Documentation
Overview
Package mimc provides a ZKP-circuit function to compute a MiMC hash.
For the reference implementation of the MiMC hash function, see the corresponding package in gnark-crypto.
Length extension attack
The MiMC hash function is vulnerable to a length extension attack. For example, when we have a hash
h = MiMC(k || m)
and we want to hash a new message
m' = m || m2,
we can compute
h' = MiMC(k || m || m2)
without knowing k by computing
h' = MiMC(h || m2).
This is because the MiMC hash function is a simple iterated cipher, and the hash value is the state of the cipher after encrypting the message.
There are several ways to mitigate this attack:
- use a random key for each hash
- use a domain separation tag for different use cases: h = MiMC(k || tag || m)
- use the secret input as the last input: h = MiMC(m || k)
In general, inside a circuit the length-extension attack is not a concern, because by the circuit definition the attacker cannot append messages to an existing hash. But the user has to consider the cases where the same secret key and MiMC are used in different contexts.
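The property described above, as an added illustration that is not code from gnark or gnark-crypto: a toy MiMC in Go over the Goldilocks field with constructed round constants, iterated in Miyaguchi–Preneel mode with field addition. It shows that when the secret key comes first, resuming the cipher from the digest h (the page's "MiMC(h || m2)") reproduces MiMC(k || m || m2) without k, and that placing the key last stops this.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy MiMC over the Goldilocks field p = 2^64 - 2^32 + 1 with x^7 (gcd(7, p-1) = 1,
// so the round function is a permutation). Round count and constants are constructed
// for illustration only and are NOT the parameters used by gnark or gnark-crypto.
var p = new(big.Int).SetUint64(18446744069414584321)
const nRounds = 20

// roundConstant returns a deterministic constructed constant c_i = (i+1)^3 mod p.
func roundConstant(i int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(i+1)), big.NewInt(3), p)
}

// encrypt is the MiMC block cipher E_k(m): x <- (x + k + c_i)^7 per round, then + k.
func encrypt(k, m *big.Int) *big.Int {
	x := new(big.Int).Set(m)
	for i := 0; i < nRounds; i++ {
		x.Add(x, k).Add(x, roundConstant(i)).Mod(x, p)
		x.Exp(x, big.NewInt(7), p)
	}
	return x.Add(x, k).Mod(x, p)
}

// absorb runs the Miyaguchi-Preneel iteration H_i = E_{H_{i-1}}(m_i) + H_{i-1} + m_i
// (XOR replaced by field addition) starting from an explicit cipher state.
func absorb(state *big.Int, blocks ...*big.Int) *big.Int {
	h := new(big.Int).Set(state)
	for _, m := range blocks {
		h.Add(h, encrypt(h, m)).Add(h, m).Mod(h, p)
	}
	return h
}

// mimc hashes from the zero state, as a fresh hasher does.
func mimc(blocks ...*big.Int) *big.Int { return absorb(big.NewInt(0), blocks...) }

// extendFromDigest is the page's "MiMC(h || m2)": because the digest h IS the cipher
// state after absorbing k||m, resuming from h yields MiMC(k||m||m2) without seeing k.
func extendFromDigest(h, m2 *big.Int) *big.Int { return absorb(h, m2) }

func main() {
	k, m, m2 := big.NewInt(123456789), big.NewInt(42), big.NewInt(7) // constructed inputs
	h := mimc(k, m)
	fmt.Println("key first: extension equals MiMC(k||m||m2):", extendFromDigest(h, m2).Cmp(mimc(k, m, m2)) == 0)
	hk := mimc(m, k) // key as last input: the attacker cannot place m2 before k
	fmt.Println("key last:  extension equals MiMC(m||m2||k):", extendFromDigest(hk, m2).Cmp(mimc(m, m2, k)) == 0)
}
```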
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type MiMC
type MiMC struct {
// contains filtered or unexported fields
}
MiMC contains the params of the MiMC hash func and the curves on which it is implemented.
NB! See the package documentation for length extension attack consideration.
func NewMiMC
NewMiMC returns a MiMC instance that can be used in a gnark circuit. The out-circuit counterpart of this function is provided in gnark-crypto.
NB! See the package documentation for length extension attack consideration.
func (*MiMC) Sum
Sum computes the hash using the Miyaguchi–Preneel construction, where the XOR operation is replaced by field addition.