longfellow 0.1.0
- checksums.yaml +7 -0
- data/CODE_OF_CONDUCT.md +10 -0
- data/LICENSE.txt +21 -0
- data/README.md +152 -0
- data/ext/longfellow/CMakeLists.txt +76 -0
- data/ext/longfellow/extconf.rb +77 -0
- data/lib/longfellow/attribute.rb +65 -0
- data/lib/longfellow/c.rb +105 -0
- data/lib/longfellow/errors.rb +78 -0
- data/lib/longfellow/version.rb +5 -0
- data/lib/longfellow/zk_spec.rb +40 -0
- data/lib/longfellow.rb +162 -0
- data/sig/longfellow.rbs +74 -0
- data/vendor/longfellow-zk/LICENSE +203 -0
- data/vendor/longfellow-zk/lib/algebra/blas.h +121 -0
- data/vendor/longfellow-zk/lib/algebra/bogorng.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/compare.h +40 -0
- data/vendor/longfellow-zk/lib/algebra/convolution.h +219 -0
- data/vendor/longfellow-zk/lib/algebra/crt.cc +42 -0
- data/vendor/longfellow-zk/lib/algebra/crt.h +299 -0
- data/vendor/longfellow-zk/lib/algebra/crt_convolution.h +114 -0
- data/vendor/longfellow-zk/lib/algebra/crt_test.cc +371 -0
- data/vendor/longfellow-zk/lib/algebra/fft.h +104 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation.h +304 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation_test.cc +168 -0
- data/vendor/longfellow-zk/lib/algebra/fft_test.cc +257 -0
- data/vendor/longfellow-zk/lib/algebra/fp.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/fp2.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/fp24.h +342 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6.h +305 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6_test.cc +197 -0
- data/vendor/longfellow-zk/lib/algebra/fp2_test.cc +280 -0
- data/vendor/longfellow-zk/lib/algebra/fp_generic.h +533 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p128.h +91 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256k1.h +123 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p384.h +65 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p521.h +62 -0
- data/vendor/longfellow-zk/lib/algebra/fp_test.cc +522 -0
- data/vendor/longfellow-zk/lib/algebra/hash.h +39 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation.h +117 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc +74 -0
- data/vendor/longfellow-zk/lib/algebra/limb.h +153 -0
- data/vendor/longfellow-zk/lib/algebra/limb_test.cc +75 -0
- data/vendor/longfellow-zk/lib/algebra/nat.cc +32 -0
- data/vendor/longfellow-zk/lib/algebra/nat.h +212 -0
- data/vendor/longfellow-zk/lib/algebra/nat_test.cc +183 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc +138 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc +139 -0
- data/vendor/longfellow-zk/lib/algebra/permutations.h +79 -0
- data/vendor/longfellow-zk/lib/algebra/poly.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/poly_test.cc +123 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon.h +150 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h +108 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc +76 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_test.cc +473 -0
- data/vendor/longfellow-zk/lib/algebra/rfft.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/rfft_test.cc +102 -0
- data/vendor/longfellow-zk/lib/algebra/static_string.h +29 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep.h +495 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep_test.cc +41 -0
- data/vendor/longfellow-zk/lib/algebra/twiddle.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/utility.h +86 -0
- data/vendor/longfellow-zk/lib/algebra/utility_test.cc +86 -0
- data/vendor/longfellow-zk/lib/arrays/affine.h +56 -0
- data/vendor/longfellow-zk/lib/arrays/affine_test.cc +220 -0
- data/vendor/longfellow-zk/lib/arrays/dense.h +210 -0
- data/vendor/longfellow-zk/lib/arrays/eq.h +75 -0
- data/vendor/longfellow-zk/lib/arrays/eqs.h +137 -0
- data/vendor/longfellow-zk/lib/arrays/eqs_test.cc +151 -0
- data/vendor/longfellow-zk/lib/arrays/sparse.h +192 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder.h +323 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder_test.cc +541 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor.h +594 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck.h +110 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck_test.cc +55 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_test.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_testing.h +98 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_witness.h +312 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso2_test.cc +662 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso_test.cc +485 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan.h +104 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan_test.cc +137 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor.h +640 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_testing.h +99 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_witness.h +319 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/lexer_test.cc +120 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/mdoc_examples_test.cc +89 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_circuit_test.cc +506 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_size_test.cc +79 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_test.cc +473 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/canonicalization_test.cc +185 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/circuit_dump.h +65 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler.h +471 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler_test.cc +110 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/node.h +176 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/pdqhash.h +127 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/schedule.h +435 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h +371 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc +246 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_test.cc +587 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h +201 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h +247 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h +35 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc +183 -0
- data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc +102 -0
- data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic.h +1232 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_circuit_test.cc +310 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_test.cc +521 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp.h +68 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp_test.cc +148 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing.h +445 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing_test.cc +241 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary.h +55 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h +77 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h +37 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc +53 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc +69 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h +193 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc +223 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc +242 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_ids.h +311 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_circuit_id.cc +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_constants.h +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.cc +41 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_examples.h +5232 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_generate_circuit.cc +199 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_hash.h +554 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h +143 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc +444 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_test_attributes.h +157 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_witness.h +863 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.cc +693 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.h +216 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk_test.cc +724 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc +100 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc +155 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h +330 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit_test.cc +607 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_io.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.cc +163 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.h +47 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.cc +34 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_test_values.h +389 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/ptrcred.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small.h +218 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_examples.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_io.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_test.cc +208 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_witness.h +130 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode.h +508 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_circuit_test.cc +95 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_test.cc +119 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.cc +47 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit.h +231 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit_test.cc +428 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_witness.h +102 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt.h +190 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_constants.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_test.cc +559 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_witness.h +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f.h +411 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_io.h +32 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_test.cc +364 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_witness.h +278 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation.h +146 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_constants.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_test.cc +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_witness.h +136 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr.h +250 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_test.cc +333 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_witness.h +152 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44.h +903 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_circuit_test.cc +274 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_eval_test.cc +440 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.cc +8851 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.h +93 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.cc +24 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h +453 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc +49 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc +458 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test.cc +398 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors.inc +3618 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_pkdecode.inc +689 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_sigdecode.inc +1501 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/sigdecode_test_vectors.inc +540 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit.h +394 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit_test.cc +577 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_constants.h +90 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h +351 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit_test.cc +466 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.cc +207 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h +59 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc +153 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc +39 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h +31 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc +83 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/shake_test_vectors.h +477 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve.h +596 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve_test.cc +548 -0
- data/vendor/longfellow-zk/lib/ec/p256.cc +36 -0
- data/vendor/longfellow-zk/lib/ec/p256.h +60 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.cc +34 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.h +60 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128.h +503 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_bench.cc +48 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_test.cc +416 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2poly.h +74 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14.h +242 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc +75 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h +127 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc +110 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_test.cc +246 -0
- data/vendor/longfellow-zk/lib/gf2k/sysdep.h +329 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_param.h +449 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_prover.h +354 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_test.cc +136 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_transcript.h +67 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h +272 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h +104 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree.h +216 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree_test.cc +240 -0
- data/vendor/longfellow-zk/lib/proto/circuit.h +354 -0
- data/vendor/longfellow-zk/lib/proto/circuit_test.cc +202 -0
- data/vendor/longfellow-zk/lib/random/random.h +119 -0
- data/vendor/longfellow-zk/lib/random/random_test.cc +189 -0
- data/vendor/longfellow-zk/lib/random/secure_random_engine.h +37 -0
- data/vendor/longfellow-zk/lib/random/transcript.h +193 -0
- data/vendor/longfellow-zk/lib/random/transcript_test.cc +344 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit.h +148 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h +71 -0
- data/vendor/longfellow-zk/lib/sumcheck/equad.h +126 -0
- data/vendor/longfellow-zk/lib/sumcheck/hquad.h +115 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover.h +59 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover_layers.h +362 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad.h +227 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h +211 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc +169 -0
- data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc +324 -0
- data/vendor/longfellow-zk/lib/sumcheck/testing.h +69 -0
- data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h +85 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier.h +84 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h +221 -0
- data/vendor/longfellow-zk/lib/testing/test_main.cc +50 -0
- data/vendor/longfellow-zk/lib/util/ceildiv.h +164 -0
- data/vendor/longfellow-zk/lib/util/ceildiv_test.cc +152 -0
- data/vendor/longfellow-zk/lib/util/crc64.h +45 -0
- data/vendor/longfellow-zk/lib/util/crypto.cc +39 -0
- data/vendor/longfellow-zk/lib/util/crypto.h +108 -0
- data/vendor/longfellow-zk/lib/util/log.cc +110 -0
- data/vendor/longfellow-zk/lib/util/log.h +33 -0
- data/vendor/longfellow-zk/lib/util/panic.h +40 -0
- data/vendor/longfellow-zk/lib/util/readbuffer.h +67 -0
- data/vendor/longfellow-zk/lib/util/serialization.h +54 -0
- data/vendor/longfellow-zk/lib/zk/zk_common.h +455 -0
- data/vendor/longfellow-zk/lib/zk/zk_proof.h +378 -0
- data/vendor/longfellow-zk/lib/zk/zk_prover.h +202 -0
- data/vendor/longfellow-zk/lib/zk/zk_test.cc +340 -0
- data/vendor/longfellow-zk/lib/zk/zk_testing.h +154 -0
- data/vendor/longfellow-zk/lib/zk/zk_verifier.h +109 -0
- metadata +347 -0
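--- a/data/vendor/longfellow-zk/lib/proto/circuit_test.cc
+++ b/data/vendor/longfellow-zk/lib/proto/circuit_test.cc
@@ -0,0 +1,202 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "proto/circuit.h"
+
+#include <array>
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "algebra/fp_p128.h"
+#include "circuits/compiler/circuit_dump.h"
+#include "circuits/compiler/compiler.h"
+#include "circuits/ecdsa/verify_circuit.h"
+#include "circuits/logic/bit_plucker.h"
+#include "circuits/logic/compiler_backend.h"
+#include "circuits/logic/logic.h"
+#include "circuits/sha/flatsha256_circuit.h"
+#include "ec/p256.h"
+#include "sumcheck/circuit.h"
+#include "util/log.h"
+#include "util/readbuffer.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <class Field>
+void expect_same_id(const Circuit<Field>& c0, const Circuit<Field>& c1,
+const Field& F) {
+std::array<uint8_t, 32> id0;
+circuit_id(id0.data(), c0, F);
+std::array<uint8_t, 32> id1;
+circuit_id(id1.data(), c1, F);
+EXPECT_EQ(id0, id1);
+}
+
+template <class FF>
+void serialize_test2(const Circuit<FF>& circuit, const FF& F,
+FieldID field_id) {
+std::vector<uint8_t> bytes;
+log(INFO, "Serializing2");
+CircuitRep<FF> cr(F, field_id);
+cr.to_bytes(circuit, bytes);
+size_t sz = bytes.size();
+log(INFO, "size: %zu", sz);
+
+CircuitRep<FF> cr2(F, field_id);
+
+log(INFO, "Deserializing2");
+ReadBuffer rb(bytes);
+auto c2 = cr2.from_bytes(rb, /*enforce_circuit_id=*/true);
+log(INFO, "Parsed from bytes");
+EXPECT_TRUE(c2 != nullptr);
+expect_same_id(*c2, circuit, F);
+
+// Test truncated inputs.
+ReadBuffer rb1(bytes.data(), sz - 1);
+auto bad = cr2.from_bytes(rb1, /*enforce_circuit_id=*/true);
+EXPECT_TRUE(bad == nullptr);
+
+ReadBuffer rb2(bytes.data() + 1, sz - 1);
+bad = cr2.from_bytes(rb2, /*enforce_circuit_id=*/true);
+EXPECT_TRUE(bad == nullptr);
+
+uint8_t tmp[32];
+// Test corrupted numconsts
+ReadBuffer rb3(bytes);
+size_t clobber = CircuitRep<FF>::kBytesPerSizeT * 7 - 1;
+tmp[0] = bytes[clobber];
+bytes[clobber] = 1;
+bad = cr2.from_bytes(rb3, /*enforce_circuit_id=*/true);
+EXPECT_TRUE(bad == nullptr);
+bytes[clobber] = tmp[0];
+
+// Test corrupted constant table Elt
+ReadBuffer rb4(bytes);
+for (size_t i = 0; i < 32; ++i) {
+tmp[i] = bytes[clobber + 1 + i];
+bytes[clobber + 1 + i] = 0xff;
+}
+bad = cr2.from_bytes(rb4, /*enforce_circuit_id=*/true);
+EXPECT_TRUE(bad == nullptr);
+for (size_t i = 0; i < 32; ++i) {
+bytes[clobber + 1 + i] = tmp[i];
+}
+}
+
+template <class FF>
+void serialize_test3(Circuit<FF>& circuit, const FF& F, FieldID field_id) {
+// corrupt the circuit id
+circuit.id[0] ^= 1u;
+
+std::vector<uint8_t> bytes;
+log(INFO, "Serializing3");
+CircuitRep<FF> cr(F, field_id);
+cr.to_bytes(circuit, bytes);
+size_t sz = bytes.size();
+log(INFO, "size: %zu", sz);
+
+// restore circuit id
+circuit.id[0] ^= 1u;
+
+CircuitRep<FF> cr2(F, field_id);
+
+log(INFO, "Deserializing3");
+ReadBuffer rb(bytes);
+auto c2 = cr2.from_bytes(rb, /*enforce_circuit_id=*/true);
+log(INFO, "Parsed from bytes");
+EXPECT_TRUE(c2 == nullptr);
+}
+
+TEST(circuit_io, ecdsa) {
+using CompilerBackend = CompilerBackend<Fp256Base>;
+using LogicCircuit = Logic<Fp256Base, CompilerBackend>;
+using EltW = LogicCircuit::EltW;
+using Verc = VerifyCircuit<LogicCircuit, Fp256Base, P256>;
+
+set_log_level(INFO);
+
+std::unique_ptr<Circuit<Fp256Base>> circuit;
+
+/*scope to delimit compile-time for ecdsa verification circuit */ {
+QuadCircuit<Fp256Base> Q(p256_base);
+CompilerBackend cbk(&Q);
+const LogicCircuit LC(&cbk, p256_base);
+
+using Nat = Fp256Base::N;
+const Nat order = Nat(
+"0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551");
+
+Verc verc(LC, p256, order);
+Verc::Witness vwc;
+
+EltW pkx = LC.eltw_input(), pky = LC.eltw_input(), e = LC.eltw_input();
+vwc.input(LC);
+
+verc.verify_signature3(pkx, pky, e, vwc);
+
+circuit = Q.mkcircuit(1);
+dump_info("ecdsa", 1, Q);
+}
+
+serialize_test2<Fp256Base>(*circuit, p256_base, P256_ID);
+serialize_test3<Fp256Base>(*circuit, p256_base, P256_ID);
+}
+
+TEST(circuit_io, SHA) {
+using Fp128 = Fp128<>;
+using CompilerBackend = CompilerBackend<Fp128>;
+using LogicCircuit = Logic<Fp128, CompilerBackend>;
+using v8C = LogicCircuit::v8;
+using FlatShaC = FlatSHA256Circuit<LogicCircuit, BitPlucker<LogicCircuit, 1>>;
+set_log_level(INFO);
+
+const Fp128 Fg;
+constexpr size_t kBlocks = 15;
+
+std::unique_ptr<Circuit<Fp128>> circuit;
+
+/*scope to delimit compile-time for sha hash circuit*/ {
+QuadCircuit<Fp128> Q(Fg);
+const CompilerBackend cbk(&Q);
+const LogicCircuit lc(&cbk, Fg);
+FlatShaC fsha(lc);
+
+v8C numbW = lc.vinput<8>();
+
+std::vector<v8C> inW(64 * kBlocks);
+for (size_t i = 0; i < kBlocks * 64; ++i) {
+inW[i] = lc.vinput<8>();
+}
+
+std::vector<FlatShaC::BlockWitness> bwW(kBlocks);
+for (size_t j = 0; j < kBlocks; j++) {
+bwW[j].input(lc);
+}
+
+fsha.assert_message(kBlocks, numbW, inW.data(), bwW.data());
+
+circuit = Q.mkcircuit(1);
+dump_info("assert_message", kBlocks, Q);
+}
+
+serialize_test2<Fp128>(*circuit, Fg, FP128_ID);
+serialize_test3<Fp128>(*circuit, Fg, FP128_ID);
+}
+
+} // namespace
+} // namespace proofs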
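--- a/data/vendor/longfellow-zk/lib/random/random.h
+++ b/data/vendor/longfellow-zk/lib/random/random.h
@@ -0,0 +1,119 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_RANDOM_RANDOM_H_
+#define PRIVACY_PROOFS_ZK_LIB_RANDOM_RANDOM_H_
+
+#include <cstdint>
+#include <cstdlib>
+#include <optional>
+#include <utility>
+#include <vector>
+
+#include "util/panic.h"
+
+namespace proofs {
+
+// Our protocols require random coins; this interface provides both prover
+// and verifier components with those coins. Re-implementing this interface
+// allows easily supporting the Fiat-Shamir transform, or for sampling using
+// a system provided RNG such as openssl.
+class RandomEngine {
+public:
+virtual ~RandomEngine() = default;
+virtual void bytes(uint8_t* buf, size_t n) = 0; // pure virtual
+
+// Sample a random field element.
+template <class Field>
+typename Field::Elt elt(const Field& F) {
+return F.sample([this](size_t n, uint8_t* buf) { bytes(buf, n); });
+}
+
+template <class Field>
+typename Field::Elt subfield_elt(const Field& F) {
+return F.sample_subfield([this](size_t n, uint8_t* buf) {
+bytes(buf, n);
+});
+}
+
+// Convenience method to sample an array of random field elements.
+template <class Field>
+void elt(typename Field::Elt e[/*n*/], size_t n, const Field& F) {
+for (size_t i = 0; i < n; ++i) e[i] = elt(F);
+}
+
+// random size_t < n
+size_t nat(size_t n) {
+check(n > 0, "nat(0)");
+
+// compute the minimum number of random bytes needed
+size_t l = 0;
+size_t nn = n;
+while (nn != 0) {
+nn >>= 8;
+++l;
+}
+check(l <= sizeof(size_t), "l <= sizeof(size_t)");
+
+size_t msk = mask(n);
+size_t r;
+uint8_t buf[sizeof(size_t)];
+
+// rejection sampling
+do {
+// consume L random bytes
+bytes(buf, l);
+
+// little-endian read
+r = 0;
+for (size_t i = l; i-- > 0;) {
+r = (r << 8) | buf[i];
+}
+
+// mask off high bits
+r &= msk;
+} while (r >= n);
+
+return r;
+}
+
+// Choose K distinct random naturals in [0..N).
+// Textbook algorithm requiring O(N) space
+void choose(size_t res[/*k*/], size_t n, size_t k) {
+check(n >= k, "n >= k");
+
+std::vector<size_t> A(n);
+for (size_t i = 0; i < n; ++i) {
+A[i] = i;
+}
+for (size_t i = 0; i < k; ++i) {
+size_t j = i + nat(n - i);
+std::swap(A[i], A[j]);
+res[i] = A[i];
+}
+}
+
+// the minimal bitmask such that (n & mask) == n
+size_t mask(size_t n) {
+size_t mask = 0;
+while ((n & mask) != n) {
+mask <<= 1;
+mask |= 1u;
+}
+return mask;
+}
+};
+} // namespace proofs
+
+#endif // PRIVACY_PROOFS_ZK_LIB_RANDOM_RANDOM_H_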
@@ -0,0 +1,189 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#include "random/random.h"
|
|
16
|
+
|
|
17
|
+
#include <stdio.h>
|
|
18
|
+
#include <stdlib.h>
|
|
19
|
+
|
|
20
|
+
#include <algorithm>
|
|
21
|
+
#include <cstdint>
|
|
22
|
+
#include <vector>
|
|
23
|
+
|
|
24
|
+
#include "algebra/fp.h"
|
|
25
|
+
#include "algebra/fp24.h"
|
|
26
|
+
#include "gf2k/gf2_128.h"
|
|
27
|
+
#include "random/secure_random_engine.h"
|
|
28
|
+
#include "random/transcript.h"
|
|
29
|
+
#include "gtest/gtest.h"
|
|
30
|
+
|
|
31
|
+
namespace proofs {
|
|
32
|
+
namespace {
|
|
33
|
+
typedef Fp<1> Field;
|
|
34
|
+
typedef Field::Elt Elt;
|
|
35
|
+
static const Field F("18446744069414584321");
|
|
36
|
+
|
|
37
|
+
static void test_bytes(RandomEngine *e) {
|
|
38
|
+
// check that no bit is stuck at 0 or 1.
|
|
39
|
+
constexpr size_t N = 100;
|
|
40
|
+
uint8_t buf[N];
|
|
41
|
+
|
|
42
|
+
e->bytes(buf, N);
|
|
43
|
+
uint8_t band = 0xFFu, bor = 0x00u;
|
|
44
|
+
for (size_t i = 0; i < N; ++i) {
|
|
45
|
+
band &= buf[i];
|
|
46
|
+
bor |= buf[i];
|
|
47
|
+
}
|
|
48
|
+
EXPECT_EQ(band, 0x00u);
|
|
49
|
+
EXPECT_EQ(bor, 0xFFu);
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
static void test_nat(RandomEngine *e, size_t ub) {
|
|
53
|
+
// check that no bit is stuck at 0 or 1.
|
|
54
|
+
constexpr size_t N = 100;
|
|
55
|
+
|
|
56
|
+
size_t bor = 0;
|
|
57
|
+
size_t band = ~bor;
|
|
58
|
+
for (size_t i = 0; i < N; ++i) {
|
|
59
|
+
size_t u = e->nat(ub);
|
|
60
|
+
EXPECT_LT(u, ub);
|
|
61
|
+
band &= u;
|
|
62
|
+
bor |= u;
|
|
63
|
+
}
|
|
64
|
+
EXPECT_EQ(band, 0u);
|
|
65
|
+
EXPECT_EQ(bor, e->mask(ub - 1));
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
static void test_elt(RandomEngine *e) {
|
|
69
|
+
// Basic sanity test: Generate an array of elements and check that they
|
|
70
|
+
// are not all the same. Beware of the birthday paradox.
|
|
71
|
+
constexpr size_t N = 30;
|
|
72
|
+
Elt x[N];
|
|
73
|
+
e->elt(x, N, F);
|
|
74
|
+
for (size_t i = 0; i < N; ++i) {
|
|
75
|
+
for (size_t j = 0; j < N; ++j) {
|
|
76
|
+
if (i != j) {
|
|
77
|
+
// Generated elements in an array shouldn't equal to each other.
|
|
78
|
+
EXPECT_NE(x[i], x[j]);
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
|
|
84
|
+
static void test_choose(RandomEngine *e, size_t n, size_t k) {
|
|
85
|
+
std::vector<size_t> r(k);
|
|
86
|
+
e->choose(r.data(), n, k);
|
|
87
|
+
for (size_t i = 0; i < k; ++i) {
|
|
88
|
+
EXPECT_LT(r[i], n);
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
// sort the array and check that all elements
|
|
92
|
+
// are distinct
|
|
93
|
+
std::sort(r.begin(), r.end());
|
|
94
|
+
for (size_t i = 1; i < k; ++i) {
|
|
95
|
+
EXPECT_LT(r[i - 1], r[i]);
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
|
|
99
|
+
static void test_all(RandomEngine *e) {
|
|
100
|
+
test_bytes(e);
|
|
101
|
+
test_nat(e, 7);
|
|
102
|
+
test_nat(e, 8);
|
|
103
|
+
test_nat(e, 9);
|
|
104
|
+
test_nat(e, (1u << 31) + ((1u << 31) - 1u));
|
|
105
|
+
test_elt(e);
|
|
106
|
+
for (size_t k = 0; k <= 32; ++k) {
|
|
107
|
+
test_choose(e, 32, k);
|
|
108
|
+
}
|
|
109
|
+
test_choose(e, 10000, 42);
|
|
110
|
+
test_choose(e, 10000, 10000);
|
|
111
|
+
}
|
|
112
|
+
|
|
113
|
+
static void test_mask(RandomEngine *e) {
|
|
114
|
+
for (size_t n = 0; n < 1000; ++n) {
|
|
115
|
+
size_t m = e->mask(n);
|
|
116
|
+
EXPECT_TRUE(n == (n & m));
|
|
117
|
+
EXPECT_TRUE((m == 0) || (n != (n & (m >> 1))));
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
|
|
121
|
+
TEST(Random, FSPRF) {
|
|
122
|
+
Transcript ts((uint8_t *)"test", 4);
|
|
123
|
+
test_all(&ts);
|
|
124
|
+
test_mask(&ts);
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
TEST(Random, SmallPrime24Bit) {
|
|
128
|
+
// 24-bit prime: 2^24 - 3
|
|
129
|
+
typedef Fp<1> Field24;
|
|
130
|
+
Field24 F("16777213");
|
|
131
|
+
SecureRandomEngine e;
|
|
132
|
+
constexpr size_t N = 100;
|
|
133
|
+
for (size_t i = 0; i < N; ++i) {
|
|
134
|
+
Field24::Elt x = e.elt(F);
|
|
135
|
+
EXPECT_LT(x.n, F.m_);
|
|
136
|
+
x = e.subfield_elt(F);
|
|
137
|
+
EXPECT_LT(x.n, F.m_);
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
TEST(Random, Fp24) {
|
|
142
|
+
// 24-bit prime: 2^24 - 3
|
|
143
|
+
Fp24 F(8380417);
|
|
144
|
+
SecureRandomEngine e;
|
|
145
|
+
constexpr size_t N = 100;
|
|
146
|
+
for (size_t i = 0; i < N; ++i) {
|
|
147
|
+
Fp24::Elt x = e.elt(F);
|
|
148
|
+
EXPECT_LT(x.n, F.m_);
|
|
149
|
+
x = e.subfield_elt(F);
|
|
150
|
+
EXPECT_LT(x.n, F.m_);
|
|
151
|
+
}
|
|
152
|
+
}
|
|
153
|
+
|
|
154
|
+
TEST(Random, LargePrime80Bit) {
|
|
155
|
+
// 80-bit prime: 2^80 - 65
|
|
156
|
+
typedef Fp<2> Field80;
|
|
157
|
+
Field80 F("1208925819614629174706111");
|
|
158
|
+
SecureRandomEngine e;
|
|
159
|
+
constexpr size_t N = 100;
|
|
160
|
+
for (size_t i = 0; i < N; ++i) {
|
|
161
|
+
Field80::Elt x = e.elt(F);
|
|
162
|
+
EXPECT_LT(x.n, F.m_);
|
|
163
|
+
x = e.subfield_elt(F);
|
|
164
|
+
EXPECT_LT(x.n, F.m_);
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
|
|
168
|
+
TEST(Random, GF2_128) {
|
|
169
|
+
typedef GF2_128<> FieldGF;
|
|
170
|
+
FieldGF F;
|
|
171
|
+
SecureRandomEngine e;
|
|
172
|
+
constexpr size_t N = 100;
|
|
173
|
+
for (size_t i = 0; i < N; ++i) {
|
|
174
|
+
FieldGF::Elt x = e.elt(F);
|
|
175
|
+
// Every array of 128 bits is a valid element of GF2_128.
|
|
176
|
+
// The main point here is verifying `elt` compiles.
|
|
177
|
+
EXPECT_TRUE(x == x);
|
|
178
|
+
x = e.subfield_elt(F);
|
|
179
|
+
EXPECT_TRUE(x == x);
|
|
180
|
+
}
|
|
181
|
+
}
|
|
182
|
+
|
|
183
|
+
TEST(Random, SecureRandomEngine) {
|
|
184
|
+
SecureRandomEngine e;
|
|
185
|
+
test_all(&e);
|
|
186
|
+
}
|
|
187
|
+
|
|
188
|
+
} // namespace
|
|
189
|
+
} // namespace proofs
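Review bot: The comment in `TEST(Random, Fp24)` reads `// 24-bit prime: 2^24 - 3`, but the modulus passed to `Fp24 F(8380417)` is 2^23 - 2^13 + 1. It looks copied from `SmallPrime24Bit` and should read `// 23-bit prime: 2^23 - 2^13 + 1`. Separately, the largest bound `test_all` passes to `test_nat` is 2^32 - 1, so on a 64-bit `size_t` the sampler is never asked for more than four random bytes. Adding `test_nat(e, SIZE_MAX);` would cover the full-width case, assuming `nat` accepts that bound (its opening lines are not in view). The field tests assert only `x.n < F.m_`, which is a range check and not evidence of uniformity; the comment on `test_elt` also says "not all the same" while the loop checks pairwise distinctness.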
|
|
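--- a/data/vendor/longfellow-zk/lib/random/secure_random_engine.h
+++ b/data/vendor/longfellow-zk/lib/random/secure_random_engine.h
@@ -0,0 +1,37 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_RANDOM_SECURE_RANDOM_ENGINE_H_
+#define PRIVACY_PROOFS_ZK_LIB_RANDOM_SECURE_RANDOM_ENGINE_H_
+
+#include <stdlib.h>
+
+#include <cstddef>
+#include <cstdint>
+
+#include "random/random.h"
+#include "util/crypto.h"
+
+namespace proofs {
+
+// SecureRandomEngine is a RandomEngine that uses openssl.
+class SecureRandomEngine : public RandomEngine {
+public:
+SecureRandomEngine() = default;
+void bytes(uint8_t* buf, size_t n) override { rand_bytes(buf, n); }
+};
+
+} // namespace proofs
+
+#endif // PRIVACY_PROOFS_ZK_LIB_RANDOM_SECURE_RANDOM_ENGINE_H_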
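Review bot: `bytes()` discards whatever `rand_bytes(buf, n)` returns. If that helper (declared in `util/crypto.h`, not shown in this section) can report failure, callers would go on to use a buffer that was never filled with random data. If it returns a status, fail closed here with something like `check(rand_bytes(buf, n), "rand_bytes failed");`, adapted to the helper's actual return convention. If it already aborts internally, record that in the class comment, e.g. `// rand_bytes() aborts on RNG failure, so bytes() always fills buf.` Nothing in this header appears to use `<stdlib.h>`, so that include can probably be dropped.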