
"Traditional" hash functions such as SHA2/SHA3 are not considered ZK-friendly because their translation into the native prime fields of the ZK-proof system leads to a large number of multiplications, resulting in highly inefficient prover performance.

To address this concern, arithmetization-oriented hash functions have been developed (e.g. Poseidon, Anemoi, ...). However, before their introduction, polynomial hash functions over prime order fields (e.g. Poly1305) had already attracted a lot of attention and are actually deployed in practice (but not in ZK-proof systems, to the best of my knowledge).

Is it correct to say that polynomial hash functions over prime order fields (e.g. Poly1305) are arithmetization-oriented? If so, what makes such functions not adequate for ZK-proof systems?

Raoul722

1 Answer


If so, what makes such functions not adequate for ZK-proof systems?

In a zero-knowledge proof, one fundamental thing that we want is for the prover to be able to show that 'I know a hash preimage of this value'.

Now, Poly1305 isn't a conventional hash function - it takes a secret key. Here's the issue: with knowledge of the secret key, it is easy to generate preimages for any possible output. Hence:

  • If the prover has knowledge of the secret key, then the above proof doesn't actually prove anything (because it doesn't say anything that we didn't already know).

  • If the prover doesn't have knowledge of the secret key, he wouldn't be able to compute Poly1305 'hashes' in the first place.

poncho
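An added worked example to go with the answer above (it is not part of the question or of poncho's answer): a from-scratch Poly1305 over GF(2^130 - 5) written to RFC 8439 (the 32-byte one-time key is passed in directly; no ChaCha20 key derivation), together with a routine that, given that key, solves the polynomial for a final block so that the tag equals any value you choose. `forge_preimage`, `coeff_to_block` and the other names are this example's own, not a library API. The only thing the forger has to handle is that the solved coefficient must decode to a legal block (a 1..16-byte chunk followed by the 0x01 pad byte), which a random filler block and the four possible 128-bit wrap-arounds take care of in a handful of tries.

```python
"""Poly1305 as a polynomial over GF(2^130 - 5), and why a known key makes preimages trivial."""
import os

P = (1 << 130) - 5   # Poly1305 evaluates its polynomial in GF(2^130 - 5)
TWO128 = 1 << 128    # the tag is the result reduced to 128 bits after adding s


def clamp(r: int) -> int:
    """RFC 8439 clamping of r (clears 22 bits so implementations can multiply cheaply)."""
    return r & 0x0ffffffc0ffffffc0ffffffc0fffffff


def split_key(key: bytes) -> tuple:
    """32-byte one-time key -> (r, s), both read little-endian."""
    if len(key) != 32:
        raise ValueError("Poly1305 one-time key must be 32 bytes")
    return clamp(int.from_bytes(key[:16], "little")), int.from_bytes(key[16:], "little")


def block_coeffs(msg: bytes):
    """Field elements c_i: each 16-byte chunk (the last may be shorter) with a 0x01 byte appended."""
    for i in range(0, len(msg), 16):
        yield int.from_bytes(msg[i:i + 16] + b"\x01", "little")


def poly_eval(r: int, coeffs, acc: int = 0) -> int:
    """Horner evaluation: acc = (acc + c_i) * r mod P for each coefficient."""
    for c in coeffs:
        acc = (acc + c) * r % P
    return acc


def poly1305(key: bytes, msg: bytes) -> bytes:
    """RFC 8439 Poly1305 tag for msg under the one-time key (r, s)."""
    r, s = split_key(key)
    return ((poly_eval(r, block_coeffs(msg)) + s) % TWO128).to_bytes(16, "little")


def coeff_to_block(c: int):
    """Inverse of block_coeffs for a single block, or None if c is not m || 0x01 for a 1..16-byte m."""
    top = c.bit_length() - 1        # bit position of the 0x01 pad byte
    if top < 8 or top > 128 or top % 8:
        return None
    return (c - (1 << top)).to_bytes(top // 8, "little")


def forge_preimage(key: bytes, target_tag: bytes, prefix: bytes = b"") -> bytes:
    """Knowing the key, build prefix || filler || last whose Poly1305 tag is target_tag.

    prefix must be whole 16-byte blocks (it is hashed unchanged). A random filler block
    gives fresh candidates until the solved last coefficient decodes to a legal block;
    on average only a few candidates are needed (about 1 in 4 of them decode).
    """
    if len(prefix) % 16:
        raise ValueError("prefix must consist of full 16-byte blocks")
    if len(target_tag) != 16:
        raise ValueError("tag must be 16 bytes")
    r, s = split_key(key)
    if r == 0:
        raise ValueError("clamped r is zero: the polynomial is constant and cannot be steered")
    r_inv = pow(r, -1, P)
    t = int.from_bytes(target_tag, "little")
    base = (t - s) % TWO128          # the field value h must satisfy (h + s) mod 2^128 == t
    acc_prefix = poly_eval(r, block_coeffs(prefix))
    while True:
        filler = os.urandom(16)      # constructed filler block; any 16 bytes would do
        acc = poly_eval(r, block_coeffs(filler), acc_prefix)
        for k in range(4):           # h may be base + k*2^128 as long as it stays below P
            h = base + k * TWO128
            if h >= P:
                break
            # we need h == (acc + c) * r  (mod P), so c == h * r^-1 - acc  (mod P)
            c = (h * r_inv - acc) % P
            last = coeff_to_block(c)
            if last is not None:
                msg = prefix + filler + last
                assert poly1305(key, msg) == target_tag   # sanity check of the algebra
                return msg


def forge_collision(key: bytes, msg: bytes) -> bytes:
    """A second message with the same tag as msg; a collision costs one call to forge_preimage."""
    tag = poly1305(key, msg)
    while True:
        other = forge_preimage(key, tag)
        if other != msg:
            return other
```

The `r == 0` guard matters only in theory (a clamped r is zero with probability about 2^-106), but without it `pow(r, -1, P)` raises and the "constant polynomial" case is the one input the solver genuinely cannot steer. Run under a known key, `forge_preimage` turns "I know a preimage of this tag" into a statement anyone holding the key can make in microseconds, which is poncho's first bullet; without the key `poly1305` cannot even be evaluated, which is the second.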