Overview

Starknet is built on advanced cryptographic primitives that enable scalable, trustless computation using STARK proofs. These include a custom prime field and elliptic curve and multiple hash functions optimized for zero-knowledge performance.

The STARK field

The STARK field is the finite field FP\mathbb{F}_{P}, where: PP = 2251+172192+12^{251} + 17 \cdot 2^{192} + 1 = 3618502788666131213697322783095070105623107215331596699973092056135872020481
The felt252 type in Cairo refers to elements of the STARK field.

The STARK curve

The STARK curve is an elliptic curve defined over the STARK field by: y2x3+αx+β(modP)y^{2} \equiv x^{3} + \alpha \cdot x + \beta \left(\right. mod P \left.\right) where:
  • α\alpha = 1
  • β\beta = 3141592653589793238462643383279502884197169399375105820974944592307816406665
The curve’s order is 3618502788666131213697322783095070105526743751716087489154079457884512865583, and the generator point GG in the Elliptic Curve Digital Signature Algorithm (ECDSA) implementation that is used in Cairo with respect to it is defined by:
  • GxG_{x} = 874739451078007766457464989774322083649278607533249481151382481072868806602
  • GyG_{y} = 152666792071518830868575557812948353041420400780739481342941381225525861407
The STARK curve is commonly used in smart contracts, but is not distinguished by the Starknet protocol.

Hash functions

There are three hash functions used throughout Starknet’s specifications that map inputs to elements in the STARK field.

Starknet Keccak

Starknet’s version of the Keccak hash function, commonly denoted by snkeccak\text{sn}_\text{keccak}, is defined as the first 250 bits of Ethereum’s keccak256.

Pedersen hash

Starknet’s version of the Pedersen hash function is then defined by: h(a,b)=([shiftpoint+alowP0+ahighP1+blowP2+bhighP3])xh \left(\right. a , b \left.\right) = \left(\left[\right. \text{shift}_\text{point} + a_{l o w} \cdot P_{0} + a_{h i g h} \cdot P 1 + b_{l o w} \cdot P 2 + b_{h i g h} \cdot P 3 \left]\right.\right)_{x} where:
  • alowa_{l o w} and blowb_{l o w} are the 248 low of aa and bb, respectively
  • ahigha_{h i g h} and bhighb_{h i g h} are the 4 high bits of aa and bb, respectively
  • The values of the constants shiftpoint,P0,P1,P2,P3\text{shift}_\text{point} , P_{0} , P_{1} , P_{2} , P_{3} can be found in fast_pedersen_hash.py
  • [P]x\left[\right. P \left]\right._{x} denotes the xx coordinate of point PP

Array hashing

Let hh denote the pedersen hash function, then given an array a1,...,ana_{1} , . . . , a_{n} of nn field elements we define h(a1,...,an)h \left(\right. a_{1} , . . . , a_{n} \left.\right) to be: h(...h(h(0,a1),a2),...,an),n)h \left(\right. . . . h \left(\right. h \left(\right. 0 , a_{1} \left.\right) , a_{2} \left.\right) , . . . , a_{n} \left.\right) , n \left.\right)

Poseidon hash

Poseidon is a family of hash functions designed to be very efficient as algebraic circuits. As such, they can be very useful in ZK-proving systems such as STARKs.
Starknet’s version of the Poseidon hash function is based on a three-element state Hades permutation and defined of up to 2 elements by: poseidon(x):=([hadespermutation(x,0,1)])0\text{poseidon} \left(\right. x \left.\right) := \left(\left[\right. \text{hades}_\text{permutation} \left(\right. x , 0 , 1 \left.\right) \left]\right.\right)_{0} poseidon(x,y):=([hadespermutation(x,y,2)])0\text{poseidon} \left(\right. x , y \left.\right) := \left(\left[\right. \text{hades}_\text{permutation} \left(\right. x , y , 2 \left.\right) \left]\right.\right)_{0} Where []j\left[\right. \cdot \left]\right._{j} denotes taking the jj‘th coordinate of a tuple.

Array hashing

Let hades:FP3FP3\text{hades} : \mathbb{F}_{P}^{3} \rightarrow \mathbb{F}_{P}^{3} denote the Hades permutation with Starknet’s parameters, then given an array a1,...,ana_{1} , . . . , a_{n} of nn field elements we define poseidon(a1,...,an)\text{poseidon} \left(\right. a_{1} , . . . , a_{n} \left.\right) to be the first coordinate of H(a1,...,an;0,0,0)H \left(\right. a_{1} , . . . , a_{n} ; 0 , 0 , 0 \left.\right), where: H(a1,,an;s1,s2,s3)={H(a3,,an;hades(s1+a1,s2+a2,s3))if n2hades(s1+a1,s2+1,s3)if n=1hades(s1+1,s2,s3)if n=0H(a_1, \ldots, a_n; s_1, s_2, s_3) = \begin{cases} H(a_3, \ldots, a_n; \text{hades}(s_1 + a_1, s_2 + a_2, s_3)) & \text{if } n \geq 2 \\ \text{hades}(s_1 + a_1, s_2 + 1, s_3) & \text{if } n = 1 \\ \text{hades}(s_1 + 1, s_2, s_3) & \text{if } n = 0 \end{cases}
For reference implementations of the above see poseidon_hash.py and poseidon.cairo in the cairo-lang GitHub repository.

Additional resources