Binary Poseidon (2025/1893) | Cryptography Academy

Abstract

We present \text{Poseidon}_B and \text{Poseidon2}_B, natural variants of Poseidon and Poseidon2, respectively, defined over binary extension fields with a target security level of 128 bits. They are specifically designed to inherit many of the circuit-friendly properties of their prime field version, and to be used together with binary extension field proving systems such as Binius. Benchmarking demonstrates merits in proof size, proving time, and especially verification time, in comparison to traditional hash functions and other binary circuit-friendly hash functions such as Vision-32b and Anemoi.

Due to the close similarity to their prime field counterparts, many existing cryptanalytic results directly carry over to \text{Poseidon}_B and \text{Poseidon2}_B. Nevertheless, we revisit the security analysis to incorporate recent advances in cryptanalysis and to account for attack vectors that do not arise in the prime field setting. In particular, we focus on algebraic cryptanalysis and subspace trails, techniques that resulted in attacks on initial versions of Poseidon defined over binary extension fields. Our complexity estimates are based on the ideal degree, now increasingly adopted as a standard measure in algebraic cryptanalysis.

Keywords: Poseidon, Poseidon2, ZK, Binary Extension Fields, Binius.

1. Introduction

The Poseidon hash function, introduced in 2019, has gained widespread adoption in verifiable computation protocols, where one party asserts the correctness of a computation using a compact proof. Using only basic algebraic operations over a prime field, Poseidon is one of the fastest-to-prove hash functions, and is at the same time among the fastest ones to compute natively. Its recently updated version Poseidon2 is tailored towards smaller prime fields, which are gaining in popularity for proving large computation blocks such as Ethereum blockchain transitions, commonly known as zero-knowledge virtual machines (zkVMs).

Despite its security margin not being overly large, the full and practically used versions of Poseidon have withstood many different cryptanalytic attacks, and indeed, while being one of the earliest circuit-friendly hash functions, it is simultaneously one of the few unbroken ones. For this reason, it is among the most trusted hash functions in the community, and at the time of writing, it is also a prime candidate for adoption in Ethereum as its ZK-friendly hash function.

While smaller prime fields are convenient and allow for arguably fast implementations, they require conversion from standard machine words, which comes at the cost of some storage waste. Moreover, prime field proof systems inherently struggle with bit operations, as a prime field does not provide native tools to tackle separate bits.

All of this has led to various research results on binary proof systems, initially univariate ones exploiting properties of small elliptic curves to achieve efficient NTTs outside of two-adic structures, and most recently multivariate ones such as Binius, introducing new techniques that separate the committing field size from the constraint field size and thus make it possible to mix binary fields with specific properties.

1.1 Our Contributions

We formally introduce \text{Poseidon}_B and \text{Poseidon2}_B, natural variants of Poseidon and Poseidon2, respectively, over a binary extension field. The designs aim to:

Achieve high performance on a commodity CPU by using sparse constants and low-degree power maps.
Be efficient in binary proof systems by minimizing the number of algebraic constraints.

The binary variants \text{Poseidon(2)}_B^\pi are obtained by redefining the operations of Poseidon(2) over binary extension fields, with the goal of inheriting the cryptanalysis record of the original designs. Our contributions are summarized as follows:

We formally revise security properties beyond the classical collision and preimage resistance in order to accommodate the scenarios arising in the use of a hash function in various protocols, such as the Fiat–Shamir conversion.
We revisit the security analysis of Poseidon(2){}_{\text{B}} from scratch. In particular, we confirm the density estimates of the polynomial representation, which help establish lower bounds on the complexity of the interpolation attack and reanalyze the security against algebraic attacks. We base the attack complexity on the ideal degree bound.
We have conducted benchmarks both in native and circuit variants. In particular, we provide a proof implementation of the \text{Poseidon(2)}_B^\pi permutations in the Binius framework, showing its efficiency and applicability within binary proof systems.

1.2 Related Works

A binary version of Poseidon was first introduced in the original Poseidon paper under the name Starkad. It lies between the original Poseidon and the constructions presented in this paper. In particular, it uses a binary field and the same partial Substitution-Permutation-Network (SPN) scheme, but different linear layers. Soon after the publication of Starkad, its designers decided to withdraw it due to two main reasons:

The incapacity of providing a good estimation of the growth of the degree, a problem later solved in [Cid+22].
The vulnerability of some Starkad instances, resulting from the specific choices of linear layers [KR21; Bey+20], a problem later solved in [GRS21].

Another scheme based on binary extension fields is Vision Mark-32. It follows the Vision/Rescue design strategy, involving a high-degree power map. Whilst being one of the few circuit-friendly hash functions defined over binary extension fields, Vision Mark-32 is expected to be slow natively and may suffer from the FreeLunch attack similarly to its prime field counterpart. Further, a variant of Anemoi is defined over binary extension fields with odd extension degree.

2. Preliminaries

This section collects the notations and security definitions used throughout the remainder of the paper, which provide the common framework for the design and security analysis.

2.1 Notation

We denote the binary extension field of size 2^n by \mathbb{F}_{2^n}, with n being the extension degree. We consider transformations on states of finite-field elements (x_0, \ldots, x_{t-1}) \in \mathbb{F}^t, where t denotes the state size. The function \mathcal{H}: \mathbb{F}^* \to \mathbb{F}^\chi denotes a hash function that maps strings of finite field elements to fixed-length outputs of length \chi \in \mathbb{N}_+. Finally, \mathcal{P}: \mathbb{F}^t \to \mathbb{F}^t denotes a bijective function.

We write x \| y for concatenation. For 0 \le i < j \le k, let x[i:j] denote the subtuple of x from index i (inclusive) to j (exclusive). We define \textsf{left}_\ell(x) := x[0:\ell] and \textsf{right}_\ell(x) := x[k-\ell:k] as the first and last \ell elements of x, respectively.

2.2 Security Definitions

Definition 1 (Unit of Time)

We define the "unit of time" as the number of bit operations needed to compute \mathcal{H}(0), where 0 \in \mathbb{F} is a single field element.

Definition 2 (Preimage Resistance)

\mathcal{H} is preimage resistant with \lambda bits of security if, for any adversary that gets random h \in \mathbb{F}^\chi as input and runs in time \tau, the probability to output x such that \mathcal{H}(x) = h is at most \frac{\tau}{2^\lambda}.

Definition 3 (Second Preimage Resistance)

\mathcal{H} is second-preimage resistant with \lambda bits of security if, for any adversary that gets random h \in \mathbb{F}^t as input and runs in time \tau, given y such that \mathcal{H}(y) = h, the probability to output x \neq y such that \mathcal{H}(x) = h is at most \frac{\tau}{2^\lambda}.

Definition 4 (Collision Resistance)

\mathcal{H} is collision resistant with \lambda bits of security if, for any adversary that gets random K \in \mathbb{F}^\chi as input and runs in time \tau, the probability to output two inputs x, y such that \mathcal{H}(K \| x) = \mathcal{H}(K \| y) is at most \frac{\tau^2}{2^\lambda}.

Definition 5 (Target-Collision Resistance)

Consider the following game: (1) The challenger selects a secret key K \in \mathbb{F}^\chi. (2) The adversary submits a message M and receives \mathcal{H}(K, M). (3) The challenger reveals K. (4) The adversary submits a new message M^*. They win if \mathcal{H}(K, M) = \mathcal{H}(K, M^*). \mathcal{H} is target-collision resistant with \lambda bits of security if, for any adversary that runs in q < 2^\lambda time units, the probability of winning the game is at most \frac{q}{|\mathbb{F}|^\lambda} .

Definition 6 (Multi-Target-Collision Resistance)

Let n be an integer. Consider the following game: (1) The challenger selects a secret key K \in \mathbb{F}^\chi. (2) The adversary submits n distinct messages M_i and distinct nonces \eta_i, and receives the corresponding hashes \mathcal{H}(K, \eta_i, M_i). (3) The challenger reveals K. (4) The adversary submits one of the earlier indices i and a new message M^*. They win if \mathcal{H}(K, \eta_i, M_i) = \mathcal{H}(K, \eta_i, M^*).

Definition 7 (k-Zero-Test Resistance)

Let Q be a set of polynomial mappings of degree d that map \mathbb{F}^\chi to \mathbb{F}^k for some k \in \mathbb{N}_+. Then \mathcal{H} is called k-zero-test resistant if, for any adversary that gets random K \in \mathbb{F}^\chi as input and runs in \tau time units, the probability to output G \in Q such that \mathcal{H}(K, \widehat{G}) is a root of G is at most \frac{\tau \cdot d}{|\mathbb{F}|^k} .

Definition 8 (CICO-k Security)

\mathcal{P} is CICO-k secure if, for any adversary that gets random K \in \mathbb{F}^k as input and runs in \tau time units, the probability to output x, y \in \mathbb{F}^{t-k} such that \mathcal{P}(x \| K) = y \| K is at most \frac{\tau}{|\mathbb{F}|^k}.

3. Specification

Poseidon(2){}_{\text{B}} is a family of hash functions defined as a mode of operation over the permutation \text{Poseidon(2)}_B^\pi with a target security level of 128 bits. For the permutation, we essentially follow the design direction of \text{Poseidon(2)}^\pi, but operate over the binary extension field \mathbb{F}_{2^n}.

3.1 Modes of Operation

Let \chi denote the digest length and t the state size, measured in finite field elements.

3.1.1 Sponge Mode

The sponge construction is one of the most widely used constructions for setting up a hash function. Let \mathcal{P} be a permutation over \mathbb{F}^t, and let t = r + c, where c denotes the capacity and r the rate. Given a padded message M \in \mathbb{F}^*, it is first split into \mathbb{F}^r-blocks M_0, M_1, \ldots, M_{\ell-1}. Then, the message blocks are compressed one-by-one into a \mathbb{F}^t-state:

S \leftarrow \mathcal{P}\left(S + (M_i \| 0^c)\right)

for i = 0, 1, \ldots, \ell - 1, where S is initialized with 0^{c-1} \| \chi. After the absorption of the last message block, the hash output is formed by squeezing: repeatedly applying \mathcal{P} and extracting the rate portion until \chi elements are produced.

Security Requirements. Let \mathbb{F} = \mathbb{F}_{2^n}. In order to achieve a security level of \kappa bits (pre-quantum), the capacity c and digest \chi must satisfy c = \lceil \frac{2\kappa}{n} \rceil and \chi \ge \lceil \frac{2\kappa}{n} \rceil.

The authors recommend using the sponge-pi construction recently proposed by Lefevre et al. [LBM25] at ToSC'25 for variable-input hashing with output length \chi.

3.1.2 Compression Mode

The t-to-\chi compression function is defined as a combination of the feed-forward operation and a truncation:

\text{Compress}_{t,\chi}: \mathbb{F}^t \to \mathbb{F}^\chi, \quad x \mapsto \textsf{left}_\chi(\mathcal{P}(x) + x)

It can be used to hash t input elements and generate t/2 output elements via, e.g., a Tree-Hash. The suggested 2-to-1 compression function is:

\mathcal{H}_{2 \to 1}: \mathbb{F}^{t/2} \times \mathbb{F}^{t/2} \to \mathbb{F}^{t/2}, \quad (x, y) \mapsto \text{Compress}_{t, t/2}(x \| y)

3.2 The Poseidon(2){}_{\text{B}} Permutation

\text{Poseidon}_B^\pi and \text{Poseidon2}_B^\pi are families of permutations over \mathbb{F}_{2^n}^t for n \in \{32, 64, 128\}, where the state size t \in \{4, 6, 8, 12, 16, 24\} depends on n. A \text{Poseidon(2)}_B^\pi instance \mathcal{P}: \mathbb{F}_{2^n}^t \to \mathbb{F}_{2^n}^t is defined by:

\mathcal{P}(x) = \mathcal{E}_{R_F-1} \circ \cdots \circ \mathcal{E}_{R_F/2} \circ \mathcal{I}_{R_P-1} \circ \cdots \circ \mathcal{I}_0 \circ \mathcal{E}_{R_F/2-1} \circ \cdots \circ \mathcal{E}_0(M_\mathcal{E} \cdot x)

where \mathcal{E}_i and \mathcal{I}_i denote the i-th full (external) and partial (internal) round functions, respectively, and M_\mathcal{E} is the invertible t \times t matrix used in the external rounds. The value R_F = 2R_f denotes the number of external rounds, and R_P denotes the number of internal rounds.

Table 1. Instantiations of the Poseidon(2){}_{\text{B}} permutations over \mathbb{F}_{2^n} for 128-bit security with state size t, power-map exponent d, R_F full rounds and R_P partial rounds.

(a) \text{Poseidon}_B^\pi				(b) \text{Poseidon2}_B^\pi
n	t	d	(R_F, R_P)	n	t	d	(R_F, R_P)
32	16	7	(8, 15)	32	16	7	(10, 15)
32	24	7	(8, 15)	32	24	7	(10, 15)
64	8	7	(8, 29)	64	8	7	(10, 29)
64	12	7	(8, 29)	64	12	7	(10, 29)
128	4	7	(8, 58)	128	4	7	(8, 58)
128	6	7	(8, 58)	128	6	7	(8, 58)

3.2.1 Invertible Power Maps over \mathbb{F}_{2^n}

We recall that x \mapsto x^d is invertible over \mathbb{F}_{2^n} if and only if \gcd(2^n - 1, d) = 1. The invertible S-box of \text{Poseidon(2)}_B^\pi is instantiated with x \mapsto x^7.

Lemma 1

For each m \ge 2, 2^{2^m} - 1 is divisible by 3 and by 5. Moreover, 2^{2^m} - 1 is never divisible by 7.

Proof. By rewriting 2^{2^m} - 1, one can easily see that it is divisible by 3 and by 5:

2^{2^m} - 1 = (2^{2^{m-1}} - 1) \cdot (2^{2^{m-1}} + 1) = \ldots = (2^{2^1} - 1) \cdot \prod_{i=1}^{m-1}(2^{2^i} + 1)

Now assume that 7 divides 2^{2^m} - 1, i.e. 2^{2^m} \equiv 1 \bmod 7. As 2^3 \equiv 1 \bmod 7, it follows that 2^m \equiv 0 \bmod 3, which never happens and thus leads to a contradiction.

More generally, no exponent with Hamming weight 2 is coprime to 2^{2^m} - 1, i.e., no S-box of the form x \mapsto x^{2^i + 2^j} is invertible over \mathbb{F}_{2^n}.

Lemma 2

For each m \ge 2 and 0 < d < 2^m holds \gcd(2^{2^m} - 1, 2^d + 1) \neq 1.

3.2.2 The Full (External) Round \mathcal{E}

The external round \mathcal{E}_i: \mathbb{F}_{2^n}^t \to \mathbb{F}_{2^n}^t is given by:

\mathcal{E}_i(x_0, \ldots, x_{t-1}) = M_\mathcal{E} \cdot \left((x_0 \oplus c_0^{(i)})^7, (x_1 \oplus c_1^{(i)})^7, \ldots, (x_{t-1} \oplus c_{t-1}^{(i)})^7\right)

for 0 \le i \le R_F - 1, where c_j^{(i)} is the j-th round constant in the i-th external round, and M_\mathcal{E} is an invertible t \times t matrix. The choice of M_\mathcal{E} depends on n: for n = 128, it is an MDS matrix; for n \in \{32, 64\}, \text{Poseidon}_B^\pi uses MDS Cauchy matrices while \text{Poseidon2}_B^\pi uses a tensor product structure \text{circ}(X, 1, \ldots, 1) \otimes M_4.

3.2.3 The Partial (Internal) Round \mathcal{I}

The internal round \mathcal{I}_i: \mathbb{F}_{2^n}^t \to \mathbb{F}_{2^n}^t is given by:

\mathcal{I}_i(x_0, \ldots, x_{t-1}) = M_\mathcal{I} \cdot \left((x_0 \oplus \hat{c}_0^{(i)})^7, x_1, \ldots, x_{t-1}\right)

where \hat{c}_0^{(i)} is the round constant in the i-th internal round, and M_\mathcal{I} is an invertible t \times t matrix of the form \text{diag}(\mu_0, \ldots, \mu_{t-1}) + \mathbf{1}, chosen such that M_\mathcal{I} is invertible and admits no arbitrarily long subspace trails.

3.2.4 Round Constants

The round constants are generated using Turbo-SHAKE-256 to break up the symmetry in the design.

3.3 Comparison of Poseidon(2) and Poseidon(2){}_{\text{B}}

The original \text{Poseidon}^\pi permutation was introduced for prime fields of roughly 256 bits and employed a single fixed Cauchy MDS matrix as its linear layer, without an initial linear layer. Subsequent work identified weaknesses arising from this design choice, which led to the nowadays practically used variant of Poseidon that includes an initial linear layer.

\text{Poseidon2}^\pi generalizes the original design and was introduced to also support prime fields of smaller sizes, starting at approximately 32 bits, while allowing for a much broader range of parameters.

Both \text{Poseidon}_B and \text{Poseidon2}_B are defined in sponge and 2-to-1 compression mode. For the internal rounds, both variants follow the Poseidon2 design approach. Consequently, \text{Poseidon}_B and \text{Poseidon2}_B differ only in their choice of external linear layers M_\mathcal{E} for extension degrees n \in \{32, 64\}. While \text{Poseidon}_B adopts conservative MDS matrices, \text{Poseidon2}_B employs more aggressive non-MDS matrices to improve efficiency.

4. Security Claims

4.1 Collision Resistance

Claim (Collision Resistance)

All Poseidon(2){}_{\text{B}} instances over \mathbb{F}_{2^n} that output \chi field elements are collision-resistant with \min\{128, \chi \cdot n / 2\} bits of security.

4.2 (Second-)Preimage Resistance

Claim ((Second-)Preimage Resistance)

All Poseidon(2){}_{\text{B}} instances over \mathbb{F}_{2^n} that output \chi field elements are (second-)preimage resistant with \min\{128, \chi \cdot n\} bits of security.

4.3 CICO Problem

Claim (CICO Security)

All Poseidon(2){}_{\text{B}} instances over \mathbb{F}_{2^n} are CICO-k secure for k \le 128/n.

4.4 Multi-Target Collision Resistance

Claim (Multi-Target Collision Resistance)

All Poseidon(2){}_{\text{B}} instances over \mathbb{F}_{2^n} are multi-target-collision resistant with 128 bits of security.

4.5 Fiat–Shamir Security

Claim (Fiat–Shamir / Zero-Test Resistance)

All Poseidon(2){}_{\text{B}} instances over \mathbb{F}_{2^n} are k-zero-test resistant for k \le 128/n.

5. Security Analysis

Attacks against Poseidon(2){}_{\text{B}} behave in a similar way to the attacks against Poseidon(2). As in the case of Poseidon(2), the authors do not explicitly address weak distinguishers such as zero-sum distinguishers/partitions, as they have little to no relevance to practical attacks on hash functions.

5.1 Statistical Attacks

Similar to the case of Poseidon(2), the statistical attacks are prevented by the external full rounds.

5.1.1 Differential Attacks

The maximum differential probability of x \mapsto x^7 is given by:

DP_{\max}(x \mapsto x^7) = \frac{6}{2^n} = 3 \cdot 2^{-n+1}

The matrix M_\mathcal{E} has branch number at least equal to t/4 + 4. Considering 2 consecutive two-round segments (for a total of four external rounds), one obtains:

(3 \cdot 2^{-n+1})^{2 \cdot (t/4+4)} \le (3 \cdot 2^{-31})^{12} \approx 2^{-353}

for n \ge 32 and t \ge 8, which is much smaller than the security level of 128 bits. As a consequence, 4 external rounds are sufficient to provide security against differential attacks, with 2 more rounds as a security margin.

5.1.2 Truncated Differentials

Truncated differential cryptanalysis generalizes differential cryptanalysis in the sense that only a part of the difference can be predicted. For the full rounds, no truncated differential over r-round Poseidon(2){}_{\text{B}} for r \ge 2 holds with probability substantially smaller than the security level.

For the partial rounds, since the nonlinear layer uses only one nonlinear S-box, there exists an invariant subspace. The matrices M_\mathcal{I} are chosen such that no arbitrarily long subspace trail with active/inactive \mathbb{F}_{2^n}-word exists for Poseidon(2){}_{\text{B}}.

5.1.3 Other Statistical Attacks

Poseidon(2){}_{\text{B}} is claimed secure against other statistical attacks, such as linear cryptanalysis, impossible differential attacks, integral attacks, rotational cryptanalysis, slide attacks, multiple-of-8, and mixture differential cryptanalysis.

5.1.4 Summary

As all statistical properties have negligibly low probability to hold, the statistical attacks fail for:

R_F \ge 4

5.2 Degree and Density of the Interpolation Polynomial

5.2.1 Growth of the Degree — Forward Direction

The degree of x \mapsto x^7 is 7 over \mathbb{F}_{2^n} and \text{hw}(7) = 3 over \mathbb{F}_2, implying that to reach maximum degree the total round number R must satisfy:

7^R > t \cdot (2^n - 1) \quad \text{and} \quad 3^R > n \cdot t

The growth of the degree \delta(R) over \mathbb{F}_2 is given by:

\delta(R) \le \begin{cases} 3^R & \text{if } R \le 1 + \lfloor \log_3(t) \rfloor \\ t \cdot \log_2\left( \frac{7^R}{t} + 1\right) & \text{otherwise} \end{cases}

5.2.2 Growth of the Degree — Backward Direction

Focusing on the backward direction:

x^{1/7} = \begin{cases} x^{(2^{33}-1)/7} \approx x^{2^{30.19}} & \text{if } n = 32 \\ x^{(6(2^{64}-1)+1)/7} \approx x^{2^{63.78}} & \text{if } n = 64 \\ x^{(2(2^{128}-1)+1)/7} \approx x^{2^{126.19}} & \text{if } n = 128 \end{cases}

This implies that a very high degree is achieved in just a few rounds.

5.2.3 Density

Definition 9 (Dense Polynomial)

A polynomial over \mathbb{F}_{2^n}^t is called dense if it contains \Omega(2^{nt}) monomials.

Around \log_7(t) + n \cdot \log_7(2) rounds are needed to satisfy the density condition.

5.2.4 Practical Results

Practical tests were conducted for the degree growth and density of polynomials with t = 4 and d = 3 over \mathbb{F}_{2^n} for n \in \{7, 15\}. Full rounds contribute better to density than partial rounds; however, the difference between them is not asymptotically significant. Mixing the rounds in Poseidon(2){}_{\text{B}} leads to better behavior than only using a P-SPN. [Figure 3 in the original paper shows the number of monomials reached in SPN, P-SPN, and Poseidon(2){}_{\text{B}}.]

5.2.5 Interpolation Attack

The interpolation attack aims to reconstruct the polynomial that defines the attacked scheme. Security requires:

R_F + R_P \ge \lceil \log_7(t) \rceil + \left\lceil \frac{\min\{n, 128\}}{\log_2(7)} \right\rceil

5.2.6 Higher-Order Differential Attacks

Given a function \mathcal{F} over \mathbb{F}_2^n of degree \delta, then:

\bigoplus_{x \in \mathfrak{V}} \mathcal{F}(x) = 0

for any affine subspace \mathfrak{V} \subseteq \mathbb{F}_2^n of dimension at least \delta + 1. The number of rounds that ensure security against interpolation attacks also guarantees security against higher-order differential attacks.

5.3 Algebraic Attacks

Algebraic attacks describe a cryptographic primitive under a specific attack scenario as a system of polynomial equations over a finite field and apply system-solving techniques. The analysis estimates the attack complexity via the cost of retrieving a univariate polynomial in the ideal, taking into account the latest cryptanalysis results.

5.3.1 Algebraic System Solving

Univariate Solving. To find solutions to a single univariate polynomial equation of degree \delta over \mathbb{F}_q, one can apply factorization algorithms with complexity:

C_{\text{uni}}(\delta) \in \mathcal{O}\left(\delta \cdot \log(\delta) \cdot (\log(\delta) + \log(q)) \cdot \log\log(\delta)\right) \ge \delta

Gröbner Bases. A Gröbner basis attack consists of three steps: (1) compute a Gröbner basis in degrevlex order; (2) convert to lexicographic order with cost estimated as m \cdot d_I^\omega operations; (3) solve the resulting univariate polynomial. The complexity is estimated by step (2):

C_{\text{gb2}}(d_I) \in \mathcal{O}(m \cdot d_I^\omega) \ge d_I^2

Bivariate Resultants. Given a bivariate equation system, the resultant attack computes \text{Res}_{x_2}(p_1, p_2) with complexity at least \delta^2.

5.3.2 Application to Poseidon(2){}_{\text{B}}

Poseidon(2){}_{\text{B}} can be modeled over \mathbb{F}_{2^n} in several ways. Three main approaches exploit degrees of freedom:

Random guessing of input variables.
Skipping the first external full round.
Skipping several internal partial rounds.

CICO-k Problem. Algebraic attacks do not apply to the CICO-k problem whenever:

2^{\min\{k \cdot n, 128\}} \le \begin{cases} 7^{(R_F-1)+R_P} & \text{if } k = 1 \\ (7^{(R_F-1)+R_P})^2 & \text{if } k = 2 \\ (7^{k(R_F-1)+R_P})^2 & \text{if } k \ge 2 \end{cases}

Preimage, Collision, and Zero-Test Attacks. All valid preimage attacks that work independently of the preimage value are valid CICO attacks. Collision attacks are even more expensive due to twice the number of variables. Zero-test attacks reduce to CICO-k.

5.4 Rebound Attacks

Rebound attacks are divided into an inbound phase and an outbound phase. The inbound phase requires solving a CICO problem, and the outbound phase is limited by the strong statistical properties of the full external rounds. The maximum number of rounds covered by a rebound attack is given by the maximum number of rounds that can be broken via a Gröbner basis attack (assuming \le 4 external full rounds), plus 2 external full rounds, for a total of maximum 6 external rounds.

5.5 Round Numbers

5.5.1 Number of Full Rounds

The analysis of statistical attacks, including rebound attacks, implies that R_F = 6 is sufficient.

5.5.2 Number of Partial Rounds

The partial rounds prevent algebraic attacks on the CICO-k problem. The formula is:

R_P \ge \max\left\{ \lceil \log_7(t) \rceil + \left\lceil \frac{\min\{n, 128\}}{\log_2(7)} \right\rceil - 3, \; \max_{3 \le k \le 128/n} \left\{ \left\lceil \frac{\min\{kn, 128\}}{2\log_2(7)} \right\rceil - 3k \right\} \right\}

5.5.3 Security Margin

The number of full rounds is increased from 6 to 8, in general, and another 2 full rounds are added for \text{Poseidon2}_B with n \in \{32, 64\} due to improved full-round skipping techniques in the non-MDS case. The number of partial rounds is increased by 30%.

5.6 Comparison to Poseidon(2)

Number of Partial Rounds. For Poseidon, the analysis was based on the complexity of computing a Gröbner basis in degrevlex order. For Poseidon(2){}_{\text{B}}, the analysis is based on the complexity of retrieving or solving a univariate polynomial in the ideal. This accounts for: (i) cases where the first step of a Gröbner basis attack can be skipped; (ii) the observation that the degree of regularity is often overestimated by the Macaulay bound; (iii) the latest cryptanalysis results including resultant-based approaches.

Security Margin. The security margin for Poseidon(2) is 7.5% more partial rounds, while for Poseidon(2){}_{\text{B}} it is 30%, to remain comfortably secure since binary variants are still less explored.

Table 3. Partial round number derivation (without security margin) for different instantiations.

n	t	d	\chi	[Gra+19b], Eq. (12)	This work, Eq. (11)
31	—	—	—	max{11,8,13,...} = 13 / 20	max{13,12,15} = 15
64	—	7	—	max{20,17,...} = 20	max{22} = 22
256	2–3	—	1	max{52,50,...} = 52	max{54} = 54

6. Proof Implementation

To show a practical use case, the authors focus on the setting of a recursive verifier, i.e., a prover that attests the validity of a previous proof. A recursive verifier for Binius needs to replicate many of the prover's verification steps in a corresponding verification circuit. Some of these steps require hash function calls, for example, to validate commitments.

6.1 Overview of Binius

The Binius and FRI-Binius framework introduces a novel and efficient way to extend the Plonkish family of constraint systems to operate natively over binary extension fields. Binius employs binary extension fields \mathbb{F}_{2^k}, enabling each field element to map directly to a k-bit word in memory. This eliminates the need for expensive modular reductions and allows all arithmetic operations to be implemented as native instructions on CPUs.

Tower Fields in Binius. Binius uses the Wiedemann tower, where \mathbb{T}_0 := \mathbb{F}_2 and \mathbb{T}_m is defined recursively via quadratic extensions. The advantage is that the recursive structure carries over to arithmetic operations, improving efficiency of multiplication and inversion.

Virtual Polynomials. In addition to committed polynomials, Binius enables the usage of virtual polynomials that are algebraically linked to committed polynomials but do not require commitment. The evaluation is done locally by the verifier using virtual evaluation protocols.

6.2 Poseidon(2){}_{\text{B}} for Binius

6.2.1 Overview of the Arithmetization Costs

Non-Linear Components. For full rounds, t S-box computations are committed. For partial rounds, only one S-box is computed, resulting in one committed column per round.

Linear Components. For full rounds, the linear operations can be captured in t virtual columns each. For partial rounds, the cost for virtual evaluation of the matrix multiplication on the verifier side is reduced to t constant multiplications and t additions.

Total:

t \cdot (R_F + 1) + R_P committed columns, including t for the input state.
2t \cdot R_F + (t+2) \cdot R_P + t virtual columns.

6.2.2 Proof Implementation and Benchmarks

A proof implementation is provided for each parameter set using the Binius Rust framework. The implementation demonstrates the costs of proving the calculation of a Poseidon(2){}_{\text{B}} hash of a message of approximately 1 MB (via 2^{14} permutation calls). All performances were benchmarked on an AMD Ryzen 9 7900x with 12 cores.

Table 4. Benchmark results for the proof implementations in Binius when hashing ~1 MB of data.

Permutation	n	t	Proof (KiB)	Prove (s, multi)	Verify (ms, single)
Keccak-f	64	24	438	0.425	45.70
SHA-256	32	16	701	1.383	233.55
Grøstl-P	8	64	416	0.170	114.97
Vision-32b	32	24	560	0.605	10.12
\text{Poseidon}_B^\pi	32	16	402	0.129	4.66
\text{Poseidon}_B^\pi	64	8	366	0.143	3.61
\text{Poseidon}_B^\pi	128	4	386	0.304	3.54
\text{Poseidon2}_B^\pi	32	16	411	0.150	4.53
\text{Poseidon2}_B^\pi	64	8	370	0.162	3.68
\text{Poseidon2}_B^\pi	128	4	386	0.302	3.56

Key observations from the benchmarks:

All \text{Poseidon(2)}_B^\pi variants outperform Keccak-f in single-threaded runtime and verification time.
SHA-256 shows the slowest performance overall; \text{Poseidon(2)}_B^\pi outperforms it in all metrics.
\text{Poseidon(2)}_B^\pi approximately halves the verification time of Vision-32b.
Anemoi shows significantly slower proving and verification times compared to \text{Poseidon(2)}_B^\pi.

6.3 Plain Implementation

Plain implementations are provided for each parameter set in Rust. A binary variant of Anemoi is also implemented for comparison.

Table 5. Performance comparison of plain implementations (throughput in 10^4 perms/s, latency in μs/perm).

Permutation	t=4	t=6	t=8	t=12	t=16	t=24
10^4 Perms/s
Anemoi	1.2	0.9	1.7	1.2	3.6	2.2
\text{Poseidon}_B^\pi	5.5	3.4	8.8	4.9	7.9	4.0
\text{Poseidon2}_B^\pi	5.6	3.4	10.1	7.0	13.2	8.9
μs/Perm
Anemoi	8.3	11.7	6.0	8.4	2.8	4.5
\text{Poseidon}_B^\pi	1.8	3.0	1.1	2.0	1.3	2.5
\text{Poseidon2}_B^\pi	1.8	3.0	1.0	1.4	0.8	1.1

Across all binary-field instantiations, \text{Poseidon2}_B^\pi consistently delivers the highest throughput. Compared to \text{Poseidon}_B, it yields higher efficiency when t \ge 8, as its linear layer amortizes better as the state grows. Anemoi exhibits notably lower throughput and higher latency across all tested state widths.

6.4 Open Problems

Given the importance of efficient zero-knowledge proofs, native implementations of \text{Poseidon2}_B tailored towards different use cases (such as small versus large binary fields), hardware realizations, and adaptations to other proof systems or arithmetization techniques remain attractive targets for future work.

7. Acknowledgment

Authors thank the CiC anonymous Reviewers for pointing out a mistake in the analysis of the truncated differentials. Lorenzo Grassi was supported by the European Research Council (ERC), grant number 101160608 "SYMPZON".

Appendix A. Algebraic Attacks

A.1 Round-skipping Tricks Revisited

A.1.1 Skipping the first full (external) round

The goal is to find a k-dimensional affine subspace of \mathbb{F}_q^t after the first linear layer such that the input constraints are fulfilled when going in the backwards direction. Setting individual summands to zero yields linear equation systems \mathsf{L}_\ell. A non-zero solution can only be found if k \le \lfloor (t - 2k) / k \rfloor. The approach is applicable to CICO-k settings whenever k \le t/2 and the above condition is fulfilled, but is not applicable in compression mode.

A.1.2 Skipping several partial (internal) rounds

The goal is to find a finite-dimensional affine subspace \mathcal{S}^{(\ell)} + \gamma which allows to linearize \ell \ge 0 partial rounds. The matrix M_\mathcal{I} is carefully selected such that the dimension strictly decreases as \ell increases. Thus, at most t - 1 partial rounds can be linearized via a non-trivial subspace.

A.2 Algebraic Models over \mathbb{F}_{2^n}

Two primary modeling approaches exist: (1) Direct Forward Equations, deriving equations for several rounds in the forward direction; (2) Working at Round Level, introducing one variable for each S-box input and relating inputs and outputs via a single equation. Different strategies (a, b, c) can be used to consume available degrees of freedom and reduce the solving complexity. When applying a consistent approach, the resulting systems exhibit the same ideal degree.

A.3 Practical Results

All practical experiments were conducted on a machine with an Intel Xeon E5-2630 v3 @ 2.40 GHz (8 cores) and 378 GB RAM under Debian 11 using Magma V2.26-2. Results confirm that the ideal degree remains identical whether the system is modeled via direct forward equations or at round level; the difference arises solely from how the degrees of freedom are consumed. The Bézout bound often significantly overestimates the ideal degree, which aligns well with the conjectured values. [Tables 8–10 in the original paper provide extensive Bézout bound and ideal degree data for different algebraic models.]

Appendix B. Matrices Details

B.1 Initialization Vectors for Cauchy Matrices

For \text{Poseidon}_B^\pi with n \in \{32, 64\}, the external linear layer uses MDS Cauchy matrices. The initialization vectors are specified in the official repository.

B.2 Diagonal Entries of M_\mathcal{I}

The diagonal entries \mu_0, \mu_1, \ldots, \mu_{t-1} of the internal matrix M_\mathcal{I} are chosen such that M_\mathcal{I} is invertible and admits no arbitrarily long subspace trails. The concrete values are provided in the official Poseidon(2){}_{\text{B}} GitHub repository.

References

[ABM24] Ashur, Buschman, Mahzoun. Algebraic Cryptanalysis of the HADES Design Strategy: Application to Poseidon and Poseidon2. ACISP 2024.
[Aly+20] Aly, Ashur, Ben-Sasson, Dhooghe, Szepieniec. Design of Symmetric-Key Primitives for Advanced Cryptographic Protocols. ToSC 2020.3.
[Ash+24] Ashur, Mahzoun, Posen, Sijacic. Vision Mark-32: ZK-Friendly Hash Function Over Binary Tower Fields. ePrint 2024/633.
[Aum+23] Aumasson, Khovratovich, Mennink, Quine. SAFE: Sponge API for Field Elements. ePrint 2023/522.
[Bak+25a] Bak, Bariant, Boeuf, Briaud, Øygarden, Phanse. The Algebraic CheapLunch. ePrint 2025/2040.
[Bak+25b] Bak, Bariant, Boeuf, Hostettler, Jazeron. Solving CICO-2 bounty instances of Poseidon. EUROCRYPT 2025.
[Bar+22] Bariant, Bouvier, Leurent, Perrin. Algebraic Attacks against Some Arithmetization-Oriented Primitives. ToSC 2022.3.
[Bar+24] Bariant, Boeuf, Lemoine et al. The Algebraic FreeLunch. CRYPTO 2024.
[Bar+25] Bariant, Boeuf, Briaud, Hostettler, Øygarden, Raddum. Improved Resultant Attack Against Arithmetization-Oriented Primitives. CRYPTO 2025.
[BBS99] Biham, Biryukov, Shamir. Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. EUROCRYPT 1999.
[Ben+18] Ben-Sasson, Bentov, Horesh, Riabzev. Fast Reed-Solomon Interactive Oracle Proofs of Proximity. ICALP 2018.
[Ber+08] Bertoni, Daemen, Peeters, Van Assche. On the Indifferentiability of the Sponge Construction. EUROCRYPT 2008.
[Bey+20] Beyne, Canteaut, Dinur et al. Out of Oddity: New Cryptanalytic Techniques Against Symmetric Primitives Optimized for Integrity Proof Systems. CRYPTO 2020.
[BGL20] Ben-Sasson, Goldberg, Levit. STARK Friendly Hash – Survey and Recommendation. ePrint 2020/948.
[Bou+23] Bouvier, Briaud, Chaidos, Perrin, Salen, Velichkov, Willems. Anemoi Permutations and Jive Compression Mode. CRYPTO 2023.
[BR97] Bellare, Rogaway. Collision-Resistant Hashing: Towards Making UOWHFs Practical. CRYPTO 1997.
[BS90] Biham, Shamir. Differential Cryptanalysis of DES-like Cryptosystems. CRYPTO 1990.
[Cid+22] Cid, Grassi, Gunsing et al. Influence of the Linear Layer on the Algebraic Degree in SP-Networks. ToSC 2022.1.
[CR25] Campa, Roy. Gröbner Basis Cryptanalysis of Anemoi. EUROCRYPT 2025.
[DL18] Duval, Leurent. MDS Matrices with Lightweight Circuits. ToSC 2018.2.
[DP24] Diamond, Posen. Polylogarithmic Proofs for Multilinears over Binary Towers. ePrint 2024/504.
[DP25] Diamond, Posen. Succinct Arguments over Towers of Binary Fields. EUROCRYPT 2025.
[Eth24] Ethereum Foundation. Poseidon Cryptanalysis Initiative 2024–2026.
[GKR25] Grassi, Koschatko, Rechberger. Poseidon and Neptune: Gröbner Basis Cryptanalysis Exploiting Subspace Trails. ToSC 2025.2.
[GKS23b] Grassi, Khovratovich, Schofnegger. Poseidon2: A Faster Version of the Poseidon Hash Function. AFRICACRYPT 2023.
[Gra+19a] Grassi, Kales, Khovratovich et al. Starkad and Poseidon: New Hash Functions for Zero Knowledge Proof Systems. ePrint 2019/458.
[Gra+19b] Grassi, Khovratovich, Rechberger, Roy, Schofnegger. Poseidon: A New Hash Function for Zero-Knowledge Proof Systems (Updated Version). ePrint 2019/458.
[Gra+21] Grassi, Khovratovich, Rechberger, Roy, Schofnegger. Poseidon: A New Hash Function for Zero-Knowledge Proof Systems. USENIX Security 2021.
[GRS21] Grassi, Rechberger, Schofnegger. Proving Resistance Against Infinitely Long Subspace Trails. ToSC 2021.2.
[JK97] Jakobsen, Knudsen. The Interpolation Attack on Block Ciphers. FSE 1997.
[KR21] Keller, Rosemarin. Mind the Middle Layer: The HADES Design Strategy Revisited. EUROCRYPT 2021.
[LBM25] Lefevre, Beltrán, Mennink. To Pad or Not to Pad? Padding-Free Arithmetization-Oriented Sponges. ToSC 2025.1.
[Mer79] Merkle. Secrecy, authentication and public key systems. PhD thesis, 1979.
[Per24] Perrin. Security Analysis of XHASH8/12. ePrint 2024/605.
[Pos25] Poseidon2b. Poseidon2b. GitHub repository, 2025.
[SV25] Sanso, Vitto. Attacking Poseidon via Graeffe-Based Root-Finding over NTT-Friendly Fields. ePrint 2025/937.
[Yan+24] Yang, Zheng, Yang, Liu, Tang. A New Security Evaluation Method Based on Resultant for Arithmetic-Oriented Algorithms. ASIACRYPT 2024.
[ZD25] Zhao, Ding. Breaking Poseidon Challenges with Graeffe Transforms and Complexity Analysis by FFT Lower Bounds. ePrint 2025/950.