In Applied Cryptography, p. 87 (2nd ed., heading "Bit Commitment Using One-Way
Functions") Schneier specifies that Alice must generate 2 random bit strings
before hashing, and then send one along with the hash as her commitment:
commitment = H(R1, R2, b), R1
Then she sends R2 and her bit to reveal what she committed to. Why do we need
R1? It should be sufficient to send H(R2, b) as the commitment, then reveal
R2,b later.
Is this to keep her from taking advantage of known collisions? (Are there
known collisions for md5/sha/etc.?) In a protocol where the preimage data
must meet a certain format would we need R1?
-J
