## Table of contents

## Open Table of contents

## What it is

A commitment scheme ensures that a value one has committed to can’t be changed after the fact (i.e. one can’t cheat by pretending that (s)he has committed to a different value).

The commitment scheme enforces two important properties:

- The value that was committed to is hidden (i.e. no information leak)
- Once a value was committed to, it can’t be changed

## How it works

In our example of a Hash-Based Commitment scheme we have two parties, Alice and Bob.

Alice commits to a value she then sends to Bob who checks that Alice in fact committed to the correct value.

As the name implies, we’ll be using a cryptographic hash function $H$ in this construction.

The first thing Alice does is deciding on which value $v$ she wants to commit to. The value $v$ could be any value like one sampled randomly form $\mathbb{Z}$:

$v \overset{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}$Next up, Alice samples another random value $r$ from $\mathbb{Z}$:

$r \overset{{\scriptscriptstyle\$}}{\leftarrow} \mathbb{Z}$Both values will be concatenated (indicated via $\mathbin\Vert$) and hashed via the hash function $H$ to produce the commitment $c$:

$c = H(v \mathbin\Vert r)$The value $c$ can now be shared with Bob.

Once Bob wants to verify which value $v$ Alice committed to, he requests $v$ as well as $r$ from Alice. He can then check if:

$H(v \mathbin\Vert r) \overset{?}{=} c$## Why it works

Given that cryptographic hash functions will produce a randomly looking output that also ensure one-wayness (i.e. given the output, one cannot determine the input) Bob can’t figure out which value Alice committed to.

The usage of the random value $r$ during hashing further ensures that Bob can’t “reverse-engineer” Alice’s value $v$ by iterating over all possible values and creating a hash for each value to produce a lookup-table.

Because these measures guarantee that no information regarding Alice’s value $v$ is leaked, we can say that the aforementioned property #1 a commitment scheme needs to adhere to is satisfied.

Next, we should note that a cryptographic hash function aims to provide collision resistance, meaning that any potential input value maps to one and only one output.

Because Bob knows the hash function’s output $c$ before Alice reveals $v$ and $r$, Alice would need to find a collision $H(v' \mathbin\Vert r') = H(v \mathbin\Vert r)$ to be able to convince Bob that she committed to $v'$ (using also $r'$) rather than $v$ (and $r$ respectively).

Given the likelihood of this happening is negligible for a cryptographic hash function, Alice won’t be able to convince Bob that she committed to another value. Given this we can see that the commitment scheme presented here also adheres to the aforementioned property #2.