ecosystem context

Poseidon2 deployment landscape

System Field t R_F R_P Capacity Status
Plonky3 Goldilocks 12 8 22 4 (128-bit) Production
SP1 BabyBear 16 8 13 8 (124-bit) Production
RISC Zero BabyBear 16 8 13 8 (124-bit) Production
Stwo/Starknet M31 16 8 14 8 (124-bit) Production (mainnet)
Miden Goldilocks 12 8 22 4 (128-bit) Production
Aztec/Noir BN254 4 8 56 1 (127-bit) Production
Hemera Goldilocks 16 8 64 8 (256-bit) Genesis

what is novel, what is not

Not novel:

  • Poseidon2 with t=16. SP1, RISC Zero, and Stwo all deploy t=16.
  • Poseidon2 on Goldilocks. Plonky3 and Miden use Goldilocks with t=12.
  • The security proof methodology. Hemera follows the same wide trail and algebraic degree analysis as all Poseidon2 instantiations.
  • MDS construction. The matrix design follows known techniques for Poseidon2.

Novel:

  • Goldilocks + t=16 combination. No production system uses Goldilocks at width 16. Plonky3 and Miden use t=12. The systems that use t=16 (SP1, RISC Zero, Stwo) use 31-bit fields.
  • R_P=64. The highest partial round count in any deployed Poseidon2. The next highest is Aztec/Noir at R_P=56 (on BN254, a very different field). On small fields, the maximum deployed is R_P=22.

Actual risk: a subtle error in the specific M_E or M_I matrix constructed for Goldilocks at t=16. The permutation structure, S-box, and round counts are conservative. The MDS matrices are the only component that must be validated specifically for this field-width combination.

Homonyms

security
nox security security properties and formal guarantees of nox security bounds attack surface formal properties Turing completeness Theorem: nox is Turing-complete. Proof: Construct encoding of arbitrary Turing machine M via patterns 0-4, 9. ∎ confluence Theorem: nox is confluent. Proof: Orthogonal…
bostrom/security
cyber/security
cyb/wysm/SECURITY
Reporting a vulnerability If you identify a potential security vulnerability, we kindly request refraining from using the issue tracker or engaging in public discussions to mitigate the risk of exacerbating the situation. Such vulnerabilities should be promptly reported via email to:…
soft3/zheng/docs/explanation/security
security properties the security of zheng reduces to a single assumption: the collision resistance of hemera. every proof, every verification, every recursive composition — all of it rests on the hardness of finding two distinct inputs that produce the same hemera digest. if hemera is secure, zheng…

Graph