This approach works for the coin tossing problem,
but there are lots of other situations where we need to commit to values,
and we need to commit to values much longer than just 1 bit.
For that, we need something a little more versatile, but with the same idea.
What we need for this is what's called a cryptographic hash function.
It's a function that has this property that it takes some large value as an input
and outputs a small value.
This is similar to a regular hash function like we used in a hash table,
has the property that maps values from a large input domain.
And by large here, we usually mean infinite, such as all possible strings of any length
to a small fixed output size.
It should also have the property that it's well distributed.
That for any given input, the probability that that input maps to a particular value
is close to 1 over the size of the table, and we'll use N to represent the output size.
So we'll say that outputs are in the range from 0 of 10-1.
And so if it has this well-distributive property, this works great for a hash table.
This is not enough for cryptographic committments.
If we just have these 2 properties, well, it might be easy to find other x values
that map to the same thing.
We saw that one of the things that we need for a cryptographic hash function
is to make it hard for Alice to be able to do that, otherwise, she could find 2 inputs
and cheat in the coin tossing game.
This first property of mapping a large input domain to a small fixed output,
we'll call compression.
What we need for a cryptographic hash function is 3 additional properties.
The properties are pre-image resistance, which means given the output of the hash function,
it's hard to find the input that produced it.
This is a form of "one-way ness".
The other 2 properties we need concern the collision resistance.
The weakest form of this is known as weak collision resistance.
What weak collision resistance means is that if we're given some hash value,
it's hard to find any input that hashes to the same result.
These are sort of similar.
This one says it's hard to find the actual value of x that was used.
This one says it's hard to find any x prime value that hashes to that value.
If we have weak collision resistance that would imply we have a form of pre-image resistance
as well.
The final property is strong collision resistance, which is exactly the one we saw
that we needed for the coin tossing game.
Strong collision resistance requires that it's hard to find any pair, x and y,
such that the hash of x is equal to the hash of y.
So have we seen anything that can do this?
And the question is, which of these is almost a good cryptographic hash function?
I'm using almost here in somewhat of a fuzzy way, but I want you to select the one
that seems closest to being a good cryptographic hash function.
None of them is a perfect cryptographic hash function,
and we'll discuss that more after the quiz.
So here are the choices.
Use cipher-block chaining mode to encrypt x, and then take the last output block
as the value of the hash.
The second choice is to use counter mode to encrypt x, and then take the last output block.
The third choice is to use electronic code block mode to encrypt x,
and then take all of the output blocks and XOR them all together and use the result
as the hash value.
The fourth choice is to use counter mode to encrypt x, XOR together all that,
put blocks, and that's the hash value.
Which one of these makes the most sense to provide the cryptographic hash function
properties that we need?
