
I am reading some monero docs and it says that the mask and amount are generated like this:

```
mask = x + H(K);      // where x is the blinding scalar
amount = b + H(H(K)); // where b is the amount
```

`K` is the per-output Diffie-Hellman derived shared secret defined as `K=Hs(8rA||i)`
`H` is a hash function that produces a scalar

Why is it necessary to hash K twice when calculating the amount?

Comments:

@knaccc I just saw your edit. Why is rA multiplied by 8? – cookiekid Nov 12 '18 at 22:15

It's because it prevents a "subgroup attack" where the tx pubkey R is malicious and not in the subgroup of the base point G. Multiplying an EC point by 8 forces it into the subgroup of G on the ed25519 curve. – knaccc Nov 12 '18 at 22:22

1 Answer

I'll restate the algebra (if the same key was used each time) so it's a bit clearer:

mask = encrypted mask + key
amount = encrypted amount + key

Therefore key = amount - encrypted amount

This means that if you could guess the amount of the output being sent to someone (perhaps you have knowledge that someone owed someone else exactly 5 XMR), then you could determine the key and then determine the mask. So to protect the mask, a different key is used to encrypt it.

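The leak described in the answer, worked through in scalar arithmetic as an added example (not code from the question, the answer, or Monero itself). The hash-to-scalar `H` is an assumption: SHA-256 reduced modulo the ed25519 group order stands in for Monero's Keccak-based `Hs`, and the amount, blinding scalar and shared secret are constructed values.

```python
import hashlib

# Order of the ed25519 base-point subgroup; mask, amount and keys are scalars mod L.
L = 2**252 + 27742317777372353535851937790883648493


def H(x: int) -> int:
    """Hash-to-scalar. Assumption: SHA-256 stands in for Monero's Keccak-based Hs()."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "little")).digest(), "little") % L


def encode_same_key(x: int, b: int, K: int):
    """Weak variant from the answer: the same key encrypts both mask and amount."""
    key = H(K)
    return (x + key) % L, (b + key) % L


def encode_monero(x: int, b: int, K: int):
    """Scheme from the question: mask uses H(K), amount uses H(H(K))."""
    return (x + H(K)) % L, (b + H(H(K))) % L


def recover_mask_from_guess(enc_mask: int, enc_amount: int, guessed_amount: int) -> int:
    """Observer's step: assume key = enc_amount - guess, then mask = enc_mask - key.
    This only yields the true mask when both fields really used the same key."""
    key = (enc_amount - guessed_amount) % L
    return (enc_mask - key) % L


def demo(x: int = 123456789, b: int = 5 * 10**12, K: int = 987654321) -> dict:
    """Constructed values: b is 5 XMR in piconero, x and K are arbitrary scalars.
    Returns whether a correct amount guess reveals the blinding scalar in each scheme."""
    weak_mask, weak_amt = encode_same_key(x, b, K)
    real_mask, real_amt = encode_monero(x, b, K)
    return {
        "same_key_leaks_mask": recover_mask_from_guess(weak_mask, weak_amt, b) == x,
        "monero_leaks_mask": recover_mask_from_guess(real_mask, real_amt, b) == x,
    }


if __name__ == "__main__":
    print(demo())  # same_key_leaks_mask is True, monero_leaks_mask is False
```

With the shared key, a correct guess of the amount hands over the blinding scalar of the commitment; with H(K) and H(H(K)) as two independent keys, the guess reveals nothing about the mask.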