security properties
the security of zheng reduces to a single assumption: the collision resistance of hemera. every proof, every verification, every recursive composition — all of it rests on the hardness of finding two distinct inputs that produce the same hemera digest. if hemera is secure, zheng is secure. the analysis begins and ends there.
one assumption
hemera is Poseidon2 instantiated over the Goldilocks field. its internal state is 512 bits (eight field elements). its capacity is 256 bits (four field elements). the collision resistance of a sponge construction with c bits of capacity is bounded by 2^(c/2), giving hemera a classical security level of 128 bits.
zheng uses hemera for three purposes: Merkle tree construction in WHIR, Fiat-Shamir challenge derivation in the sumcheck protocol, and witness commitment. in every case, the security argument reduces to the same property: an adversary cannot find hemera collisions.
there are no elliptic curves. no discrete logarithm assumptions. no bilinear pairings. no structured reference strings generated by ceremonies. no toxic waste that must be destroyed. the cryptographic surface is one hash function over one field.
post-quantum security
pairing-based proof systems (Groth16, PLONK) rely on the hardness of discrete logarithms in elliptic curve groups. Shor's algorithm solves discrete logarithms in polynomial time on a quantum computer. when sufficiently large quantum computers exist, every pairing-based proof system will break.
zheng faces a different quantum threat: Grover's algorithm, which provides a quadratic speedup for brute-force search. Grover reduces the cost of finding a hemera collision from 2^128 classical hash evaluations to approximately 2^64 quantum operations — but this applies to preimage search. for collision finding, the quantum advantage is smaller: the birthday bound drops from 2^128 to roughly 2^85 using quantum collision algorithms. hemera's 256-bit capacity provides 128-bit security classically, which translates to at least 85-bit security against known quantum collision algorithms. the full 512-bit state provides additional margin.
at 128-bit classical security, an adversary performing 10^18 hash evaluations per second — a generous estimate for any foreseeable hardware — would need approximately 10^20 seconds to find a collision. that is roughly 3 × 10^12 years, about 200 times the current age of the universe.
Fiat-Shamir soundness
the sumcheck protocol is naturally interactive: the verifier sends random challenges after each round. zheng converts the protocol to non-interactive form using the Fiat-Shamir transform. the prover maintains a transcript — a running hemera hash of every message — and derives each challenge by hashing the transcript so far.
if the hash function behaves as a random oracle (its outputs are indistinguishable from uniformly random values), then the non-interactive proof is as sound as the interactive protocol. the soundness error per sumcheck round is at most d/p, where d is the polynomial degree and p = 2^64 - 2^32 + 1 is the field size. across k rounds, the total soundness error is at most kd/p — negligible for any practical parameters.
hemera serves as the random oracle. its algebraic structure over the Goldilocks field means the Fiat-Shamir challenges are native field elements, requiring no reduction or truncation. the prover and verifier compute identical transcripts using identical hash calls.
soundness guarantee
the probability that a false proof passes verification is bounded by the security parameter. at 128-bit security, this probability is less than 2^{-128}. concretely: if every atom in the observable universe (~10^80) generated one false proof per nanosecond for the lifetime of the universe (~10^17 seconds), the expected number of successful forgeries would be approximately 10^80 × 10^26 / 2^128 ≈ 10^106 / 10^38 ≈ 10^68 / 10^38. even this absurd scenario produces a negligible probability of a single forgery.
the concentration of trust
the single-assumption design is simultaneously the greatest strength and the most concentrated risk. the strength: auditing zheng means auditing hemera. one hash function, one field, one security analysis. there are no hidden interactions between different cryptographic assumptions, no subtle ways that a weakness in one primitive could combine with a weakness in another.
the risk: if hemera breaks, everything breaks. a practical algebraic attack on Poseidon2 over Goldilocks — one that finds collisions faster than the birthday bound — would compromise WHIR commitments, Fiat-Shamir challenges, and witness hiding simultaneously. the proof system would lose soundness entirely.
this is why the security analysis of hemera matters more than anything else in the stack. the detailed algebraic analysis, Gröbner basis resistance estimates, and differential cryptanalysis bounds live in the hemera documentation. zheng inherits whatever security hemera provides — exactly that, and nothing less.