next up previous
Next: About this document Up: Application of one-way functions Previous: Not concealing

Not binding

The reason our implementation of commitment is not binding is that the one-way function need not be one-to-one. Suppose, for example, that our one-way function is tex2html_wrap_inline931 . The modulus is the product of 719 and 919, so tex2html_wrap_inline933 , which is 502456. I send you the value c=120041. When it comes time to decommit, I can send you as my secret the number 666 or the number 666+659124 because these values have the same image under f.

One might think that one could remedy this problem by restricting the inputs of f to be less than tex2html_wrap_inline943 . This does not solve the problem because, as it turns out, tex2html_wrap_inline945 . Thus, for example, f(666)=f(666+54927).

This example illustrates a fundamental weakness of modular exponentiation as a one-way function: it has certain exploitable regularities. In a practical situation one would use a one-way function that had no such regularities. The function might not be one-to-one but we would hope that it would be difficult for someone to discover pairs of numbers that map to the same value. We consider this sort of function in a later handout when we discuss digital signatures.


Lisa Eckstein
Thu Nov 21 01:20:27 EST 1996