ZK-friendly Hashing

Poseidon in Your Application

In order to determine the right version of Poseidon for your scenario, you need to know the following:

  • The field F, over which the arithmetic statements that use Poseidon are defined. It is usually dictated by the ZK proof system. Most likely it is the scalar field of an elliptic curve, that is, the prime field F_p whose order p is the size of the curve's prime-order subgroup of points; for BLS12-381, BN254 and Ed25519 that prime has 255, 254 and 253 bits respectively. Poseidon maps a sequence of F elements to a fixed-length sequence of F elements.

  • Whether you hash messages of arbitrary length or of a fixed length l (as in a Merkle tree, where almost always l = 2 elements are hashed).

  • The security level M, in bits, against collision and preimage attacks (most likely 128).

With this information, you determine the width w of the Poseidon permutation, measured in F elements, as follows:

  • Reserve c elements for the capacity so that c elements of F hold 2M or more bits, i.e. c·log2(p) ≥ 2M. Note that one element of a 253- to 255-bit field falls just short of 256 bits: under this rule c = 1 yields M = 126 or 127, not 128. The paper's own 128-bit instances over these fields nevertheless use c = 1, so treat the shortfall as a rounding the designers accept rather than as spare margin.

  • If messages have a fixed length l which is reasonably small (10 or less), then set w = c + l: the whole message is absorbed in one permutation call, no padding is needed, and the rate is r = w − c = l. For variable-length messages the sponge absorbs r = w − c elements per permutation call, so any small w works, but the padding rule must then distinguish messages of different lengths.

Then choose the S-box x^α. It must be a permutation of F, which holds exactly when gcd(α, p − 1) = 1, and the smallest such α gives the cheapest rounds. For BLS12-381, BN254 and Ed25519, 3 divides p − 1, so x^3 is not invertible and x^5 is optimal.
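The parameter rules above, carried out in code. This is an added example, not code from the page or from the reference implementation: it embeds the scalar-field moduli of the three curves named above, applies the capacity rule exactly (as an integer comparison p^c ≥ 2^(2M), so no floating-point rounding can flip the answer for a 255-bit prime), reports the security level a given c actually supports, and picks the S-box exponent by the gcd(α, p − 1) = 1 criterion. The function and dictionary names are this example's own.

```python
from math import gcd

# Scalar-field moduli of the three curves named on the page (well-known values,
# embedded here so the example runs offline).
FIELDS = {
    "BLS12-381": 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001,
    "BN254":     0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001,
    "Ed25519":   2**252 + 27742317777372353535851937790883648493,
}


def capacity_for(p: int, M: int) -> int:
    """Smallest c such that c elements of F_p hold at least 2M bits.

    c * log2(p) >= 2M is checked exactly as p**c >= 2**(2M)."""
    c = 1
    while p**c < 2 ** (2 * M):
        c += 1
    return c


def security_bits(p: int, c: int) -> int:
    """Largest M that a capacity of c elements supports: floor(c * log2(p) / 2)."""
    return ((p**c).bit_length() - 1) // 2


def sbox_exponent(p: int) -> int:
    """Smallest odd alpha >= 3 for which x -> x^alpha permutes F_p.

    x^alpha is a bijection on F_p exactly when gcd(alpha, p - 1) == 1."""
    alpha = 3
    while gcd(alpha, p - 1) != 1:
        alpha += 2
    return alpha


def is_permutation_bruteforce(p: int, alpha: int) -> bool:
    """Confirm the gcd criterion by enumeration; only feasible for tiny primes."""
    return len({pow(x, alpha, p) for x in range(p)}) == p


def poseidon_params(field: str, M: int = 128, l: int = 2) -> dict:
    """Apply the page's rules for a fixed-length input of l field elements."""
    if l > 10:
        raise ValueError("fixed-length rule applies to l <= 10; use the variable-length sponge")
    p = FIELDS[field]
    c = capacity_for(p, M)
    return {
        "field": field,
        "field_bits": p.bit_length(),
        "capacity": c,
        "rate": l,
        "width": c + l,
        "alpha": sbox_exponent(p),
        "security_bits": security_bits(p, c),
    }


if __name__ == "__main__":
    for name, p in FIELDS.items():
        # M = 126 is the level one ~255-bit capacity element supports under the
        # literal rule; it yields the familiar w = 3 instance for a 2-to-1 hash.
        print(name, poseidon_params(name, M=126, l=2))
        print("  c = 1 supports", security_bits(p, 1), "bits; M = 128 literally needs c =",
              capacity_for(p, 128))
```

Running it shows the point made in the capacity rule: with M = 128 taken literally every one of these fields needs c = 2, while c = 1 supports 127 bits on BLS12-381 and 126 bits on BN254 and Ed25519. The S-box search returns 5 for all three because 3 divides p − 1 in each case; the brute-force checker lets you see the same criterion fail and succeed on primes small enough to enumerate.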

Third Party Implementations

Some implementations use round constants that differ from the specified ones. As long as the constants are generated without structure (the specification derives them with a Grain LFSR) this does not affect security, but it does change every digest: such an implementation is not interoperable with any other, so pin the exact constant set, MDS matrix and round counts that you tested against.
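To make the interoperability point concrete, here is an added example, not code from the page or from the reference implementation: a minimal Poseidon permutation and 2-to-1 sponge over the BN254 scalar field with w = 3 and the x^5 S-box, using the paper's round counts for that instance. The round constants are derived from a SHAKE-256 counter (a stand-in for the specification's Grain LFSR) and the MDS matrix is a plain Cauchy matrix, so the digests match no published instance. Hashing the same two elements under two different constant seeds gives two different digests, which is exactly why two implementations must agree on their constants.

```python
import hashlib

P = 0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001  # BN254 scalar field
W, ALPHA = 3, 5          # width w = c + l = 1 + 2 for a 2-to-1 hash, S-box x^5
R_F, R_P = 8, 57         # full / partial rounds: the paper's counts for t=3, x^5, M=128


def round_constants(seed: bytes, n: int) -> list:
    """Derive n unstructured field elements from a seed (SHAKE-256 counter mode).

    Stand-in only: the specification derives its constants with a Grain LFSR,
    so these values match no published Poseidon instance."""
    rc = []
    for i in range(n):
        digest = hashlib.shake_256(seed + i.to_bytes(4, "big")).digest(64)
        rc.append(int.from_bytes(digest, "big") % P)
    return rc


def mds_matrix(w: int) -> list:
    """Cauchy matrix M[i][j] = 1 / (x_i + y_j) with x_i = i and y_j = w + j.
    Distinct x, distinct y and non-zero sums make it MDS; the reference
    additionally screens its matrix for subspace-trail weaknesses, which is
    not done here."""
    return [[pow(i + w + j, -1, P) for j in range(w)] for i in range(w)]


def permutation(state: list, rc: list, mds: list) -> list:
    """Poseidon permutation: R_F/2 full rounds, R_P partial rounds, R_F/2 full rounds.
    Each round adds constants, applies the S-box and multiplies by the MDS matrix."""
    s = list(state)
    for r in range(R_F + R_P):
        s = [(x + rc[r * W + i]) % P for i, x in enumerate(s)]
        if R_F // 2 <= r < R_F // 2 + R_P:
            s[0] = pow(s[0], ALPHA, P)          # partial round: one S-box
        else:
            s = [pow(x, ALPHA, P) for x in s]   # full round: S-box on every element
        s = [sum(mds[i][j] * s[j] for j in range(W)) % P for i in range(W)]
    return s


def poseidon_hash2(a: int, b: int, seed: bytes = b"constants-set-A") -> int:
    """Fixed-length 2-to-1 sponge: the two rate elements carry the message,
    the capacity element (last) starts at zero, and the first state element
    after one permutation is the digest. No padding is needed because l = 2
    is fixed; deployments commonly also encode a domain tag into the capacity."""
    rc = round_constants(seed, W * (R_F + R_P))
    mds = mds_matrix(W)
    return permutation([a % P, b % P, 0], rc, mds)[0]


if __name__ == "__main__":
    a, b = 1, 2
    h_a = poseidon_hash2(a, b)                              # constant set A
    h_b = poseidon_hash2(a, b, seed=b"constants-set-B")     # constant set B
    print("set A:", hex(h_a))
    print("set B:", hex(h_b))
    print("same inputs, different constants, digests differ:", h_a != h_b)
```

The permutation structure (constant addition, S-box, MDS multiplication, with the S-box applied to a single element in the partial rounds) is the same one every Poseidon instance uses; what differs between a conforming implementation and a divergent one is only the constant table and possibly the matrix, and as the example shows that is enough to make every digest differ.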