bits of a message digest. For a 256-bit hash, the signer's public key consists of 256 pairs of values: for each bit position i, a pair (\alpha_i^0, \alpha_i^1) where \alpha_i^0 = f(s_i^0) and \alpha_i^1 = f(s_i^1), with f a one-way function and s_i^b random secrets for bit b. To sign a message m, the signer computes the hash h = H(m) and, for each bit h_i, reveals the secret s_i^{h_i} corresponding to that bit, forming the signature. Verification recomputes h = H(m) and checks that f(s_i^{h_i}) = \alpha_i^{h_i} for all i. This setup uses the one-way function f as a commitment mechanism: the public key commits to all possible bit values in advance, and revealing the appropriate preimage binds the signature to the specific message hash without allowing forgery, as inverting f is computationally infeasible. The scheme is secure for one use only, as reusing a key reveals additional secrets and enables forgeries.[19]
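A condensed Python sketch of Lamport's scheme follows, using SHA-256 both as the one-way function f and as the message hash H (common instantiation choices; the 256-bit digest length matches the description above):

import os
import hashlib

N = 256  # bits in the message digest

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Secret key: N pairs of random preimages; public key: their images under f = H.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, message: bytes):
    # Reveal, for each bit of H(message), the matching secret preimage.
    return [sk[i][b] for i, b in enumerate(bits(H(message)))]

def verify_sig(pk, message: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(H(message))))

sk, pk = keygen()
sig = sign(sk, b"hello")
assert verify_sig(pk, b"hello", sig)
assert not verify_sig(pk, b"goodbye", sig)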
In blind signature schemes, commitment schemes explicitly hide the message from the signer during the protocol, allowing the user to obtain a valid signature on a concealed input. A canonical construction, such as Fischlin's round-optimal scheme in the common reference string model, begins with the user generating a commitment U = \mathsf{Com}(m; r) to the message m using a non-interactive, perfectly binding, and computationally hiding commitment scheme. The user sends U to the signer, who produces a standard signature \sigma on U using an underlying signature scheme. The user then extracts a blind signature on m by combining \sigma with an extractable commitment to the pair (m, U), accompanied by a non-interactive zero-knowledge proof of validity. This ensures the signer learns nothing about m (blindness), as the commitment hides it, while the final signature verifies normally on m. The protocol achieves concurrent security under general assumptions like trapdoor permutations.[20]
The security of these commitment-based signatures hinges on the core properties of the underlying commitments. The binding property prevents the signer from disavowing the signature, as the commitment fixes the signed value (e.g., message hash or blinded input) immutably, enabling non-repudiation: once signed, the signer cannot produce a different valid opening without breaking binding. Conversely, the hiding property protects user privacy by concealing the message content from the signer during issuance, crucial in applications like anonymous credentials where linkage must be avoided. In hash-and-sign paradigms, such as those extending RSA or ECDSA, the hash function serves as a simple computationally binding commitment to the message, with binding inherited from the collision resistance of the hash; the signature is applied to the hash value, reducing the problem to signing short digests (a plain hash provides no hiding, which is why privacy-oriented variants add explicitly randomized commitments). These properties collectively ensure existential unforgeability against adaptive chosen-message attacks, as proven in the security reductions of the respective schemes.[19][20]
Verifiable Secret Sharing
Verifiable secret sharing (VSS) allows a dealer to distribute shares of a secret to n participants such that each can independently verify the correctness of their share without learning the secret, and cheaters can be detected during reconstruction. Commitment schemes are integral to VSS, enabling the dealer to publicly commit to the underlying sharing polynomial in a way that binds the shares while hiding the secret. This prevents malicious dealers from distributing inconsistent shares and dishonest participants from contributing invalid ones during pooling.[21]
Feldman's 1987 scheme realizes VSS using commitments based on the discrete logarithm assumption in a prime-order subgroup of \mathbb{Z}_p^*, where p is a large prime and q is the prime order of the subgroup. The dealer selects a degree-t polynomial Q(x) = s + a_1 x + \cdots + a_t x^t with coefficients in \mathbb{Z}_q and secret s = Q(0), and chooses a generator g of the subgroup. The dealer broadcasts commitments to the coefficients as C_0 = g^s, C_j = g^{a_j} for j = 1 to t, all in the subgroup. These commitments are perfectly binding and computationally hiding under the discrete logarithm assumption, as recovering s or the a_j from the commitments requires solving the discrete logarithm problem.[21]
Verification proceeds non-interactively: the dealer privately sends share \sigma_i = Q(i) \mod q to participant P_i (identified by public value i \in \{1, \dots, n\}). Participant P_i checks the linear relation
g^{\sigma_i} \stackrel{?}{=} \prod_{j=0}^t C_j^{i^j} \mod p.
This equation holds if \sigma_i matches the committed polynomial, confirming the share's validity without exposing other shares or coefficients. Failed verifications indicate a cheating dealer, allowing the protocol to abort.[21]
The hiding property safeguards the secret, as an adversary with at most t shares or the commitments cannot compute s due to the hardness of discrete logarithms. The binding property ensures the dealer cannot equivocate by providing inconsistent shares, as any mismatch fails the verification checks. During reconstruction, at least t+1 participants broadcast their verified shares \sigma_k. Each broadcast share is publicly verified using the commitments via the same relation g^{\sigma_k} \stackrel{?}{=} \prod_{j=0}^t C_j^{k^j} \mod p; invalid contributions from cheaters are rejected. The remaining valid shares then enable Lagrange interpolation to recover s = Q(0), with the commitments facilitating detection of dishonesty without compromising efficiency.[21]
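The share check can be exercised on toy parameters in Python (the small subgroup p = 23, q = 11, g = 4 and the fixed coefficients are purely illustrative; real deployments use cryptographically large groups and randomly chosen coefficients):

# Toy Schnorr group: q | p - 1, and g generates the order-q subgroup of Z_p^*.
p, q, g = 23, 11, 4
t = 2                     # threshold: degree of the sharing polynomial
coeffs = [7, 3, 9]        # Q(x) = 7 + 3x + 9x^2 over Z_q; secret s = Q(0) = 7
C = [pow(g, a, p) for a in coeffs]   # broadcast commitments C_j = g^{a_j}

def share(i: int) -> int:
    return sum(a * pow(i, j, q) for j, a in enumerate(coeffs)) % q

def verify_share(i: int, sigma: int) -> bool:
    # Check g^sigma == prod_j C_j^(i^j) mod p; exponents reduce mod q (group order).
    rhs = 1
    for j, Cj in enumerate(C):
        rhs = rhs * pow(Cj, pow(i, j) % q, p) % p
    return pow(g, sigma, p) == rhs

for i in range(1, 6):
    assert verify_share(i, share(i))
assert not verify_share(1, (share(1) + 1) % q)   # a tampered share is caught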
Constructions
Random Oracle Model
In the random oracle model (ROM), cryptographic hash functions are idealized as random oracles: publicly queryable functions that, on distinct inputs, output uniformly random and independent values from their range.[22] This model facilitates proofs of security for protocols relying on hash functions by abstracting away implementation details. A canonical bit commitment scheme in the ROM uses this idealization to achieve both hiding and binding properties through a simple protocol.
The protocol operates as follows: Given a security parameter \lambda, to commit to a bit b \in \{0,1\}, the committer selects a random string r \leftarrow \{0,1\}^\lambda and computes the commitment c = H(r \| b), where H is the random oracle and \| denotes concatenation; c is then sent to the receiver. To reveal the commitment (decommit), the committer sends b and r, and the receiver verifies by recomputing H(r \| b) and checking equality with c. If verification passes, b is accepted as the committed value. This construction ensures the commitment is non-interactive and efficient, requiring only oracle evaluations.[9]
The scheme provides computational binding, stemming from the collision resistance of the random oracle: It is infeasible for a computationally bounded adversary to produce a commitment c that opens to two distinct bits b_0 \neq b_1 via pairs (r_0, b_0) and (r_1, b_1) such that H(r_0 \| b_0) = H(r_1 \| b_1) = c. The success probability is at most O(q^2 / 2^\lambda), where q is the adversary's number of oracle queries (polynomially bounded in \lambda), which is negligible. Hiding is statistical: for any fixed b, the commitment c is distributed uniformly unless the adversary queries the oracle on the exact input r \| b, an event of probability at most q / 2^\lambda, so the distinguishing advantage is negligible. The scheme thus realizes the standard security notions of commitment protocols in this idealized setting.[9]
A sketch of the hiding proof proceeds by hybrid argument: Consider a modified oracle that outputs a fixed value (say, all zeros) on the committed input r \| b while behaving randomly elsewhere; the real and modified worlds are indistinguishable except if the adversary queries exactly r \| b (the "hit" event), which occurs with probability at most q / 2^\lambda. In the modified world, c is independent of b, yielding perfect hiding; by hybrid indistinguishability, the real scheme inherits near-perfect hiding. Binding follows directly from the oracle's collision probability, bounded by the birthday paradox.[9]
While the ROM yields clean security proofs, it remains a heuristic tool: Replacing the ideal oracle with a concrete hash function (e.g., SHA-256) does not guarantee preservation of security, as there exist schemes secure in the ROM but insecure in the standard model upon instantiation.[23]
One-Way Permutations
A foundational bit-commitment scheme relies on the existence of a one-way permutation f: \{0,1\}^n \to \{0,1\}^n together with a hard-core predicate h_c for f (by the Goldreich-Levin theorem, every one-way permutation has one), yielding a perfectly binding and computationally hiding protocol. To commit to a bit b \in \{0,1\}, the sender selects a random x \leftarrow \{0,1\}^n and sends the commitment c = (f(x), h_c(x) \oplus b) to the receiver. To reveal, the sender transmits b and x; the receiver checks that the first component of c equals f(x) and that the second equals h_c(x) \oplus b. This protocol is non-interactive in the commitment phase and ensures the receiver can verify the opening unambiguously.[24]
The binding property is perfect: because f is a permutation, the first component f(x) uniquely determines x, which in turn determines h_c(x) and hence the only bit b consistent with the second component; not even an unbounded sender can open c to both bits. The hiding property is computational: given f(x), the bit h_c(x) is indistinguishable from random by the definition of a hard-core predicate, so the mask h_c(x) \oplus b leaks nothing about b to an efficient receiver.[24]
The formal proof of hiding proceeds by reduction to the hard-core property. Suppose an efficient adversary \mathcal{A} distinguishes commitments to 0 from commitments to 1 with advantage \delta(n). A predictor, given f(x), chooses a random bit \beta and runs \mathcal{A} on the pair (f(x), \beta); if \mathcal{A} outputs 0, the predictor guesses h_c(x) = \beta, and otherwise guesses h_c(x) = \beta \oplus 1. This predicts the hard-core bit with advantage \delta(n), which would in turn yield an efficient inverter for f; hence \delta(n) must be negligible. Binding follows directly from the bijectivity of f, independent of any computational assumption.[24]
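A toy Python sketch of this construction uses modular exponentiation with a primitive root as the permutation and the Goldreich-Levin inner product as the hard-core predicate (both choices and the tiny parameters are illustrative only; any one-way permutation with a hard-core predicate would do):

import random

# Toy parameters (insecure): f(x) = 5^x mod 23 is a genuine bijection from
# {0, ..., 21} onto {1, ..., 22}, since 5 is a primitive root mod 23.
p, g = 23, 5

def f(x: int) -> int:
    return pow(g, x, p)

def hc(x: int, s: int) -> int:
    # Goldreich-Levin hard-core predicate: inner product <x, s> mod 2.
    return bin(x & s).count("1") & 1

def commit(b: int):
    x = random.randrange(p - 1)
    s = random.randrange(1, 32)          # public random mask for the predicate
    return (f(x), s, hc(x, s) ^ b), x    # commitment and its opening

def verify(c, b: int, x: int) -> bool:
    y, s, masked = c
    return f(x) == y and (hc(x, s) ^ b) == masked

c, x = commit(1)
assert verify(c, 1, x)
assert not verify(c, 0, x)   # perfect binding: no opening to the other bit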
This bit-commitment scheme extends to committing to strings of length \ell by independently committing to each bit using fresh random x_i for i = 1 to \ell, and concatenating the individual commitments into a single c = c_1 \| \cdots \| c_\ell. Openings are performed component-wise, preserving perfect binding and computational hiding under the same assumptions, with the hiding loss growing at most linearly in \ell by a standard hybrid argument. The overall communication cost is O(\ell n) bits.[24]
Pseudo-Random Generators
A commitment scheme can be constructed from any pseudorandom generator (PRG) that stretches an n-bit seed to a 3n-bit output string. In this protocol, due to Naor, the receiver first generates and sends a random 3n-bit string R = (r_1, \dots, r_{3n}) to the committer, where each r_i \in \{0,1\}. The committer, aiming to commit to a bit b \in \{0,1\}, selects a random n-bit seed s and computes the PRG output B(s) = (B_1(s), \dots, B_{3n}(s)), where B: \{0,1\}^n \to \{0,1\}^{3n} is the PRG. The commitment string d = (d_1, \dots, d_{3n}) is then formed as d_i = B_i(s) if r_i = 0, and d_i = B_i(s) \oplus b if r_i = 1. The committer sends d to the receiver. To reveal, the committer sends s and b; the receiver verifies that d_i = B_i(s) for all i with r_i = 0, and d_i = B_i(s) \oplus b for all i with r_i = 1, accepting b if consistent.[24]
The scheme achieves computational hiding because the commitment d is computationally indistinguishable for b = 0 and b = 1. When b = 0, d = B(s), which is pseudorandom; when b = 1, d equals B(s) with the bits at positions where r_i = 1 flipped, i.e., d = B(s) \oplus R. If B(s) were replaced by a truly uniform 3n-bit string, d would be uniform in both cases and b would be perfectly hidden; hence any distinguisher between commitments to 0 and to 1 yields a distinguisher between B(s) and a uniform string, contradicting the pseudorandomness of the PRG. Thus, no polynomial-time adversary can distinguish the distributions with non-negligible advantage.[24]
The scheme provides statistical binding, ensuring the committer cannot open d to both bits except with negligible probability over the receiver's choice of R. To violate binding, the committer would need two seeds s_0, s_1 such that B_i(s_0) = B_i(s_1) for all i with r_i = 0, and B_i(s_0) = B_i(s_1) \oplus 1 for all i with r_i = 1; equivalently, B(s_0) \oplus B(s_1) = R. Each of the at most 2^{2n} seed pairs is therefore ambiguous for exactly one value of R, while R is uniform over 2^{3n} possibilities, so the probability that any ambiguous pair exists is at most 2^{2n} / 2^{3n} = 2^{-n}. Binding thus holds even against an unbounded committer, except with probability 2^{-n}.[24]
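A Python sketch of Naor's protocol, with SHA-256 in counter mode standing in for the PRG (a heuristic substitute; any pseudorandom generator stretching n bits to 3n bits suffices, and the byte-level XOR below flips exactly the bit positions where R is 1):

import os
import hashlib

n = 16  # seed length in bytes (illustrative); the PRG output is 3n bytes

def prg(seed: bytes) -> bytes:
    # Stand-in PRG: expand the seed to 3n bytes via SHA-256 in counter mode.
    out = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(2))
    return out[: 3 * n]

# Receiver: choose and send a random 3n-byte string R.
R = os.urandom(3 * n)

def commit(b: int, seed: bytes) -> bytes:
    # d = B(s) for b = 0; d = B(s) XOR R for b = 1 (flip where R's bits are 1).
    stream = prg(seed)
    return stream if b == 0 else bytes(x ^ y for x, y in zip(stream, R))

def verify(d: bytes, b: int, seed: bytes) -> bool:
    return d == commit(b, seed)

seed = os.urandom(n)
d = commit(1, seed)
assert verify(d, 1, seed)
assert not verify(d, 0, seed)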
This construction demonstrates that bit commitments exist if pseudorandom generators exist, and since PRGs can be built from any one-way function, commitments follow from the minimal assumption of one-way functions (a weaker condition than one-way permutations, which enable direct constructions without PRGs). The seminal result establishing PRGs from arbitrary one-way functions uses a multi-stage stretching process to amplify security, confirming the broad applicability of this approach.[25]
Discrete Logarithm
The Pedersen commitment scheme, proposed by Torben P. Pedersen in 1991 as part of a verifiable secret sharing protocol, constructs a commitment mechanism based on the hardness of the discrete logarithm problem in a cyclic multiplicative group G of prime order q. The scheme assumes the existence of two group generators g and h, where the discrete logarithm \log_g h is computationally infeasible to compute. To commit to a message m \in \mathbb{Z}_q, the committer selects a random blinding factor r \in \mathbb{Z}_q and computes the commitment as a single group element c = g^m \cdot h^r \mod p, where p is the modulus defining G. The commitment phase outputs c, while the reveal phase discloses m and r to allow verification.[26]
Verification of the opening is straightforward and deterministic: the receiver checks whether c = g^m \cdot h^r \mod p. If the equation holds, the opening is accepted as valid. This protocol ensures efficient computation and constant-size commitments, making it suitable for applications requiring non-interactive commitments in discrete logarithm-based settings. The choice of h as a generator independent of g (in the sense that their discrete logarithm is hidden) is crucial for the security properties.[26]
The scheme provides perfect (information-theoretic) hiding: for any fixed m, the distribution of c is uniform over the subgroup generated by g, as the random r blinds the commitment completely, revealing no information about m even to an unbounded adversary. In contrast, the binding property is computational: it is infeasible for a probabilistic polynomial-time adversary to find two valid openings (m, r) and (m', r') with m \neq m' such that g^m \cdot h^r = g^{m'} \cdot h^{r'}, because any such collision would enable computation of the discrete logarithm \log_g h = (m - m') / (r' - r). This reduction establishes binding security under the standard discrete logarithm assumption.[27]
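The scheme can be exercised in Python over a toy Schnorr group (illustrative, insecure parameters; in practice the group is large and h is generated so that \log_g h is unknown to the committer):

import random

# Toy group: q | p - 1; g and h generate the order-q subgroup of Z_p^*.
p, q = 23, 11
g, h = 4, 9   # log_g h must be unknown to the committer; here it is simply not retained

def commit(m: int) -> tuple[int, int]:
    r = random.randrange(q)                      # blinding factor
    return pow(g, m, p) * pow(h, r, p) % p, r

def verify(c: int, m: int, r: int) -> bool:
    return c == pow(g, m, p) * pow(h, r, p) % p

c, r = commit(5)
assert verify(c, 5, r)
assert not verify(c, 6, r)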
The construction generalizes naturally to any finite cyclic group where the discrete logarithm problem is believed to be hard, including elliptic curve groups over finite fields, which offer improved efficiency due to smaller key sizes while maintaining equivalent security levels. For instance, implementations often use secp256k1 or BLS12-381 curves for practical deployments. This flexibility has made the scheme a foundational primitive in cryptographic protocols relying on discrete logarithm-based assumptions.[26]
RSA Assumption
A commitment scheme based on the RSA assumption provides perfect hiding with computational binding, inverting the security properties of schemes based on the discrete logarithm assumption. In this construction, the receiver generates an RSA modulus N = pq where p and q are large primes, selects a prime exponent e > N (ensuring \gcd(e, \phi(N)) = 1), and chooses a random \mu \in \mathbb{Z}_N^*. The public parameters are (N, e, \mu).[28]
To commit to a value x (viewed as an element of \mathbb{Z}_e), the sender selects a random r \in \mathbb{Z}_N^* and computes the commitment c = \mu^x \cdot r^e \mod N. The sender sends c to the receiver and later reveals x and r during the opening phase. The receiver verifies the opening by checking that x \in \mathbb{Z}_e and c \equiv \mu^x \cdot r^e \pmod{N}. This protocol is a variant attributed to Fujisaki and Okamoto, adapted to leverage the RSA structure for bit or small integer commitments.[29][28]
The hiding property is perfect because the map r \mapsto r^e \mod N is a bijection on \mathbb{Z}_N^* (due to \gcd(e, \phi(N)) = 1), making r^e uniformly random in \mathbb{Z}_N^* regardless of x. Thus, c is uniformly distributed in \mathbb{Z}_N^* for any fixed x, revealing no information about the committed value even to an unbounded adversary.[28]
Binding is computational: if the sender can open the same c to two different values x \neq x', then \mu^{x - x'} \equiv (r'/r)^e \pmod{N}, allowing computation of an e-th root modulo N (solving the RSA problem). This breaks the RSA assumption, which posits that given (N, e) and y \in \mathbb{Z}_N^*, computing z such that z^e \equiv y \pmod{N} is hard without the factorization of N. The verification equation is:
c \equiv \mu^x \cdot r^e \pmod{N}
This trade-off complements discrete logarithm-based schemes, which typically offer perfect binding but only computational hiding.[28]
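An illustrative Python sketch with tiny, insecure parameters (N = 11 * 19 and the prime e = 211 > N are chosen only so the arithmetic is easy to follow; real moduli are 2048 bits or more):

import math
import random

N, e, mu = 209, 211, 2   # toy public parameters generated by the receiver

def commit(x: int) -> tuple[int, int]:
    # c = mu^x * r^e mod N for a random r in Z_N^*.
    while True:
        r = random.randrange(1, N)
        if math.gcd(r, N) == 1:
            break
    return pow(mu, x, N) * pow(r, e, N) % N, r

def verify(c: int, x: int, r: int) -> bool:
    return 0 <= x < e and c == pow(mu, x, N) * pow(r, e, N) % N

c, r = commit(42)
assert verify(c, 42, r)
assert not verify(c, 43, r)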
Homomorphic Commitments
Homomorphic commitments extend standard commitment schemes by allowing algebraic operations on committed values without revealing the underlying messages, preserving the core security properties of hiding and binding. These properties enable computations in cryptographic protocols where participants interact with committed data directly, such as aggregating values while maintaining confidentiality. Seminal constructions rely on algebraic structures like cyclic groups, where the homomorphism arises from group operations.[30]
A prominent example of an additively homomorphic commitment is the Pedersen scheme, introduced in the context of verifiable secret sharing. In this scheme, commitments are formed in a cyclic group of prime order q generated by g, with an additional generator h = g^\alpha whose discrete logarithm \alpha must remain unknown to the committer (e.g., h is produced by a trusted setup or derived from a common reference string), since knowledge of \alpha would allow equivocation and break binding. To commit to a message m \in \mathbb{Z}_q, the committer selects a random r \in \mathbb{Z}_q and computes C(m, r) = g^m h^r. The additive homomorphism satisfies:
C(m_1, r_1) \cdot C(m_2, r_2) = g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1 + m_2} h^{r_1 + r_2} = C(m_1 + m_2, r_1 + r_2),
allowing the combination of two commitments to yield a valid commitment to the sum of the messages with the sum of the openings. This property holds under the discrete logarithm assumption, ensuring computational binding and perfect hiding. The homomorphism does not compromise security, as the binding relies on the hardness of extracting discrete logs, while hiding follows from the uniform distribution of h^r independent of m.[4][31]
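The homomorphism can be checked directly in Python, reusing the toy parameters from the Pedersen sketch in the Discrete Logarithm section (message and randomness sums reduce mod q, the group order):

p, q, g, h = 23, 11, 4, 9   # toy parameters as before

def commit(m: int, r: int) -> int:
    return pow(g, m, p) * pow(h, r, p) % p

m1, r1, m2, r2 = 3, 5, 6, 2
# The product of two commitments is a commitment to the sums.
assert commit(m1, r1) * commit(m2, r2) % p == commit((m1 + m2) % q, (r1 + r2) % q)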
Multiplicative homomorphic commitments, often derived from ElGamal-based constructions, enable multiplication or exponentiation on committed values. In an ElGamal-style commitment over a cyclic group with generator g and public key h = g^x for secret x, committing to m involves choosing random r and outputting (g^r, h^r \cdot g^m). The multiplicative property allows operations such as raising the commitment to a power: [C(m, r)]^k = C(k \cdot m, k \cdot r), or combining components multiplicatively to commit to products in appropriate settings. These schemes achieve computational hiding and perfect binding, with the homomorphism preserving security by inheriting the decisional Diffie-Hellman assumption from the underlying ElGamal encryption paradigm.[31][32]
Such homomorphic properties find critical applications in secure multi-party computation (MPC), where parties can perform additions or multiplications on committed inputs to compute functions like sums or products without decryption. For instance, in committed MPC protocols, additively homomorphic commitments ensure input consistency and output verifiability by allowing linear combinations during the computation phase, reducing communication overhead while upholding malicious security. The preservation of hiding prevents leakage during these operations, and binding ensures no party can alter committed values post-homomorphic combination, making these schemes foundational for efficient, privacy-preserving distributed protocols.[30][33]
Partial and Structured Commitments
Vector Commitments
Vector commitments are a cryptographic primitive that generalize standard commitment schemes to ordered sequences of values, enabling a committer to bind to a vector \mathbf{v} = (v_1, \dots, v_n) while permitting selective disclosure of individual elements at chosen positions i, verified against the commitment without revealing the entire vector.[34]
In the basic protocol, the commitment is formed by applying a collision-resistant hash function H to the concatenation of the vector elements, yielding C = H(v_1 || \dots || v_n), though this naive approach requires revealing the full vector for any verification; for efficient partial openings, a Merkle-like tree is constructed with hashed elements as leaves, and the root hash serves as the compact commitment C.[34][35]
Partial revelation at position i involves providing the value v_i along with a proof of inclusion, such as an authentication path in the Merkle-like structure, which allows a verifier to recompute the commitment root and confirm consistency without accessing unrevealed elements.[34]
The binding property holds due to the collision resistance of H, ensuring the committer cannot open conflicting values at the same position after committing, while hiding protects unrevealed positions by relying on the one-wayness or random oracle model behavior of the hash function.[34]
These schemes are efficient for large-scale vectors in blockchain systems and data availability protocols, where they enable succinct proofs for verifying specific data portions without full storage, as utilized in Filecoin's Proof of Replication for storage integrity.[34]
Merkle Trees
A Merkle tree provides a concrete construction for vector commitments using a binary hash tree, allowing a committer to bind to an ordered sequence of values while enabling efficient partial openings. Originally proposed by Ralph Merkle in 1987 as part of a digital signature scheme, it structures data hierarchically to support verification of individual elements with logarithmic proof sizes.[36]
In the construction, the leaves of the tree correspond to the vector elements \vec{v} = (v_1, \dots, v_n), typically for n = 2^k to form a complete binary tree; each leaf is often prefixed with its index or hashed individually for domain separation. Internal nodes are computed recursively by hashing the concatenation of their child nodes using a collision-resistant hash function H, with the root serving as the commitment C. This yields the equation for the root h:
h = H(\text{left} \parallel \text{right})
applied bottom-up from the leaves to the root. The commitment size is constant, independent of n.[34]
To open position i to value v_i, the committer reveals v_i along with the authentication path: the sequence of sibling hashes from the leaf at i to the root. The verifier recomputes the root by iteratively hashing v_i (or H(v_i)) with the provided siblings and confirms it matches C; this process requires O(\log n) hashes and proof size.[34]
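A compact Python implementation of this build/prove/verify cycle follows (the 0x00/0x01 leaf and node prefixes are a common domain-separation choice, not mandated by the construction; n is assumed to be a power of two):

import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build(leaves: list[bytes]) -> list[list[bytes]]:
    # Level 0 holds the hashed leaves; each higher level hashes sibling pairs.
    levels = [[H(b"\x00" + v) for v in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"\x01" + prev[i] + prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels

def prove(levels, i: int) -> list[bytes]:
    # Authentication path: the sibling hash at each level from leaf to root.
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i //= 2
    return path

def verify(root: bytes, i: int, v: bytes, path: list[bytes]) -> bool:
    node = H(b"\x00" + v)
    for sib in path:
        node = H(b"\x01" + node + sib) if i % 2 == 0 else H(b"\x01" + sib + node)
        i //= 2
    return node == root

levels = build([b"a", b"b", b"c", b"d"])
root = levels[-1][0]
assert verify(root, 2, b"c", prove(levels, 2))
assert not verify(root, 2, b"x", prove(levels, 2))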
The scheme achieves computational binding via the collision resistance of H, making it infeasible for an adversary to produce two different values opening to the same root at the same position (except with negligible probability under the collision-resistance assumption). Hiding, however, does not follow from one-wayness alone: a guessed leaf value can be checked against its authentication path, so hiding variants hash each leaf together with a fresh random nonce that is revealed only upon opening. Position binding ensures that openings at the same index cannot yield conflicting values. For size-hiding, the construction can incorporate randomization by padding the vector to a fixed power-of-two length with random dummies and permuting indices before tree building, concealing the true vector length from the root.[34][37]
Merkle trees find prominent application in blockchain light clients, such as Bitcoin's simplified payment verification (SPV) mode, where clients verify transaction inclusion by obtaining a Merkle proof against the block header's root without downloading full blocks, enabling resource-constrained devices to interact with the network securely.
Polynomial Commitments
Polynomial commitments are cryptographic primitives that enable a prover to commit to a low-degree polynomial over a field while allowing efficient verification of evaluations at arbitrary points without revealing the full polynomial. These schemes are essential for succinct proof systems, such as those in zero-knowledge SNARKs, where proofs of polynomial evaluations must be compact and verifiable quickly. Unlike general vector commitments, polynomial commitments exploit the algebraic structure of polynomials to achieve sublinear proof sizes and verification times, typically constant in the degree.
The Kate–Zaverucha–Goldberg (KZG) scheme, introduced in 2010, is a foundational pairing-based construction for polynomial commitments. It relies on a trusted setup to generate a structured reference string (SRS) consisting of group elements g, g^\alpha, g^{\alpha^2}, \dots, g^{\alpha^d} in a bilinear group \mathbb{G}_1, where g is a generator, \alpha is a secret scalar, and d bounds the maximum polynomial degree. To commit to a polynomial P(X) = \sum_{i=0}^d p_i X^i of degree at most d, the committer computes the commitment c = g^{P(\alpha)} = \prod_{i=0}^d (g^{\alpha^i})^{p_i}. This commitment is constant-sized, independent of d, and hides the polynomial under the discrete logarithm assumption.[38]
To open the commitment at a point x, revealing P(x), the prover computes the quotient polynomial Q(Y) = \frac{P(Y) - P(x)}{Y - x}, which has degree at most d-1, and generates the proof \pi = g^{Q(\alpha)}. Verification proceeds using the bilinear pairing e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T, where the SRS also provides h and h^\alpha for h a generator of \mathbb{G}_2, from which the verifier computes h^{\alpha - x} = h^\alpha \cdot h^{-x}. The verifier checks the equation
e(c, h) = e(\pi, h^{\alpha - x}) \cdot e(g, h)^{P(x)},
which holds by bilinearity since the left side is e(g, h)^{P(\alpha)} and the right side expands to e(g, h)^{Q(\alpha) \cdot (\alpha - x) + P(x)} = e(g, h)^{P(\alpha)}. This pairing check is efficient, requiring constant time.[38]
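Full pairing arithmetic requires specialized libraries, but the polynomial identity underlying the opening proof, P(Y) - P(x) = Q(Y)(Y - x), can be checked directly over a toy prime field in Python (the field size 97 and the example polynomial are arbitrary; synthetic division computes Q):

P_MOD = 97  # toy prime field

def poly_eval(coeffs, x):
    # Horner evaluation of P(X) = sum_i coeffs[i] X^i mod P_MOD.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P_MOD
    return acc

def quotient(coeffs, x):
    # Synthetic division by (Y - x): Q has degree deg(P) - 1.
    q = [0] * (len(coeffs) - 1)
    carry = 0
    for i in range(len(coeffs) - 1, 0, -1):
        carry = (coeffs[i] + carry * x) % P_MOD
        q[i - 1] = carry
    return q

coeffs = [3, 1, 4, 1, 5]   # P(X) = 3 + X + 4X^2 + X^3 + 5X^4
x = 7
q = quotient(coeffs, x)
for y in range(P_MOD):
    lhs = (poly_eval(coeffs, y) - poly_eval(coeffs, x)) % P_MOD
    rhs = poly_eval(q, y) * (y - x) % P_MOD
    assert lhs == rhs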
The security of the KZG scheme derives from the d-strong Diffie-Hellman (SDH) assumption in pairing groups for binding, ensuring no two distinct polynomials can be opened against the same commitment, and the discrete logarithm assumption for hiding. Stronger extractability guarantees are typically argued under knowledge-of-exponent-type assumptions, which posit that any adversary producing a valid commitment must "know" a polynomial explaining it as a combination of the SRS elements. As a special case, polynomial commitments subsume vector commitments by interpreting vector entries as evaluations of the polynomial at fixed points.[38]
Recent extensions have explored multilinear variants of polynomial commitments, adapting bilinear constructions to multilinear maps or towers of extensions for polynomials over small fields, as presented at Eurocrypt 2025.[39]
Advanced Variants
Quantum Commitments
Quantum bit commitment schemes leverage quantum mechanics to achieve potentially information-theoretic security in committing to a bit, extending classical commitments by using qubits for the hiding phase. Unlike classical schemes, quantum versions face fundamental obstacles due to quantum principles. In 1997, Dominic Mayers proved that unconditionally secure quantum bit commitment is impossible, showing that the committer can always cheat by exploiting entanglement and the reversibility of quantum operations.
The no-go theorem arises from the properties of entanglement rather than from any single protocol flaw. Specifically, the committer can purify her actions by preparing an entangled state, sending one subsystem to the receiver while keeping the other; if the protocol is perfectly hiding, the receiver's states for the two bits are indistinguishable, and the committer can later apply a local unitary to her subsystem (an application of Uhlmann's theorem on purifications) to steer the joint state toward either bit, effectively choosing the committed value after the commit phase without detection. The attack shows the two properties cannot both hold unconditionally: perfect hiding (the receiver cannot distinguish commitments) necessarily gives the committer a strategy to break binding (change her mind undetected). A comprehensive review confirms this impossibility holds for all quantum protocols without additional assumptions.[40]
Despite the impossibility of perfect quantum bit commitment, conditional constructions provide security under specific physical constraints. In the noisy storage model, protocols are secure assuming the adversary's quantum memory is imperfect and introduces noise during storage, limiting the committer's ability to preserve entangled states faithfully. Wehner et al. demonstrated in 2008 that bit commitment and related primitives like oblivious transfer can be realized in this model, with security proofs against general attacks. Experimental implementations have validated these protocols using imperfect quantum memories.
Relativistic quantum bit commitment schemes, developed in the 2010s, enforce security via timing constraints imposed by the speed of light, preventing cheating strategies that require simultaneous actions at distant locations. These protocols involve multiple parties or locations to create causal separation, ensuring the committer cannot measure or manipulate states in time to alter the commitment. Kent's foundational work in 1999 laid the groundwork, with practical variants emerging later, such as those achieving 24-hour commitment times through distributed quantum communication.
A representative protocol example for the hiding phase in quantum bit commitment uses the quantum one-time pad for concealment. The committer Alice encodes her bit b by preparing the state |b\rangle and applying random Pauli operators: X^{r} Z^{s} |b\rangle, where r, s \in \{0,1\} are secret bits, then sends the encoded qubit to the receiver Bob. For binding and reveal, Alice later discloses r and s, allowing Bob to apply the inverse Z^{s} X^{r} and measure in the computational basis to recover b. While this ensures hiding via the randomness of the pad, the binding relies on measurement collapse; however, without assumptions like noisy storage, entanglement attacks violate binding as per Mayers' no-go.[40] In conditional settings, such as noisy storage, the protocol's security is preserved if Bob's storage degrades the necessary entanglement.
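A toy numerical check of this encode/decode cycle with 2x2 Pauli matrices (pure simulation in Python with NumPy; a real protocol transmits physical qubits):

import numpy as np

X = np.array([[0.0, 1.0], [1.0, 0.0]])   # Pauli X
Z = np.array([[1.0, 0.0], [0.0, -1.0]])  # Pauli Z

def encode(b: int, r: int, s: int) -> np.ndarray:
    # Alice: prepare |b> and apply X^r Z^s.
    ket = np.array([1.0, 0.0]) if b == 0 else np.array([0.0, 1.0])
    return np.linalg.matrix_power(X, r) @ np.linalg.matrix_power(Z, s) @ ket

def decode(state: np.ndarray, r: int, s: int) -> int:
    # Bob: apply the inverse Z^s X^r, then measure in the computational basis.
    ket = np.linalg.matrix_power(Z, s) @ np.linalg.matrix_power(X, r) @ state
    return int(abs(ket[1]) > abs(ket[0]))

for b in (0, 1):
    for r in (0, 1):
        for s in (0, 1):
            assert decode(encode(b, r, s), r, s) == b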
Physical Unclonable Functions
Physical unclonable functions (PUFs) are hardware-based primitives that exploit manufacturing variations in physical devices to generate unique, unpredictable responses to specific challenges, serving as a foundation for commitment schemes in hardware-entrusted cryptography. Introduced in the early 2000s, PUFs operate as mappings from challenges to responses where the output depends on inherent randomness in the device's microstructure, such as silicon delays or optical scattering patterns, making exact replication infeasible even with identical blueprints. For instance, silicon PUFs measure timing differences in circuit paths, while optical PUFs analyze speckle patterns from laser illumination through embedded particles. These properties enable PUFs to function as tamper-evident identifiers without storing secret keys, relying instead on the device's physical uniqueness.
In commitment protocols using PUFs, the committer selects a random challenge c and computes the response r = \text{PUF}(c), then binds the message m (e.g., a bit b) to this pair, often via XOR or hashing, to form the commitment \text{commit}(m) = (c \oplus f(m), r), where f is a one-way function; the PUF device or auxiliary data is transferred to the receiver. During revelation, the committer provides m and helper information to allow verification of r against the PUF evaluation on the derived challenge, accounting for minor noise in responses due to environmental factors. This setup ensures the commitment is hardware-bound, with protocols often requiring the physical transfer or controlled access to the PUF to prevent simulation.
The security of PUF-based commitments derives from the device's uniqueness for binding—preventing the committer from altering m post-commitment, as alternative responses for the same challenge are unpredictable with probability at most 2^{-\lambda} for security parameter \lambda—and from challenge randomness for hiding, ensuring the receiver learns nothing about m before opening. In the universal composability framework, these properties hold statistically against malicious PUFs under assumptions of tamper-evidence and restricted access, with binding achieved via the PUF's unclonability even in noisy models where response errors are bounded (e.g., Hamming distance less than a threshold). Unlike quantum settings facing fundamental no-go theorems for unconditionally secure commitments, PUF protocols provide practical classical alternatives through hardware trust.
Applications of PUF-based commitments emerged in the 2000s for device authentication, where a device commits to its identity via a PUF response, enabling secure key exchange without pre-shared secrets, and for tamper-proof storage in supply chains or IoT, ensuring data integrity against physical modifications. These schemes support oblivious transfer and zero-knowledge proofs in secure multiparty computation, particularly in resource-constrained environments.
Limitations include vulnerability to physical attacks, such as invasive probing to extract challenge-response pairs or modeling attacks that approximate the PUF function using machine learning on observed pairs, potentially breaking binding after querying O(2^{\lambda/2}) responses. Noise in responses necessitates error-correcting codes, increasing overhead, and protocols assume honest PUF generation, failing if adversaries control manufacturing.
Post-Quantum Commitments
Post-quantum commitment schemes provide security against quantum adversaries, relying on mathematical problems believed to be hard even for quantum computers, such as those derived from lattice problems. These schemes address the vulnerabilities of classical commitments based on discrete logarithm or RSA assumptions, which can be broken by quantum algorithms like Shor's. Lattice-based constructions, in particular, form a cornerstone of post-quantum cryptography due to their versatility and efficiency in various protocols.[41]
A prominent approach to lattice-based commitments uses the Learning With Errors (LWE) problem, where commitments are often constructed via trapdoor sampling to ensure hiding properties while maintaining binding through the hardness of lattice problems. For instance, efficient additively homomorphic commitment schemes can be built from structured lattice assumptions like the Short Integer Solution (SIS) problem, allowing configurable security as either statistically binding and computationally hiding or vice versa. These schemes achieve practical efficiency, with proof sizes reduced by a factor of approximately 4 and commitment sizes by a factor of approximately 6 compared to prior lattice constructions. Another example is a commitment scheme based on the Short Pad Learning With Errors (spLWE) assumption, which provides post-quantum security with statistical binding and computational hiding.[42][43]
Recent advancements include the Greyhound scheme, the first concretely efficient polynomial commitment scheme from standard lattice assumptions, enabling proofs for polynomial evaluations of degree up to 2^{20} with proof sizes of just 1 KB and sublinear verifier runtime. Greyhound supports three-round protocols for bounded-degree polynomials and integrates with systems like LaBRADOR for succinct zero-knowledge proofs, making it suitable for post-quantum applications requiring compact verification. In blockchain contexts, lattice-based key-value commitment schemes address scalability by aggregating transaction values across chains, enabling secure cross-chain data sharing under module-LWE assumptions without growing commitment sizes with the number of keys.[44][45]
These schemes inherit quantum resistance from underlying lattice assumptions like LWE and SIS, which lack efficient quantum algorithms for solution. Variants offer statistical binding for unconditional security against computationally bounded adversaries or statistical hiding for information-theoretic privacy, configurable based on the protocol needs. For example, spLWE-based commitments achieve statistical binding while remaining computationally hiding against quantum attacks.[41][43]
Emerging work in 2025 has introduced group action-based frameworks for commitments, using re-randomization and randomness extraction to construct perfectly hiding or binding schemes from non-commutative group actions, instantiated post-quantum via the Lattice Isomorphism Problem (LIP). These support dual-mode and homomorphic properties, repairing prior code-based schemes and enabling advanced applications like blind signatures. Additionally, post-quantum commitments tailored for multi-party computation (MPC) emphasize integration with MPC protocols for long-term security, analyzing how lattice-based variants enhance privacy in distributed settings against quantum adversaries. Furthermore, a July 2025 analysis examined the post-quantum security of Bitcoin's Taproot as a commitment scheme, highlighting its vulnerabilities to quantum attacks and potential mitigations.[46][47][48]