Skip to content

Poseidon-Hash/Poseidon2b

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
anemoi_bench
anemoi_bench
 
 
binius_poseidon2b
binius_poseidon2b
 
 
poseidon2b_bench
poseidon2b_bench
 
 
poseidonb_bench
poseidonb_bench
 
 
sage-ref
sage-ref
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Poseidon2b

This repository provides research and reference code for integrating the Poseidon2b hash function into the Binius framework.

The project is organized into two main components with distinct licensing origins:

  1. binius_poseidon2b/ folder – Based on code from the Binius project, commit 924103fe50a9767b03c61981a5df12dafc1f44bd. The code has been adapted and extended to support the Poseidon2b hash function. The original Binius code is licensed under the Apache License, Version 2.0, see binius_poseidon2b/LICENSE for the full license text.

  2. sage-ref/ folder – Contains original SageMath reference implementations and related research code. This code, along with all top-level files not otherwise specified, is released under the MIT License (see LICENSE).

If you redistribute or reuse this code, ensure compliance with both the Apache 2.0 and MIT license conditions as they apply to each component.

Citing the E-Print version and this repository

@misc{iacr/GrassiKKRSS25-poseidon2b,
  author       = {Lorenzo Grassi and Dmitry Khovratovich and Katharina Koschatko and Christian Rechberger and Markus Schofnegger and Verena Schr{\"{o}}ppel},
  title        = {{Poseidon2b}: A Binary Field Version of {Poseidon2}},
  howpublished = {{IACR} Cryptology ePrint Archive, Paper 2025/058},
  year         = {2025},
  url          = {https://eprint.iacr.org/2025/058},
  note         = {Reference implementations available at https://github.com/Poseidon-Hash/Poseidon2b},
}

Proof implementation in Binius

Extensions to the Binius project:

The instances can be run inside the binius_poseidon2b/ folder with:

cargo run --release --example poseidon2b -- --n 32 --t 16

The parameters n and t define the field sizes and state sizes and can be combined as defined in the parameter specification.

Additionally, --n-permutations can be used to specify the number of permutations to verify.

The concrete proof implementations for each parameter set can be found in the circuits subfolder hades.

The code was developed and tested using cargo 1.88.0-nightly and Python 3.10.12.

Benchmark Results

Permutation n t #Perm Proof size (KiB) Proving time (s) (single-threaded) Proving time (s) (multi-threaded) Verify time (ms) (single-threaded) Verify time (ms) (multi-threaded)
Keccak-f 64 24 2¹³ 438 3.038 0.425 45.70 46.59
SHA-256 32 16 2¹⁴ 701 5.248 1.383 233.55 235.30
Groestl-P 8 64 2¹⁴ 416 0.495 0.170 114.97 115.81
Vision-32b 32 24 2¹⁴ 560 1.764 0.605 10.12 10.60
Poseidon2bπ 32 16 2¹⁴ 402 0.400 0.148 5.07 5.15
Poseidon2bπ 32 24 2¹⁴ 471 0.528 0.211 5.99 6.15
Poseidon2bπ 64 8 2¹⁴ 366 0.485 0.150 4.34 4.39
Poseidon2bπ 64 12 2¹⁴ 426 0.760 0.220 4.79 4.91
Poseidon2bπ 128 4 2¹⁴ 507 2.642 0.564 6.24 6.52
Poseidon2bπ 128 6 2¹⁴ 525 2.916 0.617 6.56 6.84

For Keccak-f, we prove 2¹³ permutation calls, which results in a hash size of 1.1 MB. For all other permutation functions, the hash output size is 1.049 MB for 2¹⁴ permutation invocations.

Benchmark setup:
All performances were measured on an AMD Ryzen 9 7900X (12 cores). The Rust implementations were compiled and executed in release mode using:

RUSTFLAGS="-C target-cpu=native"

Sage implementations

Contents:

  • Poseidon2b.sage – SageMath reference implementation of the Poseidon2b permutation.

  • Poseidon2b.ipynb – Jupyter notebook demonstrating example usage, including the definition of Poseidon2b instances.

  • AlgebraicModels.ipynb – SageMath implementations of the algebraic models analyzed in the accompanying paper.

The code and notebooks were developed and tested using SageMath 10.6 with Python 3.12.5. Using the same version is recommended to ensure compatibility.

Poseidon2b Notes

  • Additive constants, MDS (full/partial), and round counts (R_f, R_p) are taken directly from binius_poseidon2b to match the reference parameters.
  • Partial rounds use the O(t) MDS multiplication:
    • y_i = (mu_i - 1) * x_i + sum_{j=0}^{t-1} x_j

The instances can be run inside the poseidon2b_bench/ folder with:

RUSTFLAGS="-C target-cpu=native" cargo run --release

Anemoi Notes (binary fields)

  • Parameters: beta = g, gamma = g^{-1}, delta = 0, with g the multiplicative generator of the field.
  • S-box on each (x, y) pair:
    1. x <- x + g * y^alpha + g^{-1}
    2. y <- y + x^(1/alpha)
    3. x <- x + g * y^alpha
    • The safety of this S-box shape is not fully certain; the original text suggests using exponents of the form alpha = 2^i + 1 with gcd(i, n) = 1 for security. And currently the alpha is 7.
  • Estimated algebraic attack cost (FGLM-style):

    • C_alg(r) = l * r * 9^(2 * l * r), where t = 2l is the state size and r is the number of rounds.

      The instances can be run inside the anemoi_bench/ folder with:

RUSTFLAGS="-C target-cpu=native" cargo run --release --bin anemoi_bench
The parameters can be generated by:

RUSTFLAGS="-C target-cpu=native" cargo run --release --bin gen_params

About

We present Poseidon2b, a binary hardware friendly version of Poseidon2. It is designed to work together with binary extension field proving systems such as Binius.

eprint.iacr.org/2025/1893

Topics

poseidon zk arithmetization-friendly-hash-functions binius

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

7 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 2

Languages