Skip to main content
Version: 2.15.0

Poseidon

const Poseidon: {
  Sponge: typeof Sponge;
  Unsafe: {
     hashToGroup: Group;
  };
  hash: Field;
  hashAnyLength: Field;
  hashPacked: Field;
  hashToGroup: Group;
  hashWithPrefix: Field;
  initialState: [Field, Field, Field];
  update: [Field, Field, Field];
};

Defined in: lib/provable/crypto/poseidon.ts:82

Applies the full Poseidon permutation to the provided state.

Type Declaration

Sponge

Sponge: typeof Sponge;

Unsafe

Unsafe: {
  hashToGroup: Group;
};

Unsafe.hashToGroup()

hashToGroup(input: Field[]): Group;

Low-level version of Poseidon.hashToGroup().

Warning: This function is marked unsafe because its output is not deterministic. It returns the square root of a value without constraining which of the two possible square roots is chosen. This allows the prover to choose between two different hashes, which can be a vulnerability if consuming code treats the output as unique.

Parameters
input

Field[]

Returns

Group

hash()

hash(input: Field[]): Field;

Parameters

input

Field[]

Returns

Field

hashAnyLength()

hashAnyLength(input: Field[]): Field;

Parameters

input

Field[]

Returns

Field

hashPacked()

hashPacked<T>(type: WithProvable<Hashable<T>>, value: T): Field;

Hashes a provable type efficiently.

let skHash = Poseidon.hashPacked(PrivateKey, secretKey);

Note: Instead of just doing Poseidon.hash(value.toFields()), this uses the toInput() method on the provable type to pack the input into as few field elements as possible. This saves constraints because packing has a much lower per-field element cost than hashing.

Type Parameters

T

T

Parameters

type

WithProvable<Hashable<T>>

value

T

Returns

Field

hashToGroup()

hashToGroup(input: Field[]): Group;

Hashes a list of field elements to a point on the Pallas curve.

The output point is deterministic and its discrete log is not efficiently computable.

Parameters

input

Field[]

Returns

Group

hashWithPrefix()

hashWithPrefix(prefix: string, input: Field[]): Field;

Parameters

prefix

string

input

Field[]

Returns

Field

initialState()

initialState(): [Field, Field, Field];

Returns

[Field, Field, Field]

update()

update(state: [Field, Field, Field], input: Field[]): [Field, Field, Field];

Parameters

state

[Field, Field, Field]

input

Field[]

Returns

[Field, Field, Field]

Warning

Internally, this pads inputs with trailing zeros to reach an even length (a multiple of the rate which is 2). This means that inputs that only differ in trailing zeros will collide (they produce an identical output); therefore, it MUST only be used with fixed-length inputs. In-circuit, padded input messages lead to another circuit and hence different verification key, so this cannot be exploited to tamper proofs (a proof for the padded input cannot be verified with the keys for the circuit encoding hashes of unpadded input lengths). If you need to hash variable-length inputs, or are in doubt, instead of Poseidon.hash() please use Poseidon.hashAnyLength(), which includes the length of your message as part of the hash input to prevent collisions.

Example

const state = [Field.from(1n)];
const padded = [...state, Field.from(0n)];

poseidonBlockCipher(params, state);
poseidonBlockCipher(params, padded);
assert(FieldVector.equals(state, padded));