Content deleted Content added
m task, replaced: Advances in Cryptology — → Advances in Cryptology – |
m grammar |
||
Line 56:
Formal definitions of commitment schemes vary strongly in notation and in flavour. The first such flavour is whether the commitment scheme provides perfect or computational security with respect to the hiding or binding properties. Another such flavour is whether the commitment is interactive, i.e. whether both the commit phase and the reveal phase can be seen as being executed by a [[cryptographic protocol]] or whether they are non-interactive, consisting of two algorithms ''Commit'' and ''CheckReveal''. In the latter case ''CheckReveal'' can often be seen as a derandomised version of ''Commit'', with the randomness used by ''Commit'' constituting the opening information.
If the commitment ''C'' to a value ''x'' is computed as ''C:=Commit(x,open)'' with ''open'' being the randomness used for computing the commitment, then ''CheckReveal (C,x,open)''
Using this notation and some knowledge about [[mathematical function]]s and [[probability theory]] we formalise different versions of the binding and hiding properties of commitments. The two most important combinations of these properties are perfectly binding and computationally hiding commitment schemes and computationally binding and perfectly hiding commitment schemes. Note that no commitment scheme can be at the same time perfectly binding and perfectly hiding – a computationally unbounded adversary can simply generate ''Commit(x,open)'' for every value of ''x'' and ''open'' until finding a pair that outputs ''C'', and in a perfectly binding scheme this uniquely identifies ''x''.
| |||