Isn't there a better way to compute the number of full and partial rounds? Trying every possible number until they pass the are_secure() method seems a bit suboptimal.
Also, after having looked at the security mod, I see that the lower bound of the number of full rounds decreases when the number of partial rounds increases. If we want to keep using this algorithm, maybe it'd save us some time to start searching with a fixed number of partial rounds (e.g. 200 as above) and look for the first number of full rounds such that it is secure. Then that'd be the right number of full rounds and then we can decrease the number of partial rounds gradually. So instead of a loop in a loop we have a loop after a loop.
Finally, are we sure minimising the number of full rounds is the optimal strategy, i.e., for a given security level, is the implementation with the fewest full rounds the fastest one? In general, how faster is a partial round w.r.t. a full round?
_Originally posted by @SupremoUGH in https://github.com/openzklib/openzl/pull/34#discussion_r1044376446_