POSEIDON: A New Hash Function for Zero-Knowledge Proof Systems (Updated Version)

The area of practical computational integrity proof systems, such as SNARKs, STARKs, and Bulletproofs, is seeing very dynamic development, with several constructions having appeared recently with improved properties and relaxed setup requirements. Many use cases of such systems involve, often as their most expensive part, proving knowledge of a preimage under a certain cryptographic hash function, which is expressed as a circuit over a large prime field. A notable example is a zero-knowledge proof of coin ownership in the Zcash cryptocurrency, where the inadequacy of the SHA-256 hash function for such a circuit caused a huge computational penalty. In this paper, we present a modular framework and concrete instances of cryptographic hash functions which work natively with GF(p) objects. Our hash function POSEIDON uses up to 8x fewer constraints per message bit than Pedersen Hash. Our construction is not only expressed compactly as a circuit, but can also be tailored for various proof systems using specially crafted polynomials, thus bringing another boost in performance. We demonstrate this by implementing a 1-out-of-a-billion membership proof with Merkle trees in less than a second by using Bulletproofs.
