Arrabbiata: prepare the primitives to absorb the state after committing to it

arrabbiata/src/curve.rs

@@ -9,7 +9,9 @@ use ark_ec::short_weierstrass::{Affine, SWCurveConfig};
 use ark_ff::PrimeField;
 use kimchi::curve::{pallas_endos, vesta_endos};
 use mina_curves::pasta::curves::{pallas::PallasParameters, vesta::VestaParameters};
-use mina_poseidon::{constants::SpongeConstants, poseidon::ArithmeticSpongeParams};
+use mina_poseidon::{
+    constants::SpongeConstants, poseidon::ArithmeticSpongeParams, sponge::DefaultFqSponge, FqSponge,
+};
 use poly_commitment::commitment::{CommitmentCurve, EndoCurve};
 
 #[derive(Clone)]
@@ -63,6 +65,29 @@ where
     /// Return the coefficients `a` and `b` of the equation
     /// `y^2 = x^3 + a x + b` defining the curve.
     fn get_curve_params() -> (Self::BaseField, Self::BaseField);
+
+    /// Create a new sponge, with an empty state (i.e. initialized to zero).
+    fn create_new_sponge() -> DefaultFqSponge<Self::Params, Self::SpongeConstants>;
+
+    /// Absorb an element of the base field into the sponge.
+    ///
+    /// This method is supposed to be an alias to `sponge.absorb_fq(&[fq])`.
+    /// However, it seems that the compiler requests some additional type
+    /// constraints if there is generic code over the trait `ArrabbiataCurve`.
+    fn absorb_fq(
+        sponge: &mut DefaultFqSponge<Self::Params, Self::SpongeConstants>,
+        fq: Self::BaseField,
+    );
+
+    /// Absorb a list of curve points into the sponge.
+    ///
+    /// This method is supposed to be an alias to `sponge.absorb_g(&[gs])`.
+    /// However, it seems that the compiler requests some additional type
+    /// constraints if there is generic code over the trait `ArrabbiataCurve`.
+    fn absorb_curve_points(
+        sponge: &mut DefaultFqSponge<Self::Params, Self::SpongeConstants>,
+        comms: &[Self],
+    );
 }
 
 impl ArrabbiataCurve for Affine<PallasParameters> {
@@ -91,6 +116,26 @@ impl ArrabbiataCurve for Affine<PallasParameters> {
     fn get_curve_params() -> (Self::BaseField, Self::BaseField) {
         (PallasParameters::COEFF_A, PallasParameters::COEFF_B)
     }
+
+    fn create_new_sponge() -> DefaultFqSponge<Self::Params, Self::SpongeConstants> {
+        let sponge: DefaultFqSponge<PallasParameters, PlonkSpongeConstants> =
+            DefaultFqSponge::new(Self::other_curve_sponge_params());
+        sponge
+    }
+
+    fn absorb_fq(
+        sponge: &mut DefaultFqSponge<Self::Params, Self::SpongeConstants>,
+        fq: Self::BaseField,
+    ) {
+        sponge.absorb_fq(&[fq])
+    }
+
+    fn absorb_curve_points(
+        sponge: &mut DefaultFqSponge<Self::Params, Self::SpongeConstants>,
+        comms: &[Self],
+    ) {
+        sponge.absorb_g(comms)
+    }
 }
 
 impl ArrabbiataCurve for Affine<VestaParameters> {
@@ -119,4 +164,24 @@ impl ArrabbiataCurve for Affine<VestaParameters> {
     fn get_curve_params() -> (Self::BaseField, Self::BaseField) {
         (VestaParameters::COEFF_A, VestaParameters::COEFF_B)
     }
+
+    fn create_new_sponge() -> DefaultFqSponge<Self::Params, Self::SpongeConstants> {
+        let sponge: DefaultFqSponge<VestaParameters, PlonkSpongeConstants> =
+            DefaultFqSponge::new(Self::other_curve_sponge_params());
+        sponge
+    }
+
+    fn absorb_fq(
+        sponge: &mut DefaultFqSponge<Self::Params, Self::SpongeConstants>,
+        fq: Self::BaseField,
+    ) {
+        sponge.absorb_fq(&[fq])
+    }
+
+    fn absorb_curve_points(
+        sponge: &mut DefaultFqSponge<Self::Params, Self::SpongeConstants>,
+        comms: &[Self],
+    ) {
+        sponge.absorb_g(comms)
+    }
 }

arrabbiata/src/interpreter.rs

@@ -329,8 +329,8 @@
 //! the messages are kept in an "application environment", located in the
 //! "witness environment". The structure [crate::witness::Env] is used to keep
 //! track of the messages that must be passed.
-//! Each step starts with an "application state" and end with another that are
-//! accumuated. The final state is passed through a "digest" to the next
+//! Each step starts with an "program state" and end with another that is
+//! accumulated. The final state is passed through a "digest" to the next
 //! instance. The digest is performed using a hash function (see [Hash -
 //! Poseidon](#hash---poseidon)). We often use the term "sponge" to refer to the
 //! hash function or the state of the hash function.
@@ -359,7 +359,7 @@
 //! - `Ct_(p, n, i)` for the commitments to the cross-terms of degree `i`.
 //! witness/commitments.
 //! - `u_(p, n)` for the challenge used to homogenize the constraints.
-//! - `o_(p, n)` for the final digest of the application state.
+//! - `o_(p, n)` for the final digest of the sponge state.
 //!
 //! Here a diagram (FIXME: this is not complete) that shows the messages that
 //! must be passed:
@@ -392,10 +392,10 @@
 //! |             Receive in PI                |                                   |
 //! |             --------------               |                                   |
 //! | - Commitments to w_(p, (n - 1))          |                                   |
-//! | - Final digest of the application        |                                   |
+//! | - Final digest of the program            |                                   |
 //! | state at instance (n - 1)                |                                   |
 //! | (o_(q, n - 1)).                          |                                   |
-//! | - Final digest of the application        |                                   |
+//! | - Final digest of the program            |                                   |
 //! | state at instance (n - 2)                |                                   |
 //! | (o_(p, n - 1)).                          |                                   |
 //! |                                          |                                   |

arrabbiata/src/main.rs

@@ -101,11 +101,10 @@ pub fn main() {
             elapsed = start_iteration.elapsed().as_micros()
         );
 
-        // FIXME:
-        // update current instance with the previous "next" commitments (i.e.
-        // env.next_commitments)
-        // update next instance with current commitments
-        // FIXME: Check twice the updated commitments
+        // Commit to the program state.
+        // Depending on the iteration, either E1 or E2 will be used.
+        // The environment will keep the commitments to the program state to
+        // verify and accumulate it at the next iteration.
         env.commit_state();
 
         // FIXME:

arrabbiata/src/witness.rs

@@ -142,8 +142,11 @@ pub struct Env<
     /// The current iteration of the IVC
     pub current_iteration: u64,
 
-    /// A previous hash, encoded in 2 chunks of 128 bits.
-    pub previous_hash: [u128; 2],
+    /// The digest of the last program state, including the cross-terms
+    /// commitments.
+    /// The value is a 128 bits value, to be absorbed to initialize the sponge
+    /// state for both curves.
+    pub last_digest: BigInt,
 
     /// The coin folding combiner will be used to generate the combinaison of
     /// folding instances
@@ -890,7 +893,7 @@ where
             sponge_e1,
             sponge_e2,
             current_iteration: 0,
-            previous_hash: [0; 2],
+            last_digest: BigInt::from(0_u64),
             r: BigInt::from(0_usize),
             // Initialize the temporary accumulators with 0
             temporary_accumulators: (