HarryR / ethsnarks

A toolkit for viable zk-SNARKS on Ethereum, Web, Mobile and Desktop
GNU Lesser General Public License v3.0

MiMC / LongsightF implementation #12

Closed. HarryR closed this issue 6 years ago.

HarryR commented 6 years ago

From the related thread at https://github.com/zcash/zcash/issues/2233

This implements the LongsightF SNARK circuit, for the altBN curve as supported by Ethereum.

This specifies one variant of LongsightF, where the exponent is 5 and the number of rounds is 152.

This requires 750 constraints (5 per 152 rounds). This is more expensive than the proposed ZCash implementation because the exponent is 5.
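The post above describes a MiMC-style Feistel permutation over the alt_bn128 scalar field with exponent 5 and 152 rounds, and gives a per-round constraint count. The following is an added example, not the ethsnarks LongsightF code: it implements a generic two-element additive Feistel of that shape in plain Python so the structure (and why the exponent drives the cost) can be seen outside a circuit library. The round-constant schedule (SHA-256 of a counter), the key placement and the state layout are assumptions made for the example. The gate counter counts only the multiplications needed for x^e via square-and-multiply (three for e = 5), since additions are free in R1CS; a real circuit library's constraint total depends on how it allocates intermediate variables, so the author's figure of 5 per round is not reproduced here. This illustrates the arithmetic and the cost reasoning, not a vetted hash construction.

```python
import hashlib

# Scalar field order of alt_bn128 (BN254), the curve behind Ethereum's
# EIP-196/197 precompiles; all circuit arithmetic happens modulo this prime.
BN254_SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617

EXPONENT = 5   # the variant discussed in the thread
ROUNDS = 152   # likewise


def round_constants(n_rounds, seed=b"example-seed", p=BN254_SCALAR_FIELD):
    """Derive n_rounds field elements by hashing a counter with SHA-256.
    Constructed for this example; it is NOT the constant schedule of any
    particular LongsightF/MiMC implementation."""
    consts = []
    for i in range(n_rounds):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        consts.append(int.from_bytes(digest, "big") % p)
    return consts


def round_function(x, key, c, e=EXPONENT, p=BN254_SCALAR_FIELD):
    """Single MiMC-style round function: (x + key + c)^e over F_p.
    The only nonlinear step is the exponentiation."""
    return pow((x + key + c) % p, e, p)


def feistel_forward(left, right, key, consts, e=EXPONENT, p=BN254_SCALAR_FIELD):
    """Additive Feistel on a two-element state (assumed layout).
    Each round maps (L, R) -> (R, L + F(R)) with F(R) = (R + key + c_i)^e."""
    for c in consts:
        left, right = right, (left + round_function(right, key, c, e, p)) % p
    return left, right


def feistel_inverse(left, right, key, consts, e=EXPONENT, p=BN254_SCALAR_FIELD):
    """Undo feistel_forward round by round in reverse order.
    Given (L', R') = (R, L + F(R)): R = L' and L = R' - F(L')."""
    for c in reversed(consts):
        left, right = (right - round_function(left, key, c, e, p)) % p, left
    return left, right


def mul_gates_for_pow(e):
    """Multiplication gates to compute x^e with the binary square-and-multiply
    chain: (bit_length - 1) squarings plus (popcount - 1) multiplications.
    For e = 5 (binary 101) that is x^2, x^4, x^5: three gates."""
    if e < 1:
        raise ValueError("exponent must be positive")
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def mul_gates_for_permutation(n_rounds, e=EXPONENT):
    """Nonlinear gates for the whole permutation; additions cost nothing in R1CS,
    so the exponent alone sets the per-round multiplication count."""
    return n_rounds * mul_gates_for_pow(e)


if __name__ == "__main__":
    consts = round_constants(ROUNDS)
    out = feistel_forward(1, 2, 3, consts)
    print("state after %d rounds: %s" % (ROUNDS, out))
    print("round trip ok:", feistel_inverse(*out, 3, consts) == (1, 2))
    print("multiplication gates for e=5, 152 rounds:", mul_gates_for_permutation(ROUNDS))
```

Because the structure is a Feistel network it is a permutation (the round trip in the test recovers the input), which is exactly the property that makes the hashing mode built on top of it, rather than the permutation itself, the thing to scrutinise; the warning in the next comment concerns that point.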

daira commented 6 years ago

Please hold off deploying LongsightF since there may be significant problems with it as a hash function (due to the truncated Feistel structure).

Edit: the problem is described in https://github.com/zcash/zcash/issues/2233#issuecomment-416648993 .

HarryR commented 6 years ago

Certainly. As you can see I have very limited understanding of some of the underlying math for Longsight/MiMC.

The only viable alternative I have at the moment is SHA256, and possibly the JubJub curve; will you let me know if there are any suitable alternatives?

Interesting functions: