feat: MIMC security considerations #485

Open
Soleimani193 opened this issue Feb 9, 2024 · 2 comments
Labels
bug Something isn't working P2: Medium Issue priority: medium sec Issue related to a security flaw

Comments


Description of the Problem
In the Original MIMC paper, the authors apply Sponge structure over MIMC permutation, while the gnark implementation uses Miyaguchi-Preneel structure.

Miyaguchi-Preneel is vulnerable to the length extension attack and should not be used for applications like MAC (where one hides a secret key inside the hash).

The positive side is a possible efficiency gain for the applications that are irrelevant to the length extension attack (e.g., snark). Here is an estimation (footnote 19).

[screenshot of the paper's efficiency estimate (footnote 19)]

Suggestions/Solutions

  1. The user should be warned about the use of MIMC hash based on Miyaguchi-Preneel structure.
  2. The implementation of MIMC based on Sponge structure would be very helpful.
  3. A benchmark that can probably assert the efficiency gain of Miyaguchi-Preneel for snark applications.
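The structural difference the report describes, as an added illustration that is not gnark's or gnark-crypto's own code: it uses a constructed toy prime field, round count and round constants (none of them gnark's parameters) to show that a Miyaguchi-Preneel digest is the whole chaining state and can therefore be continued by anyone holding only the digest, whereas a sponge keeps its capacity hidden, so the same continuation does not reproduce the real digest. The MAC setting (secret prefix m1) is the one the report warns about.

```go
package main
import (
	"fmt"
	"math/big"
)
// Toy parameters constructed for this example, NOT gnark's field, round count or constants.
// 1000003 is prime and gcd(5, p-1) = 1, so x -> x^5 permutes F_p.
var p, five, zero = big.NewInt(1000003), big.NewInt(5), big.NewInt(0)
const nbRounds = 8
func c(i int) *big.Int        { return big.NewInt(int64(i*i + 1)) } // constructed round constants
func mod(x *big.Int) *big.Int { return x.Mod(x, p) }
// mimcEncrypt is the MiMC block cipher E_k(x): per round x <- (x + k + c_i)^5, finally x + k.
func mimcEncrypt(k, x *big.Int) *big.Int {
	t := new(big.Int).Set(x)
	for i := 0; i < nbRounds; i++ {
		t.Exp(mod(t.Add(t, k).Add(t, c(i))), five, p)
	}
	return mod(t.Add(t, k))
}
// absorbMP continues a Miyaguchi-Preneel chain from chaining value h: h <- E_h(m) + h + m.
// The digest is the entire chaining state, so whoever holds it can keep absorbing blocks.
func absorbMP(h *big.Int, blocks []*big.Int) *big.Int {
	for _, m := range blocks {
		e := mimcEncrypt(h, m)
		h = mod(e.Add(e, h).Add(e, m))
	}
	return h
}
// absorbSponge is a rate-1/capacity-1 sponge whose permutation is a 2-branch Feistel built
// from the MiMC round function. Only the rate element is ever output; the capacity stays hidden.
func absorbSponge(rate, capa *big.Int, blocks []*big.Int) (*big.Int, *big.Int) {
	for _, m := range blocks {
		l, r := mod(new(big.Int).Add(rate, m)), new(big.Int).Set(capa)
		for i := 0; i < nbRounds; i++ {
			f := new(big.Int).Exp(mod(new(big.Int).Add(l, c(i))), five, p)
			l, r = mod(r.Add(r, f)), l
		}
		rate, capa = l, r
	}
	return rate, capa
}
// Demo treats m1 as a secret prefix. With Miyaguchi-Preneel the digest of m1 alone yields the
// digest of m1||m2; with the sponge the hidden capacity would have to be guessed, so it fails.
func Demo() (mpExtends, spongeExtends bool) {
	m1, m2 := []*big.Int{big.NewInt(7), big.NewInt(42)}, []*big.Int{big.NewInt(99)}
	full := append(append([]*big.Int{}, m1...), m2...)
	seen, _ := absorbSponge(zero, zero, m1)  // only the rate element is visible
	guess, _ := absorbSponge(seen, zero, m2) // capacity unknown; continue with a guess of 0
	truth, _ := absorbSponge(zero, zero, full)
	return absorbMP(absorbMP(zero, m1), m2).Cmp(absorbMP(zero, full)) == 0, guess.Cmp(truth) == 0
}
func main() { fmt.Println(Demo()) } // prints: true false
```

The first result is the length-extension property of the Miyaguchi-Preneel chain; it disappears when every input has a fixed, known length, which is the in-circuit situation mentioned later in the thread.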

giuliop commented May 22, 2024

In their FAQ the MiMC authors comment against using a Miyaguchi-Preneel structure and add that if going that route they would recommend increasing the number of rounds.
The number of rounds in gnark's implementation matches the original paper and does not follow the recommendation to increase it with a Miyaguchi-Preneel structure.

What is the line of thinking followed to make these choices in gnark?

@ivokub ivokub changed the title MIMC implementation feat: MIMC security considerations May 29, 2024
@ivokub ivokub added bug Something isn't working sec Issue related to a security flaw P2: Medium Issue priority: medium labels May 29, 2024
ivokub (Collaborator) commented May 29, 2024

I am not sure, I haven't been involved in the implementation, but I would assume the main reasoning would have been to have compatibility with alternative libraries. Length-extension attacks are somewhat mitigated as MiMC is mostly used for in-circuit hashing (and we have the native version in gnark-crypto for compatibility), where the input lengths are fixed.

But I do agree with the issue, and I think it needs some consideration. There are several parallel lines of work regarding algebraic hashing:

I would definitely add the points raised by @Soleimani193:

  • The user should be warned about the use of MIMC hash based on Miyaguchi-Preneel structure.
  • The implementation of MIMC based on Sponge structure would be very helpful.
