Reorg Attacks I

Core Objective

Core Purpose: The goal of the attack (by Byzantine validators) is not to break the system (such as double-spending), but rather to manipulate block publication and voting so that their “privately held” block (b₁) defeats an honest block (b₂), thereby becoming the main chain.

Ultimate Gain: By making the honest b₂ block become “orphaned,” Byzantine validators can “steal” the block rewards that should have belonged to the b₂ proposer, thus obtaining “higher rewards.” ...

2025-10-23 · Sidereus Hu

Research on VK Uniqueness and Salt in Plonk Setup Phase

Plonk’s Setup Phase

In Plonk’s Setup Phase (SRS Generation Phase), we first obtain a Structured Reference String (SRS). The SRS contains powers of a secret exponent $\tau$ (used for polynomial commitments):

$$SRS=\{g^{\tau^0},g^{\tau^1},g^{\tau^2},\ldots,g^{\tau^n}\}$$

This step is one-time and global (universal SRS). Then, for a specific circuit $C$, we derive the Proving Key (PK) and Verifying Key (VK):

$$(PK,~VK)\leftarrow \mathrm{Plonk.Setup}(C, SRS)$$

The PK tuple contains polynomials for each gate, permutation, and constraint in the circuit (commitments encoded with $\tau$); the VK tuple contains the public polynomial commitments together with selector domain information and constant verification structures. ...

2025-10-11 · Sidereus Hu

Poseidon Hash Algebraic Attacks (Calculation Tools)

In recent years, “ZK-friendly” hash functions designed for zero-knowledge proof (ZK) scenarios have received widespread attention. They are typically based on carefully constructed algebraic structures to achieve lower constraint counts in arithmetic circuits, thereby enabling higher efficiency in proof systems. However, it is precisely this algebraic friendliness that exposes potential attack surfaces under certain analysis models. In particular, algebraic analysis methods—such as Gröbner basis attacks and polynomial degree reduction techniques using subspace trails—have gained significant research interest in the cryptanalysis field and have gradually become one of the core tools for evaluating the security of such hash functions. ...

2025-09-29 · Sidereus Hu

Consensus Layer Signature Scheme Considerations: Evolution from BLS to the Post-Quantum Era

With the rapid development of quantum computing technology, blockchain systems face unprecedented security challenges. Particularly for the consensus layers of mainstream blockchains like Ethereum, the BLS signature schemes they rely on will become vulnerable in the face of quantum computers. This article delves into the considerations for choosing consensus layer signature schemes, focusing on analyzing the trade-offs between hash-based XMSS schemes and lattice-based Falcon schemes in different scenarios, and exploring new signature paradigms for ZK-native chains. ...

2025-09-16 · Sidereus Hu

Overview and Evaluation of Round-by-Round Modeling Analysis for Poseidon Hash

Poseidon is a ZK-friendly hash function, and its security evaluation largely relies on theoretical modeling of the complexity of Gröbner basis (GB) attacks. Early security analyses (such as [GKR+19], [GLR+20]) primarily employed input–output modeling (directly converting the input-output relationship of the entire function into a polynomial equation system) and calculated the so-called degree of regularity on this model to estimate the complexity of GB attacks. In [GLR+20], another approach was mentioned—round-level modeling: introducing new variables for each S-Box in each round, thereby decomposing the entire function into equation systems for multiple rounds. ...

2025-09-02 · Sidereus Hu

Poseidon Hash Algebraic Attack Analysis (Designer's Perspective)

In recent years, “ZK-friendly” hash functions designed for zero-knowledge proof (ZK) scenarios have gained widespread attention. They are typically based on carefully constructed algebraic structures to exhibit lower constraint counts in arithmetic circuits, thereby achieving higher efficiency in proof systems. However, it is precisely this algebraic friendliness that exposes them to potential attack surfaces under certain analytical models. In particular, algebraic analysis methods—such as Gröbner basis attacks and polynomial degree reduction techniques utilizing subspace trajectories—have seen significant research interest in the cryptanalysis field and have gradually become one of the core tools for evaluating the security of such hash functions. ...

2025-08-26 · Sidereus Hu

Poseidon Hash Algebraic Attack Analysis (Analyst's Perspective)

In recent years, “ZK-friendly” hash functions designed for zero-knowledge proof (ZK) scenarios have gained widespread attention. They are typically based on carefully constructed algebraic structures to exhibit lower constraint counts in arithmetic circuits, thereby achieving higher efficiency in proof systems. However, it is precisely this algebraic friendliness that exposes them to potential attack surfaces under certain analytical models. In particular, algebraic analysis methods—such as Gröbner basis attacks and polynomial degree reduction techniques utilizing subspace trajectories—have seen significant research interest in the cryptanalysis field and have gradually become one of the core tools for evaluating the security of such hash functions. ...

2025-08-18 · Sidereus Hu

Poseidon2 Hash Security Analysis: Gröbner Basis Attack Evaluation

Work | Key Idea | Effectiveness on Poseidon
[FP20] | Closed-form degree expression | Useful for modeling GB attacks
[BBLP22] | Skipping (multiple) full rounds | Reduces effective non-linear depth
[ABM24] | Round-level GB modeling | Shows underestimated vulnerability at κ = 1024
[BBL+24] | FreeLunch GB attacks | Not effective due to low S-box degree
[KLR24] | “Six Worlds” framework | Not yet applied; potential for future work
[GKR25] | Forward GB attack exploiting subspace trails | Original analysis under- or overestimates the number of rounds needed for security
[BBB+25] | Iterated resultants | Reduces to simple univariate case

Key Points

Evolution of Attack Methods: Beyond traditional analytical approaches such as statistical analysis, algebraic attacks (particularly Gröbner basis attacks) have been recognized by the academic community as significantly more effective and have become the primary research focus in recent years.

Parameter Customization Challenges: Poseidon hash offers an extensive customizable parameter space, which leads to issues of conservative security assumptions and potential overestimation.

Current Research Status: The results provided by [ABM24] are excellent, but their acceptance in the community remains limited at present.

In [GKR25], the authors present a comprehensive analysis of Gröbner basis attacks against Poseidon2 in Sponge mode through Table 5. This analysis is based on a two-step approach: the GB step (Macaulay bound) and the FGLM step (conjectured dI). Subsequently, the authors derive the minimum partial round values $r_P$ that can be configured, as shown in Table 3. ...

2025-08-09 · Sidereus Hu

Practical Recommendations (for Poseidon2 + BLS12-381 + Compress Mode)

Suggested Parameters:

Parameter | Suggested (Width 2) | Suggested (Width 3) | Notes
Prime Field | BLS12-381 | BLS12-381 | Newly supported field in Gnark
Width t | 2 | 3 | Width 3 is preferred if Gnark supports it
S-box | $x^5$ | $x^5$ | Common and secure choice over prime fields
Full Rounds | 8 | 8 | Avoid using fewer than 8 rounds
Partial Rounds | 22 | 14–17 | Based on updated recommendations
Mode | Compress Mode | Compress Mode | Used for input compression in UTXO models
Security Level | ≥128 bits | ≥128 bits | Default setting meets the requirement

Additional Notes

Security Analysis: Considers recent advances in algebraic attacks such as Gröbner basis methods, [KR21], [BCD+20], [ABM23], and [GKR25]. ...

2025-08-03 · Sidereus Hu

Cryptographic Sponge Functions: The Foundation of ZK-Friendly Hash Constructions

In modern cryptography, particularly in zero-knowledge proofs and high-performance hash designs (such as Poseidon, Rescue, and Griffin), one fundamental building block appears repeatedly: the cryptographic sponge function. It not only offers an elegant absorb-and-squeeze paradigm but also strikes a principled balance between security and efficiency.

I. What is a Sponge Function?

A sponge is a flexible cryptographic structure used to absorb an input of arbitrary length and squeeze out a fixed or extensible output. Its power lies in its simplicity, relying only on a single state and a permutation function. ...

2025-07-26 · Sidereus Hu