Are pedersen hashes of small inputs safe?

cn flag

I understand that the end result of a Pedersen Hash (like this one) is a point in an Elliptic Curve.

In the example implementation mentioned above, the input $M$ is split into chunks of 200 bits (the last one possibly being smaller). For each chunk, disconnected/random points in the Elliptic Curve are generated and the end result is a linear combination of those points, with the coefficients depending on the bits present in each chunk.

My question is: suppose I wanted to hash something 200 bits long. I would therefore only need one chunk and one generated point. Of course, this point would be multiplied by a scalar generated by the bits in the chunk to give the resulting hash. Would this be a “secure” hash? Or should I split $M$ into smaller chunks so as to have at least a minimum amount of different points to combine linearly?


in flag

A Pedersen hash only guarantees collision resistance. If you have a single base of prime order and an input smaller than that order, then the "hash" is one-to-one so it is perfectly collision-resistant.

However, using a hash in a non-compressing application is an almost-sure sign that your protocol relies on other/additional security properties to collision resistance. Depending on what those properties are, a Pedersen hash may not be appropriate at all for the application, regardless of how many bases are used.

I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.