Simple commitment scheme using secure hash functionTransfer and hide ciphertext with hash functions?Commitment scheme using hash functionsWhat are the pros/cons of using symmetric crypto vs. hash in a commitment scheme?PRG variant as a commitment schemeCalculate number of chips to solve bit commitment using hash functionProve if it is a CCA secure CommitmentWhat type of commitment scheme is it?Are all commitment schemes pseudo-random functions?Is this a UC-secure commitment scheme in the ROM?What is the reason of using Pedersen Commitment scheme over HMAC?What is wrong with encryption-based / hash-based commitment schemes?

What's a good pattern to calculate a variable only when it is used the first time?

Output the list of musical notes

How to prevent criminal gangs from making/buying guns?

How can I find files in directories listed in a file?

What modifiers are added to the attack and damage rolls of this unique longbow from Waterdeep: Dragon Heist?

Number in overlapping range

Bringing Power Supplies on Plane?

Do I need to start off my book by describing the character's "normal world"?

Setting up a Mathematical Institute of Refereeing?

What can I do to increase the amount of LEDs I can power with a pro micro?

Does an Irish VISA WARNING count as "refused entry at the border of any country other than the UK?"

How to gracefully leave a company you helped start?

Good textbook for queueing theory and performance modeling

What would cause a nuclear power plant to break down after 2000 years, but not sooner?

Solving a maximum minimum problem

Why do my bicycle brakes get worse and feel more 'squishy" over time?

What is the hottest thing in the universe?

What exactly happened to the 18 crew members who were reported as "missing" in "Q Who"?

Why does this Jet Provost strikemaster have a textured leading edge?

Scam? Phone call from "Department of Social Security" asking me to call back

If a person claims to know anything could it be disproven by saying 'prove that we are not in a simulation'?

How much can I judge a company based on a phone screening?

Sums of binomial coefficients weighted by incomplete gamma

When did Bilbo and Frodo learn that Gandalf was a Maia?



Simple commitment scheme using secure hash function


Transfer and hide ciphertext with hash functions?Commitment scheme using hash functionsWhat are the pros/cons of using symmetric crypto vs. hash in a commitment scheme?PRG variant as a commitment schemeCalculate number of chips to solve bit commitment using hash functionProve if it is a CCA secure CommitmentWhat type of commitment scheme is it?Are all commitment schemes pseudo-random functions?Is this a UC-secure commitment scheme in the ROM?What is the reason of using Pedersen Commitment scheme over HMAC?What is wrong with encryption-based / hash-based commitment schemes?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2












$begingroup$


Can I create a simple commitment scheme using a secure hash function?



If so, is concatenation with a random secret enough to preserve hiding? (i.e. $C = H( random_string || message)$)



Thank you






hash collision-resistance commitments







share|improve this question









$endgroup$













  • $begingroup$
    a possible duplicate of Transfer and hide ciphertext with hash functions?
    $endgroup$
    – kelalaka
    Aug 3 at 23:20

















2












$begingroup$


Can I create a simple commitment scheme using a secure hash function?



If so, is concatenation with a random secret enough to preserve hiding? (i.e. $C = H( random_string || message)$)



Thank you






hash collision-resistance commitments







share|improve this question









$endgroup$













  • $begingroup$
    a possible duplicate of Transfer and hide ciphertext with hash functions?
    $endgroup$
    – kelalaka
    Aug 3 at 23:20













2












2








2





$begingroup$


Can I create a simple commitment scheme using a secure hash function?



If so, is concatenation with a random secret enough to preserve hiding? (i.e. $C = H( random_string || message)$)



Thank you






hash collision-resistance commitments







share|improve this question









$endgroup$




Can I create a simple commitment scheme using a secure hash function?



If so, is concatenation with a random secret enough to preserve hiding? (i.e. $C = H( random_string || message)$)



Thank you






hash collision-resistance commitments




hash collision-resistance commitments






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Aug 3 at 22:23









jimourisjimouris

942 silver badges10 bronze badges




942 silver badges10 bronze badges














  • $begingroup$
    a possible duplicate of Transfer and hide ciphertext with hash functions?
    $endgroup$
    – kelalaka
    Aug 3 at 23:20
















  • $begingroup$
    a possible duplicate of Transfer and hide ciphertext with hash functions?
    $endgroup$
    – kelalaka
    Aug 3 at 23:20















$begingroup$
a possible duplicate of Transfer and hide ciphertext with hash functions?
$endgroup$
– kelalaka
Aug 3 at 23:20




$begingroup$
a possible duplicate of Transfer and hide ciphertext with hash functions?
$endgroup$
– kelalaka
Aug 3 at 23:20










1 Answer
1






active

oldest

votes


















3












$begingroup$

Yes.
If you publish such a commitment. And you model the hash as a random function it willl not only be preimage resistant but there will be many possible pairs of random string and message which will match the commitment.
If the random string is as big as the hash output most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.



When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (With bounded conputing resources) won't be able to produce a commitment which matches two distinct known messages.






share|improve this answer









$endgroup$














  • $begingroup$
    Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
    $endgroup$
    – jimouris
    Aug 4 at 7:39






  • 1




    $begingroup$
    No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
    $endgroup$
    – Meir Maor
    Aug 4 at 8:08










  • $begingroup$
    Okay, got it. Thank you for your help!
    $endgroup$
    – jimouris
    Aug 4 at 8:34














Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72357%2fsimple-commitment-scheme-using-secure-hash-function%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









3












$begingroup$

Yes.
If you publish such a commitment. And you model the hash as a random function it willl not only be preimage resistant but there will be many possible pairs of random string and message which will match the commitment.
If the random string is as big as the hash output most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.



When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (With bounded conputing resources) won't be able to produce a commitment which matches two distinct known messages.






share|improve this answer









$endgroup$














  • $begingroup$
    Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
    $endgroup$
    – jimouris
    Aug 4 at 7:39






  • 1




    $begingroup$
    No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
    $endgroup$
    – Meir Maor
    Aug 4 at 8:08










  • $begingroup$
    Okay, got it. Thank you for your help!
    $endgroup$
    – jimouris
    Aug 4 at 8:34
















3












$begingroup$

Yes.
If you publish such a commitment. And you model the hash as a random function it willl not only be preimage resistant but there will be many possible pairs of random string and message which will match the commitment.
If the random string is as big as the hash output most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.



When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (With bounded conputing resources) won't be able to produce a commitment which matches two distinct known messages.






share|improve this answer









$endgroup$














  • $begingroup$
    Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
    $endgroup$
    – jimouris
    Aug 4 at 7:39






  • 1




    $begingroup$
    No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
    $endgroup$
    – Meir Maor
    Aug 4 at 8:08










  • $begingroup$
    Okay, got it. Thank you for your help!
    $endgroup$
    – jimouris
    Aug 4 at 8:34














3












3








3





$begingroup$

Yes.
If you publish such a commitment. And you model the hash as a random function it willl not only be preimage resistant but there will be many possible pairs of random string and message which will match the commitment.
If the random string is as big as the hash output most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.



When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (With bounded conputing resources) won't be able to produce a commitment which matches two distinct known messages.






share|improve this answer









$endgroup$



Yes.
If you publish such a commitment. And you model the hash as a random function it willl not only be preimage resistant but there will be many possible pairs of random string and message which will match the commitment.
If the random string is as big as the hash output most possible message values can produce the commitment for some random string. So even an attacker with infinite compute power will not be able to consistently discover the message, while an attacker with bounded computing power won't be able to learn anything about the message.



When the commitment is revealed, we know the attacker didn't cheat because collision resistance means the committer (With bounded conputing resources) won't be able to produce a commitment which matches two distinct known messages.







share|improve this answer












share|improve this answer



share|improve this answer










answered Aug 4 at 3:49









Meir MaorMeir Maor

5,9461 gold badge10 silver badges30 bronze badges




5,9461 gold badge10 silver badges30 bronze badges














  • $begingroup$
    Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
    $endgroup$
    – jimouris
    Aug 4 at 7:39






  • 1




    $begingroup$
    No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
    $endgroup$
    – Meir Maor
    Aug 4 at 8:08










  • $begingroup$
    Okay, got it. Thank you for your help!
    $endgroup$
    – jimouris
    Aug 4 at 8:34

















  • $begingroup$
    Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
    $endgroup$
    – jimouris
    Aug 4 at 7:39






  • 1




    $begingroup$
    No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
    $endgroup$
    – Meir Maor
    Aug 4 at 8:08










  • $begingroup$
    Okay, got it. Thank you for your help!
    $endgroup$
    – jimouris
    Aug 4 at 8:34
















$begingroup$
Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
$endgroup$
– jimouris
Aug 4 at 7:39




$begingroup$
Thanks for your response. Since there will be many possible pairs of $random_string$ and $message$ that generate $C$, does this mean that the binding requirement is not satisfied since I can claim that I committed to either one of the messages? If so, how can I alter my scheme to satisfy both?
$endgroup$
– jimouris
Aug 4 at 7:39




1




1




$begingroup$
No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
$endgroup$
– Meir Maor
Aug 4 at 8:08




$begingroup$
No, because finding an alternate pair matching the commitment would mean breaking collision resistance. Note I separated between what is impossible with any computational resources and what is simply unfeasible with any sane amount of computational effort.
$endgroup$
– Meir Maor
Aug 4 at 8:08












$begingroup$
Okay, got it. Thank you for your help!
$endgroup$
– jimouris
Aug 4 at 8:34





$begingroup$
Okay, got it. Thank you for your help!
$endgroup$
– jimouris
Aug 4 at 8:34


















draft saved

draft discarded
















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72357%2fsimple-commitment-scheme-using-secure-hash-function%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Get product attribute by attribute group code in magento 2get product attribute by product attribute group in magento 2Magento 2 Log Bundle Product Data in List Page?How to get all product attribute of a attribute group of Default attribute set?Magento 2.1 Create a filter in the product grid by new attributeMagento 2 : Get Product Attribute values By GroupMagento 2 How to get all existing values for one attributeMagento 2 get custom attribute of a single product inside a pluginMagento 2.3 How to get all the Multi Source Inventory (MSI) locations collection in custom module?Magento2: how to develop rest API to get new productsGet product attribute by attribute group code ( [attribute_group_code] ) in magento 2

Image
Is it safe to keep the GPU on 100% utilization for a very long time? What happens when the drag force exceeds the weight of an object falling into earth? shebang or not shebang The unknown and unexplained in science fiction Are wands in any sort of book going to be too much like Harry Potter? How do I minimise waste on a flight? Concatenate all values of the same XML element using XPath/XQuery Did any early RISC OS precursor run on the BBC Micro? Single supply non-inverting amplifier using op amp Employee is self-centered and affects the team negatively Why always 4...dxc6 and not 4...bxc6 in the Ruy Lopez Exchange? TikZ/PGF draw algorithm Learning how to read schematics, questions about fractional voltage in schematic How can I test a shell script in a "safe environment" to avoid harm to my computer? A♭ major 9th chord in Bach is unexpectedly dissonant/jazzy What detail can Hubble see on Mars? Drug Testing and Prescribed Medications Justific
Read more

Category:9 (number) SubcategoriesMedia in category "9 (number)"Navigation menuUpload mediaGND ID: 4485639-8Library of Congress authority ID: sh85091979ReasonatorScholiaStatistics

Image
Natural numbersSquare numbersCategories requiring diffusion Help Category:9 (number) From Wikimedia Commons, the free media repository Jump to navigation Jump to search number: 9 (nine) instance of: natural number, deficient number, square number, composite number, odd number, centered cube number, centered octagonal number and nonagonal number other integers: -8 • -4 • -2 • -1 • 0 • 1 • 2 • 3 • 4 • 5 • 6 • 7 • 8 • 9 • 10 • 11 • 12 • 13 • 14 • 15 • 16 • 17 • 18 • 19 • 20 • 21 • 22 • 23 • 24 • 25 • 26 • 27 • 28 • 29 -20 • 0 • 10 • 20 • 30 • 40 • 50 • 60 • 70 • 80 • 90 • 100 • 110 • 120 • 130 • 140 • 150 • 160 • 170 • 180 • 190 • 200 This category has become too crowded. It should list very few images directly. Files should be moved to subcategories where appropriate. New subcategories can be created. Some files need to be moved elsewhere. Search for more categories: fulltext, Main Page, topics, meta categories. Please remove or replace this tag
Read more

Magento 2.3: How do i solve this, Not registered handle, on custom form?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlmain.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 : File Upload issue in UI Component FormMagento2 Not registered handleHow to configured Form Builder Js in my custom magento 2.3.0 module?Magento 2.3. How to create image upload field in an admin form

Image
2000s (or earlier) cyberpunk novel: dystopia, mega storm, omnipresent noise How important is it for multiple POVs to run chronologically? PhD: When to quit and move on? Motorcyle Chain needs to be cleaned every time you lube it? Why do most airliners have underwing engines, while business jets have rear-mounted engines? How to supply water to a coastal desert town with no rain and no freshwater aquifers? How come a desk dictionary be abridged? What's the big deal about the Nazgûl losing their horses? Is this standard Japanese employment negotiations, or am I missing something? Should I increase my 401(k) contributions, or increase my mortgage payments Is there a way to change the aspect ratio of a DNG file? Why is there paternal, for fatherly, fraternal, for brotherly, but no similar word for sons? What can a novel do that film and TV cannot? Is conquering your neighbors to fight a greater enemy a valid strategy? /api/sitecore is not working in CD server
Read more