Bit commitment with hashes in Applied Cryptography
Anonymous
nobody at remailer.privacy.at
Fri May 31 15:44:05 PDT 2002
Jason asks:
> In Applied Cryptography, p. 87 (2nd ed., heading "Bit Commitment Using
> One-Way Functions") Schneier specifies that Alice must generate 2
> random bit strings before hashing, and then send one along with the
> hash as her commitment:
>
> commitment = H(R1, R2, b), R1
>
> Is this to keep her from taking advantage of known collisions?
No, it's just a mistake. AC's got more mistakes than a whore has crabs.
Never rely on it. Always check the primary literature, or at least the
HAC, http://www.cacr.math.uwaterloo.ca/hac/.
Using R1 you're basically choosing from a parameterized family of hash
functions. But that's not necessary for this; you can choose a fixed
hash, junk R1, and just use the single random value R2.
More information about the cypherpunks-legacy
mailing list