Poseidon Hash Overview

Now that we understood the architecture of a sponge-based hash function, we are now ready to go to the details of $\mathsf{Poseidon}$. $\mathsf{Poseidon}$ is the proposed hash function in the paper, which maps strings over $\mathbb{F}_p$ (for a prime $p \approx 2^n > 2^{31}$) to fixed length strings over $\mathbb{F}_p$. Specifically, they define: $$\mathsf{Poseidon}: \mathbb{F}_p^* \longrightarrow \mathbb{F}_p^o,$$ where $o$ is the output length ($\mathbb{F}_p$ elements), usually $o = 1$.

The overall structure of $\mathsf{Poseidon}$ hash is described in the figure below.

The hash function is constructed by instantiating a sponge function with the compression function $f$ being the permutation $\mathsf{Poseidon}^\pi$ (denoted by the block labeled $\mathsf{P}$ in the figure). The hashing design strategy is based on $\mathsf{Hades}$ [GLRRS20], which employes different round functions throughout the permutation to destroy all of its possible symmetries and structural properties.

The workflow of $\mathsf{Poseidon}$ hash is described below, which is used the same in different use cases:

Determine the capacity value $c$ and the input padding $pad$ depending on each use cases.
Split the obtained input $m$ in to chunks of size $r$.
Apply the $\mathsf{Poseidon}^\pi$ permutation to the capacity element and the first chunk: $I_c \oplus m_1$.
Add the result to the state and apply the permutation again until no more chunks are left.
Output $o$ output elements from the bitrate part of the state. If needed, iterate the permutation one more time.

Given that the overall structure of $\mathsf{Poseidon}$ is determined by the instatiation of $\mathsf{Poseidon}^\pi$, in the next Sections, we would go to the details of each $\mathsf{Poseidon}^\pi$ block (or equavilently, the block labeled $\mathsf{P}$ in the figure).

Orochi Network's Cookbook

Poseidon Hash Overview