poseidon128.aa

(module
    (field prime 340282366920938463463374607393113505793)
    (const $alpha scalar 5)
    (const $mds matrix
        (214709430312099715322788202694750992687  54066244720673262921467176400601950806 122144641489288436529811410313120680228)
        ( 83122512782280758906222839313578703456 163244785834732434882219275190570945140  65865044136286518938950810559808473518)
        ( 12333142678723890553278650076570367543 308304933036173868454178201249080175007  76915505462549994902479959396659996669))
    (function $poseidonRound
        (result vector 3)
        (param $state vector 3) (param $roundKeys vector 3) (param $isFullRound scalar)
        (local $fullRound vector 3) (local $partRound vector 3)
        (store.local $fullRound
            (prod
                (load.const $mds)
                (exp
                    (add (load.param $state) (load.param $roundKeys))
                    (load.const $alpha))))
        (store.local $partRound
            (prod
                (load.const $mds)
                (vector
                    (add 
                        (slice (load.param $state) 0 1)
                        (slice (load.param $roundKeys) 0 1))
                    (exp
                        (add (get (load.param $state) 2) (get (load.param $roundKeys) 2))
                        (load.const $alpha)))))
        (add
            (mul (load.local $fullRound) (load.param $isFullRound))
            (mul (load.local $partRound) (sub (scalar 1)  (load.param $isFullRound)))))
    (export Poseidon
        (registers 3) (constraints 3) (steps 64)
        (static
            (input secret (steps 64) (shift -1))
            (input secret (steps 64) (shift -1))
            (mask (input 0))
            (cycle 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0)
            (cycle (prng sha256 0x486164657331 64))
            (cycle (prng sha256 0x486164657332 64))
            (cycle (prng sha256 0x486164657333 64)))
        (init
            (vector (slice (load.static 0) 0 1) (scalar 0)))
        (transition
            (local vector 3)
            (store.local 0
                (call $poseidonRound (load.trace 0) (slice (load.static 0) 4 6) (get (load.static 0) 3)))
            (add
                (mul
                    (load.local 0)
                    (sub (scalar 1) (get (load.static 0) 2)))
                (vector (slice (load.static 0) 0 1) (scalar 0))))
        (evaluation
            (local vector 3)
            (store.local 0
                (call $poseidonRound (load.trace 0) (slice (load.static 0) 4 6) (get (load.static 0) 3)))
            (sub
                (load.trace 1)
                (add
                    (mul (load.local 0)	(get (load.static 0) 2))
                    (vector (slice (load.static 0) 0 1) (scalar 0)))))))