MiMC Hash Challenge Bounty

The Ethereum Foundation and Protocol Labs are offering rewards for finding collisions in MiMCSponge, a sponge construction instantiated with MiMC-Feistel over a prime field, targeting 128-bit and 80-bit security, on one of two fields described below.

Introduction

In 2017 Ethereum added support for BN254, a pairing-friendly elliptic-curve, via the Byzantium hard-fork, making it possible to verify SNARKs in a smart contract. Many applications use hashes both inside SNARKs and in smart contracts, calling for a hash function that is efficient in both cases.

Protocol Labs are using BLS12-381, a pairing-friendly elliptic-curve introduced by the ECC team.

MiMC has been initially introduced in a paper from 2016, as a cryptographic primitive with low multiplicative complexity, making it attractive for SNARKs, such as Groth16. One particular use of interest is a hash function based on a sponge construction instantiated with MiMC-Feistel permutation over a prime field.

While more low multiplicative complexity hash function have been published, MiMC is the earliest of the bunch and is already used in some applications on Ethereum.

Challenge Details

Rewards will be given for the following results:

BN254

BLS12-381

Reference code

Reference code for MiMCSponge on BN254 exists in the circomlib code base, where the constants for the hash are generated using this code. Participants are also encouraged to examine the MiMCSponge circuit code, the MiMC-Feistel EVM bytecode and the MiMCSponge Solidity code. Rewards for significant bugs in these may also be offered.

Submissions

Submissions should be sent to mimc-challenge@ethereum.org, and rewards will be given in USD, ETH or DAI. Submissions can not be anonymous.