Allow the creation of custom Poseidon configs (#212)

* Poseidon custom config

* Clarify the difference between poseidon configs on C1 and C2

Author: winderica

folding-schemes/src/folding/nova/decider.rs

@@ -19,7 +19,7 @@ use crate::folding::traits::{
     CommittedInstanceOps, Dummy, Inputize, InputizeNonNative, WitnessOps,
 };
 use crate::frontend::FCircuit;
-use crate::transcript::poseidon::poseidon_canonical_config;
+use crate::transcript::poseidon::poseidon_custom_config;
 use crate::{Curve, Error};
 use crate::{Decider as DeciderTrait, FoldingScheme};
 
@@ -148,18 +148,32 @@ where
         >>::VerifierParam = vp.into();
         let pp_hash = nova_vp.pp_hash()?;
 
+        let poseidon_config1 = nova_vp.poseidon_config;
+        // Create a poseidon config on `C2`'s scalar field for `circuit2`, with
+        // the same parameters (`full_rounds` etc.) as `circuit1` to ensure the
+        // security level is the same.
+        // Note: `ark` and `mds` will be different because they depend on the
+        // field, but they will not affect the security level.
+        let poseidon_config2 = poseidon_custom_config(
+            poseidon_config1.full_rounds,
+            poseidon_config1.partial_rounds,
+            poseidon_config1.alpha,
+            poseidon_config1.rate,
+            poseidon_config1.capacity,
+        );
+
         let circuit1 = DeciderCircuit1::<C1, C2>::dummy((
             nova_vp.r1cs,
             &nova_vp.cf_r1cs,
-            nova_vp.poseidon_config,
+            poseidon_config1,
             (),
             (),
             state_len,
             2, // Nova's running CommittedInstance contains 2 commitments
         ));
         let circuit2 = DeciderCircuit2::<C2>::dummy((
             nova_vp.cf_r1cs,
-            poseidon_canonical_config::<C2::ScalarField>(),
+            poseidon_config2,
             2, // Nova's running CommittedInstance contains 2 commitments
         ));
 

folding-schemes/src/folding/nova/decider_circuits.rs

@@ -12,16 +12,16 @@ use super::{
     nifs::{nova::NIFS, NIFSTrait},
     CommittedInstance, Nova, Witness,
 };
+use crate::commitment::CommitmentScheme;
 use crate::folding::{circuits::CF1, traits::WitnessOps};
-use crate::frontend::FCircuit;
 use crate::{
     arith::r1cs::{circuits::R1CSMatricesVar, R1CS},
     folding::circuits::decider::{
         off_chain::{GenericOffchainDeciderCircuit1, GenericOffchainDeciderCircuit2},
         EvalGadget, KZGChallengesGadget,
     },
 };
-use crate::{commitment::CommitmentScheme, transcript::poseidon::poseidon_canonical_config};
+use crate::{frontend::FCircuit, transcript::poseidon::poseidon_custom_config};
 use crate::{Curve, Error};
 
 /// Circuit that implements part of the in-circuit checks needed for the offchain verification over
@@ -117,9 +117,18 @@ impl<
     type Error = Error;
 
     fn try_from(nova: Nova<C1, C2, FC, CS1, CS2, H>) -> Result<Self, Error> {
-        // compute the Commitment Scheme challenges of the CycleFold instance commitments, used as
-        // inputs in the circuit
-        let poseidon_config = poseidon_canonical_config::<C2::ScalarField>();
+        // Create a poseidon config on `C2`'s scalar field for `circuit2`, with
+        // the same parameters (`full_rounds` etc.) as `circuit1` to ensure the
+        // security level is the same.
+        // Note: `ark` and `mds` will be different because they depend on the
+        // field, but they will not affect the security level.
+        let poseidon_config = poseidon_custom_config(
+            nova.poseidon_config.full_rounds,
+            nova.poseidon_config.partial_rounds,
+            nova.poseidon_config.alpha,
+            nova.poseidon_config.rate,
+            nova.poseidon_config.capacity,
+        );
         let mut transcript = PoseidonSponge::<C2::ScalarField>::new(&poseidon_config);
         let pp_hash_Fq =
             C2::ScalarField::from_le_bytes_mod_order(&nova.pp_hash.into_bigint().to_bytes_le());

folding-schemes/src/transcript/poseidon.rs

@@ -1,6 +1,8 @@
 use ark_crypto_primitives::sponge::{
     constraints::CryptographicSpongeVar,
-    poseidon::{constraints::PoseidonSpongeVar, PoseidonConfig, PoseidonSponge},
+    poseidon::{
+        constraints::PoseidonSpongeVar, find_poseidon_ark_and_mds, PoseidonConfig, PoseidonSponge,
+    },
     Absorb, CryptographicSponge,
 };
 use ark_ec::{AffineRepr, CurveGroup};
@@ -79,6 +81,25 @@ impl<F: PrimeField> TranscriptVar<F, PoseidonSponge<F>> for PoseidonSpongeVar<F>
     }
 }
 
+/// This Poseidon configuration generator produces a Poseidon configuration with custom parameters
+pub fn poseidon_custom_config<F: PrimeField>(
+    full_rounds: usize,
+    partial_rounds: usize,
+    alpha: u64,
+    rate: usize,
+    capacity: usize,
+) -> PoseidonConfig<F> {
+    let (ark, mds) = find_poseidon_ark_and_mds::<F>(
+        F::MODULUS_BIT_SIZE as u64,
+        rate,
+        full_rounds as u64,
+        partial_rounds as u64,
+        0,
+    );
+
+    PoseidonConfig::new(full_rounds, partial_rounds, alpha, mds, ark, rate, capacity)
+}
+
 /// This Poseidon configuration generator agrees with Circom's Poseidon(4) in the case of BN254's scalar field
 pub fn poseidon_canonical_config<F: PrimeField>() -> PoseidonConfig<F> {
     // 120 bit security target as in
@@ -90,23 +111,7 @@ pub fn poseidon_canonical_config<F: PrimeField>() -> PoseidonConfig<F> {
     let alpha = 5;
     let rate = 4;
 
-    let (ark, mds) = ark_crypto_primitives::sponge::poseidon::find_poseidon_ark_and_mds::<F>(
-        F::MODULUS_BIT_SIZE as u64,
-        rate,
-        full_rounds,
-        partial_rounds,
-        0,
-    );
-
-    PoseidonConfig::new(
-        full_rounds as usize,
-        partial_rounds as usize,
-        alpha,
-        mds,
-        ark,
-        rate,
-        1,
-    )
+    poseidon_custom_config(full_rounds, partial_rounds, alpha, rate, 1)
 }
 
 #[cfg(test)]