[Cryptography] Komitments

Richard Clayton richard at highwayman.com
Wed Dec 19 13:54:01 EST 2018


In message <AM4PR0701MB2226D4711F9F99CED6FDC32CC4BE0 at AM4PR0701MB2226.eurprd07.prod.outlook.com>,
Osman Kuzucu Hosting Web Tasarım Grafik <bizbucaliyiz at hotmail.com> writes

>Please excuse my ignorance if I say something that is not feasible as I am 
>fairly new to cryptography. However, I was thinking about a possible solution 
>such that;
>
>Bob’s message = Alice is an agent = a1
>
>Time of the message = 01.01.1991 01:01 = b1
>
>sha512(a1+b1) => result hash.
>
>Bob then shares that result hash with some other third party and after Alice’s 
>arrest, he shares the input data with third party and makes them verify the hash 
>so he can prove he was the person who found about Alice.

yes ... but the timestamp is meaningless

        "Philby is a Russian agent  01.01.1940"

does not mean that I knew he was a traitor on that day.  So the
timestamp within the message is meaningless and you have to include
"some other third party" as a part of the protocol and explain how
_their_ timestamp can in some sense be trusted...

>In that scenario, if Bob shares multiple keys with third party, using different 
>names, such as “Jack is an agent” or “Gary is an agent” for making sure he can 
>claim he did the discovery even if agent turns out someone else, the third party 
>person might say “okay one hash was proof of you guessed the Alice was agent, but 
>what are others for?”. Such scheme would allow only one shot for Bob.

you need to show how your scheme detects that the other hashes exist...
because once you admit of a time-stamping service ("some other third
party") then it's often the case that you let people use it anonymously
(because that somehow seems more useful).

another way of expressing this issue -- if you insist that the
timestamping service operate in the open -- is that once I publish my
hash accusing Philby (or Alice) then what prevents you pretending to be
me and submitting lots of hashes (that no-one can ever reverse) and you
then poo-pooing my claim ?

so you need me to "sign" the hash as well... and it's all starting to
get a bit more complicated...

Hash commitment (and indeed signing) is merely a building block. A
protocol needs to put the blocks together in a useful manner (to tackle
some real world issue); and it is there within that concept of "put
together" where most of the demons reside...

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
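
Added example, not part of Richard Clayton's message or of the post he quotes: a Python model of the sha512(a1+b1) commitment checked against a hypothetical timestamping log. It shows that only the log's own receipt time counts as evidence, and that unopened hedge commitments are visible only when submissions are bound to an identity. TimestampLog, its methods, the receipt time and the "bob" label are assumptions made for illustration.

```python
import hashlib

def commit(message: str, claimed_time: str) -> str:
    """The scheme from the quoted post: sha512(a1 + b1)."""
    return hashlib.sha512((message + claimed_time).encode()).hexdigest()

class TimestampLog:
    """Hypothetical third party; records (receipt_time, submitter, digest)."""
    def __init__(self):
        self.entries = []

    def submit(self, receipt_time, digest, submitter=None):
        # Assumption: a non-None submitter was authenticated by a signature
        # over the digest. The signature check itself is not implemented here.
        self.entries.append((receipt_time, submitter, digest))

    def verify_reveal(self, message, claimed_time):
        """Return the log's receipt time for this opening, or None."""
        digest = commit(message, claimed_time)
        for receipt_time, _, logged in self.entries:
            if logged == digest:
                return receipt_time
        return None

    def commitments_by(self, submitter):
        return [d for _, s, d in self.entries if s == submitter]

def demo():
    claimed = "01.01.1991 01:01"         # b1, chosen freely by the committer
    received = "2018-12-19T13:54"        # constructed receipt time
    names = ("Alice", "Jack", "Gary")    # the hedged guesses from the post

    anon, signed = TimestampLog(), TimestampLog()
    for name in names:
        digest = commit(f"{name} is an agent", claimed)
        anon.submit(received, digest)                     # anonymous service
        signed.submit(received, digest, submitter="bob")  # identity-bound service

    return {
        # The opening verifies, but only the log's clock says when.
        "proven_time": anon.verify_reveal("Alice is an agent", claimed),
        # A claim that was never committed does not verify.
        "uncommitted": anon.verify_reveal("Philby is an agent", claimed),
        # Anonymous log: the two unopened hashes cannot be tied to Bob.
        "hedges_seen_anon": len(anon.commitments_by("bob")),
        # Identity-bound log: all three of Bob's commitments are visible.
        "hedges_seen_signed": len(signed.commitments_by("bob")),
    }

if __name__ == "__main__":
    print(demo())
```
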