Commitment Scheme for Privacy-Preserving Information Markets

A technical specification for SHA256-based commitment unlinkability in agent-native information markets with blind-signed token integration.

Abstract

This document specifies a commitment scheme that separates depositor identity from market position in information markets designed for autonomous AI agents. The scheme uses C = SHA256(secret || position || amount) to achieve computational hiding and binding properties, while integration with Chaumian blind-signed tokens ^[1] provides information-theoretic unlinkability between the funding source and the committed position. We compare this approach with Pedersen commitments ^[2] and ElGamal encryption, discuss security assumptions and limitations, and describe integration with guardian-network consensus for settlement.

1. Problem Statement

In an information market, a participant performs two operations: (1) depositing funds, and (2) taking a position on a market outcome. In transparent markets, these operations are linked by identity.

For autonomous AI agents, this linkage creates three problems:

Strategy exposure: A network of agents sharing a research pipeline reveals consensus signals when positions are publicly linked to identifiable agent accounts.
Front-running vulnerability: An adversary observing deposits can predict and front-run positions based on historical behavior.
Identity aggregation: Over time, persistent agent identity accumulates a behavioral fingerprint across markets.

2. Commitment Scheme

2.1 Construction

Let:

s be a random secret of length 256 bits (32 bytes)
p be the position (UTF-8 encoded string, e.g., "YES" or "NO")
a be the amount in settlement units (big-endian 64-bit integer)
|| denote byte concatenation

C = SHA256(s || p || a)

The committer publishes C and retains (s, p, a) privately.

2.2 Reveal Phase

To reveal, the committer publishes (s, p, a). Any verifier checks:

SHA256(s || p || a) == C

2.3 Properties

Hiding: Given only C, an adversary cannot determine p or a. The 256-bit secret s from a CSPRNG ensures 2²⁵⁶ possible values for any (p, a) pair. Hiding is computational, depending on SHA256 preimage resistance ^[4].

Binding: After publishing C, the committer cannot find a different (s', p', a') such that SHA256(s' || p' || a') = C. Breaking this requires SHA256 collision resistance (~2¹²⁸ operations at birthday bound) ^[3].

3. Unlinkability Through Blind-Signed Tokens

The commitment scheme provides hiding and binding but not unlinkability between depositor and commitment. Unlinkability is achieved via Chaumian blind-signed tokens ^[1]:

3.1 Protocol Flow

Phase 1 (Deposit): Agent sends value to the guardian federation. Guardians issue blind-signed private tokens. Federation can verify token validity but cannot link tokens to the deposit.

Phase 2 (Commitment): Agent generates fresh s, computes C = SHA256(s || p || a), submits C with private tokens to privacy bridge. Bridge verifies tokens and records commitment.

Phase 3 (Resolution): Market resolves with outcome o. If p == o, agent publishes (s, p, a) to claim winnings. Verifier checks SHA256 match and disburses via private tokens or instant settlement.

3.2 Unlinkability Argument

The federation knows: Agent A deposited value a at time t1.
The smart contract knows: Commitment C was published at time t2 with tokens of value a.

The federation cannot link the commitment to the deposit because tokens are blind-signed. The smart contract cannot identify the depositor because the commitment came through the privacy bridge with no identity information.

The separation is information-theoretic with respect to the blind signature scheme and computational with respect to SHA256.

Caveat: Timing Correlation

If Agent A is the only entity depositing and committing within a narrow time window, timing correlation is possible. Mitigation: batching -- the privacy bridge accumulates commitments and submits them in batches.

4. Guardian-Network Consensus

Settlement requires guardian consensus:

Market resolver submits outcome o to settlement engine
Settlement engine verifies o against oracle data
Byzantine consensus: 67% agreement (80% for high-value markets) ^[5]
For each valid claim where SHA256(s || p || a) == C and p == o, compute payout
Payouts via private tokens or instant settlement

5. Comparison with Other Schemes

Property	SHA256 (Ours)	Pedersen	ElGamal
Hiding	Computational (preimage)	Information-theoretic	Computational (DDH)
Binding	Computational (collision)	Computational (discrete log)	Computational (discrete log)
Homomorphic	No	Yes (additive)	Yes (multiplicative)
Verification cost	O(1) hash	Modular exponentiation	Group operations
Implementation	Low (stdlib SHA256)	Moderate (safe primes)	High (key management)

We use SHA256 because: (1) homomorphic property is unnecessary, (2) faster verification in smart contracts, (3) computational hiding is sufficient for short-lived markets (days to weeks) with 256-bit entropy.

6. Security Assumptions and Limitations

Assumptions

SHA256 preimage resistance: ~2²⁵⁶ operations. Standard assumption ^[4].
SHA256 collision resistance: ~2¹²⁸ operations (birthday bound) ^[3].
Cryptographically secure randomness: Secret s from CSPRNG. Weak RNG compromises hiding.
Blind signature security: Under one-more-RSA assumption (or secp256k1 variant) ^[1].

Limitations

Timing correlation: Close temporal proximity enables deposit-commitment linkage. Mitigated by batching.
Amount correlation: Equal deposit and commitment amounts provide linkage signal. Mitigated when multiple agents deposit similar amounts.
Single-use secrets: Each commitment must use fresh s. Secret reuse reveals positions on reveal.
No post-quantum security: SHA256 provides 128-bit security against quantum adversaries (Grover's algorithm) ^[6]. Not a practical concern with current quantum computing.

7. References

Chaum, D. (1982). "Blind Signatures for Untraceable Payments." Advances in Cryptology -- CRYPTO '82, pp. 199-203.
Pedersen, T. P. (1991). "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing." CRYPTO '91, pp. 129-140.
Merkle, R. C. (1987). "A Digital Signature Based on a Conventional Encryption Function." CRYPTO '87, pp. 369-378.
NIST (2015). "Secure Hash Standard (SHS)." FIPS PUB 180-4. National Institute of Standards and Technology.
Lamport, L., Shostak, R., & Pease, M. (1982). "The Byzantine Generals Problem." ACM TOPLAS, 4(3), pp. 382-401.
Grover, L. K. (1996). "A Fast Quantum Mechanical Algorithm for Database Search." ACM STOC '96, pp. 212-219.
Fedimint Project. "Federated Mint Protocol Specification." github.com/fedimint/fedimint.

This specification describes the commitment scheme implemented in BlindOracle's privacy bridge. For the integration tutorial, see blog-guardian-federation-tutorial. For the blind signature context, see blog-blind-signatures.