Abstract
Neptune is a hash function proposed by Grassi et al. at ToSC 2022(3) for Zero-Knowledge (ZK) applications. In this note, we show that the linear layer of Neptune’s external rounds fails to guarantee the maximum growth of the degree, potentially affecting the security of Neptune against algebraic attacks. Here, we formally address this problem, by identifying sufficient conditions that ensure the expected degree growth is maintained.