The everyday analogy is a sealed envelope. You write a value on a piece of paper, seal it in an envelope, and hand the envelope to someone else. They cannot read what is inside, so your value stays secret. But you also cannot swap the paper for a different one, because the envelope is in their possession. Later, you open it, and everyone can confirm what you committed to from the start.
A commitment scheme is the cryptographic version of that envelope, and it has two distinct phases. In the commit phase, you produce a commitment to your value and publish it. In the reveal phase, sometimes called opening, you disclose the original value plus any secret data needed to verify it. Anyone can then check that the revealed value matches the commitment you published earlier.
The Two Properties That Make It Work
A commitment scheme is only useful if it satisfies two properties at once, and they pull in opposite directions.
Hiding means the commitment reveals nothing about the value inside it. Looking at the published commitment, no one can figure out what you committed to. This is the sealed part of the envelope.
Binding means that once you have published a commitment, you cannot later open it to a different value than the one you committed to. You are bound to your original choice. This is the part that stops you swapping the paper.
Hiding without binding lets you cheat by changing your answer after seeing how things played out. Binding without hiding leaks your secret immediately, defeating the point of committing privately. A scheme worth using delivers both.
The Simplest Version: Hash-Based Commitments
The most accessible construction uses a cryptographic hash function. To commit to a value, you compute the hash of the value concatenated with a random number, often called a nonce or blinding factor. You publish that hash as your commitment. To reveal, you disclose both the original value and the random number, and anyone can recompute the hash and confirm it matches.
The properties come from the hash function. Binding holds because a good hash function is collision-resistant: you cannot find two different inputs that produce the same hash, so you cannot find a second value that opens to the same commitment. Hiding holds because the hash output looks random and the secret nonce prevents an attacker from simply hashing every candidate value to find a match.
That nonce is essential and a common point of failure. If you commit to a value from a small set, say a yes or no vote, and you omit the random blinding factor, an attacker can hash both possibilities and compare. The commitment would reveal your answer immediately, breaking hiding. The randomness is what makes the commitment opaque even when the space of possible values is tiny.
The Algebraic Version: Pedersen Commitments
For applications that need to do math on committed values, hash commitments are too rigid. The Pedersen commitment, built on the hardness of the discrete logarithm problem, is the workhorse here. It commits to a value using two public generators in a mathematical group, combining the value and a random blinding factor into a single group element.
Pedersen commitments have two features that make them valuable. First, they are perfectly hiding: even an adversary with unlimited computing power learns nothing about the committed value, because the blinding factor could map any value to that commitment. Their binding, by contrast, is computational, resting on the discrete-log assumption. Second, they are additively homomorphic: the commitment to a sum equals the combination of the individual commitments. You can prove that committed numbers add up correctly without ever opening them, which is why Pedersen commitments appear in confidential transaction systems that hide amounts while still proving the books balance.
There is a fundamental limit worth knowing: no commitment scheme can be both perfectly hiding and perfectly binding at the same time. One of the two is always computational, resting on a problem assumed to be hard. Hash commitments lean toward strong binding; Pedersen commitments lean toward perfect hiding. You choose based on which guarantee your application needs to be unconditional.
Where Commitments Show Up
Once you recognize the pattern, you see it across cryptography.
| Use case | What the commitment provides |
|---|---|
| Coin flipping over a distance | One party commits to a choice before the other calls it, so neither can cheat the outcome |
| Sealed-bid auctions | Bidders commit to amounts, then reveal together, so no one can adjust a bid after seeing others |
| Electronic voting | Voters commit to ballots that stay secret until tallying, while binding prevents later alteration |
| Zero-knowledge proofs | The prover commits to intermediate values, a building block of many proof protocols |
| Confidential transactions | Homomorphic commitments hide amounts while proving inputs equal outputs |
The coin-flip example is the classic teaching case, traced to a problem posed by Manuel Blum: how do two people who do not trust each other flip a fair coin over the telephone? One commits to heads or tails, the other calls it aloud, then the first reveals. Binding stops the committer from claiming whichever result wins, and hiding stops the caller from knowing the answer before calling. The whole fairness of the protocol rests on the commitment.
The Idea Beneath the Mechanism
What makes commitments elegant is that they separate two things we usually assume happen together: deciding on a value and disclosing it. Normally, to prove what you chose, you have to show it. A commitment lets you prove you have chosen, lock that choice irrevocably, and disclose it only when the time is right.
This separation is foundational. Many advanced protocols, including the proof systems that let one party convince another that a statement is true while revealing nothing else, are built from commitments at their core. They are also conceptually close to other primitives in the same family. A secret sharing scheme splits a value so it can be reconstructed only with enough pieces; a commitment seals a value so it can be revealed only by its owner at the right moment. Both are about controlling exactly when and how information becomes available.
You will rarely interact with a commitment scheme directly. But the next time a system claims it can verify your input was not tampered with, or prove a property of data it cannot read, a commitment is very likely doing the quiet work underneath. It is one of the small, sharp ideas that lets cryptography make guarantees about information without exposing the information itself.