EXHIBIT 04 ● REAL SHA-256 · window.crypto.subtle
Hash Commitment Scheme
A way to lock in a hidden choice now and prove later that you did not change it
✓ Binding ✓ Hiding
Cryptographic honesty: SHA-256 is computed by the browser Web Crypto API. This scenario uses educational-scale values for clarity and speed, not a complete production auction protocol.

This is like sealing your answer in an envelope before anyone is allowed to open it. You commit first, which locks in your choice, and then you reveal it later so everyone can check that you did not swap it out.

Here the digital envelope is a real SHA-256 hash. Once the bid and secret nonce are revealed, anyone can recompute the hash and confirm that the original commitment was honest and unchanged.

Real hash, educational scenario: the commitment digest is computed via window.crypto.subtle and can be independently recomputed from the revealed bid and nonce.
Toy vs Production Parameters
| Dimension | This Exhibit | Production Expectation |
|---|---|---|
| Commitment primitive | SHA-256 digest (real) | Hash + protocol-specific domain separation |
| Nonce source | 32-byte browser RNG | Strict entropy controls + protocol audits |
| Application model | Two bidder educational flow | Authenticated multi-party protocol with dispute handling |
| Security envelope | Inspectable demo UI | Formal protocol proofs + hardened backend integration |
BIDDER A: secret bid, random nonce (32 bytes), commitment = SHA-256(bid ‖ nonce)
BIDDER B: secret bid, random nonce (32 bytes), commitment = SHA-256(bid ‖ nonce)
Commitments lock bids before revelation — neither bidder can see or change the other's bid once committed.
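Real SHA-256 runs in your browser via window.crypto.subtle.digest(). Binding: changing even one character of the bid or nonce produces a completely different 256-bit hash, so a bidder cannot later reveal a different bid that matches the published commitment. Hiding: because a random 32-byte nonce is hashed together with the bid, the hash reveals nothing about the bid value.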
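
The commit and reveal steps described above, as an added example (not the exhibit's own source code). It assumes the bid is encoded as a UTF-8 decimal string, which the page does not specify; the function names are hypothetical. The last helper shows why hiding depends on the nonce: with an empty nonce, a small bid range can be matched from the digest alone.

```javascript
// Added example: commit/reveal with SHA-256(bid ‖ nonce) via Web Crypto.
// Assumption: bid is a UTF-8 decimal string; the exhibit's exact encoding is not shown.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// digest = SHA-256(bid ‖ nonce). The nonce is fixed-length and last, so the split is unambiguous.
async function digestOf(bid, nonce) {
  const bidBytes = new TextEncoder().encode(String(bid));
  const input = new Uint8Array(bidBytes.length + nonce.length);
  input.set(bidBytes, 0);
  input.set(nonce, bidBytes.length);
  return toHex(await wc.subtle.digest("SHA-256", input));
}

// Commit phase: publish `commitment`, keep `bid` and `nonce` private until reveal.
async function commit(bid) {
  const nonce = wc.getRandomValues(new Uint8Array(32));
  return { commitment: await digestOf(bid, nonce), bid, nonce };
}

// Reveal phase: anyone recomputes the hash from the revealed values.
async function verify(commitment, bid, nonce) {
  if (!(nonce instanceof Uint8Array) || nonce.length !== 32) return false;
  return (await digestOf(bid, nonce)) === commitment;
}

// Hiding check: with an empty nonce, a small bid range is enumerable from the digest alone.
async function recoverWithoutNonce(commitment, maxBid) {
  const empty = new Uint8Array(0);
  for (let b = 0; b <= maxBid; b++) {
    if ((await digestOf(b, empty)) === commitment) return b;
  }
  return null;
}

async function demo() {
  const a = await commit(4200); // constructed sample bid
  const honest = await verify(a.commitment, a.bid, a.nonce); // unchanged reveal
  const swapped = await verify(a.commitment, 4201, a.nonce); // bid changed after commit
  const weak = await digestOf(4200, new Uint8Array(0)); // commitment made with no nonce
  const leaked = await recoverWithoutNonce(weak, 10000);
  return { honest, swapped, leaked };
}
```

Calling demo() resolves to an object reporting that the honest reveal verifies, the swapped bid is rejected, and the nonce-less commitment gives up its bid.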