Abstract
Zero-knowledge proof systems for computational integrity have seen a rise in popularity in the last couple of years. One of the results of this development is the ongoing effort in designing so-called arithmetization-friendly hash functions in order to make these proofs more efficient. One of these new hash functions, Poseidon, is extensively used in this context, also thanks to being one of the first constructions tailored towards this use case. Many of the design principles of Poseidon have proven to be efficient and were later used in other primitives, yet parts of the construction have shown to be expensive in real-word scenarios.
In this paper, we propose an optimized version of Poseidon, called Poseidon2. The two versions differ in two crucial points. First, Poseidon is a sponge hash function, while Poseidon2 can be either a sponge or a compression function depending on the use case. Secondly, Poseidon2 is instantiated by new and more efficient linear layers with respect to Poseidon. These changes allow to decrease the number of multiplications in the linear layer by up to \(90\%\) and the number of constraints in Plonk circuits by up to \(70\%\). This makes Poseidon2 the currently fastest arithmetization-oriented hash function without lookups.
Besides that, we address a recently proposed algebraic attack and propose a simple modification that makes both Poseidon and Poseidon2 secure against this approach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We assume that the output consists of at least \(2 \kappa / \log _2(p)\) elements in order to prevent birthday bound attacks.
- 2.
The attack presented in [6] is prevented if \( \left( {\begin{array}{c}\mathcal V + D_{\text {reg}}\\ D_{\text {reg}}\end{array}}\right) ^2 \ge 2^M\), where \(\mathcal V = (R_F -2)\cdot t + R_P + 2r\) and \(D_{\text {reg}} \approx r\cdot \frac{R_F}{2} + R_P + \alpha \). We remark that – to the best of our knowledge – this attack does not affect the instances considered in this paper.
- 3.
- 4.
\(p_\text {BLS12} = \texttt {0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001}\),
\(p_\text {Goldilocks} = \texttt {0xffffffff00000001}\), \(p_\text {Babybear} = \texttt {0x78000001}\).
References
Albrecht, M.R., et al.: Algebraic cryptanalysis of STARK-friendly designs: application to MARVELlous and MiMC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 371–397. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_13
Albrecht, M.R., Grassi, L., Perrin, L., Ramacher, S., Rechberger, C., Rotaru, D., Roy, A., Schofnegger, M.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8
Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_7
Aly, A., Ashur, T., Eli Ben-Sasson, Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020)
Ambrona, M., Schmitt, A., Toledo, R.R., Willems, D.: New optimization techniques for PlonK’s arithmetization. IACR Cryptol. ePrint Arch., p. 462 (2022)
Ashur, T., Buschman, T., Mahzoun, M.: Algebraic cryptanalysis of POSEIDON. IACR Cryptol. ePrint Arch., p. 537 (2023)
Aumasson, J.P., Khovratovich, D., Mennink, B., Quine, P.: SAFE (sponge API for field elements) - a toolbox for ZK hash applications (2022). https://hackmd.io/bHgsH6mMStCVibM_wYvb2w
Bariant, A., Bouvier, C., Leurent, G., Perrin, L.: Algebraic attacks against some arithmetization-oriented primitives. IACR Trans. Symmetric Cryptol. 2022(3), 73–101 (2022)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast reed-solomon interactive oracle proofs of proximity. In: 45th International Colloquium on Automata, Languages, and Programming (ICALP 2018). Leibniz International Proceedings in Informatics (LIPIcs), vol. 107, pp. 14:1–14:17. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/46 (2018)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable zero knowledge with no trusted setup. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 701–732. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_23
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_1
Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_21
Bouvier, C., et al.: New design techniques for efficient arithmetization-oriented hash functions: anemoi permutations and jive compression mode. IACR Cryptol. ePrint Arch., p. 840 (2022)
Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_20
Damgård, I.B.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_39
Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symmetric Cryptol. 2018(2), 48–78 (2018)
Faugère, J., Gianni, P.M., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symb. Comput. 16(4), 329–344 (1993)
Gabizon, A., Williamson, Z.J.: Turbo-PLONK (2022). https://docs.zkproof.org/pages/standards/accepted-workshop3/proposal-turbo_plonk.pdf
Gabizon, A., Williamson, Z.J., Ciobotaru, O.: PLONK: permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, Report 2019/953 (2019)
Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: A new feistel approach meets fluid-SPN: griffin for zero-knowledge applications. IACR Cryptol. ePrint Arch., p. 403 (2022)
Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: POSEIDON: a new hash function for zero-knowledge proof systems. In: USENIX Security Symposium, pp. 519–535. USENIX Association (2021)
Grassi, L., Khovratovich, D., Rønjom, S., Schofnegger, M.: The legendre symbol and the modulo-2 operator in symmetric schemes over \({\mathbb{F} _p}^n\) preimage attack on full grendel. IACR Trans. Symmetric Cryptol. 2022(1), 5–37 (2022)
Grassi, L., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: POSEIDON: a new hash function for zero-knowledge proof systems. IACR Cryptol. ePrint Arch., p. 458 (2019)
Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23
Grassi, L., Onofri, S., Pedicini, M., Sozzi, L.: Invertible quadratic non-linear layers for MPC-/FHE-/ZK-friendly schemes over \({\mathbb{F} _p}^n\) application to POSEIDON. IACR Trans. Symmetric Cryptol. 2022(3), 20–72 (2022)
Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016)
Grassi, L., Rechberger, C., Schofnegger, M.: Proving resistance against infinitely long subspace trails: how to choose the linear layer. IACR Trans. Symmetric Cryptol. 2021(2), 314–352 (2021)
Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23
Horizen Labs: ginger-lib: a RUST library for recursive SNARKs using Darlin (2022). https://github.com/HorizenOfficial/ginger-lib
IAIK: Hash functions for Zero-Knowledge applications Zoo (2021). https://extgit.iaik.tugraz.at/krypto/zkfriendlyhashzoo. IAIK, Graz University of Technology
Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052332
Keller, N., Rosemarin, A.: Mind the middle layer: the HADES design strategy revisited. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 35–63. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_2
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Kölbl, S., Lauridsen, M.M., Mendel, F., Rechberger, C.: Haraka v2 - efficient short-input hashing for post-quantum applications. IACR Trans. Symmetric Cryptol. 2016(2), 1–29 (2016)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: cryptanalysis of reduced whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_16
Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_21
Polygon: Introducing Plonky2 (2022). https://blog.polygon.technology/introducing-plonky2/
Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: a synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_31
RISC Zero: RISC Zero: General-Purpose Verifiable Computing (2023). https://www.risczero.com/
Sauer, J.F., Szepieniec, A.: SoK: Gröbner basis algorithms for arithmetization oriented ciphers. IACR Cryptol. ePrint Arch., p. 870 (2021)
Szepieniec, A.: On the use of the legendre symbol in symmetric cipher design. IACR Cryptol. ePrint Arch., p. 984 (2021)
Szepieniec, A., Lemmens, A., Sauer, J.F., Threadbare, B.: The Tip5 hash function for recursive STARKs. Cryptology ePrint Archive, Paper 2023/107 (2023). https://eprint.iacr.org/2023/107
Zcash: halo2 (2022). https://zcash.github.io/halo2/index.html
Acknowledgements
We thank Nicholas Mainardi for making improvements to the original code. We also thank the anonymous reviewers for their helpful suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Grassi, L., Khovratovich, D., Schofnegger, M. (2023). Poseidon2: A Faster Version of the Poseidon Hash Function. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds) Progress in Cryptology - AFRICACRYPT 2023. AFRICACRYPT 2023. Lecture Notes in Computer Science, vol 14064. Springer, Cham. https://doi.org/10.1007/978-3-031-37679-5_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-37679-5_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37678-8
Online ISBN: 978-3-031-37679-5
eBook Packages: Computer ScienceComputer Science (R0)