longfellow 0.1.0

data/vendor/longfellow-zk/lib/zk/zk_proof.h

@@ -0,0 +1,378 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ZK_ZK_PROOF_H_
+#define PRIVACY_PROOFS_ZK_LIB_ZK_ZK_PROOF_H_
+
+#include <cstddef>
+#include <cstdint>
+#include <optional>
+#include <vector>
+
+#include "ligero/ligero_param.h"
+#include "merkle/merkle_commitment.h"
+#include "merkle/merkle_tree.h"
+#include "sumcheck/circuit.h"
+#include "util/log.h"
+#include "util/readbuffer.h"
+#include "util/serialization.h"
+#include "zk/zk_common.h"
+
+namespace proofs {
+
+// ZkProof class handles proof serialization.
+//
+// We expect circuits to be created and stored locally by the prover and
+// verifier respectively, and thus the circuit representations are trusted and
+// are assumed to contain parameters that do not induce arithmetic overflows.
+// For example, we assume that values like c.logw and c.logc are smaller than
+// 2^24 and therefore do not cause any overflows (even on 32b machines) in the
+// range/length calculations that are performed during serialization.
+//
+// An earlier experiment implemented the IO methods using protobuf parsing.
+// Despite applying techniques like arena allocation, those methods required
+// an order of magnitude more time.
+template <class Field>
+struct ZkProof {
+ public:
+  const Circuit<Field> &c;
+  Proof<Field> proof;
+  LigeroParam<Field> param;
+  LigeroCommitment<Field> com;
+  LigeroProof<Field> com_proof;
+
+  // The max run length is 2^25, in order to prevent overflow issues on 32b
+  // machines when performing length calculations during serialization.
+  constexpr static size_t kMaxRunLen = (1 << 25);
+
+  constexpr static size_t kMaxNumDigests = (1 << 25);
+
+  typedef typename Field::Elt Elt;
+
+  explicit ZkProof(const Circuit<Field> &c, size_t rate, size_t req)
+      : c(c),
+        proof(c.nl),
+        param((c.ninputs - c.npub_in) + ZkCommon<Field>::pad_size(c), c.nl,
+              rate, req),
+        com_proof(&param) {}
+
+  explicit ZkProof(const Circuit<Field> &c, size_t rate, size_t req,
+                   size_t block_enc)
+      : c(c),
+        proof(c.nl),
+        param((c.ninputs - c.npub_in) + ZkCommon<Field>::pad_size(c), c.nl,
+              rate, req, block_enc),
+        com_proof(&param) {}
+
+  // Maximum size of the proof in bytes. The actual size will be smaller
+  // because the Merkle proof is batched.
+  size_t size() const {
+    return Digest::kLength +
+
+           proof.size() * Field::kBytes +
+
+           com_proof.block * 2 * Field::kBytes +
+           com_proof.nreq * com_proof.nrow * Field::kBytes +
+           com_proof.nreq * com_proof.mc_pathlen * Digest::kLength;
+  }
+
+  void write(std::vector<uint8_t> &buf, const Field &F) const {
+    size_t s0 = buf.size();
+    write_com(com, buf, F);
+    size_t s1 = buf.size();
+    write_sc_proof(proof, buf, F);
+    size_t s2 = buf.size();
+    write_com_proof(com_proof, buf, F);
+    size_t s3 = buf.size();
+    log(INFO,
+        "com:%zu, sc:%zu, com_proof:%zu [%zu el, %zu el, %zu d in %zu "
+        "rows]: %zub",
+        s1 - s0, s2 - s1, s3 - s2, 2 * com_proof.block,
+        com_proof.nreq * com_proof.nrow, com_proof.merkle.path.size(),
+        com_proof.nrow, s3 - s0);
+  }
+
+  // The read function returns false on error or underflow.
+  bool read(ReadBuffer &buf, const Field &F) {
+    if (!read_com(com, buf, F)) return false;
+    if (!read_sc_proof(proof, buf, F)) return false;
+    if (!read_com_proof(com_proof, buf, F)) return false;
+    return true;
+  }
+
+  void write_sc_proof(const Proof<Field> &pr, std::vector<uint8_t> &buf,
+                      const Field &F) const {
+    check(c.logc == 0, "cannot write sc proof with logc != 0");
+    for (size_t i = 0; i < pr.l.size(); ++i) {
+      for (size_t wi = 0; wi < c.l[i].logw; ++wi) {
+        for (size_t k = 0; k < 3; ++k) {
+          // Optimization: do not send p(1) as it is implied by constraints.
+          if (k != 1) {
+            write_elt(pr.l[i].hp[0][wi].t_[k], buf, F);
+            write_elt(pr.l[i].hp[1][wi].t_[k], buf, F);
+          }
+        }
+      }
+      write_elt(pr.l[i].wc[0], buf, F);
+      write_elt(pr.l[i].wc[1], buf, F);
+    }
+  }
+
+  void write_com(const LigeroCommitment<Field> &com0, std::vector<uint8_t> &buf,
+                 const Field &F) const {
+    buf.insert(buf.end(), com0.root.data, com0.root.data + Digest::kLength);
+  }
+
+  void write_com_proof(const LigeroProof<Field> &pr, std::vector<uint8_t> &buf,
+                       const Field &F) const {
+    for (size_t i = 0; i < pr.block; ++i) {
+      write_elt(pr.y_ldt[i], buf, F);
+    }
+    for (size_t i = 0; i < pr.dblock; ++i) {
+      write_elt(pr.y_dot[i], buf, F);
+    }
+    for (size_t i = 0; i < pr.r; ++i) {
+      write_elt(pr.y_quad_0[i], buf, F);
+    }
+    for (size_t i = 0; i < pr.dblock - pr.block; ++i) {
+      write_elt(pr.y_quad_2[i], buf, F);
+    }
+
+    // write all the Merkle nonces
+    for (size_t i = 0; i < pr.nreq; ++i) {
+      write_nonce(pr.merkle.nonce[i], buf);
+    }
+
+    // The format of the opened rows consists of a run of full-field elements,
+    // then a run of base-field elements, and finally a run of full-field
+    // elements.  To compress, we employ a run-length encoding approach.
+    size_t ci = 0;
+    bool subfield_run = false;
+    while (ci < pr.nreq * pr.nrow) {
+      size_t runlen = 0;
+      while (ci + runlen < pr.nreq * pr.nrow && runlen < kMaxRunLen &&
+             F.in_subfield(pr.req[ci + runlen]) == subfield_run) {
+        ++runlen;
+      }
+      write_size(runlen, buf);
+      for (size_t i = ci; i < ci + runlen; ++i) {
+        if (subfield_run) {
+          write_subfield_elt(pr.req[i], buf, F);
+        } else {
+          write_elt(pr.req[i], buf, F);
+        }
+      }
+      ci += runlen;
+      subfield_run = !subfield_run;
+    }
+
+    write_size(pr.merkle.path.size(), buf);
+    for (size_t i = 0; i < pr.merkle.path.size(); ++i) {
+      write_digest(pr.merkle.path[i], buf);
+    }
+  }
+
+ private:
+  void write_elt(const Elt &x, std::vector<uint8_t> &buf,
+                 const Field &F) const {
+    uint8_t tmp[Field::kBytes];
+    F.to_bytes_field(tmp, x);
+    buf.insert(buf.end(), tmp, tmp + Field::kBytes);
+  }
+
+  void write_subfield_elt(const Elt &x, std::vector<uint8_t> &buf,
+                          const Field &F) const {
+    uint8_t tmp[Field::kSubFieldBytes];
+    F.to_bytes_subfield(tmp, x);
+    buf.insert(buf.end(), tmp, tmp + Field::kSubFieldBytes);
+  }
+
+  void write_digest(const Digest &x, std::vector<uint8_t> &buf) const {
+    buf.insert(buf.end(), x.data, x.data + Digest::kLength);
+  }
+
+  void write_nonce(const MerkleNonce &x, std::vector<uint8_t> &buf) const {
+    buf.insert(buf.end(), x.bytes, x.bytes + MerkleNonce::kLength);
+  }
+
+  // Assumption is that all of the sizes of arrays that are part of proofs
+  // fit into 4 bytes, and can thus work on 32-b machines.
+  void write_size(size_t g, std::vector<uint8_t> &buf) const {
+    for (size_t i = 0; i < 4; ++i) {
+      buf.push_back(static_cast<uint8_t>(g & 0xff));
+      g >>= 8;
+    }
+  }
+
+  bool read_sc_proof(Proof<Field> &pr, ReadBuffer &buf, const Field &F) {
+    if (c.logc != 0) return false;
+    for (size_t i = 0; i < pr.l.size(); ++i) {
+      size_t needed = (c.l[i].logw * (3 - 1) * 2 + 2) * Field::kBytes;
+      if (!buf.have(needed)) return false;
+      for (size_t wi = 0; wi < c.l[i].logw; ++wi) {
+        for (size_t k = 0; k < 3; ++k) {
+          // Optimization: the p(1) value was not sent.
+          if (k != 1) {
+            for (size_t hi = 0; hi < 2; ++hi) {
+              auto v = read_elt(buf, F);
+              if (v) {
+                pr.l[i].hp[hi][wi].t_[k] = v.value();
+              } else {
+                return false;
+              }
+            }
+          } else {
+            pr.l[i].hp[0][wi].t_[k] = F.zero();
+            pr.l[i].hp[1][wi].t_[k] = F.zero();
+          }
+        }
+      }
+      for (size_t wi = 0; wi < 2; ++wi) {
+        auto v = read_elt(buf, F);
+        if (v) {
+          pr.l[i].wc[wi] = v.value();
+        } else {
+          return false;
+        }
+      }
+    }
+    return true;
+  }
+
+  bool read_com(LigeroCommitment<Field> &com0, ReadBuffer &buf,
+                const Field &F) {
+    if (!buf.have(Digest::kLength)) return false;
+    read_digest(buf, com0.root);
+    return true;
+  }
+
+  bool read_com_proof(LigeroProof<Field> &pr, ReadBuffer &buf, const Field &F) {
+    if (!buf.have(pr.block * Field::kBytes)) return false;
+    for (size_t i = 0; i < pr.block; ++i) {
+      auto v = read_elt(buf, F);
+      if (v) {
+        pr.y_ldt[i] = v.value();
+      } else {
+        return false;
+      }
+    }
+
+    if (!buf.have(pr.dblock * Field::kBytes)) return false;
+    for (size_t i = 0; i < pr.dblock; ++i) {
+      auto v = read_elt(buf, F);
+      if (v) {
+        pr.y_dot[i] = v.value();
+      } else {
+        return false;
+      }
+    }
+
+    if (!buf.have(pr.r * Field::kBytes)) return false;
+    for (size_t i = 0; i < pr.r; ++i) {
+      auto v = read_elt(buf, F);
+      if (v) {
+        pr.y_quad_0[i] = v.value();
+      } else {
+        return false;
+      }
+    }
+
+    if (!buf.have((pr.dblock - pr.block) * Field::kBytes)) return false;
+    for (size_t i = 0; i < pr.dblock - pr.block; ++i) {
+      auto v = read_elt(buf, F);
+      if (v) {
+        pr.y_quad_2[i] = v.value();
+      } else {
+        return false;
+      }
+    }
+
+    if (!buf.have(pr.nreq * MerkleNonce::kLength)) return false;
+    for (size_t i = 0; i < pr.nreq; ++i) {
+      read_nonce(buf, pr.merkle.nonce[i]);
+    }
+
+    // Decode runs of real and full Field elements.
+    size_t ci = 0;
+    bool subfield_run = false;
+    while (ci < pr.nreq * pr.nrow) {
+      if (!buf.have(4)) return false;
+      size_t runlen = read_size(buf); /* untrusted size input */
+      if (runlen >= kMaxRunLen || ci + runlen > pr.nreq * pr.nrow) return false;
+      if (subfield_run) {
+        if (!buf.have(runlen * Field::kSubFieldBytes)) return false;
+        for (size_t i = ci; i < ci + runlen; ++i) {
+          auto v = read_subfield_elt(buf, F);
+          if (v) {
+            pr.req[i] = v.value();
+          } else {
+            return false;
+          }
+        }
+      } else {
+        if (!buf.have(runlen * Field::kBytes)) return false;
+        for (size_t i = ci; i < ci + runlen; ++i) {
+          auto v = read_elt(buf, F);
+          if (v) {
+            pr.req[i] = v.value();
+          } else {
+            return false;
+          }
+        }
+      }
+      ci += runlen;
+      subfield_run = !subfield_run;
+    }
+
+    if (!buf.have(4)) return false;
+    size_t sz = read_size(buf); /* untrusted size input */
+
+    // Merkle proofs of length < NREQ are not valid in the zk proof setting.
+    if (sz < pr.nreq || sz >= kMaxNumDigests) return false;  // avoid overflow
+    if (!buf.have(sz * Digest::kLength)) return false;
+
+    // Sanity check, the proof should never be larger than this.
+    // That value should always fit into memory, so this check aims to avoid
+    // an exception by resize() if there is not enough memory to resize.
+    if (sz > pr.nreq * pr.mc_pathlen) return false;
+
+    pr.merkle.path.resize(sz);
+    for (size_t i = 0; i < sz; ++i) {
+      read_digest(buf, pr.merkle.path[i]);
+    }
+    return true;
+  }
+
+  std::optional<Elt> read_elt(ReadBuffer &buf, const Field &F) const {
+    return F.of_bytes_field(buf.next(Field::kBytes));
+  }
+
+  std::optional<Elt> read_subfield_elt(ReadBuffer &buf, const Field &F) const {
+    return F.of_bytes_subfield(buf.next(Field::kSubFieldBytes));
+  }
+
+  void read_digest(ReadBuffer &buf, Digest &x) const {
+    buf.next(Digest::kLength, x.data);
+  }
+
+  void read_nonce(ReadBuffer &buf, MerkleNonce &x) const {
+    buf.next(MerkleNonce::kLength, x.bytes);
+  }
+
+  size_t read_size(ReadBuffer &buf) { return u32_of_le(buf.next(4)); }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ZK_ZK_PROOF_H_

data/vendor/longfellow-zk/lib/zk/zk_prover.h

@@ -0,0 +1,202 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ZK_ZK_PROVER_H_
+#define PRIVACY_PROOFS_ZK_LIB_ZK_ZK_PROVER_H_
+
+#include <stddef.h>
+
+#include <memory>
+#include <vector>
+
+#include "arrays/dense.h"
+#include "ligero/ligero_param.h"
+#include "ligero/ligero_prover.h"
+#include "random/random.h"
+#include "random/transcript.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/prover_layers.h"
+#include "sumcheck/transcript_sumcheck.h"
+#include "util/log.h"
+#include "util/panic.h"
+#include "zk/zk_common.h"
+#include "zk/zk_proof.h"
+
+namespace proofs {
+// ZK Prover
+//
+// This class implements a zero-knowledge argument over a sumcheck transcript
+// by first committing to a sumcheck witness and a random pad to encrypt
+// a sumcheck transcript, then running the sumcheck protocol over the original
+// claim and witness, but outputting the encrypted transcript, and finally
+// using a Ligero prover to prove the statement: "the committed witness and
+// pad, when used to decrypt the encrypted sumcheck transcript satisfies the
+// sumcheck verifier."
+//
+// While this statement is complex, it can be implemented easily because
+// the sumcheck verifier essentially checks the evaluations of degree-2 or -3
+// polynomials, and performs one multiplication per layer of the circuit. The
+// Hyrax paper makes a similar observation, but uses an elliptic-curve based
+// proof, whereas here we use the Ligero system.
+template <class Field, class ReedSolomonFactory>
+class ZkProver : public ProverLayers<Field> {
+  using super = ProverLayers<Field>;
+  using typename super::bindings;
+  using Elt = typename Field::Elt;
+  using typename super::inputs;
+
+ public:
+  ZkProver(const Circuit<Field>& CIRCUIT, const Field& F,
+           const ReedSolomonFactory& rs_factory)
+      : ProverLayers<Field>(F),
+        c_(CIRCUIT),
+        n_witness_(c_.ninputs - c_.npub_in),
+        f_(F),
+        rsf_(rs_factory),
+        pad_(c_.nl),
+        witness_(n_witness_),
+        lqc_(c_.nl),
+        lp_(nullptr) {}
+
+  void commit(ZkProof<Field>& zkp, const Dense<Field>& W, Transcript& tp,
+              RandomEngine& rng) {
+    log(INFO, "ZK Commit start");
+
+    // Copy witnesses for commitment
+    // Layout of the com: 0 ...<witnesses>... start_pad <pad> len
+    // Only commit the private witnesses, which begin at index c_.npub_in.
+    for (size_t i = 0; i < n_witness_; ++i) {
+      witness_[i] = W.v_[i + c_.npub_in];
+    }
+
+    // Rebase the circuit SUBFIELD_BOUNDARY (if any) to start at
+    // NPUB_IN,
+    size_t subfield_boundary = 0;
+    if (c_.subfield_boundary >= c_.npub_in) {
+      subfield_boundary = c_.subfield_boundary - c_.npub_in;
+    }
+
+    // Fill pad with random values, add pad to witness, record lqc.
+    fill_pad(rng);
+    ZkCommon<Field>::setup_lqc(c_, lqc_, n_witness_ /* = start_pad */);
+
+    // Commit to witness and pad.
+    lp_ = std::make_unique<LigeroProver<Field, ReedSolomonFactory>>(zkp.param);
+    lp_->commit(zkp.com, tp, &witness_[0], subfield_boundary, &lqc_[0], rsf_,
+                rng, f_);
+
+    log(INFO, "ZK Commitment done");
+  }
+
+  bool prove(ZkProof<Field>& zkp, const Dense<Field>& W, Transcript& tsp) {
+    check(lp_ != nullptr, "must run commit before prove");
+
+    // Interpret W as public parameters, we only append
+    // c_.npub_in elements of W to the transcript
+    ZkCommon<Field>::initialize_sumcheck_fiat_shamir(tsp, c_, W, f_);
+    Transcript tst = tsp.clone();
+
+    // Run sumcheck to generate a padded proof.
+    inputs in;
+    auto V = super::eval_circuit(&in, &c_, W.clone(), f_);
+    if (V == nullptr) {
+      log(ERROR, "eval_circuit failed");
+      return false;
+    }
+    for (size_t i = 0; i < V->n1_; ++i) {
+      if (V->v_[i] != f_.zero()) {
+        log(ERROR, "V->v_[i] != F.zero()");
+        return false;
+      };
+    }
+    bindings bnd;
+    ProofAux<Field> aux(c_.nl);
+
+    TranscriptSumcheck<Field> tsts(tst, f_);
+    super::prove(&zkp.proof, &pad_, &c_, in, &aux, bnd, tsts, f_);
+    log(INFO, "ZK sumcheck done");
+
+    // 5. Simulate the verifier to assemble constraints on the committed vals.
+    //    Form the sparse matrix A and vector b such that A*w = b.
+    std::vector<LigeroLinearConstraint<Field>> a;
+    std::vector<Elt> b;
+    size_t ci = ZkCommon<Field>::verifier_constraints(c_, W, zkp.proof, &aux, a,
+                                                      b, tsp, n_witness_, f_);
+    log(INFO, "ZK constraints done");
+
+    // 6. Produce proof over commitment.
+    // For FS soundness, it is ok for hash_of_A to be any string.
+    // In the interactive version, the verifier provides a challenge for the
+    // com proof. The last prover message is the (wc_l,wc_r) pair, and this
+    // has already been added to the transcript.
+    const LigeroHash hash_of_A{0xde, 0xad, 0xbe, 0xef};
+    lp_->prove(zkp.com_proof, tsp, ci, a.size(), &a[0], hash_of_A, &lqc_[0],
+               rsf_, f_);
+
+    log(INFO, "Prover Done: flag");
+    return true;
+  }
+
+  // Fill proof with random pad values for a given circuit.
+  void fill_pad(RandomEngine& rng) {
+    for (size_t i = 0; i < c_.nl; ++i) {
+      for (size_t j = 0; j < c_.logc; ++j) {
+        for (size_t k = 0; k < 4; ++k) {
+          if (k != 1) {  // P(1) optimization
+            Elt r = rng.elt(f_);
+            pad_.l[i].cp[j].t_[k] = r;
+            witness_.push_back(r);
+          } else {
+            pad_.l[i].cp[j].t_[k] = f_.zero();
+          }
+        }
+      }
+      for (size_t j = 0; j < c_.l[i].logw; ++j) {
+        for (size_t h = 0; h < 2; ++h) {
+          for (size_t k = 0; k < 3; ++k) {
+            if (k != 1) {  // P(1) optimization
+              Elt r = rng.elt(f_);
+              pad_.l[i].hp[h][j].t_[k] = r;
+              witness_.push_back(r);
+            } else {
+              pad_.l[i].hp[h][j].t_[k] = f_.zero();
+            }
+          }
+        }
+      }
+      for (size_t k = 0; k < 2; ++k) {
+        Elt r = rng.elt(f_);
+        pad_.l[i].wc[k] = r;
+        witness_.push_back(r);
+      }
+
+      // Commit to product of pads for product proof.
+      Elt rr = f_.mulf(pad_.l[i].wc[0], pad_.l[i].wc[1]);
+      witness_.push_back(rr);
+    }
+  }
+
+  const Circuit<Field>& c_;
+  const size_t n_witness_;
+  const Field& f_;
+  const ReedSolomonFactory& rsf_;
+  Proof<Field> pad_;
+  std::vector<Elt> witness_;
+  std::vector<LigeroQuadraticConstraint> lqc_;
+  std::unique_ptr<LigeroProver<Field, ReedSolomonFactory>> lp_;
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ZK_ZK_PROVER_H_