ZK Hash Function Cryptanalysis Bounties 2021
Ethereum Foundation
Help us understand the security of new hash functions better
Terms
Task: find X1, X2, Y1, Y2 such that
Perm(X1,X2,0)= (Y1,Y2,0)
where Perm is the inner sponge permutation (bijective mapping) of the hash function the challenge list.
Solutions should be sent to Dmitry Khovratovich dmitry.khovratovich@ethereum.org before November 30th 2022.
First come first win.
Within 1 month after the submission the authors should provide a technical report with the attack description, which should be released to the public domain at latest December 1st 2022. The code should be also made public before this date.
Total Bounty Budget -- $200 000.
Parameters are fixed on November 23d 2021.
Rescue Prime
p=18446744073709551557 ~ 2^64
m=3
alpha=3
Number of rounds N
Brute force attack complexity 2^64
We expect that a variant with s bits of security to withstand attacks of complexity up to 2^(1.5s) time (function calls) and memory.
Feistel-MIMC
p=18446744073709551557 ~ 2^64
alpha=3
Task: find X,Y such that Feistel-MiMC(X,0)=(Y,0)
Number of rounds r
Brute force attack complexity 2^64
We expect that a variant with s bits of security to withstand attacks of complexity up to 2^(2s) time (function calls) and memory.
The initial parameters were broken and were replaced.
Poseidon
p=18446744073709551557 ~ 2^64
d=3
t=3
Number of full rounds RF=8
Number of partial rounds RP varies (see below)
Brute force attack complexity 2^64
We expect that a variant with s bits of security to withstand attacks of complexity up to 2^(s+37) time (function calls) and memory.
Reinforced Concrete
Number of layers as in the original design
Different prime field
The best attack we have found for these variants is exhaustive search.
Groebner basis challenges might be declared additionally.
We expect that a variant with s bits of security to withstand attacks of complexity up to 2^(2s) time (function calls) and memory.