diff --git a/poseidon2/src/sponge.rs b/poseidon2/src/sponge.rs index 7184e5888..3cd678c01 100644 --- a/poseidon2/src/sponge.rs +++ b/poseidon2/src/sponge.rs @@ -8,24 +8,18 @@ use zeroize::Zeroize; /// Poseidon2-based Cryptographic Sponge /// -/// # Generic parameters: -/// - N: state size = rate (R) + capacity (C) -/// - R: rate (number of field abosrbed/squeezed) +/// # Parameters: +/// - `N`: State size = rate (R) + capacity (C) +/// - `R`: Rate (number of field elements absorbed/squeezed per operation) /// -/// For security, for b=128-bit security, field size |F|, C*|F|>=2b: -/// i.e. 128-bit for 256-bit fields, C>=1. -/// This check is being down during `Poseidon2Sponge::new(&iv)` -/// (See Poseidon2 paper Page 7 Footnote 5) -/// -/// For BLS12-381, we choose C=1 for 128 security -/// For BN254, we choose C=1 for (100<*<128)-security +/// For 128-bit security, `C * |F| >= 256` (capacity * field size in bits). +/// This is enforced during instantiation (`Poseidon2Sponge::new`). #[derive(Clone, Debug)] -pub struct Poseidon2Sponge> -{ - /// state of sponge +pub struct Poseidon2Sponge> { + /// State of the sponge. pub(crate) state: [F; N], _rate: PhantomData<[(); R]>, - _p: PhantomData

, + _params: PhantomData

, } impl Sponge for Poseidon2Sponge @@ -37,26 +31,29 @@ where const N: usize = N; const R: usize = R; + /// Creates a new Poseidon2 Sponge with an initialization vector. fn new(iv: [u8; 32]) -> Self { - assert!(N >= 2 && R > 0 && N > R); - // For security, for b-bit security, field size |F|, C*|F|>=2b: - // at least 100 security required - assert!((N - R) as u32 * ::MODULUS_BIT_SIZE >= 200); + assert!(N >= 2 && R > 0 && N > R, "Invalid state and rate parameters"); + assert!( + (N - R) as u32 * F::MODULUS_BIT_SIZE >= 200, + "Insufficient capacity for security" + ); - // fill capacity portion with initial vector IV let mut state = [F::default(); N]; state[R] = F::from_be_bytes_mod_order(&iv); Self { state, _rate: PhantomData, - _p: PhantomData, + _params: PhantomData, } } + /// Applies the Poseidon2 permutation to the sponge state. fn permute(&mut self) { Poseidon2::permute_mut::(&mut self.state); } } + impl Default for Poseidon2Sponge where F: PrimeField, @@ -66,7 +63,7 @@ where Self { state: [F::default(); N], _rate: PhantomData, - _p: PhantomData, + _params: PhantomData, } } } @@ -80,6 +77,7 @@ where &self.state } } + impl AsMut<[F]> for Poseidon2Sponge where F: PrimeField, @@ -102,16 +100,13 @@ where #[cfg(feature = "bls12-381")] mod bls12_381 { - #![allow(dead_code)] use super::*; use crate::constants::bls12_381::*; use ark_bls12_381::Fr; use nimue::hash::sponge::DuplexSponge; - /// A sponge over BLS12-381 scalar field, state_size=2, rate=1. + pub type Poseidon2SpongeBlsN2R1 = DuplexSponge>; - /// A sponge over BLS12-381 scalar field, state_size=3, rate=1. pub type Poseidon2SpongeBlsN3R1 = DuplexSponge>; - /// A sponge over BLS12-381 scalar field, state_size=3, rate=2. pub type Poseidon2SpongeBlsN3R2 = DuplexSponge>; #[test] @@ -125,14 +120,12 @@ mod bls12_381 { #[cfg(feature = "bn254")] mod bn254 { - #![allow(dead_code)] use super::*; use crate::constants::bn254::*; use ark_bn254::Fr; use nimue::hash::sponge::DuplexSponge; - /// A sponge over BN254 scalar field, state_size=3, rate=1. + pub type Poseidon2SpongeBnN3R1 = DuplexSponge>; - /// A sponge over BN254 scalar field, state_size=3, rate=2. pub type Poseidon2SpongeBnN3R2 = DuplexSponge>; #[test] @@ -150,48 +143,41 @@ pub(crate) mod tests { use ark_std::vec::Vec; use nimue::{DuplexHash, IOPattern, UnitTranscript}; - // inspired by: - // pub(crate) fn test_sponge>() { let io = IOPattern::::new("test") .absorb(1, "in") .squeeze(2048, "out"); - // prover transcript let mut merlin = io.to_merlin(); - // prover first message (label: "in") merlin.add_units(&[F::from(42u32)]).unwrap(); - let mut merlin_challenges = [F::default(); 2048]; merlin.fill_challenge_units(&mut merlin_challenges).unwrap(); - // verifier transcript let mut arthur = io.to_arthur(merlin.transcript()); - // reading prover's first message labelled "in", since we don't need it, read - // into a one-time throw-away array arthur.fill_next_units(&mut [F::default()]).unwrap(); let mut arthur_challenges = [F::default(); 2048]; arthur.fill_challenge_units(&mut arthur_challenges).unwrap(); - // challenge computed from both sides should be the same assert_eq!(merlin_challenges, arthur_challenges); - // Looking at byte distribution, whether it's close to uniform let chal_bytes: Vec = merlin_challenges .iter() .flat_map(|c| c.into_bigint().to_bytes_le()) .collect(); - let frequencies = (0u8..=255) - .map(|i| chal_bytes.iter().filter(|&&x| x == i).count()) - .collect::>(); - // the expected frequency if it's uniformly random + + let frequencies = compute_byte_frequencies(&chal_bytes); let expected_mean = (F::MODULUS_BIT_SIZE / 8 * 2048 / 256) as usize; + assert!( - frequencies - .iter() - .all(|&x| x < expected_mean * 2 && x > expected_mean / 2), - "Counts for each value shouldn't be too far away from mean: {:?}", + frequencies.iter().all(|&x| x < expected_mean * 2 && x > expected_mean / 2), + "Byte counts deviate significantly from expected mean: {:?}", frequencies ); } + + fn compute_byte_frequencies(bytes: &[u8]) -> Vec { + (0u8..=255) + .map(|i| bytes.iter().filter(|&&x| x == i).count()) + .collect() + } }