feat(stdlib): Implement Poseidon hash

[ax0]

Related issue(s)

Resolves #387

Description

This PR implements the Poseidon hash function. It is exposed in the form of a permutation function (hash::poseidon::permute) for fixed-length and an absorption function (hash::poseidon::absorb) for variable-length inputs. Both functions take the usual parameters as inputs in addition to the input state. Instantiations are provided for fixed length inputs of length 2 to 17 as hash::poseidon::bn254::perm::x5_2, ..., hash::poseidon::bn254::perm::x5_17 for the field size currently used, which are in agreement with those used by Circom. A sponge function hash::poseidon::bn254::sponge is provided for variable-length inputs in accordance with a suggested application in §3 of the paper .

Summary of changes

Addition of Poseidon hash under noir_stdlib/src/hash with corresponding declaration in hash.nr

Dependency additions / changes

Test additions / changes

Two test cases under nargo/tests/test_data, separated into permutation tests and a sponge test. The former test agrees with Circom's tests and the latter may be verified in Arkworks using appropriate incantations of absorb and squeeze_field_elements. These cases are also listed in the config.toml.

Checklist

• I have tested the changes locally.
• I have formatted the changes with Prettier and/or cargo fmt with default settings.
• I have linked this PR to the issue(s) that it resolves.
• I have reviewed the changes on GitHub, line by line.
• I have ensured all changes are covered in the description.
• This PR requires documentation updates when merged.

Additional context

[guipublic]

Thank you for this submission, I have added my comments below.

[jfecher]

Some quick style suggestions

[guipublic]

Looks good, I just have a few comments.

[ax0]

Thanks for the comments. I've incorporated your changes.

A couple of things worth noting:

• The poseidonperm_x5_254 test's proof is successfully generated but verification fails (cf. CI).
• The poseidonsponge_x5_254 test no longer terminates with the unoptimised sponge function in there, at least not within 30 minutes. Curiously enough, if I revert f329379, it does terminate within 2-3 minutes.

[guipublic]

It fine for me.
The verification seems to be failing, which could be due to an existing issue.

[kevaundray]

@ax0 Thank you for the PR and for your patience in getting it merged. It's very much appreciated :)