mirror of
https://github.com/bitcoin/bips.git
synced 2026-06-01 17:15:27 +00:00
This is supposed to supersede https://github.com/sipa/bips/pull/158. I tried to say this carefully. I don't think that multiparty signing is in general broken with short hashes. For example the attack in #158 could be avoided by letting everybody not only commit to the nonce but also to the message. It's just that using a collision-resistant hash just eliminates the problem entirely...