Bit commitment with hashes in Applied Cryptography

Anonymous nobody at
Fri May 31 15:44:05 PDT 2002

Jason asks:
> In Applied Cryptography, p. 87 (2nd ed., heading "Bit Commitment Using
> One-Way Functions") Schneier specifies that Alice must generate 2
> random bit strings before hashing, and then send one along with the
> hash as her commitment:
> commitment = H(R1, R2, b), R1
> Is this to keep her from taking advantage of known collisions?

No, it's just a mistake.  AC's got more mistakes than a whore has crabs.
Never rely on it.  Always check the primary literature, or at least the

Using R1 you're basically choosing from a parameterized family of hash
functions.  But that's not necessary for this; you can choose a fixed
hash, junk R1, and just use the single random value R2.

More information about the cypherpunks-legacy mailing list