Paper 2023/522
SAFE: Sponge API for Field Elements
Abstract
From hashing and commitment schemes to Fiat-Shamir and encryption, hash functions are everywhere in zero-knowledge proof systems (ZKPs), and minor performance changes in "vanilla" implementations can translate into major discrepancies when the hash is processed as a circuit within the proof system. Protocol designers have resorted to a number of techniques and custom modes to optimize hash functions for ZKP settings, but so far without a single established, well-studied construction. To address this need, we define the Sponge API for Field Elements (SAFE), a unified framework for permutation-based schemes (including AEAD, Sigma, PRNGs, and so on). SAFE eliminates the performance overhead, is pluggable into any field-oriented protocol, and is suitable for any permutation algorithm. SAFE is implemented in Filecoin's Neptune hash framework, which is our reference implementation (in Rust). SAFE is also being integrated in other prominent ZKP projects. This report specifies SAFE and describes some use cases. Among other improvements, our construction is among the first to store the protocol metadata in the sponge inner part in a provably secure way, which may be of independent interest to sponge use cases outside of ZKP.
Metadata
- Available format(s): PDF
- Category: Implementation
- Publication info: Preprint.
- Keywords: hashing, fiat-shamir, sponges
- Contact author(s):
  - jp @ taurusgroup ch
  - khovratovich @ gmail com
  - b mennink @ cs ru nl
  - porcuquine @ gmail com
- History:
  - 2023-04-12: approved
  - 2023-04-11: received
- Short URL: https://ia.cr/2023/522
- License: CC0
BibTeX
@misc{cryptoeprint:2023/522,
  author = {JP Aumasson and Dmitry Khovratovich and Bart Mennink and Porçu Quine},
  title = {{SAFE}: Sponge {API} for Field Elements},
  howpublished = {Cryptology {ePrint} Archive, Paper 2023/522},
  year = {2023},
  url = {https://eprint.iacr.org/2023/522}
}