
New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: \(\texttt{Anemoi}\) Permutations and \(\texttt{Jive}\) Compression Mode

Conference paper
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)


Advanced cryptographic protocols such as Zero-knowledge (ZK) proofs of knowledge, widely used in cryptocurrency applications such as Zcash, Monero, Filecoin, Tezos and Topos, demand new cryptographic hash functions that are efficient not only over the binary field \(\mathbb {F}_2\), but also over large fields of prime characteristic \(\mathbb {F}_p\). This need has been acknowledged by the wider community and new so-called Arithmetization-Oriented (AO) hash functions have been proposed, e.g. MiMC-Hash, Rescue–Prime, Poseidon, Reinforced Concrete and Griffin.

In this paper we propose Anemoi: a new family of ZK-friendly permutations that can be used to construct efficient hash functions and compression functions. The main features of these algorithms are that 1) they are designed to be efficient within multiple proof systems (e.g. Groth16, Plonk, etc.), 2) they contain dedicated functions optimised for specific applications (namely Merkle tree hashing and general purpose hashing), and 3) they have highly competitive performance: about a factor of 2 improvement over Poseidon and Rescue–Prime in terms of R1CS constraints, a 21%–35% Plonk constraint reduction over a highly optimized Poseidon implementation, and competitive native performance, running between two and three times faster than Rescue–Prime depending on the field size.

On the theoretical side, Anemoi pushes further the frontier of our understanding of the design principles that are truly entailed by arithmetization-orientation. In particular, we identify and exploit a previously unknown relationship between CCZ-equivalence and arithmetization-orientation. In addition, we propose two new standalone components that can be easily reused in new designs. One is a new S-box called Flystel, based on the well-studied butterfly structure, and the second is \(\textsf{Jive}\), a new mode of operation inspired by the “Latin dance” symmetric algorithms (Salsa, ChaCha and derivatives). Our design is a conservative one: it uses a very classical Substitution-Permutation Network structure, and our detailed analysis of algebraic attacks can be of independent interest.
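The link between CCZ-equivalence and arithmetization-orientation mentioned above, as an added worked example that is not code from the paper or from its authors' reference implementation. The prover evaluates the "open" Flystel, which needs the high-degree inverse power map \(x^{1/\alpha}\); the verifier instead checks the "closed" Flystel, a relation of degree \(\max(2,\alpha)\) with the same graph, which is what keeps the constraint count low. The formulas \(Q_\gamma(x)=\beta x^2+\gamma\), \(Q_\delta(x)=\beta x^2+\delta\) and \(E(x)=x^\alpha\) follow the Anemoi specification as recalled here and are not stated on this page; the prime \(p=101\), \(\alpha=3\) and the constants \(\beta,\gamma,\delta\) are toy values constructed for this example, not Anemoi parameters.

```python
# Added example (not from the Anemoi paper or its reference code): open vs.
# closed Flystel over a toy prime field, illustrating why the verifier can
# check a low-degree relation while the prover computes a high-degree map.
# Flystel formulas are recalled from the Anemoi spec; p, alpha, beta, gamma,
# delta below are toy values chosen for this example (assumption).
from math import gcd

P = 101                  # toy prime; real instances use ~255-bit primes
ALPHA = 3                # x^alpha is a permutation of F_p iff gcd(alpha, p-1) = 1
assert gcd(ALPHA, P - 1) == 1
ALPHA_INV = pow(ALPHA, -1, P - 1)   # exponent realising x -> x^(1/alpha)
BETA, GAMMA, DELTA = 2, 3, 5        # assumed: beta != 0, gamma/delta arbitrary


def q_gamma(x):          # Q_gamma(x) = beta*x^2 + gamma   (degree 2)
    return (BETA * x * x + GAMMA) % P


def q_delta(x):          # Q_delta(x) = beta*x^2 + delta   (degree 2)
    return (BETA * x * x + DELTA) % P


def e_pow(x):            # E(x) = x^alpha                  (degree alpha)
    return pow(x, ALPHA, P)


def e_inv(x):            # E^{-1}(x) = x^(1/alpha): exponent ~ p, expensive
    return pow(x, ALPHA_INV, P)


def flystel_open(x, y):
    """Open Flystel H: (x, y) -> (u, v). This is what the prover computes.
    The middle step uses E^{-1}, so H has a huge polynomial degree."""
    x = (x - q_gamma(y)) % P
    y = (y - e_inv(x)) % P
    x = (x + q_delta(y)) % P
    return x, y


def flystel_closed(y, v):
    """Closed Flystel V: (y, v) -> (x, u). Same graph as H, but only
    degree max(2, alpha): this is the relation a circuit verifies."""
    t = e_pow((y - v) % P)
    return (q_gamma(y) + t) % P, (q_delta(v) + t) % P


def verify_step(x, y, u, v):
    """Verifier-side check that (u, v) = H(x, y), using only low-degree
    polynomials:  H(x, y) = (u, v)  <=>  V(y, v) = (x, u)."""
    return flystel_closed(y, v) == (x, u)


def graph_equivalence_holds():
    """Exhaustively confirm over F_p^2 that H and V describe the same set
    of (input, output) pairs, i.e. that they have the same graph."""
    for x in range(P):
        for y in range(P):
            u, v = flystel_open(x, y)
            if not verify_step(x, y, u, v):
                return False
    return True


def is_permutation():
    """H must be a bijection of F_p^2 to be usable as an S-box."""
    seen = {flystel_open(x, y) for x in range(P) for y in range(P)}
    return len(seen) == P * P


def mul_count(exp):
    """Field multiplications for x^exp via square-and-multiply; a rough
    proxy for the constraints a naive circuit would spend on that power."""
    squarings = exp.bit_length() - 1
    return squarings + bin(exp).count("1") - 1


if __name__ == "__main__":
    print("graph equivalence:", graph_equivalence_holds())
    print("permutation:", is_permutation())
    print("muls for x^alpha:", mul_count(ALPHA),
          "| muls for x^(1/alpha):", mul_count(ALPHA_INV))
```

The exhaustive check over \(\mathbb{F}_p^2\) confirms that the two maps have the same graph, and `mul_count` shows why the closed form matters: \(x^3\) costs two multiplications while \(x^{1/3}=x^{67}\) in \(\mathbb{F}_{101}\) costs eight, and in a real 255-bit field the inverse exponent has hundreds of bits. Any tuple \((x,y,u,v)\) with \((u,v)\neq H(x,y)\) fails `verify_step`, so checking the low-degree relation loses nothing.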



Notes

  1. “Factory” is here used in the sense of the programming design pattern, i.e. it is an object returning functions.

  2. Starting from a given function F, applying any affine permutation of \(\mathbb {F}_{q}^{2}\) to its graph is unlikely to yield the graph of another function G. Indeed, this would require that the left-hand coordinate of \(\mathcal {L}(x, F(x))\) takes all the values in \(\mathbb {F}_{q}\) as x goes through \(\mathbb {F}_{q}\), which is a priori not the case. A mapping \(\mathcal {L}\) that does yield the graph of another function is called “admissible”, a concept that was extensively studied in [18].

  3. The result of Li et al. covers all generalized butterflies, not just those corresponding to Flystel structures. In a Flystel, the first parameter (which we will denote a) is set to 1. Their results for the differential uniformity and the linearity hold only when \(\beta \ne (1+a)^\alpha \), meaning that we simply need to make sure that \(\beta \ne 0\). For the algebraic degree, the condition they give in their Theorem 5 to have a degree equal to \(n+1\) degenerates into \(\beta ^{2^{i+1}} = \beta ^{2^{i}+1}\), which is never the case as \(i > 0\).

  4. The field order must have a bitlength of at least 10 bits. The aim of this restriction is to ensure that e.g. MDS matrices can be found, as those might not exist for small field sizes.

  5. Recall that the branching number of a linear permutation L is the minimum over \(x \ne 0\) of \(\textrm{hw}(x) + \textrm{hw}\left( L(x) \right) \), where \(\textrm{hw}(x)\) denotes the Hamming weight of x.

  6. We would expect the value of \(\kappa _{\alpha }\) to keep increasing with \(\alpha \), but the computations needed to estimate it become too costly as \(\alpha \) increases.

  7. For readability, the selector values have been omitted.

  8. We refer here to original instantiations, as opposed to a common practice in the industry of tweaking parameters (typically the MDS matrix layer). All instantiations here are original, paper versions, for a fair comparison.

  9. Liu et al. originally utilized an earlier version of this work specifying 12 rounds in this setting.
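The branching number recalled in note 5, and the point in note 4 that MDS matrices need not exist over tiny fields, as an added worked example (not code from the paper or its authors): a brute-force computation of \(\min_{x \ne 0} \textrm{hw}(x) + \textrm{hw}(L(x))\) for a linear layer over a small prime field, and the MDS test that follows from it. The field \(\mathbb{F}_7\) and the two \(2\times 2\) matrices are constructed for this example and are not Anemoi parameters.

```python
# Added example (not from the paper): branching number of a linear layer
# over a small prime field, exactly as defined in note 5, by exhaustive
# enumeration. The field F_7 and the matrices are toy values constructed
# here (assumption), not an Anemoi parameter set.
from itertools import product

P = 7

# All entries and the determinant of M_MDS are non-zero mod 7 (det = 3-9 = 1),
# so it should reach the maximal branching number n+1 = 3. M_WEAK passes a
# single-branch difference straight through, so it cannot.
M_MDS = [[1, 3], [3, 3]]
M_WEAK = [[1, 0], [1, 1]]


def hw(v):
    """Hamming weight over F_p: number of non-zero coordinates."""
    return sum(1 for c in v if c % P != 0)


def apply(M, v):
    """Matrix-vector product over F_p."""
    return [sum(M[i][j] * v[j] for j in range(len(v))) % P
            for i in range(len(M))]


def branch_number(M):
    """min over x != 0 of hw(x) + hw(M x), enumerating all of F_p^n.
    Only feasible for tiny p and n; the bound, not the search, is the point."""
    n = len(M)
    best = None
    for x in product(range(P), repeat=n):
        if not any(x):
            continue                        # definition excludes x = 0
        b = hw(x) + hw(apply(M, list(x)))
        if best is None or b < best:
            best = b
    return best


def is_mds(M):
    """A linear layer is MDS iff it attains the Singleton bound n + 1,
    i.e. any non-zero input touches at least n + 1 branches in total."""
    return branch_number(M) == len(M) + 1


if __name__ == "__main__":
    for name, M in (("M_MDS", M_MDS), ("M_WEAK", M_WEAK)):
        print(name, "branching number =", branch_number(M), "MDS:", is_mds(M))
```

For a \(2\times 2\) matrix the search just confirms the closed-form rule (MDS iff every entry and the determinant are non-zero), but the same function checks any \(n\) for which \(p^n\) is enumerable, which is how one sanity-checks a candidate layer before trusting a constraint count built on it.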


References

  1. Polygon Miden. Repository, September 2022.

  2. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016).

  3. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symm. Cryptol. 2020(3), 1–45 (2020).

  4. Ambrona, M., Schmitt, A.L., Toledo, R.R., Willems, D.: New optimization techniques for PlonK’s arithmetization. Cryptology ePrint Archive, Paper 2022/462 (2022).

  5. Beierle, C., et al.: Lightweight AEAD and hashing using the Sparkle permutation family. IACR Trans. Symm. Cryptol. 2020(S1), 208–261 (2020).

  6. Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, Report 2018/046 (2018).

  7. Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014.

  8. Ben-Sasson, E., Goldberg, L., Levit, D.: STARK-friendly hash - survey and recommendation. Cryptology ePrint Archive, Report 2020/948 (2020).

  9. Bernstein, D.J.: The Salsa20 family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 84–97. Springer, Heidelberg (2008).

  10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 313–314. Springer, Heidelberg (2013).

  11. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: ECRYPT Hash Workshop, vol. 9 (2007).

  12. Bos, J., Coster, M.: Addition chain heuristics. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 400–407. Springer, New York (1990).

  13. Bouvier, C., Briaud, P., Chaidos, P., Perrin, L., Salen, R., Velichkov, V., Willems, D.: New design techniques for efficient arithmetization-oriented hash functions: Anemoi permutations and Jive compression mode. Cryptology ePrint Archive, Paper 2022/840 (2022).

  14. Bouvier, C., Briaud, P., Chaidos, P., Perrin, L., Velichkov, V.: Anemoi: exploiting the link between arithmetization-orientation and CCZ-equivalence. Cryptology ePrint Archive, Report 2022/840 (2022).

  15. Budaghyan, L., Carlet, C., Pott, A.: New classes of almost bent and almost perfect nonlinear polynomials. IEEE Trans. Inf. Theor. 52(3), 1141–1152 (2006).

  16. Canteaut, A., Duval, S., Perrin, L.: A generalisation of Dillon’s APN permutation with the best known differential and nonlinear properties for all fields of size \(2^{4k+2}\). IEEE Trans. Inf. Theor. 63(11), 7575–7591 (2017).

  17. Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symm. Cryptol. 2020(S1), 160–207 (2020).

  18. Canteaut, A., Perrin, L.: On CCZ-equivalence, extended-affine equivalence, and function twisting. Finite Fields Appl. 56, 209–246 (2019).

  19. Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations suitable for DES-like cryptosystems. Des. Codes Crypt. 15(2), 125–156 (1998).

  20. Dobraunig, C., Grassi, L., Guinet, A., Kuijsters, D.: Ciminion: symmetric encryption based on Toffoli-gates over large finite fields. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 3–34. Springer, Cham (2021).

  21. Duval, S., Leurent, G.: MDS matrices with lightweight circuits. IACR Trans. Symm. Cryptol. 2018(2), 48–78 (2018).

  22. Dworkin, M.: SHA-3 standard: permutation-based hash and extendable-output functions. NIST FIPS PUB 202 (2015).

  23. Faugère, J.C., Gianni, P., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. J. Symbolic Comput. 16(4), 329–344 (1993).

  24. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139(1), 61–88 (1999).

  25. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC 2002, pp. 75–83. Association for Computing Machinery, New York (2002).

  26. Gabizon, A., Williamson, Z.J.: plookup: a simplified polynomial protocol for lookup tables. Cryptology ePrint Archive, Report 2020/315 (2020).

  27. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989).

  28. Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: A new Feistel approach meets fluid-SPN: Griffin for zero-knowledge applications. Cryptology ePrint Archive, Report 2022/403 (2022).

  29. Grassi, L., Khovratovich, D., Lüftenegger, R., Rechberger, C., Schofnegger, M., Walch, R.: Reinforced Concrete: a fast hash function for verifiable computation. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, pp. 1323–1335. Association for Computing Machinery (2022).

  30. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 519–535. USENIX Association, August 2021.

  31. Grassi, L., Øygarden, M., Schofnegger, M., Walch, R.: From Farfalle to Megafono via Ciminion: the PRF Hydra for MPC applications. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part IV. LNCS, vol. 14007, pp. 255–286. Springer, Heidelberg, April 2023.

  32. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg, May 2016.

  33. Hirose, S.: Sequential hashing with minimum padding. In: NIST Workshop on Lightweight Cryptography 2016. National Institute of Standards and Technology (NIST) (2016).

  34. Li, Y., Tian, S., Yu, Y., Wang, M.: On the generalization of butterfly structure. IACR Trans. Symm. Cryptol. 2018(1), 160–179 (2018).

  35. Liu, J., et al.: An efficient verifiable state for zk-EVM and beyond from the Anemoi hash function. Cryptology ePrint Archive, Paper 2022/1487 (2022).

  36. Adams, W.W., Loustaunau, P.: An Introduction to Gröbner Bases. American Mathematical Society (1994).

  37. McLoughlin, M.B.: addchain: cryptographic addition chain generation in Go. Repository, October 2021.

  38. Meckler, I., Rao, V., Ryan, M., Querol, A., Spadavecchia, J., Wong, D.: Mina book: Kimchi specification.

  39. Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994).

  40. Perrin, L., Udovenko, A., Biryukov, A.: Cryptanalysis of a theorem: decomposing the only known solution to the big APN problem. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 93–122. Springer, Heidelberg (2016).

  41. Szepieniec, A., Ashur, T., Dhooghe, S.: Rescue-Prime: a standard specification (SoK). Cryptology ePrint Archive, Report 2020/1143 (2020).

  42. Szepieniec, A., Lemmens, A., Sauer, J.F., Threadbare, B.: The Tip5 hash function for recursive STARKs. Cryptology ePrint Archive, Paper 2023/107 (2023).

  43. Polygon Zero: Plonky2. Repository, September 2022.

Acknowledgements

We thank the reviewers of CRYPTO 2023 for providing insightful comments which helped improve the clarity of this paper. In particular, we would like to thank the shepherd for their assistance in finalizing the paper. We are also grateful to Markulf Kohlweiss, Antoine Rondelet and Duncan Tebbs for proofreading an earlier draft of this paper, and for providing insightful comments and suggestions. Additionally, we extend our thanks to Duncan Tebbs for providing an independent estimation of the Flystel circuit cost in terms of R1CS constraints. The work of Léo Perrin is supported by the European Research Council (ERC, grant agreement no. 101041545 “ReSCALE”). We thank Tomer Ashur for pointing out a mistake in Fig. 1 in a previous version of the paper. We also thank Miguel Ambrona and Raphaël Toledo for the idea of the quadratic custom gate and their contribution to the Plonk implementation.

Corresponding author: Clémence Bouvier

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Bouvier, C. et al. (2023). New Design Techniques for Efficient Arithmetization-Oriented Hash Functions: \(\texttt{Anemoi}\) Permutations and \(\texttt{Jive}\) Compression Mode. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham.

  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-38547-6
  • Online ISBN: 978-3-031-38548-3