Try   HackMD

The Sponge Construction in Polygon zkEVM

By Héctor and Tomer. This note comes out of a discussion with Markus, Tomer, Al, and Jordi.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

What others do

Poseidon is a hash function instantiating a sponge construction using the Poseidon

π permutation. The standard way to use the sponge construction is to carry over the output of one permutation call as input to the next. A widely used optimization, sometimes known as overwrite mode, is to truncate the top part of the permutation and only carry over the lower part to the next call.

What we do

In Polygon zkEVM, we are using a slightly modified version of this construction. The modification is in how we use the output of one permutation call as input to the next one. Rather than preserving the order of inputs between permutations, we carry over the four topmost elements of the last permutation output to be the bottom four elements of the next permutation’s input.

Where do we do It

  1. Linear Hashing. Here we just need to squeeze out four output elements and therefore only one permutation call is made in the squeezing phase. Also, by continuosly linear hashing distinct leaf elements and hashing together the result of distinct levels we can build a Merkle tree.
  2. Fiat-Shamir'ing things. In this scenario, we may need more than four output elements. To this end, we make as many permutation calls as necessary squeezing out four output elements each time until the desired number of outputs is achieved.

Is it safe to do it?

Yes, assuming Poseidon

π is a secure permutation. To see this, observe that the routing of output wires can be achieved by multiplying the output vector with a permutation matrix. Then, this permutation matrix can be absorbed into Poseidon
π’s last MDS matrix without affecting its cryptographic properties. Then, employing this new variant of Poseidon
π in overwrite mode results in our construction.

Another approach to this question, providing a more general result, is to consider that if the four topmost elements can be distinguished from the bottom four elements it implies that they have different distributions; and therefore, at least one of these sets is not uniformly distributed. This in turn implies that the unmodified sponge function is insecure.

Last changed by 
Héctor Masip
0
195

Read more

Elliptic Curves over Goldilocks

https://eprint.iacr.org/2022/274.pdf

Mar 13, 2025
Fflonk

Link to the paper: https://eprint.iacr.org/2021/1167.pdfLink to the slides: https://hecmas.github.io/talk/fflonk-for-the-polygon-zkevm/Link to some comments and optimizations: https://hackmd.io/-2oVDtk4TJGVWFAYvUoY1g?view

Dec 5, 2024
Computing the Optimal Ate Pairing over the BN254 Curve

The post BN254 For The Rest Of Us constitutes the base point for this article, so I highly recommend reading it to get a solid background of the BN254 curve. This post will reuse some parts of this post with an emphasy on the computational aspect of the optimal Ate pairing over the BN254 curve.

Jun 6, 2024
Computing the Optimal Ate Pairing over the BLS12-381 Curve

Draft IETF standard for pairing-friendly curves.

Apr 20, 2024
Read more from Héctor Masip
Published on HackMD