There are two major pathways we use when designing the circuit
We investigate feasibility of doing both challenge generation as well as computing hashes used as randomness during LSU, inside the circuit.
Challenge generation is a process in which we are aiming to generate a number of challenges $C = 2200$.
$$ [\, c{8j+7}, c_{8j+6}, \cdots, c_{8j+1}, c_{8j}] = \text{Split-31bit}(\text{Poseidon–128}(CommR, j)) \\ c_i = c_i \bmod N $$
The $j \in [0,C/8)$ and $N$ is sector size nodes. The Result of Poseidon-128 is split into 31 bit chunks (discarding 7 high bits) forming eight challenges, which then are taken $\bmod N$.
Based on input from ZCash team, Poseidon can be used as PRG for challenge generation. Using it in this manner would mean using Poseidon-128 in 2-ary variant, costing ~311 constraints, plus additional 256 constrains for binary decomposition (binary decomposition constraints may already be included in the cost of inclusion proofs).
This results in 0.85M additional constraints.
One Poseidon, Multiple challenges
The Poseidon-128 outputs Fr field element which after decomposition results in 254.x bits of randomness. Our biggest $N$ requires 31 bits of randomness. This means that we could use one Poseidon-128 evaluation to generate 8 challenges. It would reduce cost of challenge generation by factor of 8 as the binary decomposition can be shared as well.
We are settling on number of $\rho$ per sector $H = 2^9 = 512$ (but want to keep some flexibility in final circuit), this gives us two options, we can either compute all H ρ values and use lookup to access ρ from these computed values; or we can compute ρ for each challenge and not use the fact that only H ρ computations need to be done.
The latter option is promising as 512-ary lookup of dynamic values will cost at least 512 constraints. (please verify)
$$ \phi = \text{Posedion-128}(CommD, OldCommR) \\ \rho_{c_i} = \text{Poseidon–128}(\phi, \lfloor \frac{c_iH}{N} \rfloor) $$
As both $H$ and $N$ are powers of two the $\lfloor \frac{c_iH}{N} \rfloor$ computation can be easily performed using bit shift by selecting bits from decomposed $c_i$.
$$ \lfloor \frac{c_iH}{N} \rfloor = c_i \gg (\log_2N - \log_2H) $$