Poseidon is a ZK-friendly hash function, and its security evaluation largely relies on theoretical modeling of the complexity of Gröbner basis (GB) attacks. Early security analyses (such as [GKR+19], [GLR+20]) primarily employed input–output modeling (directly converting the input-output relationship of the entire function into a polynomial equation system) and calculated the so-called degree of regularity on this model to estimate the complexity of GB attacks. In [GLR+20], another approach was mentioned—round-level modeling: introducing new variables for each S-Box in each round, thereby decomposing the entire function into equation systems for multiple rounds. ...
Poseidon Hash Algebraic Attack Analysis (Designer's Perspective)
In recent years, “ZK-friendly” hash functions designed for zero-knowledge proof (ZK) scenarios have gained widespread attention. They are typically based on carefully constructed algebraic structures to exhibit lower constraint counts in arithmetic circuits, thereby achieving higher efficiency in proof systems. However, it is precisely this algebraic friendliness that exposes them to potential attack surfaces under certain analytical models. Particularly in recent years, algebraic analysis methods—such as Gröbner basis attacks and polynomial degree reduction techniques utilizing subspace trajectories—have seen significant research interest in the cryptanalysis field and have gradually become one of the core tools for evaluating the security of such hash functions. ...
Poseidon Hash Algebraic Attack Analysis (Analyst's Perspective)
In recent years, “ZK-friendly” hash functions designed for zero-knowledge proof (ZK) scenarios have gained widespread attention. They are typically based on carefully constructed algebraic structures to exhibit lower constraint counts in arithmetic circuits, thereby achieving higher efficiency in proof systems. However, it is precisely this algebraic friendliness that exposes them to potential attack surfaces under certain analytical models. Particularly in recent years, algebraic analysis methods—such as Gröbner basis attacks and polynomial degree reduction techniques utilizing subspace trajectories—have seen significant research interest in the cryptanalysis field and have gradually become one of the core tools for evaluating the security of such hash functions. ...
Poseidon2 Hash Security Analysis: Gröbner Basis Attack Evaluation
| Work | Key Idea | Effectiveness on Poseidon |
| --- | --- | --- |
| [FP20] | Closed-form degree expression | Useful for modeling GB attacks |
| [BBLP22] | Skipping (multiple) full rounds | Reduces effective non-linear depth |
| [ABM24] | Round-level GB modeling | Shows underestimated vulnerability at κ = 1024 |
| [BBL+24] | FreeLunch GB attacks | Not effective due to low S-box degree |
| [KLR24] | “Six Worlds” framework | Not yet applied; potential for future work |
| [GKR25] | Forward GB attack exploiting subspace trails | Original analysis under- or overestimates the number of rounds needed for security |
| [BBB+25] | Iterated resultants | Reduces to simple univariate case |
Key Points
Evolution of Attack Methods: Beyond traditional analytical approaches such as statistical analysis, algebraic attacks (particularly Gröbner basis attacks) have been recognized by the academic community as significantly more effective and have become the primary research focus in recent years.
Parameter Customization Challenges: Poseidon hash offers an extensive customizable parameter space, which leads to issues of conservative security assumptions and potential overestimation.
Current Research Status: The results provided by [ABM24] are excellent, but their acceptance in the community remains limited at present.
In [GKR25], the authors present a comprehensive analysis of Gröbner basis attacks against Poseidon2 in Sponge mode through Table 5. This analysis is based on a two-step approach: the GB step (Macaulay bound) and the FGLM step (conjectured dI). Subsequently, the authors derive the minimum partial rounds values $r_P$ that can be configured, as shown in Table 3. ...
Practical Recommendations (for Poseidon2 + BLS12-381 + Compress Mode)
Suggested Parameters:
| Parameter | Suggested (Width 2) | Suggested (Width 3) | Notes |
| --- | --- | --- | --- |
| Prime Field | BLS12-381 | BLS12-381 | Newly supported field in Gnark |
| Width t | 2 | 3 | Width 3 is preferred if Gnark supports it |
| S-box | $x^5$ | $x^5$ | Common and secure choice over prime fields |
| Full Rounds | 8 | 8 | Avoid using fewer than 8 rounds |
| Partial Rounds | 22 | 14–17 | Based on updated recommendations |
| Mode | Compress Mode | Compress Mode | Used for input compression in UTXO models |
| Security Level | ≥128 bits | ≥128 bits | Default setting meets the requirement |
Additional Notes
Security Analysis: Considers recent advances in algebraic attacks such as Gröbner basis methods, [KR21], [BCD+20], [ABM23], and [GKR25]. ...
Cryptographic Sponge Functions: The Foundation of ZK-Friendly Hash Constructions
In modern cryptography, particularly in zero-knowledge proofs and high-performance hash designs (such as Poseidon, Rescue, and Griffin), one fundamental building block appears repeatedly: the cryptographic sponge function. It not only offers an elegant absorb-and-squeeze paradigm but also strikes a principled balance between security and efficiency.
I. What is a Sponge Function?
A sponge is a flexible cryptographic structure used to absorb an input of arbitrary length and squeeze out a fixed or extensible output. Its power lies in its simplicity, relying only on a single state and a permutation function. ...
ZK Proofs Are Not the Essence of Layer 0, Trust Abstraction Is
In the competition of Web3 infrastructure, an increasing number of projects claim to be building “the TCP/IP of Web3.” Among these, Zero-Knowledge (ZK) proof technology has gained significant attention due to its powerful verification capabilities, with many Layer 0 projects positioning ZK proofs as their core competitive advantage. However, we need to think deeply: Are ZK proofs truly the essence of Layer 0? Let us approach this question from a more fundamental perspective. ...
Web3’s Missing Foundation - Why It Needs a New TCP/IP
“The internet was designed to be open, but the platforms built on top of it are not.” - Chris Dixon, Rebooting the Internet
0. From Open Web1 to Centralized Web2: The Legacy of Missing Trust
The Web1 era began with openness. Born out of academic and military collaboration, the TCP/IP protocol stack laid the foundation for global connectivity. TCP/IP was — and remains — an open and permissionless stack: any device following the protocol can join the network. This property of permissionless connectivity created the early decentralized flavor of the Internet. ...
Post-Quantum Readiness in Blockchain: Threats, Roadmaps, and Migration Strategy III
Timeline for Post-Quantum Migration
According to analysis by Chaincode Labs, Bitcoin’s transition to post-quantum cryptography (PQC) can follow two main strategies: a short-term contingency plan (cf. Figure 1) and a long-term comprehensive path (cf. Figure 2). The short-term strategy focuses on deploying a basic quantum-resistant option within 1 to 2 years, offering a fallback mechanism in case cryptographically relevant quantum computers (CRQCs) emerge sooner than expected. This involves proposing a minimal PQC signature scheme through a BIP, implementing it in Bitcoin Core, and enabling voluntary migration of vulnerable UTXOs. While not optimized for all use cases, it provides immediate protection for at-risk users and critical institutions. Success depends on close coordination across the technical community and early involvement from major Bitcoin holders. ...
Post-Quantum Readiness in Blockchain: Threats, Roadmaps, and Migration Strategy II
Post-Quantum Cryptography (PQC)
Post-Quantum Cryptography has become a critical solution to counter the threat posed by scalable, controllable quantum computers to current cryptographic systems.
Urgency of PQC: Originates from Peter Shor’s 1995 algorithm, which can factor integers and compute discrete logarithms in polynomial time, effectively breaking mainstream schemes like RSA, DH, and ECC.
PQC is not a single algorithm, but a set of parallel technical approaches, including:
Lattice-based cryptography: The most promising category with well-established theoretical foundations; ...