[Cryptography] Komitments
Phillip Hallam-Baker
phill at hallambaker.com
Tue Dec 18 15:57:25 EST 2018
On Tue, Dec 18, 2018 at 3:50 PM Stephan Neuhaus <stephan.neuhaus at zhaw.ch>
wrote:
> If I understand your scheme, Bob can later claim to have committed to a
> different message.
>
> For example, Bob has the message
>
> s1 = The secret agent is Alice
>
> He chooses some random r1 and computes and publishes w = H(s1 + r1)
>
> When it later turns out that Dave is in fact the secret agent, he takes
>
> s2 = The secret agent is David
>
> and publishes s2 and r2 = s1 + r1 - s2. Since H(s2 + r2) = w = H(s1 +
> r1), Bob can thus "prove" that he knew that Dave had been the secret
> agent all along.
>
> Did I misunderstand something?
>
> You could perhaps save your scheme by using concatenation instead of
> addition. That looks as if it could work.
>
I intended the + sign to stand for concatenation, sorry if that was not
more clear.
I guess that what I should probably do to make things clearer still is to
use a HMAC instead of a digest since the nonce has a key like function.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20181218/c0a2213d/attachment.html>
More information about the cryptography
mailing list