
Conversation

@yash25198
Collaborator

@yash25198 yash25198 commented Jan 13, 2026

Summary

  • Runtime hash selection: Replace compile-time feature flags with runtime HashConfig enum, allowing selection between Skyscraper, SHA256, Keccak, and BLAKE3 without recompilation
  • Performance improvements: Standard cryptographic hashes significantly outperform algebraic hash for native operations
  • Hash benchmarks: Add comprehensive benchmarking suite for comparing hash algorithm performance

Benchmarks

Primitive Operations (16 field elements)

| Hash | Leaf Hash | Compress | Speedup vs Skyscraper |
|---|---|---|---|
| SHA256 | 212ns | 45ns | ~8x |
| Blake3 | 508ns | 47ns | ~8x |
| Keccak | 654ns | 127ns | ~3x |
| Skyscraper | 5.42µs | 369ns | baseline |

Merkle Layer (4096 nodes)

| Hash | Duration | Speedup |
|---|---|---|
| SHA256 | 143µs | 11x faster |
| Blake3 | 190µs | 8x faster |
| Keccak | 575µs | 3x faster |
| Skyscraper | 1.62ms | baseline |

End-to-End Proving (complete_age_check, 524k leaves)

| Hash | MerkleTree::new | Total Prove |
|---|---|---|
| SHA256 | 45ms | 5.90s |
| Blake3 | 114ms | 6.39s |
| Keccak | 163ms | 7.23s |
| Skyscraper | 1.06s | 8.42s |

Changes

  • New HashConfig enum with serde support for runtime hash algorithm selection
  • runtime_hash! macro for compile-time monomorphization based on runtime config
  • Complete hash module implementations for SHA256, Keccak, and BLAKE3 (merkle, sponge, PoW)
  • Updated CLI commands (prepare, prove, verify) to accept --hash configuration
  • Binary file format updates to store hash config in headers

Testing

# Test with different hash configurations
provekit prepare --hash sha256 ...
provekit prepare --hash blake3 ...
provekit prepare --hash keccak ...
provekit prepare --hash skyscraper (default) ...

# Run hash benchmarks
cargo bench --bench hash_bench

@yash25198 yash25198 requested a review from Bisht13 January 13, 2026 17:32
@yash25198 yash25198 changed the title from "Ysh/generic hash config" to "runtime hash selection with SHA256, Blake3, Keccak support" Jan 13, 2026
@@ -0,0 +1,128 @@
// SHA256 sponge for Fiat-Shamir transcripts
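Review bot: the file-level comment on the first line of this hunk uses `//`, so rustdoc will not pick it up as the module summary; the BLAKE3 counterpart in this PR opens with `//! BLAKE3 sponge for Fiat-Shamir transcripts.`, so `//! SHA256 sponge for Fiat-Shamir transcripts.` here would keep the two modules consistent and is also the natural place for the soundness note requested below (counter-mode squeeze, domain-separation masks, ratchet on mode switch).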
Collaborator

This implements a custom duplex sponge construction using SHA256. A few questions:

  1. Has this construction been reviewed for cryptographic soundness in the Fiat-Shamir context?
  2. The squeeze_unchecked uses a counter mode (self.squeeze_count). Is this secure for arbitrary-length squeezing in Fiat-Shamir transcripts?

Also, I remember spongefish having their own impl of these for different hashes, do we have them implemented?

Collaborator Author

  1. Cryptographic soundness — Sha256Sponge follows the same counter-mode pattern as spongefish's DigestBridge<D: Digest>. Each squeeze block is H(state || counter), indistinguishable from random under ROM.
  2. Counter-mode security — Yes — spongefish uses the same approach with domain separation masks (0x00 absorb, 0x01 squeeze, 0x02 squeeze_end).
  3. Spongefish implementations
  • Keccak sponge: Re-exported directly from spongefish::keccak::Keccak
  • SHA256 sponge: Spongefish provides DigestBridge; a simpler version with equal security is used here
  • BLAKE3 sponge: Not provided by spongefish — the implementation uses native finalize_xof(), which is the correct approach since BLAKE3 is designed as a XOF
  • Keccak/BLAKE3 PoW: Re-exported from spongefish-pow
  • SHA256 PoW: Custom implementation (spongefish-pow doesn't provide one)
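To make the construction discussed in this thread concrete, here is an added Python sketch of a counter-mode duplex sponge over SHA-256 used as a Fiat-Shamir transcript. It is not the PR's Rust code and not spongefish's `DigestBridge`; the three mask bytes (0x00 absorb, 0x01 squeeze, 0x02 squeeze-end) are taken from the thread, but the exact byte layout of each hash input, the 8-byte little-endian counter, the leftover-byte buffer and the domain label are this example's own assumptions. It shows the three properties a reviewer would want to check: challenges are a deterministic function of the transcript, squeezing in several small calls equals one large call, and absorbing after a squeeze ratchets the state so later challenges depend on the ones already issued.

```python
"""Counter-mode duplex sponge over SHA-256 for Fiat-Shamir transcripts.

Added illustration, not the PR's own implementation. Each squeeze block is
H(mask || state || counter); absorb folds data into the state; switching
from squeeze back to absorb ratchets the state with a separate mask.
"""
import hashlib

# Domain-separation masks as named in the review thread. Their position
# (first byte of the hash input) is this example's assumption.
ABSORB, SQUEEZE, SQUEEZE_END = b"\x00", b"\x01", b"\x02"


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _ctr(n: int) -> bytes:
    # Fixed-width counter so "state || counter" is unambiguous.
    return n.to_bytes(8, "little")


class Sha256Sponge:
    def __init__(self, domain: bytes = b"example-fs-transcript"):
        # The state is one 32-byte digest; a domain label is absorbed first
        # so transcripts of different protocols never share challenges.
        self.state = _h(ABSORB, domain)
        self.squeeze_count = 0   # blocks produced in the current squeeze run
        self.pending = b""       # unused tail of the last squeezed block

    def absorb(self, data: bytes) -> None:
        if self.squeeze_count:
            # Ratchet on mode switch: fold the finished squeeze run into the
            # state so later absorbs depend on challenges already issued, and
            # drop any buffered output so it can never be re-used.
            self.state = _h(SQUEEZE_END, self.state, _ctr(self.squeeze_count))
            self.squeeze_count = 0
            self.pending = b""
        self.state = _h(ABSORB, self.state, data)

    def squeeze(self, n: int) -> bytes:
        out = bytearray(self.pending)
        while len(out) < n:
            # Counter mode: block i = H(0x01 || state || i); the state itself
            # is not modified, so the run is a plain XOF over the state.
            out.extend(_h(SQUEEZE, self.state, _ctr(self.squeeze_count)))
            self.squeeze_count += 1
        self.pending = bytes(out[n:])
        return bytes(out[:n])


def fiat_shamir_challenge(commitments: list, n: int = 32) -> bytes:
    """Derive an n-byte verifier challenge from a list of prover messages.

    Both prover and verifier run this over the same transcript; any change
    to a commitment changes the challenge (constructed demo inputs below).
    """
    sponge = Sha256Sponge()
    for c in commitments:
        sponge.absorb(c)
    return sponge.squeeze(n)


if __name__ == "__main__":
    # Constructed sample transcript: two "commitments" a prover would send.
    transcript = [b"commit-A", b"commit-B"]
    print(fiat_shamir_challenge(transcript).hex())
```

The `pending` buffer is what keeps `squeeze(16)` twice byte-identical to `squeeze(32)` once; without it the second call would skip ahead to block 1 and the two call patterns would silently disagree between prover and verifier. The ratchet in `absorb` is the part the review above asks to see documented: it is what stops a later challenge from being independent of an earlier one.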

Collaborator

Can we have an inline comment addressing this?

@@ -0,0 +1,108 @@
//! BLAKE3 sponge for Fiat-Shamir transcripts.
Collaborator

Similar to the SHA256 sponge, this is a custom duplex construction. BLAKE3's XOF mode is used for squeezing which is good, but the absorb/squeeze state machine (ratcheting on mode switch) should be documented or reviewed for Fiat-Shamir security.

Cargo.toml Outdated
# 3rd party
anyhow = "1.0.93"
argh = "0.1.12"
arrayvec = "0.7"
Collaborator

arrayvec unused.

}
}

impl Verify
Collaborator

Verifier impl Verify duplicated, add impl_verify!

@Bisht13
Collaborator

Bisht13 commented Jan 16, 2026

Can we add e2e tests for all hashes which includes the prepare, prove and verify step?
