Rescue Hash is a zk-friendly cryptographic hash function, meaning it is optimized for efficiency within zero-knowledge proof (ZKP) and validity proof systems like STARKs and SNARKs. Unlike traditional hash functions such as SHA-256, its mathematical operations are designed to be easily representable as arithmetic circuits, which drastically reduces the computational overhead of generating proofs about hashed data. This makes it a core primitive for blockchain scalability solutions like zkRollups and privacy-preserving applications.
LABS
Glossary
Rescue Hash
Rescue Hash is an arithmetization-friendly cryptographic hash function designed for optimal performance within zero-knowledge proof circuits operating over large prime fields.
Chainscore © 2026
definition
CRYPTOGRAPHIC PRIMITIVE
What is Rescue Hash?
Rescue Hash is a cryptographic hash function designed specifically for zero-knowledge proof (ZKP) systems, offering high performance and security in proof generation.
The function is built upon the Rescue-Prime algorithm, a sponge construction that operates over a prime field. Its design uses a set of carefully chosen operations—including non-linear S-boxes and linear layers—that are efficient in fields commonly used in ZK proofs (e.g., the Goldilocks field). This contrasts with hash functions that rely on binary operations, which are notoriously expensive to prove in ZK. The result is a hash that is both provably secure against known cryptanalytic attacks and orders of magnitude faster to use within a proving system.
A primary application of Rescue Hash is in STARK-based systems, such as those developed by StarkWare. Here, it functions as the Merkle tree hash for committing to large batches of transactions in a zkRollup, enabling high-throughput and low-cost settlements on a layer 1 blockchain like Ethereum. Its efficiency is critical for keeping proof generation times and costs manageable, which is essential for the practical deployment of layer 2 scaling solutions.
When comparing hash functions, Poseidon is another major zk-friendly alternative. While both are designed for similar use cases, they differ in their underlying mathematical approaches and parameter choices. The selection between Rescue, Poseidon, or other functions often depends on the specific proof system, the chosen elliptic curve, and the required balance between proof generation speed, verification cost, and security parameters within a given protocol's architecture.
how-it-works
CRYPTOGRAPHIC PRIMITIVE
How Rescue Hash Works
Rescue is a cryptographic hash function designed specifically for zero-knowledge proof systems, offering high performance in arithmetic circuits.
The Rescue hash function is a zk-friendly cryptographic primitive built on the Sponge construction, similar to SHA-3, but optimized for operations in finite fields used by zero-knowledge proof (ZKP) systems like STARKs. Its core innovation is using non-linear operations that are efficient to compute and verify within the constraints of an arithmetic circuit, making it significantly faster than traditional hash functions like SHA-256 in a ZKP context. This efficiency is critical for applications such as ZK-Rollups and private transactions, where proof generation speed directly impacts scalability and cost.
At its heart, Rescue operates over a prime field and employs a series of rounds, each consisting of a non-linear layer and a linear layer. The non-linear layer uses power maps (like x^α) that are carefully chosen to be invertible and efficient in the target field. The linear layer applies an MDS (Maximum Distance Separable) matrix to provide diffusion, ensuring that a small change in the input propagates throughout the entire state. This combination creates a secure permutation that is resistant to cryptanalysis while remaining arithmetization-friendly.
The design parameters of Rescue, such as the alpha exponent, state size, and number of rounds, are selected based on security proofs and performance requirements for a given field. For instance, a common instantiation uses a state of 12 field elements and α=5. Its security is analyzed in the algebraic group model, providing confidence in its resilience against attacks like Gröbner basis analysis, which are particularly relevant in the ZKP setting where adversaries can exploit the algebraic structure.
In practice, Rescue enables the efficient construction of Merkle trees and commitment schemes within ZKPs. For example, a STARK-based rollup might use a Rescue-based Merkle tree to commit to a batch of transactions. The prover can then generate a proof that they know a valid Merkle path without revealing the underlying data. Compared to using a Pedersen hash or Poseidon, Rescue often provides a different trade-off between constraint count and security, making it a versatile tool in the cryptographer's toolkit for designing scalable blockchain protocols.
key-features
CRYPTOGRAPHIC PRIMITIVE
Key Features of Rescue Hash
Rescue is a cryptographic hash function and permutation designed for zero-knowledge proof systems, offering high efficiency in arithmetic circuits.
01
Arithmetic Hash Function
Rescue is a hash function designed over prime fields, making its operations—addition, multiplication, and exponentiation—native to the arithmetic circuits used in ZK-SNARKs and ZK-STARKs. This eliminates the need for expensive bitwise operations required by traditional hash functions like SHA-256, drastically improving prover efficiency.
02
Sponge Construction
Rescue employs a sponge construction, absorbing input data and squeezing out a fixed-length digest. This mode allows it to be used for:
- Hashing arbitrary-length messages.
- Building Merkle trees (as a compression function).
- Generating pseudorandom numbers for proof systems. Its duplex sponge mode enables efficient authenticated encryption and other advanced protocols.
03
Rescue-Prime & Alpha
The core of Rescue is the Rescue-Prime permutation, built using a set of S-boxes (substitution boxes). The non-linear layer uses a power map, x^α, where α is a small, carefully chosen integer (often 3 or 5) that is invertible modulo the field's prime. This provides security while maintaining efficiency in large prime fields.
04
ZK-Native Performance
Rescue is optimized for the constraints of zero-knowledge virtual machines (VMs). Benchmarks in frameworks like Cairo (StarkNet) and zkEVM circuits show Rescue requires ~100x fewer constraints than SHA-256. This makes it the preferred choice for on-chain verification of hashes in ZK-rollups and privacy applications.
05
Security & Cryptanalysis
Rescue's security is based on the Marvellous design strategy, providing provable security against algebraic attacks. It is designed to be resistant to:
- Gröbner basis attacks.
- Statistical attacks like differential and linear cryptanalysis. Its security level is typically targeted at 128 bits or higher, commensurate with the underlying field size.
06
Implementation & Adoption
Rescue is implemented in several major ZK toolkits and ecosystems. Key implementations include:
- The StarkWare ecosystem (Cairo standard library).
- zkSync Era for Merkle tree hashing.
- The Plonky2 proof system by Polygon Zero. Its design is public domain, facilitating broad audit and adoption within the ZK research community.
design-rationale
RESCUE HASH
Design Rationale and Arithmetization
An overview of the design principles and mathematical underpinnings of the Rescue hash function, a key component in modern zero-knowledge proof systems.
The Rescue hash function is a cryptographic primitive specifically designed for zero-knowledge proof (ZKP) and STARK systems, prioritizing efficiency in arithmetic circuits over traditional binary fields. Unlike SHA-256 or Keccak, which are optimized for software and hardware on binary data, Rescue operates directly over prime fields (like the STARK-friendly prime field), making its operations—addition, multiplication, and inversion—native to the proof system's arithmetic. This design eliminates the need for costly bitwise operations within a proof, dramatically reducing the number of constraints and computational overhead during proof generation and verification.
Its core security and efficiency stem from a sponge construction and a permutation built from a set of low-degree power maps (e.g., x^α and x^{1/α}) and MDS matrices. The carefully chosen alpha exponent (commonly 3 or 5) and its inverse create a permutation that is both algebraically simple—keeping the constraint count low—and cryptographically robust, providing resistance against known attacks like Gröbner basis analysis. The use of an MDS matrix ensures strong diffusion, spreading the influence of each input bit across the entire state. This combination results in a function that is ZK-friendly, meaning it minimizes the prover's work while maintaining the required security guarantees for applications like Merkle tree commitments and digital signatures within ZK rollups.
The arithmetization of Rescue—translating its algorithm into a set of polynomial constraints for a proof system—is exceptionally clean. Each round of the permutation translates into a fixed set of arithmetic operations (additions and multiplications) that map directly to R1CS or AIR constraints without complex decompositions. This property makes Rescue a prime example of algebraic hash function design, where the entire cryptographic specification is expressed in the language of finite field arithmetic that proof systems natively understand. Its performance is benchmarked by metrics such as constraint count and multiplicative complexity, where it consistently outperforms adaptations of traditional hashes in ZK contexts.
In practical deployment, Rescue is often instantiated with parameters like Rescue-Prime, which fine-tunes the round count and constants for a specific security level and field. It forms the backbone of several production systems, including the zkSync rollup and the StarkWare ecosystem, where it hashes transaction data and state roots. Its design rationale represents a paradigm shift: instead of adapting general-purpose cryptography to ZK, it builds cryptography from the ground up with the proof system's arithmetic circuit as the primary computational model, optimizing for the prover's most expensive operations.
ecosystem-usage
RESCUE HASH
Ecosystem Usage and Protocols
A Rescue Hash is a cryptographic commitment used to securely and trustlessly recover funds from a failed or unresponsive cross-chain transaction. It is a core component of protocols implementing atomic commit-reveal schemes.
01
Core Mechanism: Commit-Reveal Scheme
The Rescue Hash enables a commit-reveal protocol for cross-chain messaging. A sender first commits to a secret by publishing its hash (the Rescue Hash) on the destination chain. To complete the transaction, they must later reveal the original secret (pre-image). If they fail to reveal, a rescuer can use the same secret to claim the funds, preventing them from being permanently locked. This creates a cryptographic guarantee that funds are always recoverable.
02
Primary Use Case: Cross-Chain Bridges
Rescue Hashes are fundamental to certain cross-chain bridge designs, like Chainscore's architecture. They solve the "lost transaction" problem where a user's funds are locked on the source chain but the corresponding action on the destination chain fails or is delayed. By requiring a Rescue Hash, the protocol ensures a fallback execution path exists, making the bridge operation atomic—it either fully succeeds or funds can be fully recovered.
03
The Rescue Transaction
A rescue is a permissionless transaction anyone can execute. The rescuer must:
- Observe a committed Rescue Hash on-chain.
- Possess or discover the corresponding secret pre-image.
- Submit a transaction calling the rescue function, providing the pre-image as proof. Upon successful verification, the locked funds are transferred to the rescuer as a reward. This creates a economic incentive for network participants to keep the system solvent and funds flowing.
04
Security & Cryptographic Guarantees
The security relies on the properties of cryptographic hash functions (like SHA-256 or Keccak).
- Pre-image Resistance: It is computationally infeasible to derive the secret from the Rescue Hash.
- Deterministic: The same secret always generates the same hash, allowing verification. This ensures only the original sender or someone they've shared the secret with can initially complete the transaction, while preventing anyone from front-running or guessing the rescue claim.
05
Contrast with Other Recovery Methods
Rescue Hashes provide a distinct, automated alternative to common recovery mechanisms:
- vs. Multi-sig Guardians: No trusted committee is needed; recovery is permissionless and algorithmic.
- vs. Timelocks: Funds aren't automatically released after a delay; they require active proof-of-knowledge, preventing unnecessary state bloat.
- vs. Escrow Services: Eliminates third-party custodial risk and counterparty trust. This makes it a non-custodial and verifiably secure primitive.
06
Protocol Implementation Example
In a practical bridge implementation, the flow is:
- Commit: User initiates transfer, protocol generates a secret and posts its hash (Rescue Hash) to the destination chain contract.
- Fulfill: User reveals secret to claim funds on destination chain within a set period.
- Rescue: If the user doesn't fulfill, any external party can submit the secret, claim the funds, and receive a portion as a rescue reward. The specific parameters (time window, reward percentage) are defined in the protocol's smart contract logic.
PERFORMANCE & DESIGN
Comparison with Other ZK-Friendly Hashes
A technical comparison of Rescue's core cryptographic properties against other hash functions commonly used in zero-knowledge proof systems.
| Feature / Metric | Rescue | Poseidon | SHA-256 |
|---|---|---|---|
Primary Design Goal | Arithmetic circuit efficiency | Arithmetic circuit efficiency | Cryptographic security |
Native Field | Prime field (e.g., Fp) | Prime field (e.g., Fp) | Binary field (F2) |
Proof Friendliness | |||
S-Box Type | Power map (x^α) | x^5 / x^{-1} | Bitwise operations |
Rounds (for 128-bit security) | 8-10 | 8-12 | 64 |
Constraint Count (approx.) | Low | Very Low | Very High |
Standardization Status | Academic proposal | De facto standard | NIST standard |
security-considerations
RESCUE HASH
Security Considerations
A Rescue Hash is a cryptographic commitment used in blockchain protocols to enable secure, permissionless recovery of assets from a compromised or lost wallet. This section details its core security mechanisms and operational risks.
01
Core Security Mechanism
The Rescue Hash is a cryptographic commitment (typically a hash) of a recovery secret, stored on-chain. Recovery is permissionless, triggered by anyone who can provide the pre-image (the original secret) that matches this hash. This creates a time-locked escape hatch that is cryptographically secure and does not rely on trusted intermediaries.
02
Primary Threat: Hash Pre-image Discovery
The fundamental security of the system rests on the pre-image resistance of the hash function (e.g., SHA-256, Keccak). If an attacker can reverse-engineer or brute-force the original secret from the public hash, they can trigger the recovery and steal the assets. The secret must have sufficient entropy (randomness) to make such an attack computationally infeasible.
03
Operational Risk: Secret Management
Security shifts from key custody to secret custody. The user must securely generate, store, and eventually use the recovery secret. Risks include:
- Loss: Losing the secret renders the rescue mechanism useless.
- Leakage: If the secret is exposed before the rescue is needed, an attacker can pre-compute the trigger.
- Insecure Generation: Using weak randomness or predictable secrets compromises the entire scheme.
04
Rescue Window & Finality Risks
Rescue mechanisms often include a challenge period or time delay between the rescue transaction and asset release. This introduces risks:
- Race Conditions: A malicious actor could front-run a legitimate rescue attempt.
- Network Congestion: High gas fees or network outages could prevent a timely counter-response during the challenge window.
- Reorg Attacks: Blockchain reorganizations could alter the state after a rescue is broadcast but before it finalizes.
05
Integration & Smart Contract Risk
The rescue logic is implemented in a smart contract. Its security depends on:
- Code Audits: Flaws in the contract code could allow bypassing the hash check or stealing funds.
- Upgradability: If the contract is upgradeable, management keys could change the rescue logic.
- Cross-Chain Bridges: When used in cross-chain contexts, risks compound with the bridge's security model and any trusted assumptions.
06
Comparison to Multi-Sig & Social Recovery
Contrasts with other recovery models:
- vs. Multi-Sig: Rescue Hash is permissionless and single-factor (one secret); multi-sig is permissioned and multi-factor (multiple signatures). Rescue Hash avoids trust in specific signers but has no inherent fraud detection.
- vs. Social Recovery: Social recovery (e.g., Ethereum's ERC-4337) uses a trusted group of guardians. Rescue Hash is entirely self-custodied, eliminating social trust but increasing personal responsibility for secret security.
RESCUE HASH
Frequently Asked Questions (FAQ)
Answers to common technical questions about the Rescue hash function, its cryptographic properties, and its application in blockchain systems like StarkNet.
Rescue is a zero-knowledge (ZK) friendly cryptographic hash function designed for efficient computation within STARK and SNARK proof systems. It operates as a sponge construction using a permutation function built on ARK (Add-Round Key) and MDS (Maximum Distance Separable) matrices over a prime field. Its core innovation is using a non-linear layer based on power maps (like x^α) that are efficient in the arithmetic circuits of ZK proofs, unlike traditional hash functions like SHA-256 which rely on bitwise operations. This makes Rescue exceptionally fast for proving statements about hashed data in a zero-knowledge context.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall