arnaucube
/
miden-crypto
mirror of https://github.com/arnaucube/miden-crypto.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

docs: update RPO with a comment on security given domain separation (#320)

al-update-winterfell
Al-Kindi-0 10 months ago
committed by GitHub
parent
8556c8fc43
commit
b06cfa3c03
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 25 additions and 2 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +14
    -2
      src/hash/rescue/rpo/mod.rs
  2. +11
    -0
      src/hash/rescue/rpx/mod.rs

+ 14
- 2
src/hash/rescue/rpo/mod.rs
View File

@ -22,9 +22,10 @@ mod tests;
/// [specifications](https://eprint.iacr.org/2022/1577) /// [specifications](https://eprint.iacr.org/2022/1577)
/// ///
/// The parameters used to instantiate the function are: /// The parameters used to instantiate the function are:
/// * Field: 64-bit prime field with modulus 2^64 - 2^32 + 1.
/// * Field: 64-bit prime field with modulus p = 2^64 - 2^32 + 1.
/// * State width: 12 field elements. /// * State width: 12 field elements.
/// * Capacity size: 4 field elements.
/// * Rate size: r = 8 field elements.
/// * Capacity size: c = 4 field elements.
/// * Number of founds: 7. /// * Number of founds: 7.
/// * S-Box degree: 7. /// * S-Box degree: 7.
/// ///
@ -52,6 +53,17 @@ mod tests;
/// to deserialize them into field elements and then hash them using /// to deserialize them into field elements and then hash them using
/// [hash_elements()](Rpo256::hash_elements) function rather then hashing the serialized bytes /// [hash_elements()](Rpo256::hash_elements) function rather then hashing the serialized bytes
/// using [hash()](Rpo256::hash) function. /// using [hash()](Rpo256::hash) function.
///
/// ## Domain separation
/// [merge_in_domain()](Rpo256::merge_in_domain) hashes two digests into one digest with some domain
/// identifier and the current implementation sets the second capacity element to the value of
/// this domain identifier. Using a similar argument to the one formulated for domain separation of
/// the RPX hash function in Appendix C of its [specification](https://eprint.iacr.org/2023/1045),
/// one sees that doing so degrades only pre-image resistance, from its initial bound of c.log_2(p),
/// by as much as the log_2 of the size of the domain identifier space. Since pre-image resistance
/// becomes the bottleneck for the security bound of the sponge in overwrite-mode only when it is
/// lower than 2^128, we see that the target 128-bit security level is maintained as long as
/// the size of the domain identifier space, including for padding, is less than 2^128.
#[derive(Debug, Copy, Clone, Eq, PartialEq)] #[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub struct Rpo256(); pub struct Rpo256();

+ 11
- 0
src/hash/rescue/rpx/mod.rs
View File

@ -55,6 +55,17 @@ pub type CubicExtElement = CubeExtension;
/// to deserialize them into field elements and then hash them using /// to deserialize them into field elements and then hash them using
/// [hash_elements()](Rpx256::hash_elements) function rather then hashing the serialized bytes /// [hash_elements()](Rpx256::hash_elements) function rather then hashing the serialized bytes
/// using [hash()](Rpx256::hash) function. /// using [hash()](Rpx256::hash) function.
///
/// ## Domain separation
/// [merge_in_domain()](Rpx256::merge_in_domain) hashes two digests into one digest with some domain
/// identifier and the current implementation sets the second capacity element to the value of
/// this domain identifier. Using a similar argument to the one formulated for domain separation
/// in Appendix C of the [specifications](https://eprint.iacr.org/2023/1045), one sees that doing
/// so degrades only pre-image resistance, from its initial bound of c.log_2(p), by as much as
/// the log_2 of the size of the domain identifier space. Since pre-image resistance becomes
/// the bottleneck for the security bound of the sponge in overwrite-mode only when it is
/// lower than 2^128, we see that the target 128-bit security level is maintained as long as
/// the size of the domain identifier space, including for padding, is less than 2^128.
#[derive(Debug, Copy, Clone, Eq, PartialEq)] #[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub struct Rpx256(); pub struct Rpx256();

Write Preview
Loading…
Cancel
Save