Poseidon Cryptanalysis Initiative 2024-2026
Ethereum Foundation
Scrutinizing Poseidon for Good
Poseidon and Poseidon2 are hash functions designed for use in verifiable computation protocols. They have been optimized for the smallest circuit size over prime fields.
Below we present the details of Phase 2 of the initiative, which shall conclude in December 2026. Phase 2 focuses on the original Poseidon hash function defined over the KoalaBear prime field.
The Poseidon hash function has been used in numerous Ethereum applications that deal with verifiable computation. It is among the top performers in recent STARK benchmarks by StarkNet, which makes it a promising candidate for use at Ethereum L1 for various protocols that employ ZK proofs.
This project aims to boost the security investigation of various Poseidon instances and eventually decide whether there is sufficient evidence that it is secure for high-value applications and foundations of Ethereum.
The project is run by the Ethereum Foundation Poseidon Group (EFPG: poseidon@ethereum.org):
George Kadianakis
Dmitry Khovratovich
Antonio Sanso
The Advisory Board oversees key decisions and announcements made by EFPG, with members serving in an unpaid capacity:
Jean-Philippe Aumasson (Taurus)
Eli Ben-Sasson (Starknet)
Daira-Emma Hopwood (ZCash)
Daniel Lubarov (PolygonZero)
Ron Rothblum (Succinct)
The prize program runs till January 1st, 2029.
Hash function instances in the program:
Poseidon-31 (the Poseidon1 paper, the finite field being the KoalaBear prime 2^{31}-2^{24}+1 = 2130706433). Degree `d` of power mapping is 3, the state size `t` is 16.
Solutions should be sent to the Ethereum Foundation Poseidon Group, poseidon@ethereum.org.
First come, first win. Solutions sent within a 1-day period after the first one will be considered.
Within 1 month after the submission the authors should provide a technical report with the attack description, which should be released to the public domain by January 1st 2027 at the latest. The code should also be made public before this date.
Total Bounty Budget -- $992 000.
The task is to find a partial collision, i.e. to find two 15-element inputs X,Y such that H(0xc09de4,X)=H(0xc09de4,Y) on the first q elements, where H is the full Poseidon1 hash in the compression mode.
Partial collision verifier is available at https://github.com/khovratovich/poseidon-tools
Awards:
q = 3: $32K
q = 4: $64K
q = 5: $128K
q = 6: $256K
q = 7: $512K
Bounty program runs till January 1st, 2027.
Hash function instances in the program:
Poseidon-31 (the Poseidon1 paper, the finite field being the KoalaBear prime 2^{31}-2^{24}+1 = 2130706433). Degree `d` of power mapping is 3, the state size `t` is 16.
Solutions should be sent to the Ethereum Foundation Poseidon Group, poseidon@ethereum.org.
First come, first win for the CICO problem; the best attack wins for the Density and Zero-test problems. Solutions sent within a 1-day period after the first one will be considered.
Within 1 month after the submission the authors should provide a technical report with the attack description, which should be released to the public domain by January 1st 2027 at the latest. The code should also be made public before this date.
Total Bounty Budget -- $150 000.
Verifiers and sample solvers are available at https://github.com/khovratovich/poseidon-tools
The task is to find a partial preimage of 0, or, more precisely:
For Poseidon-31 a 62-bit preimage: find X1,..., X14, Y1,... Y14 such that Perm(0xc09de4,0xee6282,X1,...,X14)= (0,0,Y1,...,Y14)
where Perm is the inner sponge permutation (bijective mapping) of Poseidon1 with an extra linear layer before the first round.
We encourage cryptanalysts to find an improved attack variant (such as the “skipping first rounds” trick) rather than to find a solution by brute force. New attack ideas might qualify for a bonus.
Concrete bounties (details here):
RF=6, RP=6 $6000
RF=6, RP=8 $10000
RF=6, RP=10 $15000
We expect that the best attack that solves these bounties is a resultant attack. A Groebner basis attack that breaks any of these instances may qualify for an additional bonus.
The task is to find an input S with 2 zero elements at positions i1 and i2 (chosen by the attacker) such that all output elements of H(S), exponentiated to (p-1)/16, are either w^(i1) or w^(i2), where w=148625052 (16-th root of unity in Fp).
Here H is the Poseidon1 hash function in the compression mode, with RF=6 and RP>5. All the submitted solutions are kept confidential (except for the RP value) and ranked by RP. Solutions with highest RP broken get a reward, with the total fund being $40000. Solutions can be sent in two phases: before August 1st 2026 and between August 1st and December 1st 2026. The first phase solutions are ranked, rewarded, and published in the first week of August, 2026.
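The zero-test condition above can be checked mechanically once H(S) is known, because for any nonzero y the value y^((p-1)/16) is always one of the sixteen powers of w. The following is an added example, not code from the initiative or from poseidon-tools: it takes the hash output as an argument (the round constants and matrix are not given on this page), assumes 0-based positions, and uses hypothetical function names.

```python
# Added example: verifier-side predicate for the zero-test condition.
# H itself is not implemented; its output is passed in by the caller.
P = 2130706433         # KoalaBear prime 2^31 - 2^24 + 1 (from the page)
W = 148625052          # 16th root of unity in F_p (from the page)
EXP = (P - 1) // 16    # exponent applied to every output element

# w^k -> k for k = 0..15; 16 distinct keys because w has order exactly 16.
ROOT_INDEX = {pow(W, k, P): k for k in range(16)}


def character_index(y):
    """Return k such that y^((p-1)/16) == w^k, or None if y == 0 mod p."""
    y %= P
    if y == 0:
        return None    # 0 maps to 0, which is not a power of w
    return ROOT_INDEX[pow(y, EXP, P)]


def zero_test_holds(state, output, i1, i2):
    """Check a claimed solution: `state` is S, `output` is H(S).

    Assumption: positions i1, i2 are 0-based indices into `state`.
    """
    n = len(state)
    if i1 == i2 or not (0 <= i1 < n and 0 <= i2 < n):
        return False
    if state[i1] % P != 0 or state[i2] % P != 0:
        return False   # S must be zero at both chosen positions
    allowed = {i1 % 16, i2 % 16}
    return all(character_index(y) in allowed for y in output)


def sample_elements(index, count):
    """Constructed test data: smallest field elements with the given index."""
    found, y = [], 1
    while len(found) < count:
        if character_index(y) == index:
            found.append(y)
        y += 1
    return found
```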
The task is to find a polynomial P of degree 7 over Fp^2 such that the first two elements of the hash of its coefficients, interpreted as a Fp^2 element, is a root of P.
Here H is the Poseidon1 hash function in the compression mode, with RF=6 and RP>5. All the submitted solutions are kept confidential (except for the RP value) and ranked by RP. Solutions with highest RP broken get a reward, with the total fund being $40000. Solutions can be sent in two phases: before August 1st 2026 and between August 1st and December 1st 2026. The first phase solutions are ranked, rewarded, and published in the first week of August, 2026.
The formal details are available by link.
A research paper, which describes an attack on a reduced-round Poseidon, may qualify for a prize. It has to conform to the following rules:
Attack should be on a reduced-round version of one of three instances described above: Poseidon-256, Poseidon-64, or Poseidon-31.
Attack should be an improvement to the attacks presented in the survey.
The attack should break one of the following properties:
collision resistance for 256-bit output
(first or second) preimage resistance for 256-bit or 128-bit output
correlation intractability for relations arising from post-quantum proofs of knowledge (details later)
The paper should be made public (ePrint) by the end of 2026.
The amount of the award is proportional to the paper's merit and remains at the discretion of the Ethereum Foundation. The minimal prize is $5000, the entire award fund is $90000.
Existing Groebner basis research papers on Poseidon have very imprecise complexity estimates. We would like to launch a more detailed investigation of attack complexity so that the complexity of a full attack can be extrapolated from the ones on small instances.
We provide research grants to derive a formula for Groebner basis preimage attacks arising from round equations. Concretely, we ask the following:
Construct a DRL-order Groebner basis using F4 or F5 GB algorithms for reduced-round versions of Poseidon-256, -64, -31, as specified in the Bounty Program, for all feasible combinations of RF and RP.
Construct, if possible, a Groebner basis manually for other orders but the same instances.
Run the basis conversion algorithm in order to get the LEX basis from the bases obtained at previous steps.
Solve the preimage problem by factoring a univariate polynomial from the LEX basis.
The complexity of these steps should be counted separately, both in terms of memory requirements and CPU operations. From the table of practical complexities, a formula for the full instance should be extrapolated.
The investigation is supposed to be done in close collaboration with the EF Poseidon Group. Questions should be sent to poseidon@ethereum.org.
Applications should be made at the Ethereum Foundation website by April 1st, 2025. They will be processed in the order received.
We plan to support workshops, retreats, and schools that are devoted to the cryptanalysis of Poseidon and related designs. Among those are
ALPSY workshop in January 2025
FSE-affiliated event in March 2025
Eurocrypt-affiliated event in May 2025.
Poseidon event in Luxembourg (October 2025).
Poseidon track at ZKSC workshop (February 2026)
Eurocrypt-affiliated event (May 2026)
We have compiled a list of research problems which appear necessary to understand the security of Poseidon instances further. The grant amount ranges from $20000 to $40000, depending on the deliverables that are suggested by the applicants.
Applications should be made at the Ethereum Foundation website by June 1st, 2026. They will be processed in the order received.
With the emergence of AOHs, Gröbner basis attacks have gained significant attention. However, alternative system-solving approaches, such as resultants, have also recently proven useful in the cryptanalysis of primitives like Anemoi, Jarvis, and Rescue-Prime. Expanding the application of resultants could enhance and diversify the quality of security evaluations of Poseidon-like constructions too.
The partial rounds in Poseidon1 use an MDS matrix. It was shown that a non-MDS matrix in Poseidon2 enhances some attacks; on the other hand, there is an equivalent representation of Poseidon1 where the matrix is not MDS. Prove or disprove that using a non-MDS matrix in Poseidon1 partial rounds is okay.
We are looking into attacks on (reduced-round) instances of Poseidon which would break the security of non-interactive cryptographic protocols obtained via the Fiat-Shamir heuristic, where Poseidon would be used to generate public coins. Applicants are free to choose protocols on their own.
Quantum attacks
We would like to explore in more detail the resistance of the sponge mode and of the Poseidon compression function mode to quantum attacks. Those quantum attacks should cover various properties: collision, preimages, target collisions.
The standard EF rules for small grants apply. Poseidon authors cannot be applicants to the grants nor to the award program.
The Ethereum Foundation Poseidon Group includes Dmitry Khovratovich, one of the designers of Poseidon. Dmitry and the Poseidon team contributed to defining the bounty parameters and structuring the research grant program. Decisions on awarding grants and distributing bounties will be made by the members of the Ethereum Foundation Poseidon Group in consultation with the Advisory Board.
Bounty program runs till December 1st, 2025. The idea of the bounty program is twofold:
Ensure that the interpolation attack is the fastest preimage attack on Poseidon.
Verify that the complexity of the interpolation attack on the reduced round versions matches the theoretical estimates.
These ideas are implemented as follows: we take original instances of Poseidon and Poseidon2, which claim 128-bit preimage security, and reduce the number of rounds such that the interpolation attack becomes feasible. The expected complexity of the attack 2^T is then used to claim “T-bit estimated security”. If either of our assumptions is violated then a better attack should be found.
Hash function instances in the program:
Poseidon-256 (the original Poseidon paper, the finite field being the scalar field of the BLS12-381 elliptic curve). Degree `d` of power mapping is 5, the state size `t` is 3. The matrix is taken from the reference implementation. UPD: the round constants should be generated for each instance separately.
Poseidon-64 (the Poseidon2 paper, the finite field based on a Goldilocks prime 2^{64}-2^{32}+1). Degree `d` of power mapping is 7, the state size `t` is 8. UPD: the round constants should be generated for each instance separately.
Poseidon-31 (the Poseidon2 paper), two options:
the finite field being the M31 prime 2^{31}-1 = 2147483647. Degree `d` of power mapping is 5, the state size `t` is 16.
the finite field being the KoalaBear prime 2^{31}-2^{24}+1 = 2130706433. Degree `d` of power mapping is 3, the state size `t` is 16.
The task is to find a preimage of 0, or, more precisely:
For Poseidon-256 a 256-bit preimage: find X1, X2, Y1, Y2 such that Perm(X1,X2,0)= (Y1,Y2,0)
For Poseidon-64 a 64-bit preimage: find X1,..., X7, Y1,... Y7 such that Perm(X1,...,X7,0)= (Y1,...,Y7,0)
For Poseidon-31 a 62-bit preimage: find X1,..., X14, Y1,... Y14 such that Perm(X1,...,X14,0,0)= (Y1,...,Y14,0,0)
where Perm is the inner sponge permutation (bijective mapping) of the hash function in the challenge list.
We encourage cryptanalysts to find an improved attack variant (such as the “skipping first rounds” trick) rather than to find a solution by brute force. New attack ideas might qualify for a bonus.
Common terms:
Solutions should be sent to the Ethereum Foundation Poseidon Group, poseidon@ethereum.org.
First come, first win. Solutions sent within a 1-day period after the first one will be considered.
Within 1 month after the submission the authors should provide a technical report with the attack description, which should be released to the public domain by December 1st 2025 at the latest. The code should also be made public before this date.
Total Bounty Budget -- $130 000.
Concrete bounties (details here):
Poseidon-256:
24-bit estimated security: RF=6, RP=8. $4000 claimed 9 Dec 2024
28-bit estimated security: RF=6, RP=9. $6000 claimed 31 Dec 2024
32-bit estimated security: RF=6, RP=11. $10000
40-bit estimated security: RF=6, RP=16. $15000
Poseidon-64:
24-bit estimated security: RF=6, RP=7 $4000 claimed 23 Apr 2025
28-bit estimated security: RF=6, RP=8. $6000 claimed 27 Apr 2025
32-bit estimated security: RF=6, RP=10. $10000 claimed 24 May 2025
40-bit estimated security: RF=6, RP=13. $15000
Poseidon-31:
24-bit estimated security: RF=4, RP=0 (M31) claimed 29 Nov 2025 and RP=1 (KoalaBear). $4000 claimed 30 Nov 2024
28-bit estimated security: RF=4, RP=1 (M31) and RP=3 (KoalaBear). $6000 claimed 29 Nov 2024
32-bit estimated security: RF=6, RP=1 (M31) claimed 2 Dec 2025 and RP=4 (KoalaBear). $10000 claimed 5 Dec 2024
40-bit estimated security: RF=6, RP=4 (M31 only). $15000 claimed 5 Nov 2025
We expect that the best attack that solves these bounties is an interpolation attack. A Groebner basis attack that breaks any of these instances may qualify for an additional bonus.
24 Jan 2025 -- grant deadline extended, a bounty claim added.
10 Dec 2024 -- added 32-bit Poseidon-31 bounty claims and 24-bit Poseidon-256 claims. Also added that the round constants should be generated for each instance separately.
30 Nov 2024 -- 28-bit bounty claimed for Poseidon-31
29 Nov 2024 -- 24-bit bounty claimed for Poseidon-31
29 Nov 2024 -- a typo in the KoalaBear prime definition was fixed (2^32 -> 2^31)