Starkad and Poseidon: New Hash Functions for Zero Knowledge Proof Systems

The area of practical computational integrity proof systems, like SNARKs, STARKs, Bulletproofs, is seeing a very dynamic development with several constructions appeared in 2019 with improved properties and relaxed setup requirements. Many use cases of such systems involve, often as their most expensive apart, proving the knowledge of a preimage under a certain cryptographic hash function, which is expressed as a circuit over a large prime (sometimes binary) field. A zero-knowledge proof of coin ownership in the Zcash cryptocurrency is a notable example, where the inadequacy of SHA-256 hash function for such a circuit caused a huge computational penalty. In this paper, we present a modular framework and concrete instances of cryptographic hash functions which either work natively with GF (p) objects or on binary field elements. Our GF (p) hash-function Poseidon uses up to 8x fewer constraints per message bit than Pedersen Hash, whereas our binary hash-function Starkad wins by a substantial margin over the other recent designs. Our construction is not only expressed compactly as a circuit, but also can be tailored for various proof systems using specially crafted polynomials, thus bringing another boost in performance. We demonstrate this by implementing a 1-out-of-a-billion membership proof using Merkle-trees in less than a second.

[1]  Martin R. Albrecht,et al.  Algebraic Cryptanalysis of STARK-Friendly Designs: Application to MARVELlous and MiMC , 2019, IACR Cryptol. ePrint Arch..

[2]  Alexander Vlasov,et al.  RedShift: Transparent SNARKs from List Polynomial Commitment IOPs , 2019, IACR Cryptol. ePrint Arch..

[3]  Ian Goldberg,et al.  Constant-Size Commitments to Polynomials and Their Applications , 2010, ASIACRYPT.

[4]  Vincent Rijmen,et al.  Rebound Distinguishers: Results on the Full Whirlpool Compression Function , 2009, ASIACRYPT.

[5]  Ariel Gabizon,et al.  PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge , 2019, IACR Cryptol. ePrint Arch..

[6]  Martin R. Albrecht,et al.  MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity , 2016, ASIACRYPT.

[7]  B. Salvy,et al.  Asymptotic Behaviour of the Index of Regularity of Quadratic Semi-Regular Polynomial Systems , 2022 .

[8]  Vincent Rijmen,et al.  The Block Cipher Square , 1997, FSE.

[9]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[10]  Kaisa Nyberg,et al.  Differentially Uniform Mappings for Cryptography , 1994, EUROCRYPT.

[11]  Eli Ben-Sasson,et al.  Design of Symmetric-Key Primitives for Advanced Cryptographic Protocols , 2020, IACR Trans. Symmetric Cryptol..

[12]  Florian Mendel,et al.  The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl , 2009, FSE.

[13]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[14]  Mary Maller,et al.  Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS , 2020, IACR Cryptol. ePrint Arch..

[15]  Dragos Rotaru,et al.  On a Generalization of Substitution-Permutation Networks: The HADES Design Strategy , 2020, IACR Cryptol. ePrint Arch..

[16]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[17]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[18]  Gregor Leander,et al.  A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack , 2011, CRYPTO.

[19]  Lars R. Knudsen,et al.  The Interpolation Attack on Block Ciphers , 1997, FSE.

[20]  Tomer Ashur,et al.  MARVELlous: a STARK-Friendly Family of Cryptographic Primitives , 2018, IACR Cryptol. ePrint Arch..

[21]  Markulf Kohlweiss,et al.  Sonic: Zero-Knowledge SNARKs from Linear-Size Universal and Updatable Structured Reference Strings , 2019, IACR Cryptol. ePrint Arch..

[22]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[23]  Itai Dinur,et al.  Linear Equivalence of Block Ciphers with Partial Non-Linear Layers: Application to LowMC , 2019, IACR Cryptol. ePrint Arch..

[24]  Anne Canteaut,et al.  Higher-Order Differential Properties of Keccak and Luffa , 2011, FSE.

[25]  Donal O'Shea,et al.  Ideals, varieties, and algorithms - an introduction to computational algebraic geometry and commutative algebra (2. ed.) , 1997, Undergraduate texts in mathematics.

[26]  Lars R. Knudsen,et al.  Provable Security Against Differential Cryptanalysis , 1992, CRYPTO.

[27]  Gregor Leander,et al.  On The Distribution of Linear Biases: Three Instructive Examples , 2012, IACR Cryptol. ePrint Arch..

[28]  Anne Canteaut,et al.  Proving Resistance Against Invariant Attacks: How to Choose the Round Constants , 2017, CRYPTO.

[29]  Claude Carlet,et al.  Codes, Bent Functions and Permutations Suitable For DES-like Cryptosystems , 1998, Des. Codes Cryptogr..

[30]  O. Antoine,et al.  Theory of Error-correcting Codes , 2022 .

[31]  Eli Biham,et al.  Differential Cryptanalysis of the Data Encryption Standard , 1993, Springer New York.

[32]  Claudio Soriente,et al.  An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials , 2009, IACR Cryptol. ePrint Arch..

[33]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[34]  Christian Rechberger,et al.  A New Structural-Differential Property of 5-Round AES , 2017, EUROCRYPT.

[35]  Martin Hell,et al.  The Grain Family of Stream Ciphers , 2008, The eSTREAM Finalists.

[36]  Jan Camenisch,et al.  Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials , 2002, CRYPTO.

[37]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[38]  A. Youssef On the Design of Linear Transformations for Substitution Permutation Encryption Networks , 2007 .

[39]  Lorenzo Grassi,et al.  Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES , 2018, IACR Cryptol. ePrint Arch..

[40]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[41]  Thomas Peyrin,et al.  Multiple Limited-Birthday Distinguishers and Applications , 2013, IACR Cryptol. ePrint Arch..

[42]  Vincent Rijmen,et al.  The Cipher SHARK , 1996, FSE.

[43]  Eli Ben-Sasson,et al.  Scalable, transparent, and post-quantum secure computational integrity , 2018, IACR Cryptol. ePrint Arch..