bb::crypto::pedersen_hash_base< Curve > Class Template Reference

Performs pedersen hashes! More...

#include <pedersen.hpp>

Public Types
using	AffineElement = typename Curve::AffineElement
using	Element = typename Curve::Element
using	Fq = typename Curve::BaseField
using	Fr = typename Curve::ScalarField
using	Group = typename Curve::Group
using	GeneratorContext = typename crypto::GeneratorContext< Curve >

Static Public Member Functions
static Fq	hash (const std::vector< Fq > &inputs, GeneratorContext context={})
	Given a vector of fields, generate a pedersen hash using generators from context.
static Fq	hash_buffer (const std::vector< uint8_t > &input, GeneratorContext context={})
	Given an arbitrary length of bytes, convert them to fields and hash the result using the default generators.

Static Public Attributes
static constexpr AffineElement	length_generator

Static Private Member Functions
static std::vector< Fq >	convert_buffer (const std::vector< uint8_t > &input)
	Converts input uint8_t buffers into vector of field elements. Used to hash the Transcript in a SNARK-friendly manner for recursive circuits.

Detailed Description

template<typename Curve>
class bb::crypto::pedersen_hash_base< Curve >

Performs pedersen hashes!

To hash a size-n list of field elements v, we return the X-coordinate of:

 Hash(v) = n * [h] + Commit(v, g)

Where g is a list of generator points defined by generator_data And h is a unique generator whose domain separator is the string pedersen_hash_length.

The addition of n * [h] into the hash is to prevent length-extension attacks. It also ensures that the hash output is never the point at infinity.

It is neccessary that all generator points are linearly independent of one another, so that finding collisions is equivalent to solving the discrete logarithm problem. This is ensured via the generator derivation algorithm in generator_data

Definition at line 30 of file pedersen.hpp.

Member Typedef Documentation

AffineElement

template<typename Curve >

using bb::crypto::pedersen_hash_base< Curve >::AffineElement = typename Curve::AffineElement

Definition at line 32 of file pedersen.hpp.

Element

template<typename Curve >

using bb::crypto::pedersen_hash_base< Curve >::Element = typename Curve::Element

Definition at line 33 of file pedersen.hpp.

Fq

template<typename Curve >

using bb::crypto::pedersen_hash_base< Curve >::Fq = typename Curve::BaseField

Definition at line 34 of file pedersen.hpp.

Fr

template<typename Curve >

using bb::crypto::pedersen_hash_base< Curve >::Fr = typename Curve::ScalarField

Definition at line 35 of file pedersen.hpp.

GeneratorContext

template<typename Curve >

using bb::crypto::pedersen_hash_base< Curve >::GeneratorContext = typename crypto::GeneratorContext<Curve>

Definition at line 37 of file pedersen.hpp.

Group

template<typename Curve >

using bb::crypto::pedersen_hash_base< Curve >::Group = typename Curve::Group

Definition at line 36 of file pedersen.hpp.

Member Function Documentation

convert_buffer()

template<typename Curve >

std::vector< typename Curve::BaseField > bb::crypto::pedersen_hash_base< Curve >::convert_buffer ( const std::vector< uint8_t > &  input )

staticprivate

Converts input uint8_t buffers into vector of field elements. Used to hash the Transcript in a SNARK-friendly manner for recursive circuits.

buffer is an unstructured byte array we want to convert these into field elements prior to hashing. We do this by splitting buffer into 31-byte chunks.

Parameters

buffer

Returns

std::vector<Fq>

Definition at line 23 of file pedersen.cpp.

hash()

template<typename Curve >

Curve::BaseField bb::crypto::pedersen_hash_base< Curve >::hash ( const std::vector< Fq > &  inputs, GeneratorContext  context = {}  )

static

Given a vector of fields, generate a pedersen hash using generators from context.

context.offset is used to access offset elements of context.generators if required. e.g. if one desires to compute inputs[0] * [generators[hash_index]] +inputs[1] * [generators[hash_index + 1]]` + ... etc Potentially useful to ensure multiple hashes with the same domain separator cannot collide.

Note

Length inclusion for collision resistance: For a given commitment C = a*G1 + b*G2 + c*G3 we take an x-coordinate of C.x and use it as the hash. However, due to elliptic curve symmetry about the x-axis, for any x-coordinate, there are two points with that x-coordinate. This means -C has the same hash (x-coord) as C, and the tuple [-a, -b, -c] produces the same hash as [a, b, c].

This property makes the hash trivially not collision resistant without including the length. By including the length l, the commitment becomes: C = a*G1 + b*G2 + c*G3 + l*G_len

Since -l would be -3 (an extraordinarily large number that cannot be a valid preimage length), including the length protects against these collisions.

For more background, see: https://hackmd.io/@aztec-network/ryzn3JIu3#PedersenHash

Parameters

inputs	what are we hashing?
context	Stores generator metadata + context pointer to the generators we are using for this hash

Returns

Fq (i.e. SNARK circuit scalar field, when hashing using a curve defined over the SNARK circuit scalar field)

Definition at line 78 of file pedersen.cpp.

hash_buffer()

template<typename Curve >

Curve::BaseField bb::crypto::pedersen_hash_base< Curve >::hash_buffer ( const std::vector< uint8_t > &  input, GeneratorContext  context = {}  )

static

Given an arbitrary length of bytes, convert them to fields and hash the result using the default generators.

Definition at line 88 of file pedersen.cpp.

Member Data Documentation

length_generator

template<typename Curve >

constexpr AffineElement bb::crypto::pedersen_hash_base< Curve >::length_generator

inlinestaticconstexpr

Initial value:

=
        get_precomputed_generators<Group, "pedersen_hash_length", 1>()[0]

Definition at line 38 of file pedersen.hpp.

---

The documentation for this class was generated from the following files:

• src/barretenberg/crypto/pedersen_hash/pedersen.hpp
• src/barretenberg/crypto/pedersen_hash/pedersen.cpp