Poseidon2: A Faster Version of the Poseidon Hash Function

Conference paper, Progress in Cryptology - AFRICACRYPT 2023 (AFRICACRYPT 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14064)

Abstract

Zero-knowledge proof systems for computational integrity have seen a rise in popularity in the last couple of years. One result of this development is the ongoing effort to design so-called arithmetization-friendly hash functions in order to make these proofs more efficient. One of these new hash functions, Poseidon, is extensively used in this context, also thanks to being one of the first constructions tailored to this use case. Many of the design principles of Poseidon have proven to be efficient and were later used in other primitives, yet parts of the construction have turned out to be expensive in real-world scenarios.

In this paper, we propose an optimized version of Poseidon, called Poseidon2. The two versions differ in two crucial points. First, Poseidon is a sponge hash function, while Poseidon2 can be either a sponge or a compression function, depending on the use case. Secondly, Poseidon2 is instantiated with new and more efficient linear layers compared to Poseidon. These changes decrease the number of multiplications in the linear layer by up to 90% and the number of constraints in Plonk circuits by up to 70%. This makes Poseidon2 the currently fastest arithmetization-oriented hash function without lookups.

Besides that, we address a recently proposed algebraic attack and propose a simple modification that makes both Poseidon and Poseidon2 secure against this approach.

Notes

  1. We assume that the output consists of at least \(2 \kappa / \log_2(p)\) elements in order to prevent birthday-bound attacks.

  2. The attack presented in [6] is prevented if \(\binom{\mathcal{V} + D_{\text{reg}}}{D_{\text{reg}}}^2 \ge 2^M\), where \(\mathcal{V} = (R_F - 2) \cdot t + R_P + 2r\) and \(D_{\text{reg}} \approx r \cdot \frac{R_F}{2} + R_P + \alpha\). We remark that, to the best of our knowledge, this attack does not affect the instances considered in this paper.

  3. https://github.com/HorizenLabs/poseidon2.

  4. \(p_{\text{BLS12}} = \texttt{0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}\), \(p_{\text{Goldilocks}} = \texttt{0xffffffff00000001}\), \(p_{\text{Babybear}} = \texttt{0x78000001}\).
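The two parameter conditions stated in notes 1 and 2, carried out as an added worked example. This is not code from the paper or from the HorizenLabs/poseidon2 repository. The primes are the ones quoted in note 4; the round numbers (t, R_F, R_P, r, α, M) fed to the check at the bottom are illustrative values assumed for this example, not the paper's instances, and r is used purely as the symbol the note uses.

```python
"""Parameter sanity checks derived from the footnotes of the Poseidon2 paper.

Added example, not code from the paper or the HorizenLabs/poseidon2 repository.
It implements the two conditions the notes state:

  Note 1: the hash output must hold at least 2*kappa / log2(p) field elements,
          otherwise a birthday attack beats the kappa-bit target.
  Note 2: the algebraic attack of [6] is prevented when
          C(V + D_reg, D_reg)^2 >= 2^M, with
          V = (R_F - 2)*t + R_P + 2r  and  D_reg ~ r*R_F/2 + R_P + alpha.

The round numbers used under __main__ are illustrative values chosen for this
example; they are NOT the instances from the paper.
"""
from math import comb, log2

# Field primes quoted in note 4 of the paper.
P_BLS12 = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
P_GOLDILOCKS = 0xffffffff00000001
P_BABYBEAR = 0x78000001


def min_output_elements(kappa: int, p: int) -> int:
    """Smallest n with p**n >= 2**(2*kappa), i.e. n >= 2*kappa / log2(p).

    Exact integer arithmetic, so a prime just below a power of two is not
    rounded up to that power of two by floating point.
    """
    target = 1 << (2 * kappa)
    n, acc = 0, 1
    while acc < target:
        acc *= p
        n += 1
    return n


def output_bits(p: int, n: int) -> float:
    """Collision-relevant entropy of n field elements, n * log2(p), in bits."""
    return n * log2(p)


def groebner_bound(t: int, r_f: int, r_p: int, r: int, alpha: int, m: int) -> dict:
    """Evaluate the note-2 condition for one parameter set.

    Returns V, D_reg, log2 of C(V + D_reg, D_reg)^2 and whether that reaches
    the security level m. R_F must be even (Poseidon splits the full rounds
    into two equal halves), so r * R_F / 2 is an integer here.
    """
    if r_f % 2:
        raise ValueError("R_F must be even")
    v = (r_f - 2) * t + r_p + 2 * r
    d_reg = r * (r_f // 2) + r_p + alpha          # the note's approximation of D_reg
    binom = comb(v + d_reg, d_reg)                # exact integer, no overflow
    return {
        "V": v,
        "D_reg": d_reg,
        "log2_cost": 2 * log2(binom),             # log2 of C(...)^2
        "secure": binom ** 2 >= (1 << m),
    }


if __name__ == "__main__":
    for name, p in (("BLS12", P_BLS12), ("Goldilocks", P_GOLDILOCKS), ("BabyBear", P_BABYBEAR)):
        n = min_output_elements(128, p)
        print(f"{name:10s}: {n} output elements for kappa=128 "
              f"(one fewer gives {output_bits(p, n - 1):.10f} bits)")
    # Illustrative round numbers, NOT the paper's instances.
    print(groebner_bound(t=3, r_f=8, r_p=56, r=1, alpha=5, m=128))
    print(groebner_bound(t=2, r_f=2, r_p=0, r=1, alpha=3, m=128))
```

The Goldilocks result deserves a look: because \(p_{\text{Goldilocks}}\) lies slightly below \(2^{64}\), four elements carry 256 bits minus roughly \(1.3 \cdot 10^{-9}\) bit, so the strict reading of note 1 asks for five elements at \(\kappa = 128\); output_bits exposes that deficit so a deployment that settles on four elements does so knowingly. The note-2 check compares exact integers rather than floating-point logarithms, so it stays correct for round counts where \(2^M\) and the binomial no longer fit in a double.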

References

  1. Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13

  2. Albrecht, M.R., Grassi, L., Perrin, L., Ramacher, S., Rechberger, C., Rotaru, D., Roy, A., Schofnegger, M.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8

  3. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7

  4. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020)

  5. Ambrona, M., Schmitt, A., Toledo, R.R., Willems, D.: New optimization techniques for PlonK's arithmetization. IACR Cryptol. ePrint Arch., p. 462 (2022)

  6. Ashur, T., Buschman, T., Mahzoun, M.: Algebraic cryptanalysis of POSEIDON. IACR Cryptol. ePrint Arch., p. 537 (2023)

  7. Aumasson, J.P., Khovratovich, D., Mennink, B., Quine, P.: SAFE (sponge API for field elements) - a toolbox for ZK hash applications (2022). https://hackmd.io/bHgsH6mMStCVibM_wYvb2w

  8. Bariant, A., Bouvier, C., Leurent, G., Perrin, L.: Algebraic attacks against some arithmetization-oriented primitives. IACR Trans. Symmetric Cryptol. 2022(3), 73–101 (2022)

  9. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast Reed-Solomon interactive oracle proofs of proximity. In: 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018). Leibniz International Proceedings in Informatics (LIPIcs), vol. 107, pp. 14:1–14:17. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2018)

  10. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/46 (2018)

  11. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23

  12. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  13. Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11

  14. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1

  15. Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_21

  16. Bouvier, C., et al.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi permutations and Jive compression mode. IACR Cryptol. ePrint Arch., p. 840 (2022)

  17. Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20

  18. Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39

  19. Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symmetric Cryptol. 2018(2), 48–78 (2018)

  20. Faugère, J., Gianni, P.M., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)

  21. Gabizon, A., Williamson, Z.J.: Turbo-PLONK (2022). https://docs.zkproof.org/pages/standards/accepted-workshop3/proposal-turbo_plonk.pdf

  22. Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019)

  23. Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: A new Feistel approach meets fluid-SPN: Griffin for zero-knowledge applications. IACR Cryptol. ePrint Arch., p. 403 (2022)

  24. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: POSEIDON: a new hash function for zero-knowledge proof systems. In: USENIX Security Symposium, pp. 519–535. USENIX Association (2021)

  25. Grassi, L., Khovratovich, D., Rønjom, S., Schofnegger, M.: The Legendre symbol and the modulo-2 operator in symmetric schemes over \(\mathbb{F}_p^n\): preimage attack on full Grendel. IACR Trans. Symmetric Cryptol. 2022(1), 5–37 (2022)

  26. Grassi, L., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: POSEIDON: a new hash function for zero-knowledge proof systems. IACR Cryptol. ePrint Arch., p. 458 (2019)

  27. Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23

  28. Grassi, L., Onofri, S., Pedicini, M., Sozzi, L.: Invertible quadratic non-linear layers for MPC-/FHE-/ZK-friendly schemes over \(\mathbb{F}_p^n\): application to POSEIDON. IACR Trans. Symmetric Cryptol. 2022(3), 20–72 (2022)

  29. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016)

  30. Grassi, L., Rechberger, C., Schofnegger, M.: Proving resistance against infinitely long subspace trails: how to choose the linear layer. IACR Trans. Symmetric Cryptol. 2021(2), 314–352 (2021)

  31. Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23

  32. Horizen Labs: ginger-lib: a Rust library for recursive SNARKs using Darlin (2022). https://github.com/HorizenOfficial/ginger-lib

  33. IAIK: Hash functions for zero-knowledge applications Zoo (2021). https://extgit.iaik.tugraz.at/krypto/zkfriendlyhashzoo. IAIK, Graz University of Technology

  34. Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052332

  35. Keller, N., Rosemarin, A.: Mind the middle layer: the HADES design strategy revisited. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 35–63. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_2

  36. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16

  37. Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka v2 - efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol. 2016(2), 1–29 (2016)

  38. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33

  39. Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_16

  40. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21

  41. Polygon: Introducing Plonky2 (2022). https://blog.polygon.technology/introducing-plonky2/

  42. Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_31

  43. RISC Zero: RISC Zero: general-purpose verifiable computing (2023). https://www.risczero.com/

  44. Sauer, J.F., Szepieniec, A.: SoK: Gröbner basis algorithms for arithmetization oriented ciphers. IACR Cryptol. ePrint Arch., p. 870 (2021)

  45. Szepieniec, A.: On the use of the Legendre symbol in symmetric cipher design. IACR Cryptol. ePrint Arch., p. 984 (2021)

  46. Szepieniec, A., Lemmens, A., Sauer, J.F., Threadbare, B.: The Tip5 hash function for recursive STARKs. Cryptology ePrint Archive, Paper 2023/107 (2023). https://eprint.iacr.org/2023/107

  47. Zcash: halo2 (2022). https://zcash.github.io/halo2/index.html

Acknowledgements

We thank Nicholas Mainardi for making improvements to the original code. We also thank the anonymous reviewers for their helpful suggestions.

Author information

Corresponding author: Markus Schofnegger.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Grassi, L., Khovratovich, D., Schofnegger, M. (2023). Poseidon2: A Faster Version of the Poseidon Hash Function. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds) Progress in Cryptology - AFRICACRYPT 2023. AFRICACRYPT 2023. Lecture Notes in Computer Science, vol 14064. Springer, Cham. https://doi.org/10.1007/978-3-031-37679-5_8

  • DOI: https://doi.org/10.1007/978-3-031-37679-5_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37678-8

  • Online ISBN: 978-3-031-37679-5
