My concern is that when analyzing the security of hash functions, there are subtle degradations such as distinguishers, near-collision attacks, boomerang attacks, etc. I do not think we can fathom all the ways such potential attacks may interact with the other invariants, in such a way that reduces the entropy. I think it is fool's folly to assume otherwise and advocate such aggressive tolerances. It runs counter to my sensibilities as an engineer to underdesign for failure tolerance. Perhaps I have missed some mathematical insight which invalidates my concern, but generally it is more difficult to prove something can't exist than it is to argue about what is known to exist. If so, please feel free to point it out. Mea culpa in advance.
None of these attacks apply to a single hash, which is what we have.
A priest could simply ask God to adjust the hash, but you are correct, that is not something that I can disprove.
Seems you continue to miss the point I made, which is that any breakage for Bitcoin's use of a hash function, would need to be replicated a multitude of times (without detection) in order to do widespread damage. Whereas, with homomorphic value hiding, your design's employment of a hash function only needs to be broken once to destroy the entire coin (unless that breakage can be detected and corrected). Edit: if you argued that the difference in brute force computation for breaking the hash function once or 1024 times is only 2^10, I would retort that the breakage might be opportunistic on a particular input structure that only occurs once per year.
I have specifically addressed this very point in multiple ways. Why limit to 2^10? Making the hash structure different does not need to be linear at all. The structure can be arbitrarily different like a tree structure: hash(reverse_x | hash(hash(x) | hash(reverse_x))) for another 2^128. Take the last 128 bits of an un-knowable-in-advance block hash, and construct a completely different Merkle tree every month.
This is unnecessary, of course, because a single 128-bit hash is sound enough and can be upgraded in flight for when quantum computers come into their own. Further unnecessary because any implementation can change the number to 256 or 512 if they need more, or are plain superstitious.
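As an added illustration (not code from either poster or from the design under discussion), the following Python shows the two ideas from the reply above: the tree-shaped variant hash(reverse_x | hash(hash(x) | hash(reverse_x))), and a Merkle tree whose leaf order is re-derived from the last 128 bits of a block hash so that the structure changes per period. SHA-256 truncated to 128 bits stands in for the "single 128-bit hash"; the leaf ordering rule (a seeded Fisher-Yates shuffle) and the sample leaves and block hash are all assumptions made for the example.

```python
import hashlib
from typing import List


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 truncated to 128 bits stands in for the single 128-bit hash in the thread.
    return hashlib.sha256(data).digest()[:16]


def structured_hash(x: bytes) -> bytes:
    # The post's tree-shaped variant: hash(reverse_x | hash(hash(x) | hash(reverse_x))).
    # Reversing the input and nesting the hashes gives an attacker a different input
    # structure than a plain hash(x), which is the point the post makes.
    rx = x[::-1]
    inner = h(h(x) + h(rx))
    return h(rx + inner)


def leaf_order_from_block_hash(block_hash: bytes, n_leaves: int) -> List[int]:
    # Take the last 128 bits of an unknowable-in-advance block hash as the seed (as in the post),
    # then derive a leaf permutation with a deterministic Fisher-Yates shuffle (assumed rule).
    seed = block_hash[-16:]
    order = list(range(n_leaves))
    for i in range(n_leaves - 1, 0, -1):
        r = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        j = int.from_bytes(r[:8], "big") % (i + 1)  # modulo bias is negligible for small n
        order[i], order[j] = order[j], order[i]
    return order


def merkle_root(leaves: List[bytes], order: List[int]) -> bytes:
    # Standard binary Merkle tree over the leaves in the given order; an odd level duplicates
    # its last node. Changing the order changes every internal node and the root.
    if not leaves:
        raise ValueError("merkle_root needs at least one leaf")
    level = [h(leaves[i]) for i in order]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [h(level[k] + level[k + 1]) for k in range(0, len(level), 2)]
    return level[0]


def periodic_root(leaves: List[bytes], block_hash: bytes) -> bytes:
    # The "completely different Merkle tree every month": same leaves, order chosen by the block hash.
    return merkle_root(leaves, leaf_order_from_block_hash(block_hash, len(leaves)))


if __name__ == "__main__":
    leaves = [f"txout-{k}".encode() for k in range(8)]            # constructed sample leaves
    bh = hashlib.sha256(b"constructed block header").digest()     # constructed block hash
    print("structured:", structured_hash(b"example").hex())
    print("root      :", periodic_root(leaves, bh).hex())
```

The defensive value of re-deriving the order from a block hash is that a weakness tied to one specific input layout cannot be prepared against the next period's tree in advance, because the seed is not known until the block exists.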
And it adds the catastrophic risk of undetected inflation (no matter how implausible the risk) and destroys tracking of aggregate statistics on the economy such as velocity of money. That is my marketing opinion, which is orthogonal to the technical work (which I think is interesting), so please continue without me. Thanks for allowing me to investigate and get my questions answered.
As you know, Bitcoin doesn't show the real velocity of money, because holders can just shift coins between their own wallets. There are a bunch of attempts at trying to differentiate between the uses, like days destroyed, but they are hugely inaccurate and subject to gaming as well. A more reliable indication of activity comes from market price of fees, which are expensive to manipulate, and are public in both CT and CCT.
Thanks for your technical analysis and marketing opinion.