opencbdc-tx
Use a Keyed Hash function for some of the system's identifiers
Since we're using hash functions for various identifiers and relying on collision-resistance of these identifiers, one optimization is to have a keyed hash function where only the server side knows the key.
The advantage of this is that even with a 16-byte truncated hash, users would not be able to cause identifier collisions, as they never get to see the TXIDs / UTXOids to try to collide them.
The downside is that users can't compute identifiers themselves. So they can put together a transaction and sign it, but not compute the TXID themselves. Or they could have a user-facing TXID / UTXOid hash function that they can compute, but the internal usage is keyed.
The internal usage could also be a keyed hash of the public hash. So for example, users compute their TXID as sha256(transaction) and internally we use ITXID = hmac(cbdc_secret, TXID). We can then truncate the hmac output to 16 bytes without worrying about collisions.
See also #13 for a partial measure towards a property this design tries to offer.
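The construction proposed above, as an added example that is not part of the original issue or the opencbdc-tx code base: it computes the public TXID and the keyed, truncated ITXID, then shows that two inputs whose unkeyed truncated hashes were matched offline do not match under the keyed identifier. The function names, the constructed 32-byte key and the 4-byte truncation used for the demonstration are assumptions (a 16-byte birthday search is not feasible to run as a demo).

```python
import hashlib
import hmac

ITXID_LEN = 16  # truncation length proposed in the issue


def public_txid(tx: bytes) -> bytes:
    """User-computable identifier: sha256(transaction)."""
    return hashlib.sha256(tx).digest()


def internal_txid(secret: bytes, txid: bytes, n: int = ITXID_LEN) -> bytes:
    """Server-side identifier: HMAC-SHA256(cbdc_secret, TXID), first n bytes."""
    return hmac.new(secret, txid, hashlib.sha256).digest()[:n]


def find_truncated_collision(n: int):
    """Birthday-search two distinct inputs whose *unkeyed* sha256 agrees on
    the first n bytes. Practical only for small n; it stands in for what a
    user who can compute a truncated identifier offline is able to do."""
    seen = {}
    counter = 0
    while True:
        tx = b"constructed-tx-%d" % counter  # constructed sample transactions
        prefix = public_txid(tx)[:n]
        if prefix in seen:
            return seen[prefix], tx
        seen[prefix] = tx
        counter += 1


def demo(n: int = 4):
    """Return (inputs differ, unkeyed ids collide, keyed ids collide)."""
    secret = bytes(range(32))  # constructed key; a real one comes from a CSPRNG
    tx_a, tx_b = find_truncated_collision(n)
    unkeyed_equal = public_txid(tx_a)[:n] == public_txid(tx_b)[:n]
    keyed_equal = hmac.compare_digest(
        internal_txid(secret, public_txid(tx_a), n),
        internal_txid(secret, public_txid(tx_b), n),
    )
    return tx_a != tx_b, unkeyed_equal, keyed_equal


if __name__ == "__main__":
    print(demo())
```

The keyed identifier only keeps this property while `cbdc_secret` stays server-side and ITXIDs are never returned to users, which is the condition the issue states.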