r1cs: PoseidonSpongeVar permutation

[redshiftzero]

Followup from #29: We are using PoseidonSpongeVar from ark-sponge for in-circuit hashing (ref penumbra-zone/penumbra#714).

~However, the implementation of the permutation via PoseidonSpongeVar::permute does not use the optimizations we added support for in our parameter generation code in #17 and in our poseidon-permutation crate in #20. For some concrete numbers, we saw a 1.9x reduction in the number of multiplications for our 4:1 hash (see PR text #21 for where this number comes from).

Edit: These optimizations only work out of circuit, as (ref section 6.2.1 in the paper), the R1CS cost does not change due to the (constant multiplication) linear layers.

[redshiftzero]

To prioritize the above here are the circuit costs of various gadgets as of commit 0db4a2be63ff444aa5e481cf82e6eb22e6653500 (in penumbra):

The numbers below include the constraint cost of witnessing the required instance variables:

• diversified_basepoint_not_identity (requires 1 Element instance variable): 1396
• ephemeral_public_key_integrity (requires 2 Element instance variable, plus 1 scalar): 4982
• value_commitment_integrity (requires 1 Element instance variable, 1 Fq, plus 2 scalar): 3376
• note_commitment_integrity (requires 6 Fq, 1 Element): 3201
• Verifying merkle path (requires 2 Fq, 1 merkle path variable (72 Fqs)): 8631
• rk_integrity (1 Element, 1 scalar, 1 Fq): 5689
• nullifier_integrity (4 Fq): 311
• ak_not_identity (1 Element): 1396
• witnessing a single decaf377 element: 1392

[redshiftzero]

This is no longer planned for implementation due to #40

[redshiftzero]

Reopening as #40 was backburnered