Poseidon: A New Hash Function for Zero-Knowledge Proof Systems

The area of practical computational integrity proof systems, like SNARKs, STARKs, Bulletproofs, is seeing a very dynamic development with several constructions having appeared recently with improved properties and relaxed setup requirements. Many use cases of such systems involve, often as their most expensive part, proving the knowledge of a preimage under a certain cryptographic hash function, which is expressed as a circuit over a large prime field. A zero-knowledge proof of coin ownership in the Zcash cryptocurrency is a notable example, where the inadequacy of the SHA-256 hash function for such a circuit caused a huge computational penalty. In this paper, we present a modular framework and concrete instances of cryptographic hash functions which work natively with GF(p) objects. Our hash function Poseidon uses up to 8x fewer constraints per message bit than Pedersen Hash.
