[Resource Topic] 2023/522: SAFE: Sponge API for Field Elements

Welcome to the resource topic for 2023/522

Title:
SAFE: Sponge API for Field Elements

Authors: JP Aumasson, Dmitry Khovratovich, Bart Mennink, Porçu Quine

Abstract:

From hashing and commitment schemes to Fiat-Shamir and encryption,
hash functions are everywhere in zero-knowledge proofsystems (ZKPs), and minor performance changes in "vanilla" implementations can translate into major discrepancies when the hash is processed as a circuit within the proofsystem.

Protocol designers have resorted to a number of techniques and custom
modes to optimize hash functions for ZKP settings, but so far without a single established, well-studied construction. To address this need, we define the Sponge API for Field Elements (SAFE), a unified framework for permutation-based schemes (including AEAD, Sigma, PRNGs, and so on). SAFE eliminates the performance overhead, is pluggable into any field-oriented protocol, and is suitable for any permutation algorithm.

SAFE is implemented in Filecoin’s Neptune hash framework, which is our reference implementation (in Rust). SAFE is also being integrated in other prominent ZKP projects. This report specifies SAFE and describes some use cases.

Among other improvements, our construction is among the first to store
the protocol metadata in the sponge inner part in a provably secure
way, which may be of independent interest to the sponge use cases outside of ZKP.

ePrint: https://eprint.iacr.org/2023/522

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.
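Added explanation material (not code from the paper, from Neptune, or from any of the authors): a minimal Python sponge over a prime field that follows the shape the abstract describes. The protocol's declared absorb/squeeze pattern is hashed into a tag that is placed in the capacity (the inner part) at start, absorbed field elements only ever touch the rate, every call is checked against the declared pattern, and finish refuses to complete a protocol that did not consume its whole pattern. Everything concrete here is an assumption of this example rather than SAFE's specified value: the field (the BLS12-381 scalar field), the toy x^5 permutation with circulant mixing, the SHA3-based tag encoding, the state width, and the rule that merges consecutive calls of the same kind. The permutation is a bijection but is not cryptographically secure; it stands in for Poseidon or another ZK-friendly permutation.

```python
import hashlib

# Assumed parameters for this illustration, not SAFE's specified ones.
P = 0x73EDA753299D7D483339D80809A1D80553BDA402FFFE5BFEFFFFFFFF00000001  # BLS12-381 scalar field
WIDTH, RATE = 3, 2      # state width t = 3, rate r = 2, capacity c = 1
ROUNDS = 8


def _toy_permutation(state):
    """Placeholder permutation: x^5 S-box (a bijection here since gcd(5, P-1) = 1),
    per-round constants, and an invertible circulant mixing layer (det = 18 mod P).
    It stands in for Poseidon/Rescue and is NOT cryptographically secure."""
    s = list(state)
    for rnd in range(ROUNDS):
        s = [pow((x + rnd * 7919 + i * 104729) % P, 5, P) for i, x in enumerate(s)]
        s = [(2 * s[i] + s[(i + 1) % WIDTH] + 3 * s[(i + 2) % WIDTH]) % P for i in range(WIDTH)]
    return s


def normalize(io_pattern):
    """Merge consecutive calls of the same kind (assumed rule) so that
    [('A',1),('A',1),('S',1)] and [('A',2),('S',1)] describe the same protocol."""
    merged = []
    for op, n in io_pattern:
        if op not in ("A", "S") or n <= 0:
            raise ValueError(f"bad IO pattern entry {(op, n)!r}")
        if merged and merged[-1][0] == op:
            merged[-1] = (op, merged[-1][1] + n)
        else:
            merged.append((op, n))
    return merged


def io_tag(io_pattern, domain):
    """Hash the pattern and a domain separator into one field element.
    Encoding assumed for this demo: 'A'/'S' plus a 4-byte big-endian length each."""
    enc = b"".join(op.encode() + n.to_bytes(4, "big") for op, n in io_pattern)
    digest = hashlib.sha3_256(enc + b"\x00" + domain).digest()
    return int.from_bytes(digest[:16], "big") % P


class FieldSponge:
    """Sponge whose inner part is initialised with the protocol metadata tag."""

    def __init__(self, io_pattern, domain=b""):
        self.pattern = normalize(io_pattern)
        # Flatten to one expected op per element so each call can be checked.
        self.expected = [op for op, n in self.pattern for _ in range(n)]
        self.cursor = 0
        self.state = [0] * WIDTH
        self.state[RATE] = io_tag(self.pattern, domain)   # tag lives in the capacity
        self.absorb_pos = 0
        self.squeeze_pos = RATE      # first squeeze must run the permutation
        self.done = False

    def _next(self, op):
        if self.done or self.cursor >= len(self.expected):
            raise ValueError("call outside the declared IO pattern")
        if self.expected[self.cursor] != op:
            raise ValueError(f"expected {self.expected[self.cursor]}, got {op}")
        self.cursor += 1

    def absorb(self, elems):
        for x in elems:
            self._next("A")
            if self.absorb_pos == RATE:
                self.state = _toy_permutation(self.state)
                self.absorb_pos = 0
            # Only rate slots are ever written by absorbed data.
            self.state[self.absorb_pos] = (self.state[self.absorb_pos] + x % P) % P
            self.absorb_pos += 1
        self.squeeze_pos = RATE      # a squeeze after absorb must permute first

    def squeeze(self, n):
        out = []
        for _ in range(n):
            self._next("S")
            if self.squeeze_pos == RATE:
                self.state = _toy_permutation(self.state)
                self.squeeze_pos = 0
                self.absorb_pos = 0
            out.append(self.state[self.squeeze_pos])
            self.squeeze_pos += 1
        return out

    def finish(self):
        if self.cursor != len(self.expected):
            raise ValueError("IO pattern not fully consumed")
        self.state = [0] * WIDTH     # erase the state
        self.done = True


def hash2(a, b, domain=b"merkle-node"):
    """2-to-1 compression as a Merkle tree would use it: absorb two, squeeze one."""
    sp = FieldSponge([("A", 2), ("S", 1)], domain)
    sp.absorb([a, b])
    (h,) = sp.squeeze(1)
    sp.finish()
    return h


def capacity_untouched_by_absorb():
    """Absorbing a full rate block leaves the inner part holding only the tag."""
    sp = FieldSponge([("A", 2), ("S", 1)], b"demo")
    tag = sp.state[RATE]
    sp.absorb([5, 6])
    return sp.state[RATE] == tag


if __name__ == "__main__":
    print(hex(hash2(1, 2)))
    print("capacity holds the tag until the permutation runs:", capacity_untouched_by_absorb())
```

The security-relevant behaviours to observe: two protocols that absorb identical elements under different IO patterns or domain separators get different tags and therefore different outputs, so a transcript from one protocol cannot be replayed as another; and the API rejects a squeeze where an absorb was declared, or a finish before the pattern is complete, so a mismatch between the circuit's declared pattern and the prover's actual calls fails loudly rather than silently producing a hash of the wrong thing.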