Pedersen-hash

The Pedersen hash for the Ethereum Semaphore.

This is specified in Section 5.3.2 of https://github.com/appliedzkp/semaphore/blob/master/spec/Semaphore%20Spec.pdf and also, in more detail, in https://iden3-docs.readthedocs.io/en/latest/_downloads/4b929e0f96aef77b75bb5cfc0f832151/Pedersen-Hash.pdf. In the documentation of our formalization of Pedersen hash, we use "[ES]" (for "Ethereum Specification") to refer to the first and "[IS]" (for "Iden3 Specification") to refer to the second. There appear to be a few discrepancies between the two, although there should not be any; we will update our specification and documentation as these discrepancies are discussed and resolved.

Note that the Pedersen hash formalized here differs from the one in Zcash; in particular, this one uses 4-bit windows, while the one in Zcash uses 3-bit windows. Yet, the two share obvious characteristics. In the future, we may formalize a generic form of Pedersen hash, obtaining the Ethereum Semaphore one and the Zcash one by suitably instantiating and specializing the generic one.

Subtopics

Pedersen-scalar
The function that maps each message segment to a scalar.
Pedersen-generator
Generator points for Pedersen hash.
Pedersen-enc
Encode a window of 4 bits.
Pedersen-pad
Pedersen hash padding.
Pedersen
Point resulting from the Pedersen hash.
Pedersen-addend
Addend point in the sum that yields the Pedersen hash.