As per §5.3 of https://eprint.iacr.org/2016/492.pdf

> Remember that for MiMC-n/n, d has to satisfy the condition gcd(d, 2^n − 1) = 1 in order to be a permutation, while in the case of MiMC-2n/n (that is, for Feistel Networks) this condition is not necessary.
>
> ...
>
> Thus, the number of rounds to guarantee the security against the algebraic attacks doesn’t change choosing exponent of the form 2^t + 1 for t > 1. That is, both from the security point of view and from the implementation one, there is no advantage to choose exponents of the form 2^t + 1 greater than 3.

I think it's safe to say that the current exponent 5 can be reduced to 3.

However, there is ambiguity in the MiMC paper...
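The gcd condition quoted from the paper decides whether x ↦ x^d is actually a permutation for a given field, and it depends on the field size, not only on d. The script below is an added example (not code from this issue, the project, or the MiMC paper): it evaluates gcd(d, 2^n − 1) = 1 for d = 3 and d = 5 over small binary fields and confirms the verdict exhaustively; the irreducible polynomials are constructed test parameters, and the prime-field variant (gcd(d, p − 1) = 1) is an added generalisation of the same criterion.

```python
from math import gcd

# Irreducible polynomials for the small binary fields used below. These are
# constructed test parameters for illustration, not the MiMC paper's fields.
IRREDUCIBLE = {4: 0b10011, 5: 0b100101, 6: 0b1000011}  # x^4+x+1, x^5+x^2+1, x^6+x+1

def gf2n_mul(a, b, n):
    """Multiply a and b in GF(2^n) (ints as bit vectors) modulo the field polynomial."""
    poly, top, r = IRREDUCIBLE[n], 1 << n, 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:          # reduce as soon as a term of degree n appears
            a ^= poly
    return r

def gf2n_pow(x, d, n):
    """x^d in GF(2^n) by square-and-multiply."""
    r = 1
    while d:
        if d & 1:
            r = gf2n_mul(r, x, n)
        x = gf2n_mul(x, x, n)
        d >>= 1
    return r

def is_permutation_exponent(d, group_order):
    """The paper's criterion: x -> x^d permutes the field iff gcd(d, |F*|) == 1,
    where |F*| is 2^n - 1 for GF(2^n) (and p - 1 for a prime field F_p)."""
    return gcd(d, group_order) == 1

def check_gf2n(d, n):
    """Return (gcd verdict, exhaustive verdict) for x -> x^d on GF(2^n); they must agree."""
    exhaustive = len({gf2n_pow(x, d, n) for x in range(1 << n)}) == (1 << n)
    return is_permutation_exponent(d, (1 << n) - 1), exhaustive

def check_prime(d, p):
    """Same comparison over the prime field F_p (added generalisation: gcd(d, p - 1))."""
    exhaustive = len({pow(x, d, p) for x in range(p)}) == p
    return is_permutation_exponent(d, p - 1), exhaustive

if __name__ == "__main__":
    for d in (3, 5):
        for n in (4, 5, 6):
            by_gcd, by_search = check_gf2n(d, n)
            print(f"GF(2^{n}), d={d}: gcd says {by_gcd}, exhaustive search says {by_search}")
        by_gcd, by_search = check_prime(d, 7)
        print(f"F_7, d={d}: gcd says {by_gcd}, exhaustive search says {by_search}")
```

Over binary fields, 3 divides 2^n − 1 exactly when n is even and 5 divides it exactly when 4 divides n, so the gcd check settles whether a candidate exponent is usable for a given field size before any round-count argument applies.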