On The Blockchain, How Do I Keep Things Secret, But Can Reveal The Secret To You Sometime In The Future (or Never)?

Here is the method I outline [link].

After a Blockchain Meeting in 2017, I did a fun interview with Blockchain Beyonce [here]:

In the interview I outlined a problem with an online bet which was cancelled by the betting company (as they said they had made a mistake with the odds). Well, let’s see if Bob can make a bet without the betting company (Alice The Bookie) knowing the bet, while still providing a commitment to the bet.

With a public blockchain, the data we add will be stored forever, and we must thus be careful about what we put on it. But let’s say I want to implement a fixed-odds betting system on the Blockchain, but I don’t want to show my bookie, or anyone else, the games I have bet on. For this we can use perfect secrecy, such as with the Pedersen commitment. First let me take the fixtures for this Saturday:

Aberdeen v Heart of Midlothian 
Celtic v Dundee
Hamilton Academical v Kilmarnock

Now, Bob The Punter has to agree with Alice The Bookie that he will take her odds for the matches and pay £1 for each bet. But Alice The Bookie will not be able to see the bets that Bob is making. Alice The Bookie posts her odds on the Blockchain, so that she makes her commitments, and these can be seen by everyone who uses the Blockchain.

With the Pedersen commitment, Bob The Punter then creates three messages:

Msg1 = “Aberdeen v Heart of Midlothian. Aberdeen to win”
Msg2 = “Celtic v Dundee. Celtic to win”
Msg3 = “Hamilton Academical v Kilmarnock. A score draw”

In the Pedersen Commitment, Bob now takes two large prime numbers (p and q) and creates a generator value (g) of order q, which generates a subgroup of Zp*. He then picks s as a secret value in Zq, and calculates:

h=g^s (mod p)

The values of (p,q,g,h) are public values, and Bob can post these on the Blockchain, along with his commitments to the bets. Before the matches start, Bob now creates a commitment for each bet (m1, m2 and m3), with a random number for each (r1, r2 and r3):

c1=g^m1 h^r1 (mod p)

c2=g^m2 h^r2 (mod p)

c3=g^m3 h^r3 (mod p)

Bob then puts these commitments (c,r) onto the blockchain, which will inform Alice that he has made the bets, and she will take payments for them.

After the match, if Bob has won, he sends Alice the winning bets (m1, m2 and/or m3) and she checks against:

c=g^m h^r (mod p)

If the values match, then Alice knows that Bob has made the commitment to the bet, and she will pay out. If Alice doesn’t pay, we can create a smart contract which will check the commitments, or even bring in a trusted person (Trent) to arbitrate on the commitments. If the bets go down, Bob will not reveal his secret bets, and no-one will ever know the bets he made. If Alice The Bookie keeps the messages secret, the bets will not be revealed to anyone else.

Thus, with the Pedersen Commitment, we hide the message that is to be revealed, and the recipient will not know the message until we reveal it.
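The commit and reveal steps above in Python, as an added example that is not the author's implementation. It assumes a constructed toy group (p = 2039, q = 1019, g = 4), hashes each bet string into Zq, has Alice rather than Bob pick s, and keeps r private until the reveal; reopen() shows that whoever knows s can open a commitment to a different bet, so the committer must not hold it.

```python
import hashlib
import secrets

# Constructed toy group so the numbers stay readable: P = 2Q + 1, both prime.
# A real deployment needs a p of at least 2048 bits.
Q = 1019
P = 2 * Q + 1   # 2039
G = 4           # a square mod P, so it generates the subgroup of order Q


def encode(msg: str) -> int:
    """Map a bet string to an exponent in Z_q (hash, then reduce mod Q)."""
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % Q


def setup():
    """Pick the secret s in [1, Q-1] and publish h = g^s mod p."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def commit(h: int, m: int):
    """Return (c, r) with c = g^m * h^r mod p; r stays private until the reveal."""
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(h, r, P) % P, r


def verify(h: int, c: int, m: int, r: int) -> bool:
    """Alice's check after the match: does (m, r) open c?"""
    return c == pow(G, m, P) * pow(h, r, P) % P


def reopen(s: int, m: int, r: int, m_new: int) -> int:
    """Whoever knows s can solve m + s*r = m_new + s*r_new (mod Q) for r_new.
    This is why the party making commitments must not know s."""
    return (r + (m - m_new) * pow(s, -1, Q)) % Q


if __name__ == "__main__":
    s, h = setup()                      # assumption: run by Alice, who keeps s
    bet = "Celtic v Dundee. Celtic to win"
    m = encode(bet)
    c, r = commit(h, m)                 # Bob publishes c only
    print("commitment:", c)
    print("honest reveal accepted:", verify(h, c, m, r))
    print("altered bet rejected:", not verify(h, c, (m + 1) % Q, r))
    m_new = encode("Celtic v Dundee. Dundee to win")
    r_new = reopen(s, m, r, m_new)
    print("opening changed by holder of s accepted:", verify(h, c, m_new, r_new))
```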

So what?

In our world, we give away too much information, and need to build a world which respects the right to privacy, while also being trusted. I’ve implemented the Pedersen Commitment in discrete logarithms here (as our research group is based in John Napier’s Tower), but I could also have used elliptic curve methods, or even ElGamal. The basic principle remains the same, where I commit to something, and then can prove the commitment at some time in the future (or not at all), and you can’t tell what my secret is until I reveal the commitment.