Question on AIMer Parameters



Sep 27, 2023, 8:12:56 AM
to KpqC-bulletin
Dear AIMer team,
I am writing to ask for the following parameters in the design of AIMer.
1- The commitment randomness.
2- The commitment hash function.
3- The internal compression functions and their output length.
4- The PRGs and their seed length.
Best regards,

Seongkwang Kim

Oct 4, 2023, 1:08:14 AM
to KpqC-bulletin
Dear Mairon,

Sorry for the late reply.
It was Chuseok, one of the biggest holidays in Korea.

Here are our answers to your questions.
1. We use "salt" as the randomness of the commitment scheme. As you might know, commitment in AIMer is basically a hash function evaluation, so it is deterministic. If the salt, repetition counter, party counter, and input are all the same, then the commit to them is always the same.
2. We use SHAKE-128 for 128-bit security, and SHAKE-256 for 192, 256-bit security. We use the foremost 2 * lambda bits of the outputs.
3. As SHAKE is a sponge-type XOF, there is no compression function. Is this what you mean?
4. There is no PRG in our document. However, if you mean "CommitAndExpand", the input of it is salt (2 * lambda bits), repetition counter (16 bits), party counter (16 bits), input (lambda bits), domain separation prefix (8 bits). So, the size is 3 * lambda + 40 bits.

If you have more questions, feel free to contact me or reply here.

Best regards,
Seongkwang Kim on behalf of the AIMer team

On Wednesday, September 27, 2023 at 9:12:56 PM UTC+9, Mairon wrote:
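The following sketch is an added example, not part of either message in this thread and not taken from the AIMer specification or reference code. It models the hashed input from answer 4 with the XOF choice and 2 * lambda-bit truncation from answer 2; the field order, the big-endian counter encoding, the prefix value and all function names are assumptions, and only the field sizes, the SHAKE variant per security level and the truncation come from the reply.

```python
import hashlib

# Security level lambda (bits) -> XOF, as stated in answer 2.
XOF = {128: hashlib.shake_128, 192: hashlib.shake_256, 256: hashlib.shake_256}

def commit_input(lam, prefix, salt, rep, party, value):
    """Serialize the fields listed in answer 4.
    Field order and big-endian counters are assumptions of this sketch."""
    if lam not in XOF:
        raise ValueError("lambda must be 128, 192 or 256")
    if len(salt) * 8 != 2 * lam:
        raise ValueError("salt must be 2 * lambda bits")
    if len(value) * 8 != lam:
        raise ValueError("input must be lambda bits")
    if not 0 <= prefix < 2**8:
        raise ValueError("domain separation prefix must fit in 8 bits")
    if not (0 <= rep < 2**16 and 0 <= party < 2**16):
        raise ValueError("counters must fit in 16 bits")
    msg = (bytes([prefix]) + salt + rep.to_bytes(2, "big")
           + party.to_bytes(2, "big") + value)
    # Total size given in the reply: 3 * lambda + 40 bits.
    if len(msg) * 8 != 3 * lam + 40:
        raise AssertionError("unexpected input length")
    return msg

def commit(lam, prefix, salt, rep, party, value):
    """Hash the serialized input and keep the first 2 * lambda bits."""
    msg = commit_input(lam, prefix, salt, rep, party, value)
    return XOF[lam](msg).digest(2 * lam // 8)

if __name__ == "__main__":
    PREFIX = 0x00  # hypothetical prefix value, constructed for this demo
    for lam in (128, 192, 256):
        salt = bytes(range(2 * lam // 8))   # constructed sample salt
        value = bytes(lam // 8)             # constructed sample input
        c1 = commit(lam, PREFIX, salt, 0, 0, value)
        c2 = commit(lam, PREFIX, salt, 0, 0, value)
        c3 = commit(lam, PREFIX, salt, 0, 1, value)
        bits_in = len(commit_input(lam, PREFIX, salt, 0, 0, value)) * 8
        print(f"lambda={lam}: input {bits_in} bits, commitment {len(c1) * 8} bits")
        print("  same fields -> same commitment:", c1 == c2)
        print("  other party counter -> other commitment:", c1 != c3)
```

Because the construction is deterministic, hiding rests entirely on the salt and input being unpredictable, and the counters and prefix keep commitments for different repetitions, parties and uses from colliding on the same hashed input.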