This PR adds an optional r1cs feature to poseidon377 which lets us do fixed-width hashing in circuit. It also moves us to using the CryptographicSpongeVar trait in both our (out of circuit) proptests and in circuit.
There's a Groth16 proof added in the tests directory that exercises the 1:1 hash, proving knowledge of the hash preimage. The circuit cost is 231 constraints.
Followup: Later on an optimization we can make is to replace the ark-sponge PoseidonSpongeVar::permute method with one that uses the optimized parameter set - see the text in PR #21 for more details and concrete numbers on the savings. This can done as a a drop-in change such that we do not need to modify the API in poseidon377.
Closes https://github.com/penumbra-zone/penumbra/issues/714
This PR adds an optional
r1csfeature toposeidon377which lets us do fixed-width hashing in circuit. It also moves us to using theCryptographicSpongeVartrait in both our (out of circuit) proptests and in circuit.There's a Groth16 proof added in the tests directory that exercises the 1:1 hash, proving knowledge of the hash preimage. The circuit cost is 231 constraints.
Followup: Later on an optimization we can make is to replace the ark-sponge
PoseidonSpongeVar::permutemethod with one that uses the optimized parameter set - see the text in PR #21 for more details and concrete numbers on the savings. This can done as a a drop-in change such that we do not need to modify the API inposeidon377.