Wikipedia:Reference desk/Archives/Mathematics/2023 June 30

= June 30 =

== Pedersen hash: when truncating the hash to keep only the X coordinate, is it possible to compute a collision when the Jubjub curve is used? ==
The Pedersen hash is a low-constraint, zk-SNARK-friendly hash.

Unlike many algorithms, the Pedersen hash returns a point  on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields  using the Weierstrass form.

As a result, if software chooses to truncate a hash to its first half, and if the attacker controls the fixed-length input, then it is possible to compute 2 inputs that will yield the same truncated hash.

But can this situation happen if the Pedersen hash is implemented over the Jubjub curve? And if so, how exactly can this be computed in that case?

The implementation I’m talking about is here, and the size of the attacker-controlled input is fixed to 505 bits. The software using it takes only  and discards   which is. But this could be a design choice, since the chosen  curve might ensure security even in that case. 37.167.33.7 (talk) 11:43, 30 June 2023 (UTC)