# Poseidon: ZK-friendly Hashing

## Poseidon in Your Application

In order to determine the right version of Poseidon for your scenario, you need to know the following:

- The *field* F, over which the arithmetic statements that use Poseidon are defined. It is often determined by the ZK proof system. Most likely, it is a prime-order subgroup of the group of points of an elliptic curve, where the curve is BLS12-381, BN254, or Ed25519. Poseidon maps sequences of F elements to a fixed-length sequence of F elements.
- Whether you hash messages of *arbitrary* length or *fixed* length (like in a Merkle tree, where almost always 2 elements are hashed).
- The *security level* M against collision and preimage attacks (most likely, 128 bits).

With this information, you determine the *width* w of the Poseidon permutation, measured in the number of F elements, as follows:

- Reserve c elements for capacity so that c elements of F contain 2M or more bits.
- If messages have a fixed length l which is reasonably small (10 or less), then set w = c + l.

Then you figure out which S-box is compatible with the curve. For the curves BLS12-381, BN254, or Ed25519 the S-box x^5 is optimal.
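The compatibility check behind that choice, as an added example (not code from the Poseidon authors or from any listed implementation): x^α is a bijection on a prime field of order p exactly when gcd(α, p − 1) = 1, a standard finite-field fact that this page does not spell out. The moduli below are the published scalar-field and subgroup orders of the three curves, supplied here as assumptions; all function names are hypothetical.

```python
from math import gcd

# Prime moduli of the fields the text names, built from the curves' published
# parameters (standard constants supplied for this example, not page values).
_Z = -0xD201000000010000   # BLS12-381 curve parameter
_U = 4965661367192848881   # BN254 curve parameter
FIELDS = {
    "BLS12-381": _Z**4 - _Z**2 + 1,
    "BN254": 36 * _U**4 + 36 * _U**3 + 18 * _U**2 + 6 * _U + 1,
    "Ed25519": 2**252 + 27742317777372353535851937790883648493,
}


def sbox_exponent(p):
    """Smallest alpha >= 3 with gcd(alpha, p - 1) == 1, so x^alpha permutes GF(p)."""
    alpha = 3
    while gcd(alpha, p - 1) != 1:
        alpha += 1
    return alpha


def cube_collision(p):
    """Return w != 1 with w^3 == 1^3 in GF(p), or None if x^3 is a permutation."""
    if (p - 1) % 3 != 0:
        return None
    for base in range(2, 200):
        w = pow(base, (p - 1) // 3, p)  # a cube root of unity, possibly trivial
        if w != 1:
            return w
    return None


def round_trips(alpha, p, samples):
    """Check x -> x^alpha is undone by the inverse exponent on the samples."""
    inv = pow(alpha, -1, p - 1)  # exists only because gcd(alpha, p - 1) == 1
    return all(pow(pow(x, alpha, p), inv, p) == x % p for x in samples)


if __name__ == "__main__":
    for name, p in FIELDS.items():
        alpha = sbox_exponent(p)
        w = cube_collision(p)
        print(f"{name}: {p.bit_length()}-bit field, S-box x^{alpha}")
        print(f"  x^3 rejected: 1 and {hex(w)[:18]}... have the same cube")
        print(f"  x^{alpha} invertible: {round_trips(alpha, p, range(1000))}")
```

On all three fields 3 divides p − 1, so x^3 maps distinct inputs to the same output and cannot serve as an S-box, while x^5 is the lowest-degree power map that can be inverted.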

## Third Party Implementations

Some implementations use different constants than specified. That does not affect the security.

- Rust (Filecoin/Neptune, Dusk, Arnaucube)
- Circuits for zero-knowledge proofs: Bulletproofs, Circom