Documentation ¶
Overview ¶
Package mimc provides MiMC hash function using Miyaguchi–Preneel construction.
Length extension attack ¶
The MiMC hash function is vulnerable to a length extension attack. For example when we have a hash
h = MiMC(k || m)
and we want to hash a new message
m' = m || m2,
we can compute
h' = MiMC(k || m || m2)
without knowing k by computing
h' = MiMC(h || m2).
This is because the MiMC hash function is a simple iterated cipher, and the hash value is the state of the cipher after encrypting the message.
There are several ways to mitigate this attack:
- use a random key for each hash
- use a domain separation tag for different use cases: h = MiMC(k || tag || m)
- use the secret input as last input: h = MiMC(m || k)
In general, inside a circuit the length-extension attack is not a concern as due to the circuit definition the attacker can not append messages to existing hash. But the user has to consider the cases when using a secret key and MiMC in different contexts.
Hash input format ¶
The MiMC hash function is defined over a field. The input to the hash function is a byte slice. The byte slice is interpreted as a sequence of field elements. Due to this interpretation, the input byte slice length must be multiple of the field modulus size. And every secuence of byte slice for a single field element must be strictly less than the field modulus.
Index ¶
Constants ¶
const (
BlockSize = fr.Bytes // BlockSize size that mimc consumes
)
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Option ¶
type Option func(*mimcConfig)
Option defines option for altering the behavior of the MiMC hasher. See the descriptions of functions returning instances of this type for particular options.
func WithByteOrder ¶
WithByteOrder sets the byte order used to decode the input in the Write method. Default is BigEndian.