In this paper we propose the (keyed) permutation Arion and the hash function ArionHash over $\mathbb{F}_p$ for odd and, in particular, large primes $p$. The design of Arion is based on the newly introduced Generalized Triangular Dynamical System (GTDS), which provides a new algebraic framework for constructing (keyed) permutations from polynomials over a finite field. At round level, Arion is the first design instantiated with the new GTDS. We provide an extensive security analysis of our construction, including algebraic cryptanalysis (e.g. interpolation and Gröbner basis attacks), which is particularly decisive in assessing the security of permutations and hash functions over $\mathbb{F}_p$. From an application perspective, ArionHash is aimed at efficient implementation in zkSNARK protocols and zero-knowledge proof systems. For this purpose, we exploit that CCZ-equivalence of graphs can lead to a more efficient implementation of arithmetization-oriented primitives. We compare the efficiency of ArionHash in the R1CS and Plonk settings with other hash functions such as Poseidon, Anemoi and Griffin. To demonstrate the practical efficiency of ArionHash, we implemented it with the zkSNARK libraries libsnark and Dusk Network Plonk. Our results show that ArionHash is significantly faster than Poseidon, a hash function designed for zero-knowledge proof systems. We also found that an aggressive version of ArionHash is considerably faster than Anemoi and Griffin in a practical zkSNARK setting.
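The CCZ-equivalence point above is easiest to see on a single power map, which is the standard way arithmetization-oriented designs use it. The following Python snippet is an added illustration of that general principle, not code from the Arion paper or its reference implementation, and it does not reproduce Arion's round function. The prime (the 64-bit Goldilocks prime), the exponent search and the sample input are assumptions chosen for the demo; the "cost" is the number of field multiplications in square-and-multiply, used as a proxy for multiplication constraints in R1CS or Plonk.

```python
from math import gcd

# Toy parameter chosen for this illustration (an assumption, not a parameter
# from the Arion paper): the 64-bit "Goldilocks" prime p = 2^64 - 2^32 + 1.
P = 2**64 - 2**32 + 1


def smallest_permutation_exponent(p: int, start: int = 3) -> int:
    """Smallest odd d >= start with gcd(d, p-1) = 1, so x -> x^d permutes F_p."""
    d = start
    while gcd(d, p - 1) != 1:
        d += 2
    return d


def inverse_exponent(d: int, p: int) -> int:
    """e with d*e = 1 mod (p-1); then (x^d)^e = x for all x by Fermat's little theorem."""
    return pow(d, -1, p - 1)


def mults_for_exponent(e: int) -> int:
    """Field multiplications in left-to-right square-and-multiply for x^e:
    one squaring per bit after the leading one, one multiply per other set bit.
    Used here as a proxy for multiplication constraints in R1CS/Plonk."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def prover_witness(x: int, d: int, p: int) -> int:
    """Off-circuit: the prover computes y = x^(1/d) natively. This is the
    expensive direction, but it costs no constraints."""
    return pow(x, inverse_exponent(d, p), p)


def verifier_check(x: int, y: int, d: int, p: int) -> bool:
    """In-circuit: the graph {(x, x^(1/d))} is the graph {(y^d, y)} with the
    coordinates swapped, an affine map of F_p^2, i.e. a CCZ-equivalence.
    So the circuit only enforces y^d == x, costing mults_for_exponent(d)."""
    return pow(y, d, p) == x % p


def constraint_comparison(d: int, p: int) -> tuple:
    """(cost of computing x^(1/d) in-circuit, cost of checking y^d == x)."""
    return mults_for_exponent(inverse_exponent(d, p)), mults_for_exponent(d)


if __name__ == "__main__":
    d = smallest_permutation_exponent(P)
    x = 123456789  # constructed sample input
    y = prover_witness(x, d, P)
    native, ccz = constraint_comparison(d, P)
    print(f"d = {d}, witness check passes: {verifier_check(x, y, d, P)}")
    print(f"in-circuit x^(1/d): {native} mults; check y^d == x: {ccz} mults")
```

The security-relevant caveat is that the swap only preserves soundness because x -> x^d is a bijection: the verifier accepts exactly one y per x, so a malicious prover cannot substitute a different preimage. If gcd(d, p-1) != 1 the map is not a permutation and the cheap check no longer pins down the witness.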