m Ref to Pedersen's paper
m v2.05b - Bot T20 CW#61 - Fix errors for CW project (Reference before punctuation)
Line 138:
This scheme isn't perfectly concealing as someone could find the commitment if he manages to solve the [[discrete logarithm problem]]. In fact, this scheme isn't hiding at all with respect to the standard hiding game, where an adversary should be unable to guess which of two messages he chose were committed to - similar to the [[IND-CPA]] game. One consequence of this is that if the space of possible values of ''x'' is small, then an attacker could simply try them all and the commitment would not be hiding.
A better example of a perfectly binding commitment scheme is one where the commitment is the encryption of ''x'' under a [[semantically secure]], public-key encryption scheme with perfect completeness, and the decommitment is the string of random bits used to encrypt ''x''. An example of an information-theoretically hiding commitment scheme is the Pedersen commitment scheme,<ref name="Pedersen pp. 129–140">{{cite book | last=Pedersen | first=Torben Pryds | title=Advances in Cryptology — CRYPTO ’91 | chapter=Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing | publisher=Springer Berlin Heidelberg | publication-place=Berlin, Heidelberg | isbn=978-3-540-55188-1 | doi=10.1007/3-540-46766-1_9 | pages=129–140}}</ref>
<ref name="metere2017automated" >{{cite conference
| title = Automated cryptographic analysis of the pedersen commitment scheme
|