[Cryptography] Komitments

Phillip Hallam-Baker phill at hallambaker.com
Tue Dec 18 12:06:05 EST 2018


A friend posed the following problem for which I have developed a
cryptographic solution that I would like your feedback on.

While working for Alice, Bob has discovered that Konrad is an enemy agent
and notified Carol the cop. Carol tells Bob not to tell anyone about the
discovery in the hope that surveillance of Konrad will lead to exposure of
his co-konspirators. Meanwhile, Bob would like to be able to prove to Alice
that he had made the discovery after Konrad has been arrested without
revealing anything to Alice before the arrests are made.

The side constraint here being that the scheme must use only simple
cryptographic constructs and not require Alice to have an encryption key of
any sort.

The commitment string, s = "Konrad is an enemy agent"

Naive method.

witness= Base32t ( H (s))

where Base32t(x) is a truncated base32 encoding of the octets (x) and H (x)
is the SHA2 digest function.

The obvious problem with this approach is that it is subject to a brute
force attack. While the commitment string has quite a few characters, many
of them are guessable.

Improved method.

r = random (128)
witness= Base32t ( SHA-2-512 (s + r))

Adding a sufficiently large nonce to the scheme makes the brute force
attack infeasible. This makes things a little harder for Bob as he has to
keep the random value in order to be able to make a claim against the
witness value.


I am sure this has been done before, just didn't see it in the books I
looked at. Is there an obvious flaw?
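
The two constructions in the message above, written out as an added example (not part of the original post). It assumes SHA-512 for H in both methods, reads random (128) as 128 bits, and truncates the witness to 52 base32 characters; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

WITNESS_CHARS = 52  # assumption: keep 52 base32 characters (260 bits) of the digest
NONCE_BYTES = 16    # assumption: "random (128)" means 128 random bits


def base32t(data: bytes, chars: int = WITNESS_CHARS) -> str:
    """Truncated base32 encoding of the octets."""
    return base64.b32encode(data).decode("ascii")[:chars]


def naive_witness(s: str) -> str:
    # Naive method: the witness depends only on the guessable string s.
    return base32t(hashlib.sha512(s.encode("utf-8")).digest())


def witness_for(s: str, r: bytes) -> str:
    # r has a fixed length, so s + r splits back into (s, r) in exactly one way.
    if len(r) != NONCE_BYTES:
        raise ValueError("nonce must be exactly NONCE_BYTES long")
    return base32t(hashlib.sha512(s.encode("utf-8") + r).digest())


def commit(s: str) -> Tuple[str, bytes]:
    """Improved method: Bob hands over the witness and keeps r private."""
    r = secrets.token_bytes(NONCE_BYTES)
    return witness_for(s, r), r


def verify(witness: str, s: str, r: bytes) -> bool:
    """Alice's check once Bob reveals s and r after the arrests."""
    try:
        expected = witness_for(s, r)
    except ValueError:
        return False
    return hmac.compare_digest(expected, witness)


def guess_naive(witness: str, candidates: List[str]) -> Optional[str]:
    """Why the naive witness leaks: any holder can test a list of guesses."""
    for c in candidates:
        if hmac.compare_digest(naive_witness(c), witness):
            return c
    return None
```

The truncation length also bounds how binding the witness is: with a witness cut to n bits, a dishonest committer can look for two different openings in roughly 2^(n/2) work.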