Skip to main content

The Poseidon Hash

The Poseidon is a hash function designed for zero-knowledge proof systems like zkSNARKs. It operates over the GF(p)GF(p) prime field. The main advantage of the Poseidon hash is a circuits building simplification.

The Poseidon contains a series of rounds each based on input permutations (add constants, exponentiation and mixing). S-box routine is just an exponentiation number in the GF(p)GF(p) field (the power of 5).

The round constants and S-box operations count depend on the parameter set. The Poseidon parameters are tuple (t,f,p,c,m)(t, f, p, c, m), where

  • tt is a number of S-box routines in the one round. It also specifies an input dimension: hash function supports up to tt input numbers
  • ff is a full rounds count (tt S-box routines)
  • pp is a partial rounds count (single S-box routine)
  • cc is a round constants array ((f+p)×t(f+p) \times t dimension)
  • mm is a square array used for mixing function (t×tt \times t dimension)

The Poseidon routine produces a resulting hash (over prime field) after (f+p)(f+p) rounds.

As mentioned previously there are different parameter sets used for hashes in the Merkle tree. These hash types are explained in the table below. The parameter set is presented in the reduced form (just a tuple(t,f,p)(t, f, p)):

LabelParametersHash purposeInputs
HashHash2, 8, 56Key derivation (η\eta and PdP_d)Transaction verifier keyAA or diversifier dd
HashmerkleHash_{merkle}3, 8, 56Merkle tree's nodetwo child nodes or leafs
HasheddsaHash_{eddsa}4, 8, 56EDDSA sign and verifyR.x,A.x,HR.x, A.x, H​ (details)
HashnoteHash_{note}/HashnullifierHash_{nullifier}5, 8, 56

Note hash;

Nullifier

d, P_d, b, t (details)

Account hash and \eta (details)

HashaccountHash_{account}/HashspongeHash_{sponge}6, 8, 57

Account hash;

Transaction hash

\eta, i, b,t (details)​;

account and notes hashes with transaction commitment (details)

info

Poseidon specification

This page provides just a simple description of the Poseidon hash function. For additional details please refer to the original publication. It contains exhaustive materials, security investigations, implementation details, proof system applications and so on.