零知识证明友好的杂凑函数研究综述  

作　　者：林茜 李永强[1,2] 王明生 LIN Xi;LI Yong-Qiang;WANG Ming-Sheng(Key Laboratory of Cyberspace Security Defense,Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100080,China;School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China)

机构地区：[1]中国科学院信息工程研究所网络空间安全防御重点实验室,北京100080 [2]中国科学院大学网络空间安全学院,北京100049

出　　处：《密码学报(中英文)》2025年第1期19-38,共20页Journal of Cryptologic Research

基　　金：国家自然科学基金(12371525)。

摘　　要：零知识证明协议是隐私保护的一项重要工具.随着隐私保护技术的发展,出现了越来越多的零知识证明协议与杂凑函数结合的场景,例如零知识地证明杂凑函数被正确计算的.而传统的杂凑函数在该场景下并不高效,因此成为该类应用中的效率瓶颈.为了提高效率,构造高效的零知识证明友好的杂凑函数引起了工业界和学者的广泛关注.本文从零知识证明协议中常用的三种算术化方法的介绍开始,总结了零知识证明友好的杂凑函数的构造特点及其发展阶段.按照发展阶段,本文综述了目前的零知识证明友好的杂凑函数,包括MiMC、Poseidon、Rescue、Reinforced Concrete、Neptune、Anemoi及Griffin算法等,并给出以上算法的结构比较及算术化参数比较.最后给出了零知识证明友好的杂凑函数的挑战及潜在的研究方向.Zero-knowledge protocols are crucial tools for privacy protection.With the development of privacy protection techniques,more and more scenarios of combining zero-knowledge protocols with hash functions have emerged,such as proving that hash functions are evaluated correctly in a zeroknowledge manner.Yet,traditional hash functions are unsuitable for this scenario and significantly lower the overall efficiency.Therefore,designing zero-knowledge-friendly hash functions for higher overall efficiency has aroused extensive concern from both industry and academia.This study introduces three typical arithmetization methods used in the zero-knowledge protocols and summarizes the characteristics and development stages of ZK-friendly hash functions.Following the development stages,the current ZK-friendly hash functions are overviewed,including MiMC,Poseidon,Rescue,Reinforced Concrete,Neptune,Anemoi,and Griffin algorithms,and the structure and arithmetic parameters are compared.Finally,the challenges and potential research directions are provided for ZK-friendly hash functions.

关 键 词：零知识证明友好的杂凑函数 算术化 SNARK STARK 

分 类 号：TP309.7[自动化与计算机技术—计算机系统结构]