

Confidential Transactions - jc123
https://people.xiph.org/~greg/confidential_values.txt

======
benoitbenoit
Related, this was just published today:
[http://voxelsoft.com/dev/sumcoin.pdf](http://voxelsoft.com/dev/sumcoin.pdf)

------
deckar01
> A commitment scheme lets you keep a piece of data secret but commit to it so
> that you can not change it later.

> commitment = SHA256( binding_factor || data )

> Tell someone the commitment, then [later] reveal both the data and blinding
> factor.

It looks like I can change my data, then generate a binding factor that will
combine to produce the original hash input.

~~~
throwaway7767
>> A commitment scheme lets you keep a piece of data secret but commit to it
so that you can not change it later. >> commitment = SHA256( binding_factor ||
data ) >> Tell someone the commitment, then [later] reveal both the data and
blinding factor.

>It looks like I can change my data, then generate a binding factor that will
combine to produce the original hash input.

If you can find SHA256 collisions on demand. But if you can do that, you
should probably be writing a paper about it and advancing the state of the
art.

~~~
deckar01
Assume for a moment that no hashing is performed.

I compute C = B || D.

I reveal C.

I later choose new data D'.

I compute C = B' || D'.

I reveal B' and D'.

Since both B and D were secret, B' and D' are accepted.

Secretly masking data lends to malleability. (EDIT: Not a mask)

EDIT: As CJefferson points out the operation is not a mask, but concatenation
of a fixed length random value which invalidates this example. Exploiting this
secrecy would require a weakness in SHA256 that allows input prefixes to
produce colliding hash states (hard).

~~~
CJefferson
Here || denotes concatenation. Therefore your only options are to change where
you split B and D into two two strings. If you (as is common) either fix the
length of B, or make sure the splitter marker characters can't occur in B,
then given C, B and D are fixed.

------
maxerickson
This is related to:

[https://news.ycombinator.com/item?id=9684066](https://news.ycombinator.com/item?id=9684066)

