Paper 2023/1045

XHash: Efficient STARK-friendly Hash Function

Tomer Ashur, Polygon Research, 3MI Labs, Leuven, Belgium
Amit Singh Bhati, COSIC, KU Leuven, Belgium
Al Kindi, Polygon
Mohammad Mahzoun, Eindhoven University of Technology
Léo Perrin, Inria
Abstract

Zero-knowledge proofs are widely used in real-world applications for authentication, access control, blockchains, and cryptocurren- cies, to name a few. A core element in zero-knowledge proof systems is the underlying hash function, which plays a vital role in the effi- ciency of the proof system. While the traditional hash functions, such as SHA3 or BLAKE3 are efficient on CPU architectures, they perform poorly within zero-knowledge proof systems. This is pri- marily due to the requirement of these systems for hash functions that operate efficiently over finite fields of large prime order as well as binary fields. To address this challenge, a new paradigm called Arithmetization-Orientation has emerged. These designs are tai- lored to improve the efficiency of hashing within zero-knowledge proof systems while providing reliable security guarantees. In this work, we propose XHash, which is a high-performance hash function designed for ZK-STARKs and is inspired by the Mar- vellous design strategy. When using Algebraic Intermediate Repre- sentation, XHash outperforms Rescue and Poseidon as the most im- portant ZK-friendly hash functions for STARKs. Moreover, XHash has a competitive performance on CPU architectures with an av- erage speed of ≈ 3𝜇𝑠 for 2-to-1 hashing. Compared to RPO, which is the fastest hash function of the Marvellous family, XHash per- forms ≈ 2.5 times faster on CPU. From the security perspective, XHash inherits the security of the Marvellous design strategy, and we analyze its security against state-of-the-art algebraic attacks. Additionally, we propose a new type of security argument against algebraic attacks that relies on a single well-defined and reasonable conjecture of a novel type. Finally, we specify a standard version of XHash designed for Polygon Miden VM, with its AIR complexity being 504, compared to Rescue with an AIR complexity of 672, and Poseidon with an AIR complexity of 1176.

Note: Improve security arguments. Add a new coauthor to the paper.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
Arithmetization-OrientedHash functionRescue PrimeMerkle tree hashingSTARK-friendly hashing
Contact author(s)
tomer @ cryptomeria tech
amitsingh bhati @ esat kuleuven be
al-kindi-0 @ protonmail com
mail @ mahzoun me
perrin leo @ gmail com
History
2024-08-06: last of 5 revisions
2023-07-04: received
See all versions
Short URL
https://ia.cr/2023/1045
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/1045,
      author = {Tomer Ashur and Amit Singh Bhati and Al Kindi and Mohammad Mahzoun and Léo Perrin},
      title = {{XHash}: Efficient {STARK}-friendly Hash Function},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1045},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1045}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.