Can I create a simple commitment scheme using a secure hash function?

If so, is concatenation with a random secret enough to preserve hiding? (i.e. $C = H( random\_string || message)$)

Thank you

m0ur

1 Answer

Yes. If you publish such a commitment and you model the hash as a random function, it will not only be preimage resistant, but there will be many possible pairs of random string and message which will match the commitment. If the random string is as big as the hash output, most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.

When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (with bounded computing resources) won't be able to produce a commitment which matches two distinct known messages.

Meir Maor
  • Thanks for your response. Since there will be many possible pairs of $random\_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both? – m0ur Aug 04 '19 at 07:39
  • No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort. – Meir Maor Aug 04 '19 at 08:08
  • Okay, got it. Thank you for your help! – m0ur Aug 04 '19 at 08:34
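
The scheme from the question, $C = H(random\_string || message)$, as an added example that is not part of the original question, answer or comments. It shows a commit/verify pair and contrasts it with a bare hash of a guessable message. SHA-256 as $H$, the fixed 32-byte random string, the function names and the sample messages are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 32  # assumption: random string as long as the SHA-256 output


def commit(message: bytes) -> Tuple[bytes, bytes]:
    """Return (commitment, random_string); publish the first, keep the second."""
    r = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(r + message).digest(), r


def verify(commitment: bytes, r: bytes, message: bytes) -> bool:
    """Check an opening (r, message) against a published commitment."""
    # A fixed-length r keeps the split of r || message unambiguous, so an
    # opening cannot move bytes between the random string and the message.
    if len(r) != NONCE_LEN:
        return False
    return hmac.compare_digest(hashlib.sha256(r + message).digest(), commitment)


def guess_from_list(digest: bytes, candidates: list) -> Optional[bytes]:
    """Return the candidate m with SHA-256(m) == digest, or None."""
    for m in candidates:
        if hmac.compare_digest(hashlib.sha256(m).digest(), digest):
            return m
    return None


def demo() -> dict:
    candidates = [b"bid:100", b"bid:200", b"bid:300"]  # constructed sample messages
    secret = b"bid:200"
    c, r = commit(secret)
    return {
        "opens": verify(c, r, secret),
        "other_message_rejected": verify(c, r, b"bid:300"),
        "shifted_split_rejected": verify(c, r[:-1], r[-1:] + secret),
        # Without the random string, a small message space is simply enumerated.
        "bare_hash_guess": guess_from_list(hashlib.sha256(secret).digest(), candidates),
        # The same enumeration gets nothing out of C = H(r || message).
        "commitment_guess": guess_from_list(c, candidates),
    }


if __name__ == "__main__":
    print(demo())
```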