Users need a strong random number generator to ensure bid confidentiality

[khovratovich]

It is supposed that the bid amount is difficult to guess as SHA-3 is a preimage-resistant function. However, note that the hash input consists of

• the domain hash name, which is public;
• an Ethereum address, which is easy to enumerate;
• the bid value, which has low entropy if, for example, the user pays in integer amount of Ether;
• salt value, which has low entropy if the user does not have a secure random number generator (RNG).

Thus to truly conceal the bid value, the bidder must use a secure RNG to fill the salt value or use a high-entropy number of Wei as a bid. Such RNGs are not widely available to regular users, possibly except for password/SSH key generators. These high-entropy values must be secretly stored by a bidder to unseal the bid, otherwise the bid will be lost. Note that a repetition of either bid value or salt in two different bids would hint the attacker to predict these values for future bids from the same owner.

Note that salt in many contexts such as password hashing means a non-secret nonce rather than a secret random value.

A proper way to ensure bid secrecy without extra randomness would be to use deterministic encryption.

[Arachnid]

Such RNGs are not widely available to regular users

On the contrary, modern browsers implement the crypto API, which provides a method for secure random numbers.

I agree that the use of the term 'salt' is misleading here.

I don't see any way to use deterministic encryption to effectively hide a user's bids here; can you elaborate?

[khovratovich]

You definitely can use a special app to generate a random number, I just wanted to say that users do need one and also need to store all these numbers.

After some thinking I realized that deterministic symmetric encryption would not be more efficient than the plain hash function here, as you would need to open the key.

A better strategy might be to have a secret master key and generate salt as a hash of this key and the domain hash. The account private key can serve as such master key. Thus any Dapp browser that has access to private keys can generate and look up the salt value for any domain hash, without extra randomness at all.

[Arachnid]

We expect most people to use the auction DApp, which uses the crypto API to generate secret keys, and store them in client storage (it also offers a backup option).

[khovratovich]

Special care must be taken to add the secret entropy into bids then. The slider I have seen at one issue here might not deliver enough entropy.

[Arachnid]

The slider is for adding extra value to the bid over and above the max bid, so as to disguise the true amount of the bid. 'Salts' are generated independently of that, and not presented explicitly to the user.