Wikipedia:Reference desk/Archives/Mathematics/2023 June 30
Mathematics desk | ||
---|---|---|
< June 29 | << May | June | Jul >> | July 1 > |
Welcome to the Wikipedia Mathematics Reference Desk Archives |
---|
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages. |
June 30
editPedersen hash : when truncating the hash to keep only the X coordinate, is it possible to compute a collision when the jubjub curve is used ?
editThe Pedersen hash is a low constraints friendly hash for Zk-Snarks.
Unlike many algorithms, the Pedersen hash returns a point P=(x,y)
on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y)
using the Weierstrass form.
As a result, if software chooses to truncate a hash to its first half, and if the attacker controls the fixed length input, then there’s the possibility to compute 2 inputs that will yield the same truncated hash.
But can this situation happen if the Pedersen is implemented over the JubJub curve ? And if yes, how exactly this can be computed in that case ?
The implementation I’m talking about is here, and the size of the attacker controlled input is fixed to 505bits. The software using it takes only out[0]
and discard out[1]
which is y
. But this could be a design choice since the chosen JubJub
curve might ensure security even in that case. 37.167.33.7 (talk) 11:43, 30 June 2023 (UTC)