In the paper, we construct security estimations of Poseidon hash function against non-binary linear and differential attacks. We adduce the general parameters for the Poseidon hash function that allow using this hash function in recurrent SNARK-proofs based on MNT-4 and MNT-6 triplets. We also analyse how to choose S-boxes for such function for this choice to be optimal from the point of view of the number of constraints and security. We show how many full rounds are sufficient to guarantee security of such hash function against non-binary linear and differential attacks. We also calculate the number of constraints per bit achieved in the proposed realizations and demonstrate a considerable gain as compared to the Pedersen hash function.

Load

Load