Skip to main content

Module commitment

metamorphic_log

Module commitment 

Source
Expand description

Layer-3b: SHA3-512 hash-based commitments binding an index to a value.

A CONIKS directory does not store a raw (identity, value) pair at a tree position — it stores a commitment to the value. The commitment is binding (the directory cannot later open it to a different value) and hiding (the committed bytes reveal nothing about the value without the opening). A lookup proof reveals the value and its opening so the recipient can check the commitment binds to exactly that value.

This is the post-quantum half of the privacy layer: the binding property rests on SHA3-512 collision resistance (NIST Category 5), independent of the classical VRF. Even if the index-privacy VRF were broken, commitments would still bind.

§Construction (stable wire format — reproduce exactly for parity)

opening    = 32 random bytes (the per-commitment blinding nonce)
commitment = SHA3-512_with_context(context, opening (32) || value)

The fixed-length 32-byte opening sits first, so the (opening, value) boundary is unambiguous without a length prefix, and the metamorphic_crypto::hash::sha3_512_with_context framing binds the commitment to a versioned context label (CONIKS passes a per-namespace label, so commitments never collide or cross-verify between namespaces).

Hiding holds because the 32-byte opening is high-entropy and secret until revealed; binding holds because finding two (opening, value) pairs with the same SHA3-512 digest is infeasible.

Structs§

Commitment
A hiding, binding commitment to a value (a 64-byte SHA3-512 digest).
Opening
The opening (blinding nonce) for a Commitment. Revealing it, together with the value, lets anyone re-derive and check the commitment.

Constants§

COMMITMENT_LEN
Length of a commitment digest, in bytes (a SHA3-512 output).
COMMITMENT_OPENING_LEN
Length of a commitment opening (blinding nonce), in bytes.

Functions§

commit
Create a fresh commitment to value, sampling a random 32-byte opening from the OS CSPRNG. Returns (commitment, opening); keep the opening to reveal in a lookup proof.
commit_with_opening
Derive a commitment from a value and an explicit opening (deterministic).
verify_commitment
Check that commitment opens to value under opening and context.