In this article, we discuss a new approach to commitment schemes called extractable binding. Traditional commitment schemes are unwieldy and difficult to use in practical applications, so we propose a new definition that makes them more accessible. Our approach involves using an extractor-based binding definition, which allows us to extract the committed bit from the receiver’s view after the commitment phase in an imperceptible way. This is achieved through the use of a common random string (CRS) model, which is a relaxation of the standard trustless model where a classical string is uniformly sampled and published.
To understand how this works, imagine you have a magic trick where you want to commit to a certain value without anyone being able to tell what that value is. In this scenario, we use a series of rank-1 projections to extract the committed bit from the receiver’s view. The first projection outputs 0 if the commitment succeeds, and 1 if it fails. The second projection does the same thing, but on a different set of registers. If both projections output 0, we know that the commitment succeeded, and we can output ⊥ (a special symbol used to indicate the end of the commitment phase).
This approach has several advantages over traditional commitment schemes. Firstly, it is more efficient, as it only requires a single operation to extract the committed bit. Secondly, it is more secure, as it uses a common random string that is not predictable by any malicious party. Finally, it is more convenient, as it does not require any trusted setup or preprocessing.
However, there are also some limitations to our approach. For example, it is only guaranteed to work in the unclonable common random state model, which means that the CRS must be generated in a way that is not predictable by any malicious party. Additionally, the extractability of the committed bit is not guaranteed, and we leave formalizing this for future work.
In summary, our article proposes a new approach to commitment schemes called extractable binding. This approach uses an extractor-based binding definition, which allows us to extract the committed bit from the receiver’s view in an imperceptible way after the commitment phase. While it has several advantages over traditional commitment schemes, there are also some limitations that must be considered.