Weikeng Chen

Results 288 comments of Weikeng Chen

Benchmark result after applying it to arkworks-rs. BN254 Fr mult: 1438 -> 74, 19x improvement BN254 Fr modinv: 114175 -> 215, 531x improvement BN254 Fr modsqrt: 661709 -> 2743, 241x...

So, the current implementation in this repo should be considered for benchmarking purposes only, though it is due to the upstream.

Some factoring result of p-1 for the MNT4/6-298/753. Factors > 100 are denoted by R. It shows that choosing \alpha=17 is okay for these curves. ----------------------- MNT4/6-298 475922286169261325753349249653048451545124878552823515553267735739164647307408490559963137 = 2^34...
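The check that this factorization of p-1 is serving, as an added example (this is not the author's code and not arkworks-rs code): a Poseidon S-box x -> x^alpha is a permutation of F_p exactly when gcd(alpha, p-1) = 1, so every prime factor of p-1 is ruled out as an exponent, which is why factoring p-1 answers whether alpha=17 is usable. The modulus below is the one quoted in the comment above for MNT4/6-298 and is assumed here to be the field prime p; the constant name and helper names are this example's own. It also computes the inverse S-box exponent and the power-of-two factor of p-1, and confirms the gcd criterion against exhaustive enumeration on a toy prime.

```python
from math import gcd

# Field modulus quoted in the comment above for MNT4/6-298 (assumed here to be the
# prime p whose p - 1 the comment factors; the constant name is this example's own).
MNT_298_P = 475922286169261325753349249653048451545124878552823515553267735739164647307408490559963137


def sbox_is_permutation(alpha: int, p: int) -> bool:
    """x -> x^alpha permutes the prime field F_p exactly when gcd(alpha, p - 1) == 1.

    This is the condition the p - 1 factorization is checking: any prime factor of
    p - 1 is ruled out as an S-box exponent.
    """
    return gcd(alpha, p - 1) == 1


def smallest_permutation_exponent(p: int, start: int = 3) -> int:
    """Smallest odd alpha >= start that is a permutation exponent for F_p."""
    alpha = start if start % 2 == 1 else start + 1
    while not sbox_is_permutation(alpha, p):
        alpha += 2
    return alpha


def inverse_exponent(alpha: int, p: int) -> int:
    """Exponent of the inverse S-box: alpha^-1 mod (p - 1), so (x^alpha)^inv == x."""
    if not sbox_is_permutation(alpha, p):
        raise ValueError(f"x^{alpha} is not a permutation of F_p")
    return pow(alpha, -1, p - 1)  # Python 3.8+ modular inverse


def two_adicity(n: int) -> int:
    """Exponent of the largest power of two dividing n (the 2^k factor of p - 1)."""
    v = 0
    while n % 2 == 0:
        n //= 2
        v += 1
    return v


def brute_force_is_permutation(alpha: int, p: int) -> bool:
    """Direct check for tiny p: enumerate the image of x -> x^alpha and count it."""
    return len({pow(x, alpha, p) for x in range(p)}) == p


if __name__ == "__main__":
    p = MNT_298_P
    print("2-adicity of p - 1:", two_adicity(p - 1))
    for alpha in (3, 5, 7, 11, 13, 17):
        print(f"alpha={alpha:2d} permutation: {sbox_is_permutation(alpha, p)}")
    # The gcd criterion agrees with exhaustive enumeration on a toy prime.
    for alpha in (3, 5, 7):
        assert brute_force_is_permutation(alpha, 101) == sbox_is_permutation(alpha, 101)
```

For this modulus alpha=3 is excluded (3 divides p-1) while alpha=5 and alpha=17 both pass, so the gcd test alone does not single out 17; the choice between admissible exponents is driven by round counts and constraint cost, as the later comment about `pow_by_constant` notes.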

So, ideally, the next step to boost the security is: - change the partial rounds from 29 to 31, which would match the official parameter search script, for providing 128-bit...

By the way, the current choice of \alpha = 17 by @ValarDragon is smart. It has few constraints for `pow_by_constant` and also reduces the number of rounds needed for security....

The number of partial rounds has been increased to 31, and the round constants are now generated via a PRNG with a hardcoded seed. This is still not good enough....

Yes. Citing a related issue in `sponge` about a more formal treatment: https://github.com/arkworks-rs/crypto-primitives/issues/95

We will need to examine the changes in this PR further and likely consider adding a Poseidon duplex wrapper that is less "raw" than what arkworks-rs currently has. I agree...

Feel free to apply to the constraints implementations.

Starting from the tests, there are still a lot of dependencies not yet fixed. Is there any likelihood of fixing them? I committed some fixes. I think the main question...