feat: allow custom hash function in backends (#873)

* feat: add backend options

* feat: choosable field to hash in plonk verifier

* chore: generate

* fix: hash result len max(modlen, digestsize)

* chore: generate

* feat: allow custom hash to field during proving

* chore: generate

* test: add custom hash-to-field test using constant hash fn

* chore: go.mod update

* refactor: split backend option to prover and verifier opts

* refactor: split backend option in templates

* chore: generate

* test: enable custom hash-to-field test

* refactor: simplify hash-to-field init

* feat: add custom hash to field to groth16

* refactor: use import template

* chore: generate

* feat: pass options to verifiers

* test: test custom hash to field

* docs: add option descriptions

* feat: add custom challenge hash

* test: add custom challenge hash test

* feat: add custom KZG folding challenge hash

* feat: use custom KZG folding hash

* test: add custom KZG folding hash test

* chore: generate

* feat: use custom challenge hash in plonk+fri

* chore: generate

* feat: implement verifier options in tests

* chore: go mod update

backend/backend.go

@@ -15,7 +15,12 @@
 // Package backend implements Zero Knowledge Proof systems: it consumes circuit compiled with gnark/frontend.
 package backend
 
-import "github.com/consensys/gnark/constraint/solver"
+import (
+	"crypto/sha256"
+	"hash"
+
+	"github.com/consensys/gnark/constraint/solver"
+)
 
 // ID represent a unique ID for a proving scheme
 type ID uint16
@@ -53,13 +58,21 @@ type ProverOption func(*ProverConfig) error
 
 // ProverConfig is the configuration for the prover with the options applied.
 type ProverConfig struct {
-	SolverOpts []solver.Option
+	SolverOpts     []solver.Option
+	HashToFieldFn  hash.Hash
+	ChallengeHash  hash.Hash
+	KZGFoldingHash hash.Hash
 }
 
 // NewProverConfig returns a default ProverConfig with given prover options opts
 // applied.
 func NewProverConfig(opts ...ProverOption) (ProverConfig, error) {
-	opt := ProverConfig{}
+	opt := ProverConfig{
+		// we cannot initialize HashToFieldFn here as we use different domain
+		// separation tags for PLONK and Groth16
+		ChallengeHash:  sha256.New(),
+		KZGFoldingHash: sha256.New(),
+	}
 	for _, option := range opts {
 		if err := option(&opt); err != nil {
 			return ProverConfig{}, err
@@ -75,3 +88,98 @@ func WithSolverOptions(solverOpts ...solver.Option) ProverOption {
 		return nil
 	}
 }
+
+// WithProverHashToFieldFunction changes the hash function used for hashing
+// bytes to field. If not set then the default hash function based on RFC 9380
+// is used. Used mainly for compatibility between different systems and
+// efficient recursion.
+func WithProverHashToFieldFunction(hFunc hash.Hash) ProverOption {
+	return func(cfg *ProverConfig) error {
+		cfg.HashToFieldFn = hFunc
+		return nil
+	}
+}
+
+// WithProverChallengeHashFunction sets the hash function used for computing
+// non-interactive challenges in Fiat-Shamir heuristic. If not set then by
+// default SHA2-256 is used. Used mainly for compatibility between different
+// systems and efficient recursion.
+func WithProverChallengeHashFunction(hFunc hash.Hash) ProverOption {
+	return func(pc *ProverConfig) error {
+		pc.ChallengeHash = hFunc
+		return nil
+	}
+}
+
+// WithProverKZGFoldingHashFunction sets the hash function used for computing
+// the challenge when folding the KZG opening proofs. If not set then by default
+// SHA2-256 is used. Used mainly for compatibility between different systems and
+// efficient recursion.
+func WithProverKZGFoldingHashFunction(hFunc hash.Hash) ProverOption {
+	return func(pc *ProverConfig) error {
+		pc.KZGFoldingHash = hFunc
+		return nil
+	}
+}
+
+// VerifierOption defines option for altering the behavior of the verifier. See
+// the descriptions of functions returning instances of this type for
+// implemented options.
+type VerifierOption func(*VerifierConfig) error
+
+// VerifierConfig is the configuration for the verifier with the options applied.
+type VerifierConfig struct {
+	HashToFieldFn  hash.Hash
+	ChallengeHash  hash.Hash
+	KZGFoldingHash hash.Hash
+}
+
+// NewVerifierConfig returns a default [VerifierConfig] with given verifier
+// options applied.
+func NewVerifierConfig(opts ...VerifierOption) (VerifierConfig, error) {
+	opt := VerifierConfig{
+		// we cannot initialize HashToFieldFn here as we use different domain
+		// separation tags for PLONK and Groth16
+		ChallengeHash:  sha256.New(),
+		KZGFoldingHash: sha256.New(),
+	}
+	for _, option := range opts {
+		if err := option(&opt); err != nil {
+			return VerifierConfig{}, err
+		}
+	}
+	return opt, nil
+}
+
+// WithVerifierHashToFieldFunction changes the hash function used for hashing
+// bytes to field. If not set then the default hash function based on RFC 9380
+// is used. Used mainly for compatibility between different systems and
+// efficient recursion.
+func WithVerifierHashToFieldFunction(hFunc hash.Hash) VerifierOption {
+	return func(cfg *VerifierConfig) error {
+		cfg.HashToFieldFn = hFunc
+		return nil
+	}
+}
+
+// WithVerifierChallengeHashFunction sets the hash function used for computing
+// non-interactive challenges in Fiat-Shamir heuristic. If not set then by
+// default SHA2-256 is used. Used mainly for compatibility between different
+// systems and efficient recursion.
+func WithVerifierChallengeHashFunction(hFunc hash.Hash) VerifierOption {
+	return func(pc *VerifierConfig) error {
+		pc.ChallengeHash = hFunc
+		return nil
+	}
+}
+
+// WithVerifierKZGFoldingHashFunction sets the hash function used for computing
+// the challenge when folding the KZG opening proofs. If not set then by default
+// SHA2-256 is used. Used mainly for compatibility between different systems and
+// efficient recursion.
+func WithVerifierKZGFoldingHashFunction(hFunc hash.Hash) VerifierOption {
+	return func(pc *VerifierConfig) error {
+		pc.KZGFoldingHash = hFunc
+		return nil
+	}
+}