
What is a Pedersen Hash?

Posted by mutourend on 2019-06-24 18:59:57

The Pedersen hash is used in the Pedersen commitments and the incremental Merkle tree of Zcash's Sapling version. It is a hash function that is collision-resistant for fixed-length inputs, but not collision-resistant for variable-length inputs. For SNARK (zero-knowledge proof) applications the SHA-256 hash is more expensive, and the Pedersen hash is cheaper to evaluate.

The Pedersen hash function Pedersen(D,M) is defined on a personalization input, D, and the message, M, that we want to hash.

Security requirement: PedersenHash and PedersenHashToPoint are required to be collision-resistant between inputs of fixed length, for a given personalization input D. No other security properties commonly associated with hash functions are needed.
Non-normative note: These hash functions are not collision-resistant for variable-length inputs.

I would like to first confirm my understanding of the above statement:

  1. There is no way to cause a collision between Pedersen(D,M) and Pedersen(D’,N) where D not equal D’ for all M,N.
  2. If someone knew the personalization input D he can use a message N with a different length than M to cause a collision (i.e. Pedersen(D,M) = Pedersen(D,N)).

1 is a stronger property than the spec claims. The spec claims nothing about collisions across different personalisations. If the hash were allowed to take zero-length inputs, then those would have the same hash for different personalisations, but actually it’s only defined on nonzero-length inputs. It is possible to prove --although it isn’t proven in the spec-- that for such inputs, property 1 holds based on hardness of discrete log in the random oracle model (for BLAKE2b as the random oracle). The Zcash protocol never uses the hash with a variable-length input.

Note that if you want to use this hash for variable-length inputs, it is sufficient to prefix (not suffix) the input with a fixed-length encoding of the length.

All inputs to the Pedersen hash and to the Pedersen commitments are constructed from fixed-length field encodings.
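As an added example (not code from the Zcash spec, this blog or the forum thread), a toy Pedersen hash that keeps the Sapling chunk encoding and zero-padding to a multiple of 3 bits but swaps Jubjub for the quadratic-residue subgroup of Z_p^* with p = 2^255 - 19 and derives the per-personalization generators from BLAKE2b (an assumed toy stand-in for the spec's hash-to-group). It shows why the variable-length inputs 1, 10 and 100 collide, and how the length prefix from the answer above separates them.

```python
import hashlib

# Toy stand-in for Jubjub: the quadratic residues mod p form a group of
# order q = (p - 1) / 2 in which the scalar arithmetic below is well defined.
P = 2**255 - 19
Q = (P - 1) // 2
CHUNKS_PER_GENERATOR = 63  # c in the Sapling spec

def generator(D: bytes, j: int) -> int:
    """Generator I_j for personalization D (assumed toy GroupHash: BLAKE2b of
    D || j, reduced mod p and squared into the residue subgroup)."""
    h = hashlib.blake2b(D + j.to_bytes(4, "big"), digest_size=32).digest()
    return pow(int.from_bytes(h, "big") % P, 2, P)

def encode_chunk(s0: int, s1: int, s2: int) -> int:
    """Sapling encoding of one 3-bit chunk; the result is never 0."""
    return (1 - 2 * s2) * (1 + s0 + 2 * s1)

def pedersen_hash(D: bytes, bits: list) -> int:
    """H(D, M) as in Sapling: zero-pad M to a multiple of 3 bits, encode each
    3-bit chunk, pack 63 chunks per generator with weight 16^i, and combine
    the generator powers (the curve point sum, written multiplicatively)."""
    assert bits, "defined only on nonempty inputs"
    bits = bits + [0] * (-len(bits) % 3)  # this padding is what merges 1, 10 and 100
    chunks = [encode_chunk(*bits[i:i + 3]) for i in range(0, len(bits), 3)]
    acc = 1
    for j in range(0, len(chunks), CHUNKS_PER_GENERATOR):
        segment = chunks[j:j + CHUNKS_PER_GENERATOR]
        # digits lie in [-4, 4], below half of 16, so the packing is injective
        scalar = sum(e * 16**i for i, e in enumerate(segment))
        acc = acc * pow(generator(D, j // CHUNKS_PER_GENERATOR), scalar % Q, P) % P
    return acc

def pedersen_hash_length_prefixed(D: bytes, bits: list, length_bits: int = 32) -> int:
    """The fix from the forum answer: prefix (not suffix) a fixed-length
    big-endian encoding of the bit length before hashing."""
    n = len(bits)
    prefix = [(n >> (length_bits - 1 - k)) & 1 for k in range(length_bits)]
    return pedersen_hash(D, prefix + bits)

def padding_collision_demo(D: bytes = b"toy-personalization") -> tuple:
    """For the inputs 1, 10 and 100 (which all pad to the chunk 100) return
    (all_collide_without_prefix, all_collide_with_prefix)."""
    msgs = [[1], [1, 0], [1, 0, 0]]
    plain = {pedersen_hash(D, m) for m in msgs}
    prefixed = {pedersen_hash_length_prefixed(D, m) for m in msgs}
    return len(plain) == 1, len(prefixed) == 1

if __name__ == "__main__":
    print(padding_collision_demo())  # (True, False)
```

The collision without the prefix is forced by the padding alone and holds in any group; the prefixed inputs differ in their chunk encodings, so only a negligible-probability coincidence among the derived generators could make them collide.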

References: 1. Zcash protocol 2. https://forum.zcashcommunity.com/t/pedersen-hash-collision-resistance/33586
