Struct DuplexChallenger 

pub struct DuplexChallenger<F, P, const WIDTH: usize, const RATE: usize>
where
    F: Clone,
    P: CryptographicPermutation<[F; WIDTH]>,
{
    pub sponge_state: [F; WIDTH],
    pub input_buffer: Vec<F>,
    pub output_buffer: Vec<F>,
    pub permutation: P,
}

A generic duplex sponge challenger over a finite field, used for generating deterministic challenges from absorbed inputs.

This structure implements a duplex sponge that alternates between:

• Absorbing inputs into the sponge state,
• Applying a cryptographic permutation over the state,
• Squeezing outputs from the state as challenges.

The sponge operates over a state of WIDTH elements, divided into:

• A rate of RATE elements (the portion exposed to input/output),
• A capacity of WIDTH - RATE elements (the hidden part ensuring security).

The challenger buffers observed inputs until the rate is full, applies the permutation, and then produces challenge outputs from the permuted state. It supports:

• Observing single values, arrays, hashes, or nested vectors,
• Sampling fresh challenges as field elements or bitstrings.

Fields

sponge_state: [F; WIDTH]

The internal sponge state, consisting of WIDTH field elements.

The first RATE elements form the rate section, where input values are absorbed and output values are squeezed. The remaining WIDTH - RATE elements form the capacity, which provides hidden entropy and security against attacks.

input_buffer: Vec<F>

A buffer holding field elements that have been observed but not yet absorbed.

Inputs added via observe are collected here. Once the buffer reaches RATE elements, the sponge performs a duplexing step: it absorbs the inputs into the state and applies the permutation.

output_buffer: Vec<F>

A buffer holding field elements that have been squeezed from the sponge state.

Outputs are produced by duplexing and stored here. Calls to sample or sample_bits pop values from this buffer. When the buffer is empty (or new inputs were absorbed), a new duplexing step is triggered.

permutation: P

The cryptographic permutation applied to the sponge state.

This permutation must provide strong pseudorandomness and collision resistance, ensuring that squeezed outputs are indistinguishable from random and securely bound to the absorbed inputs.

Implementations

impl<F, P, const WIDTH: usize, const RATE: usize> DuplexChallenger<F, P, WIDTH, RATE>

where F: Copy, P: CryptographicPermutation<[F; WIDTH]>,

pub fn new(permutation: P) -> Self

where F: Default,

Trait Implementations

impl<F, P, const N: usize, const WIDTH: usize, const RATE: usize> CanObserve<[F; N]> for DuplexChallenger<F, P, WIDTH, RATE>

where F: Copy, P: CryptographicPermutation<[F; WIDTH]>,

fn observe(&mut self, values: [F; N])

Absorb a single value into the transcript.

fn observe_slice(&mut self, values: &[T])

where T: Clone,

Absorb a slice of values into the transcript.

impl<F, P, const WIDTH: usize, const RATE: usize> CanObserve<F> for DuplexChallenger<F, P, WIDTH, RATE>

where F: Copy, P: CryptographicPermutation<[F; WIDTH]>,

fn observe(&mut self, value: F)

Absorb a single value into the transcript.

fn observe_slice(&mut self, values: &[T])

where T: Clone,

Absorb a slice of values into the transcript.

impl<F, P, const N: usize, const WIDTH: usize, const RATE: usize> CanObserve<Hash<F, F, N>> for DuplexChallenger<F, P, WIDTH, RATE>

where F: Copy, P: CryptographicPermutation<[F; WIDTH]>,

fn observe(&mut self, values: Hash<F, F, N>)

Absorb a single value into the transcript.

fn observe_slice(&mut self, values: &[T])

where T: Clone,

Absorb a slice of values into the transcript.

impl<F, P, const WIDTH: usize, const RATE: usize> CanObserve<Vec<Vec<F>>> for DuplexChallenger<F, P, WIDTH, RATE>

where F: Copy, P: CryptographicPermutation<[F; WIDTH]>,

fn observe(&mut self, valuess: Vec<Vec<F>>)

Absorb a single value into the transcript.

fn observe_slice(&mut self, values: &[T])

where T: Clone,

Absorb a slice of values into the transcript.

impl<F, EF, P, const WIDTH: usize, const RATE: usize> CanSample<EF> for DuplexChallenger<F, P, WIDTH, RATE>

where F: Field, EF: BasedVectorSpace<F>, P: CryptographicPermutation<[F; WIDTH]>,

fn sample(&mut self) -> EF

Sample a single challenge value from the transcript.

fn sample_array<const N: usize>(&mut self) -> [T; N]

Sample an array of N challenge values from the transcript.

fn sample_vec(&mut self, n: usize) -> Vec<T>

Sample a Vec of n challenge values from the transcript.

impl<F, P, const WIDTH: usize, const RATE: usize> CanSampleBits<usize> for DuplexChallenger<F, P, WIDTH, RATE>

where F: PrimeField64, P: CryptographicPermutation<[F; WIDTH]>,

fn sample_bits(&mut self, bits: usize) -> usize

The sampled bits are not perfectly uniform, but we can bound the error: every sequence appears with probability 1/p-close to uniform (1/2^b).

Proof: We denote p = F::ORDER_U64, and b = bits. If X follows a uniform distribution over F, if we consider the first b bits of X, each sequence appears either with probability P1 = ⌊p / 2^b⌋ / p or P2 = (1 + ⌊p / 2^b⌋) / p. We have 1/2^b - 1/p ≤ P1, P2 ≤ 1/2^b + 1/p

impl<F, P, const WIDTH: usize, const RATE: usize> CanSampleUniformBits<F> for DuplexChallenger<F, P, WIDTH, RATE>

where F: UniformSamplingField + PrimeField64, P: CryptographicPermutation<[F; WIDTH]>,

fn sample_uniform_bits<const RESAMPLE: bool>( &mut self, bits: usize, ) -> Result<usize, ResamplingError>

Sample a random bits-bit integer from the transcript with a guarantee of uniformly sampled bits.

impl<F, P, const WIDTH: usize, const RATE: usize> Clone for DuplexChallenger<F, P, WIDTH, RATE>

where F: Clone + Clone, P: CryptographicPermutation<[F; WIDTH]> + Clone,

fn clone(&self) -> DuplexChallenger<F, P, WIDTH, RATE>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<F, P, const WIDTH: usize, const RATE: usize> Debug for DuplexChallenger<F, P, WIDTH, RATE>

where F: Clone + Debug, P: CryptographicPermutation<[F; WIDTH]> + Debug,

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<F, P, const WIDTH: usize, const RATE: usize> FieldChallenger<F> for DuplexChallenger<F, P, WIDTH, RATE>

where F: PrimeField64, P: CryptographicPermutation<[F; WIDTH]>,

fn observe_algebra_element<A: BasedVectorSpace<F>>(&mut self, alg_elem: A)

Absorb an element from a vector space over the base field.

fn observe_algebra_slice<A: BasedVectorSpace<F> + Clone>( &mut self, alg_elems: &[A], )

Absorb a slice of elements from a vector space over the base field.

fn sample_algebra_element<A: BasedVectorSpace<F>>(&mut self) -> A

Sample an element of a vector space over the base field.

fn observe_base_as_algebra_element<EF>(&mut self, val: F)

where EF: Algebra<F> + BasedVectorSpace<F>,

Observe base field elements as extension field elements for recursion-friendly transcripts.

impl<F, P, const WIDTH: usize, const RATE: usize> GrindingChallenger for DuplexChallenger<F, P, WIDTH, RATE>

where F: PrimeField64, P: CryptographicPermutation<[F; WIDTH]>,

type Witness = F

The underlying field element type used as the witness.

fn grind(&mut self, bits: usize) -> Self::Witness

Perform a brute-force search to find a valid PoW witness.

fn check_witness(&mut self, bits: usize, witness: Self::Witness) -> bool

Check whether a given witness satisfies the PoW condition.

impl<F, P, const WIDTH: usize, const RATE: usize> UniformGrindingChallenger for DuplexChallenger<F, P, WIDTH, RATE>

where F: UniformSamplingField + PrimeField64, P: CryptographicPermutation<[F; WIDTH]>,

fn grind_uniform(&mut self, bits: usize) -> Self::Witness

Grinds based on uniformly sampled bits. This variant is allowed to do rejection sampling if a value is sampled that would violate our uniformity requirement (chance of about 1/P).

fn grind_uniform_may_error(&mut self, bits: usize) -> Self::Witness

Grinds based on uniformly sampled bits. This variant errors if a value is sampled, which would violate our uniformity requirement (chance of about 1/P). See the UniformSamplingField trait implemented for each field for details.

fn check_witness_uniform(&mut self, bits: usize, witness: Self::Witness) -> bool

Check whether a given witness satisfies the PoW condition.

fn check_witness_uniform_may_error( &mut self, bits: usize, witness: Self::Witness, ) -> bool

Check whether a given witness satisfies the PoW condition.