longfellow 0.1.0
- checksums.yaml +7 -0
- data/CODE_OF_CONDUCT.md +10 -0
- data/LICENSE.txt +21 -0
- data/README.md +152 -0
- data/ext/longfellow/CMakeLists.txt +76 -0
- data/ext/longfellow/extconf.rb +77 -0
- data/lib/longfellow/attribute.rb +65 -0
- data/lib/longfellow/c.rb +105 -0
- data/lib/longfellow/errors.rb +78 -0
- data/lib/longfellow/version.rb +5 -0
- data/lib/longfellow/zk_spec.rb +40 -0
- data/lib/longfellow.rb +162 -0
- data/sig/longfellow.rbs +74 -0
- data/vendor/longfellow-zk/LICENSE +203 -0
- data/vendor/longfellow-zk/lib/algebra/blas.h +121 -0
- data/vendor/longfellow-zk/lib/algebra/bogorng.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/compare.h +40 -0
- data/vendor/longfellow-zk/lib/algebra/convolution.h +219 -0
- data/vendor/longfellow-zk/lib/algebra/crt.cc +42 -0
- data/vendor/longfellow-zk/lib/algebra/crt.h +299 -0
- data/vendor/longfellow-zk/lib/algebra/crt_convolution.h +114 -0
- data/vendor/longfellow-zk/lib/algebra/crt_test.cc +371 -0
- data/vendor/longfellow-zk/lib/algebra/fft.h +104 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation.h +304 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation_test.cc +168 -0
- data/vendor/longfellow-zk/lib/algebra/fft_test.cc +257 -0
- data/vendor/longfellow-zk/lib/algebra/fp.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/fp2.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/fp24.h +342 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6.h +305 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6_test.cc +197 -0
- data/vendor/longfellow-zk/lib/algebra/fp2_test.cc +280 -0
- data/vendor/longfellow-zk/lib/algebra/fp_generic.h +533 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p128.h +91 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256k1.h +123 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p384.h +65 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p521.h +62 -0
- data/vendor/longfellow-zk/lib/algebra/fp_test.cc +522 -0
- data/vendor/longfellow-zk/lib/algebra/hash.h +39 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation.h +117 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc +74 -0
- data/vendor/longfellow-zk/lib/algebra/limb.h +153 -0
- data/vendor/longfellow-zk/lib/algebra/limb_test.cc +75 -0
- data/vendor/longfellow-zk/lib/algebra/nat.cc +32 -0
- data/vendor/longfellow-zk/lib/algebra/nat.h +212 -0
- data/vendor/longfellow-zk/lib/algebra/nat_test.cc +183 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc +138 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc +139 -0
- data/vendor/longfellow-zk/lib/algebra/permutations.h +79 -0
- data/vendor/longfellow-zk/lib/algebra/poly.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/poly_test.cc +123 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon.h +150 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h +108 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc +76 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_test.cc +473 -0
- data/vendor/longfellow-zk/lib/algebra/rfft.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/rfft_test.cc +102 -0
- data/vendor/longfellow-zk/lib/algebra/static_string.h +29 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep.h +495 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep_test.cc +41 -0
- data/vendor/longfellow-zk/lib/algebra/twiddle.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/utility.h +86 -0
- data/vendor/longfellow-zk/lib/algebra/utility_test.cc +86 -0
- data/vendor/longfellow-zk/lib/arrays/affine.h +56 -0
- data/vendor/longfellow-zk/lib/arrays/affine_test.cc +220 -0
- data/vendor/longfellow-zk/lib/arrays/dense.h +210 -0
- data/vendor/longfellow-zk/lib/arrays/eq.h +75 -0
- data/vendor/longfellow-zk/lib/arrays/eqs.h +137 -0
- data/vendor/longfellow-zk/lib/arrays/eqs_test.cc +151 -0
- data/vendor/longfellow-zk/lib/arrays/sparse.h +192 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder.h +323 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder_test.cc +541 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor.h +594 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck.h +110 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck_test.cc +55 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_test.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_testing.h +98 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_witness.h +312 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso2_test.cc +662 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso_test.cc +485 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan.h +104 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan_test.cc +137 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor.h +640 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_testing.h +99 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_witness.h +319 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/lexer_test.cc +120 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/mdoc_examples_test.cc +89 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_circuit_test.cc +506 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_size_test.cc +79 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_test.cc +473 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/canonicalization_test.cc +185 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/circuit_dump.h +65 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler.h +471 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler_test.cc +110 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/node.h +176 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/pdqhash.h +127 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/schedule.h +435 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h +371 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc +246 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_test.cc +587 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h +201 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h +247 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h +35 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc +183 -0
- data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc +102 -0
- data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic.h +1232 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_circuit_test.cc +310 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_test.cc +521 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp.h +68 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp_test.cc +148 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing.h +445 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing_test.cc +241 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary.h +55 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h +77 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h +37 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc +53 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc +69 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h +193 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc +223 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc +242 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_ids.h +311 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_circuit_id.cc +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_constants.h +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.cc +41 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_examples.h +5232 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_generate_circuit.cc +199 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_hash.h +554 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h +143 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc +444 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_test_attributes.h +157 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_witness.h +863 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.cc +693 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.h +216 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk_test.cc +724 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc +100 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc +155 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h +330 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit_test.cc +607 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_io.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.cc +163 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.h +47 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.cc +34 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_test_values.h +389 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/ptrcred.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small.h +218 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_examples.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_io.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_test.cc +208 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_witness.h +130 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode.h +508 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_circuit_test.cc +95 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_test.cc +119 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.cc +47 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit.h +231 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit_test.cc +428 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_witness.h +102 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt.h +190 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_constants.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_test.cc +559 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_witness.h +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f.h +411 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_io.h +32 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_test.cc +364 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_witness.h +278 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation.h +146 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_constants.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_test.cc +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_witness.h +136 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr.h +250 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_test.cc +333 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_witness.h +152 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44.h +903 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_circuit_test.cc +274 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_eval_test.cc +440 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.cc +8851 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.h +93 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.cc +24 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h +453 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc +49 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc +458 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test.cc +398 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors.inc +3618 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_pkdecode.inc +689 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_sigdecode.inc +1501 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/sigdecode_test_vectors.inc +540 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit.h +394 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit_test.cc +577 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_constants.h +90 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h +351 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit_test.cc +466 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.cc +207 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h +59 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc +153 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc +39 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h +31 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc +83 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/shake_test_vectors.h +477 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve.h +596 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve_test.cc +548 -0
- data/vendor/longfellow-zk/lib/ec/p256.cc +36 -0
- data/vendor/longfellow-zk/lib/ec/p256.h +60 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.cc +34 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.h +60 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128.h +503 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_bench.cc +48 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_test.cc +416 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2poly.h +74 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14.h +242 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc +75 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h +127 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc +110 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_test.cc +246 -0
- data/vendor/longfellow-zk/lib/gf2k/sysdep.h +329 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_param.h +449 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_prover.h +354 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_test.cc +136 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_transcript.h +67 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h +272 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h +104 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree.h +216 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree_test.cc +240 -0
- data/vendor/longfellow-zk/lib/proto/circuit.h +354 -0
- data/vendor/longfellow-zk/lib/proto/circuit_test.cc +202 -0
- data/vendor/longfellow-zk/lib/random/random.h +119 -0
- data/vendor/longfellow-zk/lib/random/random_test.cc +189 -0
- data/vendor/longfellow-zk/lib/random/secure_random_engine.h +37 -0
- data/vendor/longfellow-zk/lib/random/transcript.h +193 -0
- data/vendor/longfellow-zk/lib/random/transcript_test.cc +344 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit.h +148 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h +71 -0
- data/vendor/longfellow-zk/lib/sumcheck/equad.h +126 -0
- data/vendor/longfellow-zk/lib/sumcheck/hquad.h +115 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover.h +59 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover_layers.h +362 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad.h +227 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h +211 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc +169 -0
- data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc +324 -0
- data/vendor/longfellow-zk/lib/sumcheck/testing.h +69 -0
- data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h +85 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier.h +84 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h +221 -0
- data/vendor/longfellow-zk/lib/testing/test_main.cc +50 -0
- data/vendor/longfellow-zk/lib/util/ceildiv.h +164 -0
- data/vendor/longfellow-zk/lib/util/ceildiv_test.cc +152 -0
- data/vendor/longfellow-zk/lib/util/crc64.h +45 -0
- data/vendor/longfellow-zk/lib/util/crypto.cc +39 -0
- data/vendor/longfellow-zk/lib/util/crypto.h +108 -0
- data/vendor/longfellow-zk/lib/util/log.cc +110 -0
- data/vendor/longfellow-zk/lib/util/log.h +33 -0
- data/vendor/longfellow-zk/lib/util/panic.h +40 -0
- data/vendor/longfellow-zk/lib/util/readbuffer.h +67 -0
- data/vendor/longfellow-zk/lib/util/serialization.h +54 -0
- data/vendor/longfellow-zk/lib/zk/zk_common.h +455 -0
- data/vendor/longfellow-zk/lib/zk/zk_proof.h +378 -0
- data/vendor/longfellow-zk/lib/zk/zk_prover.h +202 -0
- data/vendor/longfellow-zk/lib/zk/zk_test.cc +340 -0
- data/vendor/longfellow-zk/lib/zk/zk_testing.h +154 -0
- data/vendor/longfellow-zk/lib/zk/zk_verifier.h +109 -0
- metadata +347 -0
|
@@ -0,0 +1,522 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#include "algebra/fp.h"
|
|
16
|
+
|
|
17
|
+
#include <array>
|
|
18
|
+
#include <cstddef>
|
|
19
|
+
#include <cstdint>
|
|
20
|
+
|
|
21
|
+
#include "algebra/bogorng.h"
|
|
22
|
+
#include "algebra/fp24.h"
|
|
23
|
+
#include "algebra/fp_p128.h"
|
|
24
|
+
#include "algebra/fp_p256.h"
|
|
25
|
+
#include "algebra/fp_p256k1.h"
|
|
26
|
+
#include "algebra/fp_p384.h"
|
|
27
|
+
#include "algebra/fp_p521.h"
|
|
28
|
+
#include "algebra/nat.h"
|
|
29
|
+
#include "benchmark/benchmark.h"
|
|
30
|
+
#include "gtest/gtest.h"
|
|
31
|
+
|
|
32
|
+
namespace proofs {
|
|
33
|
+
namespace {
|
|
34
|
+
|
|
35
|
+
template <class Field>
|
|
36
|
+
typename Field::Elt ckfrom_montgomery(typename Field::Elt a, const Field& F) {
|
|
37
|
+
EXPECT_EQ(F.from_montgomery_reference(a), F.from_montgomery(a));
|
|
38
|
+
EXPECT_EQ(a, F.to_montgomery(F.from_montgomery(a)));
|
|
39
|
+
return a;
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
template <class Field>
|
|
43
|
+
typename Field::Elt ckadd(typename Field::Elt a, typename Field::Elt b,
|
|
44
|
+
const Field& F) {
|
|
45
|
+
auto r = F.addf(a, b);
|
|
46
|
+
EXPECT_EQ(r, F.addf(b, a));
|
|
47
|
+
EXPECT_EQ(F.addf(r, F.two()), F.addf(F.addf(a, F.one()), F.addf(b, F.one())));
|
|
48
|
+
EXPECT_EQ(a, F.subf(r, b));
|
|
49
|
+
EXPECT_EQ(b, F.subf(r, a));
|
|
50
|
+
return r;
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
template <class Field>
|
|
54
|
+
typename Field::Elt cksub(typename Field::Elt a, typename Field::Elt b,
|
|
55
|
+
const Field& F) {
|
|
56
|
+
auto r = F.subf(a, b);
|
|
57
|
+
EXPECT_EQ(r, F.subf(F.addf(a, F.one()), F.addf(b, F.one())));
|
|
58
|
+
auto mr = F.subf(b, a);
|
|
59
|
+
EXPECT_EQ(mr, F.subf(F.addf(b, F.one()), F.addf(a, F.one())));
|
|
60
|
+
EXPECT_EQ(a, F.addf(b, r));
|
|
61
|
+
EXPECT_EQ(b, F.addf(a, mr));
|
|
62
|
+
EXPECT_EQ(F.zero(), F.addf(r, mr));
|
|
63
|
+
return r;
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
template <class Field>
|
|
67
|
+
typename Field::Elt ckmul(typename Field::Elt a, typename Field::Elt b,
|
|
68
|
+
const Field& F) {
|
|
69
|
+
auto r = F.mulf(a, b);
|
|
70
|
+
EXPECT_EQ(r, F.mulf(b, a));
|
|
71
|
+
|
|
72
|
+
auto ma = F.negf(a);
|
|
73
|
+
auto mb = F.negf(b);
|
|
74
|
+
EXPECT_EQ(r, F.mulf(ma, mb));
|
|
75
|
+
EXPECT_EQ(r, F.mulf(mb, ma));
|
|
76
|
+
return r;
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
template <class Field>
|
|
80
|
+
void fibonacci(const Field& F) {
|
|
81
|
+
auto a = F.one();
|
|
82
|
+
auto b = F.one();
|
|
83
|
+
|
|
84
|
+
for (size_t i = 0; i < 1000; i++) {
|
|
85
|
+
a = ckadd(a, b, F);
|
|
86
|
+
b = ckadd(b, a, F);
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
auto want = F.of_string(
|
|
90
|
+
"683570225957580664704539654917058010705540802936552456540755336779808245"
|
|
91
|
+
"440805401495453431895311380272660372676952344747823819219271452667793994"
|
|
92
|
+
"333830610140510541481970566409090181363729645376709552810486826470491443"
|
|
93
|
+
"352935557914873104468563413548773589795462984251694710149425357586969989"
|
|
94
|
+
"340097653954574021481981915195208508953842295456514672038375212197211572"
|
|
95
|
+
"5761141759114990448978941370030912401573418221496592822626");
|
|
96
|
+
|
|
97
|
+
EXPECT_EQ(a, want);
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
template <class Field>
|
|
101
|
+
void factorial(const Field& F) {
|
|
102
|
+
auto p = F.one();
|
|
103
|
+
auto fi = F.one();
|
|
104
|
+
for (uint64_t i = 1; i <= 337; ++i) {
|
|
105
|
+
p = ckmul(p, fi, F);
|
|
106
|
+
fi = ckadd(fi, F.one(), F);
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
auto want = F.of_string(
|
|
110
|
+
"130932804149088992546057261943598916651380085320056882046632369209980447"
|
|
111
|
+
"366486195583875107499552077757320239493552004852577547570260331861859535"
|
|
112
|
+
"521014367028762150336371971084184802220775697724840028097301334011793388"
|
|
113
|
+
"942370614718341215113319703287766478296719019864501440605926667194653195"
|
|
114
|
+
"515282444560161328301222855804492620971650056743347973226019758046208866"
|
|
115
|
+
"500052558105710981673345457144935004205153930768986245233790635907756296"
|
|
116
|
+
"677802809190469443074096751804464370890609618413796499897335752206338990"
|
|
117
|
+
"966921419488285779097481797799327000523783874784902588031943372895509486"
|
|
118
|
+
"862780297994201058534583425203348291866696425144320000000000000000000000"
|
|
119
|
+
"000000000000000000000000000000000000000000000000000000000000");
|
|
120
|
+
|
|
121
|
+
EXPECT_EQ(p, want);
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
template <class Field>
|
|
125
|
+
void mult(const Field& F) {
|
|
126
|
+
for (uint64_t i = 0; i < 10; ++i) {
|
|
127
|
+
for (uint64_t j = 0; j < 10; ++j) {
|
|
128
|
+
EXPECT_EQ(ckmul(F.of_scalar(i), F.of_scalar(j), F), F.of_scalar(i * j));
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
|
|
133
|
+
template <class Field>
|
|
134
|
+
void inverse(const Field& F) {
|
|
135
|
+
for (uint64_t i = 0; i < 1000; ++i) {
|
|
136
|
+
auto x = F.of_scalar(i);
|
|
137
|
+
F.invert(x);
|
|
138
|
+
if (i == 0) {
|
|
139
|
+
EXPECT_EQ(ckmul(F.of_scalar(i), x, F), F.zero());
|
|
140
|
+
} else {
|
|
141
|
+
EXPECT_EQ(ckmul(F.of_scalar(i), x, F), F.one());
|
|
142
|
+
}
|
|
143
|
+
}
|
|
144
|
+
}
|
|
145
|
+
|
|
146
|
+
template <class Field>
|
|
147
|
+
void neg(const Field& F) {
|
|
148
|
+
for (uint64_t i = 0; i < 1000; ++i) {
|
|
149
|
+
auto x = F.of_scalar(i);
|
|
150
|
+
F.neg(x);
|
|
151
|
+
EXPECT_EQ(ckadd(F.of_scalar(i), x, F), F.zero());
|
|
152
|
+
EXPECT_EQ(ckadd(F.of_scalar(i), F.negf(F.of_scalar(i)), F), F.zero());
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
template <class Field>
|
|
157
|
+
void of_scalar(const Field& F) {
|
|
158
|
+
std::array<uint64_t, Field::kU64> n;
|
|
159
|
+
for (size_t i = 0; i < Field::kU64; ++i) {
|
|
160
|
+
n[i] = i + 47;
|
|
161
|
+
}
|
|
162
|
+
auto want = F.zero();
|
|
163
|
+
auto base = F.of_scalar(1ull << 16);
|
|
164
|
+
F.mul(base, base); // base = 2^32
|
|
165
|
+
F.mul(base, base); // base = 2^64
|
|
166
|
+
for (size_t i = Field::kU64; i-- > 0;) {
|
|
167
|
+
want = F.addf(F.of_scalar(i + 47), F.mulf(base, want));
|
|
168
|
+
}
|
|
169
|
+
EXPECT_EQ(F.of_scalar_field(n), want);
|
|
170
|
+
|
|
171
|
+
// check the identity
|
|
172
|
+
// of_scalar(sum_i b[i] 2^i) = sum_i b[i] beta(i)
|
|
173
|
+
|
|
174
|
+
// small integers k = sum_i b[i] 2^i
|
|
175
|
+
for (uint64_t k = 0; k < 1000; ++k) {
|
|
176
|
+
auto sum = F.zero();
|
|
177
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
178
|
+
uint64_t bit = (k >> i) & 1;
|
|
179
|
+
if (bit) {
|
|
180
|
+
F.add(sum, F.beta(i));
|
|
181
|
+
}
|
|
182
|
+
}
|
|
183
|
+
EXPECT_EQ(F.of_scalar(k), sum);
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
// powers of two
|
|
187
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
188
|
+
uint64_t k = static_cast<uint64_t>(1) << i;
|
|
189
|
+
if (F.fits(k)) {
|
|
190
|
+
EXPECT_EQ(F.of_scalar(k), F.beta(i));
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
|
|
195
|
+
template <size_t WX, class Field>
|
|
196
|
+
void reduce(const Field& F) {
|
|
197
|
+
auto e = F.one();
|
|
198
|
+
const Nat<WX> one(1);
|
|
199
|
+
Nat<WX> n(1);
|
|
200
|
+
|
|
201
|
+
// test all 2^i and 2^i - 1
|
|
202
|
+
for (size_t i = 0; i < Nat<WX>::kBits; ++i) {
|
|
203
|
+
auto x = F.reduce(n);
|
|
204
|
+
EXPECT_EQ(x, e);
|
|
205
|
+
|
|
206
|
+
auto em1 = F.subf(e, F.of_scalar(1));
|
|
207
|
+
auto nm1 = n;
|
|
208
|
+
nm1.sub(one);
|
|
209
|
+
auto xm1 = F.reduce(nm1);
|
|
210
|
+
EXPECT_EQ(xm1, em1);
|
|
211
|
+
|
|
212
|
+
F.add(e, e);
|
|
213
|
+
n.add(n);
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
template <class Field>
|
|
218
|
+
void dot(const Field& F) {
|
|
219
|
+
constexpr size_t n = 20;
|
|
220
|
+
std::vector<Nat<1>> e(n);
|
|
221
|
+
std::vector<typename Field::NatScaledForDot> d(n);
|
|
222
|
+
|
|
223
|
+
uint64_t want = 0;
|
|
224
|
+
for (size_t i = 0; i < n; ++i) {
|
|
225
|
+
uint64_t ei = i * i + 3;
|
|
226
|
+
uint64_t di = i + 7;
|
|
227
|
+
e[i] = Nat<1>(ei);
|
|
228
|
+
d[i] = F.prescale_for_dot(F.of_scalar(di));
|
|
229
|
+
want += ei * di;
|
|
230
|
+
}
|
|
231
|
+
auto got = F.dot(n, e.data(), d.data());
|
|
232
|
+
EXPECT_EQ(got, F.of_scalar(want));
|
|
233
|
+
}
|
|
234
|
+
|
|
235
|
+
// test add/sub around the -1..0 boundary in raw (not montgomery)
|
|
236
|
+
// space where wraparound occurs
|
|
237
|
+
template <class Field>
|
|
238
|
+
void wraparound(const Field& F) {
|
|
239
|
+
int k = 32;
|
|
240
|
+
auto f2k = F.of_scalar(2 * k);
|
|
241
|
+
for (int i = -k; i <= k; ++i) {
|
|
242
|
+
for (int j = -k; j <= k; ++j) {
|
|
243
|
+
// cannot convert i, j via of_scalar, so hack around it.
|
|
244
|
+
auto fi = F.subf(f2k, F.of_scalar(i + 2 * k));
|
|
245
|
+
auto fj = F.subf(f2k, F.of_scalar(j + 2 * k));
|
|
246
|
+
fi = ckfrom_montgomery(fi, F);
|
|
247
|
+
fj = ckfrom_montgomery(fj, F);
|
|
248
|
+
|
|
249
|
+
auto fa = F.subf(f2k, F.of_scalar(i + j + 2 * k));
|
|
250
|
+
auto fs = F.subf(f2k, F.of_scalar(i - j + 2 * k));
|
|
251
|
+
fa = ckfrom_montgomery(fa, F);
|
|
252
|
+
fs = ckfrom_montgomery(fs, F);
|
|
253
|
+
|
|
254
|
+
auto a = ckadd(fi, fj, F);
|
|
255
|
+
auto s = cksub(fi, fj, F);
|
|
256
|
+
EXPECT_EQ(a, fa);
|
|
257
|
+
EXPECT_EQ(s, fs);
|
|
258
|
+
}
|
|
259
|
+
}
|
|
260
|
+
}
|
|
261
|
+
|
|
262
|
+
template <class Field>
|
|
263
|
+
void poly_evaluation_points(const Field& F) {
|
|
264
|
+
constexpr size_t N = Field::kNPolyEvaluationPoints;
|
|
265
|
+
for (size_t i = 0; i < N; i++) {
|
|
266
|
+
for (size_t j = 0; j < N; j++) {
|
|
267
|
+
if (i != j) {
|
|
268
|
+
EXPECT_NE(F.poly_evaluation_point(i), F.poly_evaluation_point(j));
|
|
269
|
+
}
|
|
270
|
+
}
|
|
271
|
+
}
|
|
272
|
+
|
|
273
|
+
for (size_t i = 1; i < N; i++) {
|
|
274
|
+
for (size_t k = N; k-- > i;) {
|
|
275
|
+
auto dx =
|
|
276
|
+
F.subf(F.poly_evaluation_point(k), F.poly_evaluation_point(k - i));
|
|
277
|
+
EXPECT_EQ(F.one(), F.mulf(dx, F.newton_denominator(k, i)));
|
|
278
|
+
}
|
|
279
|
+
}
|
|
280
|
+
}
|
|
281
|
+
|
|
282
|
+
template <class Field>
|
|
283
|
+
void onefield(const Field& F) {
|
|
284
|
+
mult(F);
|
|
285
|
+
factorial(F);
|
|
286
|
+
fibonacci(F);
|
|
287
|
+
wraparound(F);
|
|
288
|
+
neg(F);
|
|
289
|
+
inverse(F);
|
|
290
|
+
of_scalar(F);
|
|
291
|
+
poly_evaluation_points(F);
|
|
292
|
+
if (F.kSupportsDot) {
|
|
293
|
+
dot(F);
|
|
294
|
+
reduce<1>(F);
|
|
295
|
+
reduce<2>(F);
|
|
296
|
+
reduce<3>(F);
|
|
297
|
+
reduce<4>(F);
|
|
298
|
+
reduce<5>(F);
|
|
299
|
+
reduce<6>(F);
|
|
300
|
+
reduce<30>(F);
|
|
301
|
+
}
|
|
302
|
+
|
|
303
|
+
EXPECT_EQ(F.zero(), F.addf(F.one(), F.mone()));
|
|
304
|
+
EXPECT_EQ(F.one(), F.addf(F.half(), F.half()));
|
|
305
|
+
EXPECT_EQ(F.two(), F.addf(F.one(), F.one()));
|
|
306
|
+
|
|
307
|
+
const uint64_t c = 0x123456789abcdef0ull;
|
|
308
|
+
if (F.fits(c)) {
|
|
309
|
+
EXPECT_EQ(F.of_string("0x123456789abcdef0"), F.of_scalar(c));
|
|
310
|
+
EXPECT_EQ(F.of_string("0X123456789ABCDEF0"), F.of_scalar(c));
|
|
311
|
+
}
|
|
312
|
+
}
|
|
313
|
+
|
|
314
|
+
TEST(Fp, AllSizes) {
|
|
315
|
+
onefield(Fp24(8380417)); // ML-DSA44 prime
|
|
316
|
+
onefield(Fp24(16777213)); // largest 24-bit prime
|
|
317
|
+
onefield(Fp<1>("18446744073709551557"));
|
|
318
|
+
onefield(Fp<2>("340282366920938463463374607431768211297"));
|
|
319
|
+
onefield(Fp<3>("6277101735386680763835789423207666416102355444464034512659"));
|
|
320
|
+
onefield(
|
|
321
|
+
Fp<4>("115792089237316195423570985008687907853269984665640564039457584007"
|
|
322
|
+
"913129639747"));
|
|
323
|
+
onefield(
|
|
324
|
+
Fp<5>("213598703592091008239502170616955211460270452235665276994704160782"
|
|
325
|
+
"2219725780640550022962086936379"));
|
|
326
|
+
onefield(
|
|
327
|
+
Fp<6>("394020061963944792122790401001436138050797392704654466679482934042"
|
|
328
|
+
"45721771497210611414266254884915640806627990306499"));
|
|
329
|
+
onefield(Fp256<>());
|
|
330
|
+
onefield(Fp256k1<>());
|
|
331
|
+
onefield(Fp128<>());
|
|
332
|
+
onefield(Fp384<>());
|
|
333
|
+
onefield(Fp521<>());
|
|
334
|
+
|
|
335
|
+
// Our field implementation "works" in a ring.
|
|
336
|
+
// 3906555671 * 4254597877 = 16620823464218910467
|
|
337
|
+
onefield(Fp<1>("16620823464218910467"));
|
|
338
|
+
// 1057848127303065953 * 2108036397730900859 =
|
|
339
|
+
// 2229982355626334583552843599381353627
|
|
340
|
+
onefield(Fp<2>("2229982355626334583552843599381353627"));
|
|
341
|
+
}
|
|
342
|
+
|
|
343
|
+
TEST(Fp, ExactBits) {
|
|
344
|
+
Fp<1> F17("17");
|
|
345
|
+
EXPECT_EQ(F17.exact_bits_, 5); // 17 is 10001 in binary, which is 5 bits
|
|
346
|
+
|
|
347
|
+
Fp<1> F_large("18446744073709551557"); // Near 2^64
|
|
348
|
+
EXPECT_EQ(F_large.exact_bits_, 64);
|
|
349
|
+
|
|
350
|
+
Fp256k1<> F_secp256k1;
|
|
351
|
+
// secp256k1 modulus is 256 bits exactly
|
|
352
|
+
EXPECT_EQ(F_secp256k1.exact_bits_, 256);
|
|
353
|
+
|
|
354
|
+
Fp384<> F_p384;
|
|
355
|
+
EXPECT_EQ(F_p384.exact_bits_, 384);
|
|
356
|
+
|
|
357
|
+
Fp521<> F_p521;
|
|
358
|
+
EXPECT_EQ(F_p521.exact_bits_, 521);
|
|
359
|
+
}
|
|
360
|
+
|
|
361
|
+
TEST(Fp, SmallField) {
|
|
362
|
+
Fp<1> F17("17");
|
|
363
|
+
F17.of_scalar(0);
|
|
364
|
+
F17.of_scalar(1);
|
|
365
|
+
F17.of_scalar(2);
|
|
366
|
+
|
|
367
|
+
uint8_t bad[8] = {17, 0, 0, 0, 0, 0, 0, 0};
|
|
368
|
+
EXPECT_FALSE(F17.of_bytes_field(bad).has_value());
|
|
369
|
+
EXPECT_FALSE(F17.of_bytes_subfield(bad).has_value());
|
|
370
|
+
}
|
|
371
|
+
|
|
372
|
+
TEST(Fp, RootOfUnity) {
|
|
373
|
+
Fp<4> F(
|
|
374
|
+
"218882428718392752222464057452572750885483644004160343436982041865758084"
|
|
375
|
+
"95617");
|
|
376
|
+
auto omega = F.of_string(
|
|
377
|
+
"191032190679217139442913928276920700361456519573292863153056420048214621"
|
|
378
|
+
"61904");
|
|
379
|
+
for (size_t i = 0; i < 28; ++i) {
|
|
380
|
+
EXPECT_NE(omega, F.one());
|
|
381
|
+
omega = ckmul(omega, omega, F);
|
|
382
|
+
}
|
|
383
|
+
EXPECT_EQ(omega, F.one());
|
|
384
|
+
}
|
|
385
|
+
|
|
386
|
+
TEST(Fp, InverseSecp256k1) {
|
|
387
|
+
Fp<4> F(
|
|
388
|
+
"11579208923731619542357098500868790785326998466564056403945758400790"
|
|
389
|
+
"8834671663");
|
|
390
|
+
|
|
391
|
+
// invert a bunch of powers of two
|
|
392
|
+
auto t = F.one();
|
|
393
|
+
for (int i = 0; i < 1000; ++i) {
|
|
394
|
+
auto ti = F.invertf(t);
|
|
395
|
+
auto one = F.mulf(t, ti);
|
|
396
|
+
EXPECT_EQ(one, F.one());
|
|
397
|
+
// inverse(inverse(x)) =? x
|
|
398
|
+
auto tii = F.invertf(ti);
|
|
399
|
+
EXPECT_EQ(t, tii);
|
|
400
|
+
|
|
401
|
+
F.add(t, t);
|
|
402
|
+
}
|
|
403
|
+
}
|
|
404
|
+
|
|
405
|
+
TEST(Fp, castable) {
|
|
406
|
+
Fp<4> F(
|
|
407
|
+
"11579208923731619542357098500868790785326998466564056403945758400790"
|
|
408
|
+
"8834671663");
|
|
409
|
+
uint8_t b[32] = {0xDD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
410
|
+
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
411
|
+
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
|
412
|
+
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
|
|
413
|
+
EXPECT_FALSE(F.of_bytes_field(b));
|
|
414
|
+
b[31] = 0xEF;
|
|
415
|
+
EXPECT_TRUE(F.of_bytes_field(b));
|
|
416
|
+
}
|
|
417
|
+
|
|
418
|
+
// ======= Benchmarks ============
|
|
419
|
+
|
|
420
|
+
template <class Field>
|
|
421
|
+
void bench_add(const Field& F, benchmark::State& state) {
|
|
422
|
+
Bogorng<Field> rng(&F);
|
|
423
|
+
auto a = rng.next();
|
|
424
|
+
for (auto _ : state) {
|
|
425
|
+
a = F.addf(a, a);
|
|
426
|
+
benchmark::DoNotOptimize(a);
|
|
427
|
+
}
|
|
428
|
+
}
|
|
429
|
+
|
|
430
|
+
template <class Field>
|
|
431
|
+
void bench_mul(const Field& F, benchmark::State& state) {
|
|
432
|
+
Bogorng<Field> rng(&F);
|
|
433
|
+
auto a = rng.next();
|
|
434
|
+
for (auto _ : state) {
|
|
435
|
+
a = F.mulf(a, a);
|
|
436
|
+
benchmark::DoNotOptimize(a);
|
|
437
|
+
}
|
|
438
|
+
}
|
|
439
|
+
|
|
440
|
+
void BM_Fp24_add(benchmark::State& state) {
|
|
441
|
+
const Fp24 F(16777213);
|
|
442
|
+
bench_add(F, state);
|
|
443
|
+
}
|
|
444
|
+
BENCHMARK(BM_Fp24_add);
|
|
445
|
+
|
|
446
|
+
void BM_Fp1_add(benchmark::State& state) {
|
|
447
|
+
const Fp<1> F("18446744073709551557");
|
|
448
|
+
bench_add(F, state);
|
|
449
|
+
}
|
|
450
|
+
BENCHMARK(BM_Fp1_add);
|
|
451
|
+
|
|
452
|
+
void BM_p256_add(benchmark::State& state) {
|
|
453
|
+
const Fp256<true> F;
|
|
454
|
+
bench_add(F, state);
|
|
455
|
+
}
|
|
456
|
+
BENCHMARK(BM_p256_add);
|
|
457
|
+
|
|
458
|
+
void BM_p256k1_add(benchmark::State& state) {
|
|
459
|
+
const Fp256k1<true> F;
|
|
460
|
+
bench_add(F, state);
|
|
461
|
+
}
|
|
462
|
+
BENCHMARK(BM_p256k1_add);
|
|
463
|
+
|
|
464
|
+
void BM_p384_add(benchmark::State& state) {
|
|
465
|
+
const Fp384<true> F;
|
|
466
|
+
bench_add(F, state);
|
|
467
|
+
}
|
|
468
|
+
BENCHMARK(BM_p384_add);
|
|
469
|
+
|
|
470
|
+
void BM_p521_add(benchmark::State& state) {
|
|
471
|
+
const Fp521<true> F;
|
|
472
|
+
bench_add(F, state);
|
|
473
|
+
}
|
|
474
|
+
BENCHMARK(BM_p521_add);
|
|
475
|
+
|
|
476
|
+
void BM_Fp24_mul(benchmark::State& state) {
|
|
477
|
+
const Fp24 F(16777213);
|
|
478
|
+
bench_mul(F, state);
|
|
479
|
+
}
|
|
480
|
+
BENCHMARK(BM_Fp24_mul);
|
|
481
|
+
|
|
482
|
+
void BM_Fp1_mul(benchmark::State& state) {
|
|
483
|
+
const Fp<1> F("18446744073709551557");
|
|
484
|
+
bench_mul(F, state);
|
|
485
|
+
}
|
|
486
|
+
BENCHMARK(BM_Fp1_mul);
|
|
487
|
+
|
|
488
|
+
void BM_p256_mul(benchmark::State& state) {
|
|
489
|
+
const Fp256<true> F;
|
|
490
|
+
bench_mul(F, state);
|
|
491
|
+
}
|
|
492
|
+
BENCHMARK(BM_p256_mul);
|
|
493
|
+
|
|
494
|
+
void BM_p256k1_mul(benchmark::State& state) {
|
|
495
|
+
const Fp256k1<true> F;
|
|
496
|
+
bench_mul(F, state);
|
|
497
|
+
}
|
|
498
|
+
BENCHMARK(BM_p256k1_mul);
|
|
499
|
+
|
|
500
|
+
void BM_p384_mul(benchmark::State& state) {
|
|
501
|
+
const Fp384<true> F;
|
|
502
|
+
bench_mul(F, state);
|
|
503
|
+
}
|
|
504
|
+
BENCHMARK(BM_p384_mul);
|
|
505
|
+
|
|
506
|
+
// Bench
|
|
507
|
+
void BM_p384_mul_normal(benchmark::State& state) {
|
|
508
|
+
const Fp<6, true> F(
|
|
509
|
+
"394020061963944792122790401001436138050797392704654466679482934042457217"
|
|
510
|
+
"71496870329047266088258938001861606973112319");
|
|
511
|
+
bench_mul(F, state);
|
|
512
|
+
}
|
|
513
|
+
BENCHMARK(BM_p384_mul_normal);
|
|
514
|
+
|
|
515
|
+
void BM_p521_mul(benchmark::State& state) {
|
|
516
|
+
const Fp521<true> F;
|
|
517
|
+
bench_mul(F, state);
|
|
518
|
+
}
|
|
519
|
+
BENCHMARK(BM_p521_mul);
|
|
520
|
+
|
|
521
|
+
} // namespace
|
|
522
|
+
} // namespace proofs
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_HASH_H_
|
|
16
|
+
#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_HASH_H_
|
|
17
|
+
|
|
18
|
+
#include <cstddef>
|
|
19
|
+
#include <cstdint>
|
|
20
|
+
|
|
21
|
+
#include "util/crc64.h"
|
|
22
|
+
|
|
23
|
+
namespace proofs {
|
|
24
|
+
|
|
25
|
+
// canonical hash of an Elt
|
|
26
|
+
template <class Field>
|
|
27
|
+
uint64_t elt_hash(const typename Field::Elt& k, const Field& F) {
|
|
28
|
+
uint64_t crc = 0x1;
|
|
29
|
+
uint8_t buf[Field::kBytes];
|
|
30
|
+
F.to_bytes_field(buf, k);
|
|
31
|
+
for (size_t l = 0; l < Field::kBytes; ++l) {
|
|
32
|
+
crc = crc64::update(crc, buf[l], 8);
|
|
33
|
+
}
|
|
34
|
+
return crc;
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
} // namespace proofs
|
|
38
|
+
|
|
39
|
+
#endif // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_HASH_H_
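Review bot: The comment `// canonical hash of an Elt` above `elt_hash` does not say that the result is a CRC-64 checksum, which catches accidental differences but gives no collision resistance against a party who chooses the field elements. I would spell that out, e.g. `// Non-cryptographic CRC-64 over the canonical byte encoding of k; not collision-resistant, do not use for commitments or transcript hashing.` If callers key tables on elements supplied by a prover or another untrusted party, a keyed hash would be the safer choice, but the callers are outside this file, so that depends on usage not visible here.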
|
|
@@ -0,0 +1,117 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_INTERPOLATION_H_
|
|
16
|
+
#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_INTERPOLATION_H_
|
|
17
|
+
|
|
18
|
+
#include <cstddef>
|
|
19
|
+
|
|
20
|
+
#include "algebra/poly.h"
|
|
21
|
+
|
|
22
|
+
namespace proofs {
|
|
23
|
+
// General-purpose polynomial interpolation routines,
|
|
24
|
+
// which operate on arbitrary points at the cost of
|
|
25
|
+
// computing inverses in the field.
|
|
26
|
+
// These static functions are grouped into a class due
|
|
27
|
+
// to the common template arguments.
|
|
28
|
+
template <size_t N, class Field>
|
|
29
|
+
class Interpolation {
|
|
30
|
+
public:
|
|
31
|
+
static const size_t kN = N;
|
|
32
|
+
using Elt = typename Field::Elt;
|
|
33
|
+
using PolyN = Poly<N, Field>;
|
|
34
|
+
|
|
35
|
+
// Throughout, X are the evaluation points.
|
|
36
|
+
|
|
37
|
+
// Lagrange basis to Newton
|
|
38
|
+
static void newton_of_lagrange_inplace(PolyN &A, const PolyN &X,
|
|
39
|
+
const Field &F) {
|
|
40
|
+
// Cache one element E and its inverse. In the common
|
|
41
|
+
// case where the points X are in an arithmetic sequence,
|
|
42
|
+
// this cache avoids the computation of most inverses.
|
|
43
|
+
Elt e = F.one(), inve = F.one();
|
|
44
|
+
|
|
45
|
+
for (size_t i = 1; i < N; i++) {
|
|
46
|
+
for (size_t k = N; k-- > i;) {
|
|
47
|
+
Elt dx = F.subf(X[k], X[k - i]);
|
|
48
|
+
if (dx != e) {
|
|
49
|
+
e = dx;
|
|
50
|
+
inve = F.invertf(dx);
|
|
51
|
+
}
|
|
52
|
+
A[k] = F.mulf(F.subf(A[k], A[k - 1]), inve);
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
static PolyN newton_of_lagrange(const PolyN &L, const PolyN &X,
|
|
58
|
+
const Field &F) {
|
|
59
|
+
PolyN A = L;
|
|
60
|
+
newton_of_lagrange_inplace(A, X, F);
|
|
61
|
+
return A;
|
|
62
|
+
}
|
|
63
|
+
|
|
64
|
+
// evaluation in Newton basis
|
|
65
|
+
static Elt eval_newton(PolyN &Newton, const PolyN &X, const Elt &x,
|
|
66
|
+
const Field &F) {
|
|
67
|
+
Elt e{};
|
|
68
|
+
|
|
69
|
+
for (size_t i = N; i-- > 0;) {
|
|
70
|
+
e = F.addf(Newton[i], F.mulf(e, F.subf(x, X[i])));
|
|
71
|
+
}
|
|
72
|
+
return e;
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
// Newton basis to monomial basis (i.e., coefficients)
|
|
76
|
+
static void monomial_of_newton_inplace(PolyN &A, const PolyN &X,
|
|
77
|
+
const Field &F) {
|
|
78
|
+
for (size_t i = N; i-- > 0;) {
|
|
79
|
+
for (size_t k = i + 1; k < N; ++k) {
|
|
80
|
+
A[k - 1] = F.subf(A[k - 1], F.mulf(A[k], X[i]));
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
static PolyN monomial_of_newton(const PolyN &Newton, const PolyN &X,
|
|
86
|
+
const Field &F) {
|
|
87
|
+
PolyN A = Newton;
|
|
88
|
+
monomial_of_newton_inplace(A, X, F);
|
|
89
|
+
return A;
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
// evaluation in the monomial basis
|
|
93
|
+
static Elt eval_monomial(PolyN &M, const Elt &x, const Field &F) {
|
|
94
|
+
Elt e{};
|
|
95
|
+
|
|
96
|
+
for (size_t i = N; i-- > 0;) {
|
|
97
|
+
e = F.addf(M[i], F.mulf(e, x));
|
|
98
|
+
}
|
|
99
|
+
return e;
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
static void monomial_of_lagrange_inplace(PolyN &A, const PolyN &X,
|
|
103
|
+
const Field &F) {
|
|
104
|
+
newton_of_lagrange_inplace(A, X, F);
|
|
105
|
+
monomial_of_newton_inplace(A, X, F);
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
static PolyN monomial_of_lagrange(const PolyN &L, const PolyN &X,
|
|
109
|
+
const Field &F) {
|
|
110
|
+
PolyN A = L;
|
|
111
|
+
monomial_of_lagrange_inplace(A, X, F);
|
|
112
|
+
return A;
|
|
113
|
+
}
|
|
114
|
+
};
|
|
115
|
+
} // namespace proofs
|
|
116
|
+
|
|
117
|
+
#endif // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_INTERPOLATION_H_
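Review bot: `newton_of_lagrange_inplace` inverts `dx = X[k] - X[k - i]` without stating that the evaluation points must be pairwise distinct; with a repeated point `dx` is zero and `F.invertf(dx)` is handed a non-invertible element, and what `invertf` does in that case is defined outside this file. The class comment says the routines operate on arbitrary points, so the precondition deserves a line next to it, e.g. `// Precondition: X[0..N-1] are pairwise distinct (every difference X[k] - X[j] must be invertible in F).` If X can ever be derived from untrusted input, an explicit check or failure path before the `invertf` call would be worth adding. Separately, `eval_newton` and `eval_monomial` only read their polynomial argument and could take `const PolyN &`, as the `X` parameter already does.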
|