Poseidon Hash

Definition

Poseidon follows the HADES strategy (substitution-permutation network with partial S-box layers). Full rounds (R_F) and partial rounds (R_P) combine to maintain collision resistance while cutting in-circuit constraint count by one to two orders of magnitude versus SHA-256.

The reference parameter set is defined over the prime field p = 2^251 + 17·2^192 + 1 (StarkWare specification). Filecoin, Aztec, Penumbra, and others use it in production. EIP-5988 proposes a Poseidon precompile for Ethereum.

Bit-oriented hashes such as Keccak or SHA-2 explode in constraint count inside a ZK circuit. Poseidon is built from additions and multiplications only, so circuit cost scales nearly linearly in input length.

Lemma Oracle implementation

Lemma hashes the internal docHash representation with Poseidon. Inside the circuit, docHash, attributes, provenance, and commitments collapse into a single ZK-friendly hash chain.

The choice of Poseidon over a bit-oriented hash reduces downstream zero-knowledge proof generation time by orders of magnitude — which is what makes "the proof is ready immediately" a viable user-facing claim.

External interoperability uses SHA-256-family identifiers such as CID. The Poseidon representation is reserved for in-circuit use — a two-layer split that keeps both compatibility and efficiency.