longfellow 0.1.0

data/vendor/longfellow-zk/lib/sumcheck/testing.h

@@ -0,0 +1,69 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_TESTING_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_TESTING_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <memory>
+
+#include "arrays/dense.h"
+#include "random/transcript.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/prover.h"
+#include "sumcheck/verifier.h"
+#include "util/log.h"
+#include "util/panic.h"
+
+/*
+These are methods that help test modules
+by running the prover or the verifier.
+*/
+namespace proofs {
+template <class Field>
+void run_prover(const Circuit<Field> *C, std::unique_ptr<Dense<Field>> W,
+                Proof<Field> *proof, const Field& F) {
+  typename Prover<Field>::inputs pin;
+
+  Prover<Field> prover(F);
+  auto V = prover.eval_circuit(&pin, C, W->clone(), F);
+
+  check(V != nullptr, "eval_circuit failed.");
+
+  // Ensure the witness satisfies the circuit before making a proof.
+  for (size_t i = 0; i < V->n1_; ++i) {
+    if (V->v_[i] != F.zero()) {
+      log(INFO, "witness failed: non-zero output at %zu", i);
+    }
+    check(V->v_[i] == F.zero(), "witness failed, non-zero output");
+  }
+
+  Transcript tsp((uint8_t *)"testing", 7);
+  prover.prove(proof, nullptr, C, pin, tsp);
+}
+
+template <class Field>
+void run_verifier(const Circuit<Field> *C, std::unique_ptr<Dense<Field>> W,
+                  Proof<Field> &proof, const Field& F) {
+  const char *why = "ok";
+  auto V = std::make_unique<Dense<Field>>(F);
+  Transcript tsv((uint8_t *)"testing", 7);
+  check(Verifier<Field>::verify(&why, C, &proof, std::move(V),
+                                     W->clone(), tsv, F), why);
+}
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_TESTING_H_

data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h

@@ -0,0 +1,85 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_TRANSCRIPT_SUMCHECK_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_TRANSCRIPT_SUMCHECK_H_
+
+#include <stddef.h>
+
+#include "arrays/affine.h"
+#include "arrays/dense.h"
+#include "random/transcript.h"
+#include "sumcheck/circuit.h"
+
+namespace proofs {
+/*
+Fiat-Shamir abstraction for sumcheck protocol.
+This class takes wraps a transcript object and provides the interface for
+sumcheck challenge and response.
+*/
+template <typename Field>
+class TranscriptSumcheck {
+  using Elt = typename Field::Elt;
+  using CPoly = typename Proof<Field>::CPoly;
+  using WPoly = typename Proof<Field>::WPoly;
+  static constexpr size_t kMaxBindings = Proof<Field>::kMaxBindings;
+
+ public:
+  explicit TranscriptSumcheck(Transcript& ts, const Field& F)
+      : ts_(ts), f_(F) {}
+
+  void write_input(const Dense<Field>* X) {
+    // Write column by column to make it compatible with oracle.
+    for (corner_t c = 0; c < X->n0_; ++c) {
+      ts_.write(&X->v_[c], X->n0_, X->n1_, f_);
+    }
+  }
+
+  void begin_circuit(Elt* Q, Elt* G) {
+    ts_.elt(Q, kMaxBindings, f_);
+    ts_.elt(G, kMaxBindings, f_);
+  }
+
+  void begin_layer(Elt& alpha, Elt& beta, size_t layer) {
+    alpha = ts_.elt(f_);
+    beta = ts_.elt(f_);
+  }
+
+  void write(const Elt e[/*n*/], size_t ince, size_t n) {
+    ts_.write(e, ince, n, f_);
+  }
+
+  template <class Poly>
+  Elt /*R*/ round(const Poly& poly) {
+    write_poly(&poly);
+    return ts_.elt(f_);
+  }
+
+ private:
+  template <class Poly>
+  void write_poly(const Poly* poly) {
+    // Do not write the p(1) value to the transcript, as its value is
+    // implied by the constraints, and we can omit it from the proof.
+    for (size_t i = 0; i < Poly::kN; ++i) {
+      if (i != 1) {
+        ts_.write(poly->t_[i], f_);
+      }
+    }
+  }
+  Transcript& ts_;
+  const Field& f_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_TRANSCRIPT_SUMCHECK_H_

data/vendor/longfellow-zk/lib/sumcheck/verifier.h

@@ -0,0 +1,84 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_VERIFIER_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_VERIFIER_H_
+
+#include <stddef.h>
+
+#include <memory>
+
+#include "arrays/dense.h"
+#include "random/transcript.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/transcript_sumcheck.h"
+#include "sumcheck/verifier_layers.h"
+
+namespace proofs {
+// Full sumcheck verifier that verifies the layers
+// via verifier_layers<> and then checks the input
+// binding directly.
+template <class Field>
+class Verifier : public VerifierLayers<Field> {
+  using super = VerifierLayers<Field>;
+  using typename super::claims;
+  using typename super::Elt;
+
+ public:
+  static bool verify(const char** why, const Circuit<Field>* circ,
+                      const Proof<Field>* proof,
+                      std::unique_ptr<Dense<Field>> V,
+                      std::unique_ptr<Dense<Field>> X, Transcript& ts,
+                      const Field& F) {
+    if (why == nullptr || circ == nullptr || proof == nullptr ||
+        V == nullptr || X == nullptr) {
+      return false;
+    }
+
+    claims cl{};
+    Challenge<Field> ch(circ->nl);
+    TranscriptSumcheck<Field> tss(ts, F);
+    tss.write_input(X.get());
+
+    if (!(super::circuit(why, &cl, circ, proof, &ch, std::move(V), tss,
+                         F))) {
+      return false;
+    }
+
+    // Final check on W, the input wires.
+    // bind the copy variables:
+    X->bind_all(circ->logc, cl.q, F);
+    X->reshape(cl.nv);
+
+    // bind the gate variables, for two hands:
+    auto X1 = X->clone();
+    Dense<Field>* VH[2] = {X.get(), X1.get()};
+
+    for (size_t hand = 0; hand < 2; ++hand) {
+      VH[hand]->bind_all(cl.logv, cl.g[hand], F);
+      Elt got = VH[hand]->scalar();
+      if (got != cl.claim[hand]) {
+        *why = "got != cl.claim[hand]";
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  Verifier() = delete;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_VERIFIER_H_

data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h

@@ -0,0 +1,221 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_SUMCHECK_VERIFIER_LAYERS_H_
+#define PRIVACY_PROOFS_ZK_LIB_SUMCHECK_VERIFIER_LAYERS_H_
+
+#include <stddef.h>
+
+#include <cstddef>
+#include <memory>
+
+#include "arrays/affine.h"
+#include "arrays/dense.h"
+#include "arrays/eq.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/quad.h"
+#include "sumcheck/transcript_sumcheck.h"
+
+namespace proofs {
+// Sumcheck verifier that only verifies the layers.
+// Derived classes are responsible for verifying the
+// input binding, either directly or through a commitment.
+template <class Field>
+class VerifierLayers {
+ public:
+  typedef typename Quad<Field>::index_t index_t;
+  using Elt = typename Field::Elt;
+
+  struct claims {
+    corner_t nv;
+    size_t logv;
+    Elt claim[2];
+    const Elt* q;
+    const Elt* g[2];
+  };
+  // Verify all the circuit layers, returning claims on the inputs in
+  // CL.  The caller is responsible to verify the claims, either via
+  // direct check or polynomial commitment.
+  static bool circuit(const char** why, claims* cl,
+                      const Circuit<Field>* CIRCUIT, const Proof<Field>* PROOF,
+                      Challenge<Field>* CH, std::unique_ptr<Dense<Field>> V,
+                      TranscriptSumcheck<Field>& ts, const Field& F) {
+    if (why == nullptr || cl == nullptr || CIRCUIT == nullptr ||
+        PROOF == nullptr || CH == nullptr) {
+      return false;
+    }
+    *why = "ok";
+
+    Elt claimV;
+    ts.begin_circuit(CH->q, CH->g);
+
+    if (V->n1_ == 1 && V->n0_ == 1 && V->v_[0] == F.zero()) {
+      // special case of all-zero binding
+      claimV = F.zero();
+    } else {
+      const desire desires[2] = {
+          {V->n1_ == CIRCUIT->nv, "V->n1_ != CIRCUIT->nv"},
+          {V->n0_ == CIRCUIT->nc, "V->n0_ != CIRCUIT->nc"},
+      };
+
+      if (!check(why, 2, desires)) {
+        return false;
+      }
+
+      // initial claim on V[G, Q] for the output V
+      V->bind_all(CIRCUIT->logc, CH->q, F);
+      V->reshape(CIRCUIT->nv);
+      V->bind_all(CIRCUIT->logv, CH->g, F);
+      claimV = V->scalar();
+    }
+
+    // Consider claimV on the binding to P.G as two (identical)
+    // claims, so we can get the induction going.  Thus, alpha in
+    // the first layer is redundant.
+    *cl = claims{
+        .nv = CIRCUIT->nv,
+        .logv = CIRCUIT->logv,
+        .claim = {claimV, claimV},
+        .q = CH->q,
+        .g = {CH->g, CH->g},
+    };
+
+    return layers(why, cl, CIRCUIT, PROOF, ts, CH, F);
+  }
+
+  VerifierLayers() = delete;
+
+ private:
+  struct desire {
+    bool cond;
+    const char* why;
+  };
+
+  static bool check(const char** why, size_t n, const desire* d) {
+    for (size_t i = 0; i < n; ++i) {
+      if (!d[i].cond) {
+        *why = d[i].why;
+        return false;
+      }
+    }
+    return true;
+  }
+
+  // Verify CLAIM for one layer and update CLAIM in-place as next
+  // claim.  Return TRUE on success, and (FALSE, why) on failure.
+  static bool layer_c(const char** why, Elt* claim, size_t logc,
+                      const LayerProof<Field>* plr, LayerChallenge<Field>* ch,
+                      TranscriptSumcheck<Field>& ts, const Field& F) {
+    for (size_t round = 0; round < logc; ++round) {
+      // Change verification equation from
+      //    claim =? (p(0) + p(1))
+      // to p(1) = claim - p(0).
+      auto tp = plr->cp[round];
+      auto t1 = F.subf(*claim, tp.t_[0]);
+      ch->cb[round] = ts.round(plr->cp[round]);
+      auto p = tp.to_poly(t1);
+      *claim = p.eval_lagrange(ch->cb[round], F);
+    }
+
+    return true;
+  }
+
+  static bool layer_h(const char** why, Elt* claim, size_t logw,
+                      const LayerProof<Field>* plr, LayerChallenge<Field>* ch,
+                      TranscriptSumcheck<Field>& ts, const Field& F) {
+    for (size_t round = 0; round < logw; ++round) {
+      for (size_t hand = 0; hand < 2; ++hand) {
+        // Change verification equation from
+        //    claim =? (p(0) + p(1))
+        // to p(1) = claim - p(0).
+        auto tp = plr->hp[hand][round];
+        auto t1 = F.subf(*claim, tp.t_[0]);
+        ch->hb[hand][round] = ts.round(tp);
+        auto p = tp.to_poly(t1);
+        *claim = p.eval_lagrange(ch->hb[hand][round], F);
+      }
+    }
+    return true;
+  }
+
+  // Verify CLAIMS for all layers and update CLAIMS in-place.  Return
+  // TRUE on success, and (FALSE, why) on failure.
+  static bool layers(const char** why, claims* cl,
+                     const Circuit<Field>* CIRCUIT, const Proof<Field>* PROOF,
+                     TranscriptSumcheck<Field>& ts, Challenge<Field>* CH,
+                     const Field& F) {
+    for (size_t ly = 0; ly < CIRCUIT->nl; ++ly) {
+      auto clr = &CIRCUIT->l.at(ly);
+      auto plr = &PROOF->l[ly];
+      auto challenge = &CH->l[ly];
+
+      // the claim is then an affine combination of the two
+      // inductive claims
+      ts.begin_layer(challenge->alpha, challenge->beta, ly);
+      Elt claim = F.addf(cl->claim[0], F.mulf(challenge->alpha, cl->claim[1]));
+
+      if (!layer_c(why, &claim, CIRCUIT->logc, plr, challenge, ts, F)) {
+        return false;
+      }
+
+      if (!layer_h(why, &claim, clr->logw, plr, challenge, ts, F)) {
+        return false;
+      }
+
+      // Now verify CLAIM = EQ[Q,C] QUAD[R,L] W[R,C] W[L,C]
+      // where W[R,C], W[L,C] are in the proof.
+
+      // bind QUAD[g|r,l] to the alpha-combination of the
+      // two G values GR, GL
+      auto EQUAD = clr->quad->bind_g(cl->logv, cl->g[0], cl->g[1],
+                                     challenge->alpha, challenge->beta, F);
+
+      // bind QUAD[G|r,l] to R, L
+      for (size_t round = 0; round < clr->logw; ++round) {
+        for (size_t hand = 0; hand < 2; ++hand) {
+          EQUAD->bind_h(challenge->hb[hand][round], hand, F);
+        }
+      }
+
+      // got = EQ[Q,C] QUAD[G|R,L] W[R,C] W[L,C], where
+      // W[.,C] is in the proof.
+      Elt got =
+          Eq<Field>::eval(CIRCUIT->logc, CIRCUIT->nc, cl->q, challenge->cb, F);
+      F.mul(got, EQUAD->scalar());
+      F.mul(got, plr->wc[0]);
+      F.mul(got, plr->wc[1]);
+
+      if (got != claim) {
+        *why = "got != claim (layer)";
+        return false;
+      }
+
+      // Add wc[0,1] to transcript
+      ts.write(&plr->wc[0], 1, 2);
+
+      // Reduce to two claims on W[R,C] and W[L,C]
+      *cl = claims{
+          .nv = clr->nw,
+          .logv = clr->logw,
+          .claim = {plr->wc[0], plr->wc[1]},
+          .q = challenge->cb,
+          .g = {challenge->hb[0], challenge->hb[1]},
+      };
+    }
+    return true;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_SUMCHECK_VERIFIER_LAYERS_H_

data/vendor/longfellow-zk/lib/testing/test_main.cc

@@ -0,0 +1,50 @@
+// Copyright 2024 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// main() for running both tests and benchmarks in the same
+// file.
+//
+// The behavior is as follows:
+//
+//   foo_test
+//       Run tests but not benchmarks
+//
+//   foo_test --benchmark_filter=all
+//       Run benchmarks but not tests
+//
+#include <benchmark/benchmark.h>
+#include <gtest/gtest.h>
+#include <string.h>
+
+int main(int argc, char **argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+    
+  // Hack: run benchmarks only if --benchmark_filter is
+  // specified explicitly.
+
+  // By default, the benchmark filter is set to *, which runs all
+  // benchmarks.  We don't want to run benchmarks when testing.  In
+  // recent versions of libbenchmark, one can call
+  // GetBenchmarkFilter(), but older versions don't support it.
+  // Check for anything that starts with --bench.
+  bool bench = (argc > 1) && !strncmp(argv[1], "--bench", 7);
+
+  if (bench) {
+    // By default run no benchmarks
+    benchmark::Initialize(&argc, argv);
+    return benchmark::RunSpecifiedBenchmarks();
+  }
+
+  return RUN_ALL_TESTS();
+}

data/vendor/longfellow-zk/lib/util/ceildiv.h

@@ -0,0 +1,164 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_UTIL_CEILDIV_H_
+#define PRIVACY_PROOFS_ZK_LIB_UTIL_CEILDIV_H_
+
+// This package holds basic math utility functions.
+
+#include <cstddef>
+#include <cstdint>
+
+namespace proofs {
+
+// ceil(a/b)
+template <class T>
+T ceildiv(T a, T b) {
+  return (a + (b - 1)) / b;
+}
+
+inline size_t lg(size_t n) {
+  size_t lgk = 0, k = 1;
+  while (k < n) {
+    k *= 2;
+    lgk += 1;
+  }
+  return lgk;
+}
+
+// Morton-order operations
+namespace morton {
+// extract even bits (pack)
+inline uint64_t even(uint64_t x) {
+  x &= 0x5555555555555555ull;
+  x |= (x >> 1);
+  x &= 0x3333333333333333ull;
+  x |= (x >> 2);
+  x &= 0x0F0F0F0F0F0F0F0Full;
+  x |= (x >> 4);
+  x &= 0x00FF00FF00FF00FFull;
+  x |= (x >> 8);
+  x &= 0x0000FFFF0000FFFFull;
+  x |= (x >> 16);
+  x &= 0x00000000FFFFFFFFull;
+  return x;
+}
+
+// inverse of even (unpack)
+inline uint64_t uneven(uint64_t x) {
+  x &= 0x00000000FFFFFFFFull;
+  x |= (x << 16);
+  x &= 0x0000FFFF0000FFFFull;
+  x |= (x << 8);
+  x &= 0x00FF00FF00FF00FFull;
+  x |= (x << 4);
+  x &= 0x0F0F0F0F0F0F0F0Full;
+  x |= (x << 2);
+  x &= 0x3333333333333333ull;
+  x |= (x << 1);
+  x &= 0x5555555555555555ull;
+  return x;
+}
+
+// Given two integers X and Y represented
+// as (even, odd) bits (X0, X1) and
+// (Y0, Y1), set (X0, X1) to the even/odd
+// representation of X+Y
+template <class T>
+static void add(T *x0, T *x1, T y0, T y1) {
+  // Given two arrays X[i] and Y[i] of bits, the goal
+  // is to build an adder.  One way to build an adder
+  // is to switch to the generate/propagate representation
+  //   G[i] = X[i] & Y[i]
+  //   P[i] = X[i] ^ Y[i]
+  // where G[i] means "position i generates a carry" and P[i] means
+  // "position i propagates the carry coming from position i-1".
+  //
+  // Generate/propagate can be extended to pairs of positions
+  // via the equations
+  //
+  //   G = G[i+1] ^ (G[i] ^ P[i+1])
+  //   P = P[i+1] & P[i].                       (1)
+  //
+  // (This is all well-known adder stuff that has been known since
+  // at least the '50s).
+  //
+  // Our strategy is thus: convert the addends into G/P representation;
+  // combine the [2i] and [2i+1] positions via Equation (1), and
+  // use the C "+" operation to propagate the carry over one array.
+  //
+  // The fun part is, how do you use the C adder to propagate G.
+  // The standard form of the adder is:
+  //
+  //   (G, P) = (X & Y, X ^ Y)
+  //   G' = propagate G in any convenient way
+  //   (X + Y) = RESULT = P ^ G'
+  //
+  // and thus we can extract the propagated G' as G' = (X + Y) ^ X ^ Y.
+  //
+  // The other fun part is, given G and P, how do you go back to X and
+  // Y that can be fed to the C adder?  The transformation (X, Y) -> (G, P)
+  // is not injective, but any inverse will work.  We choose
+  //
+  //   X = G
+  //   Y = P ^ G
+
+  // Convert inputs into (G, P) form.
+  T g0 = *x0 & y0, g1 = *x1 & y1;
+  T p0 = *x0 ^ y0, p1 = *x1 ^ y1;
+
+  // Combine the two (G, P) inputs.
+  T g = g1 ^ (g0 & p1);
+  T p = p0 & p1;
+
+  // Convert back into (X, Y) = (G, P ^ G) and compute
+  // GPRIME = (X + Y) ^ X ^ Y, which simplifies to (X + Y) ^ P
+  // because X = G and Y = P ^ G.
+  // Here we lose the carry of the addition, making it impossible
+  // to output a global carry.
+  T gprime = (g + (p ^ g)) ^ p;
+
+  // XOR the propagated carries back into P
+  *x0 = gprime ^ p0;
+  *x1 = g0 ^ (gprime & p0) ^ p1;
+}
+
+// a-b via ~(~a + b)
+template <class T>
+static void sub(T *x0, T *x1, T y0, T y1) {
+  *x0 = ~*x0;
+  *x1 = ~*x1;
+  add(x0, x1, y0, y1);
+  *x0 = ~*x0;
+  *x1 = ~*x1;
+}
+
+// a < b via (a - b) < 0.  Since we don't have
+// the output carry of the subtraction, we pretend that
+// the result is signed.
+template <class T>
+static bool lt(T x0, T x1, T y0, T y1) {
+  sub(&x0, &x1, y0, y1);
+  return (x1 >> (8 * sizeof(T) - 1)) == 1;
+}
+
+template <class T>
+static bool eq(T x0, T x1, T y0, T y1) {
+  return x0 == y0 && x1 == y1;
+}
+
+}  // namespace morton
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_UTIL_CEILDIV_H_