Commitment procedure

A commitment procedure is a cryptographic two-party protocol that enables one party to commit to a value to the other party without revealing anything about this value. This value can then be revealed later. A commitment procedure can be compared to putting a slip of paper with the value in a locked box and giving the box to the recipient. Without the key, the recipient cannot find out anything about the value on the slip. The sender can no longer change the value because the box is no longer in his possession. To uncover, the sender sends the recipient the key to the box. Commitment procedures are important primitives that are used, for example, in secure multi-party calculations or zero-knowledge protocols .

A classic application for a commitment is tossing a coin over the phone. Alice and Bob want to toss a coin, but because the two of them cannot see each other over the phone and do not want to trust each other, the usual protocol "one says, the other tosses" does not work. One possible solution would be for Alice to communicate her choice to a trusted third party who, after Bob reports the result, determines the winner. With a bit commitment, the problem can be solved without a third party by Alice sending a commitment to Bob on her election. Bob cannot learn anything about Alice's choice from the commitment, but Alice is now fixed and cannot change her choice afterwards. Now Bob flips the coin and tells Alice the result, whereupon Alice opens the commitment. So they both know the winner. A realization is possible , for example, using cryptographic hash functions .

description

A commitment process consists of two phases. In the first, the commitment is generated with which Alice commits herself to a value. In the second phase, the commitment is revealed. In order for the procedure to be correct, it is required that the original value must be restored after the commitment has been revealed (viability) .

Commit phase

Alice generates a commitment and additional information for the value she wants to commit to, which allows it to be revealed. Often this additional information is the coincidence that was used to generate the commitment. She sends the commitment to Bob and is now set to the value, while Bob learns nothing about it from the commitment.

Reveal phase

Alice now sends her value and the additional information to Bob. Bob can now understand that the commitment actually belongs to the value.

Security features

Binding

It must not be possible to subsequently uncover a commitment for another value.

Hiding

The commitment must not allow any conclusions to be drawn about the value on which the party has committed itself.

Individual evidence

^ Gilles Brassard, David Chaum, and Claude Crépeau: Minimum Disclosure Proofs of Knowledge . In: Journal of Computer and System Sciences . tape 37 , 1988, pp. 156-189 ( mcgill.ca [PDF]).
↑ Manuel Blum: Coin Flipping by Telephone . In: Proceedings of CRYPTO . 1981, p. 11–15 ( cmu.edu [PDF]).

[1] Gilles Brassard, David Chaum, and Claude Crépeau: Minimum Disclosure Proofs of Knowledge . In: Journal of Computer and System Sciences . tape 37 , 1988, pp. 156-189 ( mcgill.ca [PDF]).

[2] Manuel Blum: Coin Flipping by Telephone . In: Proceedings of CRYPTO . 1981, p. 11–15 ( cmu.edu [PDF]).