longfellow 0.1.0

data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h

@@ -0,0 +1,211 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_QUAD_BUILDER_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_QUAD_BUILDER_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <memory>
+#include <unordered_map>
+#include <vector>
+
+#include "algebra/hash.h"
+#include "sumcheck/equad.h"
+#include "sumcheck/quad.h"
+#include "util/panic.h"
+
+// Helper functions for building quads.  They should be used only
+// by tests and the compiler, but not by the prover and verifier.
+namespace proofs {
+
+// helper class for builting the kvec_ vector
+template <class Field>
+class KvecBuilder {
+  using Elt = typename Field::Elt;
+  using kvec_t = std::vector<Elt>;
+
+  // Class that defines the hash function for Elt.
+  class EltHash {
+   public:
+    const Field& f_;
+    explicit EltHash(const Field& f) : f_(f) {}
+    size_t operator()(const Elt& k) const { return elt_hash(k, f_); }
+  };
+
+ public:
+  explicit KvecBuilder(const Field& f)
+      : table_(10, EltHash(f)), kvec_(std::make_shared<kvec_t>()) {}
+
+  size_t kstore(const Elt& k) {
+    auto [it, inserted] = table_.try_emplace(k, 0);
+    if (inserted) {
+      it->second = kvec_->size();
+      kvec_->push_back(k);
+    }
+    return it->second;
+  }
+
+  size_t kload(const Elt& k) const {
+    if (auto search = table_.find(k); search != table_.end()) {
+      return search->second;
+    }
+    check(false, "kload() failed");
+    return 0;
+  }
+
+  std::shared_ptr<kvec_t> kvec() { return kvec_; }
+
+ private:
+  std::unordered_map<Elt, size_t, EltHash> table_;
+  std::shared_ptr<kvec_t> kvec_;
+};
+
+// hasher for delta_corner
+template <class Field>
+struct delta_corner_hash {
+  using delta_corner = typename Quad<Field>::delta_corner;
+  static uint64_t hash_combine(uint64_t seed, uint64_t v) {
+    return (seed * 0x100000001b3ull) ^ v;
+  }
+  uint64_t operator()(const delta_corner& d) const {
+    uint64_t h = 0xcbf29ce484222325ull;
+    h = hash_combine(h, static_cast<uint32_t>(d.dg));
+    h = hash_combine(h, static_cast<uint32_t>(d.dh[0]));
+    h = hash_combine(h, static_cast<uint32_t>(d.dh[1]));
+    h = hash_combine(h, d.vi);
+    return h;
+  }
+};
+
+// helper class for building the delta_table_ vector
+template <class Field>
+class DeltaTableBuilder {
+  using quad_corner_t = typename Quad<Field>::quad_corner_t;
+  using delta_corner = typename Quad<Field>::delta_corner;
+  using delta_table_t = typename Quad<Field>::delta_table_t;
+
+ public:
+  DeltaTableBuilder() : delta_table_(std::make_shared<delta_table_t>()) {}
+
+  uint32_t dedup(quad_corner_t dg, quad_corner_t dh0, quad_corner_t dh1,
+                 uint32_t vi) {
+    delta_corner d{dg, {dh0, dh1}, vi};
+    auto [it, inserted] = delta_map_.try_emplace(d, delta_table_->size());
+    if (inserted) {
+      delta_table_->push_back(d);
+    }
+    return it->second;
+  }
+
+  std::shared_ptr<delta_table_t> delta_table() { return delta_table_; }
+
+ private:
+  std::shared_ptr<delta_table_t> delta_table_;
+  std::unordered_map<delta_corner, uint32_t, delta_corner_hash<Field>>
+      delta_map_;
+};
+
+// ApproximateDeltaTableBuilder is like DeltaTableBuilder, but with a two-way
+// set-associative cache instead of an exact hash table. We prefer quick lookup
+// at the cost of missing some deduplications.
+template <class Field>
+class ApproximateDeltaTableBuilder {
+  using quad_corner_t = typename Quad<Field>::quad_corner_t;
+  using delta_corner = typename Quad<Field>::delta_corner;
+  using delta_table_t = typename Quad<Field>::delta_table_t;
+
+ public:
+  explicit ApproximateDeltaTableBuilder(size_t cache_size)
+      : delta_table_(std::make_shared<delta_table_t>()), cache_(cache_size) {}
+
+  uint32_t dedup(quad_corner_t dg, quad_corner_t dh0, quad_corner_t dh1,
+                 uint32_t vi) {
+    delta_corner d{dg, {dh0, dh1}, vi};
+    size_t h = delta_corner_hash<Field>{}(d);
+    size_t idx = static_cast<size_t>(h % cache_.size());
+    CacheEntry& ent = cache_[idx];
+    if (ent.slots[0].valid && ent.slots[0].d == d) {
+      return ent.slots[0].index;
+    }
+    if (ent.slots[1].valid && ent.slots[1].d == d) {
+      // Maintain the LRU property that slot[0] is the most recently used.
+      std::swap(ent.slots[0], ent.slots[1]);
+      return ent.slots[0].index;
+    }
+
+    uint32_t index = delta_table_->size();
+    delta_table_->push_back(d);
+    // LRU eviction.
+    ent.slots[1] = ent.slots[0];
+    ent.slots[0] = {d, index, true};
+    return index;
+  }
+
+  std::shared_ptr<delta_table_t> delta_table() { return delta_table_; }
+
+ private:
+  struct Slot {
+    delta_corner d;
+    uint32_t index;
+    bool valid = false;
+  };
+
+  struct CacheEntry {
+    Slot slots[2];
+  };
+
+  std::shared_ptr<delta_table_t> delta_table_;
+  std::vector<CacheEntry> cache_;
+};
+
+template <class Field>
+class QuadBuilder {
+  using Elt = typename Field::Elt;
+  using ecorner = typename EQuad<Field>::ecorner;
+  using index_t = typename EQuad<Field>::index_t;
+
+ public:
+  // Convert an EQuad into a Quad by collecting all constants in the
+  // EQuad.  A more refined approach would collect all constants
+  // in all layers.
+  static std::unique_ptr<Quad<Field>> compress(const EQuad<Field>* EQUAD,
+                                               const Field& f) {
+    KvecBuilder<Field> kb(f);
+    // collect all constants
+    for (index_t i = 0; i < EQUAD->n_; ++i) {
+      (void)kb.kstore(EQUAD->ec_[i].v);
+    }
+
+    DeltaTableBuilder<Field> db;
+    auto q =
+        std::make_unique<Quad<Field>>(EQUAD->n_, kb.kvec(), db.delta_table());
+    using QuadCorner = typename Quad<Field>::quad_corner_t;
+    QuadCorner prev_g(0), prev_h0(0), prev_h1(0);
+    for (index_t i = 0; i < EQUAD->n_; ++i) {
+      const ecorner& eqi = EQUAD->ec_[i];
+      q->assign(i,
+                db.dedup(eqi.g - prev_g, eqi.h[0] - prev_h0, eqi.h[1] - prev_h1,
+                         static_cast<uint32_t>(kb.kload(eqi.v))));
+      prev_g = eqi.g;
+      prev_h0 = eqi.h[0];
+      prev_h1 = eqi.h[1];
+    }
+    return q;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_QUAD_BUILDER_H_

data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc

@@ -0,0 +1,169 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "sumcheck/quad.h"
+
+#include <stddef.h>
+
+#include <memory>
+#include <utility>
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "arrays/affine.h"
+#include "arrays/sparse.h"
+#include "sumcheck/equad.h"
+#include "sumcheck/hquad.h"
+#include "sumcheck/quad_builder.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+typedef Fp<1> Field;
+static const Field F("18446744073709551557");
+typedef Field::Elt Elt;
+Bogorng<Field> rng(&F);
+typedef EQuad<Field>::quad_corner_t quad_corner_t;
+typedef EQuad<Field>::index_t index_t;
+
+class RandomSlice {
+ public:
+  std::vector<Elt> r_;
+  explicit RandomSlice(size_t n) : r_(n) {
+    for (size_t i = 0; i < n; ++i) {
+      r_[i] = rng.next();
+    }
+  }
+};
+
+Elt lagrange(quad_corner_t p, size_t logn, const Elt* R) {
+  Elt l = F.one();
+  for (size_t i = 0; i < logn; i++) {
+    if ((p & (quad_corner_t(1) << i)) != quad_corner_t(0)) {
+      F.mul(l, R[i]);
+    } else {
+      F.mul(l, F.subf(F.one(), R[i]));
+    }
+  }
+  return l;
+}
+
+void one_bind_g(index_t n, size_t logn) {
+  RandomSlice R(logn);
+  RandomSlice R2(logn);
+  auto EQUAD = std::make_unique<EQuad<Field>>(n);
+  Elt s = F.zero();
+  Elt s2 = F.zero();
+  Elt alpha = rng.next();
+  for (index_t i = 0; i < n; ++i) {
+    quad_corner_t p = quad_corner_t(13 * i);
+    Elt r = rng.next();
+    EQUAD->ec_[i] = EQuad<Field>::ecorner{
+        .g = p, .h = {quad_corner_t(0), quad_corner_t(0)}, .v = r};
+    F.add(s, F.mulf(r, lagrange(p, logn, R.r_.data())));
+    F.add(s2, F.mulf(r, lagrange(p, logn, R2.r_.data())));
+  }
+
+  auto QUAD = QuadBuilder<Field>::compress(EQUAD.get(), F);
+  auto HQUAD =
+      QUAD->bind_g(logn, R.r_.data(), R2.r_.data(), alpha, F.zero(), F);
+  EXPECT_EQ(HQUAD->scalar(), F.addf(s, F.mulf(alpha, s2)));
+}
+
+TEST(EQuad, BindG) {
+  one_bind_g(index_t(666), 10 + 4);
+  one_bind_g(index_t(1), 9 + 4);
+  for (size_t i = 200; i < 300; i++) {
+    one_bind_g(index_t(i), 9 + 4);
+  }
+  one_bind_g(index_t(467), 9 + 4);
+  one_bind_g(index_t(512), 9 + 4);
+}
+
+// compare interleaved binding of quad<> with
+// a pair of bind_all() of Sparse<>.
+void one_bind_h(index_t n, size_t logn) {
+  auto EQUAD = std::make_unique<EQuad<Field>>(n);
+  auto S = Sparse<Field>(n);
+  RandomSlice R0(logn);
+  RandomSlice R1(logn);
+  size_t mask = (size_t(1) << logn) - 1;
+  for (index_t i = 0; i < n; ++i) {
+    quad_corner_t h0 = quad_corner_t((13 * i + 4) & mask);
+    quad_corner_t h1 = quad_corner_t((23 * i + 3) & mask);
+
+    // EQuad<Field> canonicalizes h0, h1 because
+    // they are only used for a commutative F.mul,
+    // but Sparse<Field> does not, so we canonicalize
+    // h0, h1 in advance
+    if (h0 > h1) {
+      std::swap(h0, h1);
+    }
+
+    Elt r = rng.next();
+    EQUAD->ec_[i] =
+        EQuad<Field>::ecorner{.g = quad_corner_t(0), .h = {h0, h1}, .v = r};
+    S.c_[i] = Sparse<Field>::corner{
+        .p0 = 0, .p1 = corner_t(h0), .p2 = corner_t(h1), .v = r};
+  }
+
+  EQUAD->canonicalize(F);
+  S.canonicalize(F);
+  S.reshape();
+
+  S.bind_all(logn, R0.r_.data(), F);
+  S.reshape();
+  S.bind_all(logn, R1.r_.data(), F);
+  auto QUAD = QuadBuilder<Field>::compress(EQUAD.get(), F);
+  auto HQUAD = QUAD->bind_g(/*logv=*/0, nullptr, nullptr, /*alpha=*/F.zero(),
+                            /*beta=*/F.zero(), F);
+
+  for (size_t round = 0; round < logn; ++round) {
+    HQUAD->bind_h(R0.r_[round], /*hand=*/0, F);
+    HQUAD->bind_h(R1.r_[round], /*hand=*/1, F);
+  }
+
+  EXPECT_EQ(HQUAD->scalar(), S.scalar());
+}
+
+TEST(EQuad, BindH) {
+  one_bind_h(index_t(666), 10);
+  one_bind_h(index_t(1), 9);
+  for (size_t i = 200; i < 300; i++) {
+    for (size_t logn = 1; logn < 20; ++logn) {
+      one_bind_h(index_t(i), logn);
+    }
+  }
+  one_bind_h(index_t(467), 9);
+  one_bind_h(index_t(512), 9);
+  one_bind_h(index_t(512), 33);
+}
+
+TEST(ApproximateDeltaTableBuilder, Basic) {
+  ApproximateDeltaTableBuilder<Field> db(10);
+  // These three should be different and likely hash to different buckets,
+  // but if they collide it's also fine for the builder's correctness.
+  db.dedup(quad_corner_t(1), quad_corner_t(2), quad_corner_t(3), 4);
+  db.dedup(quad_corner_t(5), quad_corner_t(6), quad_corner_t(7), 8);
+  db.dedup(quad_corner_t(1), quad_corner_t(2), quad_corner_t(3), 4);
+
+  auto table = db.delta_table();
+  // If no collision, size should be 2. If collision, size could be 3.
+  EXPECT_GE(table->size(), 2);
+  EXPECT_LE(table->size(), 3);
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc

@@ -0,0 +1,324 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <algorithm>
+#include <cstdint>
+#include <cstdlib>
+#include <memory>
+#include <utility>
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "arrays/affine.h"
+#include "arrays/dense.h"
+#include "random/transcript.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/equad.h"
+#include "sumcheck/prover.h"
+#include "sumcheck/quad.h"
+#include "sumcheck/quad_builder.h"
+#include "sumcheck/verifier.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+using Field = Fp<4>;
+static const Field F(
+    "11579208923731619542357098500868790785326998466564056403945758400790883467"
+    "1663");
+using Elt = typename Field::Elt;
+
+Bogorng<Field> rng(&F);
+using index_t = Quad<Field>::index_t;
+using ecorner = EQuad<Field>::ecorner;
+using quad_corner_t = Quad<Field>::quad_corner_t;
+
+/* From https://eprint.iacr.org/2015/1060.pdf Algorithm 7: Complete,
+   projective point addition for prime order j-invariant 0 short
+   Weierstrass curves E/Fq : y^2 = x^3 + b.
+
+   X3 = (X1 Y2 + X2 Y1)(Y1 Y2 - 3b Z1 Z2) - 3b(Y1 Z2 + Y2 Z1)(X1 Z2 + X2 Z1)
+   Y3 = (Y1 Y2 + 3b Z1 Z2)(Y1 Y2 - 3b Z1 Z2) + 9b X1 X2 (X1 Z2 + X2 Z1)
+   Z3 = (Y1 Z2 + Y2 Z1)(Y1 Y2 + 3b Z1 Z2) + 3 X1 X2(X1 Y2 + X2 Y1)
+*/
+
+constexpr uint64_t b = 7;
+Elt kone = F.one(), k3 = F.of_scalar(3), k3b = F.of_scalar(3 * b),
+    k9b = F.of_scalar(9 * b);
+
+void addE(Elt* X3, Elt* Y3, Elt* Z3, const Elt& X1, const Elt& Y1,
+          const Elt& Z1, const Elt& X2, const Elt& Y2, const Elt& Z2) {
+  // after common-subexpression elimination:
+  Elt t0 = F.mulf(X2, Y1);
+  Elt t1 = F.mulf(X1, Y2);
+  Elt t2 = F.addf(t1, t0);
+  Elt t3 = F.mulf(Y1, Y2);
+  Elt t4 = F.mulf(Z1, Z2);
+  Elt t5 = F.mulf(Y1, Z2);
+  Elt t6 = F.mulf(Y2, Z1);
+  Elt t7 = F.addf(t5, t6);
+  Elt t8 = F.mulf(X1, Z2);
+  Elt t9 = F.mulf(X2, Z1);
+  Elt t10 = F.addf(t8, t9);
+  Elt t11 = F.mulf(X1, X2);
+  Elt t12 = F.mulf(k3b, t4);
+  Elt t13 = F.addf(t3, t12);
+  Elt t14 = F.subf(t3, t12);
+
+  *X3 = F.subf(F.mulf(t2, t14), F.mulf(k3b, F.mulf(t7, t10)));
+  *Y3 = F.addf(F.mulf(t13, t14), F.mulf(k9b, F.mulf(t11, t10)));
+  *Z3 = F.addf(F.mulf(t7, t13), F.mulf(k3, F.mulf(t11, t2)));
+}
+
+/* Rewrite as quadratic forms in two layers:
+
+L2:
+   t0 = (Y1 Y2 + 3b Z1 Z2)
+   t1 = (X1 Y2 + X2 Y1)
+   t2 = (Y1 Y2 - 3b Z1 Z2)
+   t3 = (Y1 Z2 + Y2 Z1)
+   t4 = (X1 Z2 + X2 Z1)
+   t5 = X1 X2
+
+L1:
+   X3 = t1 t2 - 3b t3 t4
+   Y3 = t0 t2 + 9b t5 t4
+   Z3 = t3 t0 + 3 t5 t1
+*/
+
+// input wires
+enum { wX1, wY1, wZ1, wX2, wY2, wZ2 };
+
+// t[i] implicitly i
+
+// output wires
+enum {
+  wX3,
+  wY3,
+  wZ3,
+};
+
+struct testquad {
+  Elt coef;
+  size_t g, l, r;
+};
+
+std::unique_ptr<Quad<Field>> sparse_of_testquad(size_t n,
+                                                const struct testquad* q) {
+  auto S = std::make_unique<EQuad<Field>>(n);
+
+  for (size_t i = 0; i < n; i++) {
+    auto l = q[i].l, r = q[i].r;
+
+    // canonicalize to l <= r
+    if (l > r) {
+      std::swap(l, r);
+    }
+
+    S->ec_[i] = ecorner{.g = quad_corner_t(q[i].g),
+                        .h = {quad_corner_t(r), quad_corner_t(l)},
+                        .v = q[i].coef};
+  }
+
+  S->canonicalize(F);
+  return QuadBuilder<Field>::compress(S.get(), F);
+}
+
+#define NELEM(x) (sizeof(x) / sizeof(x[0]))
+
+std::unique_ptr<Quad<Field>> addE_quad0() {
+  testquad Q[] = {
+      // X3 = t1 t2 - 3b t3 t4
+      {kone, wX3, 1, 2},
+      {F.negf(k3b), wX3, 3, 4},
+
+      // Y3 = t0 t2 + 9b t5 t4
+      {kone, wY3, 0, 2},
+      {k9b, wY3, 5, 4},
+
+      // Z3 = t3 t0 + 3 t5 t1
+      {kone, wZ3, 3, 0},
+      {k3, wZ3, 5, 1},
+  };
+  return sparse_of_testquad(NELEM(Q), Q);
+}
+
+std::unique_ptr<Quad<Field>> addE_quad1() {
+  testquad Q[] = {
+      // t0 = (Y1 Y2 + 3b Z1 Z2)
+      {kone, 0, wY1, wY2},
+      {k3b, 0, wZ1, wZ2},
+
+      // t1 = (X1 Y2 + X2 Y1)
+      {kone, 1, wX1, wY2},
+      {kone, 1, wX2, wY1},
+
+      // t2 = (Y1 Y2 - 3b Z1 Z2)
+      {kone, 2, wY1, wY2},
+      {F.negf(k3b), 2, wZ1, wZ2},
+
+      // t3 = (Y1 Z2 + Y2 Z1)
+      {kone, 3, wY1, wZ2},
+      {kone, 3, wY2, wZ1},
+
+      // t4 = (X1 Z2 + X2 Z1)
+      {kone, 4, wX1, wZ2},
+      {kone, 4, wX2, wZ1},
+
+      // t5 = X1 X2
+      {kone, 5, wX1, wX2},
+  };
+  return sparse_of_testquad(NELEM(Q), Q);
+}
+
+std::unique_ptr<Circuit<Field>> addE_circuit(size_t logc, corner_t nc) {
+  std::unique_ptr<Circuit<Field>> c = std::make_unique<Circuit<Field>>();
+  *c = Circuit<Field>{
+      .nv = 3,  // outputs
+      .logv = 2,
+      .nc = nc,
+      .logc = logc,
+      .nl = 2,
+  };
+  c->l.push_back(Layer<Field>{.nw = 6, .logw = 3, .quad = addE_quad0()});
+  c->l.push_back(Layer<Field>{.nw = 6, .logw = 3, .quad = addE_quad1()});
+
+  return c;
+}
+
+TEST(Sumcheck, EvalCircuit) {
+  size_t logc = 8;
+  corner_t nc = 209;
+  auto CIRCUIT = addE_circuit(logc, nc);
+  auto W = std::make_unique<Dense<Field>>(nc, 6);
+  for (corner_t i = 0; i < W->n0_ * W->n1_; ++i) {
+    W->v_[i] = rng.next();
+  }
+  Prover<Field>::inputs in;
+  Prover<Field> prover(F);
+  auto Wclone = W->clone();
+  const Dense<Field>* Wsave = &*Wclone;
+  auto V = prover.eval_circuit(&in, CIRCUIT.get(), std::move(Wclone), F);
+
+  EXPECT_EQ(Wclone.get(), nullptr);  // moved to in(nl-1)
+  EXPECT_EQ(in[1].get(), Wsave);
+
+  for (corner_t i = 0; i < nc; ++i) {
+    Elt Xw, Yw, Zw;
+    addE(&Xw, &Yw, &Zw, (W->v_[i + nc * 0]), (W->v_[i + nc * 1]),
+         (W->v_[i + nc * 2]), (W->v_[i + nc * 3]), (W->v_[i + nc * 4]),
+         (W->v_[i + nc * 5]));
+
+    Elt X3 = V->v_[i + nc * 0], Y3 = (V->v_[i + nc * 1]),
+        Z3 = (V->v_[i + nc * 2]);
+    EXPECT_EQ(X3, Xw);
+    EXPECT_EQ(Y3, Yw);
+    EXPECT_EQ(Z3, Zw);
+  }
+
+  // create a proof for the side-effect of invoking the constructor/destructor
+  // to detect memory leaks
+  Proof<Field> P(CIRCUIT->nl);
+}
+
+void one_test_sumcheck_without_com(const Circuit<Field>* CIRCUIT) {
+  auto nc = CIRCUIT->nc;
+  auto nl = CIRCUIT->nl;
+
+  // random inputs
+  auto Wprover = std::make_unique<Dense<Field>>(nc, CIRCUIT->l[nl - 1].nw);
+  for (corner_t i = 0; i < Wprover->n0_ * Wprover->n1_; ++i) {
+    Wprover->v_[i] = rng.next();
+  }
+  auto Wverifier = Wprover->clone();
+
+  Proof<Field> proof(CIRCUIT->nl);
+  Prover<Field>::inputs in;
+  Prover<Field> prover(F);
+  auto V = prover.eval_circuit(&in, CIRCUIT, std::move(Wprover), F);
+
+  Transcript tsp((uint8_t *)"test", 4);
+  prover.prove(&proof, nullptr, CIRCUIT, in, tsp);
+
+  const char* why;
+  Transcript tsv((uint8_t *)"test", 4);
+  bool ok = Verifier<Field>::verify(&why, CIRCUIT, &proof, std::move(V),
+                                    std::move(Wverifier), tsv, F);
+  EXPECT_EQ(ok, true);
+  EXPECT_EQ(why, "ok");
+}
+
+void one_test_sumcheck(const Circuit<Field>* CIRCUIT) {
+  one_test_sumcheck_without_com(CIRCUIT);
+}
+
+TEST(Sumcheck, SumcheckAddE) {
+  auto CIRCUIT = addE_circuit(8, corner_t(177));
+  one_test_sumcheck(CIRCUIT.get());
+}
+
+TEST(Sumcheck, SumcheckAddEOneCopy) {
+  auto CIRCUIT = addE_circuit(0, corner_t(1));
+  one_test_sumcheck(CIRCUIT.get());
+}
+
+// ------------------------------------------------------------
+// tests with random circuits
+size_t around(size_t n) { return n + (std::rand() % n); }
+quad_corner_t rand_corner(size_t n) { return quad_corner_t(std::rand()) % n; }
+
+std::unique_ptr<Quad<Field>> random_quad(index_t n, corner_t nv, corner_t nw) {
+  auto S = std::make_unique<EQuad<Field>>(n);
+  for (index_t i = 0; i < n; i++) {
+    S->ec_[i] = ecorner{
+        .g = rand_corner(nv),
+        .h = {rand_corner(nw), rand_corner(nw)},
+        .v = rng.next(),
+    };
+  }
+  S->canonicalize(F);
+  return QuadBuilder<Field>::compress(S.get(), F);
+}
+
+std::unique_ptr<Circuit<Field>> random_circuit() {
+  std::unique_ptr<Circuit<Field>> CIRCUIT = std::make_unique<Circuit<Field>>();
+  *CIRCUIT = Circuit<Field>{
+      .nv = around(7),
+      .logv = 4,
+      .nc = around(12),
+      .logc = 5,
+      .nl = around(5),
+  };
+  size_t nv = CIRCUIT->nv;
+  for (size_t ly = 0; ly < CIRCUIT->nl; ++ly) {
+    corner_t nw = around(20);
+    CIRCUIT->l.push_back(Layer<Field>{
+        .nw = nw,
+        .logw = 6,
+        .quad = random_quad(around(300), nv, nw),
+    });
+    nv = nw;  // outputs of next layer == inputs of this layer
+  }
+  return CIRCUIT;
+}
+
+TEST(Sumcheck, RandomCircuit) {
+  for (size_t i = 0; i < 10; ++i) {
+    auto CIRCUIT = random_circuit();
+    one_test_sumcheck(CIRCUIT.get());
+  }
+}
+}  // namespace
+}  // namespace proofs