Wikipedia:Reference desk/Archives/Mathematics/2023 June 30
June 30
Pedersen hash: when truncating the hash to keep only the X coordinate, is it possible to compute a collision when the Jubjub curve is used?
The Pedersen hash is a low-constraint-count hash that is friendly to zk-SNARKs. Unlike many algorithms, the Pedersen hash returns a point P=(x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form. As a result, if software chooses to truncate a hash to its first half, and if the attacker controls the fixed-length input, then there is the possibility to compute two inputs that will yield the same truncated hash.

But can this situation happen if the Pedersen hash is implemented over the Jubjub curve? And if yes, how exactly can this be computed in that case?

The implementation I'm talking about is here, and the size of the attacker-controlled input is fixed to 505 bits. The software using it takes only out[0] and discards out[1], which is y. But this could be a design choice, since the chosen Jubjub curve might ensure security even in that case. 37.167.33.7 (talk) 11:43, 30 June 2023 (UTC)
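A worked example, added here; it is not part of the original post and not code from the implementation the poster links. Jubjub is defined in twisted Edwards form (a·x² + y² = 1 + d·x²·y² with a = −1 and d = −10240/10241 over the BLS12-381 scalar field), where negation is (x, y) ↦ (−x, y) rather than the Weierstrass (x, −y). The toy Pedersen hash below uses the Sapling chunk encoding enc(m) = (1 − 2·s₂)(1 + s₀ + 2·s₁), in which s₂ is a pure sign bit, so flipping s₂ in every chunk of a message m gives a second message m′ with H(m′) = −H(m). Everything else is an assumption of the example: the generators come from a try-and-increment hash-to-curve (not the Sapling group hash), and the 192-bit message is constructed for the demo. Running demo() shows that the two hashes share y but differ in x, so a program that keeps only out[0] = x, as in the post, does not see a collision from this trick, whereas one that kept only y would.

```python
import hashlib
from functools import lru_cache

# Jubjub: twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2 over the BLS12-381 scalar field F_Q
# (a = -1, d = -10240/10241, cofactor 8).
Q = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001
A = Q - 1
D = (-10240 * pow(10241, -1, Q)) % Q
IDENTITY = (0, 1)
CHUNKS_PER_GENERATOR = 63  # Sapling segment length: 63 three-bit chunks per generator

def sqrt_mod(n):
    """Tonelli-Shanks square root in F_Q (Q = 1 mod 4); None for a non-residue."""
    n %= Q
    if pow(n, (Q - 1) // 2, Q) != 1:
        return None if n else 0
    s, q = 32, (Q - 1) >> 32  # Q - 1 = 2^32 * q with q odd
    z = next(z for z in range(2, Q) if pow(z, (Q - 1) // 2, Q) == Q - 1)
    m, c, t, r = s, pow(z, q, Q), pow(n, q, Q), pow(n, (q + 1) // 2, Q)
    while t != 1:
        i, tt = 0, t
        while tt != 1:
            tt, i = tt * tt % Q, i + 1
        b = pow(c, 1 << (m - i - 1), Q)
        m, c, t, r = i, b * b % Q, t * b * b % Q, r * b % Q
    return r

def on_curve(p):
    x, y = p
    return (A * x * x + y * y - 1 - D * x * x * y * y) % Q == 0

def add(p1, p2):
    """Unified affine twisted Edwards addition; doubling is add(p, p)."""
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2 % Q
    x3 = (x1 * y2 + y1 * x2) * pow((1 + k) % Q, -1, Q) % Q
    y3 = (y1 * y2 - A * x1 * x2) * pow((1 - k) % Q, -1, Q) % Q
    return (x3, y3)

def neg(p):
    """Twisted Edwards negation: -(x, y) = (-x, y). The x coordinate flips, y stays."""
    return ((-p[0]) % Q, p[1])

def mul(k, p):
    """Double-and-add; a negative scalar multiplies -p."""
    if k < 0:
        k, p = -k, neg(p)
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

@lru_cache(maxsize=None)
def toy_generator(i):
    """Toy generator i (NOT the Sapling group hash): try-and-increment, then clear the cofactor."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"toy-gen" + bytes([i, ctr])).digest(), "big") % Q
        y = sqrt_mod((1 - A * x * x) * pow((1 - D * x * x) % Q, -1, Q))  # y^2 = (1-ax^2)/(1-dx^2)
        g = mul(8, (x, y)) if y is not None else IDENTITY
        if g != IDENTITY:
            return g
        ctr += 1

def chunks(bits):
    """Zero-pad to a multiple of 3 and split into (s0, s1, s2) chunks."""
    bits = list(bits) + [0] * (-len(bits) % 3)
    return [tuple(bits[j:j + 3]) for j in range(0, len(bits), 3)]

def enc(chunk):
    """Sapling chunk encoding (1 - 2*s2) * (1 + s0 + 2*s1): s2 is a pure sign bit."""
    s0, s1, s2 = chunk
    return (1 - 2 * s2) * (1 + s0 + 2 * s1)

def pedersen_hash(bits):
    """H(m) = sum_i <M_i> * G_i with <M_i> = sum_j enc(m_j) * 16^j over segment i."""
    acc, cs = IDENTITY, chunks(bits)
    for seg in range(0, len(cs), CHUNKS_PER_GENERATOR):
        scalar = sum(enc(c) * 16 ** j for j, c in enumerate(cs[seg:seg + CHUNKS_PER_GENERATOR]))
        acc = add(acc, mul(scalar, toy_generator(seg // CHUNKS_PER_GENERATOR)))
    return acc

def flip_sign_bits(bits):
    """Flip s2 in every chunk: each enc() and hence each segment scalar is negated, so H(m') = -H(m)."""
    bits = list(bits)
    if len(bits) % 3:  # otherwise the last chunk's sign bit is padding, not an input bit
        raise ValueError("message length must be a multiple of 3 bits")
    for j in range(2, len(bits), 3):
        bits[j] ^= 1
    return bits

def demo():
    """Hash a constructed 192-bit message (64 chunks, two segments) and its sign-flipped twin.
    x_collides is what a program keeping only out[0] == x sees; y_collides is what keeping y would see."""
    seed = hashlib.sha256(b"constructed sample message").digest()[:24]
    m = [(byte >> (7 - k)) & 1 for byte in seed for k in range(8)]
    p1, p2 = pedersen_hash(m), pedersen_hash(flip_sign_bits(m))
    return {"is_negation": p2 == neg(p1), "x_collides": p1[0] == p2[0], "y_collides": p1[1] == p2[1]}
```

One caveat that follows from the encoding used here: the blanket sign flip needs every chunk's s₂ to be an input bit. With a 505-bit input the last chunk is (m₅₀₄, 0, 0) after zero-padding, so its sign bit is not attacker-controlled and flip_sign_bits refuses such a length. Whether some other second preimage for −P, or for a point with the same x, exists in that setting is a separate question that this example does not address.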