Ethereum Foundation logo
  • home
  • blog
  • research
  • bounties
  • team
  • events

ZK Hash Function Cryptanalysis Bounties

Terms

Task: find X1,X2,Y1,Y2X1,X2,Y1,Y2 such that Perm(X1,X2,0)=(Y1,Y2,0)\displaystyle Perm(X1,X2,0)=(Y1,Y2,0)

where PermPerm is the inner sponge permutation (bijective mapping) of the hash function the challenge list.

  • Solutions should be sent to Dmitry Khovratovich before November 30th 2022.
  • First come first win.
  • Within 1 month after the submission the authors should provide a technical report with the attack description, which should be released to the public domain at latest December 1st 2022. The code should be also made public before this date.
  • Total Bounty Budget: $200,000 USD.
  • Parameters are fixed on November 23rd 2021.

Rescue Prime

Design spec.

  • p=18446744073709551557~264p=18446744073709551557 \text{\textasciitilde} 2^{64}
  • m=3m=3
  • alpha=3alpha=3
  • Number of rounds: NN
  • Brute force attack complexity: 2642^{64}

We expect that a variant with ss bits of security to withstand attacks of complexity up to 21.5s2^{1.5s} time (function calls) and memory.

Reference implementation and bounty instances.

CategoryParametersSecurity Level (bits)Bounty
EasyN=4,m=3\sout{N=4, m=3}25$2,000
EasyN=6,m=2N=6, m=225$4,000
MediumN=7,m=2N=7, m=229$6,000
HardN=5,m=3N=5, m=330$12,000
HardN=8,m=2N=8, m=233$26,000

Feistel-MIMC

Design spec.

  • p=18446744073709551557~264p=18446744073709551557 \text{\textasciitilde} 2^{64}
  • alpha=3alpha=3
  • Task: find X,YX,Y such that FeistelMiMC(X,0)=(Y,0)Feistel\text{\textendash}MiMC(X,0)=(Y,0)
  • Number of rounds: rr
  • Brute force attack complexity: 2642^{64}

We expect that a variant with ss bits of security to withstand attacks of complexity up to 22s2^{2s} time (function calls) and memory.

The initial parameters were broken and were replaced.

Reference implementation and bounty instances.

CategoryParametersSecurity Level (bits)Bounty
EasyN=4,m=3\sout{N=4, m=3}25$2,000
EasyN=6,m=2N=6, m=225$4,000
MediumN=7,m=2N=7, m=229$6,000
HardN=5,m=3N=5, m=330$12,000
HardN=8,m=2N=8, m=233$26,000

Poseidon

Design spec.

  • p=18446744073709551557~264p=18446744073709551557 \text{\textasciitilde} 2^{64}
  • d=3d=3
  • t=3t=3
  • Number of full rounds: RF=8RF=8
  • Number of partial rounds RPRP varies (see below)
  • Brute force attack complexity: 2642^{64}

We expect that a variant with ss bits of security to withstand attacks of complexity up to 2s+372^{s+37} time (function calls) and memory.

The initial parameters were broken and were replaced.

Reference implementation and bounty instances.

CategoryParametersSecurity Level (bits)Bounty
EasyRP=3\sout{RP=3}8$2,000
EasyRP=8\sout{RP=8}16$4,000
MediumRP=13\sout{RP=13}24$6,000
HardRP=19RP=1932$12,000
HardRP=24RP=2440$26,000

Reinforced Concrete

Design spec.

  • Number of layers as in the original design
  • Different prime field
  • The best attack we have found for these variants is exhaustive search.
  • Groebner basis challenges might be declared additionally.

We expect that a variant with ss bits of security to withstand attacks of complexity up to 22s2^{2s} time (function calls) and memory.

Decomposition and alpha/beta values.

Reference implementation and bounty instances.

CategoryParametersSecurity Level (bits)Bounty
Easyp=281474976710597p=28147497671059724$4,000
Hardp=72057594037926839p=7205759403792683928$6,000
Hardp=18446744073709551557p=1844674407370955155732$12,000

Contact

dmitry.khovratovich@ethereum.org

cryptography@ethereum.org

© 2025 Ethereum Foundation. All rights reserved.