github.com/consensys/gnark-crypto@v0.14.0/ecc/bls12-377/fr/mimc/doc.go (about) 1 // Copyright 2020 Consensys Software Inc. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Code generated by consensys/gnark-crypto DO NOT EDIT 16 17 // Package mimc provides MiMC hash function using Miyaguchi–Preneel construction. 18 // 19 // # Length extension attack 20 // 21 // The MiMC hash function is vulnerable to a length extension attack. For 22 // example when we have a hash 23 // 24 // h = MiMC(k || m) 25 // 26 // and we want to hash a new message 27 // 28 // m' = m || m2, 29 // 30 // we can compute 31 // 32 // h' = MiMC(k || m || m2) 33 // 34 // without knowing k by computing 35 // 36 // h' = MiMC(h || m2). 37 // 38 // This is because the MiMC hash function is a simple iterated cipher, and the 39 // hash value is the state of the cipher after encrypting the message. 40 // 41 // There are several ways to mitigate this attack: 42 // - use a random key for each hash 43 // - use a domain separation tag for different use cases: 44 // h = MiMC(k || tag || m) 45 // - use the secret input as last input: 46 // h = MiMC(m || k) 47 // 48 // In general, inside a circuit the length-extension attack is not a concern as 49 // due to the circuit definition the attacker can not append messages to 50 // existing hash. But the user has to consider the cases when using a secret key 51 // and MiMC in different contexts. 52 // 53 // # Hash input format 54 // 55 // The MiMC hash function is defined over a field. The input to the hash 56 // function is a byte slice. The byte slice is interpreted as a sequence of 57 // field elements. Due to this interpretation, the input byte slice length must 58 // be multiple of the field modulus size. And every secuence of byte slice for a 59 // single field element must be strictly less than the field modulus. 60 package mimc