ZK-friendly Hashing

Research paper

Reference implementation

Encryption with Poseidon

Poseidon in Plonk

Poseidon in Your Application

In order to determine the right version of Poseidon for your scenario, you need to know the following:

  • The field F, over which the arithmetic statements that use Poseidon are defined. It is often determined by the ZK proof system. Most likely, it is a prime-order subgroup of the group of points of an elliptic curve, where the curve is BLS12-381, BN254, or Ed25519. Poseidon maps sequences of F elements to a fixed length sequence of F elements.
  • You hash messages of arbitrary length or fixed length (like in a Merkle tree, where almost always 2 elements are hashed).
  • The security level M against collision and preimage attacks (most likely, 128 bits).

With this information, you determine the width w, measured in the number of F elements, of Poseidon permutation as follows:

  • Reserve c elements for capacity so that c elements of F contain 2M or more bits.
  • If messages have fixed length l which is reasonably small (10 or less), then set w = c+l.

Then you figure out which S-box is compatible with the curve. For the curves BLS12-381, BN254, or Ed25519 the S-box x^5 is optimal.

Third Party Implementations

Some implementations use different constants than specified. That does not affect the security.