Module L.Anemoi

Helper functions for the Anemoi Hash defined over the scalar field of the BLS12-381 curve.

anemoi_round ~kx ~ky (x0, y0) returns (x1, y1), the result of applying an Anemoi round (parametrized by kx and ky) to the 2-registers state (x0, y0).

In particular, x1 = u + kx + 7 * (v + ky) and y1 = 7 * (u + kx) + 50 * (v + ky) where (u, v) = S-BOX(x0, y0) defined as: u := t + beta * (y0 - t^(1/5))^2 + delta and v := y0 - t^(1/5) where t := x0 - beta * y0^2 - gamma and beta, gamma, delta are system parameters.

anemoi_double_round ~kx1 ~ky1 ~kx2 ~ky2 (x0, y0) returns (x2, y2), the result of applying two Anemoi rounds.

In particular, it is equivalent to anemoi_round ~kx:kx2 ~ky:ky2 (anemoi_round ~kx:kx1 ~ky:ky1 (x0, y0)), but models the necessary constraints with 5 PlonK rows instead of 8.

(Note that anemoi_round requires 4 PlonK rows.)

anemoi_custom ~kx1 ~ky1 ~kx2 ~ky2 (x0, y0) returns (x2, y2), the result of applying two Anemoi rounds.

In particular, it is equivalent to anemoi_round ~kx:kx2 ~ky:ky2 (anemoi_round ~kx:kx1 ~ky:ky1 (x0, y0)), but models the necessary constraints with 2 Plonk rows.

This is possible thanks to our custom gate for Anemoi double rounds.

See Lib_plonk.Hash_gates. Furthermore, the second row is "compatible" with the one after if another Anemoi round follows this one. (Our optimizer would combine such rows in that case).