Let's say Alice and Bob are playing a game where Bob is trying to guess a number Alice has chosen.

Alice chooses a key $K$ and a number $N$ at random and performs $C=Commit(K, N)$ where $Commit(K, N)=h(h(K) \| h(N))$.
$h()$ is a collision-resistant hash function and $K$ and $N$ can be of any length.

Bob guesses $N'$ and sends it to Alice who responds with $K$ and $N$.

Bob can now do $C'=Decommit(K, N)$ which in our case is the same as Commit and verify that $C=C'$.

As I understand it the scheme above is perfectly hiding and computationally binding. Is there a way to make the scheme both perfectly binding and perfectly hiding, or is there another scheme that has these properties?

I'm new to cryptography so I apologize in advance if I don't get some of the concepts right.

rath

1 Answer

As you noticed correctly, a hash function is kind of computationally binding if you assume collision resistance. However, it is impossible to achieve the perfect hiding property for hash functions, due to the potential loss of information.

Perfect hiding means that a computationally unbounded Alice COULD decommit any value: e.g. Pedersen commitments $c = g^x h^r$ can be decommitted to any value if you know the discrete logarithm $\log_g h$.

In your hash function you have no guarantee for this: for a fixed pair of commitment and $K$ there might be no $h(N)$ that fulfills the computation. Even replacing $h(N)$ with just $N$ does not imply this property.

In general, a scheme cannot be both perfectly hiding and perfectly binding, because they are opposing principles: if Alice were computationally unbounded, hiding means she can decommit ANY value, and binding means she could still decommit ONLY the original value.

tylo
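A worked example of the answer's point, added here and not part of the question or the answer: a Pedersen commitment in a toy prime-order group, showing that whoever knows the trapdoor $\log_g h$ can open one commitment to any value (perfect hiding), that two different openings of the same commitment leak that trapdoor (binding rests on the discrete log), and, for contrast, the question's deterministic hash commitment. The group parameters, trapdoor and SHA-256 as $h()$ are assumptions chosen for illustration, not secure sizes.

```python
import hashlib

# Toy Pedersen parameters (constructed for illustration, NOT secure sizes):
# p = 2q + 1 with p, q prime; g has order q in Z_p^*; h = g^t for a trapdoor t.
P, Q, G = 23, 11, 2
TRAPDOOR = 7                 # t = log_g h, known only to whoever generated h
H = pow(G, TRAPDOOR, P)      # h = 13

def pedersen_commit(x: int, r: int) -> int:
    """c = g^x * h^r mod p, with message x and blinding r taken in Z_q."""
    return (pow(G, x % Q, P) * pow(H, r % Q, P)) % P

def pedersen_open(c: int, x: int, r: int) -> bool:
    """Decommit: recompute and compare (same as Commit, as in the question)."""
    return pedersen_commit(x, r) == c

def equivocate(x: int, r: int, x_new: int, t: int = TRAPDOOR) -> int:
    """Perfect hiding: with t = log_g h, g^x h^r = g^(x + t*r), so any
    x_new opens the same c once we solve x + t*r = x_new + t*r' (mod q)."""
    t_inv = pow(t, -1, Q)
    return (r + (x - x_new) * t_inv) % Q

def extract_trapdoor(x1: int, r1: int, x2: int, r2: int) -> int:
    """Computational binding: two distinct openings of one commitment give
    x1 + t*r1 = x2 + t*r2 (mod q), i.e. t = (x1 - x2) / (r2 - r1)."""
    return ((x1 - x2) * pow((r2 - r1) % Q, -1, Q)) % Q

def hash_commit(k: bytes, n: bytes) -> bytes:
    """The question's scheme: Commit(K, N) = h(h(K) || h(N)), with h = SHA-256.
    Deterministic, so nothing plays the role of the trapdoor above."""
    sha = hashlib.sha256
    return sha(sha(k).digest() + sha(n).digest()).digest()

def hash_open(c: bytes, k: bytes, n: bytes) -> bool:
    return hash_commit(k, n) == c

if __name__ == "__main__":
    c = pedersen_commit(5, 3)
    r2 = equivocate(5, 3, 9)             # open the same c as the value 9
    print(c, pedersen_open(c, 9, r2), extract_trapdoor(5, 3, 9, r2))
```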