github.com/consensys/gnark-crypto@v0.14.0/hash/doc.go

// Package hash provides the MiMC hash function defined over the implemented curves.
//
// # Length extension attack
//
// The MiMC hash function is vulnerable to a length extension attack. For
// example, when we have a hash
//
//	h = MiMC(k || m)
//
// and we want to hash a new message
//
//	m' = m || m2,
//
// we can compute
//
//	h' = MiMC(k || m || m2)
//
// without knowing k by computing
//
//	h' = MiMC(h || m2).
//
// This is because the MiMC hash function is a simple iterated cipher, and the
// hash value is the state of the cipher after encrypting the message.
//
// There are several ways to mitigate this attack:
//   - use a random key for each hash
//   - use a domain separation tag for different use cases:
//     h = MiMC(k || tag || m)
//   - use the secret input as the last input:
//     h = MiMC(m || k)
//
// In general, inside a circuit the length-extension attack is not a concern,
// since by the circuit definition the attacker cannot append messages to an
// existing hash. But the user has to consider the cases when using a secret key
// and MiMC in different contexts.
//
// # Hash input format
//
// The MiMC hash function is defined over a field. The input to the hash
// function is a byte slice. The byte slice is interpreted as a sequence of
// field elements. Due to this interpretation, the input byte slice length must
// be a multiple of the field modulus size, and every byte sequence encoding a
// single field element must be strictly less than the field modulus.
//
// See open issues:
//   - https://github.com/Consensys/gnark-crypto/issues/504
//   - https://github.com/Consensys/gnark-crypto/issues/485
package hash
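The two points above, the state continuation behind the length-extension property and the input format rules, as an added example that is not gnark-crypto's code: a toy MiMC over the BN254 scalar field that mirrors the bn254 instance's x^5 S-box and Miyaguchi-Preneel chaining, with constructed round constants and only 8 rounds, so its digests match nothing real. `HashFrom` started from a published digest is the continuation the doc writes as MiMC(h || m2); `Blocks` builds constructed 32-byte inputs.

```go
package main

import (
	"fmt"
	"math/big"
)

// Scalar field modulus r of BN254, the field gnark-crypto's bn254 MiMC is defined over.
var modulus, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
const nbRounds = 8 // toy round count; the real instance uses many more rounds

// encrypt is the MiMC block cipher E_key(msg): x <- (x + key + c_i)^5 per round, then + key.
// The round constants c_i = i+1 are constructed for this example, not gnark-crypto's.
func encrypt(key, msg *big.Int) *big.Int {
	x := new(big.Int).Set(msg)
	for i := 0; i < nbRounds; i++ {
		x.Add(x, key).Add(x, big.NewInt(int64(i+1))).Mod(x, modulus)
		x.Exp(x, big.NewInt(5), modulus)
	}
	return x.Add(x, key).Mod(x, modulus)
}

// HashFrom absorbs 32-byte blocks in Miyaguchi-Preneel mode, h <- E_h(m) + h + m, from the given
// state; passing a published digest as the state is the continuation the doc writes as MiMC(h || m2).
// It enforces the doc's input format: length a multiple of 32 bytes, each big-endian block < modulus.
func HashFrom(state *big.Int, data []byte) (*big.Int, error) {
	if len(data)%32 != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of the field element size", len(data))
	}
	h := new(big.Int).Set(state) // copy so the caller's digest is left untouched
	for i := 0; i < len(data); i += 32 {
		m := new(big.Int).SetBytes(data[i : i+32])
		if m.Cmp(modulus) >= 0 {
			return nil, fmt.Errorf("block %d is not a canonical field element", i/32)
		}
		e := encrypt(h, m)
		h = e.Add(e, h).Add(e, m).Mod(e, modulus)
	}
	return h, nil
}

func Hash(data []byte) (*big.Int, error) { return HashFrom(new(big.Int), data) } // MiMC(data) from the zero state

// Blocks encodes small integers as consecutive 32-byte big-endian field elements (constructed input).
func Blocks(vs ...int64) (b []byte) {
	for _, v := range vs {
		b = append(b, big.NewInt(v).FillBytes(make([]byte, 32))...)
	}
	return b
}
```

With k = Blocks(7), m = Blocks(11), m2 = Blocks(13): continuing Hash(k || m) with m2 reproduces Hash(k || m || m2), whereas continuing the key-last tag Hash(m || k) with m2 yields Hash(m || k || m2), not the tag Hash(m || m2 || k) a verifier would expect.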