zec
/
zips
mirror of https://github.com/zcash/zips.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Update specification of Poseidon. 

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira Hopwood 2021-03-26 17:28:06 +00:00
parent 212fdc8752
commit bbc6131f29
2 changed files with 40 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
protocol/protocol.tex
View File

@ -8534,6 +8534,10 @@ inside a circuit.
$\Poseidon$ is a cryptographic permutation described in \cite{GKRRS2019}. It operates $\Poseidon$ is a cryptographic permutation described in \cite{GKRRS2019}. It operates
over a sequence of finite field elements, which we instantiate as $\typeexp{\GF{\ParamP{q}}}{3}$. over a sequence of finite field elements, which we instantiate as $\typeexp{\GF{\ParamP{q}}}{3}$.
The following specification is intended to follow \cite{GKRRS2019} and Version 1.1 of the $\Poseidon$
reference implementation \cite{Poseidon-1.1}.\footnote{\nufive{Previous versions of the reference implementation
were inconsistent with the paper.}}
The S-box function is $x \mapsto x^5$. The number of full rounds $R_F$ is $8$, and The S-box function is $x \mapsto x^5$. The number of full rounds $R_F$ is $8$, and
the number of partial rounds $R_P$ is $58$. the number of partial rounds $R_P$ is $58$.
@ -8541,8 +8545,9 @@ We use $\Poseidon$ in a sponge configuration \cite{BDPA2011} (with elementwise a
$\GF{\ParamP{q}}$ replacing exclusive-or of bit strings\footnote{\nufive{The sponge construction $\GF{\ParamP{q}}$ replacing exclusive-or of bit strings\footnote{\nufive{The sponge construction
was originally proposed as operating on an arbitrary group. \cite{BDPA2007}}}) to construct was originally proposed as operating on an arbitrary group. \cite{BDPA2007}}}) to construct
a \hashFunction. The sponge capacity is one field element, the rate is two field elements, and a \hashFunction. The sponge capacity is one field element, the rate is two field elements, and
the output is one field element. We do not append any padding to the input message; this does the output is one field element. We use the ``Constant-Input-Length''\strut mode described in
not affect security because the input length is fixed. \cite[section 4.2]{GKRRS2019}: for a $2$-element input, the initial value of the capacity
element is $2^{65}$, and no padding of the input message is needed.
That is, if $f \typecolon \typeexp{\GF{\ParamP{q}}}{3} \rightarrow \typeexp{\GF{\ParamP{q}}}{3}$ That is, if $f \typecolon \typeexp{\GF{\ParamP{q}}}{3} \rightarrow \typeexp{\GF{\ParamP{q}}}{3}$
is the $\Poseidon$ permutation, then the \hashFunction is the $\Poseidon$ permutation, then the \hashFunction
@ -8553,11 +8558,13 @@ is specified as:
\item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing). \item $\PoseidonHash(x, y) = f([x, y, 2^{65}])_1$ (using $1$-based indexing).
\end{formulae} \end{formulae}
\todo{Specify the MDS matrix.} The MDS matrix is as generated by \texttt{generate\_parameters\_grain.sage} in Version 1.1 of the
reference implementation.
\begin{nnotes} \begin{nnotes}
\item The choice of MDS matrix and the number of rounds take into account cryptanalytic \item The choice of MDS matrix and the number of rounds take into account cryptanalytic
results in \cite{KR2020} and \cite{BCD+2020}. \todo{check.} results in \cite{KR2020} and \cite{BCD+2020}. A detailed analysis of related matrix
properties is given in \cite{GRS2020}.
\item \cite{BCD+2020} says that ``... finite fields $\mathbb{F}_q$ with \item \cite{BCD+2020} says that ``... finite fields $\mathbb{F}_q$ with
a limited number of multiplicative subgroups might be preferable, i.e.\ one a limited number of multiplicative subgroups might be preferable, i.e.\ one
might want to avoid $q-1$ being smooth. This implies that the fields which are might want to avoid $q-1$ being smooth. This implies that the fields which are
@ -8565,8 +8572,8 @@ is specified as:
$\GF{\ParamP{q}}$ is such a field; the factorization of $\ParamP{q}-1$ is $\GF{\ParamP{q}}$ is such a field; the factorization of $\ParamP{q}-1$ is
$2^{32} \mult 3 \mult 463 \mult 539204044132271846773 \mult 8999194758858563409123804352480028797519453$. $2^{32} \mult 3 \mult 463 \mult 539204044132271846773 \mult 8999194758858563409123804352480028797519453$.
Furthermore, cryptanalysis of $\Poseidon$ has focussed mainly on the case of S-box Furthermore, previous cryptanalysis of $\Poseidon$ has focussed mainly on the case
$x \mapsto x^3$. That variant cannot be used in $\GF{\ParamP{q}}$ because of S-box $x \mapsto x^3$. That variant cannot be used in $\GF{\ParamP{q}}$ because
$x \mapsto x^3$ would not be a permutation. $\alpha = 5$ is the smallest $x \mapsto x^3$ would not be a permutation. $\alpha = 5$ is the smallest
integer for which $x \mapsto x^\alpha$ is a permutation in $\GF{\ParamP{q}}$. integer for which $x \mapsto x^\alpha$ is a permutation in $\GF{\ParamP{q}}$.
@ -8581,19 +8588,20 @@ is specified as:
sponge mode limits an adversary to only being able to influence part of the $\Poseidon$ sponge mode limits an adversary to only being able to influence part of the $\Poseidon$
permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in permutation input, and we use it only to construct a PRF ($\PRFnf{Orchard}{}$ as described in
\crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$, \crossref{concreteprfs}). Half of the sponge input is a random key $\NullifierKey$,
known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRandRepr$ known only to holders of a \fullViewingKey, and the remaining half $\NoteUniqueRand$
is also chosen randomly by the \note creator (both are derived using $\PRFexpand{}$, comes from a previous \nullifier which is effectively a random $x$-coordinate on the
from $\SpendingKey$ and $\NoteSeedBytes$ respectively). Then the PRF is used to enhance \pallasCurve. Then the PRF is used to enhance the security of a discrete-logarithm-based
the security of a discrete-log-based nullifier construction (described in \crossref{...}) nullifier construction (described in \cite[Section 3.5 Nullifiers]{Zcash-Orchard})
against a potential discrete-log-breaking adversary. Given the weak assumption against a potential discrete-log-breaking adversary. Given the weak assumption
that the $\PoseidonHash$ sponge produces output that preserves sufficient entropy that the $\PoseidonHash$ sponge produces output that preserves sufficient entropy
from the inputs $\NullifierKey$ and $\NoteUniqueRandRepr$, this nullifier from the inputs $\NullifierKey$ and $\NoteUniqueRand$, this nullifier
construction would still be secure under a decisional Diffie--Hellman assumption construction would still be secure under a decisional Diffie--Hellman assumption
on the \Pallas curve, even if the $\Poseidon$-based PRF were distinguishable from on the \Pallas curve, even if the $\Poseidon$-based PRF were distinguishable from
an ideal PRF. an ideal PRF.
The recommended number of partial rounds for these parameters in the Poseidon paper The recommended number of partial rounds for these parameters in the Poseidon paper
is $57$, but we prefer an even number of partial rounds for circuit efficiency. is $57$, but we prefer an even number of partial rounds to simplify the circuit
implementation.
\item The constant $2^{65}$ comes from \cite[section 4.2]{GKRRS2019}: \item The constant $2^{65}$ comes from \cite[section 4.2]{GKRRS2019}:
``Constant-Input-Length Hashing. The capacity value is $\mathit{length} \mult (2^{64}) + (o - 1)$ ``Constant-Input-Length Hashing. The capacity value is $\mathit{length} \mult (2^{64}) + (o - 1)$
where $o$ is the output length.'' In this case the input length ($\mathit{length}$) is where $o$ is the output length.'' In this case the input length ($\mathit{length}$) is
@ -13987,6 +13995,7 @@ Peter Newell's illustration of the Jubjub bird, from \cite{Carroll1902}.
between the protocol specification and \cite{ZIP-225}. between the protocol specification and \cite{ZIP-225}.
\item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent. \item Make the naming of $\enableSpends$ and $\enableOutputs$ consistent.
\end{itemize} \end{itemize}
\item Update specification of $\Poseidon$.
\item Add references to \cite{Zcash-halo2}. \item Add references to \cite{Zcash-halo2}.
\item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}. \item Correct the description of $\lengthField$ in \crossref{unifiedpaymentaddrencoding}.
\item Correct the type signature of $\DiversifyHash{Orchard}$ in \crossref{abstracthashes}. \item Correct the type signature of $\DiversifyHash{Orchard}$ in \crossref{abstracthashes}.

19
protocol/zcash.bib
View File

@ -501,6 +501,15 @@ Received March~20, 2012.}
Last updated December~16, 2020.} Last updated December~16, 2020.}
} }
@misc{Poseidon-1.1,
presort={Poseidon-1.1},
author={Lorenzo Grassi and Dmitry Khovratovich and Christian Rechberger and Arnab Roy and Markus Schofnegger},
title={Poseidon reference implementation, Version 1.1},
date={2021-03-07},
url={https://extgit.iaik.tugraz.at/krypto/hadeshash/-/commit/7ecf9a7d4f37e777ea27e4c4d379443151270563},
urldate={2021-03-23}
}
@misc{BDPA2007, @misc{BDPA2007,
presort={BDPA2007}, presort={BDPA2007},
author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}}, author={Guido Bertoni and Joan Daemen and Michaël Peeters and Gilles {Van Assche}},
@ -600,6 +609,16 @@ Last revised November~11, 2020.},
Lecture Notes in Computer Science; Springer, 2020.} Lecture Notes in Computer Science; Springer, 2020.}
} }
@misc{GRS2020,
presort={GRS2020},
author={Lorenzo Grassi and Christian Rechberger and Markus Schofnegger},
title={Proving Resistance Against Infinitely Long Subspace Trails: {H}ow to Choose the Linear Layer},
url={https://eprint.iacr.org/2020/500},
urldate={2021-03-23},
howpublished={Cryptology ePrint Archive: Report 2020/500.
Last revised January~27, 2021.}
}
@misc{AGRRT2017, @misc{AGRRT2017,
presort={AGRRT2017}, presort={AGRRT2017},
author={Martin Albrecht and Lorenzo Grassi and Christian Rechberger and author={Martin Albrecht and Lorenzo Grassi and Christian Rechberger and