
IVLS uses Poseidon with hardcoded parameters that are not guaranteed to be secure

Open weikengchen opened this issue 5 years ago • 2 comments

This is the same as https://github.com/arkworks-rs/pcd/issues/1.

IVLS has two instantiations of Merkle trees, one via Poseidon, one via the Bowe-Hopwood variant of Pedersen. The problem with Poseidon, as the post above mentions, is that the parameter is hardcoded regardless of the curve and field. Sometimes, and in some situations, such parameters could be completely insecure.

This, therefore, means that the current repo is for benchmark purposes, and will wait for an upstream end-to-end implementation of a nice Poseidon sponge.

weikengchen, Nov 22 '20 08:11

How do the parameters differ when using the sponge construction? Do the MDS matrix and round constants change with sponges?

Otherwise, why not just generate a bunch of parameters using https://extgit.iaik.tugraz.at/krypto/hadeshash/-/tree/master/code and add them to another repo? Are these parameters compatible here for an arbitrary curve?

drewstone, Feb 10 '21 03:02

First let me link it to the main issue: https://github.com/arkworks-rs/crypto-primitives/issues/95

Basically, the constants will change depending on the curve or the application. And as you mention, either pre-generating a bunch of parameters for different curves inside arkworks, or letting the developers specify their parameters.

weikengchen, Feb 11 '21 08:02
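The issue body and the last comment both make the point that a Poseidon parameter set is tied to the field it was generated for. The following is an added example, not IVLS or arkworks code and not the Poseidon reference generator, of the kind of sanity check a downstream user can run before trusting a hardcoded parameter set in a different field: it verifies that every round constant is actually an element of the target scalar field, that the number of constants matches the round configuration, and that the MDS matrix has the right shape and is invertible over that field. The BN254 and BLS12-381 scalar-field moduli are the well-known values; the round numbers and the constants themselves are constructed for the demonstration and carry no security claim. Invertibility is only a necessary condition: the Poseidon paper's additional MDS checks (e.g. against invariant subspaces) are out of scope here.

```python
from typing import List, Sequence

# Well-known scalar-field moduli. Which one applies depends on the curve the
# Merkle tree is instantiated over, which is exactly why "one hardcoded set
# for every curve" is unsafe.
BN254_SCALAR = 21888242871839275222246405745257275088548364400416034343698204186575808495617
BLS12_381_SCALAR = 52435875175126190479447740508185965837690552500527637822603658699938581184513


def det_mod_p(m: Sequence[Sequence[int]], p: int) -> int:
    """Determinant of a square matrix over GF(p) by Gaussian elimination."""
    n = len(m)
    a = [list(row) for row in m]
    det = 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] % p != 0), None)
        if pivot is None:
            return 0  # no nonzero pivot: singular
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            det = (-det) % p  # row swap flips the sign
        det = det * a[col][col] % p
        inv = pow(a[col][col], -1, p)
        for r in range(col + 1, n):
            f = a[r][col] * inv % p
            if f:
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return det % p


def cauchy_mds(t: int, p: int) -> List[List[int]]:
    """A t x t Cauchy matrix M[i][j] = 1/(x_i + y_j) over GF(p).

    Constructed example: x_i = i, y_j = t + j, so all sums i + t + j are
    distinct per row/column and nonzero for p > 3t, which makes the matrix
    MDS. Note that the entries depend on p, so the matrix is field-specific.
    """
    return [[pow((i + t + j) % p, -1, p) for j in range(t)] for i in range(t)]


def check_poseidon_params(p: int, t: int, full_rounds: int, partial_rounds: int,
                          round_constants: Sequence[int],
                          mds: Sequence[Sequence[int]]) -> List[str]:
    """Return a list of problems found; an empty list means the basic checks pass."""
    problems = []
    expected = (full_rounds + partial_rounds) * t
    if len(round_constants) != expected:
        problems.append(f"expected {expected} round constants, got {len(round_constants)}")
    # A constant generated for a larger field may not be an element of this one.
    oversize = sum(1 for c in round_constants if not 0 <= c < p)
    if oversize:
        problems.append(f"{oversize} round constants are not reduced elements of GF(p)")
    if len(mds) != t or any(len(row) != t for row in mds):
        problems.append(f"MDS matrix is not {t}x{t}")
    elif any(not 0 <= x < p for row in mds for x in row):
        problems.append("MDS entries are not reduced elements of GF(p)")
    elif det_mod_p(mds, p) == 0:
        problems.append("MDS matrix is singular over GF(p)")
    return problems


# Constructed parameter set: width 3, 8 full + 57 partial rounds, with round
# constants drawn from BLS12-381's scalar field. Every constant here is larger
# than BN254's modulus, so reusing the set "as is" on BN254 is caught.
T, R_F, R_P = 3, 8, 57
BLS_CONSTANTS = [(BN254_SCALAR + k) % BLS12_381_SCALAR for k in range(T * (R_F + R_P))]
BLS_MDS = cauchy_mds(T, BLS12_381_SCALAR)


def demo() -> dict:
    return {
        "bls12_381": check_poseidon_params(BLS12_381_SCALAR, T, R_F, R_P, BLS_CONSTANTS, BLS_MDS),
        "bn254": check_poseidon_params(BN254_SCALAR, T, R_F, R_P, BLS_CONSTANTS, BLS_MDS),
    }


if __name__ == "__main__":
    for field, found in demo().items():
        print(field, "OK" if not found else found)
```

Running it reports the BLS12-381 set as passing its own field and lists the out-of-range constants and unreduced MDS entries when the same set is checked against BN254; the real fix, as the thread says, is to generate or supply a parameter set per field rather than to patch one up.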