Simple commitment scheme using secure hash function


Can I create a simple commitment scheme using a secure hash function?

If so, is concatenation with a random secret enough to preserve hiding? (i.e. $C = H(random\_string || message)$)

Thank you







hash collision-resistance commitments






asked Aug 3 at 22:23
jimouris

  • a possible duplicate of Transfer and hide ciphertext with hash functions?
    – kelalaka Aug 3 at 23:20
















1 Answer
Yes.
If you publish such a commitment and you model the hash as a random function, it will not only be preimage resistant, but there will be many possible pairs of random string and message which will match the commitment.
If the random string is as big as the hash output, most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.

When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (with bounded computing resources) won't be able to produce a commitment which matches two distinct known messages.







answered Aug 4 at 3:49
Meir Maor

  • Thanks for your response. Since there will be many possible pairs of $random\_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
    – jimouris Aug 4 at 7:39

  • No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
    – Meir Maor Aug 4 at 8:08

  • Okay, got it. Thank you for your help!
    – jimouris Aug 4 at 8:34
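
The scheme discussed in this thread, $C = H(random\_string || message)$, as an added example that is not part of the original posts: SHA-256 stands in for $H$, and the fixed 32-byte nonce, the function names and the sample bid message are assumptions. It also shows why the verifier should fix the nonce length, because with plain concatenation the split between nonce and message is otherwise ambiguous.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 32  # assumption: nonce as long as the SHA-256 output, as the answer suggests


def commit(message: bytes) -> tuple[bytes, bytes]:
    """Return (commitment, nonce). Publish the commitment, keep the nonce secret."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(nonce + message).digest(), nonce


def verify(commitment: bytes, nonce: bytes, message: bytes) -> bool:
    """Check an opening (nonce, message) against a published commitment."""
    # Fixing the nonce length pins the boundary between nonce and message.
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + message).digest()
    return hmac.compare_digest(expected, commitment)


def naive_verify(commitment: bytes, nonce: bytes, message: bytes) -> bool:
    """Verifier that accepts any nonce length (shown only for contrast)."""
    expected = hashlib.sha256(nonce + message).digest()
    return hmac.compare_digest(expected, commitment)


def demo() -> dict:
    # Constructed sample message; two commitments to it use independent nonces.
    c, r = commit(b"bid=100")
    c2, _ = commit(b"bid=100")
    # Moving one byte from the message into the nonce leaves nonce || message
    # unchanged, so a length-agnostic verifier accepts a different message
    # without any hash collision being found.
    shifted_nonce, shifted_msg = r + b"b", b"id=100"
    return {
        "honest_opening": verify(c, r, b"bid=100"),
        "wrong_message": verify(c, r, b"bid=999"),
        "fresh_nonce_changes_commitment": c != c2,
        "naive_accepts_shifted": naive_verify(c, shifted_nonce, shifted_msg),
        "strict_rejects_shifted": verify(c, shifted_nonce, shifted_msg),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```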
















