Inferensys

Glossary

Commitment Scheme

A cryptographic primitive that allows one to commit to a chosen value while keeping it hidden, with the ability to reveal the committed value later, ensuring the value cannot be changed after the commitment.
Moody home-office setup in a converted highrise loft, analyst working late with multiple screens showing knowledge graph visualizations, city lights through large windows behind.
CRYPTOGRAPHIC PRIMITIVE

What is a Commitment Scheme?

A commitment scheme is a fundamental cryptographic protocol that allows a sender to lock in a chosen value (the commitment) while keeping it hidden from a receiver, with the ability to reveal the value later in a way that proves it was not altered.

A commitment scheme is a cryptographic primitive that enables a party to commit to a chosen value while keeping it hidden from others, with the ability to reveal the committed value later. The scheme ensures the value cannot be changed after the commitment is made, functioning like a sealed, tamper-proof envelope. This two-phase protocol—commit and reveal—provides both hiding (secrecy) and binding (immutability) properties, making it essential for protocols requiring trustless coordination.

Commitment schemes are foundational to zero-knowledge proofs, verifiable secret sharing, and secure multi-party computation. A simple implementation uses a cryptographic hash function: the committer hashes the value concatenated with a random nonce, publishing the hash as the commitment. To reveal, they disclose the original value and nonce, allowing verification against the published hash. More advanced constructions, such as Pedersen commitments, provide information-theoretic hiding and computational binding, enabling their use in blockchain systems and privacy-preserving protocols.

COMMITMENT SCHEME

Core Cryptographic Properties

A cryptographic primitive that allows one to commit to a chosen value while keeping it hidden, with the ability to reveal the committed value later, ensuring the value cannot be changed after the commitment.

01

Hiding Property

The hiding property ensures the commitment reveals no information about the underlying value. An adversary cannot distinguish between commitments to two different values, even if they choose the values themselves. This is achieved through computational hiding (secure against polynomial-time adversaries) or statistical hiding (secure against unbounded adversaries).

  • Pedersen Commitments offer statistical hiding based on the discrete logarithm problem
  • Hash-based commitments provide computational hiding via preimage resistance
  • Essential for sealed-bid auctions and private voting systems
02

Binding Property

The binding property prevents the committer from opening the commitment to a different value than the one originally committed. Once a commitment is published, the committer is bound to the original value.

  • Computational binding: Secure against polynomial-time adversaries (Pedersen commitments)
  • Statistical binding: Secure against unbounded adversaries (hash-based commitments)
  • Violation would allow double-spending in cryptocurrencies or cheating in verifiable games
  • No scheme can simultaneously achieve both statistical hiding and statistical binding
03

Commit-Reveal Protocol

A two-phase protocol fundamental to blockchain systems and decentralized applications:

Phase 1 — Commit: The sender publishes C = Commit(v, r) where v is the value and r is a random nonce (blinding factor). The commitment C is broadcast to all parties.

Phase 2 — Reveal: The sender publishes (v, r). Any verifier can recompute Commit(v, r) and check it matches C.

  • Prevents front-running in decentralized exchanges
  • Enables fair lotteries and random beacon generation
  • Used in Submarine Swaps and Lightning Network atomic swaps
04

Pedersen Commitment

A homomorphic commitment scheme widely used in privacy-preserving protocols. Given generators g and h of a cyclic group where the discrete log relation is unknown:

C = g^v · h^r

Key properties:

  • Statistically hiding: h^r perfectly masks the value v
  • Computationally binding: Breaking binding requires solving the discrete logarithm problem
  • Additively homomorphic: Commit(v1, r1) · Commit(v2, r2) = Commit(v1+v2, r1+r2)

Used in Confidential Transactions (Monero, Elements), Bulletproofs, and zk-SNARK constructions.

05

Vector Commitments

A commitment to an ordered sequence of values (v₁, v₂, ..., vₙ) that allows opening individual positions without revealing the entire vector. The proof size is sublinear or constant relative to the vector length.

  • Merkle Trees: The classic vector commitment with O(log n) proofs
  • KZG Commitments: Constant-size proofs using polynomial commitments and bilinear pairings
  • Verkle Trees: Combine vector commitments with tree structures for efficient stateless clients

Critical for Ethereum's Verge upgrade, stateless blockchains, and verifiable databases.

06

Functional Commitments

A generalization allowing the committer to prove evaluations of a function on the committed data without revealing the data itself.

Types:

  • Polynomial Commitments: Commit to a polynomial and prove P(x) = y at any point
  • Inner Product Commitments: Prove the inner product of two committed vectors
  • Lookup Commitments: Prove a committed value exists in a committed table

These form the cryptographic backbone of modern zk-SNARK proving systems including Plonk, Halo2, and Marlin, enabling succinct verifiable computation.

CRYPTOGRAPHIC PRIMITIVE TAXONOMY

Comparison of Commitment Scheme Types

A feature-level comparison of the three fundamental commitment scheme constructions, evaluating their security properties, computational requirements, and suitability for different protocol contexts.

FeaturePedersen CommitmentHash-Based CommitmentPolynomial Commitment (KZG)

Binding Property

Computational (Discrete Log)

Computational (Collision Resistance)

Computational (q-SDH Assumption)

Hiding Property

Perfect (Information-Theoretic)

Computational (Preimage Resistance)

Computational (q-SDH Assumption)

Homomorphic

Proof Size

O(1) — Single group element

O(1) — Single hash output

O(1) — Single group element

Requires Trusted Setup

Post-Quantum Secure

Commitment Generation Cost

2 exponentiations

1 hash evaluation

1 multi-exponentiation + pairing

Batch Verification

COMMITMENT SCHEME FAQ

Frequently Asked Questions

Clear, technically precise answers to the most common questions about cryptographic commitment schemes, their properties, and their role in modern protocol design.

A commitment scheme is a cryptographic primitive that allows a prover to lock in a chosen value (the commitment) without revealing it, while guaranteeing they cannot change it later. The process has two phases: a commit phase, where the prover generates a commitment C = Commit(m, r) using a message m and random blinding factor r, and sends C to a verifier; and a reveal phase, where the prover discloses m and r, allowing the verifier to recompute C and confirm the original commitment matches. The scheme must satisfy two essential properties: hiding (the commitment reveals nothing about m before the reveal phase) and binding (the prover cannot find a different message m' that produces the same commitment C). This is often explained with the envelope analogy: writing a message, sealing it in an envelope, and handing it over commits you to the message without revealing it until the envelope is opened.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.