Paper 2023/522

SAFE: Sponge API for Field Elements

JP Aumasson, Taurus and Inference
Dmitry Khovratovich, Ethereum Foundation and Dusk Network
Bart Mennink, Radboud University Nijmegen
Porçu Quine, Lurk Lab and Protocol Labs

From hashing and commitment schemes to Fiat-Shamir and encryption, hash functions are everywhere in zero-knowledge proofsystems (ZKPs), and minor performance changes in ``vanilla'' implementations can translate in major discrepancies when the hash is processed as a circuit within the proofsystem. Protocol designers have resorted to a number of techniques and custom modes to optimize hash functions for ZKPs settings, but so far without a single established, well-studied construction. To address this need, we define the Sponge API for Field Elements (SAFE), a unified framework for permutation-based schemes (including AEAD, Sigma, PRNGs, and so on). SAFE eliminates the performance overhead, is pluggable in any field-oriented protocol, and is suitable for any permutation algorithm. SAFE is implemented in Filecoin's Neptune hash framework, {which is} our reference implementation (in Rust). SAFE is also being integrated in other prominent ZKP projects. This report specifies SAFE and describes some use cases. Among other improvements, our construction is among the first to store the protocol metadata in the sponge inner part in a provably secure way, which may be of independent interest to the sponge use cases outside of ZKP.

Available format(s)
Publication info
Contact author(s)
jp @ taurusgroup ch
khovratovich @ gmail com
b mennink @ cs ru nl
porcuquine @ gmail com
2023-04-12: approved
2023-04-11: received
See all versions
Short URL
No rights reserved


      author = {JP Aumasson and Dmitry Khovratovich and Bart Mennink and Porçu Quine},
      title = {SAFE: Sponge API for Field Elements},
      howpublished = {Cryptology ePrint Archive, Paper 2023/522},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.