longfellow 0.1.0

data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc

@@ -0,0 +1,138 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/nussbaumer.h"
+
+#include <stddef.h>
+
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+using Field = Fp<4>;
+using Elt = Field::Elt;
+
+static const Field F(
+    "21888242871839275222246405745257275088548364400416034343698204186575808495"
+    "617");
+
+static void ref_negacyclic(size_t n, Elt z[/*n*/], const Elt x[/*n*/],
+                           const Elt y[/*n*/]) {
+  for (size_t k = 0; k < n; ++k) {
+    Elt s = F.zero();
+    for (size_t j = 0; j <= k; ++j) {
+      F.add(s, F.mulf(x[j], y[k - j]));
+    }
+    for (size_t j = k + 1; j < n; ++j) {
+      F.sub(s, F.mulf(x[j], y[n + k - j]));
+    }
+    z[k] = s;
+  }
+}
+
+static void ref_linear(size_t n, Elt z[/*2*n*/], const Elt x[/*n*/],
+                       const Elt y[/*n*/]) {
+  // Really k<2*n-1, but we round up for consistency.  z[2*n-1] is
+  // set to 0.
+  for (size_t k = 0; k < 2 * n; ++k) {
+    Elt s = F.zero();
+    for (size_t j = 0; j <= k; ++j) {
+      if (j < n && (k - j) < n) {
+        F.add(s, F.mulf(x[j], y[k - j]));
+      }
+    }
+    z[k] = s;
+  }
+}
+
+// "middle-product" variant z[k] = sum_j x[n+k-j]*y[j]
+static void ref_middle(size_t n, Elt z[/*n*/], const Elt x[/*2*n*/],
+                       const Elt y[/*n*/]) {
+  for (size_t k = 0; k < n; ++k) {
+    Elt s = F.zero();
+    for (size_t j = 0; j < n; ++j) {
+      F.add(s, F.mulf(x[n + k - j], y[j]));
+    }
+    z[k] = s;
+  }
+}
+
+constexpr size_t max_n = 1u << 12;
+
+TEST(Nussbaumer, NegaCyclic) {
+  Bogorng<Field> rng(&F);
+
+  for (size_t n = 1; n < max_n; n *= 2) {
+    std::vector<Elt> x(n);
+    std::vector<Elt> y(n);
+    std::vector<Elt> z(n);
+    std::vector<Elt> zr(n);
+    for (size_t i = 0; i < n; ++i) {
+      x[i] = rng.next();
+      y[i] = rng.next();
+    }
+    Nussbaumer<Field>::negacyclic(n, z.data(), x.data(), y.data(), F);
+    ref_negacyclic(n, zr.data(), x.data(), y.data());
+    for (size_t i = 0; i < n; ++i) {
+      EXPECT_EQ(z[i], zr[i]);
+    }
+  }
+}
+
+TEST(Nussbaumer, Linear) {
+  Bogorng<Field> rng(&F);
+  for (size_t n = 1; n < max_n; n *= 2) {
+    std::vector<Elt> x(n);
+    std::vector<Elt> y(n);
+    std::vector<Elt> z(2 * n);
+    std::vector<Elt> zr(2 * n);
+    for (size_t i = 0; i < n; ++i) {
+      x[i] = rng.next();
+      y[i] = rng.next();
+    }
+    ref_linear(n, zr.data(), x.data(), y.data());
+    Nussbaumer<Field>::linear(n, z.data(), x.data(), y.data(), F);
+    for (size_t i = 0; i < 2 * n; ++i) {
+      EXPECT_EQ(z[i], zr[i]);
+    }
+  }
+}
+
+TEST(Nussbaumer, Middle) {
+  Bogorng<Field> rng(&F);
+  for (size_t n = 1; n < max_n; n *= 2) {
+    std::vector<Elt> x(2 * n);
+    std::vector<Elt> y(n);
+    std::vector<Elt> z(n);
+    std::vector<Elt> zr(n);
+    for (size_t i = 0; i < n; ++i) {
+      x[i] = rng.next();
+      x[i + n] = rng.next();
+      y[i] = rng.next();
+    }
+    ref_middle(n, zr.data(), x.data(), y.data());
+    Nussbaumer<Field>::middle(n, z.data(), x.data(), y.data(), F);
+    for (size_t i = 0; i < n; ++i) {
+      EXPECT_EQ(z[i], zr[i]);
+    }
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc

@@ -0,0 +1,139 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stddef.h>
+
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "algebra/fp2.h"
+#include "algebra/nussbaumer.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+using Field0 = Fp<1>;
+// 2^61-1
+static const Field0 F0("2305843009213693951");
+
+using Field = Fp2<Field0>;
+using Elt = Field::Elt;
+static const Field F(F0);
+
+static void ref_negacyclic(size_t n, Elt z[/*n*/], const Elt x[/*n*/],
+                           const Elt y[/*n*/]) {
+  for (size_t k = 0; k < n; ++k) {
+    Elt s = F.zero();
+    for (size_t j = 0; j <= k; ++j) {
+      F.add(s, F.mulf(x[j], y[k - j]));
+    }
+    for (size_t j = k + 1; j < n; ++j) {
+      F.sub(s, F.mulf(x[j], y[n + k - j]));
+    }
+    z[k] = s;
+  }
+}
+
+static void ref_linear(size_t n, Elt z[/*2*n*/], const Elt x[/*n*/],
+                       const Elt y[/*n*/]) {
+  // Really k<2*n-1, but we round up for consistency.  z[2*n-1] is
+  // set to 0.
+  for (size_t k = 0; k < 2 * n; ++k) {
+    Elt s = F.zero();
+    for (size_t j = 0; j <= k; ++j) {
+      if (j < n && (k - j) < n) {
+        F.add(s, F.mulf(x[j], y[k - j]));
+      }
+    }
+    z[k] = s;
+  }
+}
+
+// "middle-product" variant z[k] = sum_j x[n+k-j]*y[j]
+static void ref_middle(size_t n, Elt z[/*n*/], const Elt x[/*2*n*/],
+                       const Elt y[/*n*/]) {
+  for (size_t k = 0; k < n; ++k) {
+    Elt s = F.zero();
+    for (size_t j = 0; j < n; ++j) {
+      F.add(s, F.mulf(x[n + k - j], y[j]));
+    }
+    z[k] = s;
+  }
+}
+
+constexpr size_t max_n = 1u << 12;
+
+TEST(Nussbaumer, NegaCyclic) {
+  Bogorng<Field> rng(&F);
+
+  for (size_t n = 1; n < max_n; n *= 2) {
+    std::vector<Elt> x(n);
+    std::vector<Elt> y(n);
+    std::vector<Elt> z(n);
+    std::vector<Elt> zr(n);
+    for (size_t i = 0; i < n; ++i) {
+      x[i] = rng.next();
+      y[i] = rng.next();
+    }
+    Nussbaumer<Field>::negacyclic(n, z.data(), x.data(), y.data(), F);
+    ref_negacyclic(n, zr.data(), x.data(), y.data());
+    for (size_t i = 0; i < n; ++i) {
+      EXPECT_EQ(z[i], zr[i]);
+    }
+  }
+}
+
+TEST(Nussbaumer, Linear) {
+  Bogorng<Field> rng(&F);
+  for (size_t n = 1; n < max_n; n *= 2) {
+    std::vector<Elt> x(n);
+    std::vector<Elt> y(n);
+    std::vector<Elt> z(2 * n);
+    std::vector<Elt> zr(2 * n);
+    for (size_t i = 0; i < n; ++i) {
+      x[i] = rng.next();
+      y[i] = rng.next();
+    }
+    ref_linear(n, zr.data(), x.data(), y.data());
+    Nussbaumer<Field>::linear(n, z.data(), x.data(), y.data(), F);
+    for (size_t i = 0; i < 2 * n; ++i) {
+      EXPECT_EQ(z[i], zr[i]);
+    }
+  }
+}
+
+TEST(Nussbaumer, Middle) {
+  Bogorng<Field> rng(&F);
+  for (size_t n = 1; n < max_n; n *= 2) {
+    std::vector<Elt> x(2 * n);
+    std::vector<Elt> y(n);
+    std::vector<Elt> z(n);
+    std::vector<Elt> zr(n);
+    for (size_t i = 0; i < n; ++i) {
+      x[i] = rng.next();
+      x[i + n] = rng.next();
+      y[i] = rng.next();
+    }
+    ref_middle(n, zr.data(), x.data(), y.data());
+    Nussbaumer<Field>::middle(n, z.data(), x.data(), y.data(), F);
+    for (size_t i = 0; i < n; ++i) {
+      EXPECT_EQ(z[i], zr[i]);
+    }
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/permutations.h

@@ -0,0 +1,79 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_PERMUTATIONS_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_PERMUTATIONS_H_
+
+#include <stddef.h>
+
+#include <utility>
+
+namespace proofs {
+
+template <class Elt>
+class Permutations {
+ public:
+  static void bitrev(Elt A[/*n*/], size_t n) {
+    size_t revi = 0;
+    for (size_t i = 0; i < n - 1; ++i) {
+      if (i < revi) {
+        std::swap(A[i], A[revi]);
+      }
+
+      bitrev_increment(&revi, n);
+    }
+  }
+
+  /* X[i] = X[(i+shift) mod N] */
+  /* We now use the notation X{N} to denote that X consists of N
+     elements.  We have X = [A{SHIFT} B{N-SHIFT}].  We want
+     X' = [B A] = rev[rev(A) rev(B)], where rev(A) reverses
+     array A in-place.
+  */
+  static void rotate(Elt* x, size_t n, size_t shift) {
+    if (shift > 0) {
+      reverse(x, 0, shift);
+      reverse(x, shift, n);
+      reverse(x, 0, n);
+    }
+  }
+
+  static void unrotate(Elt* x, size_t n, size_t shift) {
+    if (shift > 0) {
+      reverse(x, 0, n);
+      reverse(x, shift, n);
+      reverse(x, 0, shift);
+    }
+  }
+
+ private:
+  static void bitrev_increment(size_t* j, size_t bit) {
+    do {
+      bit >>= 1;
+      *j ^= bit;
+    } while (!(*j & bit));
+  }
+
+  // reverse x[i,j)
+  static void reverse(Elt* x, size_t i, size_t j) {
+    while (i + 1 < j) {
+      --j;
+      std::swap(x[i], x[j]);
+      i++;
+    }
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_PERMUTATIONS_H_

data/vendor/longfellow-zk/lib/algebra/poly.h

@@ -0,0 +1,240 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_POLY_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_POLY_H_
+
+#include <cstddef>
+
+namespace proofs {
+
+// This file defines templates for fixed-size N-tuples of field elements that
+// can be interpreted as polynomial coefficients and/or values and/or Newton
+// expansion. These polynomials handle the main operations of the sumcheck
+// protocol.
+
+// The Poly template represents a full polynomial stored as N evaluation points.
+// It supports interpolation at an arbitrary point in the Field.
+template <size_t N, class Field>
+class Poly {
+ public:
+  static const size_t kN = N;
+  using Elt = typename Field::Elt;
+  using T = Poly;
+
+  // the N-tuple itself
+  Elt t_[N];
+
+  Elt& operator[](size_t i) { return t_[i]; }
+  const Elt& operator[](size_t i) const { return t_[i]; }
+
+  T& add(const T& y, const Field& F) {
+    for (size_t i = 0; i < N; ++i) {
+      F.add(t_[i], y[i]);
+    }
+    return *this;
+  }
+  T& sub(const T& y, const Field& F) {
+    for (size_t i = 0; i < N; ++i) {
+      F.sub(t_[i], y[i]);
+    }
+    return *this;
+  }
+  T& mul(const T& y, const Field& F) {
+    for (size_t i = 0; i < N; ++i) {
+      F.mul(t_[i], y[i]);
+    }
+    return *this;
+  }
+  T& mul_scalar(const Elt& y, const Field& F) {
+    for (size_t i = 0; i < N; ++i) {
+      F.mul(t_[i], y);
+    }
+    return *this;
+  }
+
+  static T extend(const Poly<2, Field>& f, const Field& F) {
+    T g;
+    g[0] = f[0];
+    g[1] = f[1];
+    Elt df = F.subf(f[1], f[0]);
+
+    if (Field::kCharacteristicTwo) {
+      // Assume poly_evaluation_point[0] = 0, poly_evaluation_point[1] = 1,
+      // and the rest are arbitrary.
+      for (size_t i = 2; i < N; ++i) {
+        g[i] = F.addf(g[0], F.mulf(F.poly_evaluation_point(i), df));
+      }
+    } else {
+      // Assume that poly_evaluation_point[] form an arithmetic
+      // progression.
+      for (size_t i = 2; i < N; ++i) {
+        g[i] = F.addf(g[i - 1], df);
+      }
+    }
+
+    return g;
+  }
+
+  // convert Lagrange basis -> Newton forward differences for the
+  // special case of evaluation points 0, 1, 2, ..., N-1.
+  // See interpolation.h for the general case of interpolation.
+  void newton_of_lagrange(const Field& F) {
+    for (size_t i = 1; i < N; i++) {
+      for (size_t k = N; k-- > i;) {
+        F.sub(t_[k], t_[k - 1]);
+        F.mul(t_[k], F.newton_denominator(k, i));
+      }
+    }
+  }
+
+  // Evaluate f(x) for a polynomial in the Newton forward-difference
+  // basis.
+  Elt eval_newton(const Elt& x, const Field& F) const {
+    // Newton interpolation formula
+    Elt e = t_[N - 1];
+    for (size_t i = N - 1; i-- > 0;) {
+      F.mul(e, F.subf(x, F.poly_evaluation_point(i)));
+      F.add(e, t_[i]);
+    }
+
+    return e;
+  }
+
+  Elt eval_lagrange(const Elt& x, const Field& F) const {
+    T tmp(*this);  // do not clobber *this
+    tmp.newton_of_lagrange(F);
+    return tmp.eval_newton(x, F);
+  }
+
+  // Evaluate f(r) given a polynomial in the standard basis
+  // f(x)=t_[i]*x^i.
+  Elt eval_monomial(const Elt& x, const Field& F) const {
+    // Horner's algorithm
+    Elt e = t_[N - 1];
+    for (size_t i = N - 1; i-- > 0;) {
+      F.mul(e, x);
+      F.add(e, t_[i]);
+    }
+    return e;
+  }
+
+  // Interpolation via explicit dot product.
+  //
+  // The combination P.newton_of_lagrange().eval_newton(..., R, ...)
+  // evaluates P at R given the Lagrange basis [P(0), P(1), ..., P(N-1)].
+  //
+  // On the contrary, this class computes a V(R) such that P(R) =
+  // dot(V(R), [P(0), P(1), ..., P(N-1)]) and the caller computes the
+  // inner product, either explicitly or via an inner-product
+  // argument.  The construction is pure linear algebra: express the
+  // Lagrange basis P = [P(0), P(1), ..., P(N-1)]^T as I * P where I
+  // is the identity matrix, and interpolate the rows of I
+  // via newton_of_lagrange().eval_newton().  Since newton_of_lagrange()
+  // is O(N^2) and eval_newton() is O(N), pre-compute the eval_newton()
+  // of all rows.
+  class dot_interpolation {
+    // identity_[k] contains the Newton basis of the polynomial P(x) such
+    // that P(k) = 1 and P(i) = 0 for i != k and 0 <= i < N.
+    T identity_[N];
+
+   public:
+    explicit dot_interpolation(const Field& F) {
+      for (size_t k = 0; k < N; ++k) {
+        for (size_t i = 0; i < N; ++i) {
+          identity_[k][i] = (i == k) ? F.one() : F.zero();
+        }
+        identity_[k].newton_of_lagrange(F);
+      }
+    }
+
+    // return V such that P(r) = V^T [P(0), P(1), ..., P(N-1)]
+    T coef(const Elt& x, const Field& F) const {
+      T c;
+      for (size_t k = 0; k < N; ++k) {
+        c[k] = identity_[k].eval_newton(x, F);
+      }
+      return c;
+    }
+  };
+};
+
+// In SumcheckPoly, the p(1) is not computed in the add, sub, mul, mul_scalar
+// methods because it is implied by context. This optimization is used in the
+// inner-loop of the sumcheck prover. A convenience method is provided to
+// convert to a Poly object for use outside the inner-loop.
+template <size_t N, class Field>
+class SumcheckPoly {
+ public:
+  static const size_t kN = N;
+  using Elt = typename Field::Elt;
+  using T = SumcheckPoly;
+
+  // the N-tuple itself
+  Elt t_[N];
+
+  SumcheckPoly() = default;
+
+  explicit SumcheckPoly(const Poly<N, Field>& p) {
+    for (size_t i = 0; i < N; ++i) {
+      t_[i] = p[i];
+    }
+  }
+
+  Elt& operator[](size_t i) { return t_[i]; }
+  const Elt& operator[](size_t i) const { return t_[i]; }
+
+  T& add(const T& y, const Field& F) {
+    F.add(t_[0], y[0]);
+    for (size_t i = 2; i < N; ++i) {
+      F.add(t_[i], y[i]);
+    }
+    return *this;
+  }
+  T& sub(const T& y, const Field& F) {
+    F.sub(t_[0], y[0]);
+    for (size_t i = 2; i < N; ++i) {
+      F.sub(t_[i], y[i]);
+    }
+    return *this;
+  }
+  T& mul(const T& y, const Field& F) {
+    F.mul(t_[0], y[0]);
+    for (size_t i = 2; i < N; ++i) {
+      F.mul(t_[i], y[i]);
+    }
+    return *this;
+  }
+  T& mul_scalar(const Elt& y, const Field& F) {
+    F.mul(t_[0], y);
+    for (size_t i = 2; i < N; ++i) {
+      F.mul(t_[i], y);
+    }
+    return *this;
+  }
+
+  // Convert to a Poly object by providing the p(1) explicitly.
+  Poly<N, Field> to_poly(const Elt& p1) const {
+    Poly<N, Field> p;
+    for (size_t i = 0; i < N; ++i) {
+      p[i] = t_[i];
+    }
+    p[1] = p1;
+    return p;
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_POLY_H_