mirror of https://github.com/bitcoin/bips.git synced 2026-06-22 17:37:25 +00:00
bips/bip-schnorr.mediawiki
Tim Ruffing 92582c2a33 Clarify why we don't want short hashes
This is supposed to supersede https://github.com/sipa/bips/pull/158.
I tried to say this carefully. I don't think that multiparty signing is in general broken with short hashes. For example the attack in #158 could be avoided by letting everybody not only commit to the nonce but also to the message. It's just that using a collision-resistant hash just eliminates the problem entirely...
2019-12-12 22:49:21 +01:00

32 KiB