Glossary · Cryptography Layer

Commitment Scheme

コミットメント

Lock in a value (commit) so it can be revealed later (reveal). Binding (no tampering after commit) plus hiding (no leakage before reveal) make this the substrate of staged disclosure.

Definition

Classical commitment schemes fall into three families: (1) hash-based — H(m, r) over the value m and a random salt r; (2) Pedersen — group-theoretic g^m · h^r; (3) Kate/KZG — polynomial commitments.

In ZK systems, you commit to values, hand the verifier the commitments, and use a zero-knowledge proof to open only the slices you need. Commitments are the input-privacy backbone of ZK.

Binding resists post-hoc tampering, hiding blocks pre-disclosure leakage. Together they enable lock-in-now, reveal-on-demand workflows.

Lemma implementation

Lemma's attribute, model, and provenance commitments use Pedersen or KZG families. To enable per-attribute disclosure, attributes are bound through a vector or polynomial commitment that lets each attribute open independently.

Selective disclosure rides on top of commitment openings; the provenance chain is realized as a commitment chain.

Poseidon-based commitments keep in-circuit disclosure cost minimal.

Related terms
Zero-Knowledge Proof — ZKP
The proof primitive that opens commitments cleanly.
Selective Disclosure
Operationally, attribute-level commitment openings.
docHash — document content digest
The document identifier a commitment binds to.
Poseidon Hash
ZK-circuit-friendly commitment implementation.
Get started

Pin the value before you reveal it.

Book a Discovery Call → Download whitepaper