A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.[1] Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.
A way to visualize a commitment scheme is to think of a sender as putting a message in a locked box, and giving the box to a receiver. The message in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the message inside cannot be changed - merely revealed if the sender chooses to give them the key at some later time.
Interactions in a commitment scheme take place in two phases:
In the above metaphor, the commit phase is the sender putting the message in the box, and locking it. The reveal phase is the sender giving the key to the receiver, who uses it to open the box and verify its contents. The locked box is the commitment, and the key is the proof.
In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is called the commitment. It is essential that the specific value chosen cannot be extracted from the message by the receiver at that time (this is called the hiding property). A simple reveal phase would consist of a single message, the opening, from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called the binding property).
The concept of commitment schemes was perhaps first formalized by Gilles Brassard, David Chaum, and Claude Crépeau in 1988,[2] as part of various zero-knowledge protocols for NP, based on various types of commitment schemes.[3] [4] But the concept was used prior to that without being treated formally.[5] [6] The notion of commitments appeared earliest in works by Manuel Blum,[7] Shimon Even,[8] and Adi Shamir et al.[9] The terminology seems to have been originated by Blum, although commitment schemes can be interchangeably called bit commitment schemes—sometimes reserved for the special case where the committed value is a bit. Earlier to that, commitment via one-way hash functions was considered, e.g., as part of, say, Lamport signature, the original one-time one-bit signature scheme.
Suppose Alice and Bob want to resolve some dispute via coin flipping. If they are physically in the same place, a typical procedure might be:
If Alice and Bob are not in the same place a problem arises. Once Alice has "called" the coin flip, Bob can stipulate the flip "results" to be whatever is most desirable for him. Similarly, if Alice doesn't announce her "call" to Bob, after Bob flips the coin and announces the result, Alice can report that she called whatever result is most desirable for her. Alice and Bob can use commitments in a procedure that will allow both to trust the outcome:
For Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment. If the commitment scheme is a good one, Bob cannot skew the results. Similarly, Alice cannot affect the result if she cannot change the value she commits to.
A real-life application of this problem exists, when people (often in media) commit to a decision or give an answer in a "sealed envelope", which is then opened later. "Let's find out if that's what the candidate answered", for example on a game show, can serve as a model of this system.
One particular motivating example is the use of commitment schemes in zero-knowledge proofs. Commitments are used in zero-knowledge proofs for two main purposes: first, to allow the prover to participate in "cut and choose" proofs where the verifier will be presented with a choice of what to learn, and the prover will reveal only what corresponds to the verifier's choice. Commitment schemes allow the prover to specify all the information in advance, and only reveal what should be revealed later in the proof.[10] Second, commitments are also used in zero-knowledge proofs by the verifier, who will often specify their choices ahead of time in a commitment. This allows zero-knowledge proofs to be composed in parallel without revealing additional information to the prover.[11]
The Lamport signature scheme is a digital signature system that relies on maintaining two sets of secret data packets, publishing verifiable hashes of the data packets, and then selectively revealing partial secret data packets in a manner that conforms specifically to the data to be signed. In this way, the prior public commitment to the secret values becomes a critical part of the functioning of the system.
Because the Lamport signature system cannot be used more than once, a system to combine many Lamport key-sets under a single public value that can be tied to a person and verified by others was developed. This system uses trees of hashes to compress many published Lamport-key-commitment sets into a single hash value that can be associated with the prospective author of later-verified data.
Another important application of commitments is in verifiable secret sharing, a critical building block of secure multiparty computation. In a secret sharing scheme, each of several parties receive "shares" of a value that is meant to be hidden from everyone. If enough parties get together, their shares can be used to reconstruct the secret, but even a malicious cabal of insufficient size should learn nothing. Secret sharing is at the root of many protocols for secure computation: in order to securely compute a function of some shared input, the secret shares are manipulated instead. However, if shares are to be generated by malicious parties, it may be important that those shares can be checked for correctness. In a verifiable secret sharing scheme, the distribution of a secret is accompanied by commitments to the individual shares. The commitments reveal nothing that can help a dishonest cabal, but the shares allow each individual party to check to see if their shares are correct.[12]
Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by a cryptographic protocol or whether they are non-interactive, consisting of two algorithms Commit and CheckReveal. In the latter case CheckReveal can often be seen as a derandomised version of Commit, with the randomness used by Commit constituting the opening information.
If the commitment C to a value x is computed as C:=Commit(x,open) with open being the randomness used for computing the commitment, then CheckReveal (C,x,open) reduces to simply verifying the equation C=Commit (x,open).
Using this notation and some knowledge about mathematical functions and probability theory we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding – a computationally unbounded adversary can simply generate Commit(x,open) for every value of x and open until finding a pair that outputs C, and in a perfectly binding scheme this uniquely identifies x.
Let open be chosen from a set of size
2k
Commitk
Then for all non-uniform probabilistic polynomial time algorithms that output
x,x'
open,open'
x ≠ x'
Commitk(x,open)=Commitk(x',open')
This is a form of asymptotic analysis. It is also possible to state the same requirement using concrete security: A commitment scheme Commit is
(t,\epsilon)
x,x',open,open'
x ≠ x'
Commit(x,open)=Commit(x',open')
\epsilon
Let
Uk
2k
x ≠ x'
\{Commitk(x,Uk)\}k\in\N
\{Commitk(x',Uk)\}k\in\N
It is impossible to realize commitment schemes in the universal composability(UC) framework. The reason is that UC commitment has to be extractable, as shown by Canetti and Fischlin[13] and explained below.
The ideal commitment functionality, denoted here by F, works roughly as follows. Committer C sends value m to F, whichstores it and sends "receipt" to receiver R. Later, C sends "open" toF, which sends m to R.
Now, assume we have a protocol π that realizes this functionality. Suppose that the committer C is corrupted. In the UC framework, that essentially means that C is now controlled by the environment, which attempts to distinguish protocol execution from the ideal process. Consider an environment that chooses a message m and then tells C to act as prescribed by π, as if it has committed to m. Note here that in order to realize F, the receiver must, after receiving a commitment, output a message "receipt". After the environment sees this message, it tells C to open the commitment.
The protocol is only secure if this scenario is indistinguishable from the ideal case, where the functionality interacts with a simulator S. Here, S has control of C. In particular, whenever R outputs "receipt", F has to do likewise. The only way to do that is for S to tell C to send a value to F. However, notethat by this point, m is not known to S. Hence, when the commitment is opened during protocol execution, it is unlikely that F will open to m, unless S can extract m from the messages it received from the environment before R outputs the receipt.
However a protocol that is extractable in this sense cannot be statistically hiding. Suppose such a simulator S exists. Now consider anenvironment that, instead of corrupting C, corrupts R instead. Additionally it runs a copy of S. Messages received from C are fed into S, and replies from S are forwarded to C.
The environment initially tells C to commit to a message m. At some point in the interaction, S will commit to a value m′. This message is handed to R, who outputs m′. Note that by assumption we have m' = m with high probability. Now in the ideal process the simulator has to come up with m. But this is impossible, because at this point the commitment has not been opened yet, so the only message R can have received in the ideal process is a "receipt" message. We thus have a contradiction.
A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources); or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources); or formulated as an instance-dependent commitment scheme, which is either hiding or binding depending on the solution to another problem.[14] [15] A commitment scheme cannot be both perfectly hiding and perfectly binding at the same time.
Bit-commitment schemes are trivial to construct in the random oracle model. Given a hash function H with a 3k bit output, to commit the k-bit message m, Alice generates a random k bit string R and sends Bob H(R||m). The probability that any R′, m′ exist where m′ ≠ m such that H(R′||m′) = H(R||m) is ≈ 2−k, but to test any guess at the message m Bob will need to make 2k (for an incorrect guess) or 2k-1 (on average, for a correct guess) queries to the random oracle. We note that earlier schemes based on hash functions, essentially can be thought of schemes based on idealization of these hash functions as random oracle.
One can create a bit-commitment scheme from any one-way function that is injective. The scheme relies on the fact that every one-way function can be modified (via the Goldreich-Levin theorem) to possess a computationally hard-core predicate (while retaining the injective property).
Let f be an injective one-way function, with h a hard-core predicate. Then to commit to a bit b Alice picks a random input x and sends the triple
(h,f(x),b ⊕ h(x))
⊕
Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol.
In 1991 Moni Naor showed how to create a bit-commitment scheme from a cryptographically secure pseudorandom number generator.[16] The construction is as follows. If G is a pseudo-random generator such that G takes n bits to 3n bits, then if Alice wants to commit to a bit b:
To decommit Alice sends Y to Bob, who can then check whether he initially received G(Y) or G(Y)
⊕
This scheme is statistically binding, meaning that even if Alice is computationally unbounded she cannot cheat with probability greater than 2−n. For Alice to cheat, she would need to find a Y', such that G(Y') = G(Y)
⊕
The concealing property follows from a standard reduction, if Bob can tell whether Alice committed to a zero or one, he can also distinguish the output of the pseudo-random generator G from true-random, which contradicts the cryptographic security of G.
Alice chooses a ring of prime order p, with multiplicative generator g.
Alice randomly picks a secret value x from 0 to p - 1 to commit to and calculates c = gx and publishes c. The discrete logarithm problem dictates that from c, it is computationally infeasible to compute x, so under this assumption, Bob cannot compute x. On the other hand, Alice cannot compute a x <> x, such that gx = c, so the scheme is binding.
This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve the discrete logarithm problem. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to the IND-CPA game. One consequence of this is that if the space of possible values of x is small, then an attacker could simply try them all and the commitment would not be hiding.
A better example of a perfectly binding commitment scheme is one where the commitment is the encryption of x under a semantically secure, public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encrypt x. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme,[17] which is computationally binding under the discrete logarithm assumption.[18] Additionally to the scheme above, it uses another generator h of the prime group and a random number r. The commitment is set
c=gxhr
These constructions are tightly related to and based on the algebraic properties of the underlying groups, and the notion originally seemed to be very much related to the algebra. However, it was shown that basing statistically binding commitment schemes on general unstructured assumption is possible, via the notion of interactive hashing for commitments from general complexity assumptions (specifically and originally, based on any one way permutation) as in.[20]
Alice selects
N
N=p ⋅ q
p
q
e
e>N2
gcd(e,\phi(N2))=1
gm
* | |
\Z | |
N2 |
m
r
* | |
\Z | |
N2 |
c=me
r | |
g | |
m |
The security of the above commitment relies on the hardness of the RSA problem and has perfect hiding and computational binding.[22]
The Pedersen commitment scheme introduces an interesting homomorphic property that allows performing addition between two commitments. More specifically, given two messages
m1
m2
r1
r2
C(m1,r1) ⋅ C(m2,r2)=C(m1+m2,r1+r2)
C(m1,r1) ⋅ C(m2,r2)=
m1 | |
g |
r1 | |
h |
⋅
m2 | |
g |
r2 | |
h |
=
m1+m2 | |
g |
r1+r2 | |
h |
=C(m1+m2,r1+r2)
To open the above Pedersen commitment to a new message
m1+m2
r1
r2
Similarly, the RSA-based commitment mentioned above has a homomorphic property with respect to the multiplication operation. Given two messages
m1
m2
r1
r2
C(m1,r1) ⋅ C(m2,r2)=C(m1 ⋅ m2,r1+r2)
C(m1,r1) ⋅ C(m2,r2)=
e | |
m | |
1 |
r1 | |
g | |
m |
⋅
e | |
m | |
2 |
r2 | |
g | |
m |
=(m1 ⋅
e | |
m | |
2) |
r1+r2 | |
g | |
m |
=C(m1 ⋅ m2,r1+r2)
To open the above commitment to a new message
m1 ⋅ m2
r1
r2
m1 ⋅ m2
Some commitment schemes permit a proof to be given of only a portion of the committed value. In these schemes, the secret value
X
X=(x1,x2,...,xn)
C
X
X
R
X
i
C
X
xi
xi
Vector hashing is a naive vector commitment partial reveal scheme based on bit-commitment. Values
m1,m2,...mn
y1=H(x1||m1),y2=H(x2||m2),...
C=H(y1||y2||...||yn)
X
(i,y1,y2,...,yi-1,xi,mi,yi+1,...,yn)
yi
xi
mi
y
C
O(n)
C
y
O(n)
O(1)
O(n)
A common example of a practical partial reveal scheme is a Merkle tree, in which a binary hash tree is created of the elements of
X
O(1)
O(log2{n})
C
xi
log2{n}
C
A Kate-Zaverucha-Goldberg commitment uses pairing-based cryptography to build a partial reveal scheme with
O(1)
n
X
A KZG commitment requires a predetermined set of parameters to create a pairing, and a trusted trapdoor element. For example, a Tate pairing can be used. Assume that
G1,G2
GT
e:G1 x G2 → GT
t\inFp
p
G1
G2
G
H
G1
G2
G ⋅ ti
H ⋅ ti
i
t
A KZG commitment reformulates the vector of values to be committed as a polynomial. First, we calculate a polynomial such that
p(i)=xi
xi
n-1 | |
p(x)=\sum | |
i=0 |
xi\prod0\leq
x-j | |
i-j |
p(0)=x0,p(1)=x1,...
p0,p1,...,pn-1
p
n-1 | |
C=\sum | |
i=0 |
piGti
G ⋅ ti
pi
G1
C
G ⋅ p(t)
G
t
C
G1
A KZG proof must demonstrate that the revealed data is the authentic value of
xi
C
y=xi
xi
p
i
y
p(i)=y
y
p
i
q
q(x)= | p(x)-y |
x-i |
p(i)=y
q
p(x)-y
x-i
i
p(i)-y=0
p(i)=y
q
The prover computes
q
\pi
n-1 | |
\pi=\sum | |
i=0 |
qiGti
G ⋅ q(t)
q
t
G
G1
This computation is only possible if the above polynomials were evenly divisible, because in that case the quotient
q
G ⋅ ti
xi
To verify the proof, the bilinear map of the pairing is used to show that the proof value
\pi
q
p(x)-y
x-i
e(\pi,H ⋅ t-H ⋅ i) \stackrel{?}{=} e(C-G ⋅ y,H)
e
H ⋅ t
H ⋅ i
i
By rewriting the computation in the pairing group
GT
\pi=q(t) ⋅ G
C=p(t) ⋅ G
\tau(x)=e(G,H)x
e(\pi,H ⋅ t-H ⋅ i)=e(C-G ⋅ y,H)
e(G ⋅ q(t),H ⋅ t-H ⋅ i)=e(G ⋅ p(t)-G ⋅ y,H)
e(G ⋅ q(t),H ⋅ (t-i))=e(G ⋅ (p(t)-y),H)
e(G,H)q(t) ⋅ (t-i)=e(G,H)p(t)
\tau(q(t) ⋅ (t-i))=\tau(p(t)-y)
Assuming that the bilinear map is validly constructed, this demonstrates that
q(x)(x-i)=p(x)-y
p
q
\tau(q(t) ⋅ (t-i))=\tau(p(t)-y)
x=t
q(x)(x-i)=p(x)-y
q
p(x)-y
(x-i)
p(i)-y=0
i
y
i
Additionally, a KZG commitment can be extended to prove the values of any arbitrary
k
X
O(1)
O(k)
y
x-i
It is an interesting question in quantum cryptography if unconditionally secure bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties of quantum mechanics, as in the protocols for unconditionally secure key distribution.
However, this is impossible, as Dominic Mayers showed in 1996 (see[26] for the original proof). Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of the Schmidt decomposition, effectively defeating the binding property.
One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.[27] More generally, Mayers' proof applies only to protocols that exploit quantum physics but not special relativity. Kent has shown that there exist unconditionally secure protocols for bit commitment that exploit the principle of special relativity stating that information cannot travel faster than light.[28]
Physical unclonable functions (PUFs) rely on the use of a physical key with internal randomness, which is hard to clone or to emulate. Electronic, optical and other types of PUFs[29] have been discussed extensively in the literature, in connection with their potential cryptographic applications including commitment schemes.[30] [31]