longfellow 0.1.0

data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc

@@ -0,0 +1,74 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/interpolation.h"
+
+#include <cstddef>
+
+#include "algebra/fp.h"
+#include "algebra/poly.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+using Field = Fp<1>;
+using Elt = typename Field::Elt;
+static constexpr size_t N = 37;
+
+using Interpolation = Interpolation<N, Field>;
+using Poly = Poly<N, Field>;
+const Field F("18446744073709551557");
+
+TEST(Interpolation, Simple) {
+  Poly X, M;
+
+  // arbitrary points and coefficients
+  for (size_t i = 0; i < N; ++i) {
+    X[i] = F.of_scalar(i * i + 3 * i + 37);
+    M[i] = F.of_scalar(i * i * i + (i & 0xF) + (i ^ (i << 2)));
+  }
+
+  // lagrange basis
+  Poly L;
+  for (size_t i = 0; i < N; ++i) {
+    L[i] = Interpolation::eval_monomial(M, X[i], F);
+  }
+
+  // newton basis
+  auto Newton = Interpolation::newton_of_lagrange(L, X, F);
+
+  // evaluation in newton and monomial bases must agree
+  for (size_t i = 0; i < 1000; ++i) {
+    Elt x = F.of_scalar(i);
+    EXPECT_EQ(Interpolation::eval_newton(Newton, X, x, F),
+              Interpolation::eval_monomial(M, x, F));
+  }
+
+  auto M2 = Interpolation::monomial_of_newton(Newton, X, F);
+
+  // monomial coefficients must agree
+  for (size_t i = 0; i < N; ++i) {
+    EXPECT_EQ(M[i], M2[i]);
+  }
+
+  auto M3 = Interpolation::monomial_of_lagrange(L, X, F);
+
+  // monomial coefficients must agree
+  for (size_t i = 0; i < N; ++i) {
+    EXPECT_EQ(M[i], M3[i]);
+  }
+}
+}  // namespace
+}  // namespace proofs
+

data/vendor/longfellow-zk/lib/algebra/limb.h

@@ -0,0 +1,153 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_LIMB_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_LIMB_H_
+
+#include <array>
+#include <cstddef>
+#include <cstdint>
+
+#include "util/serialization.h"
+
+namespace proofs {
+
+// Base class for representing bignum or bigpoly as arrays of
+// machine-dependent "limbs".  The serialization is in this
+// class; arithmetic is in subclasses.
+
+template <size_t W64>
+class Limb {
+ public:
+  using T = Limb<W64>;
+
+#if __WORDSIZE == 64
+  // Use the native word size as the limb size.  However, changing
+  // limb_t to uint32_t is expected to work at least on x86_64, as a
+  // way to test 32-bit arithmetic without cross-compiling
+  using limb_t = uint64_t;
+#else
+  using limb_t = uint32_t;
+#endif
+
+  // sizes in bytes, bits, limbs, uint64_t
+  static constexpr size_t kBytes = 8 * W64;
+  static constexpr size_t kBits = 64 * W64;
+  static constexpr size_t kLimbs = kBytes / sizeof(limb_t);
+  static constexpr size_t kU64 = W64;
+  static constexpr size_t kBitsPerLimb = 8 * sizeof(limb_t);
+
+  // no rounding allowed
+  static_assert(kLimbs * sizeof(limb_t) == kBytes);
+
+  limb_t limb_[kLimbs];
+
+  Limb() = default;  // uninitialized
+  explicit Limb(uint64_t x) : limb_{} { assign(limb_, 1, &x); }
+
+  explicit Limb(const std::array<uint64_t, kU64>& a) : limb_{} {
+    assign(limb_, kU64, &a[0]);
+  }
+
+  std::array<uint64_t, kU64> u64() const {
+    std::array<uint64_t, kU64> a;
+    unassign(limb_, kU64, &a[0]);
+    return a;
+  }
+
+  void to_bytes(uint8_t a[/* kBytes */]) const {
+    for (size_t i = 0; i < kLimbs; ++i) {
+      a = to_bytes(&limb_[i], a);
+    }
+  }
+
+  bool operator==(const T& other) const {
+    for (size_t i = 0; i < kLimbs; ++i) {
+      if (limb_[i] != other.limb_[i]) {
+        return false;
+      }
+    }
+    return true;
+  }
+  bool operator!=(const T& other) const { return !(operator==(other)); }
+
+  // Shift right by z.  Return the bits that fall off
+  // the edge.
+  limb_t shiftr(size_t z) {
+    limb_t c = 0;
+    for (size_t i = kLimbs; i-- > 0;) {
+      limb_t d = limb_[i];
+      limb_[i] = c | (d >> z);
+      c = d << (kBitsPerLimb - z);
+    }
+    return c;
+  }
+
+  // Returns the pos-th bit in the representation of this nat.
+  limb_t bit(size_t pos) const {
+    size_t ind = pos / kBitsPerLimb;
+    if (ind < kLimbs) {
+      size_t off = pos % kBitsPerLimb;
+      return (limb_[ind] >> off) & 0x1u;
+    }
+    return 0;
+  }
+
+ protected:
+  static void assign(uint64_t d[], size_t ns, const uint64_t s[/*ns*/]) {
+    for (size_t i = 0; i < ns; ++i) {
+      d[i] = s[i];
+    }
+  }
+
+  static void assign(uint32_t d[], size_t ns, const uint64_t s[/*ns*/]) {
+    for (size_t i = 0; i < ns; ++i) {
+      d[2 * i] = static_cast<uint32_t>(s[i]);
+      d[2 * i + 1] = static_cast<uint32_t>(s[i] >> 32);
+    }
+  }
+
+  static void unassign(const uint64_t d[], size_t ns, uint64_t s[/*ns*/]) {
+    for (size_t i = 0; i < ns; ++i) {
+      s[i] = d[i];
+    }
+  }
+
+  static void unassign(const uint32_t d[], size_t ns, uint64_t s[/*ns*/]) {
+    for (size_t i = 0; i < ns; ++i) {
+      s[i] = d[2 * i] | (static_cast<uint64_t>(d[2 * i + 1]) << 32);
+    }
+  }
+
+  static const uint8_t* of_bytes(uint64_t* r, const uint8_t* a) {
+    *r = u64_of_le(a);
+    return a + 8;
+  }
+  static const uint8_t* of_bytes(uint32_t* r, const uint8_t* a) {
+    *r = u32_of_le(a);
+    return a + 4;
+  }
+
+  static uint8_t* to_bytes(const uint64_t* r, uint8_t* a) {
+    u64_to_le(a, *r);
+    return a + 8;
+  }
+  static uint8_t* to_bytes(const uint32_t* r, uint8_t* a) {
+    u32_to_le(a, *r);
+    return a + 4;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_LIMB_H_

data/vendor/longfellow-zk/lib/algebra/limb_test.cc

@@ -0,0 +1,75 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/limb.h"
+
+#include <array>
+#include <cstdint>
+#include <cstdlib>
+
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+TEST(Limb, Scalar) {
+  constexpr size_t W = 4;
+  Limb<W> k42 = Limb<W>(42);
+  EXPECT_EQ(k42, k42);
+
+  auto k42u64 = k42.u64();
+  EXPECT_EQ(k42u64[0], 42u);
+  for (size_t i = 1; i < 4; ++i) {
+    EXPECT_EQ(k42u64[i], 0u);
+  }
+
+  uint8_t bytes[32];
+  k42.to_bytes(bytes);
+  EXPECT_EQ(bytes[0], 42);
+  for (size_t i = 1; i < 32; ++i) {
+    EXPECT_EQ(bytes[i], 0u);
+  }
+}
+
+TEST(Limb, Array) {
+  constexpr size_t W = 4;
+  std::array<uint64_t, W> k = {
+      0x0706050403020100ull,
+      0x0f0e0d0c0b0a0908ull,
+      0x1716151413121110ull,
+      0x1f1e1d1c1b1a1918ull,
+  };
+  Limb<W> kk = Limb<W>(k);
+  EXPECT_EQ(kk, kk);
+
+  auto kku64 = kk.u64();
+  for (size_t i = 0; i < 4; ++i) {
+    EXPECT_EQ(kku64[i], k[i]);
+  }
+
+  uint8_t bytes[32];
+  kk.to_bytes(bytes);
+  for (size_t i = 0; i < 32; ++i) {
+    EXPECT_EQ(bytes[i], i);
+  }
+
+  kk.shiftr(8);
+  kk.to_bytes(bytes);
+  for (size_t i = 0; i < 31; ++i) {
+    EXPECT_EQ(bytes[i], i + 1);
+  }
+  EXPECT_EQ(bytes[31], 0u);
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/nat.cc

@@ -0,0 +1,32 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/nat.h"
+
+#include "util/panic.h"
+
+namespace proofs {
+unsigned digit(char c) {
+  if (c >= '0' && c <= '9') {
+    return c - '0';
+  } else if (c >= 'a' && c <= 'f') {
+    return c - 'a' + 10;
+  } else if (c >= 'A' && c <= 'F') {
+    return c - 'A' + 10;
+  } else {
+    check(false, "malformed numeral in digit()");
+    return 0;  // silence compiler warning
+  }
+}
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/nat.h

@@ -0,0 +1,212 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_NAT_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_NAT_H_
+
+#include <array>
+#include <cctype>
+#include <cstddef>
+#include <cstdint>
+#include <optional>
+
+#include "algebra/limb.h"
+#include "algebra/static_string.h"
+#include "algebra/sysdep.h"
+#include "util/panic.h"
+
+namespace proofs {
+
+// return a^-1 mod 2^L where L is the number of bits in limb_t
+template <class limb_t>
+static limb_t inv_mod_b(limb_t a) {
+  // Let v=1-a.  We have 1/a=1/(1-v)=1+v+v^2+..., or
+  // 1/a=(1+v)(1+v^2)(1+v^4)... At some point v^(2^k) becomes 0 mod
+  // 2^L because v is even.
+
+  // A more complicated variant of this idea appears in Dumas,
+  // J.G. "On Newton–Raphson Iteration for Multiplicative Inverses
+  // Modulo Prime Powers", Algorithm 3, where they use v'=a-1
+  // instead of v=1-a, and so the first term needs to be handled
+  // separately as 2-a instead of 1+v, breaking the uniformity of
+  // the algorithm.  The sign difference disappears after the first
+  // squaring.
+  check((a & 1) != 0, "even A in inv_mod_b()");
+
+  limb_t v = 1u - a;
+  limb_t u = 1u;
+  while (v != 0) {
+    u *= (1u + v);
+    v *= v;
+  }
+  return u;
+}
+
+// This function should only be called on static input known at compile time.
+unsigned digit(char c);
+
+template <size_t W64>
+class Nat : public Limb<W64> {
+ public:
+  using Super = Limb<W64>;
+  using T = Nat<W64>;
+  using limb_t = typename Super::limb_t;
+  using Super::kLimbs;
+  using Super::kU64;
+  using Super::limb_;
+
+  // Maximum length for an untrusted string, 2^64 ~ 20 decimal digits.
+  static constexpr size_t kMaxStringLen = 20 * W64 + 1;
+
+  Nat() = default;  // uninitialized
+  explicit Nat(uint64_t x) : Super(x) {}
+
+  explicit Nat(const std::array<uint64_t, kU64>& a) : Super(a) {}
+
+  // Pre-condition: the caller of this function must check that the string
+  // s is either a valid base-10 or base-16 representation of a natural number
+  // that does not overflow the representation.
+  // In our current implementation, this method is only used on static strings.
+  explicit Nat(const StaticString& ss) : Super(0) {
+    limb_t base = 10u;
+    const char* s = ss.as_pointer;
+    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
+      s += 2;
+      base = 16u;
+    }
+    for (; *s; s++) {
+      T d(digit(*s));
+      bool ok = muls(limb_, base);
+      check(ok, "overflow in nat(const char *s)");
+      limb_t ah = add_limb(kLimbs, limb_, d.limb_);
+      check(ah == 0, "overflow in nat(const char *s)");
+    }
+  }
+
+  template <size_t LEN>
+  explicit Nat(const char (&p)[LEN]) : Nat(StaticString(p)) {}
+
+  // Interpret A[] as a little-endian nat
+  static T of_bytes(const uint8_t a[/* kBytes */]) {
+    T r;
+    for (size_t i = 0; i < kLimbs; ++i) {
+      a = Super::of_bytes(&r.limb_[i], a);
+    }
+    return r;
+  }
+
+  // Interpret A[] as a little-endian nat, masking the top bits to
+  // return a value in the range [0, 2^nbits - 1].
+  static T of_bytes(const uint8_t a[], size_t nbits) {
+    T r;
+    for (size_t i = 0; i < kLimbs; ++i) {
+      a = Super::of_bytes(&r.limb_[i], a);
+      if (nbits >= Super::kBitsPerLimb) {
+        nbits -= Super::kBitsPerLimb;
+      } else {
+        r.limb_[i] &= (limb_t{1} << nbits) - 1;
+        nbits = 0;
+      }
+    }
+    return r;
+  }
+
+  static std::optional<unsigned> safe_digit(char c, limb_t base) {
+    c = tolower(c);
+    if (c >= '0' && c <= '9') {
+      return c - '0';
+    } else if (base == 16u && c >= 'a' && c <= 'f') {
+      return c - 'a' + 10;
+    }
+    return std::nullopt;
+  }
+
+  static std::optional<T> of_untrusted_string(const char* s) {
+    T r(0);
+    limb_t base = 10u;
+    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
+      s += 2;
+      base = 16u;
+    }
+    const char* p = s;
+    for (size_t len = 0; len < kMaxStringLen && *p; ++len, ++p) {
+      auto d = safe_digit(*p, base);
+      if (!d.has_value()) {
+        return std::nullopt;
+      }
+      T td(d.value());
+      if (!muls(r.limb_, base)) {
+        return std::nullopt;
+      }
+      limb_t ah = add_limb(kLimbs, r.limb_, td.limb_);
+      if (ah != 0) {
+        return std::nullopt;
+      }
+    }
+    // If the loop terminates due to the length limit, then the string is not
+    // a valid base-10 or base-16 representation of a natural number.
+    if (*p) {
+      return std::nullopt;
+    }
+    return r;
+  }
+
+  bool operator<(const T& y) const {
+    T b = *this;
+    limb_t bh = sub_limb(kLimbs, b.limb_, y.limb_);
+    return (bh != 0);
+  }
+
+  T& add(const T& y) {
+    (void)add_limb(kLimbs, limb_, y.limb_);
+    return *this;
+  }
+  T& sub(const T& y) {
+    (void)sub_limb(kLimbs, limb_, y.limb_);
+    return *this;
+  }
+
+  // *this += x * y
+  template <size_t WX, size_t WY>
+  T& mac(const Nat<WX>& x, const Nat<WY>& y) {
+    constexpr size_t kLimbsX = Nat<WX>::kLimbs;
+    constexpr size_t kLimbsY = Nat<WY>::kLimbs;
+    static_assert(kLimbs >= kLimbsX + kLimbsY);
+    if (WX > WY) {
+      return mac(y, x);
+    } else {
+      // WX <= WY, outer loop on WX
+      for (size_t i = 0; i < kLimbsX; ++i) {
+        limb_t l[kLimbsY], h[kLimbsY];
+        mulhl(kLimbsY, l, h, x.limb_[i], y.limb_);
+        accum(kLimbs - i, limb_ + i, kLimbsY, l);
+        accum(kLimbs - i - 1, limb_ + i + 1, kLimbsY, h);
+      }
+      return *this;
+    }
+  }
+
+ private:
+  // b *= a, returns false if overflow occurred.
+  static bool muls(limb_t b[kLimbs], limb_t a) {
+    limb_t h[kLimbs];
+    mulhl(kLimbs, b, h, a, b);
+    limb_t bh = addh(kLimbs, b, h);
+    return bh == 0;
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_NAT_H_