On Sat, May 3, 2025 at 9:07 AM Greg Maxwell <[email protected]> wrote:
>
> On Saturday, May 3, 2025 at 11:55:28 AM UTC Sanket Kanjalkar wrote:
>
> > hash(UTXO_A||salt) + hash(UTXO_B||salt) - hash(UTXO_C||salt) -
> > hash(UTXO_D||salt) == 0 (proving (A==C && B==D) || (A==D && B==C))
> >
> > What if instead of hash we encrypt with AES and modular add/subs? I cannot
> > prove it; but I also don't see a clear way this is broken.
> >
> > 1. Sample random symmetric key `k`
> > 2. Instead of above; AES_k(UTXO_A) + AES_k(UTXO_B) - AES_k(UTXO_C) -
> > AES(UTXO_D) == 0 => (proving (A==C && B==D) || (A==D && B==C))?
>
> AES in CTR mode is, I'm not sure about other modes? Obviously CTR mode would
> be unsuitable! (I mean sure modular add/sub and xor are different operations
> but they are quite close). I think that in many modes the collision
> resistance would have to at least be restricted by the birthday bound with
> the small block size. I think CMC might be needed to avoid that sort of issue.
Can Haraka V2 [1] hash function be used? It is based on AES and supports 256 or 512 bit inputs. UTXO (txid + index) has a fixed size and fits into 320 bits. We can use the 512 bit version and just leave the remaining bytes zero.

[1] https://github.com/kste/haraka

--
Best regards,
Boris Nagaev
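The salted additive check quoted at the top of the thread, written out as an added example (this is not code from any participant, and the thread does not prescribe a hash or a serialization). SHA-256 stands in for the unspecified hash, digests are read as 256-bit integers and summed modulo 2^256, and the outpoint layout (32-byte txid followed by a 4-byte little-endian index) is an assumption of the example; the outpoints themselves are constructed, not real transactions.

```python
import hashlib
import os

# Arithmetic is done modulo 2^256 so the sum of digests wraps instead of growing.
MOD = 1 << 256


def utxo_bytes(txid_hex: str, vout: int) -> bytes:
    """Serialize an outpoint as 32-byte txid || 4-byte little-endian index.

    This fixed-width layout is an assumption of the example, not a format
    taken from the thread.
    """
    txid = bytes.fromhex(txid_hex)
    if len(txid) != 32:
        raise ValueError("txid must be exactly 32 bytes")
    return txid + vout.to_bytes(4, "little")


def salted_hash(utxo: bytes, salt: bytes) -> int:
    """hash(UTXO || salt) read as a 256-bit integer.

    SHA-256 stands in for whatever hash is finally chosen; the thread leaves
    that open (Haraka is suggested but is not in the standard library).
    """
    return int.from_bytes(hashlib.sha256(utxo + salt).digest(), "big")


def multiset_hash(utxos, salt: bytes) -> int:
    """Additive combination of salted hashes; the order of the inputs does not matter."""
    return sum(salted_hash(u, salt) for u in utxos) % MOD


def same_multiset(left, right, salt: bytes) -> bool:
    """True iff sum(left) - sum(right) == 0 (mod 2^256), i.e. the check from the thread."""
    return (multiset_hash(left, salt) - multiset_hash(right, salt)) % MOD == 0


def demo() -> dict:
    """Constructed outpoints (not real transactions) run through the check."""
    a = utxo_bytes("11" * 32, 0)
    b = utxo_bytes("22" * 32, 1)
    c = utxo_bytes("33" * 32, 0)
    salt = os.urandom(32)  # fresh salt for this evaluation
    return {
        "same_order": same_multiset([a, b], [a, b], salt),   # True
        "swapped": same_multiset([a, b], [b, a], salt),      # True: the check is order-blind
        "one_differs": same_multiset([a, b], [a, c], salt),  # False
        "missing": same_multiset([a, b], [a], salt),         # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "swapped" case is the point Sanket's parenthetical makes explicit: the sum cannot tell (A,B)=(C,D) from (A,B)=(D,C), so it proves multiset equality and nothing finer. Replacing `salted_hash` with an AES-based construction, as the thread discusses, changes only that one function; the rest of the check is unchanged.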
