Dear Mairon,
Sorry for the late reply.
It was Chuseok, one of the biggest holidays in Korea.
Here are our answers to your questions.
1. We use "salt" as the randomness of the commitment scheme. As you might know, commitment in AIMer is basically a hash function evaluation, so it is deterministic. If the salt, repetition counter, party counter, and input are all the same, then the commitment to them is always the same.
2. We use SHAKE-128 for 128-bit security, and SHAKE-256 for 192, 256-bit security. We use the foremost 2 * lambda bits of the outputs.
3. As SHAKE is a sponge-type XOF, there is no compression function. Is this what you mean?
4. There is no PRG in our document. However, if you mean "CommitAndExpand", the input of it is salt (2 * lambda bits), repetition counter (16 bits), party counter (16 bits), input (lambda bits), domain separation prefix (8 bits). So, the size is 3 * lambda + 40 bits.
If you have more questions, feel free to contact me or reply here.
Best regards,
Seongkwang Kim on behalf of the AIMer team
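
The commitment described in answers 1, 2 and 4, as an added sketch that is not part of the original message and not AIMer reference code. Only the field sizes, the SHAKE variant per security level and the 2 * lambda-bit truncation come from the reply; the field order, the little-endian counter encoding, the prefix value and all function names are assumptions.

```python
import hashlib
import secrets

# Hypothetical domain-separation value; the reply only says it is 8 bits.
COMMIT_PREFIX = 0x00

def xof_for(lam):
    """SHAKE-128 for 128-bit security, SHAKE-256 for 192/256-bit (answer 2)."""
    if lam == 128:
        return hashlib.shake_128
    if lam in (192, 256):
        return hashlib.shake_256
    raise ValueError("lambda must be 128, 192 or 256")

def encode_input(lam, salt, rep, party, value):
    """Build the 3*lambda + 40 bit hash input (answer 4).
    Assumed layout: prefix || salt || rep || party || input."""
    if len(salt) != 2 * lam // 8:
        raise ValueError("salt must be 2*lambda bits")
    if len(value) != lam // 8:
        raise ValueError("input must be lambda bits")
    if not (0 <= rep < 1 << 16 and 0 <= party < 1 << 16):
        raise ValueError("counters must fit in 16 bits")
    return (bytes([COMMIT_PREFIX]) + salt
            + rep.to_bytes(2, "little") + party.to_bytes(2, "little") + value)

def commit(lam, salt, rep, party, value):
    """Deterministic commitment: first 2*lambda bits of the XOF output."""
    msg = encode_input(lam, salt, rep, party, value)
    return xof_for(lam)(msg).digest(2 * lam // 8)

def demo(lam=128):
    value = bytes(lam // 8)                    # constructed sample input
    salt = secrets.token_bytes(2 * lam // 8)   # fresh salt for one signature
    other_salt = bytes(b ^ 0xFF for b in salt) # a guaranteed-different salt
    same = commit(lam, salt, 0, 0, value) == commit(lam, salt, 0, 0, value)
    salt_matters = commit(lam, salt, 0, 0, value) != commit(lam, other_salt, 0, 0, value)
    party_matters = commit(lam, salt, 0, 0, value) != commit(lam, salt, 0, 1, value)
    return same, salt_matters, party_matters

if __name__ == "__main__":
    print(demo())
```

Because the hash is deterministic, the salt is the only thing that makes two commitments to the same input under the same counters differ.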
On Wednesday, September 27, 2023 at 9:12:56 PM UTC+9, Mairon wrote: