Is it possible to get the negative point with −x in that version of the Pedersen hash over the BaybyJubJub curve?

user2284570

7/20/24, 2:16 PM

The Pedersen hash is a low constraints friendly hash for Zk-Snarks.
Unlike many algorithms, the Pedersen hash returns a point P = (x,y) on a curve as a hash. Depending on the selected curve, there can exist a fast deterministic way to compute a different input that yields −P=(x,−y) using the Weierstrass form or −P=(−x,y) in the twisted Edwards form like the case here with BabyJubJub.

But in the current variant that interests me, M is hashed into individual segments of 200Bits and each coordinate/hash is added over the BabyJubJub curve. But more importantly, each 200bits segment is seeded by a different static Montgomery point/initialisation vector.

Does the use of different initialisation vector, means it’s that time impossible to modify M to get −P from P even in the Edwards form ?
Also, is There are potentials issues with this approach where collisions can happen only possible if M’s length isn’t a multiple of 4 ?

0 + 0

cryptanalysis

elliptic-curves

collision-resistance

collision-attack

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is it possible to get the negative point with −x in that version of the Pedersen hash over the BaybyJubJub curve?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.