Preimage Commitment
The Preimage Commitment is an important cryptographic primitive in constructing SatoshiVM. Cryptographic primitives refer to low-level encryption algorithms that are mature and often used to build computer security systems.
Preimage Commitment is used to conceal the execution trace of a circuit until the Prover reveals the execution trace preimage to the Verifier. The execution trace refers to all the input and output signal values generated during the circuit's execution process. The preimage is related to hash functions, where if hash(a) = b, we call a the preimage and b the hash value. When the Prover discloses the preimage corresponding to a Preimage Commitment, the Verifier needs to check it to confirm whether it truly complies with the circuit's execution rules.
Consider a specific case, focusing on gate C, which has one input (1) and one output (5), and its function is to perform a NOT operation on its input. Suppose that when the circuit execution reaches gate C, its input value is value, as follows:
The Prover sends the hash value of the input line (4) value value and the output line (5) value output of gate B to the Verifier. The Verifier then uses these hash values to construct a script for on-chain verification, which we will discuss in detail later. The hash values of value and output given here are referred to as the Preimage Commitment. As mentioned before, the purpose of the Preimage Commitment is to prevent the Prover from altering the pre-committed execution path for malicious purposes. Once the Verifier has completed constructing this script, the Prover reveals the values of value and output. The Verifier has a local program that can verify whether the inputs and outputs disclosed by the Prover comply with the rules of gate B. If the Prover's output does not match the gate's rules, a transaction can be spent to prove the Prover's malfeasance. The script corresponding to this transaction is as follows:
When the Prover behaves maliciously, such as providing an input of 1 but also providing an output of 1, indicating dishonesty, the Verifier can spend the UTXO locked by the above script to prove that the Prover has acted maliciously. The specific construction of this script will also be discussed later in the document.
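The commit, reveal and local gate check described above can be sketched off-chain as follows. This is an added example, not SatoshiVM's code or its on-chain script. It assumes SHA-256 as the hash and a preimage of the form random nonce followed by the bit, so that a one-bit wire value cannot be guessed from its hash before the reveal; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def commit(bit: int) -> tuple[bytes, bytes]:
    """Prover: return (commitment, preimage) for one wire value."""
    if bit not in (0, 1):
        raise ValueError("wire values are single bits")
    # Assumed encoding: 32-byte random nonce || bit. The nonce keeps a
    # one-bit value from being guessed from its hash before the reveal.
    preimage = secrets.token_bytes(32) + bytes([bit])
    return hashlib.sha256(preimage).digest(), preimage

def open_commitment(commitment: bytes, preimage: bytes) -> int:
    """Verifier: check hash(preimage) == commitment, then return the bit."""
    if len(preimage) != 33 or preimage[-1] not in (0, 1):
        raise ValueError("malformed preimage")
    digest = hashlib.sha256(preimage).digest()
    if not hmac.compare_digest(digest, commitment):
        raise ValueError("preimage does not open this commitment")
    return preimage[-1]

def check_not_gate(in_c: bytes, out_c: bytes, in_p: bytes, out_p: bytes) -> str:
    """Classify a reveal as 'honest', 'fraud' or 'invalid'."""
    try:
        value = open_commitment(in_c, in_p)
        output = open_commitment(out_c, out_p)
    except ValueError:
        return "invalid"  # not an opening of what was committed
    # NOT gate rule: output must be the complement of the input.
    return "honest" if output == 1 - value else "fraud"

def demo() -> dict:
    """Constructed cases: honest run, the page's 1 -> 1 case, a swapped reveal."""
    results = {}
    in_c, in_p = commit(1)
    out_c, out_p = commit(0)
    results["honest"] = check_not_gate(in_c, out_c, in_p, out_p)
    bad_c, bad_p = commit(1)  # prover commits to output 1 for input 1
    results["input_1_output_1"] = check_not_gate(in_c, bad_c, in_p, bad_p)
    # Prover committed to output 1 but tries to reveal a fresh preimage for 0.
    _, other_p = commit(0)
    results["swapped_reveal"] = check_not_gate(in_c, bad_c, in_p, other_p)
    return results

if __name__ == "__main__":
    print(demo())
```

The "fraud" result corresponds to the case where the Verifier can prove malfeasance; "invalid" shows the binding property, since a preimage that does not hash to the earlier commitment is rejected before the gate rule is even checked.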