I am curious whether one can do a Pedersen commitment over $GF(2^n)$. One method I thought of was to use a prime-order multiplicative subgroup of $GF(2^n)$. But for efficiency and security, what would be an appropriate value of $n$ for a security strength of 128 bits?
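As an added illustration (not code from the question or from any of the commenters), here is the construction the question describes, in Python: a Pedersen commitment $C = g^m h^r$ inside a prime-order subgroup of the multiplicative group of $GF(2^n)$. The parameters are assumptions chosen for the example only: $n = 127$ with reduction polynomial $x^{127} + x + 1$ (irreducible over $GF(2)$), and $q = 2^{127} - 1$, which is prime, so the whole group $GF(2^{127})^*$ has prime order and the cofactor is 1; a toy $GF(2^8)$ instance with $q = 17$ shows the cofactor-clearing path. The derivation labels, class and function names are mine. The code shows only the mechanics of the commitment; it makes no claim that this $n$ gives 128-bit security, which is precisely the question the comments say is the hard part for binary fields.

```python
import hashlib
import secrets

# Assumed parameters (chosen for this example, not from the page):
#   n = 127, reduction polynomial x^127 + x + 1 (irreducible over GF(2)),
#   q = 2^127 - 1, a Mersenne prime, so GF(2^127)^* has prime order, cofactor 1.
# Field elements are ints whose bit i is the coefficient of x^i.
# This demonstrates the mechanics only; it does not claim 128-bit security.
N = 127
POLY = (1 << 127) | (1 << 1) | 1      # x^127 + x + 1
Q = (1 << 127) - 1                    # prime order of GF(2^127)^*


def gf_mul(a: int, b: int, n: int = N, poly: int = POLY) -> int:
    """Carry-less multiply a*b in GF(2^n), reduced modulo poly."""
    r, top = 0, 1 << n
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:          # degree reached n: replace x^n by the lower terms of poly
            a ^= poly
    return r


def gf_pow(a: int, e: int, n: int = N, poly: int = POLY) -> int:
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r


class PedersenGF2n:
    """Pedersen commitment C = g^m * h^r in the order-q subgroup of GF(2^n)^*."""

    def __init__(self, n: int = N, poly: int = POLY, q: int = Q):
        self.n, self.poly, self.q = n, poly, q
        group_order = (1 << n) - 1
        if group_order % q:
            raise ValueError("q must divide 2^n - 1")
        self.cofactor = group_order // q
        # g and h are derived from fixed labels ("nothing up my sleeve") so that
        # nobody knows log_g(h); an unknown log_g(h) is what makes it binding.
        self.g = self._hash_to_subgroup(b"pedersen-gf2n-g")   # label is an assumption
        self.h = self._hash_to_subgroup(b"pedersen-gf2n-h")   # label is an assumption

    def _hash_to_subgroup(self, label: bytes) -> int:
        """Hash to a nonzero field element, then raise to the cofactor so y^q == 1."""
        for ctr in range(1 << 16):
            d = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
            x = int.from_bytes(d, "big") & ((1 << self.n) - 1)
            if x == 0:
                continue
            y = gf_pow(x, self.cofactor, self.n, self.poly)
            if y != 1:          # y is a generator of the order-q subgroup (q prime)
                return y
        raise RuntimeError("no subgroup element found")

    def commit(self, m: int, r=None):
        """Commit to m in Z_q with randomness r in Z_q; returns (C, r)."""
        if r is None:
            r = secrets.randbelow(self.q)
        c = gf_mul(gf_pow(self.g, m % self.q, self.n, self.poly),
                   gf_pow(self.h, r % self.q, self.n, self.poly),
                   self.n, self.poly)
        return c, r

    def verify(self, c: int, m: int, r: int) -> bool:
        """Check the opening (m, r) against commitment c."""
        return self.commit(m, r)[0] == c

    def add(self, c1: int, c2: int) -> int:
        """Homomorphism: commit(m1,r1)*commit(m2,r2) == commit(m1+m2, r1+r2) mod q."""
        return gf_mul(c1, c2, self.n, self.poly)


def demo(n: int = N, poly: int = POLY, q: int = Q) -> dict:
    """Commit, open, reject a wrong opening, and check the homomorphism."""
    ped = PedersenGF2n(n, poly, q)
    m1, m2 = 12345 % q, 67890 % q          # constructed sample messages
    c1, r1 = ped.commit(m1)
    c2, r2 = ped.commit(m2)
    return {
        "generator_has_order_q": ped.g != 1 and gf_pow(ped.g, q, n, poly) == 1,
        "opens": ped.verify(c1, m1, r1),
        "wrong_message_opens": ped.verify(c1, (m1 + 1) % q, r1),
        "homomorphic": ped.add(c1, c2) == ped.commit((m1 + m2) % q, (r1 + r2) % q)[0],
    }


if __name__ == "__main__":
    print(demo())                  # GF(2^127) parameters above, cofactor 1
    print(demo(8, 0x11B, 17))      # toy GF(2^8): 2^8 - 1 = 15 * 17, cofactor 15
```

The message space is $\mathbb{Z}_q$, so the exponent reduction in `commit` is what makes the homomorphic check pass; the toy $GF(2^8)$ call exercises the cofactor-clearing step that the $n = 127$ parameters skip. Nothing here changes the security question: the comments point to recent binary-field discrete-log records, and a value of $n$ that resists those attacks is not something this code picks.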
- Pedersen commitments rely on the discrete logarithm being hard and that one had a ... more shaky security history in $GF(2^n)$ than $GF(p)$ (IIRC). – SEJPM Jan 16 '21 at 19:29
- Thanks. You are right, I just found the recent attack on $GF(2^{10000})$. – Sean Jan 16 '21 at 22:06
- The aftermath and considerations of the new record of 30750-Bit Binary Field Discrete Logarithm - 2020 – kelalaka Jan 17 '21 at 01:39
- I noticed that some recent zk proof systems such as Aurora (libiop) need a binary field. How would a Pedersen commitment work with such systems? – Sean Jan 17 '21 at 01:51