Commit and Reveal: Adapting an Old Scheme for New Tricks

What happens on the blockchain stays on the blockchain.

PolySwarm is the first decentralized threat detection marketplace. By leveraging PolySwarm, antivirus companies and enterprises can dramatically expand and improve their protection coverage against new threats. PolySwarm makes this possible by providing a single access point to a global network of experts that compete to detect the latest threats.

At its core, PolySwarm is a prediction market design enabled by Ethereum smart contracts.

Healthy prediction markets must protect predictions among competitors — and PolySwarm is no exception.

In PolySwarm, Experts predict whether an artifact (file, URL, network traffic, etc.) is malicious or benign. It’s critical that this prediction is kept secret until the end of the prediction period, lest dishonest Experts copy the predictions of honest efforts, reaping reward without putting in the work.

The trouble is that without additional work, there are no secrets in blockchain.

To overcome this challenge, PolySwarm looks to an old cryptographic primitive: the commit-reveal scheme, otherwise simply referred to as a commitment scheme. In this article, we’ll explain the basics of commit-reveal and the important role it plays in PolySwarm technology.

What is a Commit-Reveal Scheme?

Commitment schemes provide an abundance of useful applications in the field of cryptography. In its simplest form, commitment schemes consist of two phases:

The commit phase, where a value is chosen and specified. The reveal phase, where the chosen value is revealed and verified.

Virtual Rock-Paper-Scissors

Figure A: An early Japanese variant of Rock-Paper-Scissors.

Alice and Bob live in separate countries and occasionally email back and forth. They want to play a game of rock-paper-scissors, but are unsure how to play it fairly.

Alice could begin the game by sending her choice to Bob, but if Bob received Alice’s play before sending his own, he would have an unfair advantage. Rock-paper-scissors isn’t much fun when you know what the opponent will play.

Alternatively, Alice could pick a play and tell Bob she had made her decision. Subsequently, Bob would then reveal his choice and Alice hers. The trouble here is Alice could then lie about what her original decision was and act on the knowledge of Bob’s play, again ruining the fun.

Evidently, there needs to be a way for both parties to commit to a choice without actually revealing it beforehand.

Commit-reveal schemes possess two properties that will enable Alice and Bob to play a fair game of rock-paper-scissors:

Hiding. Alice and Bob’s choices are hidden from one another. Binding. Neither Alice nor Bob can change their choices after the commitment has been made.

So, because Alice and Bob are smart, they use a commitment scheme to determine the winner of the game.

Figure B: Alice commits to a play (scissors) and delivers this commitment to Bob.

Alice puts her choice (scissors) along with a random value, or nonce, through a cryptographic hash. The nonce ensures that the output of the hash (called the digest) is unique (otherwise, scissors would always output the same value, making it trivial to invert the hash function).

Alice sends her digest to Bob, who carries out the same process. It’s computationally infeasible to calculate the input (called the pre-image) of a cryptographic digest, so Alice and Bob’s actual choices are safely concealed from each other despite having each others digest.

Figure C: Alice reveals her rock-paper-scissors play to Bob, Bob verifies against Alice’s commitment.

Once both parties have committed to their choices, they can then reveal their original, pre-hashed choices along with their nonce.

Finally, each party computes the counter-party’s digest, and ensures that it matches what their opponent committed to. Once commitments are verified, the rules of rock-paper-scissors is applied to their plays and a winner chosen!

Besides helping Alice and Bob play a fair game of rock-paper-scissors, commitment schemes have even greater applications in more complex cryptographic protocols.

Online auctions, gambling, contract signing, and secure database lookup mechanisms all take advantage of commitment schemes to ensure information is safely hidden until the time it can be revealed. With the recent advent of public computation environments, like Ethereum smart contracts, the importance of commitment schemes has grown even greater.

Commit-Reveal in PolySwarm

When an enterprise or end user (or Ambassador / MSSP acting on their behalf) submits an Artifact to the PolySwarm marketplace, PolySwarm Experts can choose to weigh in or opt out. If the experts submits a prediction (an “assertion”), they must accompany this assertion with PolySwarm Nectar (NCT). The amount of NCT they stake serves as an analogue for a confidence interval.

All Experts’ stakes are pooled with the rewards placed by each Ambassador on each Artifact. Once a decision is made as to the ground truth on the Artifact, all Experts with the correct prediction split the pot in proportion to how much they staked. The higher the stake, the greater their reward.

Figure D: PolySwarm’s Assertion and Payout mechanisms, coded into smart contracts.

For a more detailed explanation, see how it works.

Figure E: Alice commits to a yes/no (Boolean) answer and delivers this commitment to Bob (or more accurately, the PolySwarm marketplace).

PolySwarm Experts who want to make a determination on an Artifact run their malware determination, along with a nonce, through a Keccak hash function, and submit the resultant digest to the marketplace as an assertion on the Artifact. After an Expert has submitted an assertion, they can no longer change it.

Figure F: Alice, an Expert in the PolySwarm marketplace, reveals her assertion (benign, represented by a check) to the world.

Once the “assertion window” has been closed, Experts can reveal their original determination and nonce.

Those that made correct assertions are rewarded and those who were incorrect (or fail to reveal) forfeit their stakes.

In this way, PolySwarm prevents piggybacking and rewards honest market participation by incentivizing quality and unique malintent detection.

Wrapping Up

In order to ensure Experts receive fair compensation for their efforts, PolySwarm uses a commit-reveal scheme to protect the marketplace from those who would simply copy the determinations made by other Experts. This security, along with PolySwarm’s monetary rewards and the reputation that comes with a host of accurate predictions, incentivizes cybersecurity experts to join the PolySwarm marketplace and provide comprehensive enterprise coverage of threats.