feat: Poseidon2 stdlib impl

barretenberg/cpp/src/barretenberg/proof_system/arithmetization/gate_data.hpp

@@ -138,14 +138,21 @@ template <typename FF> struct poseidon2_external_gate_ {
     uint32_t b;
     uint32_t c;
     uint32_t d;
-    uint32_t round_idx;
+    size_t round_idx;
 };
 
 template <typename FF> struct poseidon2_internal_gate_ {
     uint32_t a;
     uint32_t b;
     uint32_t c;
     uint32_t d;
-    uint32_t round_idx;
+    size_t round_idx;
+};
+
+template <typename FF> struct poseidon2_end_gate_ {
+    uint32_t a;
+    uint32_t b;
+    uint32_t c;
+    uint32_t d;
 };
 } // namespace proof_system

barretenberg/cpp/src/barretenberg/proof_system/circuit_builder/goblin_ultra_circuit_builder.cpp

@@ -294,6 +294,29 @@ void GoblinUltraCircuitBuilder_<FF>::create_poseidon2_internal_gate(const poseid
     ++this->num_gates;
 }
 
+template <typename FF> void GoblinUltraCircuitBuilder_<FF>::create_poseidon2_end_gate(const poseidon2_end_gate_<FF>& in)
+{
+    this->w_l.emplace_back(in.a);
+    this->w_r.emplace_back(in.b);
+    this->w_o.emplace_back(in.c);
+    this->w_4.emplace_back(in.d);
+    this->q_m.emplace_back(0);
+    this->q_1.emplace_back(0);
+    this->q_2.emplace_back(0);
+    this->q_3.emplace_back(0);
+    this->q_c.emplace_back(0);
+    this->q_arith.emplace_back(0);
+    this->q_4.emplace_back(0);
+    this->q_sort.emplace_back(0);
+    this->q_lookup_type.emplace_back(0);
+    this->q_elliptic.emplace_back(0);
+    this->q_aux.emplace_back(0);
+    this->q_busread.emplace_back(0);
+    this->q_poseidon2_external.emplace_back(0);
+    this->q_poseidon2_internal.emplace_back(0);
+    ++this->num_gates;
+}
+
 template <typename FF>
 inline FF GoblinUltraCircuitBuilder_<FF>::compute_poseidon2_external_identity(FF q_poseidon2_external_value,
                                                                               FF q_1_value,

barretenberg/cpp/src/barretenberg/proof_system/circuit_builder/goblin_ultra_circuit_builder.hpp

@@ -136,6 +136,7 @@ template <typename FF> class GoblinUltraCircuitBuilder_ : public UltraCircuitBui
     }
     void create_poseidon2_external_gate(const poseidon2_external_gate_<FF>& in);
     void create_poseidon2_internal_gate(const poseidon2_internal_gate_<FF>& in);
+    void create_poseidon2_end_gate(const poseidon2_end_gate_<FF>& in);
 
     FF compute_poseidon2_external_identity(FF q_poseidon2_external_value,
                                            FF q_1_value,

barretenberg/cpp/src/barretenberg/stdlib/hash/CMakeLists.txt

@@ -3,4 +3,5 @@ add_subdirectory(blake3s)
 add_subdirectory(pedersen)
 add_subdirectory(sha256)
 add_subdirectory(keccak)
-add_subdirectory(benchmarks)
+add_subdirectory(benchmarks)
+add_subdirectory(poseidon2)

barretenberg/cpp/src/barretenberg/stdlib/hash/poseidon2/CMakeLists.txt

@@ -0,0 +1 @@
+barretenberg_module(stdlib_poseidon2_hash stdlib_primitives)

barretenberg/cpp/src/barretenberg/stdlib/hash/poseidon2/poseidon2.cpp

@@ -0,0 +1,56 @@
+#include "barretenberg/stdlib/hash/poseidon2/poseidon2.hpp"
+#include "barretenberg/ecc/curves/grumpkin/grumpkin.hpp"
+namespace proof_system::plonk::stdlib {
+
+using namespace barretenberg;
+using namespace proof_system;
+
+template <typename C> field_t<C> poseidon2_hash<C>::hash(const std::vector<field_t>& inputs)
+{
+
+    /* Run the sponge by absorbing all the input and squeezing one output.
+     * This should just call the sponge variable length hash function
+     *
+     */
+    auto input{ inputs };
+    return Sponge::hash_fixed_length(input);
+}
+
+/**
+ * Hash a byte_array.
+ *
+ */
+template <typename C> field_t<C> poseidon2_hash<C>::hash_buffer(const stdlib::byte_array<C>& input)
+{
+    const size_t num_bytes = input.size();
+    const size_t bytes_per_element = 31;
+    size_t num_elements = static_cast<size_t>(num_bytes % bytes_per_element != 0) + (num_bytes / bytes_per_element);
+
+    std::vector<field_t> elements;
+    for (size_t i = 0; i < num_elements; ++i) {
+        size_t bytes_to_slice = 0;
+        if (i == num_elements - 1) {
+            bytes_to_slice = num_bytes - (i * bytes_per_element);
+        } else {
+            bytes_to_slice = bytes_per_element;
+        }
+        auto element = static_cast<field_t>(input.slice(i * bytes_per_element, bytes_to_slice));
+        elements.emplace_back(element);
+    }
+    for (auto& x : elements) {
+        std::cout << x << std::endl;
+    }
+    field_t hashed;
+    if (elements.size() < 2) {
+        hashed = hash(elements);
+    } else {
+        hashed = hash({ elements[0], elements[1] });
+        for (size_t i = 2; i < elements.size(); ++i) {
+            hashed = hash({ hashed, elements[i] });
+        }
+    }
+    return hashed;
+}
+template class poseidon2_hash<proof_system::GoblinUltraCircuitBuilder>;
+
+} // namespace proof_system::plonk::stdlib

barretenberg/cpp/src/barretenberg/stdlib/hash/poseidon2/poseidon2.hpp

@@ -0,0 +1,34 @@
+#pragma once
+#include "barretenberg/crypto/poseidon2/poseidon2_params.hpp"
+#include "barretenberg/stdlib/hash/poseidon2/sponge/sponge.hpp"
+#include "barretenberg/stdlib/primitives/byte_array/byte_array.hpp"
+#include "barretenberg/stdlib/primitives/field/field.hpp"
+
+#include "../../primitives/circuit_builders/circuit_builders.hpp"
+
+namespace proof_system::plonk::stdlib {
+
+using namespace barretenberg;
+/**
+ * @brief stdlib class that evaluates in-circuit poseidon2 hashes, consistent with behavior in
+ * crypto::poseidon2_hash
+ *
+ * @tparam Builder
+ */
+template <typename Builder> class poseidon2_hash {
+
+  private:
+    using field_t = stdlib::field_t<Builder>;
+    using bool_t = stdlib::bool_t<Builder>;
+    using Params = crypto::Poseidon2Bn254ScalarFieldParams;
+    using Permutation = Poseidon2Permutation<Params, Builder>;
+    using Sponge = FieldSponge<Params::t - 1, 1, Params::t, Permutation, Builder>;
+
+  public:
+    static field_t hash(const std::vector<field_t>& in);
+    static field_t hash_buffer(const stdlib::byte_array<Builder>& input);
+};
+
+extern template class poseidon2_hash<proof_system::GoblinUltraCircuitBuilder>;
+
+} // namespace proof_system::plonk::stdlib

barretenberg/cpp/src/barretenberg/stdlib/hash/poseidon2/poseidon2_permutation.hpp

@@ -0,0 +1,112 @@
+#pragma once
+#include <array>
+#include <cstddef>
+#include <cstdint>
+
+#include "barretenberg/crypto/poseidon2/poseidon2_permutation.hpp"
+#include "barretenberg/proof_system/arithmetization/gate_data.hpp"
+#include "barretenberg/stdlib/primitives/field/field.hpp"
+
+namespace proof_system::plonk::stdlib {
+
+using namespace proof_system;
+template <typename Params, typename Builder> class Poseidon2Permutation {
+  public:
+    using NativePermutation = crypto::Poseidon2Permutation<Params>;
+    // t = sponge permutation size (in field elements)
+    // t = rate + capacity
+    // capacity = 1 field element (256 bits)
+    // rate = number of field elements that can be compressed per permutation
+    static constexpr size_t t = Params::t;
+    // d = degree of s-box polynomials. For a given field, `d` is the smallest element of `p` such that gdc(d, p - 1) =
+    // 1 (excluding 1) For bn254/grumpkin, d = 5
+    static constexpr size_t d = Params::d;
+    // sbox size = number of bits in p
+    static constexpr size_t sbox_size = Params::sbox_size;
+    // number of full sbox rounds
+    static constexpr size_t rounds_f = Params::rounds_f;
+    // number of partial sbox rounds
+    static constexpr size_t rounds_p = Params::rounds_p;
+    static constexpr size_t NUM_ROUNDS = Params::rounds_f + Params::rounds_p;
+
+    using FF = typename Params::FF;
+    using State = std::array<field_t<Builder>, t>;
+    using NativeState = std::array<FF, t>;
+
+    using RoundConstants = std::array<FF, t>;
+    using RoundConstantsContainer = std::array<RoundConstants, NUM_ROUNDS>;
+    static constexpr RoundConstantsContainer round_constants = Params::round_constants;
+    static State permutation(const State& input)
+    {
+        Builder* ctx = input[0].get_context();
+        assert(ctx != nullptr);
+        // deep copy
+        State current_state(input);
+        NativeState current_native_state;
+        for (size_t i = 0; i < t; ++i) {
+            current_native_state[i] = current_state[i].get_value();
+        }
+
+        // Apply 1st linear layer
+        NativePermutation::matrix_multiplication_external(current_native_state);
+
+        constexpr size_t rounds_f_beginning = rounds_f / 2;
+        for (size_t i = 0; i < rounds_f_beginning; ++i) {
+            poseidon2_external_gate_<FF> in{ current_state[0].witness_index,
+                                             current_state[1].witness_index,
+                                             current_state[2].witness_index,
+                                             current_state[3].witness_index,
+                                             i };
+            ctx->create_poseidon2_external_gate(in);
+            // calculate the new witnesses
+            NativePermutation::add_round_constants(current_native_state, round_constants[i]);
+            NativePermutation::apply_sbox(current_native_state);
+            NativePermutation::matrix_multiplication_external(current_native_state);
+            for (size_t j = 0; j < t; ++j) {
+                current_state[j] = field_t<Builder>(ctx, current_native_state[j]);
+            }
+        }
+
+        const size_t p_end = rounds_f_beginning + rounds_p;
+        for (size_t i = rounds_f_beginning; i < p_end; ++i) {
+            poseidon2_internal_gate_<FF> in{ current_state[0].witness_index,
+                                             current_state[1].witness_index,
+                                             current_state[2].witness_index,
+                                             current_state[3].witness_index,
+                                             i };
+            ctx->create_poseidon2_internal_gate(in);
+            current_native_state[0] += round_constants[i][0];
+            NativePermutation::apply_single_sbox(current_native_state[0]);
+            NativePermutation::matrix_multiplication_internal(current_native_state);
+            for (size_t j = 0; j < t; ++j) {
+                current_state[j] = field_t<Builder>(ctx, current_native_state[j]);
+            }
+        }
+
+        for (size_t i = p_end; i < NUM_ROUNDS; ++i) {
+            poseidon2_external_gate_<FF> in{ current_state[0].witness_index,
+                                             current_state[1].witness_index,
+                                             current_state[2].witness_index,
+                                             current_state[3].witness_index,
+                                             i };
+            ctx->create_poseidon2_external_gate(in);
+            // calculate the new witnesses
+            NativePermutation::add_round_constants(current_native_state, round_constants[i]);
+            NativePermutation::apply_sbox(current_native_state);
+            NativePermutation::matrix_multiplication_external(current_native_state);
+            for (size_t j = 0; j < t; ++j) {
+                current_state[j] = field_t<Builder>(ctx, current_native_state[j]);
+            }
+        }
+        // need to add an extra row here to ensure that things check out
+        poseidon2_end_gate_<FF> in{
+            current_state[0].witness_index,
+            current_state[1].witness_index,
+            current_state[2].witness_index,
+            current_state[3].witness_index,
+        };
+        ctx->create_poseidon2_end_gate(in);
+        return current_state;
+    }
+};
+} // namespace proof_system::plonk::stdlib