Daira-Emma Hopwood

Results 724 comments of Daira-Emma Hopwood

Hmm, we could use the LP231 construction of Rogaway and Steinberger ([Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers](https://www.iacr.org/archive/crypto2008/51570433/51570433.pdf)) with MiMC(Fp)-p/p. That would fit the field exactly, giving a ~510 to...

Here's the definition of LP231A from the Rogaway and Steinberger paper:

    function LP231A(v1, v2):
        x1 := v1 + 2 v2
        y1 := π1(x1)
        x2 := 2 v1 + 2 v2...

Another option to get a ~510 → ~255-bit compression function is to use the Feistel variant of MiMC, i.e. MiMCP(Fp)-2p/p, to construct a ~510-bit permutation, and then truncate the result...

So, LongsightF-322/p/3 needs 644 constraints, and is ~2.76 times faster than Pedersen (after further optimization of Pedersen hashing), ~42.8 times faster than SHA256Compress, and ~2.99 times faster than a subset-sum...

Copying this comment from #647: If we were to use Pedersen hashes without #647 in place of all of the SHA256Compress instances in the circuit (which might not be possible,...

@ebfull wrote: > So, from a security perspective there doesn't seem to be any good reason to choose MiMC for the merkle tree. If discrete log is broken, counterfeiting can...

Let Ci = FromLE(BLAKE2b("LongsightF-322p3", ToLE2(i))) mod p. (ToLEℓ(n) is the sequence of ℓ bytes representing n in little-endian order. FromLE(s) is the nonnegative integer represented in little-endian form by s....

Or did you want me to convert it to R1CS? We should probably pair on doing that.

Here's an equivalent but more functional expression of the same algorithm:

    function LongsightF322p3(x1 ⦂ Fp, x0 ⦂ Fp) {
        for i from 2 up to 323 {
            xi := xi-2...

@zooko wrote on the Rocket chat: > So I'm currently leaning in favor of Pedersen commitments, because they don't introduce a "breakthrough A or breakthrough B", even if they do...