This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Commitment scheme" – news ·newspapers ·books ·scholar ·JSTOR(October 2014) (Learn how and when to remove this message)

Acommitment scheme is acryptographic primitive that allows one to commit to a chosen value (or chosen statement) while keeping it hidden to others, with the ability to reveal the committed value later.^[1] Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes arebinding. Commitment schemes have important applications in a number ofcryptographic protocols including secure coin flipping,zero-knowledge proofs, andsecure computation.

A way to visualize a commitment scheme is to think of a sender as putting a message in a locked box, and giving the box to a receiver. The message in the box is hidden from the receiver, who cannot open the lock themselves. Since the receiver has the box, the message inside cannot be changed—merely revealed if the sender chooses to give them the key at some later time.

Interactions in a commitment scheme take place in two phases:

1. thecommit phase during which a value is chosen and committed to
2. thereveal phase during which the value is revealed by the sender, then the receiver verifies its authenticity

In the above metaphor, the commit phase is the sender putting the message in the box, and locking it. The reveal phase is the sender giving the key to the receiver, who uses it to open the box and verify its contents. The locked box is the commitment, and the key is the proof.

In simple protocols, the commit phase consists of a single message from the sender to the receiver. This message is calledthe commitment. It is essential that the specific value chosen cannot be extracted from the message by the receiver at that time (this is called thehiding property). A simple reveal phase would consist of a single message,the opening, from the sender to the receiver, followed by a check performed by the receiver. The value chosen during the commit phase must be the only one that the sender can compute and that validates during the reveal phase (this is called thebinding property).

The concept of commitment schemes was perhaps first formalized byGilles Brassard,David Chaum, andClaude Crépeau in 1988,^[2] as part of various zero-knowledge protocols forNP, based on various types of commitment schemes.^[3][4] But the concept was used prior to that without being treated formally.^[5][6] The notion of commitments appeared earliest in works byManuel Blum,^[7]Shimon Even,^[8] andAdi Shamir et al.^[9] The terminology seems to have been originated by Blum,^[6] although commitment schemes can be interchangeably calledbit commitment schemes—sometimes reserved for the special case where the committed value is abit. Prior to that, commitment via one-way hash functions was considered, e.g., as part of, say,Lamport signature, the original one-time one-bit signature scheme.

SupposeAlice and Bob want to resolve some dispute viacoin flipping. If they are physically in the same place, a typical procedure might be:

1. Alice "calls" the coin flip,
2. Bob flips the coin,
3. If Alice's call is correct, she wins, otherwise Bob wins.

If Alice and Bob are not in the same place a problem arises. Once Alice has "called" the coin flip, Bob can stipulate the flip "results" to be whatever is most desirable for him. Similarly, if Alice doesn't announce her "call" to Bob, after Bob flips the coin and announces the result, Alice can report that she called whatever result is most desirable for her. Alice and Bob can use commitments in a procedure that will allow both to trust the outcome:

1. Alice "calls" the coin flip but only tells Bob acommitment to her call,
2. Bob flips the coin and reports the result,
3. Alice reveals what she committed to,
4. Bob verifies that Alice's call matches her commitment,
5. If Alice's revelation matches the coin result Bob reported, Alice wins.

For Bob to be able to skew the results to his favor, he must be able to understand the call hidden in Alice's commitment. If the commitment scheme is a good one, Bob cannot skew the results. Similarly, Alice cannot affect the result if she cannot change the value she commits to.

A real-life application of this problem exists, when people (often in media) commit to a decision or give an answer in a "sealed envelope", which is then opened later. "Let's find out if that's what the candidate answered", for example on a game show, can serve as a model of this system.

One particular motivating example is the use of commitment schemes inzero-knowledge proofs. Commitments are used in zero-knowledge proofs for two main purposes: first, to allow the prover to participate in "cut and choose" proofs where the verifier will be presented with a choice of what to learn, and the prover will reveal only what corresponds to the verifier's choice. Commitment schemes allow the prover to specify all the information in advance, and only reveal what should be revealed later in the proof.^[10] Second, commitments are also used in zero-knowledge proofs by the verifier, who will often specify their choices ahead of time in a commitment. This allows zero-knowledge proofs to be composed in parallel without revealing additional information to the prover.^[11]

TheLamport signature scheme is adigital signature system that relies on maintaining two sets of secretdata packets, publishingverifiable hashes of the data packets, and then selectively revealing partial secret data packets in a manner that conforms specifically to the data to be signed. In this way, the prior public commitment to the secret values becomes a critical part of the functioning of the system.

Because the Lamport signature system cannot be used more than once, a system to combine many Lamport key-sets under a single public value that can be tied to a person and verified by others was developed. This system uses trees ofhashes to compress many published Lamport-key-commitment sets into a single hash value that can be associated with the prospective author of later-verified data.

Another important application of commitments is inverifiable secret sharing, a critical building block ofsecure multiparty computation. In asecret sharing scheme, each of several parties receive "shares" of a value that is meant to be hidden from everyone. If enough parties get together, their shares can be used to reconstruct the secret, but even a malicious cabal of insufficient size should learn nothing. Secret sharing is at the root of many protocols forsecure computation: in order to securely compute a function of some shared input, the secret shares are manipulated instead. However, if shares are to be generated by malicious parties, it may be important that those shares can be checked for correctness. In a verifiable secret sharing scheme, the distribution of a secret is accompanied by commitments to the individual shares. The commitments reveal nothing that can help a dishonest cabal, but the shares allow each individual party to check to see if their shares are correct.^[12]

Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by acryptographic protocol or whether they are non-interactive, consisting of two algorithmsCommit andCheckReveal. In the latter caseCheckReveal can often be seen as a derandomised version ofCommit, with the randomness used byCommit constituting the opening information.

If the commitmentC to a valuex is computed asC:=Commit(x,open) withopen being the randomness used for computing the commitment, thenCheckReveal (C,x,open) reduces to simply verifying the equationC=Commit (x,open).

Using this notation and some knowledge aboutmathematical functions andprobability theory we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding – a computationally unbounded adversary can simply generateCommit(x,open) for every value ofx andopen until finding a pair that outputsC, and in a perfectly binding scheme this uniquely identifiesx.

Letopen be chosen from a set of size${\displaystyle 2^k}$, i.e., it can be represented as ak bit string, and let${\displaystyle {\text{Commit}}_k}$ be the corresponding commitment scheme. As the size ofk determines the security of the commitment scheme it is called thesecurity parameter.

Then for allnon-uniformprobabilistic polynomial time algorithms that output${\displaystyle x,x^{\prime }}$ and${\displaystyle open,ope{n}^{\prime }}$ of increasing lengthk, the probability that${\displaystyle x\ne x^{\prime }}$ and${\displaystyle {\text{Commit}}_k(x,open)={\text{Commit}}_k(x^{\prime },ope{n}^{\prime })}$ is anegligible function ink.

This is a form ofasymptotic analysis. It is also possible to state the same requirement usingconcrete security: A commitment schemeCommit is${\displaystyle (t,ϵ)}$ secure, if for all algorithms that run in timet and output${\displaystyle x,x^{\prime },open,ope{n}^{\prime }}$ the probability that${\displaystyle x\ne x^{\prime }}$ and${\displaystyle \text{Commit}(x,open)=\text{Commit}(x^{\prime },ope{n}^{\prime })}$ is at most${\displaystyle ϵ}$.

Let${\displaystyle U_k}$ be the uniform distribution over the${\displaystyle 2^k}$ opening values for security parameterk. A commitment scheme is respectively perfect, statistical, or computational hiding, if for all${\displaystyle x\ne x^{\prime }}$ theprobability ensembles${\displaystyle \{{\text{Commit}}_k(x,U_k){\}}_{k\in \mathbb{N}}}$ and${\displaystyle \{{\text{Commit}}_k(x^{\prime },U_k){\}}_{k\in \mathbb{N}}}$ are equal,statistically close, orcomputationally indistinguishable.

It is impossible to realize commitment schemes in theuniversal composability(UC) framework. The reason is that UC commitment has to beextractable, as shown by Canetti and Fischlin^[13] and explained below.

The ideal commitment functionality, denoted here byF, works roughly as follows. CommitterC sends valuem toF, whichstores it and sends "receipt" to receiverR. Later,C sends "open" toF, which sendsm toR.

Now, assume we have a protocolπ that realizes this functionality. Suppose that the committerC is corrupted. In the UC framework, that essentially means thatC is now controlled by the environment, which attempts to distinguish protocol execution from the ideal process. Consider an environment that chooses a messagem and then tellsC to act as prescribed byπ, as if it has committed tom. Note here that in order to realizeF, the receiver must, after receiving a commitment, output a message "receipt". After the environment sees this message, it tellsC to open the commitment.

The protocol is only secure if this scenario is indistinguishable from the ideal case, where the functionality interacts with a simulatorS. Here,S has control ofC. In particular, wheneverR outputs "receipt",F has to do likewise. The only way to do that is forS to tellC to send a value toF. However, notethat by this point,m is not known toS. Hence, when the commitment is opened during protocol execution, it is unlikely thatF will open tom, unlessS can extractm from the messages it received from the environment beforeR outputs the receipt.

However a protocol that is extractable in this sense cannot be statistically hiding. Suppose such a simulatorS exists. Now consider anenvironment that, instead of corruptingC, corruptsR instead. Additionally it runs a copy ofS. Messages received fromC are fed intoS, and replies fromS are forwarded toC.

The environment initially tellsC to commit to a messagem. At some point in the interaction,S will commit to a valuem′. This message is handed toR, who outputsm′. Note that by assumption we havem' = mwith high probability. Now in the ideal process the simulator has to come up withm. But this is impossible, because at this point the commitment has not been opened yet, so the only messageR can have received in the ideal process is a "receipt" message. We thus have a contradiction.

A commitment scheme can either be perfectly binding (it is impossible for Alice to alter her commitment after she has made it, even if she has unbounded computational resources); or perfectly concealing (it is impossible for Bob to find out the commitment without Alice revealing it, even if he has unbounded computational resources); or formulated as an instance-dependent commitment scheme, which is either hiding or binding depending on the solution to another problem.^[14][15] A commitment scheme cannot be both perfectly hiding and perfectly binding at the same time.

Bit-commitment schemes are trivial to construct in therandom oracle model. Given ahash function H with a 3k bit output, to commit thek-bit messagem, Alice generates a randomk bit stringR and sends Bob H(R ||m). The probability that anyR′,m′ exist wherem′ ≠m such that H(R′ ||m′) = H(R ||m) is ≈ 2^−k, but to test any guess at the messagem Bob will need to make 2^k (for an incorrect guess) or 2^k-1 (on average, for a correct guess) queries to the random oracle.^[16] We note that earlier schemes based on hash functions, essentially can be thought of schemes based on idealization of these hash functions as random oracle.

One can create a bit-commitment scheme from anyone-way function that isinjective. The scheme relies on the fact that every one-way function can be modified (via theGoldreich-Levin theorem) to possess a computationallyhard-core predicate (while retaining the injective property).

Letf be an injective one-way function, withh a hard-core predicate. Then to commit to a bitb Alice picks a random inputx and sends the triple

${\displaystyle (h,f(x),b\oplus h(x))}$

to Bob, where${\displaystyle \oplus }$ denotes XOR,i.e., bitwise addition modulo 2. To decommit, Alice simply sendsx to Bob. Bob verifies by computingf(x) and comparing to the committed value. This scheme is concealing because for Bob to recoverb he must recoverh(x). Sinceh is a computationally hard-core predicate, recoveringh(x) fromf(x) with probability greater than one-half is as hard as invertingf. Perfect binding follows from the fact thatf is injective and thusf(x) has exactly one preimage.

Note that since we do not know how to construct a one-way permutation from any one-way function, this section reduces the strength of the cryptographic assumption necessary to construct a bit-commitment protocol.

In 1991Moni Naor showed how to create a bit-commitment scheme from acryptographically secure pseudorandom number generator.^[17] The construction is as follows. IfG is a pseudo-random generator such thatG takesn bits to 3n bits, then if Alice wants to commit to a bitb:

• Bob selects a random 3n-bit vectorR and sendsR to Alice.
• Alice selects a randomn-bit vectorY and computes the 3n-bit vectorG(Y).
• Ifb=1 Alice sendsG(Y) to Bob, otherwise she sends the bitwiseexclusive-or ofG(Y) andR to Bob.

To decommit Alice sendsY to Bob, who can then check whether he initially receivedG(Y) orG(Y)${\displaystyle \oplus }$R.

This scheme is statistically binding, meaning that even if Alice is computationally unbounded she cannot cheat with probability greater than 2⁻ⁿ. For Alice to cheat, she would need to find aY', such thatG(Y') =G(Y)${\displaystyle \oplus }$R. If she could find such a value, she could decommit by sending the truth andY, or send the opposite answer andY'. However,G(Y) andG(Y') are only able to produce 2ⁿ possible values each (that's 2²ⁿ) whileR is picked out of 2³ⁿ values. She does not pickR, so there is a 2²ⁿ/2³ⁿ = 2⁻ⁿ probability that aY' satisfying the equation required to cheat will exist.

The concealing property follows from a standard reduction, if Bob can tell whether Alice committed to a zero or one, he can also distinguish the output of the pseudo-random generatorG from true-random, which contradicts the cryptographic security ofG.

Alice chooses aring of prime orderp, with multiplicative generatorg.

Alice randomly picks a secret valuex from0 top − 1 to commit to and calculatesc =g^x and publishesc. Thediscrete logarithm problem dictates that fromc, it is computationally infeasible to computex, so under this assumption, Bob cannot computex. On the other hand, Alice cannot compute ax′ <>x, such thatg^x′ =c, so the scheme is binding.

This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve thediscrete logarithm problem. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to theIND-CPA game. One consequence of this is that if the space of possible values ofx is small, then an attacker could simply try them all and the commitment would not be hiding.

A better example of a perfectly binding commitment scheme is one where the commitment is the encryption ofx under asemantically secure, public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encryptx. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme,^[18] which is computationally binding under the discrete logarithm assumption.^[19]Additionally to the scheme above, it uses another generatorh of the prime group and a random numberr. The commitment is set${\displaystyle c=g^x{h}^r}$.^[20]

These constructions are tightly related to and based on the algebraic properties of the underlying groups, and the notion originally seemed to be very much related to the algebra. However, it was shown that basing statistically binding commitment schemes on general unstructured assumption is possible, via the notion of interactive hashing for commitments from general complexity assumptions (specifically and originally, based on any one way permutation) as in.^[21]

Alice selects${\displaystyle N}$ such that${\displaystyle N=p\cdot q}$, where${\displaystyle p}$ and${\displaystyle q}$ are large secret prime numbers. Additionally, she selects a prime${\displaystyle e}$ such that${\displaystyle e>N^2}$ and${\displaystyle gcd(e,\varphi (N^2))=1}$. Alice then computes a public number${\displaystyle g_m}$ as an element of maximum order in the${\displaystyle {\mathbb{Z}}_{N^2}^{\ast }}$ group.^[22] Finally, Alice commits to her secret${\displaystyle m}$ by first generating a random number${\displaystyle r}$ from${\displaystyle {\mathbb{Z}}_{N^2}^{\ast }}$ and then by computing${\displaystyle c=m^e{g}_m^r}$.

The security of the above commitment relies on the hardness of the RSA problem and has perfect hiding and computational binding.^[23]

The Pedersen commitment scheme introduces an interesting homomorphic property that allows performing addition between two commitments. More specifically, given two messages${\displaystyle m_1}$ and${\displaystyle m_2}$ and randomness${\displaystyle r_1}$ and${\displaystyle r_2}$, respectively, it is possible to generate a new commitment such that:${\displaystyle C(m_1,r_1)\cdot C(m_2,r_2)=C(m_1+m_2,r_1+r_2)}$. Formally:

${\displaystyle C(m_1,r_1)\cdot C(m_2,r_2)=g^{m_1}{h}^{r_1}\cdot g^{m_2}{h}^{r_2}=g^{m_1+m_2}{h}^{r_1+r_2}=C(m_1+m_2,r_1+r_2)}$

To open the above Pedersen commitment to a new message${\displaystyle m_1+m_2}$, the randomness${\displaystyle r_1}$ and${\displaystyle r_2}$ has to be added.

Similarly, the RSA-based commitment mentioned above has a homomorphic property with respect to the multiplication operation. Given two messages${\displaystyle m_1}$ and${\displaystyle m_2}$ with randomness${\displaystyle r_1}$ and${\displaystyle r_2}$, respectively, one can compute:${\displaystyle C(m_1,r_1)\cdot C(m_2,r_2)=C(m_1\cdot m_2,r_1+r_2)}$. Formally:${\displaystyle C(m_1,r_1)\cdot C(m_2,r_2)=m_1^e{g}_m^{r_1}\cdot m_2^e{g}_m^{r_2}=(m_1\cdot m_2{)}^e{g}_m^{r_1+r_2}=C(m_1\cdot m_2,r_1+r_2)}$.

To open the above commitment to a new message${\displaystyle m_1\cdot m_2}$, the randomness${\displaystyle r_1}$ and${\displaystyle r_2}$ has to be added. This newly generated commitment is distributed similarly to a new commitment to${\displaystyle m_1\cdot m_2}$.

Some commitment schemes permit a proof to be given of only a portion of the committed value. In these schemes, the secret value${\displaystyle X}$ is a vector of many individually separable values.

${\displaystyle X=(x_1,x_2,...,x_n)}$

The commitment${\displaystyle C}$ is computed from${\displaystyle X}$ in the commit phase. Normally, in the reveal phase, the prover would reveal all of${\displaystyle X}$ and some additional proof data (such as${\displaystyle R}$ insimple bit-commitment). Instead, the prover is able to reveal any single value from the${\displaystyle X}$ vector, and create an efficient proof that it is the authentic${\displaystyle i}$th element of the original vector that created the commitment${\displaystyle C}$. The proof does not require any values of${\displaystyle X}$ other than${\displaystyle x_i}$ to be revealed, and it is impossible to create valid proofs that reveal different values for any of the${\displaystyle x_i}$ than the true one.^[24]

Vector hashing is a naive vector commitment partial reveal scheme based on bit-commitment. Values${\displaystyle m_1,m_2,...m_n}$ are chosen randomly. Individual commitments are created by hashing${\displaystyle y_1=H(x_1||m_1),y_2=H(x_2||m_2),...}$. The overall commitment is computed as

${\displaystyle C=H(y_1||y_2||...||y_n)}$

In order to prove one element of the vector${\displaystyle X}$, the prover reveals the values

${\displaystyle (i,y_1,y_2,...,y_{i-1},x_i,m_i,y_{i+1},...,y_n)}$

The verifier is able to compute${\displaystyle y_i}$ from${\displaystyle x_i}$ and${\displaystyle m_i}$, and then is able to verify that the hash of all${\displaystyle y}$ values is the commitment${\displaystyle C}$. Unfortunately the proof is${\displaystyle O(n)}$ in size and verification time. Alternately, if${\displaystyle C}$ is the set of all${\displaystyle y}$ values, then the commitment is${\displaystyle O(n)}$ in size, and the proof is${\displaystyle O(1)}$ in size and verification time. Either way, the commitment or the proof scales with${\displaystyle O(n)}$ which is not optimal.

A common example of a practical partial reveal scheme is aMerkle tree, in which a binary hash tree is created of the elements of${\displaystyle X}$. This scheme creates commitments that are${\displaystyle O(1)}$ in size, and proofs that are${\displaystyle O({\log }_{2}n)}$ in size and verification time. The root hash of the tree is the commitment${\displaystyle C}$. To prove that a revealed${\displaystyle x_i}$ is part of the original tree, only${\displaystyle {\log }_{2}n}$ hash values from the tree, one from each level, must be revealed as the proof. The verifier is able to follow the path from the claimed leaf node all the way up to the root, hashing in the sibling nodes at each level, and eventually arriving at a root node value that must equal${\displaystyle C}$.^[25]

A Kate-Zaverucha-Goldberg commitment usespairing-based cryptography to build a partial reveal scheme with${\displaystyle O(1)}$ commitment sizes, proof sizes, and proof verification time. In other words, as${\displaystyle n}$, the number of values in${\displaystyle X}$, increases, the commitments and proofs do not get larger, and the proofs do not take any more effort to verify.

A KZG commitment requires a predetermined set of parameters to create apairing, and a trusted trapdoor element. For example, aTate pairing can be used. Assume that${\displaystyle {\mathbb{G}}_1,{\mathbb{G}}_2}$ are the additive groups, and${\displaystyle {\mathbb{G}}_T}$ is the multiplicative group of the pairing. In other words, the pairing is the map${\displaystyle e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T}$. Let${\displaystyle t\in {\mathbb{F}}_p}$ be the trapdoor element (if${\displaystyle p}$ is the prime order of${\displaystyle {\mathbb{G}}_1}$ and${\displaystyle {\mathbb{G}}_2}$), and let${\displaystyle G}$ and${\displaystyle H}$ be the generators of${\displaystyle {\mathbb{G}}_1}$ and${\displaystyle {\mathbb{G}}_2}$ respectively. As part of the parameter setup, we assume that${\displaystyle G\cdot t^i}$ and${\displaystyle H\cdot t^i}$ are known and shared values for arbitrarily many positive integer values of${\displaystyle i}$, while the trapdoor value${\displaystyle t}$ itself is discarded and known to no one.

A KZG commitment reformulates the vector of values to be committed as a polynomial. First, we calculate a polynomial such that${\displaystyle p(i)=x_i}$ for all values of${\displaystyle x_i}$ in our vector.Lagrange interpolation allows us to compute that polynomial

Under this formulation, the polynomial now encodes the vector, where${\displaystyle p(0)=x_0,p(1)=x_1,...}$. Let${\displaystyle p_0,p_1,...,p_{n-1}}$ be the coefficients of${\displaystyle p}$, such that$p(x)=\sum _{i=0}^{n-1}{p}_i{x}^i$. The commitment is calculated as

${\displaystyle C=\sum _{i=0}^{n-1}{p}_{i}G{t}^i}$

This is computed simply as adot product between the predetermined values${\displaystyle G\cdot t^i}$ and the polynomial coefficients${\displaystyle p_i}$. Since${\displaystyle {\mathbb{G}}_1}$ is an additive group with associativity and commutativity,${\displaystyle C}$ is equal to simply${\displaystyle G\cdot p(t)}$, since all the additions and multiplications with${\displaystyle G}$ can be distributed out of the evaluation. Since the trapdoor value${\displaystyle t}$ is unknown, the commitment${\displaystyle C}$ is essentially the polynomial evaluated at a number known to no one, with the outcome obfuscated into an opaque element of${\displaystyle {\mathbb{G}}_1}$.

A KZG proof must demonstrate that the revealed data is the authentic value of${\displaystyle x_i}$ when${\displaystyle C}$ was computed. Let${\displaystyle y=x_i}$, the revealed value we must prove. Since the vector of${\displaystyle x_i}$ was reformulated into a polynomial, we really need to prove that the polynomial${\displaystyle p}$, when evaluated at${\displaystyle i}$, takes on the value${\displaystyle y}$. Simply, we just need to prove that${\displaystyle p(i)=y}$. We will do this by demonstrating that subtracting${\displaystyle y}$ from${\displaystyle p}$ yields a root at${\displaystyle i}$. Define the polynomial${\displaystyle q}$ as

${\displaystyle q(x)=\frac{p(x)-y}{x-i}}$

This polynomial is itself the proof that${\displaystyle p(i)=y}$, because if${\displaystyle q}$ exists, then${\displaystyle p(x)-y}$ is divisible by${\displaystyle x-i}$, meaning it has a root at${\displaystyle i}$, so${\displaystyle p(i)-y=0}$ (or, in other words,${\displaystyle p(i)=y}$). The KZG proof will demonstrate that${\displaystyle q}$ exists and has this property.

The prover computes${\displaystyle q}$ through the above polynomial division, then calculates the KZG proof value${\displaystyle \pi }$

${\displaystyle \pi =\sum _{i=0}^{n-1}{q}_{i}G{t}^i}$

This is equal to${\displaystyle G\cdot q(t)}$, as above. In other words, the proof value is the polynomial${\displaystyle q}$ again evaluated at the trapdoor value${\displaystyle t}$, hidden in the generator${\displaystyle G}$ of${\displaystyle {\mathbb{G}}_1}$.

This computation is only possible if the above polynomials were evenly divisible, because in that case the quotient${\displaystyle q}$ is a polynomial, not arational function. Due to the construction of the trapdoor, it is not possible to evaluate a rational function at the trapdoor value, only to evaluate a polynomial using linear combinations of the precomputed known constants of${\displaystyle G\cdot t^i}$. This is why it is impossible to create a proof for an incorrect value of${\displaystyle x_i}$.

To verify the proof, the bilinear map of thepairing is used to show that the proof value${\displaystyle \pi }$ summarizes a real polynomial${\displaystyle q}$ that demonstrates the desired property, which is that${\displaystyle p(x)-y}$ was evenly divided by${\displaystyle x-i}$. The verification computation checks the equality

${\displaystyle e(\pi ,H\cdot t-H\cdot i)\stackrel{?}{=}e(C-G\cdot y,H)}$

where${\displaystyle e}$ is the bilinear map function as above.${\displaystyle H\cdot t}$ is a precomputed constant,${\displaystyle H\cdot i}$ is computed based on${\displaystyle i}$.

By rewriting the computation in the pairing group${\displaystyle {\mathbb{G}}_T}$, substituting in${\displaystyle \pi =q(t)\cdot G}$ and${\displaystyle C=p(t)\cdot G}$, and letting${\displaystyle \tau (x)=e(G,H{)}^x}$ be a helper function for lifting into the pairing group, the proof verification is more clear.

${\displaystyle e(\pi ,H\cdot t-H\cdot i)=e(C-G\cdot y,H)}$

${\displaystyle e(G\cdot q(t),H\cdot t-H\cdot i)=e(G\cdot p(t)-G\cdot y,H)}$

${\displaystyle e(G\cdot q(t),H\cdot (t-i))=e(G\cdot (p(t)-y),H)}$

${\displaystyle e(G,H{)}^{q(t)\cdot (t-i)}=e(G,H{)}^{p(t)-y}}$

${\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}$

Assuming that the bilinear map is validly constructed, this demonstrates that${\displaystyle q(x)(x-i)=p(x)-y}$, without the validator knowing what${\displaystyle p}$ or${\displaystyle q}$ are. The validator can be assured of this because if${\displaystyle \tau (q(t)\cdot (t-i))=\tau (p(t)-y)}$, then the polynomials evaluate to the same output at the trapdoor value${\displaystyle x=t}$. This demonstrates the polynomials are identical, because, if the parameters were validly constructed, the trapdoor value is known to no one, meaning that engineering a polynomial to have a specific value at the trapdoor is impossible (according to theSchwartz–Zippel lemma). If${\displaystyle q(x)(x-i)=p(x)-y}$ is now verified to be true, then${\displaystyle q}$ is verified to exist, therefore${\displaystyle p(x)-y}$ must be polynomial-divisible by${\displaystyle (x-i)}$, so${\displaystyle p(i)-y=0}$ due to thefactor theorem. This proves that the${\displaystyle i}$th value of the committed vector must have equaled${\displaystyle y}$, since that is the output of evaluating the committed polynomial at${\displaystyle i}$.

Additionally, a KZG commitment can be extended to prove the values of any arbitrary${\displaystyle k}$ values of${\displaystyle X}$ (not just one value), with the proof size remaining${\displaystyle O(1)}$, but the proof verification time scales with${\displaystyle O(k)}$. The proof is the same, but instead of subtracting a constant${\displaystyle y}$, we subtract a polynomial that causes multiple roots, at all the locations we want to prove, and instead of dividing by${\displaystyle x-i}$ we divide by$\prod _{i}x-i$ for those same locations.^[26]

It is an interesting question inquantum cryptography ifunconditionally secure bit commitment protocols exist on the quantum level, that is, protocols which are (at least asymptotically) binding and concealing even if there are no restrictions on the computational resources. One could hope that there might be a way to exploit the intrinsic properties ofquantum mechanics, as in the protocols forunconditionally secure key distribution.

However, this is impossible, as Dominic Mayers showed in 1996(see this citation:^[27] for the original proof). Any such protocol can be reduced to a protocol where the system is in one of two pure states after the commitment phase, depending on the bit Alice wants to commit. If the protocol is unconditionally concealing, then Alice can unitarily transform these states into each other using the properties of theSchmidt decomposition, effectively defeating the binding property.

One subtle assumption of the proof is that the commit phase must be finished at some point in time. This leaves room for protocols that require a continuing information flow until the bit is unveiled or the protocol is cancelled, in which case it is not binding anymore.^[28] More generally, Mayers' proof applies only to protocols that exploitquantum physics but notspecial relativity. Kent has shown that there exist unconditionally secure protocols for bit commitment that exploit the principle ofspecial relativity stating that information cannot travel faster than light.^[29]

Physical unclonable functions (PUFs) rely on the use of a physical key with internal randomness, which is hard to clone or to emulate. Electronic, optical and other types of PUFs^[30] have been discussed extensively in the literature, in connection with their potential cryptographic applications including commitment schemes.^[31][32]

• Oblivious transfer
• Accumulator (cryptography)
• Key signing party
• Web of trust
• Zerocoin
• Anagrams — used by 17th-century natural philosophers to establish priority of a discovery without revealing it to others

• Quantum bit commitment on arxiv.org
• Kate-Zaverucha-Goldberg (KZG) Constant-Sized Polynomial Commitments - Alin Tomescu
• Kate polynomial commitments

• Public-key cryptography
• Zero-knowledge protocols
• Secret sharing
• Cryptographic primitives

• CS1: long volume value
• Articles with short description
• Short description is different from Wikidata
• Articles needing additional references from October 2014
• All articles needing additional references
• Pages with broken anchors