Merz and García propose new algebraic attacks on Poseidon2(b) in their paper, exploiting the structure of the linear-layer matrices and weaknesses in the operation modes to significantly improve attack efficiency.
Notes
The attack exploits the specific structure of the linear-layer matrices in Poseidon2(b), improving round-skipping for the CICO problem
Directly modeling the algebraic preimage attack in compression and sponge modes outperforms solving the corresponding CICO problem
First example in which an algebraic collision attack outperforms an algebraic preimage attack
Improves over state-of-the-art algebraic collision attacks by a factor of 2^106 for some recommended parameter sets (e.g., 128-bit)
Because of the algebraic security margin, the attack does not bring the primitive below its claimed security level
Discusses mitigation measures that do not affect the efficiency of Poseidon2(b)
zkDaily: Zero-Knowledge Proofs
Q&A Deep Dive 💬
Friday, 02.20 2026
What does the paper attack in Poseidon2(b), and is it broken?
The paper targets the linear layer of the external rounds, Mε = P ⊗ M4: by constructing subspaces it achieves round-skipping and lowers the algebraic complexity. Under the officially recommended parameters, however, 128-bit preimage and collision security remain intact.
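The Kronecker structure Mε = P ⊗ M4 named in the answer above is easy to see concretely. The following is an added example, not code from the paper or from the Poseidon2 project: it builds the external matrix both as Poseidon2's published circ(2·M4, M4, …, M4) and as P ⊗ M4, checks that the two agree when P = I + J (the page does not define P; I + J is the reading under which the two forms coincide), and then verifies the invariant subspaces that the tensor structure carries: on block vectors v ⊗ w whose block coefficients sum to zero, Mε acts as the 4×4 matrix M4 alone, whatever the state size t. The modulus, the test vectors and the helper names are constructed for the demonstration.

```python
# Added example, not code from the paper or the Poseidon2 project.
# It shows the Kronecker (tensor) structure of Poseidon2's external linear
# layer and the subspaces that structure leaves invariant, the property the
# paper's subspace-based round-skipping builds on.
#
# Assumptions: Poseidon2 defines the external matrix for t = 4*t' as
# circ(2*M4, M4, ..., M4). This equals P (x) M4 with P = I + J (2 on the
# diagonal, 1 elsewhere); the page writes Me = P (x) M4 without defining P,
# so P = I + J is our reading. The prime below is a constructed demo modulus,
# not a Poseidon2 parameter.

P_MOD = (1 << 31) - 1  # constructed demo field size

# Poseidon2's 4x4 building block M4 (from the Poseidon2 specification).
M4 = [[5, 7, 1, 3],
      [4, 6, 1, 1],
      [1, 3, 5, 7],
      [1, 1, 4, 6]]


def mat_vec(A, v, p=P_MOD):
    """Matrix-vector product over F_p."""
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def kron(A, B):
    """Kronecker product: (A (x) B)[i*m+k][j*n+l] = A[i][j] * B[k][l]."""
    return [[a * b for a in arow for b in brow] for arow in A for brow in B]


def p_matrix(tp):
    """P = I + J over t' blocks: 2 on the diagonal, 1 elsewhere (assumption)."""
    return [[2 if i == j else 1 for j in range(tp)] for i in range(tp)]


def external_matrix(tp):
    """Me = P (x) M4, the Kronecker form used on the page."""
    return kron(p_matrix(tp), M4)


def circ_external(tp):
    """circ(2*M4, M4, ..., M4): the form in the Poseidon2 specification."""
    t = 4 * tp
    M = [[0] * t for _ in range(t)]
    for bi in range(tp):
        for bj in range(tp):
            scale = 2 if bi == bj else 1
            for k in range(4):
                for l in range(4):
                    M[4 * bi + k][4 * bj + l] = scale * M4[k][l]
    return M


def tensor_vec(v, w, p=P_MOD):
    """v (x) w: the t-vector whose i-th 4-block is v[i] * w."""
    return [(a * b) % p for a in v for b in w]


def zero_sum_block_is_invariant(tp, p=P_MOD):
    """For v with sum(v) = 0 in F_p, Me (v (x) w) = v (x) (M4 w): the subspace
    {v (x) w : sum(v) = 0} is Me-invariant and Me acts on it as M4 alone."""
    v = [1, p - 1] + [0] * (tp - 2)      # constructed: sums to 0 mod p
    w = [3, 1, 4, 1]                     # constructed 4-block
    lhs = mat_vec(external_matrix(tp), tensor_vec(v, w, p), p)
    rhs = tensor_vec(v, mat_vec(M4, w, p), p)
    return lhs == rhs


def all_ones_block_scales(tp, p=P_MOD):
    """For v = (1, ..., 1), P v = (t'+1) v, so Me (1 (x) w) = (t'+1) (1 (x) M4 w)."""
    v = [1] * tp
    w = [2, 7, 1, 8]                     # constructed 4-block
    lhs = mat_vec(external_matrix(tp), tensor_vec(v, w, p), p)
    rhs = [((tp + 1) * x) % p for x in tensor_vec(v, mat_vec(M4, w, p), p)]
    return lhs == rhs


if __name__ == "__main__":
    for tp in (2, 3, 6):                 # t = 8, 12, 24
        assert external_matrix(tp) == circ_external(tp)
        assert zero_sum_block_is_invariant(tp)
        assert all_ones_block_scales(tp)
        print(f"t={4*tp}: Me = (I+J) (x) M4; invariant subspace of dim {4*(tp-1)} verified")
```

The point for a reviewer of a parameter set: the zero-sum subspace has dimension 4(t' − 1) and grows with the state size, while the map acting on it stays the fixed 4×4 matrix M4. That is the kind of structural regularity the answer above refers to, and it is a property of the matrix family itself rather than of any particular field or round count.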
Why can sponge-mode attacks be stronger than CICO analysis?
Sponge mode involves multiple permutation calls and the capacity structure, so the ideal degree can be optimised separately and the round-skip strengthened. Modeling the sponge directly can therefore be easier than analysing CICO on its own.
What impact does this attack have on Poseidon in zkVMs or sum-check systems?
The recommended parameters remain secure, but the linear layer has algebraic weaknesses. Reducing the number of external rounds to save circuit cost could erode the security margin, so zk systems should not adjust the parameters ad hoc.