The Poseidon Hash

Used for the different purposes

The Poseidon is a hash function designed for zero-knowledge proof systems like zkSNARKs. It operates over the GF(p)GF(p)GF(p)
 prime field. The main advantage of the Poseidon hash is simplification in circuits building.
The Poseidon contains a series of rounds each based on input permutations (add constants, exponentiation and mixing). An S-box routine is just an exponentiation number in the GF(p)GF(p)GF(p)
 field (the power of 5).
The round constants and S-box operations count depend on the parameter set. The Poseidon parameters are a tuple (t,f,p,c,m)(t, f, p, c, m)(t,f,p,c,m)
, where
​ttt
 is a number of S-box routines in one round. It also specifies an input dimension: hash function supports up to ttt
 input numbers.
​fff
 is a full rounds count (ttt
 S-box routines)
​ppp
 is a partial rounds count (single S-box routine)
​ccc
 is a round constants array ((f+p)×t(f+p) \times t(f+p)×t
 dimension)
​mmm
 is a square array used for a mixing function (t×tt \times tt×t
 dimension)
The Poseidon routine produces a resulting hash (over prime field) after (f+p)(f+p)(f+p)
 rounds.
As mentioned previously there are different parameter sets used for hashes in the Merkle tree. These hash types are explained in the table below. The parameter set is presented in the reduced form (just a tuple(t,f,p)(t, f, p)(t,f,p)
): 
Label
Parameters
Hash purpose
Inputs
​HashHashHash
​
2, 8, 56
Key derivation (η\etaη
 and PdP_dPd​
)
Transaction verifier keyAAA
 or diversifier ddd
​
​HashmerkleHash_{merkle}Hashmerkle​
/ HashnullifierHash_{nullifier}Hashnullifier​
​
3, 8, 56
Merkle tree's node;
Nullifier
two child nodes or leafs;
Account hash and intermediate nullifier hash (details)
​HasheddsaHash_{eddsa}Hasheddsa​
/HashinhHash_{inh}Hashinh​
​
4, 8, 56
EDDSA sign and verify; Intermediate nullifier hash (inh)
​R.x,A.x,HR.x, A.x, HR.x,A.x,H
​ (details)
Hash(acc)Hash(acc)Hash(acc)
, η\etaη
, pathpathpath
 (details)
​HashnoteHash_{note}Hashnote​
​
5, 8, 56
Note hash
​d,Pd,b,td, P_d, b, td,Pd​,b,t
 (details)
​HashaccountHash_{account}Hashaccount​
/HashspongeHash_{sponge}Hashsponge​
​
6, 8, 57
Account hash;
Transaction hash
​d,Pd,i,bd, P_d, i, bd,Pd​,i,b
 (details)​;
account and notes hashes with transaction commitment (details)
Poseidon specification
This page provides just a simple description of the Poseidon hash function. For additional details please refer to the original publication. It contains exhaustive materials, security investigations, implementation details, proof system applications and so on.

Label	Parameters	Hash purpose	Inputs
$Hash$	2, 8, 56	Key derivation ( $\eta$ and $P_d$ )	Transaction verifier key $A$ or diversifier $d$
$Hash_{merkle}$ / $Hash_{nullifier}$	3, 8, 56	Merkle tree's node; Nullifier	two child nodes or leafs; Account hash and intermediate nullifier hash (details)
$Hash_{eddsa}$ / $Hash_{inh}$	4, 8, 56	EDDSA sign and verify; Intermediate nullifier hash (inh)	$R.x, A.x, H$ (details) $Hash(acc)$ , $\eta$ , $path$ (details)
$Hash_{note}$	5, 8, 56	Note hash	$d, P_d, b, t$ (details)
$Hash_{account}$ / $Hash_{sponge}$	6, 8, 57	Account hash; Transaction hash	$d, P_d, i, b$ (details); account and notes hashes with transaction commitment (details)

Technical Implementation - Previous

zkBob Merkle Tree

Next - Technical Implementation

Elliptic Curve Cryptography

Last modified 7mo ago