1 Jun
2002
1 Jun
'02
11:02 a.m.
Jason asks:
In Applied Cryptography, p. 87 (2nd ed., heading "Bit Commitment Using One-Way Functions") Schneier specifies that Alice must generate 2 random bit strings before hashing, and then send one along with the hash as her commitment:
commitment = H(R1, R2, b), R1
Is this to keep her from taking advantage of known collisions?
No, it's just a mistake. AC's got more mistakes than a whore has crabs. Never rely on it. Always check the primary literature, or at least the HAC, http://www.cacr.math.uwaterloo.ca/hac/. Using R1 you're basically choosing from a parameterized family of hash functions. But that's not necessary for this; you can choose a fixed hash, junk R1, and just use the single random value R2.