What is Pedersen Hash?

Pedersen Hash is used in the Pedersen commitments and the incremental Merkle tree of Zcash's Sapling upgrade. It is a hash function that is collision-resistant for inputs of a fixed length, but it is not collision-resistant for variable-length inputs. The reason it matters for SNARK (zero-knowledge proof) applications is cost: evaluating SHA-256 inside a circuit is expensive, whereas a Pedersen hash is a handful of fixed-base scalar multiplications on an elliptic curve and costs far fewer constraints, so it is much more efficient to prove.

The Pedersen hash function Pedersen(D,M) is defined on a personalization input, D, and the message, M, that we want to hash.

Security requirement: PedersenHash and PedersenHashToPoint are required to be collision-resistant between inputs of fixed length, for a given personalization input D. No other security properties commonly associated with hash functions are needed.
Non-normative note: These hash functions are not collision-resistant for variable-length inputs.

I would like to first confirm my understanding of the above statement:

  1. There is no way to cause a collision between Pedersen(D,M) and Pedersen(D’,N) where D is not equal to D’, for all M, N.
  2. If someone knew the personalization input D, he can use a message N with a different length than M to cause a collision (i.e. Pedersen(D,M) = Pedersen(D,N)).

1 is a stronger property than the spec claims. The spec claims nothing about collisions across different personalisations. If the hash were allowed to take zero-length inputs, then those would have the same hash for different personalisations, but actually it’s only defined on nonzero-length inputs. It is possible to prove -- although it isn’t proven in the spec -- that for such inputs, property 1 holds based on hardness of discrete log in the random oracle model (for BLAKE2b as the random oracle). The Zcash protocol never uses the hash with a variable-length input.

Note that if you want to use this hash for variable-length inputs, it is sufficient to prefix (not suffix) the input with a fixed-length encoding of the length.

All inputs to the Pedersen hash and to the Pedersen commitments are constructed from fixed-length field encodings.
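To make the two points in the thread above concrete (the spec's "collision-resistant only for fixed-length inputs" and the reply's "prefix, not suffix, a fixed-length encoding of the length"), here is an added toy implementation in Python. It is not code from the Zcash spec or from the forum thread. Instead of the Jubjub curve it uses the order-q subgroup of Z_p^* for a 64-bit safe prime p = 2q + 1, written multiplicatively (a product of powers stands in for a sum of scalar multiples); everything else that matters for the collision question follows the spec's structure: generators derived from the personalization D with BLAKE2b, zero-padding of the message to a multiple of 3 bits, the chunk encoding into ±{1, ..., 4}, and per-segment scalars. The personalization string, the 16-bit length prefix, the 64-bit parameters and CHUNKS_PER_SEGMENT = 14 (the spec uses 63 on Jubjub) are all assumptions chosen for the demo.

```python
"""Toy Pedersen hash: added example, NOT Zcash code.

Group: order-q subgroup of Z_p^* for a safe prime p = 2q + 1 (assumption,
stands in for Jubjub). Generators per personalization D come from BLAKE2b.
Chunk encoding and zero-padding follow the Zcash spec; CHUNKS_PER_SEGMENT
is shrunk from 63 to 14 (assumption) so segment scalars stay well below q.
"""
import hashlib
import random

CHUNKS_PER_SEGMENT = 14   # toy value; the spec uses 63 chunks per segment


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a fixed-seed base sequence so the demo is deterministic."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits: int, seed: int):
    """Deterministically find p = 2q + 1 with p and q prime (toy parameters)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = _safe_prime(64, seed=7)


def generator(D: bytes, i: int) -> int:
    """i-th generator for personalization D (stand-in for the spec's GroupHash):
    hash D || i || counter with BLAKE2b into Z_p^*, square into the order-q subgroup."""
    ctr = 0
    while True:
        h = hashlib.blake2b(D + i.to_bytes(4, "little") + ctr.to_bytes(4, "little"),
                            digest_size=16).digest()
        g = pow(int.from_bytes(h, "little") % P, 2, P)
        if g > 1:            # 0 is not in the group and 1 has order 1; retry
            return g
        ctr += 1


def _encode_chunk(s0: int, s1: int, s2: int) -> int:
    """Spec encoding of a 3-bit chunk: (1 - 2*s2) * (1 + s0 + 2*s1) in {+-1..+-4}.
    A chunk itself never contributes zero; zero PADDING is the problem."""
    return (1 - 2 * s2) * (1 + s0 + 2 * s1)


def pedersen_hash(D: bytes, bits) -> int:
    """PedersenHash(D, M) for a bit list M: pad with zeros to a multiple of 3,
    pack encoded chunks into per-segment scalars (base 16), combine each
    segment's generator^scalar. Returns a group element as an int mod p."""
    bits = list(bits)
    if not bits:
        raise ValueError("PedersenHash is only defined on nonzero-length inputs")
    bits += [0] * (-len(bits) % 3)
    chunks = [tuple(bits[j:j + 3]) for j in range(0, len(bits), 3)]
    acc = 1
    for start in range(0, len(chunks), CHUNKS_PER_SEGMENT):
        segment = chunks[start:start + CHUNKS_PER_SEGMENT]
        scalar = sum(_encode_chunk(*c) << (4 * j) for j, c in enumerate(segment))
        acc = acc * pow(generator(D, start // CHUNKS_PER_SEGMENT), scalar % Q, P) % P
    return acc


def length_prefixed_hash(D: bytes, bits, length_bits: int = 16) -> int:
    """The thread's fix for variable-length use: PREFIX (never suffix) a
    fixed-length big-endian encoding of the bit length. 16 bits is an assumption."""
    n = len(bits)
    if n >= 1 << length_bits:
        raise ValueError("input too long for the length prefix")
    prefix = [(n >> (length_bits - 1 - k)) & 1 for k in range(length_bits)]
    return pedersen_hash(D, prefix + list(bits))


def bits_of(s: str):
    """'101' -> [1, 0, 1]"""
    return [int(ch) for ch in s]


if __name__ == "__main__":
    D = b"Zcash_PH"   # constructed personalization string, not one from the spec
    a, b, c = (pedersen_hash(D, bits_of(m)) for m in ("1", "10", "100"))
    print("padding collision across lengths:", a == b == c)            # True
    a, b, c = (length_prefixed_hash(D, bits_of(m)) for m in ("1", "10", "100"))
    print("distinct once the length is prefixed:", len({a, b, c}) == 3)  # True
```

The collision needs no discrete-log work at all: "1", "10" and "100" are padded to the same 3-bit chunk (1,0,0) before any group operation happens, which is exactly why the spec only claims collision resistance between inputs of one fixed length. With the length in front, the first chunks already differ, and because the ±{1..4} base-16 packing is injective and every segment scalar is far smaller than q, distinct fixed-length inputs map to distinct scalars on the same generator; finding a collision there would mean finding a non-trivial relation between independently derived generators, i.e. a discrete logarithm.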

References:
1. Zcash protocol specification
2. https://forum.zcashcommunity.com/t/pedersen-hash-collision-resistance/33586
