p3_poseidon1/lib.rs
1//! The Poseidon1 permutation.
2//!
3//! # Overview
4//!
5//! Poseidon1 is a cryptographic hash function designed for efficient verification inside
6//! zero-knowledge proof systems (SNARKs, STARKs, etc). It operates natively over
7//! prime fields, avoiding the overhead of bit-decomposition required by traditional hashes
8//! like SHA-256 or Keccak.
9//!
10//! This crate provides [`Poseidon1`], an optimized implementation that uses the **sparse matrix
11//! decomposition** from the original paper (Appendix B) to factor the dense MDS matrix into
12//! sparse components. This reduces the cost of each partial round from O(t^2) to O(t), where
13//! t = `WIDTH` is the state width.
14//!
15//! # Round Structure
16//!
17//! Poseidon1 alternates between two types of rounds:
18//!
19//! ```text
20//! ┌──────────────────┐ ┌───────────────────┐ ┌──────────────────┐
21//! │ RF/2 full rounds │ → │ RP partial rounds │ → │ RF/2 full rounds │
22//! │ (S-box on all) │ │ (S-box on s[0]) │ │ (S-box on all) │
23//! └──────────────────┘ └───────────────────┘ └──────────────────┘
24//! ```
25//!
26//! - **Full rounds** (RF total, split equally): apply the S-box x^D to every state element,
27//! then multiply by the dense MDS matrix. These provide resistance against statistical
28//! attacks (differential, linear, rebound).
29//!
30//! - **Partial rounds** (RP total): apply the S-box only to `state[0]`, then multiply by a
31//! **sparse** matrix derived from the MDS factorization. These efficiently increase the
32//! algebraic degree to resist interpolation and Gröbner basis attacks.
33//!
34//! Each round follows the sequence: **AddRoundConstants → S-box → MixLayer**.
35//!
36//! # References
37//!
38//! - Grassi et al., "Poseidon1: A New Hash Function for Zero-Knowledge Proof Systems",
39//! USENIX Security 2021. <https://eprint.iacr.org/2019/458>
40//! - HorizenLabs reference implementation: <https://github.com/HorizenLabs/poseidon2>
41
42#![no_std]
43
44extern crate alloc;
45
46pub mod external;
47pub mod generic;
48pub mod internal;
49pub mod utils;
50
51use alloc::vec::Vec;
52use core::marker::PhantomData;
53
54pub use external::*;
55pub use generic::*;
56pub use internal::*;
57use p3_field::{Algebra, InjectiveMonomial, PrimeField};
58use p3_symmetric::{CryptographicPermutation, Permutation};
59use rand::distr::{Distribution, StandardUniform};
60use rand::{Rng, RngExt};
61
62/// Raw Poseidon1 parameters before the sparse matrix optimization.
63///
64/// These are the "textbook" parameters as generated by the Grain LFSR or any
65/// other parameter-generation script. They are transformed into the optimized
66/// sparse form used at runtime.
67///
68/// # Round Constant Layout
69///
70/// Constants are stored in a flat array with three consecutive sections:
71///
72/// ```text
73/// ┌──────────────┬──────────────────┬──────────────────┐
74/// │ initial full │ partial rounds │ terminal full │
75/// │ (RF/2 items) │ (RP items) │ (RF/2 items) │
76/// └──────────────┴──────────────────┴──────────────────┘
77/// ```
78///
79/// Each entry is a WIDTH-sized vector (one constant per state element per round).
80#[derive(Clone, Debug)]
81pub struct Poseidon1Constants<F, const WIDTH: usize> {
82 /// Total number of full rounds (split equally between initial and terminal).
83 pub rounds_f: usize,
84
85 /// Number of partial rounds.
86 pub rounds_p: usize,
87
88 /// First column of the circulant MDS matrix, stored as signed integers.
89 ///
90 /// This matches the representation used by the MDS crate, so concrete
91 /// fields can pass their verified constants directly without duplication.
92 /// During initialization, the dense form is expanded once for the sparse
93 /// decomposition, then discarded.
94 pub mds_circ_col: [i64; WIDTH],
95
96 /// Round constants, one WIDTH-sized vector per round.
97 ///
98 /// Total length = rounds_f + rounds_p.
99 pub round_constants: Vec<[F; WIDTH]>,
100}
101
102impl<F: PrimeField, const WIDTH: usize> Poseidon1Constants<F, WIDTH> {
103 /// Compute the optimized sparse-form constants from these raw parameters.
104 ///
105 /// This performs two transformations:
106 ///
107 /// 1. **Sparse matrix decomposition**: factors the dense MDS matrix into one
108 /// dense transition matrix and several sparse matrices. Each sparse matrix
109 /// is parameterized by two vectors of length WIDTH-1.
110 ///
111 /// 2. **Round constant compression**: via backward substitution through the
112 /// inverse MDS matrix, reduces each partial round's full constant vector
113 /// to a single scalar, except for the first partial round.
114 pub fn to_optimized(
115 &self,
116 ) -> (
117 FullRoundConstants<F, WIDTH>,
118 PartialRoundConstants<F, WIDTH>,
119 ) {
120 let half_f = self.rounds_f / 2;
121 let rounds_p = self.rounds_p;
122
123 // Split the flat round-constant array into three sections.
124 //
125 // Layout: [initial_full (RF/2) | partial (RP) | terminal_full (RF/2)]
126 let initial_rc: Vec<[F; WIDTH]> = self.round_constants[..half_f].to_vec();
127 let partial_rc: Vec<[F; WIDTH]> = self.round_constants[half_f..half_f + rounds_p].to_vec();
128 let terminal_rc: Vec<[F; WIDTH]> = self.round_constants[half_f + rounds_p..].to_vec();
129
130 // Expand circulant first column into dense MDS matrix for the sparse decomposition.
131 let mds: [[F; WIDTH]; WIDTH] = utils::circulant_to_dense(&self.mds_circ_col);
132
133 // Compress round constants and factor MDS into sparse matrices.
134 let (first_round_constants, opt_partial_rc, m_i, sparse_v, sparse_first_row) =
135 utils::compute_optimized_constants::<F, WIDTH>(&mds, rounds_p, &partial_rc);
136
137 // Compute textbook path constants (forward constant substitution).
138 let (textbook_scalar_constants, textbook_residual) =
139 utils::forward_constant_substitution::<F, WIDTH>(&mds, &partial_rc);
140
141 let full_constants = FullRoundConstants {
142 initial: initial_rc,
143 terminal: terminal_rc,
144 dense_mds: mds,
145 };
146
147 let partial_constants = PartialRoundConstants {
148 first_round_constants,
149 m_i,
150 sparse_first_row,
151 v: sparse_v,
152 round_constants: opt_partial_rc,
153 textbook_scalar_constants,
154 textbook_residual,
155 };
156
157 (full_constants, partial_constants)
158 }
159}
160
161/// The optimized Poseidon1 permutation.
162///
163/// Holds the pre-computed full and partial round layers and applies them
164/// in sequence: initial full rounds, then partial rounds, then terminal
165/// full rounds.
166#[derive(Clone, Debug)]
167pub struct Poseidon1<F, FullRoundPerm, PartialRoundPerm, const WIDTH: usize, const D: u64> {
168 /// The initial and terminal full round layers.
169 ///
170 /// Full rounds apply the S-box to every state element, then multiply
171 /// by the dense MDS matrix.
172 full_round_layer: FullRoundPerm,
173
174 /// The partial round layer using sparse matrix decomposition.
175 ///
176 /// Partial rounds apply the S-box only to the first state element,
177 /// then multiply by a sparse matrix in O(t) operations.
178 partial_round_layer: PartialRoundPerm,
179
180 _phantom: PhantomData<F>,
181}
182
183impl<F, FullRoundPerm, PartialRoundPerm, const WIDTH: usize, const D: u64>
184 Poseidon1<F, FullRoundPerm, PartialRoundPerm, WIDTH, D>
185where
186 F: PrimeField,
187 FullRoundPerm: FullRoundLayerConstructor<F, WIDTH>,
188 PartialRoundPerm: PartialRoundLayerConstructor<F, WIDTH>,
189{
190 /// Create a new optimized Poseidon1 from raw constants.
191 ///
192 /// Internally computes the sparse matrix decomposition and the
193 /// optimized round constants. This is the typical entry point.
194 pub fn new(raw: &Poseidon1Constants<F, WIDTH>) -> Self {
195 const {
196 assert!(D > 1);
197 }
198 let (full_constants, partial_constants) = raw.to_optimized();
199 Self::new_from_precomputed(full_constants, partial_constants)
200 }
201
202 /// Create a new optimized Poseidon1 from pre-computed constants.
203 ///
204 /// Use this when the sparse matrix decomposition has already been performed
205 /// (e.g., constants loaded from a file or hardcoded).
206 fn new_from_precomputed(
207 full_constants: FullRoundConstants<F, WIDTH>,
208 partial_constants: PartialRoundConstants<F, WIDTH>,
209 ) -> Self {
210 Self {
211 full_round_layer: FullRoundPerm::new_from_constants(full_constants),
212 partial_round_layer: PartialRoundPerm::new_from_constants(partial_constants),
213 _phantom: PhantomData,
214 }
215 }
216
217 /// Create a new Poseidon1 with random round constants and a given MDS permutation.
218 ///
219 /// Builds the dense MDS matrix by applying the permutation to unit vectors,
220 /// generates random round constants, and computes the sparse matrix decomposition.
221 ///
222 /// Primarily useful for testing.
223 pub fn new_from_rng(
224 half_num_full_rounds: usize,
225 num_partial_rounds: usize,
226 mds: &impl Permutation<[F; WIDTH]>,
227 rng: &mut impl Rng,
228 ) -> Self
229 where
230 StandardUniform: Distribution<F>,
231 {
232 let rounds_f = 2 * half_num_full_rounds;
233 let num_rounds = rounds_f + num_partial_rounds;
234
235 // Generate random round constants.
236 let round_constants: Vec<[F; WIDTH]> = (0..num_rounds)
237 .map(|_| core::array::from_fn(|_| rng.sample(StandardUniform)))
238 .collect();
239
240 // Build dense MDS by applying the permutation to unit vectors.
241 let columns: [[F; WIDTH]; WIDTH] = core::array::from_fn(|j| {
242 let mut e = [F::ZERO; WIDTH];
243 e[j] = F::ONE;
244 mds.permute(e)
245 });
246 // Transpose to row-major format.
247 let dense_mds: [[F; WIDTH]; WIDTH] =
248 core::array::from_fn(|i| core::array::from_fn(|j| columns[j][i]));
249
250 // Split round constants into three sections.
251 let half_f = half_num_full_rounds;
252 let initial_rc = round_constants[..half_f].to_vec();
253 let partial_rc = round_constants[half_f..half_f + num_partial_rounds].to_vec();
254 let terminal_rc = round_constants[half_f + num_partial_rounds..].to_vec();
255
256 // Compute optimized sparse constants.
257 let (first_round_constants, opt_partial_rc, m_i, sparse_v, sparse_first_row) =
258 utils::compute_optimized_constants::<F, WIDTH>(
259 &dense_mds,
260 num_partial_rounds,
261 &partial_rc,
262 );
263
264 // Compute textbook path constants (forward constant substitution).
265 let (textbook_scalar_constants, textbook_residual) =
266 utils::forward_constant_substitution::<F, WIDTH>(&dense_mds, &partial_rc);
267
268 let full_constants = FullRoundConstants {
269 initial: initial_rc,
270 terminal: terminal_rc,
271 dense_mds,
272 };
273
274 let partial_constants = PartialRoundConstants {
275 first_round_constants,
276 m_i,
277 sparse_first_row,
278 v: sparse_v,
279 round_constants: opt_partial_rc,
280 textbook_scalar_constants,
281 textbook_residual,
282 };
283
284 Self::new_from_precomputed(full_constants, partial_constants)
285 }
286}
287
288impl<F, A, FullRoundPerm, PartialRoundPerm, const WIDTH: usize, const D: u64>
289 Permutation<[A; WIDTH]> for Poseidon1<F, FullRoundPerm, PartialRoundPerm, WIDTH, D>
290where
291 F: PrimeField + InjectiveMonomial<D>,
292 A: Algebra<F> + Sync + InjectiveMonomial<D>,
293 FullRoundPerm: FullRoundLayer<A, WIDTH, D>,
294 PartialRoundPerm: PartialRoundLayer<A, WIDTH, D>,
295{
296 fn permute_mut(&self, state: &mut [A; WIDTH]) {
297 // RF/2 full rounds (S-box on all elements + dense MDS).
298 self.full_round_layer.permute_state_initial(state);
299 // RP partial rounds (S-box on state[0] only + sparse matrix).
300 self.partial_round_layer.permute_state(state);
301 // RF/2 full rounds (S-box on all elements + dense MDS).
302 self.full_round_layer.permute_state_terminal(state);
303 }
304}
305
306impl<F, A, FullRoundPerm, PartialRoundPerm, const WIDTH: usize, const D: u64>
307 CryptographicPermutation<[A; WIDTH]> for Poseidon1<F, FullRoundPerm, PartialRoundPerm, WIDTH, D>
308where
309 F: PrimeField + InjectiveMonomial<D>,
310 A: Algebra<F> + Sync + InjectiveMonomial<D>,
311 FullRoundPerm: FullRoundLayer<A, WIDTH, D>,
312 PartialRoundPerm: PartialRoundLayer<A, WIDTH, D>,
313{
314}