miden_crypto/hash/algebraic_sponge/poseidon2/mod.rs
1use super::{
2 AlgebraicSponge, CAPACITY_RANGE, DIGEST_RANGE, Felt, PrimeCharacteristicRing, RATE_RANGE,
3 RATE0_RANGE, RATE1_RANGE, Range, STATE_WIDTH, Word, ZERO,
4};
5
6mod constants;
7use constants::{
8 ARK_EXT_INITIAL, ARK_EXT_TERMINAL, ARK_INT, MAT_DIAG, NUM_EXTERNAL_ROUNDS_HALF,
9 NUM_INTERNAL_ROUNDS,
10};
11
12#[cfg(test)]
13mod test;
14
15/// Implementation of the Poseidon2 hash function with 256-bit output.
16///
17/// The implementation follows the original [specification](https://eprint.iacr.org/2023/323) and
18/// its accompanying reference [implementation](https://github.com/HorizenLabs/poseidon2).
19///
20/// The parameters used to instantiate the function are:
21/// * Field: 64-bit prime field with modulus 2^64 - 2^32 + 1.
22/// * State width: 12 field elements.
23/// * Capacity size: 4 field elements.
24/// * S-Box degree: 7.
25/// * Rounds: There are 2 different types of rounds, called internal and external, and are
26/// structured as follows:
27/// - Initial External rounds (IE): `add_constants` → `apply_sbox` → `apply_matmul_external`.
28/// - Internal rounds: `add_constants` → `apply_sbox` → `apply_matmul_internal`, where the constant
29/// addition and sbox application apply only to the first entry of the state.
30/// - Terminal External rounds (TE): `add_constants` → `apply_sbox` → `apply_matmul_external`.
31/// - An additional `apply_matmul_external` is inserted at the beginning in order to protect against
32/// some recent attacks.
33///
34/// The above parameters target a 128-bit security level. The digest consists of four field elements
35/// and it can be serialized into 32 bytes (256 bits).
36///
37/// ## Hash output consistency
38/// Functions [hash_elements()](Poseidon2::hash_elements), [merge()](Poseidon2::merge), and
39/// [merge_with_int()](Poseidon2::merge_with_int) are internally consistent. That is, computing
40/// a hash for the same set of elements using these functions will always produce the same
41/// result. For example, merging two digests using [merge()](Poseidon2::merge) will produce the
42/// same result as hashing 8 elements which make up these digests using
43/// [hash_elements()](Poseidon2::hash_elements) function.
44///
45/// However, [hash()](Poseidon2::hash) function is not consistent with functions mentioned above.
46/// For example, if we take two field elements, serialize them to bytes and hash them using
47/// [hash()](Poseidon2::hash), the result will differ from the result obtained by hashing these
48/// elements directly using [hash_elements()](Poseidon2::hash_elements) function. The reason for
49/// this difference is that [hash()](Poseidon2::hash) function needs to be able to handle
50/// arbitrary binary strings, which may or may not encode valid field elements - and thus,
51/// deserialization procedure used by this function is different from the procedure used to
52/// deserialize valid field elements.
53///
54/// Thus, if the underlying data consists of valid field elements, it might make more sense
55/// to deserialize them into field elements and then hash them using
56/// [hash_elements()](Poseidon2::hash_elements) function rather than hashing the serialized bytes
57/// using [hash()](Poseidon2::hash) function.
58///
59/// ## Domain separation
60/// [merge_in_domain()](Poseidon2::merge_in_domain) hashes two digests into one digest with some
61/// domain identifier and the current implementation sets the second capacity element to the value
62/// of this domain identifier. Using a similar argument to the one formulated for domain separation
63/// in Appendix C of the [specifications](https://eprint.iacr.org/2023/1045), one sees that doing
64/// so degrades only pre-image resistance, from its initial bound of c.log_2(p), by as much as
65/// the log_2 of the size of the domain identifier space. Since pre-image resistance becomes
66/// the bottleneck for the security bound of the sponge in overwrite-mode only when it is
67/// lower than 2^128, we see that the target 128-bit security level is maintained as long as
68/// the size of the domain identifier space, including for padding, is less than 2^128.
69///
70/// ## Hashing of empty input
71/// The current implementation hashes empty input to the zero digest [0, 0, 0, 0]. This has
72/// the benefit of requiring no calls to the Poseidon2 permutation when hashing empty input.
73#[allow(rustdoc::private_intra_doc_links)]
74#[derive(Debug, Copy, Clone, Eq, PartialEq)]
75pub struct Poseidon2();
76
77impl AlgebraicSponge for Poseidon2 {
78 fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) {
79 // 1. Apply (external) linear layer to the input
80 Self::apply_matmul_external(state);
81
82 // 2. Apply initial external rounds to the state
83 Self::initial_external_rounds(state);
84
85 // 3. Apply internal rounds to the state
86 Self::internal_rounds(state);
87
88 // 4. Apply terminal external rounds to the state
89 Self::terminal_external_rounds(state);
90 }
91}
92
93impl Poseidon2 {
94 // CONSTANTS
95 // --------------------------------------------------------------------------------------------
96
97 /// Target collision resistance level in bits.
98 pub const COLLISION_RESISTANCE: u32 = 128;
99
100 /// Number of initial or terminal external rounds.
101 pub const NUM_EXTERNAL_ROUNDS_HALF: usize = NUM_EXTERNAL_ROUNDS_HALF;
102 /// Number of internal rounds.
103 pub const NUM_INTERNAL_ROUNDS: usize = NUM_INTERNAL_ROUNDS;
104
105 /// Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for the
106 /// rate and the remaining 4 elements are reserved for the capacity.
107 pub const STATE_WIDTH: usize = STATE_WIDTH;
108
109 /// The rate portion of the state is located in elements 0 through 7 (inclusive).
110 pub const RATE_RANGE: Range<usize> = RATE_RANGE;
111
112 /// The first 4-element word of the rate portion.
113 pub const RATE0_RANGE: Range<usize> = RATE0_RANGE;
114
115 /// The second 4-element word of the rate portion.
116 pub const RATE1_RANGE: Range<usize> = RATE1_RANGE;
117
118 /// The capacity portion of the state is located in elements 8, 9, 10, and 11.
119 pub const CAPACITY_RANGE: Range<usize> = CAPACITY_RANGE;
120
121 /// The output of the hash function can be read from state elements 0, 1, 2, and 3 (the first
122 /// word of the state).
123 pub const DIGEST_RANGE: Range<usize> = DIGEST_RANGE;
124
125 /// Matrix used for computing the linear layers of internal rounds.
126 pub const MAT_DIAG: [Felt; STATE_WIDTH] = MAT_DIAG;
127
128 /// Round constants added to the hasher state.
129 pub const ARK_EXT_INITIAL: [[Felt; STATE_WIDTH]; NUM_EXTERNAL_ROUNDS_HALF] = ARK_EXT_INITIAL;
130 pub const ARK_EXT_TERMINAL: [[Felt; STATE_WIDTH]; NUM_EXTERNAL_ROUNDS_HALF] = ARK_EXT_TERMINAL;
131 pub const ARK_INT: [Felt; NUM_INTERNAL_ROUNDS] = ARK_INT;
132
133 // HASH FUNCTIONS
134 // --------------------------------------------------------------------------------------------
135
136 /// Returns a hash of the provided sequence of bytes.
137 #[inline(always)]
138 pub fn hash(bytes: &[u8]) -> Word {
139 <Self as AlgebraicSponge>::hash(bytes)
140 }
141
142 /// Applies the Poseidon2 permutation to the provided state in-place.
143 #[inline(always)]
144 pub fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) {
145 <Self as AlgebraicSponge>::apply_permutation(state);
146 }
147
148 /// Returns a hash of the provided field elements.
149 #[inline(always)]
150 pub fn hash_elements<E: crate::field::BasedVectorSpace<Felt>>(elements: &[E]) -> Word {
151 <Self as AlgebraicSponge>::hash_elements(elements)
152 }
153
154 /// Returns a hash of two digests. This method is intended for use in construction of
155 /// Merkle trees and verification of Merkle paths.
156 #[inline(always)]
157 pub fn merge(values: &[Word; 2]) -> Word {
158 <Self as AlgebraicSponge>::merge(values)
159 }
160
161 /// Returns a hash of multiple digests.
162 #[inline(always)]
163 pub fn merge_many(values: &[Word]) -> Word {
164 <Self as AlgebraicSponge>::merge_many(values)
165 }
166
167 /// Returns a hash of a digest and a u64 value.
168 #[inline(always)]
169 pub fn merge_with_int(seed: Word, value: u64) -> Word {
170 <Self as AlgebraicSponge>::merge_with_int(seed, value)
171 }
172
173 /// Returns a hash of two digests and a domain identifier.
174 #[inline(always)]
175 pub fn merge_in_domain(values: &[Word; 2], domain: Felt) -> Word {
176 <Self as AlgebraicSponge>::merge_in_domain(values, domain)
177 }
178
179 // POSEIDON2 PERMUTATION
180 // --------------------------------------------------------------------------------------------
181
182 /// Applies the initial external rounds of the permutation.
183 #[allow(clippy::needless_range_loop)]
184 #[inline(always)]
185 fn initial_external_rounds(state: &mut [Felt; STATE_WIDTH]) {
186 for r in 0..NUM_EXTERNAL_ROUNDS_HALF {
187 Self::add_rc(state, &ARK_EXT_INITIAL[r]);
188 Self::apply_sbox(state);
189 Self::apply_matmul_external(state);
190 }
191 }
192
193 /// Applies the internal rounds of the permutation.
194 #[allow(clippy::needless_range_loop)]
195 #[inline(always)]
196 fn internal_rounds(state: &mut [Felt; STATE_WIDTH]) {
197 for r in 0..NUM_INTERNAL_ROUNDS {
198 state[0] += ARK_INT[r];
199 state[0] = state[0].exp_const_u64::<7>();
200 Self::matmul_internal(state, MAT_DIAG);
201 }
202 }
203
204 /// Applies the terminal external rounds of the permutation.
205 #[inline(always)]
206 #[allow(clippy::needless_range_loop)]
207 fn terminal_external_rounds(state: &mut [Felt; STATE_WIDTH]) {
208 for r in 0..NUM_EXTERNAL_ROUNDS_HALF {
209 Self::add_rc(state, &ARK_EXT_TERMINAL[r]);
210 Self::apply_sbox(state);
211 Self::apply_matmul_external(state);
212 }
213 }
214
215 /// Applies the M_E (external) linear layer to the state in-place.
216 ///
217 /// This basically takes any 4 x 4 MDS matrix M and computes the matrix-vector product with
218 /// the matrix defined by `[[2M, M, ..., M], [M, 2M, ..., M], ..., [M, M, ..., 2M]]`.
219 ///
220 /// Given the structure of the above matrix, we can compute the product of the state with
221 /// matrix `[M, M, ..., M]` and compute the final result using a few addition.
222 #[inline(always)]
223 pub fn apply_matmul_external(state: &mut [Felt; STATE_WIDTH]) {
224 // multiply the state by `[M, M, ..., M]` block-wise
225 Self::matmul_m4(state);
226
227 // accumulate column-wise sums
228 let number_blocks = STATE_WIDTH / 4;
229 let mut stored = [ZERO; 4];
230 for j in 0..number_blocks {
231 let base = j * 4;
232 for l in 0..4 {
233 stored[l] += state[base + l];
234 }
235 }
236
237 // add stored column-sums to each element
238 for (i, val) in state.iter_mut().enumerate() {
239 *val += stored[i % 4];
240 }
241 }
242
243 /// Multiplies the state block-wise with a 4 x 4 MDS matrix.
244 #[inline(always)]
245 fn matmul_m4(state: &mut [Felt; STATE_WIDTH]) {
246 let t4 = STATE_WIDTH / 4;
247
248 for i in 0..t4 {
249 let idx = i * 4;
250
251 let a = state[idx];
252 let b = state[idx + 1];
253 let c = state[idx + 2];
254 let d = state[idx + 3];
255
256 let t0 = a + b;
257 let t1 = c + d;
258 let two_b = b.double();
259 let two_d = d.double();
260
261 let t2 = two_b + t1;
262 let t3 = two_d + t0;
263
264 let t4 = t1.double().double() + t3;
265 let t5 = t0.double().double() + t2;
266
267 let t6 = t3 + t5;
268 let t7 = t2 + t4;
269
270 state[idx] = t6;
271 state[idx + 1] = t5;
272 state[idx + 2] = t7;
273 state[idx + 3] = t4;
274 }
275 }
276
277 /// Applies the M_I (internal) linear layer to the state in-place.
278 ///
279 /// The matrix is given by its diagonal entries with the remaining entries set equal to 1.
280 /// Hence, given the sum of the state entries, the matrix-vector product is computed using
281 /// a multiply-and-add per state entry.
282 #[inline(always)]
283 pub fn matmul_internal(state: &mut [Felt; STATE_WIDTH], mat_diag: [Felt; 12]) {
284 let mut sum = ZERO;
285 for s in state.iter().take(STATE_WIDTH) {
286 sum += *s
287 }
288
289 for i in 0..state.len() {
290 state[i] = state[i] * mat_diag[i] + sum;
291 }
292 }
293
294 /// Adds the round constants to the state in-place.
295 #[inline(always)]
296 pub fn add_rc(state: &mut [Felt; STATE_WIDTH], ark: &[Felt; 12]) {
297 state.iter_mut().zip(ark).for_each(|(s, &k)| *s += k);
298 }
299
300 /// Applies the S-box (x^7) to each element of the state in-place.
301 #[inline(always)]
302 pub fn apply_sbox(state: &mut [Felt; STATE_WIDTH]) {
303 state[0] = state[0].exp_const_u64::<7>();
304 state[1] = state[1].exp_const_u64::<7>();
305 state[2] = state[2].exp_const_u64::<7>();
306 state[3] = state[3].exp_const_u64::<7>();
307 state[4] = state[4].exp_const_u64::<7>();
308 state[5] = state[5].exp_const_u64::<7>();
309 state[6] = state[6].exp_const_u64::<7>();
310 state[7] = state[7].exp_const_u64::<7>();
311 state[8] = state[8].exp_const_u64::<7>();
312 state[9] = state[9].exp_const_u64::<7>();
313 state[10] = state[10].exp_const_u64::<7>();
314 state[11] = state[11].exp_const_u64::<7>();
315 }
316}
317
318// PLONKY3 INTEGRATION
319// ================================================================================================
320
321/// Plonky3-compatible Poseidon2 permutation implementation.
322///
323/// This module provides a Plonky3-compatible interface to the Poseidon2 hash function,
324/// implementing the `Permutation` and `CryptographicPermutation` traits from Plonky3.
325///
326/// This allows Poseidon2 to be used with Plonky3's cryptographic infrastructure, including:
327/// - PaddingFreeSponge for hashing
328/// - TruncatedPermutation for compression
329/// - DuplexChallenger for Fiat-Shamir transforms
330use p3_challenger::DuplexChallenger;
331use p3_symmetric::{
332 CryptographicPermutation, PaddingFreeSponge, Permutation, TruncatedPermutation,
333};
334
335// POSEIDON2 PERMUTATION FOR PLONKY3
336// ================================================================================================
337
338/// Plonky3-compatible Poseidon2 permutation.
339///
340/// This struct wraps the Poseidon2 permutation and implements Plonky3's `Permutation` and
341/// `CryptographicPermutation` traits, allowing Poseidon2 to be used within the Plonky3 ecosystem.
342///
343/// The permutation operates on a state of 12 field elements (STATE_WIDTH = 12), with:
344/// - Rate: 8 elements (positions 0-7)
345/// - Capacity: 4 elements (positions 8-11)
346/// - Digest output: 4 elements (positions 0-3)
347#[derive(Debug, Copy, Clone, Eq, PartialEq)]
348pub struct Poseidon2Permutation256;
349
350impl Poseidon2Permutation256 {
351 // CONSTANTS
352 // --------------------------------------------------------------------------------------------
353
354 /// Number of initial or terminal external rounds.
355 pub const NUM_EXTERNAL_ROUNDS_HALF: usize = Poseidon2::NUM_EXTERNAL_ROUNDS_HALF;
356
357 /// Number of internal rounds.
358 pub const NUM_INTERNAL_ROUNDS: usize = Poseidon2::NUM_INTERNAL_ROUNDS;
359
360 /// Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and
361 /// the remaining 4 elements are reserved for capacity.
362 pub const STATE_WIDTH: usize = STATE_WIDTH;
363
364 /// The rate portion of the state is located in elements 0 through 7 (inclusive).
365 pub const RATE_RANGE: Range<usize> = Poseidon2::RATE_RANGE;
366
367 /// The capacity portion of the state is located in elements 8, 9, 10, and 11.
368 pub const CAPACITY_RANGE: Range<usize> = Poseidon2::CAPACITY_RANGE;
369
370 /// The output of the hash function can be read from state elements 0, 1, 2, and 3.
371 pub const DIGEST_RANGE: Range<usize> = Poseidon2::DIGEST_RANGE;
372
373 // POSEIDON2 PERMUTATION
374 // --------------------------------------------------------------------------------------------
375
376 /// Applies Poseidon2 permutation to the provided state.
377 ///
378 /// This delegates to the Poseidon2 implementation.
379 #[inline(always)]
380 pub fn apply_permutation(state: &mut [Felt; STATE_WIDTH]) {
381 Poseidon2::apply_permutation(state);
382 }
383}
384
385// PLONKY3 TRAIT IMPLEMENTATIONS
386// ================================================================================================
387
388impl Permutation<[Felt; STATE_WIDTH]> for Poseidon2Permutation256 {
389 fn permute_mut(&self, state: &mut [Felt; STATE_WIDTH]) {
390 Self::apply_permutation(state);
391 }
392}
393
394impl CryptographicPermutation<[Felt; STATE_WIDTH]> for Poseidon2Permutation256 {}
395
396// TYPE ALIASES FOR PLONKY3 INTEGRATION
397// ================================================================================================
398
399/// Poseidon2-based hasher using Plonky3's PaddingFreeSponge.
400///
401/// This provides a sponge-based hash function with:
402/// - WIDTH: 12 field elements (total state size)
403/// - RATE: 8 field elements (input/output rate)
404/// - OUT: 4 field elements (digest size)
405pub type Poseidon2Hasher = PaddingFreeSponge<Poseidon2Permutation256, 12, 8, 4>;
406
407/// Poseidon2-based compression function using Plonky3's TruncatedPermutation.
408///
409/// This provides a 2-to-1 compression function for Merkle tree construction with:
410/// - CHUNK: 2 (number of input chunks - i.e., 2 digests of 4 elements each = 8 elements)
411/// - N: 4 (output size in field elements)
412/// - WIDTH: 12 (total state size)
413///
414/// The compression function takes 8 field elements (2 digests) as input and produces
415/// 4 field elements (1 digest) as output.
416pub type Poseidon2Compression = TruncatedPermutation<Poseidon2Permutation256, 2, 4, 12>;
417
418/// Poseidon2-based challenger using Plonky3's DuplexChallenger.
419///
420/// This provides a Fiat-Shamir transform implementation for interactive proof protocols,
421/// with:
422/// - F: Generic field type (typically the same as Felt)
423/// - WIDTH: 12 field elements (sponge state size)
424/// - RATE: 8 field elements (rate of absorption/squeezing)
425pub type Poseidon2Challenger<F> = DuplexChallenger<F, Poseidon2Permutation256, 12, 8>;