mirror of https://github.com/zcash/zips.git
Update specification of Poseidon.
Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
parent
212fdc8752
commit
bbc6131f29
|
@ -8534,6 +8534,10 @@ inside a circuit.
|
||||||
$\Poseidon$ is a cryptographic permutation described in \cite{GKRRS2019}. It operates
|
$\Poseidon$ is a cryptographic permutation described in \cite{GKRRS2019}. It operates
|
||||||
over a sequence of finite field elements, which we instantiate as $\typeexp{\GF{\ParamP{q}}}{3}$.
|
over a sequence of finite field elements, which we instantiate as $\typeexp{\GF{\ParamP{q}}}{3}$.
|
||||||
|
|
||||||
|
The following specification is intended to follow \cite{GKRRS2019} and Version 1.1 of the $\Poseidon$
|
||||||
|
reference implementation \cite{Poseidon-1.1}.\footnote{\nufive{Previous versions of the reference implementation
|
||||||
|
were inconsistent with the paper.}}
|
||||||
|
|
||||||
The S-box function is $x \mapsto x^5$. The number of full rounds $R_F$ is $8$, and
|
The S-box function is $x \mapsto x^5$. The number of full rounds $R_F$ is $8$, and
|
||||||
the number of partial rounds $R_P$ is $58$.
|
the number of partial rounds $R_P$ is $58$.
|
||||||
|
|
||||||
|
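Review bot: the footnote added at the end of this hunk says earlier versions of the reference implementation were inconsistent with the paper, but not in what respect, and the new sentence says the specification follows both \cite{GKRRS2019} and \cite{Poseidon-1.1} without saying which governs where they differ (for instance in how the MDS matrix is derived). An implementer working from the paper alone cannot tell whether they will interoperate; one sentence such as ``Where the paper and the reference implementation differ, this specification follows Version 1.1 of the implementation'' would settle it, and the footnote could name the inconsistency it has in mind.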
@ -8541,8 +8545,9 @@ We use $\Poseidon$ in a sponge configuration \cite{BDPA2011} (with elementwise a
|
||||||
$\GF{\ParamP{q}}$ replacing exclusive-or of bit strings\footnote{\nufive{The sponge construction
|
$\GF{\ParamP{q}}$ replacing exclusive-or of bit strings\footnote{\nufive{The sponge construction
|
||||||
was originally proposed as operating on an arbitrary group. \cite{BDPA2007}}}) to construct
|
was originally proposed as operating on an arbitrary group. \cite{BDPA2007}}}) to construct
|
||||||
a \hashFunction. The sponge capacity is one field element, the rate is two field elements, and
|
a \hashFunction. The sponge capacity is one field element, the rate is two field elements, and
|
||||||
the output is one field element. We do not append any padding to the input message; this does
|
the output is one field element. We use the ``Constant-Input-Length''\strut mode described in
|
||||||
not affect security because the input length is fixed.
|
\cite[section 4.2]{GKRRS2019}: for a $2$-element input, the initial value of the capacity
|
||||||
|
element is $2^{65}$, and no padding of the input message is needed.
|
||||||
|
|
||||||
That is, if $f \typecolon \typeexp{\GF{\ParamP{q}}}{3} \rightarrow \typeexp{\GF{\ParamP{q}}}{3}$
|
That is, if $f \typecolon \typeexp{\GF{\ParamP{q}}}{3} \rightarrow \typeexp{\GF{\ParamP{q}}}{3}$
|
||||||
is the $\Poseidon$ permutation, then the \hashFunction
|
is the $\Poseidon$ permutation, then the \hashFunction
|
||||||
|
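Review bot: the sentence that replaces ``this does not affect security because the input length is fixed'' drops the rationale for omitting padding; keep one clause saying that the input length is bound into the capacity element (that is what the $2^{65}$ initial value encodes, per the ``Constant-Input-Length'' formula quoted in the notes later in this diff), so the reader sees why no padding is needed rather than only that none is applied. Also, this hunk writes \cite[section 4.2]{GKRRS2019} while the nullifier note in the same commit writes \cite[Section 3.5 Nullifiers]{Zcash-Orchard}; pick one capitalisation for the optional argument.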
@ -8553,11 +8558,13 @@ is specified as:
|
||||||
\item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing).
|
\item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing).
|
||||||
\end{formulae}
|
\end{formulae}
|
||||||
|
|
||||||
\todo{Specify the MDS matrix.}
|
The MDS matrix is as generated by \texttt{generate\_parameters\_grain.sage} in Version 1.1 of the
|
||||||
|
reference implementation.
|
||||||
|
|
||||||
\begin{nnotes}
|
\begin{nnotes}
|
||||||
\item The choice of MDS matrix and the number of rounds take into account cryptanalytic
|
\item The choice of MDS matrix and the number of rounds take into account cryptanalytic
|
||||||
results in \cite{KR2020} and \cite{BCD+2020}. \todo{check.}
|
results in \cite{KR2020} and \cite{BCD+2020}. A detailed analysis of related matrix
|
||||||
|
properties is given in \cite{GRS2020}.
|
||||||
\item \cite{BCD+2020} says that ``... finite fields $\mathbb{F}_q$ with
|
\item \cite{BCD+2020} says that ``... finite fields $\mathbb{F}_q$ with
|
||||||
a limited number of multiplicative subgroups might be preferable, i.e.\ one
|
a limited number of multiplicative subgroups might be preferable, i.e.\ one
|
||||||
might want to avoid $q-1$ being smooth. This implies that the fields which are
|
might want to avoid $q-1$ being smooth. This implies that the fields which are
|
||||||
|
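Review bot: ``as generated by \texttt{generate\_parameters\_grain.sage} in Version 1.1 of the reference implementation'' resolves the \todo but does not make the matrix reproducible from the specification alone: that script takes the field, S-box, state width and round counts as inputs, so the spec should give the exact invocation (at least $t = 3$, $\alpha = 5$, $R_F = 8$, $R_P = 58$ and the modulus $\ParamP{q}$), or better list the matrix entries or a hash of them, so an implementer can check their matrix without running Sage against a pinned commit. The hunk also covers only the MDS matrix; the round constants are not mentioned anywhere in the visible text, so state here whether they come from the same script with the same parameters.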
@ -8565,8 +8572,8 @@ is specified as:
|
||||||
$\GF{\ParamP{q}}$ is such a field; the factorization of $\ParamP{q}-1$ is
|
$\GF{\ParamP{q}}$ is such a field; the factorization of $\ParamP{q}-1$ is
|
||||||
$2^{32} \mult 3 \mult 463 \mult 539204044132271846773 \mult 8999194758858563409123804352480028797519453$.
|
$2^{32} \mult 3 \mult 463 \mult 539204044132271846773 \mult 8999194758858563409123804352480028797519453$.
|
||||||
|
|
||||||
Furthermore, cryptanalysis of $\Poseidon$ has focussed mainly on the case of S-box
|
Furthermore, previous cryptanalysis of $\Poseidon$ has focussed mainly on the case
|
||||||
$x \mapsto x^3$. That variant cannot be used in $\GF{\ParamP{q}}$ because
|
of S-box $x \mapsto x^3$. That variant cannot be used in $\GF{\ParamP{q}}$ because
|
||||||
$x \mapsto x^3$ would not be a permutation. $\alpha = 5$ is the smallest
|
$x \mapsto x^3$ would not be a permutation. $\alpha = 5$ is the smallest
|
||||||
integer for which $x \mapsto x^\alpha$ is a permutation in $\GF{\ParamP{q}}$.
|
integer for which $x \mapsto x^\alpha$ is a permutation in $\GF{\ParamP{q}}$.
|
||||||
|
|
||||||
|
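Review bot: ``$\alpha = 5$ is the smallest integer for which $x \mapsto x^\alpha$ is a permutation in $\GF{\ParamP{q}}$'' is not quite right as written, since $\alpha = 1$ is trivially a permutation; say ``smallest integer $\alpha > 1$'', or better ``smallest $\alpha > 1$ with $\gcd(\alpha, \ParamP{q} - 1) = 1$''. Stating the gcd condition also lets a reader verify the claim from the factorization of $\ParamP{q} - 1$ given two lines earlier: the factors $2$ and $3$ rule out $\alpha \in \{2, 3, 4\}$ and $5$ does not appear, which is also exactly why $x \mapsto x^3$ fails to be a permutation here.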
@ -8581,19 +8588,20 @@ is specified as:
|
||||||
sponge mode limits an adversary to only being able to influence part of the $\Poseidon$
|
sponge mode limits an adversary to only being able to influence part of the $\Poseidon$
|
||||||
permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in
|
permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in
|
||||||
\crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$,
|
\crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$,
|
||||||
known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRandRepr$
|
known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$
|
||||||
is also chosen randomly by the \note creator (both are derived using $\PRFexpand{}$,
|
comes from a previous \nullifier which is effectively a random $x$-coordinate on the
|
||||||
from $\SpendingKey$ and $\NoteSeedBytes$ respectively). Then the PRF is used to enhance
|
\pallasCurve. Then the PRF is used to enhance the security of a discrete-logarithm-based
|
||||||
the security of a discrete-log-based nullifier construction (described in \crossref{...})
|
nullifier construction (described in \cite[Section 3.5 Nullifiers]{Zcash-Orchard})
|
||||||
against a potential discrete-log-breaking adversary. Given the weak assumption
|
against a potential discrete-log-breaking adversary. Given the weak assumption
|
||||||
that the $\PoseidonHash$ sponge produces output that preserves sufficient entropy
|
that the $\PoseidonHash$ sponge produces output that preserves sufficient entropy
|
||||||
from the inputs $\NullifierKey$ and $\NoteUniqueRandRepr$, this nullifier
|
from the inputs $\NullifierKey$ and $\NoteUniqueRand$, this nullifier
|
||||||
construction would still be secure under a decisional Diffie--Hellman assumption
|
construction would still be secure under a decisional Diffie--Hellman assumption
|
||||||
on the \Pallas curve, even if the $\Poseidon$-based PRF were distinguishable from
|
on the \Pallas curve, even if the $\Poseidon$-based PRF were distinguishable from
|
||||||
an ideal PRF.
|
an ideal PRF.
|
||||||
|
|
||||||
The recommended number of partial rounds for these parameters in the Poseidon paper
|
The recommended number of partial rounds for these parameters in the Poseidon paper
|
||||||
is $57$, but we prefer an even number of partial rounds for circuit efficiency.
|
is $57$, but we prefer an even number of partial rounds to simplify the circuit
|
||||||
|
implementation.
|
||||||
\item The constant $2^{65}$ comes from \cite[section 4.2]{GKRRS2019}:
|
\item The constant $2^{65}$ comes from \cite[section 4.2]{GKRRS2019}:
|
||||||
``Constant-Input-Length Hashing. The capacity value is $\mathit{length} \mult (2^{64}) + (o - 1)$
|
``Constant-Input-Length Hashing. The capacity value is $\mathit{length} \mult (2^{64}) + (o - 1)$
|
||||||
where $o$ is the output length.'' In this case the input length ($\mathit{length}$) is
|
where $o$ is the output length.'' In this case the input length ($\mathit{length}$) is
|
||||||
|
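Review bot: the new description of $\NoteUniqueRand$ as ``effectively a random $x$-coordinate on the \pallasCurve'' taken from a previous \nullifier drops the old text's statement about who chooses it, yet the argument that follows (``preserves sufficient entropy from the inputs $\NullifierKey$ and $\NoteUniqueRand$'') still reads as if both inputs contribute secret entropy. The paragraph says $\NullifierKey$ is known only to holders of a \fullViewingKey but says nothing about whether $\NoteUniqueRand$ is secret from the adversary; since it comes from a previous nullifier, state explicitly whether it is public, and if so make clear that the entropy the argument relies on comes from $\NullifierKey$, with $\NoteUniqueRand$ acting as a per-note public input, so that ``random'' is not read as ``unpredictable to the adversary''. Minor: ``discrete-log-based'' was expanded to ``discrete-logarithm-based'' but ``discrete-log-breaking'' two lines later was not; use one form.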
@ -13987,6 +13995,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
|
||||||
between the protocol specification and \cite{ZIP-225}.
|
between the protocol specification and \cite{ZIP-225}.
|
||||||
\item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
|
\item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
\item Update specification of $\Poseidon$.
|
||||||
\item Add references to \cite{Zcash-halo2}.
|
\item Add references to \cite{Zcash-halo2}.
|
||||||
\item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.
|
\item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.
|
||||||
\item Correct the type signature of $\DiversifyHash{Orchard}$ in \crossref{abstracthashes}.
|
\item Correct the type signature of $\DiversifyHash{Orchard}$ in \crossref{abstracthashes}.
|
||||||
|
|
|
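Review bot: ``Update specification of $\Poseidon$'' is far less specific than the neighbouring changelog items (``Correct the description of $\lengthField$ ...'', ``Correct the type signature of ...''), and this commit changes normative content: the Constant-Input-Length sponge mode with initial capacity value $2^{65}$, the source of the MDS matrix, and the description of $\NoteUniqueRand$. List those in the entry so a reader of the change log can tell that an implementation may need to change rather than only its documentation.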
@ -501,6 +501,15 @@ Received March~20, 2012.}
|
||||||
Last updated December~16, 2020.}
|
Last updated December~16, 2020.}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@misc{Poseidon-1.1,
|
||||||
|
presort={Poseidon-1.1},
|
||||||
|
author={Lorenzo Grassi and Dmitry Khovratovich and Christian Rechberger and Arnab Roy and Markus Schofnegger},
|
||||||
|
title={Poseidon reference implementation, Version 1.1},
|
||||||
|
date={2021-03-07},
|
||||||
|
url={https://extgit.iaik.tugraz.at/krypto/hadeshash/-/commit/7ecf9a7d4f37e777ea27e4c4d379443151270563},
|
||||||
|
urldate={2021-03-23}
|
||||||
|
}
|
||||||
|
|
||||||
@misc{BDPA2007,
|
@misc{BDPA2007,
|
||||||
presort={BDPA2007},
|
presort={BDPA2007},
|
||||||
author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}},
|
author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}},
|
||||||
|
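Review bot: the new Poseidon-1.1 entry pins a specific commit in its url, but the rendered citation will show only ``Version 1.1''; put the commit (or its short hash) in the title or in a howpublished field, as the surrounding entries do with their ``Last updated'' / ``Last revised'' notes, so the pin survives into the PDF. Among the entries visible in this diff it is also the only one using a date={...} field rather than a note in howpublished; match the surrounding convention.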
@ -600,6 +609,16 @@ Last revised November~11, 2020.},
|
||||||
Lecture Notes in Computer Science; Springer, 2020.}
|
Lecture Notes in Computer Science; Springer, 2020.}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@misc{GRS2020,
|
||||||
|
presort={GRS2020},
|
||||||
|
author={Lorenzo Grassi and Christian Rechberger and Markus Schofnegger},
|
||||||
|
title={Proving Resistance Against Infinitely Long Subspace Trails: {H}ow to Choose the Linear Layer},
|
||||||
|
url={https://eprint.iacr.org/2020/500},
|
||||||
|
urldate={2021-03-23},
|
||||||
|
howpublished={Cryptology ePrint Archive: Report 2020/500.
|
||||||
|
Last revised January~27, 2021.}
|
||||||
|
}
|
||||||
|
|
||||||
@misc{AGRRT2017,
|
@misc{AGRRT2017,
|
||||||
presort={AGRRT2017},
|
presort={AGRRT2017},
|
||||||
author={Martin Albrecht and Lorenzo Grassi and Christian Rechberger and
|
author={Martin Albrecht and Lorenzo Grassi and Christian Rechberger and
|
||||||
|
|
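Review bot: the GRS2020 entry has no year or date field, whereas the Poseidon-1.1 entry added in the same commit has date={2021-03-07}; the year is recoverable only from the report number and the ``Last revised January~27, 2021'' text, so add one so the rendered entry and the citation key agree. The body text added earlier in this commit describes the reference as ``a detailed analysis of related matrix properties''; given the title, ``the subspace-trail analysis of the linear layer'' would tell the reader why it bears on the MDS matrix choice.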