# Commitments

## Syntax

:::{note} Definition: Commitment Scheme
:label: def-commitment-scheme

A *commitment scheme* $\mathsf{Com}$ is a pair of polynomial-time algorithms $(\mathsf{Setup}, \mathsf{Commit})$ where:

- $\mathsf{Setup}(1^\lambda) \rightarrow \mathit{pp}$ is a probabilistic algorithm that takes the security parameter as input and outputs public parameters $\mathit{pp}$ including the message space $\mathcal{M}$ and the randomness space $\mathcal{R}$.[^1]

- $\mathsf{Commit}(\mathit{pp}, m, r) \rightarrow C$ is a deterministic algorithm that takes public parameters $\mathit{pp}$, a message $m \in \mathcal{M}$, and randomness $r \in \mathcal{R}$ as input and outputs a commitment $C$.[^2]

[^1]: The security parameter $1^\lambda$ is often left implicit in algorithm inputs to simplify notation, e.g., writing $\mathsf{Setup}()$ instead of $\mathsf{Setup}(1^\lambda)$.

[^2]: Public parameters $\mathit{pp}$ are often left implicit in algorithm inputs to simplify notation, e.g., writing $\mathsf{Commit}(m, r)$ instead of $\mathsf{Commit}(\mathit{pp}, m, r)$.
:::

:::{tip} Example
:label: sec-toy-com

An example is the toy commitment scheme:

- $\mathsf{Setup}(1^\lambda) := (\mathcal{M} := \{0, 1\}^*, \mathcal{R} := \{0\})$
- $\mathsf{Commit}(\mathit{pp}, m, r) := m$
:::

## Security

:::{note} Game: Binding
:label: fig-break-com-bind

$$
\begin{array}{l}
\underline{\text{Game } \mathsf{ComBind}_{\mathsf{Com}}}:\\
\quad \mathit{pp} \leftarrow_R \mathsf{Setup}(1^\lambda) \\
\quad (m_0, m_1, r_0, r_1) \leftarrow \mathcal{A}(\mathit{pp}) \\
\quad C_0 \leftarrow \mathsf{Commit}(\mathit{pp}, m_0, r_0) \\
\quad C_1 \leftarrow \mathsf{Commit}(\mathit{pp}, m_1, r_1) \\
\quad \text{return } (C_0 = C_1) \wedge (m_0 \neq m_1)
\end{array}
$$
:::

:::{note} Definition: Binding
:label: def-binding

A commitment scheme $\mathsf{Com}$ is binding if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}^{\mathsf{Bind}}_{\mathcal{A}, \mathsf{Com}} := \Pr[\mathsf{ComBind}_{\mathsf{Com}} = 1] = \mathrm{negl}.
$$

If $\mathsf{Adv}^{\mathsf{Bind}}_{\mathcal{A}, \mathsf{Com}} = 0$ for every adversary $\mathcal{A}$ (including computationally unbounded ones), then the commitment scheme is said to be *perfectly binding*.
:::

:::{note} Game: Hiding
:label: fig-break-com-hid

$$
\begin{array}{l}
\underline{\text{Game } \mathsf{ComHide}_{\mathsf{Com}}}:\\
\quad \mathit{pp} \leftarrow_R \mathsf{Setup}(1^\lambda) \\
\quad (m_0, m_1) \leftarrow \mathcal{A}(\mathit{pp}) \\
\quad r \leftarrow_R \mathit{pp}.\mathcal{R} \\
\quad b \leftarrow_R \{0, 1\} \\
\quad C \leftarrow \mathsf{Commit}(\mathit{pp}, m_b, r) \\
\quad b' \leftarrow \mathcal{A}(\mathit{pp}, C) \\
\quad \text{return } (b = b')
\end{array}
$$
:::

:::{note} Definition: Hiding
:label: def-hiding

A commitment scheme $\mathsf{Com}$ is hiding if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}^{\mathsf{Hide}}_{\mathcal{A}, \mathsf{Com}} := \left|\Pr[\mathsf{ComHide}_{\mathsf{Com}} = 1] - \frac{1}{2}\right| = \mathrm{negl}.
$$

If $\mathsf{Adv}^{\mathsf{Hide}}_{\mathcal{A}, \mathsf{Com}} = 0$ for every adversary $\mathcal{A}$ (including computationally unbounded ones), then the commitment scheme is said to be *perfectly hiding*.
:::

Note that in $\mathsf{ComHide}_{\mathsf{Com}}$ the adversary $\mathcal{A}$ is run twice with different arguments, first to output two messages and then to output a bit. $\mathcal{A}$ is understood to be stateful, so the second invocation may use whatever the first one chose (in particular $m_0$ and $m_1$).

## Exercises

:::{exercise}
:label: ex-toy-com-binding

Is the toy commitment scheme in [](#sec-toy-com) binding? Prove it.
:::

:::{dropdown} **Solution**

Yes, the toy commitment scheme is perfectly binding.

Proof by contradiction: Suppose some adversary $\mathcal{A}$ wins the binding game, i.e., $\mathsf{ComBind}_{\mathsf{Com}} = 1$.
This means:

- $C_0 = C_1$ (the commitments are equal)
- $m_0 \neq m_1$ (the messages are different)

However, by the definition of the toy commitment scheme:

- $C_0 = \mathsf{Commit}(\mathit{pp}, m_0, r_0) = m_0$
- $C_1 = \mathsf{Commit}(\mathit{pp}, m_1, r_1) = m_1$

Therefore, $C_0 = C_1$ implies $m_0 = m_1$, which contradicts $m_0 \neq m_1$.

Since no adversary can win the binding game, we have $\mathsf{Adv}^{\mathsf{Bind}}_{\mathcal{A}, \mathsf{Com}} = 0$ for all adversaries $\mathcal{A}$.
The toy commitment scheme is therefore perfectly binding.
:::

:::{exercise}
:label: ex-strong-binding

A commitment scheme is *strongly binding* if it binds to *both* the message and randomness.
Formally define the strong binding game $\mathsf{ComStrongBind}_{\mathsf{Com}}$ by modifying $\mathsf{ComBind}_{\mathsf{Com}}$.
:::

:::{dropdown} **Solution**

The strong binding game $\mathsf{ComStrongBind}_{\mathsf{Com}}$ is defined as follows:

$$
\begin{array}{l}
\underline{\text{Game } \mathsf{ComStrongBind}_{\mathsf{Com}}}:\\
\quad \mathit{pp} \leftarrow_R \mathsf{Setup}(1^\lambda) \\
\quad (m_0, m_1, r_0, r_1) \leftarrow \mathcal{A}(\mathit{pp}) \\
\quad C_0 \leftarrow \mathsf{Commit}(\mathit{pp}, m_0, r_0) \\
\quad C_1 \leftarrow \mathsf{Commit}(\mathit{pp}, m_1, r_1) \\
\quad \text{return } (C_0 = C_1) \wedge ((m_0 \neq m_1) \vee (r_0 \neq r_1))
\end{array}
$$

The key difference from the regular binding game is in the return condition:

- Regular binding: $(C_0 = C_1) \wedge (m_0 \neq m_1)$
- Strong binding: $(C_0 = C_1) \wedge ((m_0 \neq m_1) \vee (r_0 \neq r_1))$

Strong binding requires that no efficient adversary can find two distinct openings $(m_0, r_0) \neq (m_1, r_1)$ of the same commitment, whether they differ in the message, in the randomness, or in both. Since the winning condition of $\mathsf{ComStrongBind}_{\mathsf{Com}}$ is implied by that of $\mathsf{ComBind}_{\mathsf{Com}}$, strong binding implies binding.
:::

:::{exercise}
:label: ex-strong-binding-scenario

Describe a scenario where strong binding is important. (Optional)
:::

:::{dropdown} **Solution**

Strong binding is crucial when the randomness itself has semantic meaning in the protocol.

Consider the Taproot commitment scheme where the randomness space $\mathcal{R}$ is a group $\mathbb{G}$.
For hash function $\mathsf{H}$ and group generator $g$, the commitment is computed as:

$$
\mathsf{Commit}(m, R) = R \cdot g^{\mathsf{H.Eval}(\kappa, (R, m))}
$$

In this scheme, $m$ represents the root of a Merkle tree containing Tapscripts, and $R$ serves as an internal key.
Assume that the Tapscript language includes an opcode OP_INTERNALKEY that pushes $R$ onto the execution stack.

Without strong binding, an adversary could potentially find an alternative opening $(R', m)$ where $R' \neq R$ but still produces the same commitment $C$.
This would allow the adversary to execute scripts with OP_INTERNALKEY pushing their chosen $R'$ onto the stack instead of the original $R$.

Strong binding rules out this attack: no efficient adversary can find a second opening $(R', m')$ of $C$ with $(R', m') \neq (R, m)$, so the internal key cannot be swapped while the commitment $C$ stays fixed. Plain binding would only guarantee this for the Merkle root $m$, not for $R$.
:::

:::{exercise}
:label: ex-hash-commitment

Design a hash-based commitment scheme $\mathsf{HashCom}[\mathsf{H}]$[^3] that is strongly binding when used with a collision-resistant hash function $\mathsf{H}$.
State and prove the security theorem.

Note: We do not yet have the tools to prove that $\mathsf{HashCom}[\mathsf{H}]$ is hiding; we will return to this in later chapters.

[^3]: The notation $\mathsf{Scheme}[\mathsf{Primitive}]$ indicates that the scheme is parameterized by a cryptographic primitive.
:::

:::{dropdown} **Solution**

Define the hash commitment scheme $\mathsf{HashCom}[\mathsf{H}]$ as follows:

- $\mathsf{Setup}(1^\lambda) := (\mathcal{M} := \{0, 1\}^*, \mathcal{R} := \{0, 1\}^\lambda, \kappa \leftarrow \mathsf{H.Gen}(1^\lambda))$
- $\mathsf{Commit}(\mathit{pp}, m, r) := \mathsf{H.Eval}(\kappa, r \| m)$

**Theorem:** Let $\mathsf{H}$ be a collision-resistant hash function. Then $\mathsf{HashCom}[\mathsf{H}]$ is strongly binding.
More precisely, for any PPT adversary $\mathcal{A}$ against the strong binding property of $\mathsf{HashCom}[\mathsf{H}]$, there exists a PPT adversary $\mathcal{B}$ against the collision resistance of $\mathsf{H}$ such that

$$
\mathsf{Adv}^{\mathsf{StrongBind}}_{\mathcal{A}, \mathsf{HashCom}[\mathsf{H}]} = \mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{B}, \mathsf{H}}.
$$

**Proof:** We prove the contrapositive: if $\mathsf{HashCom}[\mathsf{H}]$ is not strongly binding, then $\mathsf{H}$ is not collision-resistant.

Assume $\mathsf{HashCom}[\mathsf{H}]$ is not strongly binding.
Then there exists a PPT adversary $\mathcal{A}$ that wins $\mathsf{ComStrongBind}_{\mathsf{HashCom}[\mathsf{H}]}$ with non-negligible probability, finding $(m_0, r_0)$ and $(m_1, r_1)$ such that:

- $\mathsf{H.Eval}(\kappa, r_0 \| m_0) = \mathsf{H.Eval}(\kappa, r_1 \| m_1)$
- Either $m_0 \neq m_1$ or $r_0 \neq r_1$

Since every $r \in \mathcal{R} = \{0, 1\}^\lambda$ has the same fixed length, the map $(r, m) \mapsto r \| m$ is injective: the first $\lambda$ bits of $r \| m$ recover $r$ and the remaining bits recover $m$.
Hence if either $m_0 \neq m_1$ or $r_0 \neq r_1$, then $r_0 \| m_0 \neq r_1 \| m_1$.
(This step is where the fixed-length randomness space matters: with $\mathcal{R} = \{0, 1\}^*$ the openings $(r_0, m_0) = (0, 01)$ and $(r_1, m_1) = (00, 1)$ would be distinct yet concatenate to the same string.)
This means $\mathcal{A}$ has found a collision in $\mathsf{H}$: two different inputs that hash to the same output.

We can construct a PPT adversary $\mathcal{B}$ against the collision resistance of $\mathsf{H}$ as follows: on input a hash key $\kappa$, $\mathcal{B}$ forms $\mathit{pp} := (\{0, 1\}^*, \{0, 1\}^\lambda, \kappa)$, runs $\mathcal{A}(\mathit{pp})$ to obtain $(m_0, m_1, r_0, r_1)$, and outputs $(r_0 \| m_0, r_1 \| m_1)$.
Since $\kappa$ is distributed exactly as in $\mathsf{Setup}$, $\mathcal{B}$ wins the collision game precisely when $\mathcal{A}$ wins $\mathsf{ComStrongBind}_{\mathsf{HashCom}[\mathsf{H}]}$, which gives the equality of advantages stated in the theorem.
As $\mathcal{B}$ is PPT (it runs $\mathcal{A}$ once and concatenates), a non-negligible advantage for $\mathcal{A}$ breaks collision resistance.

Therefore, if $\mathsf{H}$ is collision-resistant, then $\mathsf{HashCom}[\mathsf{H}]$ is strongly binding.
Note that strong binding implies regular binding, so this scheme is also binding.
:::
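The following Python program is an added example, not part of these notes: it implements $\mathsf{HashCom}[\mathsf{H}]$ as defined in the solution above, the winning condition of the strong binding game from [](#ex-strong-binding), and the reduction $\mathcal{B}$ from the proof. Two modelling assumptions are not in the text: $\mathsf{H.Eval}(\kappa, x)$ is instantiated as SHA-256 over $\kappa \| x$ with a random 32-byte $\kappa$ standing in for $\mathsf{H.Gen}$, and $\lambda = 256$, so $r$ is exactly 32 bytes. The function `variable_length_break` shows what the injectivity step of the proof protects against: if the check $r \in \mathcal{R}$ is dropped, two distinct openings concatenate to the same string, the scheme fails even plain binding, and $\mathcal{B}$'s output is not a collision in $\mathsf{H}$.

```python
import hashlib
import os

LAMBDA_BYTES = 32  # lambda = 256 bits, so every r in R = {0,1}^lambda is 32 bytes


def h_gen() -> bytes:
    """H.Gen(1^lambda): sample a hash key kappa (assumption: 32 random bytes)."""
    return os.urandom(LAMBDA_BYTES)


def h_eval(kappa: bytes, x: bytes) -> bytes:
    """H.Eval(kappa, x), modelled here as SHA-256 over kappa || x (assumption)."""
    return hashlib.sha256(kappa + x).digest()


def setup() -> dict:
    """Setup(1^lambda): M = {0,1}^*, R = {0,1}^lambda, kappa <- H.Gen(1^lambda)."""
    return {"r_len": LAMBDA_BYTES, "kappa": h_gen()}


def commit(pp: dict, m: bytes, r: bytes) -> bytes:
    """Commit(pp, m, r) := H.Eval(kappa, r || m).

    The length check enforces r in R: with fixed-length r the map
    (r, m) -> r || m is injective, which is exactly what the proof needs.
    """
    if len(r) != pp["r_len"]:
        raise ValueError("randomness must be exactly lambda bits")
    return h_eval(pp["kappa"], r + m)


def verify_opening(pp: dict, C: bytes, m: bytes, r: bytes) -> bool:
    """Receiver's check when the committer later reveals the opening (m, r)."""
    try:
        return commit(pp, m, r) == C
    except ValueError:
        return False


def strong_bind_wins(pp: dict, m0: bytes, r0: bytes, m1: bytes, r1: bytes) -> bool:
    """Return value of ComStrongBind on the adversary's output (m0, m1, r0, r1)."""
    return commit(pp, m0, r0) == commit(pp, m1, r1) and (m0 != m1 or r0 != r1)


def reduction_B(m0: bytes, r0: bytes, m1: bytes, r1: bytes):
    """B from the proof: forward A's two openings as a candidate collision for H."""
    return r0 + m0, r1 + m1


def is_collision(kappa: bytes, x0: bytes, x1: bytes) -> bool:
    """Winning condition of the collision-resistance game for H."""
    return x0 != x1 and h_eval(kappa, x0) == h_eval(kappa, x1)


def variable_length_break() -> dict:
    """What goes wrong if the length check is dropped (R = {0,1}^*).

    The openings (m0, r0) = (0x0001, 0x00) and (m1, r1) = (0x01, 0x0000) are
    distinct, yet r0 || m0 == r1 || m1, so both commit to the same value and
    the unchecked scheme fails even plain binding. B's output is then NOT a
    collision in H (both inputs are the same string), which is why the proof's
    injectivity step needs fixed-length randomness.
    """
    kappa = h_gen()
    m0, r0 = b"\x00\x01", b"\x00"
    m1, r1 = b"\x01", b"\x00\x00"
    C0 = h_eval(kappa, r0 + m0)  # Commit without the r-in-R check
    C1 = h_eval(kappa, r1 + m1)
    x0, x1 = reduction_B(m0, r0, m1, r1)
    return {
        "bind_broken": C0 == C1 and m0 != m1,
        "strong_bind_broken": C0 == C1 and (m0, r0) != (m1, r1),
        "collision_found": is_collision(kappa, x0, x1),
    }


if __name__ == "__main__":
    pp = setup()
    r = os.urandom(pp["r_len"])
    C = commit(pp, b"bid: 42", r)
    assert verify_opening(pp, C, b"bid: 42", r)
    assert not verify_opening(pp, C, b"bid: 43", r)
    print("HashCom opening verified;", variable_length_break())
```

The receiver-side `verify_opening` is the operational meaning of binding: once $C$ has been published, the committer can only successfully open it to the $(m, r)$ it actually used, and rejecting an $r$ of the wrong length is part of the scheme, not an optional input check.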

:::{exercise}
:label: ex-toy-com-hiding

Is the toy commitment scheme in [](#sec-toy-com) hiding? Prove it.
:::

:::{dropdown} **Solution**

No, the toy commitment scheme is not hiding.

We construct a PPT adversary $\mathcal{A}$ that wins the hiding game with probability 1:

1. $\mathcal{A}$ receives $\mathit{pp}$ from the setup.
2. $\mathcal{A}$ outputs two distinct messages: $m_0 = 0$ and $m_1 = 1$.
3. The game samples $b \leftarrow_R \{0, 1\}$ and computes $C = \mathsf{Commit}(\mathit{pp}, m_b, r) = m_b$.
4. $\mathcal{A}$ receives $C$ and outputs $b' = C$.
5. Since $C = m_b = b$ (because $m_0 = 0$ and $m_1 = 1$), we have $b' = b$.

Therefore, $\Pr[\mathsf{ComHide}_{\mathsf{Com}} = 1] = 1$, and

$$
\mathsf{Adv}^{\mathsf{Hide}}_{\mathcal{A}, \mathsf{Com}} = \left|1 - \frac{1}{2}\right| = \frac{1}{2}
$$

which is not negligible.

Intuitively, the toy commitment scheme completely reveals the message, providing no hiding at all.
:::

:::{exercise}
:label: ex-hashcom-prime-hiding

Let $\mathsf{H}$ be a collision-resistant hash function and define the commitment scheme $\mathsf{HashCom'}[\mathsf{H}]$ as:

- $\mathsf{Setup}(1^\lambda) := (\mathcal{M} := \{0, 1\}, \mathcal{R} := \{0\}, \kappa \leftarrow \mathsf{H.Gen}(1^\lambda))$
- $\mathsf{Commit}(\mathit{pp}, m, r) := \mathsf{H.Eval}(\kappa, m)$

Note that $\mathsf{HashCom'}[\mathsf{H}]$ is binding. Is it hiding? Prove it.
:::

:::{dropdown} **Solution**

No, $\mathsf{HashCom'}[\mathsf{H}]$ is not hiding.
The issue is that there's no randomness in the commitment.

We construct a PPT adversary $\mathcal{A}$ that wins the hiding game with high probability:

1. $\mathcal{A}$ receives $\mathit{pp}$ containing $\kappa$.
2. $\mathcal{A}$ outputs $m_0 = 0$ and $m_1 = 1$.
3. The game samples $b \leftarrow_R \{0, 1\}$ and computes $C = \mathsf{H.Eval}(\kappa, m_b)$.
4. $\mathcal{A}$ receives $C$ and computes:
   - $h_0 = \mathsf{H.Eval}(\kappa, 0)$
   - $h_1 = \mathsf{H.Eval}(\kappa, 1)$
5. If $C = h_0$, output $b' = 0$; if $C = h_1$, output $b' = 1$.

Collision resistance of $\mathsf{H}$ implies that $\mathsf{H.Eval}(\kappa, 0) \neq \mathsf{H.Eval}(\kappa, 1)$ with overwhelming probability over the choice of $\kappa$: otherwise the trivial adversary that ignores $\kappa$ and outputs the pair $(0, 1)$ would find a collision with non-negligible probability.
Therefore, $\mathcal{A}$ recovers $b$ with overwhelming probability, so $\mathsf{Adv}^{\mathsf{Hide}}_{\mathcal{A}, \mathsf{HashCom'}[\mathsf{H}]}$ is negligibly close to $\frac{1}{2}$ and the scheme is not hiding.
The same table-lookup attack applies to any scheme with trivial randomness and a polynomial-size message space, since the adversary can simply tabulate the commitments of all candidate messages.
:::
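The following Python program is an added example, not part of these notes: it runs $\mathsf{ComHide}_{\mathsf{Com}}$ as an experiment against the three schemes discussed in [](#ex-toy-com-hiding) and [](#ex-hashcom-prime-hiding), namely the toy scheme, $\mathsf{HashCom'}[\mathsf{H}]$ and $\mathsf{HashCom}[\mathsf{H}]$, using the table-lookup adversary from the solution above. Assumptions not in the text: $\mathsf{H.Eval}(\kappa, x)$ is instantiated as SHA-256 over $\kappa \| x$ with a fixed constructed 32-byte $\kappa$ in place of $\mathsf{H.Gen}$, and the adversary falls back to a coin flip when its table lookup fails, which is what happens against $\mathsf{HashCom}[\mathsf{H}]$ because it cannot guess 256 uniform bits of $r$.

```python
import hashlib
import random

KAPPA = bytes(range(32))  # constructed key standing in for the output of H.Gen
LAMBDA_BYTES = 32         # lambda = 256 bits


def h_eval(kappa: bytes, x: bytes) -> bytes:
    """H.Eval(kappa, x), modelled here as SHA-256 over kappa || x (assumption)."""
    return hashlib.sha256(kappa + x).digest()


# Each scheme is (r_len, Commit). r is a byte string of exactly r_len bytes;
# r_len == 0 models the trivial randomness space R = {0} of the toy scheme
# and of HashCom'.
def commit_toy(m: bytes, r: bytes) -> bytes:
    return m                     # Commit(pp, m, r) := m


def commit_hashcom_prime(m: bytes, r: bytes) -> bytes:
    return h_eval(KAPPA, m)      # Commit(pp, m, r) := H.Eval(kappa, m)


def commit_hashcom(m: bytes, r: bytes) -> bytes:
    return h_eval(KAPPA, r + m)  # Commit(pp, m, r) := H.Eval(kappa, r || m)


SCHEMES = {
    "toy": (0, commit_toy),
    "HashCom'": (0, commit_hashcom_prime),
    "HashCom": (LAMBDA_BYTES, commit_hashcom),
}


class TableAdversary:
    """The adversary from the HashCom' solution: commit to both candidate
    messages with the only randomness value it can guess and compare.

    It is stateful: m0 and m1 chosen in the first invocation are reused in
    the second. When the lookup fails (as against HashCom, where r is 256
    uniform bits) it falls back to a coin flip (assumption, for the experiment).
    """

    def __init__(self, scheme: str, rng: random.Random):
        self.r_len, self.commit = SCHEMES[scheme]
        self.rng = rng

    def choose(self):
        """First invocation: A(pp) -> (m0, m1)."""
        self.m0, self.m1 = b"\x00", b"\x01"
        return self.m0, self.m1

    def guess(self, C: bytes) -> int:
        """Second invocation: A(pp, C) -> b'."""
        r_guess = bytes(self.r_len)  # all-zero string; the only r when R = {0}
        if C == self.commit(self.m0, r_guess):
            return 0
        if C == self.commit(self.m1, r_guess):
            return 1
        return self.rng.getrandbits(1)


def com_hide_game(scheme: str, adversary: TableAdversary, rng: random.Random) -> bool:
    """One run of ComHide_Com; returns True iff b' == b."""
    r_len, commit = SCHEMES[scheme]
    m0, m1 = adversary.choose()
    r = bytes(rng.getrandbits(8) for _ in range(r_len))  # r <-R R
    b = rng.getrandbits(1)                                # b <-R {0, 1}
    C = commit((m0, m1)[b], r)
    return adversary.guess(C) == b


def hiding_advantage(scheme: str, trials: int = 2000, seed: int = 1) -> float:
    """Empirical |Pr[ComHide_Com = 1] - 1/2| for TableAdversary over `trials` runs."""
    game_rng = random.Random(seed)
    adversary = TableAdversary(scheme, random.Random(seed + 1))
    wins = sum(com_hide_game(scheme, adversary, game_rng) for _ in range(trials))
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    for name in SCHEMES:
        print(f"{name:9s} empirical hiding advantage: {hiding_advantage(name):.3f}")
```

Against the toy scheme and $\mathsf{HashCom'}[\mathsf{H}]$ the adversary wins every run, so the measured advantage is exactly $\frac{1}{2}$, the maximum possible; against $\mathsf{HashCom}[\mathsf{H}]$ the lookup never matches and the measured advantage stays near $0$. The experiment only shows that this particular adversary fails, which is consistent with the remark in [](#ex-hash-commitment) that proving $\mathsf{HashCom}[\mathsf{H}]$ hiding needs tools introduced later.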
