MiMC is a block cipher and hash function family designed specifically for SNARK applications. The low multiplicative complexity of MiMC over prime fields makes it suitable for ZK-SNARK applications such as Zcash.
The core component of MiMC is the function f(x) = x^3. The computation of this function takes place in GF(q), where q = p or q = 2^n for a prime number p and a natural number n.
There exist two variants of MiMC, namely MiMC-n/n (or MiMC-p/p for prime fields) and MiMC-2n/n (or MiMC-2p/p for prime fields), where the latter is built using a Feistel construction.
For an n-bit key, the key scheduling adds the same n-bit key at each round and is followed by the round constant addition. For a 2n-bit key, the two n-bit keys are added alternately.
The precise definition of the round function of MiMC and all other details can be found in the paper.
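The following Python sketch of MiMC-p/p is an added example, not code from the paper or from any MiMC implementation. It follows the structure described above (cube, same key every round, round constant addition). Assumptions: the prime 2^64 - 59 is chosen only for illustration, the round count ceil(log_3 p) and the final key addition are taken from the MiMC design as commonly stated, and the round constants are constructed here from SHA-256.

```python
import hashlib
from math import gcd

P = 2**64 - 59  # illustrative prime (assumption), p = 2 mod 3
# x -> x^3 is a permutation of GF(p) only when gcd(3, p - 1) = 1
assert gcd(3, P - 1) == 1

def num_rounds(p):
    """Smallest r with 3^r >= p, i.e. ceil(log_3 p) (assumed round count)."""
    r, acc = 0, 1
    while acc < p:
        acc *= 3
        r += 1
    return r

def round_constants(p, rounds, seed=b"example-mimc-constants"):
    """Constructed constants: c_0 = 0, the rest from SHA-256(seed || i) mod p."""
    cs = [0]
    for i in range(1, rounds):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        cs.append(int.from_bytes(digest, "big") % p)
    return cs

ROUNDS = num_rounds(P)
CONSTANTS = round_constants(P, ROUNDS)

# Exponent d with 3*d = 1 mod (p - 1), so (x^3)^d = x in GF(p)
CUBE_ROOT_EXP = pow(3, -1, P - 1)

def encrypt(x, k):
    """Each round adds the same key k and a round constant, then cubes."""
    for c in CONSTANTS:
        x = pow((x + k + c) % P, 3, P)
    return (x + k) % P  # final key addition

def decrypt(y, k):
    """Undo the rounds in reverse order using cube roots in GF(p)."""
    y = (y - k) % P
    for c in reversed(CONSTANTS):
        y = (pow(y, CUBE_ROOT_EXP, P) - k - c) % P
    return y
```

Encryption costs two field multiplications per round, while decryption needs an exponentiation with an exponent about as large as p in every round.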
Since its publication in 2016, no attack on full-round MiMC-n/n or MiMC-p/p has been found. The only third-party analysis published concerns an interpolation attack on reduced-round MiMC in a low-memory scenario.
In a paper to be published at Asiacrypt 2019, researchers including some of the original authors of MiMC reevaluate the security of the construction against Gröbner basis attacks, and conclude that this attack vector is not applicable to MiMC.
The Feistel approach of MiMC (i.e., MiMC-2n/n and MiMC-2p/p) is vulnerable to an attack recently presented at SAC 2019, which does not depend on the specific round function of MiMC-2n/n and MiMC-2p/p, but rather on its key schedule. Note, however, that this attack is not applicable to MiMC-n/n and MiMC-p/p, which, to the best of our knowledge, are the only versions of MiMC currently being used. Moreover, the attack only applies to the block cipher mode of MiMC, and not to the hash function. Indeed, also in the sources listed below, MiMC always refers to the Even-Mansour approach of MiMC, which is not vulnerable. If one still wants to implement the Feistel version of MiMC, a small tweak to the key schedule prevents the attack. For example, one could use the key (i * k) in round i instead of always repeating the same key (this key schedule is also linear).
Due to its simple approach and the absence of any attacks since its publication, MiMC has been considered for use in various scenarios that benefit from its algebraic structure. For example, it can be used as a verifiable delay function (here and here). It is also currently being evaluated as a candidate for Zcash.