Merge pull request #23 from kobigurk/fix/mimcsponge_round_constants

MiMCSponge: makes first and last round constants always zero

circuits/mimcsponge.circom

@@ -39,8 +39,8 @@ template MiMCFeistel(nrounds) {
     signal output xL_out;
     signal output xR_out;
 
-    var c = [
-      0,
+    // doesn't contain the first and last round constants, which are always zero
+    var c_partial = [
       7120861356467848435263064379192047478074060781135320967663101236819528304084,
       5024705281721889198577876690145313457398658950011302225525409148828000436681,
       17980351014018068290387269214713820287804403312720763401943303895585469787384,
@@ -258,8 +258,7 @@ template MiMCFeistel(nrounds) {
       18224457394066545825553407391290108485121649197258948320896164404518684305122,
       274945154732293792784580363548970818611304339008964723447672490026510689427,
       11050822248291117548220126630860474473945266276626263036056336623671308219529,
-      2119542016932434047340813757208803962484943912710204325088879681995922344971,
-      0
+      2119542016932434047340813757208803962484943912710204325088879681995922344971
     ];
 
     var t;
@@ -268,8 +267,14 @@ template MiMCFeistel(nrounds) {
     signal xL[nrounds-1];
     signal xR[nrounds-1];
 
+    var c;
     for (var i=0; i<nrounds; i++) {
-        t = (i==0) ? k+xL_in : k + xL[i-1] + c[i];
+        if ((i == 0) || (i == nrounds - 1)) {
+          c = 0;
+        } else {
+          c = c_partial[i - 1];
+        }
+        t = (i==0) ? k+xL_in : k + xL[i-1] + c;
         t2[i] <== t*t;
         t4[i] <== t2[i]*t2[i];
         if (i<nrounds-1) {