Add Sinsemilla gadget

src/circuit/gadget.rs

@@ -1 +1,2 @@
 pub(crate) mod ecc;
+pub(crate) mod sinsemilla;

src/circuit/gadget/sinsemilla.rs

@@ -0,0 +1,36 @@
+//! Gadget and chips for the Sinsemilla hash function.
+use halo2::{
+    arithmetic::CurveAffine,
+    circuit::{Chip, Layouter},
+    plonk::Error,
+};
+
+/// The set of circuit instructions required to use the [`Sinsemilla`](https://zcash.github.io/halo2/design/gadgets/sinsemilla.html) gadget.
+pub trait SinsemillaInstructions<C: CurveAffine>: Chip<Field = C::Base> {
+    type Message: Iterator<Item = bool> + ExactSizeIterator;
+
+    fn extract(point: &C::Curve) -> C::Base;
+
+    #[allow(non_snake_case)]
+    fn Q(domain_prefix: &str) -> C::Curve;
+
+    fn hash_to_point(
+        layouter: &mut impl Layouter<Self>,
+        domain_prefix: &str,
+        message: Self::Message,
+    ) -> Result<C::Curve, Error>;
+
+    fn hash(
+        layouter: &mut impl Layouter<Self>,
+        domain_prefix: &str,
+        message: Self::Message,
+    ) -> Result<C::Base, Error>;
+
+    fn commit(domain_prefix: &str, msg: Self::Message, r: &C::Scalar) -> Result<C::Curve, Error>;
+
+    fn short_commit(
+        domain_prefix: &str,
+        msg: Self::Message,
+        r: &C::Scalar,
+    ) -> Result<C::Base, Error>;
+}

src/primitives/sinsemilla.rs

@@ -8,10 +8,14 @@ use halo2::{
     pasta::pallas,
 };
 
-const GROUP_HASH_Q: &str = "z.cash:SinsemillaQ";
-const GROUP_HASH_S: &str = "z.cash:SinsemillaS";
+/// Domain prefix used in SWU hash-to-curve to generate Q.
+pub const GROUP_HASH_Q: &str = "z.cash:SinsemillaQ";
 
-const K: usize = 10;
+/// Domain prefix used in SWU hash-to-curve to generate S_i's.
+pub const GROUP_HASH_S: &str = "z.cash:SinsemillaS";
+
+/// There are 2^K S_i generators in the Sinsemilla lookup.
+pub const K: usize = 10;
 const C: usize = 253;
 
 fn lebs2ip_32(bits: &[bool]) -> u32 {