• Top
  • Documentation
  • Books
  • Boolean-reasoning
  • Projects
    • Apt
    • Zfc
    • Acre
    • Milawa
    • Smtlink
    • Abnf
    • Vwsim
    • Isar
    • Wp-gen
    • Dimacs-reader
    • Pfcs
    • Legacy-defrstobj
    • Proof-checker-array
    • Soft
    • C
    • Farray
    • Rp-rewriter
    • Instant-runoff-voting
    • Imp-language
    • Sidekick
    • Leftist-trees
    • Java
    • Taspi
    • Bitcoin
    • Riscv
    • Des
    • Ethereum
    • X86isa
    • Sha-2
    • Yul
    • Zcash
    • Proof-checker-itp13
    • Regex
    • ACL2-programming-language
    • Json
    • Jfkr
    • Equational
    • Cryptography
    • Poseidon
      • Poseidon-main-definition
        • Param
        • Hashp
        • Absorb1
        • Sponge
        • Hash
        • All-rounds
        • Sponge-validp
        • Squeeze1
        • Sub-words-partial
        • Squeeze
        • Round
        • Partial-rounds
        • Mode
        • Full-rounds
        • Permute
        • Sub-words
        • Add-round-constants
        • Mix-layer
        • Dot-product
        • Absorb
        • Pow-by-alpha
        • Param->size
        • Sub-words-full
        • Param->capacity-then-rate-p
        • Param->partial-last-p
        • Param-additional-theorems
        • Param->rounds
        • Param->descending-p
        • Init-sponge
      • Poseidon-instantiations
    • Where-do-i-place-my-book
    • Axe
    • Bigmems
    • Builtins
    • Execloader
    • Aleo
    • Solidity
    • Paco
    • Concurrent-programs
    • Bls12-377-curves
  • Debugging
  • Std
  • Proof-automation
  • Macro-libraries
  • ACL2
  • Interfacing-tools
  • Hardware-verification
  • Software-verification
  • Math
  • Testing-utilities

• Poseidon-main-definition

Hash

Hash any number of inputs to any number of outputs.

Signature

(hash inputs param count) → outputs

Arguments

inputs — Guard (fe-listp inputs (param->prime param)).

param — Guard (paramp param).

count — Guard (natp count).

Returns

outputs — Type (fe-listp outputs (param->prime param)).

We initialize the sponge, we absorb all the inputs, and we squeeze all the outputs.

Note that inputs that only differ in one input having more trailing zeros than the other and not exceeeding a multiple of the rate length result in the same outputs. For instance, if r is 10, the inputs (17), @'(17 0)'), (17 0 0), etc. (up to (17 0 0 0 0 0 0 0 0 0) yield the same output, because the initial state vector consists of all zeros, and absorbing a 0 does not change the corresponding element. Therefore, the ACL2 function defined here should not be normally used as a collision-resistant hash; instead, a caller of this function should use padding, or other techniques like domain separation, to supply input strings that do not lead to the aforementioned collisions. The exact nature of these techniques is application-dependent; Poseidon itself does not appear to prescribe particular techniques.

Definitions and Theorems

Function: hash

(defun hash (inputs param count)
  (declare
       (xargs :guard (and (paramp param)
                          (natp count)
                          (fe-listp inputs (param->prime param)))))
  (let ((__function__ 'hash))
    (declare (ignorable __function__))
    (b* ((sponge (init-sponge (param->size param)))
         (sponge (absorb inputs sponge param))
         ((mv outputs &)
          (squeeze count sponge param)))
      outputs)))

Theorem: fe-listp-of-hash

(defthm fe-listp-of-hash
  (b* ((outputs (hash inputs param count)))
    (fe-listp outputs (param->prime param)))
  :rule-classes :rewrite)

Theorem: true-listp-of-hash

(defthm true-listp-of-hash
  (b* ((outputs (hash inputs param count)))
    (true-listp outputs))
  :rule-classes :type-prescription)

Theorem: len-of-hash

(defthm len-of-hash
  (b* ((?outputs (hash inputs param count)))
    (equal (len outputs) (nfix count))))

Theorem: consp-of-hash

(defthm consp-of-hash
  (b* ((?outputs (hash inputs param count)))
    (equal (consp outputs)
           (< 0 (nfix count)))))