
Imagine a simple auction made with Pedersen commitments rather than sealed envelopes.

Participant 1 commits their bid, $b_1$, choosing a blinding factor $x_1$ and using the publicly known generators $G$ and $H$. As they do so, the commitment value $C_1$ appears on a public website.

Participant 2 does the same. Again, as they commit their bid, $C_2$ appears on the public website.

When the deadline expires, the auctioneer meets with both participants and asks them to reveal their bids and blinding factors. Whoever committed the lowest bid wins.

If Participant 1 reveals their bid $b_1$ and blinding factor $x_1$ before Participant 2, can Participant 2 construct a new blinding factor $x_2'$ so the commitment $C_2$ can be shown to correspond to a new value of $b_2$ which is lower than $b_1$ (e.g., $b_2' = b_2 - 1$), and thus cheat?

My guess is no, because:

Participant 2 would have to find values of $x_2'$ and $b_2'$ such that $x_2 G - x_2' G = b_2' H - b_2 H$.

Assuming, WLOG, that $b_2'$ is slightly lower than $b_1$, i.e. $b_2' = b_1 - 1$, this becomes

$(x_2 - x_2') G = (b_1 - b_2 - 1) H$.

In exponential form, this could be written as: $g^{x_2 - x_2'} = h^{b_1 - b_2 - 1}$.

Participant 2 knows the right hand side of the equation, because $h$ is known, $b_1$ is the (revealed) bid of the other participant and $b_2$ is its own original bid.

However, without finding the discrete log of $h$ in base $g$, I don't see how Participant 2 could cheat.

Am I right or am I missing something?

A. Darwin

1 Answer


Actually, there is a possible attack which relies on a specific construction of $C_2$.

Let $C_2 = C_1 + x_2 G + (n-1) H$, $n$ being the order of the elliptic curve over $Z_p$.

Note that, by definition of elliptic curve order, $nH = O$, where $O$ is the neutral element of $Z_p$, i.e. $P+O=P$ for any point $P$ on the curve.

Therefore, we can rearrange $C_2$ as follows: $C_2 = C_1 + x_2 G + nH - H$.

Substituting $nH = O$, we get: $C_2 = C_1 + x_2 G - H$.

By definition of Pedersen commitment, $C_1 = x_1 G + b_1 H$. Therefore,

$C_2 = x_1 G + b_1 H + x_2 G - H = (x_1 + x_2) G + (b_1 - 1) H$.

This shows that $C_2$, in the particular construction above, is in fact the commitment of $(b_1 - 1)$ (smaller than $b_1$!) with blinding factor $x_2' = x_1 + x_2$.

Since Participant 2 already knows $b_1$, $x_1$ and $x_2$, they can claim their commitment was for $b_1 - 1$, which is lower than the other bid, and win.

EDIT

To avoid excessive comment proliferation, I summarize here some important points raised so far by @knaccc.

Ultimately, the reason why this kind of attack works is the additive property of Pedersen commitments. An attacker can exploit the fact that $C(x_1+x_2,b_1+b_2)=C(x_1,b_1)+C(x_2,b_2)$ (with $C(x_1,b_1)$ known) to plausibly claim their commitment was for something else which is mathematically related to the victim's bid and blinding factor.

Possible mitigations include:

  1. revealing the blinding factor only after disclosing both the commitment and the hash of the blinding factor: $(C_i, h(b_i))$. As long as the hash function is cryptographically secure, an attacker shouldn't be able to find $b_i$ from its hash. And if they cannot mathematically relate their own blinding factor to $b_i$, the attack doesn't work, because Pedersen commitments are additive w.r.t. both terms;

  2. not using homomorphic commitments at all.

A. Darwin
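The following is an added, self-contained example, not code from the question, the answer or any project they describe. It reproduces the answer's construction $C_2 = C_1 + x_2 G + (n-1) H$ on secp256k1 (standard curve constants; $H$ is derived by hashing a label of this example's own choosing to a curve point, so nobody knows $\log_G H$, which is the assumption the question's argument rests on) and checks that $C_2$ opens to $(b_1 - 1,\ x_1 + x_2)$ once $(b_1, x_1)$ is public. It then applies mitigation 1 from the answer's EDIT, read as publishing the SHA-256 of the blinding factor next to the commitment, and shows the forged opening failing that check. All function names (`commit`, `malicious_commitment`, `hashed_opens_to`, ...) are this example's own.

```python
"""Added example (not from the original post): the additive-commitment attack on
secp256k1, then the hash-of-blinding-factor mitigation rejecting the forged opening."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, prime group order n, cofactor 1.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The neutral element O is represented as None.


def ec_add(A, B):
    """Affine point addition on secp256k1; None stands for O."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # A + (-A) = O
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P     # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, Q):
    """Double-and-add scalar multiplication; k is reduced mod n, so ec_mul(N, Q) is O."""
    k %= N
    R = None
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def hash_to_point(label: bytes):
    """Nothing-up-my-sleeve generator: hash the label to an x-coordinate until it lies
    on the curve.  p = 3 (mod 4), so a square root is a single exponentiation.  With
    cofactor 1 every curve point is in the prime-order group, and log_G of the result
    is unknown to everyone, which the question's 'discrete log of h' argument needs."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = hash_to_point(b"pedersen-auction-H")   # label chosen for this example only


def commit(x, b):
    """Pedersen commitment C = xG + bH (blinding factor x, bid b)."""
    return ec_add(ec_mul(x, G), ec_mul(b, H))


def opens_to(C, x, b):
    """Plain opening check from the question: does (x, b) explain C?"""
    return commit(x, b) == C


def malicious_commitment(C1, x2):
    """The answer's construction C2 = C1 + x2*G + (n-1)*H, built without choosing a bid."""
    return ec_add(ec_add(C1, ec_mul(x2, G)), ec_mul(N - 1, H))


def forged_opening(b1, x1, x2):
    """What Participant 2 claims once (b1, x1) is public: bid b1 - 1, blinding x1 + x2."""
    return (x1 + x2) % N, b1 - 1


def hashed_opens_to(C, hx, x, b):
    """Mitigation 1 from the EDIT: the revealed blinding factor must also match the
    SHA-256 published alongside C at commit time, before anyone revealed anything."""
    return hashlib.sha256(x.to_bytes(32, "big")).digest() == hx and opens_to(C, x, b)


def run_auction(b1, x1, x2):
    """Returns (forged opening accepted without hashes, accepted with hashes)."""
    C1 = commit(x1, b1)                         # Participant 1, honest
    C2 = malicious_commitment(C1, x2)           # Participant 2, no bid of their own
    x2_claim, b2_claim = forged_opening(b1, x1, x2)
    plain = opens_to(C2, x2_claim, b2_claim)    # True: C2 == (x1+x2)G + (b1-1)H
    # With the fix, Participant 2 had to publish SHA-256(x2) before x1 was revealed;
    # the forged opening needs x2' = x1 + x2, whose hash was never published.
    hx2 = hashlib.sha256(x2.to_bytes(32, "big")).digest()
    hashed = hashed_opens_to(C2, hx2, x2_claim, b2_claim)
    return plain, hashed


if __name__ == "__main__":
    x1, x2 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    print(run_auction(100, x1, x2))             # (True, False)
```

The forged opening passes the plain check because affine coordinates are canonical and the two ways of computing the same point agree exactly; it fails the hashed check because the only blinding factor Participant 2 could have committed a hash of before the reveal is $x_2$, and $x_1 + x_2 \neq x_2 \pmod n$ for any $x_1 \in [1, n-1]$. Getting past the hash would require an opening $(x_2, b_2')$ of the same $C_2$, i.e. $(x_1 + x_2 - x_2) G = (b_2' - b_1 + 1) H$, which is again the discrete logarithm of $H$ in base $G$.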