Comment on page

# Poseidon

POSEIDON is a cryptographic hash function designed to be efficient when expressed as a circuit over a large prime field

$\mathbb{F}$

. It was introduced by Dmitry Khovratovich, Alexei Ivanov, and Dmitry Meshkov in 2019. Its use is advantageous in the context of SNARKs as many other hash functions (such as SHA-256) that are widely used in other contexts do not have efficient circuit representations. Panther uses this hash function as it fits the requirements of our platform.Poseidon is a Snark-friendly cryptographic hashing algorithm based on a sponge function with the

$POSEIDON^\pi$

permutation. Poseidon, as a function per se, maps strings over $\mathbb{F}_p$

(for a prime $p \approx 2^n > 2^{31}$

) to fixed-length strings over $\mathbb{F}_p$

, i.e., POSEIDON: $\mathbb{F}_p^* \longrightarrow \mathbb{F}p^o$

where $o$

is the output length measured in $\mathbb{F}_p$

elements (usually, $o = 1$

). Poseidon takes a string of words in $\mathbb{F}_p$

as its input, and gives a single representative element of $\mathbb{F}_p$

as output (although longer outputs are supported). The main features of the Poseidon hash include:

1. Efficiency: The Poseidon hash is designed to be highly efficient, enabling fast computation of hash values. It achieves this efficiency using a round-based permutation structure that can be parallelized and optimized for hardware implementations.

2. Security: The Poseidon hash is built upon the cryptographic sponge construction, which provides resistance against cryptographic attacks such as preimage attacks, second preimage attacks, and collision attacks. It employs a combination of algebraic and bitwise operations to ensure the security of the hash function.

3. Resistance to certain cryptographic attacks: The Poseidon hash is specifically designed to resist certain types of attacks that exploit algebraic properties of hash functions, such as differential and linear attacks. The round-based structure and carefully chosen operations make it resistant to these attacks.

4. Customizable parameters: Poseidon allows for the customization of its parameters, such as the number of rounds and field size, to adapt to specific security requirements and performance constraints. This flexibility enables the fine-tuning of the hash function for different applications.

5. Application versatility: Poseidon is suitable for a wide range of cryptographic applications, including digital signatures, zero-knowledge proofs, and blockchain systems. It provides a robust and efficient hashing primitive that can be utilized in various cryptographic protocols.

However, let's keep in mind that the Poseidon hash is designed for efficient and secure computation, especially in the context of zero-knowledge applications aiming to minimize proof generation time, proof size, and verification time (when it is not constant).

The primary application of Poseidon is hashing in large prime fields, and so

$POSEIDON^\pi$

takes inputs of $t\ge 2$

words in $\mathbb{F}_p$

. For curves such as BLS12-381 of BN254, the prime (scalar) fields have a size of around $2^{255}$

. Consequently, a security level of 128 bits (that is, Poseidon-128) corresponds to a capacity of 255 bits, which is one field element.It's important to note that the Poseidon hash is just one among many cryptographic hash functions available. While it is true that Poseidon is better than the Pedersen Hash and Rescue for several use cases, the choice of hash function depends on the specific requirements and security considerations of the application at hand.

**Documentation on the Poseidon hash function is currently under construction, and we are actively working on providing users with a comprehensive overview of this technology.**