Poseidon in Your Application
In order to determine the right version of Poseidon for your scenario, you need to know the following:
- The field F over which the arithmetic statements that use Poseidon are defined. It is usually dictated by the ZK proof system. Most likely it is the prime field whose order equals that of the prime-order subgroup of points on an elliptic curve such as BLS12-381, BN254, or Ed25519. Poseidon maps sequences of F elements to a fixed-length sequence of F elements.
- Whether you hash messages of arbitrary length or of fixed length (as in a Merkle tree, where almost always 2 elements are hashed).
- The security level M, in bits, against collision and preimage attacks (most likely 128 bits).
With this information, you determine the width w of the Poseidon permutation, measured in the number of F elements, as follows:
- Reserve c elements for capacity, so that c elements of F contain 2M or more bits.
- If messages have a fixed length l that is reasonably small (10 or less), set w = c + l.
Then you figure out which S-box is compatible with the curve: x^α is a permutation of F only when gcd(α, p − 1) = 1, where p is the order of F. For the curves BLS12-381, BN254, and Ed25519 the S-box x^5 is optimal.
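The parameter selection above, carried out in code as an added example (not part of the original page or of any Poseidon implementation). The field moduli are the well-known scalar-field orders of the three curves the page names; the capacity rule uses floor(log2 p) as the number of bits one element is guaranteed to carry, and the S-box check is the gcd condition: x^α permutes F exactly when gcd(α, p − 1) = 1.

```python
from math import gcd

# Scalar-field orders of the curves named on the page (well-known constants):
# the prime-order subgroup sizes r of BLS12-381 and BN254, and l of Ed25519.
FIELDS = {
    "BLS12-381": 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001,
    "BN254": 21888242871839275222246405745257275088548364400416034343698204186575808495617,
    "Ed25519": 2**252 + 27742317777372353535851937790883648493,
}


def bits_per_element(p: int) -> int:
    """floor(log2 p): bits that a single element of F is guaranteed to hold."""
    return p.bit_length() - 1


def capacity_elements(p: int, M: int) -> int:
    """Smallest c such that c elements of F carry at least 2M bits."""
    b = bits_per_element(p)
    return (2 * M + b - 1) // b  # ceiling division


def permutation_width(p: int, M: int, l: int) -> int:
    """w = c + l for a fixed message length l; the page gives this rule for l <= 10."""
    if not 1 <= l <= 10:
        raise ValueError("the fixed-length rule on the page covers 1 <= l <= 10")
    return capacity_elements(p, M) + l


def is_permutation_exponent(p: int, alpha: int) -> bool:
    """x^alpha is a bijection on F_p iff gcd(alpha, p - 1) == 1."""
    return gcd(alpha, p - 1) == 1


def smallest_sbox_exponent(p: int) -> int:
    """Smallest odd alpha >= 3 for which x^alpha is a permutation of F_p."""
    alpha = 3
    while not is_permutation_exponent(p, alpha):
        alpha += 2
    return alpha


def choose_parameters(curve: str, M: int = 128, l: int = 2) -> dict:
    """Return (c, w, alpha) for a fixed-length hash of l elements over the curve's field."""
    p = FIELDS[curve]
    return {
        "field_bits": bits_per_element(p),
        "c": capacity_elements(p, M),
        "w": permutation_width(p, M, l),
        "alpha": smallest_sbox_exponent(p),
    }


if __name__ == "__main__":
    # Parameters for a 2-to-1 Merkle node at M = 128 on each field.
    for name in FIELDS:
        print(name, choose_parameters(name))
```

Note that these three fields are all 253 to 255 bits wide, so one element falls a few bits short of 2M = 256 and the rule as stated yields c = 2 (w = 4 for a 2-to-1 node) at M = 128. Widely deployed Poseidon instances over these fields take c = 1 (w = 3) and accept the resulting collision bound of about log2(p)/2 ≈ 127 bits; the function reports c = 1 only if M is lowered accordingly. Cubing is ruled out on all three fields because 3 divides p − 1 in each case, which is why the search lands on x^5.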