github.com/consensys/gnark-crypto@v0.14.0/ecc/bn254/fr/mimc/doc.go (about)

// Copyright 2020 Consensys Software Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Code generated by consensys/gnark-crypto DO NOT EDIT

// Package mimc provides the MiMC hash function using the Miyaguchi–Preneel construction.
//
// # Length extension attack
//
// The MiMC hash function is vulnerable to a length extension attack. For
// example, when we have a hash
//
//	h = MiMC(k || m)
//
// and we want to hash a new message
//
//	m' = m || m2,
//
// we can compute
//
//	h' = MiMC(k || m || m2)
//
// without knowing k by computing
//
//	h' = MiMC(h || m2).
//
// This is because the MiMC hash function is a simple iterated cipher, and the
// hash value is nothing more than the state of the cipher after the last
// message block has been absorbed, so anyone holding h can keep absorbing.
//
// There are several ways to mitigate this attack:
//   - use a random key for each hash
//   - use a domain separation tag for different use cases:
//     h = MiMC(k || tag || m)
//   - use the secret input as the last input:
//     h = MiMC(m || k)
//
// In general, inside a circuit the length-extension attack is not a concern,
// since the circuit definition fixes the hash inputs and the attacker cannot
// append messages to an existing hash. But the user has to consider the cases
// where the same secret key is used with MiMC in different contexts.
//
// # Hash input format
//
// The MiMC hash function is defined over a field. The input to the hash
// function is a byte slice, which is interpreted as a sequence of field
// elements. Due to this interpretation, the input byte slice length must be a
// multiple of the field modulus size, and every byte-slice chunk that encodes
// a single field element must be strictly less than the field modulus.
package mimc
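The extension property and the key-last mitigation described under "Length extension attack", together with the chunking rule from "Hash input format", as an added Go example that is not gnark-crypto's own code. It assumes a made-up one-round stand-in (x + key)^5 mod r for the real MiMC cipher, constructed values k=7, m=42, m2=99, and the hypothetical helpers hashFrom, blocks and extendMatches; only the Miyaguchi–Preneel chaining over 32-byte big-endian BN254 scalar field elements follows the package doc.

```go
package main

import (
	"fmt"
	"math/big"
)

// r is the BN254 scalar field modulus, the field this package's MiMC hashes over.
var r, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
const blockSize = 32 // one field element is 32 big-endian bytes

// hashFrom runs Miyaguchi-Preneel, h <- E_h(m_i) + h + m_i, from the given state, with E a made-up
// one-round stand-in (x + key)^5 mod r for the MiMC cipher. It applies the package's input rule
// (length a multiple of 32, every chunk strictly below r). MiMC(p) is hashFrom(0, p); the digest
// is just the final state, so hashFrom(h, m2) with h = MiMC(k||m) yields MiMC(k||m||m2) without k.
func hashFrom(state *big.Int, p []byte) (*big.Int, error) {
	if len(p)%blockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(p), blockSize)
	}
	h := new(big.Int).Set(state)
	for i := 0; i < len(p); i += blockSize {
		m := new(big.Int).SetBytes(p[i : i+blockSize])
		if m.Cmp(r) >= 0 {
			return nil, fmt.Errorf("chunk %d is not strictly less than r", i/blockSize)
		}
		t := new(big.Int).Exp(new(big.Int).Add(m, h), big.NewInt(5), r) // E_h(m), toy cipher
		h = t.Add(t, h).Add(t, m).Mod(t, r)
	}
	return h, nil
}

// blocks encodes small integers as consecutive 32-byte elements (constructed test data).
func blocks(vs ...int64) (p []byte) {
	for _, v := range vs {
		p = append(p, big.NewInt(v).FillBytes(make([]byte, blockSize))...)
	}
	return p
}

// extendMatches continues from the digest of a keyed message (k=7, m=42) with m2=99 and reports
// whether the result equals the honest keyed digest of m||m2: key first yes, key last no.
func extendMatches(keyFirst bool) bool {
	known, honest := blocks(7, 42), blocks(7, 42, 99) // MiMC(k||m), MiMC(k||m||m2)
	if !keyFirst {
		known, honest = blocks(42, 7), blocks(42, 99, 7) // MiMC(m||k), MiMC(m||m2||k)
	}
	h, _ := hashFrom(big.NewInt(0), known)
	forged, _ := hashFrom(h, blocks(99)) // the extension step: needs only h and m2
	want, _ := hashFrom(big.NewInt(0), honest)
	return forged.Cmp(want) == 0
}

func main() { fmt.Println("key first:", extendMatches(true), "key last:", extendMatches(false)) }
```

With the key last, continuing from MiMC(m||k) yields MiMC(m||k||m2), which is not the digest MiMC(m||m2||k) a verifier would recompute for m||m2, so the extension buys the attacker nothing.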