longfellow 0.1.0

data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h

@@ -0,0 +1,71 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_CIRCUIT_ID_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_CIRCUIT_ID_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+
+#include "sumcheck/circuit.h"
+#include "util/crypto.h"
+
+namespace proofs {
+
+// This method produces a unique name for a circuit. It does not match
+// the serialization method for the circuit.
+template <class Field>
+void circuit_id(uint8_t id[/*32*/], const Circuit<Field>& c, const Field& F) {
+  const uint64_t CHAR2 = 0x2;
+  const uint64_t ODD = 0x1;
+  SHA256 sha;
+  uint8_t tmp[Field::kBytes];
+  if (F.kCharacteristicTwo) {
+    // Characteristic two fields are uniquely determined by their length
+    // in our codebase.
+    sha.Update8(CHAR2);  // Indicates binary field.
+    sha.Update8(F.kBits);
+  } else {
+    // Prime fields are determined by -1.
+    sha.Update8(ODD);  // Indicates odd prime field.
+    F.to_bytes_field(tmp, F.mone());
+    sha.Update(tmp, sizeof(tmp));
+  }
+  sha.Update8(c.nv);
+  sha.Update8(c.logv);
+  sha.Update8(c.nc);
+  sha.Update8(c.logc);
+  sha.Update8(c.nl);
+  sha.Update8(c.ninputs);
+  sha.Update8(c.npub_in);
+  sha.Update8(c.subfield_boundary);
+  for (const auto& layer : c.l) {
+    sha.Update8(layer.nw);
+    sha.Update8(layer.logw);
+    sha.Update8(layer.quad->size());
+    for (const auto& ec : *layer.quad) {
+      sha.Update8(static_cast<uint64_t>(ec.g));
+      sha.Update8(static_cast<uint64_t>(ec.h[0]));
+      sha.Update8(static_cast<uint64_t>(ec.h[1]));
+      F.to_bytes_field(tmp, ec.v);
+      sha.Update(tmp, sizeof(tmp));
+    }
+  }
+  sha.DigestData(id);
+}
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_CIRCUIT_ID_H_

data/vendor/longfellow-zk/lib/sumcheck/equad.h

@@ -0,0 +1,126 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_EQUAD_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_EQUAD_H_
+
+#include <stddef.h>
+
+#include <algorithm>
+#include <cstdint>
+#include <vector>
+
+#include "algebra/compare.h"
+#include "util/ceildiv.h"
+#define DEFINE_STRONG_INT_TYPE(a, b) using a = b
+
+// ------------------------------------------------------------
+// Expanded representation of the Quad
+namespace proofs {
+template <class Field>
+class EQuad {
+  using Elt = typename Field::Elt;
+
+ public:
+  // To save space when representing large circuits, quad_corner_t
+  // is defined as uint32_t.  (Note that Elt probably imposes uint64_t
+  // alignment, so struct corner has holes.)
+  //
+  // To make the narrowing explicit, define corner_t as a
+  // Google-specific strong int.  Outside of Google, replace
+  // this definition with a typedef.
+  DEFINE_STRONG_INT_TYPE(quad_corner_t, uint32_t);
+
+  struct ecorner {
+    quad_corner_t g;     // "gate" variable
+    quad_corner_t h[2];  // two "hand" variables
+    Elt v;
+
+    // equality of indices
+    bool eqndx(const ecorner& y) const {
+      return (g == y.g && h[0] == y.h[0] && h[1] == y.h[1]);
+    }
+
+    bool eq_hands(const ecorner& y) const {
+      return (h[0] == y.h[0] && h[1] == y.h[1]);
+    }
+
+    void canonicalize() {
+      quad_corner_t h0 = h[0], h1 = h[1];
+      h[0] = std::min<quad_corner_t>(h0, h1);
+      h[1] = std::max<quad_corner_t>(h0, h1);
+    }
+  };
+
+  using index_t = size_t;
+  index_t n_;
+  std::vector<ecorner> ec_;
+
+  explicit EQuad(index_t n) : n_(n), ec_(n) {}
+
+  // no copies
+  EQuad(const EQuad& y) = delete;
+  EQuad(EQuad&& y) = delete;
+  EQuad& operator=(const EQuad& y) = delete;
+  EQuad& operator=(EQuad&& y) = delete;
+
+  void canonicalize(const Field& F) {
+    for (index_t i = 0; i < n_; ++i) {
+      ec_[i].canonicalize();
+    }
+    // Sort only the first n_ elements, as n_ may have been reduced by
+    // coalescing.
+    std::sort(ec_.begin(), ec_.begin() + n_,
+              [&F](const ecorner& x, const ecorner& y) {
+                return compare_ecorner(x, y, F);
+              });
+    coalesce(F);
+  }
+
+ private:
+  static bool compare_ecorner(const ecorner& x, const ecorner& y,
+                              const Field& F) {
+    if (morton::lt(size_t(x.h[0]), size_t(x.h[1]), size_t(y.h[0]),
+                   size_t(y.h[1]))) {
+      return true;
+    } else if (morton::eq(size_t(x.h[0]), size_t(x.h[1]), size_t(y.h[0]),
+                          size_t(y.h[1]))) {
+      if (x.g < y.g) return true;
+      if (x.g > y.g) return false;
+      return elt_less_than(x.v, y.v, F);
+    } else {
+      return false;
+    }
+  }
+
+  void coalesce(const Field& F) {
+    // Coalesce duplicates.
+    // The (rd,wr)=(0,0) iteration executes the else{} branch and
+    // continues with (1,1), so we start at (1,1) and avoid the
+    // special case for wr-1 at wr=0.
+    index_t wr = 1;
+    for (index_t rd = 1; rd < n_; ++rd) {
+      if (ec_[rd].eqndx(ec_[wr - 1])) {
+        F.add(ec_[wr - 1].v, ec_[rd].v);
+      } else {
+        ec_[wr] = ec_[rd];
+        wr++;
+      }
+    }
+    n_ = wr;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_EQUAD_H_

data/vendor/longfellow-zk/lib/sumcheck/hquad.h

@@ -0,0 +1,115 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_HQUAD_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_HQUAD_H_
+
+#include <stddef.h>
+
+#include <vector>
+
+#include "arrays/affine.h"
+#include "sumcheck/equad.h"
+#include "util/panic.h"
+
+// ------------------------------------------------------------
+// Representation of the quad after bind_g, in which case g = 0
+// and we don't need to store it.
+namespace proofs {
+template <class Field>
+class HQuad {
+  using Elt = typename Field::Elt;
+
+ public:
+  using quad_corner_t = typename EQuad<Field>::quad_corner_t;
+  using index_t = typename EQuad<Field>::index_t;
+
+  // Ideally we would write
+  //
+  //  struct hcorner {
+  //    quad_corner_t h[2];
+  //    Elt v;
+  //  };
+  //
+  // However, Elt may be 128-bit aligned, causing holes in the struct.
+  // Thus we store an array of H and an array of V.
+
+  struct hcorner {
+    quad_corner_t h[2];  // two "hand" variables
+
+    bool eq_hands(const hcorner& y) const {
+      return (h[0] == y.h[0] && h[1] == y.h[1]);
+    }
+  };
+  struct vcorner {
+    Elt v;
+  };
+
+  index_t n_;
+  std::vector<hcorner> hc_;
+  std::vector<vcorner> vc_;
+
+  explicit HQuad(index_t n) : n_(n), hc_(n), vc_(n) {}
+
+  // no copies
+  HQuad(const HQuad& y) = delete;
+  HQuad(HQuad&& y) = delete;
+  HQuad& operator=(const HQuad& y) = delete;
+  HQuad& operator=(HQuad&& y) = delete;
+
+  void bind_h(const Elt& r, size_t hand, const Field& F) {
+    index_t rd = 0, wr = 0;
+    while (rd < n_) {
+      hcorner hcc;
+      vcorner vcc;
+      hcc.h[hand] = hc_[rd].h[hand] >> 1;
+      hcc.h[1 - hand] = hc_[rd].h[1 - hand];
+
+      size_t rd1 = rd + 1;
+      if (rd1 < n_ &&                                           //
+          hc_[rd].h[1 - hand] == hc_[rd1].h[1 - hand] &&        //
+          (hc_[rd].h[hand] >> 1) == (hc_[rd1].h[hand] >> 1) &&  //
+          hc_[rd1].h[hand] == hc_[rd].h[hand] + quad_corner_t(1)) {
+        // we have two corners.
+        vcc.v = affine_interpolation(r, vc_[rd].v, vc_[rd1].v, F);
+        rd += 2;
+      } else {
+        // we have one corner and the other one is zero.
+        if ((hc_[rd].h[hand] & quad_corner_t(1)) == quad_corner_t(0)) {
+          vcc.v = affine_interpolation_nz_z(r, vc_[rd].v, F);
+        } else {
+          vcc.v = affine_interpolation_z_nz(r, vc_[rd].v, F);
+        }
+        rd = rd1;
+      }
+
+      hc_[wr] = hcc;
+      vc_[wr] = vcc;
+      ++wr;
+    }
+
+    // shrink the array
+    n_ = wr;
+  }
+
+  Elt scalar() const {
+    check(n_ == 1, "n_ == 1");
+    check(hc_[0].h[0] == quad_corner_t(0), "hc_[0].h[0] == 0");
+    check(hc_[0].h[1] == quad_corner_t(0), "hc_[0].h[1] == 0");
+    return vc_[0].v;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_HQUAD_H_

data/vendor/longfellow-zk/lib/sumcheck/prover.h

@@ -0,0 +1,59 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_PROVER_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_PROVER_H_
+
+#include <stddef.h>
+
+#include "random/transcript.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/prover_layers.h"
+#include "sumcheck/transcript_sumcheck.h"
+
+namespace proofs {
+
+// A high level idea is partially described in chapter 4.6.7 "Leveraging Data
+// Parallelism for Further Speedups" in the book "Proofs, Arguments, and
+// Zero-Knowledge" by Justin Thaler.
+template <class Field>
+class Prover : public ProverLayers<Field> {
+  using super = ProverLayers<Field>;
+  using typename super::bindings;
+
+ public:
+  using typename super::inputs;
+
+  explicit Prover(const Field& f) : ProverLayers<Field>(f) {}
+
+  // Generate proof for circuit. pad can be nullptr if the caller does not
+  // want to add any pad to the proof. Caller must ensure in, t, and F remain
+  // valid during call duration.
+  // This method always succeeds, but may not produce a verifying proof if
+  // the inputs do not satisfy the circuit.
+  void prove(Proof<Field>* proof, const Proof<Field>* pad,
+             const Circuit<Field>* circ, const inputs& in, Transcript& t) {
+    if (proof == nullptr || circ == nullptr) return;
+
+    TranscriptSumcheck<Field> ts(t, super::f_);
+    // The input X is stored at in's layer nl - 1.
+    ts.write_input(in.at(circ->nl - 1).get());
+    bindings bnd;
+    super::prove(proof, pad, circ, in, /*aux=*/nullptr, bnd, ts, super::f_);
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_PROVER_H_