Insufficient randomization in swap balance commitment

[TalDerei]

The swap balance commitment cv is not sufficiently hiding in relation to the circuit balance commitment integrity check since (1) cv is deterministically derived from the fee commitment cvf, and (2) pedersen commitments are additively homomorphic. Combining these facts would enable the search space for the private asset values v1 and v2, after Sealed-Bid Batch Swaps are implemented, to be brute forced. The balance commitment needs to be derived with a new blinding factor to break this determinism.

This references component A1 in the ECC audit log, and A2 still needs to be done.

cc @redshiftzero

[TalDerei]

@redshiftzero erwan mentioned offline that this issue, in addition to describing the high-level goal, should be fleshed in greater detail to include:

• an overview of the suggested remediation path
• an explanation of why the PR potentially diverges from the recommended remediation

[redshiftzero]

The suggested remediation here is to use an additional blinding factor $v_i$ for cv in swaps which we'd witness in the SwapCircuit. I was thinking we'd derive the balance commitment as:

$cv = [−v_1​] G_1​+[−v_2​] G_2​ + [v_i] G_{v_i} + c_{v_f}$

(compared to now where we do $cv = [−v_1​] G_1​+[−v_2​] G_2​ + c_{v_f}$)

$G_{v_i}$ would be a new constant generator point we'd want to specify

[hdevalence]

I don’t understand why we need a new generator here?

[TalDerei]

I don’t understand why we need a new generator here?

#4481 (comment)

I was independently questioning this as well since it's using a vector commitment, and that's why the PR currently uses the same generator and divergences from the ECCs recommended remediation.