Inferensys

Glossary

Commitment Scheme

A cryptographic primitive allowing a party to commit to a chosen value while keeping it hidden, with the ability to reveal the value later, ensuring the committer cannot change the value after committing.
Moody home-office setup in a converted highrise loft, analyst working late with multiple screens showing knowledge graph visualizations, city lights through large windows behind.
CRYPTOGRAPHIC PRIMITIVE

What is a Commitment Scheme?

A fundamental building block for secure multi-party computation and verifiable protocols, enabling a party to lock in a value without revealing it.

A commitment scheme is a cryptographic protocol that allows a sender to commit to a chosen value m while keeping it hidden from a receiver, and later reveal m in a way that proves the revealed value is exactly the one originally committed to. It enforces two critical properties: hiding, which prevents the receiver from learning anything about m before the reveal phase, and binding, which prevents the sender from changing m after committing.

The protocol operates in two distinct phases: a commit phase, where the sender produces a commitment C = Commit(m, r) using a random nonce r and sends C to the receiver, and a reveal phase, where the sender discloses m and r so the receiver can verify C. In secure aggregation protocols, commitment schemes are often combined with zero-knowledge proofs to enforce honest behavior, ensuring clients cannot adaptively modify their model updates after observing contributions from other participants.

CRYPTOGRAPHIC PRIMITIVES

Core Properties of Commitment Schemes

A commitment scheme is a fundamental cryptographic protocol that allows a party to commit to a chosen value while keeping it hidden, with the ability to reveal the value later. The scheme ensures the committer cannot change the value after committing. Two essential properties define its security.

01

Hiding Property

The hiding property ensures that the commitment reveals no information about the committed value. An adversary cannot distinguish a commitment to value m1 from a commitment to m2 with probability better than random guessing.

  • Computational Hiding: Security relies on the computational hardness of an underlying problem (e.g., discrete logarithm). A computationally unbounded adversary could break it.
  • Statistical/Perfect Hiding: Even a computationally unbounded adversary cannot learn the value. The distribution of commitments is identical for all messages.
  • Practical Example: In a sealed-bid auction, the hiding property prevents other bidders from seeing your bid before the deadline.
Perfect
Information-Theoretic Hiding
02

Binding Property

The binding property ensures the committer cannot change the committed value after sending the commitment. They cannot find two different values and corresponding opening information that both match the same commitment.

  • Computational Binding: Security relies on computational hardness. A powerful enough computer could theoretically find a collision.
  • Statistical/Perfect Binding: Even with infinite computational power, no two different values can map to the same commitment.
  • Critical Trade-off: A scheme cannot be simultaneously perfectly hiding and perfectly binding. One property must be computational while the other can be information-theoretic.
Collision-Resistant
Binding Guarantee
05

Commit-Reveal Protocol

A two-phase protocol pattern that leverages commitment schemes to ensure fairness and prevent front-running in decentralized systems.

  • Phase 1 (Commit): All participants broadcast a cryptographic commitment to their input or action.
  • Phase 2 (Reveal): After all commitments are received, participants reveal their original values. The protocol verifies each reveal against its commitment.
  • Failure Handling: If a participant refuses to reveal, they typically forfeit a deposit or are penalized.
  • Applications: Used in sealed-bid auctions, decentralized voting, and blockchain commit-reveal schemes to prevent miners from censoring or reordering transactions based on content.
2-Phase
Protocol Structure
06

Vector Commitments

An extension of standard commitment schemes that allows committing to an ordered sequence of values (m1, m2, ..., mn) while enabling efficient opening of individual positions without revealing the entire vector.

  • Positional Opening: Prove that mi is the value at position i with a proof size sublinear in the vector length n.
  • Merkle Trees: A classic example where the commitment is the Merkle root, and opening a leaf requires a logarithmic-sized Merkle proof.
  • Polynomial Commitments: Advanced schemes like KZG commitments allow opening at arbitrary points with constant-sized proofs, crucial for zk-SNARKs and verifiable secret sharing.
  • Role in Secure Aggregation: Used to commit to model update vectors, allowing efficient verification that a client's revealed update matches its original commitment.
COMMITMENT SCHEMES

Frequently Asked Questions

Explore the fundamental cryptographic primitive that enables a party to commit to a chosen value while keeping it hidden, with the ability to reveal it later. These questions address the mechanics, security properties, and applications of commitment schemes in secure aggregation and privacy-preserving machine learning.

A commitment scheme is a cryptographic primitive that allows a party (the committer) to bind themselves to a chosen value during a commit phase while keeping that value hidden from others, and later reveal it during a reveal phase in a way that proves they did not change it. The protocol functions like a digital sealed envelope: the committer locks a message inside a cryptographic container and hands it to a verifier. At a later time, the committer provides the key to open the container, proving the message was fixed from the start.

The scheme must satisfy two critical properties:

  • Hiding: The commitment reveals no information about the committed value before the reveal phase. An adversary cannot distinguish a commitment to 0 from a commitment to 1 with probability better than random guessing.
  • Binding: The committer cannot find two different values that produce the same commitment. Once committed, the value is irrevocably fixed.

A simple construction uses a cryptographic hash function: the committer selects a random nonce r, computes C = H(m || r), and publishes C. To reveal, they publish m and r. The verifier recomputes the hash and checks equality. The random nonce ensures hiding even for low-entropy messages, while collision resistance of the hash ensures binding.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.