Jump to content

Wikipedia:Reference desk/Archives/Mathematics/2023 June 30

From Wikipedia, the free encyclopedia
Mathematics desk
< June 29 << May | June | Jul >> July 1 >
Welcome to the Wikipedia Mathematics Reference Desk Archives
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.


June 30

[edit]

Pedersen hash : when truncating the hash to keep only the X coordinate, is it possible to compute a collision when the jubjub curve is used ?

[edit]

The Pedersen hash is a low constraints friendly hash for Zk-Snarks.

Unlike many algorithms, the Pedersen hash returns a point P=(x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form.

As a result, if software chooses to truncate a hash to its first half, and if the attacker controls the fixed length input, then there’s the possibility to compute 2 inputs that will yield the same truncated hash.

But can this situation happen if the Pedersen is implemented over the JubJub curve ? And if yes, how exactly this can be computed in that case ?

The implementation I’m talking about is here, and the size of the attacker controlled input is fixed to 505bits. The software using it takes only out[0] and discard out[1] which is y. But this could be a design choice since the chosen JubJub curve might ensure security even in that case. 37.167.33.7 (talk) 11:43, 30 June 2023 (UTC)[reply]