longfellow 0.1.0

data/vendor/longfellow-zk/lib/algebra/utility_test.cc

@@ -0,0 +1,86 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/utility.h"
+
+#include <stddef.h>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+using Field = Fp<4>;
+using Elt = typename Field::Elt;
+
+TEST(Utility, BatchInverse) {
+  const Field F(
+      "218882428718392752222464057452572750885483644004160343436982041865758084"
+      "95617");
+  Bogorng<Field> rng(&F);
+
+  constexpr size_t n = 133, da = 3, db = 5;
+  Elt a[n * da], b[n * db];
+  for (size_t i = 0; i < n; ++i) {
+    b[i * db] = rng.nonzero();
+  }
+  AlgebraUtil<Fp<4>>::batch_invert(n, a, da, b, db, F);
+  for (size_t i = 0; i < n; ++i) {
+    EXPECT_EQ(F.mulf(a[i * da], b[i * db]), F.one());
+    EXPECT_EQ(a[i * da], F.invertf(b[i * db]));
+    EXPECT_EQ(b[i * db], F.invertf(a[i * da]));
+  }
+}
+
+//------------------------------------------------------------
+
+// a[i] /= i!, without doing too many inversions
+void scale_inverse_factorial(size_t n, Elt* a, const Field& F) {
+  auto p = F.one();
+  auto fi = F.one();
+  for (size_t i = 1; i < n; ++i) {
+    F.mul(p, fi);
+    F.add(fi, F.one());
+  }
+  // now p=(n-1)!, fi=of_scalar(n)
+
+  F.invert(p);
+  for (size_t i = n; i-- > 1;) {
+    F.mul(a[i], p);
+    F.sub(fi, F.one());
+    F.mul(p, fi);
+  }
+}
+
+TEST(Utility, Factorial) {
+  constexpr size_t n = 37;
+  const Field F(
+      "218882428718392752222464057452572750885483644004160343436982041865758084"
+      "95617");
+  Bogorng<Field> rng(&F);
+
+  Elt A[n], B[n];
+  for (size_t i = 0; i < n; ++i) {
+    A[i] = B[i] = rng.next();
+  }
+  scale_inverse_factorial(n, A, F);
+  for (size_t i = 0; i < n; ++i) {
+    Elt fact = AlgebraUtil<Field>::factorial(i, F);
+    EXPECT_EQ(B[i], F.mulf(A[i], fact));
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/arrays/affine.h

@@ -0,0 +1,56 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ARRAYS_AFFINE_H_
+#define PRIVACY_PROOFS_ZK_LIB_ARRAYS_AFFINE_H_
+
+#include <stddef.h>
+
+namespace proofs {
+
+using corner_t = size_t;
+
+// return r * f0 + (1-r) * f1 = f0 + r * (f1 - f0)
+template <typename Field>
+typename Field::Elt affine_interpolation(const typename Field::Elt& r,
+                                         typename Field::Elt f0,
+                                         typename Field::Elt f1,
+                                         const Field& F) {
+  F.sub(f1, f0);
+  F.mul(f1, r);
+  F.add(f0, f1);
+  return f0;
+}
+
+// special case f0 = 0
+template <typename Field>
+typename Field::Elt affine_interpolation_z_nz(const typename Field::Elt& r,
+                                              typename Field::Elt f1,
+                                              const Field& F) {
+  F.mul(f1, r);
+  return f1;
+}
+
+// special case f1 = 0
+template <typename Field>
+typename Field::Elt affine_interpolation_nz_z(const typename Field::Elt& r,
+                                              typename Field::Elt f0,
+                                              const Field& F) {
+  F.sub(f0, F.mulf(f0, r));
+  return f0;
+}
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ARRAYS_AFFINE_H_

data/vendor/longfellow-zk/lib/arrays/affine_test.cc

@@ -0,0 +1,220 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "arrays/affine.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <memory>
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "arrays/dense.h"
+#include "arrays/sparse.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+using Field = Fp<4>;
+static const Field F(
+    "21888242871839275222246405745257275088548364400416034343698204186575808495"
+    "617");
+using Elt = typename Field::Elt;
+using index_t = Sparse<Field>::index_t;
+
+class RandomSlice {
+ public:
+  std::vector<Elt> r_;
+  explicit RandomSlice(size_t n) : r_(n) {
+    Bogorng<Field> rng(&F);
+    for (size_t i = 0; i < n; ++i) {
+      r_[i] = rng.next();
+    }
+  }
+};
+
+Elt lagrange(corner_t p, size_t logn, const Elt* R) {
+  Elt l = F.one();
+  for (size_t i = 0; i < logn; i++) {
+    if ((p & (corner_t(1) << i)) != 0) {
+      F.mul(l, R[i]);
+    } else {
+      F.mul(l, F.subf(F.one(), R[i]));
+    }
+  }
+  return l;
+}
+
+void one_bind3D(corner_t n0, corner_t n1, corner_t n2, size_t logn0,
+                size_t logn1, size_t logn2) {
+  RandomSlice R0(logn0);
+  RandomSlice R1(logn1);
+  RandomSlice R2(logn2);
+  auto D = Dense<Field>(n0, n2 * n1);
+  auto S = Sparse<Field>(n2 * n1 * n0);
+  Bogorng<Field> rng(&F);
+  Elt s = F.zero();
+  index_t i = 0;
+  for (corner_t p2 = 0; p2 < n2; p2++) {
+    for (corner_t p1 = 0; p1 < n1; p1++) {
+      for (corner_t p0 = 0; p0 < n0; p0++) {
+        Elt v = rng.next();
+        D.v_[p2 * n1 * n0 + p1 * n0 + p0] = v;
+        S.c_[i] = Sparse<Field>::corner{.p0 = p0, .p1 = p1, .p2 = p2, .v = v};
+        i++;
+
+        F.add(s, F.mulf(v, F.mulf(lagrange(p2, logn2, R2.r_.data()),
+                                  F.mulf(lagrange(p1, logn1, R1.r_.data()),
+                                         lagrange(p0, logn0, R0.r_.data())))));
+      }
+    }
+  }
+
+  // evaluate S, D at R via successive binding
+  D.bind_all(logn0, R0.r_.data(), F);
+  S.bind_all(logn0, R0.r_.data(), F);
+  D.reshape(n1);
+  S.reshape();
+
+  D.bind_all(logn1, R1.r_.data(), F);
+  S.bind_all(logn1, R1.r_.data(), F);
+  D.reshape(n2);
+  S.reshape();
+
+  D.bind_all(logn2, R2.r_.data(), F);
+  S.bind_all(logn2, R2.r_.data(), F);
+  EXPECT_EQ(D.scalar(), s);
+  EXPECT_EQ(S.scalar(), s);
+}
+
+void all_bind3D(corner_t n0, corner_t n1, corner_t n2, size_t logn0,
+                size_t logn1, size_t logn2) {
+  one_bind3D(n0, n1, n2, logn0, logn1, logn2);
+  one_bind3D(n1, n2, n0, logn1, logn2, logn0);
+  one_bind3D(n2, n0, n1, logn2, logn0, logn1);
+  one_bind3D(n2, n1, n0, logn2, logn1, logn0);
+  one_bind3D(n1, n0, n2, logn1, logn0, logn2);
+  one_bind3D(n0, n2, n1, logn0, logn2, logn1);
+}
+
+void one_bind(corner_t n, size_t logn) {
+  one_bind3D(1, 1, n, 0, 0, logn);
+  one_bind3D(1, n, 1, 0, logn, 0);
+  one_bind3D(n, 1, 1, logn, 0, 0);
+}
+
+TEST(Affine, Bind) {
+  one_bind(corner_t(666), 10);
+  one_bind(corner_t(1), 9);
+  one_bind(corner_t(255), 9);
+  one_bind(corner_t(256), 9);
+  one_bind(corner_t(257), 9);
+  one_bind(corner_t(467), 9);
+  one_bind(corner_t(512), 9);
+
+  all_bind3D(corner_t(7), corner_t(13), corner_t(19), 3, 4, 5);
+  all_bind3D(corner_t(8), corner_t(16), corner_t(32), 3, 4, 5);
+  all_bind3D(corner_t(8), corner_t(13), corner_t(19), 3, 4, 5);
+  all_bind3D(corner_t(8), corner_t(13), corner_t(32), 3, 4, 5);
+  all_bind3D(corner_t(13), corner_t(13), corner_t(32), 4, 4, 5);
+}
+
+void one_sparse_bind(index_t n, size_t logn) {
+  RandomSlice R(logn);
+  RandomSlice R2(logn);
+  auto S = Sparse<Field>(n);
+  auto D = Dense<Field>(1 << logn, 1);
+  D.clear(F);
+  Bogorng<Field> rng(&F);
+
+  Elt s = F.zero();
+  Elt s2 = F.zero();
+  for (index_t i = 0; i < n; ++i) {
+    corner_t p = corner_t(13 * i);
+    Elt r = rng.next();
+    D.v_[p] = r;
+    S.c_[i] = Sparse<Field>::corner{.p0 = p, .v = r};
+    F.add(s, F.mulf(r, lagrange(p, logn, R.r_.data())));
+    F.add(s2, F.mulf(r, lagrange(p, logn, R2.r_.data())));
+  }
+  auto S1 = S.clone_testing_only();
+  auto SC = S.clone_testing_only();
+  auto DC = D.clone();
+
+  D.bind_all(logn, R.r_.data(), F);
+  S.bind_all(logn, R.r_.data(), F);
+  EXPECT_EQ(D.scalar(), s);
+  EXPECT_EQ(S.scalar(), s);
+
+  DC->bind_all(logn, R.r_.data(), F);
+  SC->bind_all(logn, R.r_.data(), F);
+  EXPECT_EQ(DC->scalar(), s);
+  EXPECT_EQ(SC->scalar(), s);
+}
+
+TEST(Affine, SparseBind) {
+  one_sparse_bind(index_t(666), 10 + 4);
+  one_sparse_bind(index_t(1), 9 + 4);
+  for (size_t i = 200; i < 300; i++) {
+    one_sparse_bind(index_t(i), 9 + 4);
+  }
+  one_sparse_bind(index_t(467), 9 + 4);
+  one_sparse_bind(index_t(512), 9 + 4);
+}
+
+TEST(Affine, Canonicalize) {
+  constexpr corner_t n0 = 31, n1 = 47, n2 = 128;
+  constexpr corner_t d0 = 2, d1 = 5, d2 = 17;
+
+  // array of expected sums
+  uint64_t expected[(n0 + d0 - 1) / d0][(n1 + d1 - 1) / d1]
+                   [(n2 + d2 - 1) / d2] = {};
+
+  // create a n0 x n1 x n2 array in the "wrong" order, with duplicates
+  auto S = Sparse<Field>(n0 * n1 * n2);
+
+  index_t wr = 0;
+  for (corner_t p0 = 0; p0 < n0; p0++) {
+    for (corner_t p1 = 0; p1 < n1; p1++) {
+      for (corner_t p2 = 0; p2 < n2; p2++) {
+        uint64_t v = p0 + 171 * p1 + 333 * p2;
+        expected[p0 / d0][p1 / d1][p2 / d2] += v;
+        S.c_[wr] = Sparse<Field>::corner{.p0 = p0 / d0,
+                                          .p1 = p1 / d1,
+                                          .p2 = p2 / d2,
+                                          .v = F.of_scalar(v)};
+        wr++;
+      }
+    }
+  }
+
+  S.canonicalize(F);
+
+  index_t rd = 0;
+  for (corner_t p2 = 0; p2 < (n2 + d2 - 1) / d2; p2++) {
+    for (corner_t p1 = 0; p1 < (n1 + d1 - 1) / d1; p1++) {
+      for (corner_t p0 = 0; p0 < (n0 + d0 - 1) / d0; p0++) {
+        Sparse<Field>::corner want = {
+            p0, p1, p2, F.of_scalar(expected[p0][p1][p2])};
+        EXPECT_EQ(want, S.c_[rd]);
+        rd++;
+      }
+    }
+  }
+  EXPECT_EQ(S.n_, rd);
+}
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/arrays/dense.h

@@ -0,0 +1,210 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ARRAYS_DENSE_H_
+#define PRIVACY_PROOFS_ZK_LIB_ARRAYS_DENSE_H_
+
+#include <stddef.h>
+#include <string.h>
+
+#include <array>
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "algebra/blas.h"
+#include "algebra/poly.h"
+#include "arrays/affine.h"
+#include "util/panic.h"
+
+namespace proofs {
+// ------------------------------------------------------------
+// Dense representation of multi-affine function, heap-allocated.
+// The caller is responsible for instantiating const Field throughout call
+// duration.
+template <class Field>
+class Dense {
+  using T2 = Poly<2, Field>;
+  using Elt = typename Field::Elt;
+
+ public:
+  corner_t n0_, n1_;
+
+  // Row-major indexing: v_[i1*n0+i0] stores the value at (i0, i1)
+  std::vector<Elt> v_;
+
+  explicit Dense(corner_t n0, corner_t n1) : n0_(n0), n1_(n1), v_(n0 * n1) {}
+
+  // make0 replacement
+  explicit Dense(const Field& F) : n0_(1), n1_(1), v_(1) { v_[0] = F.zero(); }
+
+  // initialize dense array from P[i1*ldp+i0]
+  explicit Dense(corner_t n0, corner_t n1, const Elt p[], size_t ldp)
+      : n0_(n0), n1_(n1), v_(n0 * n1) {
+    for (corner_t i1 = 0; i1 < n1; ++i1) {
+      Blas<Field>::copy(n0, v_[i1 * n0], 1, &p[i1 * ldp], 1);
+    }
+  }
+
+  Dense(const Dense& y) = delete;
+  Dense(const Dense&& y) = delete;
+  Dense operator=(const Dense& y) = delete;
+
+  std::unique_ptr<Dense> clone() const {
+    auto d = std::make_unique<Dense>(n0_, n1_);
+    for (corner_t i = 0; i < n0_ * n1_; ++i) {
+      d->v_[i] = v_[i];
+    }
+    return d;
+  }
+
+  void clear(const Field& F) { Blas<Field>::clear(n0_ * n1_, &v_[0], 1, F); }
+
+  // For a given random number r, the binding operation computes
+  //   this[i] = (1 - r) * in[2 * i] + r * in[2 * i + 1]
+  //           = in[2 * i] + r * (in[2 * i + 1] - in[2 * i])
+  // This method works even in-place, i.e., if &in == this.
+  void bind(const Elt& r, const Dense& in, const Field& F) {
+    const corner_t n0_out = (in.n0_ + 1u) / 2u;
+    check(n1_ == in.n1_, "n1_ == in.n1_");
+    check(n0_ >= n0_out, "n0_ >= n0_out");
+    corner_t rd = 0, wr = 0;
+    for (corner_t i1 = 0; i1 < n1_; ++i1) {
+      corner_t i0 = 0;
+      while (2 * i0 + 1 < in.n0_) {
+        v_[wr] = affine_interpolation(r, in.v_[rd], in.v_[rd + 1], F);
+        i0++, rd += 2, wr += 1;
+      }
+      if (2 * i0 < in.n0_) {
+        v_[wr] = affine_interpolation_nz_z(r, in.v_[rd], F);
+        i0++, rd++, wr++;
+      }
+    }
+    n0_ = n0_out;
+  }
+
+  void bind(const Elt& r, const Field& F) { bind(r, *this, F); }
+
+  void bind_all(size_t logv, const Elt r[/*logv*/], const Field& F) {
+    for (size_t v = 0; v < logv; ++v) {
+      bind(r[v], F);
+    }
+  }
+
+  Elt at(corner_t j) const { return v_[j]; }
+
+  // Scale all elements by x, except for the last element in
+  // the n0_ dimension, which is scaled by x_last.  This "last" quirk
+  // is used by EQ.
+  void scale(const Elt& x, const Elt& x_last, const Field& F) {
+    corner_t ndx = 0;
+    for (corner_t i1 = 0; i1 < n1_; ++i1) {
+      corner_t i0 = 0;
+      for (; i0 + 1 < n0_; ++i0) {
+        F.mul(v_[ndx++], x);
+      }
+      if (i0 < n0_) {
+        F.mul(v_[ndx++], x_last);
+      }
+    }
+  }
+
+  Elt at_corners(corner_t p0, corner_t p1, const Field& F) const {
+    if (p0 < n0_) {
+      return v_[p1 * n0_ + p0];
+    } else {
+      return F.zero();
+    }
+  }
+
+  T2 t2_at_corners(corner_t p0, corner_t p1, const Field& F) const {
+    return T2{at_corners(p0, p1, F), at_corners(p0 + 1, p1, F)};
+  }
+
+  // The precondition for reshaping is that the first dimension must be
+  // fully bound.
+  void reshape(corner_t n0) {
+    check(n0_ == 1, "n0_ == 1");
+    check(n0 > 0, "n0 > 0");
+    corner_t wasn1 = n1_;
+    n0_ = n0;
+    n1_ = n1_ / n0;
+    check(n1_ * n0 == wasn1, "n1_*n0 == wasn1");
+  }
+
+  // This method can only be called after full binding; the caller
+  // is responsible for ensuring that pre-condition.
+  Elt scalar() {
+    check(n0_ == 1, "n0_ == 1");
+    check(n1_ == 1, "n1_ == 1");
+    return v_[0];
+  }
+};
+
+// Helper class to fill a dense array a la std::vector<>
+//
+template <class Field>
+class DenseFiller {
+  using Elt = typename Field::Elt;
+  using CElt = typename Field::CElt;
+
+ public:
+  // Caller must ensure that W remains valid.
+  explicit DenseFiller(Dense<Field>& W) : pos_(0), w_(W) {
+    // only works in this special case
+    check(w_.n0_ == 1, "W_.n0_ == 1");
+  }
+
+  DenseFiller& push_back(const Elt& x) {
+    check(pos_ < w_.n1_, "pos_ < w_.n1_");
+    w_.v_[pos_++] = x;
+    return *this;
+  }
+
+  DenseFiller& push_back(const CElt& x) { return push_back(x.e); }
+
+  template <size_t N>
+  DenseFiller& push_back(const std::array<Elt, N>& a) {
+    for (size_t i = 0; i < N; ++i) {
+      push_back(a[i]);
+    }
+    return *this;
+  }
+
+  DenseFiller& push_back(const std::vector<Elt>& a) {
+    for (size_t i = 0; i < a.size(); ++i) {
+      push_back(a[i]);
+    }
+    return *this;
+  }
+
+  // Push back a bit string derived from a number.  The parameter "bits" is the
+  // number of bits in the string, and "x" is the number to be converted. This
+  // works for pushing v8, v32, etc.
+  DenseFiller& push_back(uint64_t x, size_t bits, const Field& F) {
+    for (size_t i = 0; i < bits; ++i) {
+      push_back(F.of_scalar((x >> i) & 1));
+    }
+    return *this;
+  }
+
+  size_t size() const { return pos_; }
+
+ private:
+  size_t pos_;
+  Dense<Field>& w_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ARRAYS_DENSE_H_

data/vendor/longfellow-zk/lib/arrays/eq.h

@@ -0,0 +1,75 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ARRAYS_EQ_H_
+#define PRIVACY_PROOFS_ZK_LIB_ARRAYS_EQ_H_
+
+#include <stddef.h>
+
+#include "arrays/affine.h"
+
+namespace proofs {
+template <class Field>
+// EQ[i,j] is 2D sparse array EQ[i, j] = (i == j).
+// This class contains a state-free version of EQ, which
+// evaluates EQ[i, j] on the fly.  See Eqs for a stateful
+// version that stores all the values of EQ[I, j] for fixed I
+// and variable j.
+class Eq {
+  using Elt = typename Field::Elt;
+
+ public:
+  /*
+    Bind EQ{logn,n} at I, J.
+
+    We consider the diagonal matrix EQ[i,j] to be composed of
+    N-1 diagonal elements A and one last diagonal element B, i.e.,
+    EQ=diag([A A A A ... B]).  We bind one I variable and one J
+    variable in one step, yielding a matrix of the same form
+    with ceil(n/2) diagonal entries.
+
+    Let I1J1=I[0]*J[0] and I0J0=(1-I[0])*(1-J[0]).
+
+    Binding A is equivalent to binding the 2x2 block [A 0; 0 A],
+    yielding A <- A*(I0J0+I1J1).
+
+    If n is even, then the last 2x2 block is [A 0; 0 B], whose binding
+    yields B <- A*I0J0 + B*I1J1.
+
+    If n is odd, then the last 2x2 block is [B 0; 0 0], whose binding
+    yields B <- B*I0J0.
+  */
+  static Elt eval(size_t logn, corner_t n, const Elt I[/*logn*/],
+                  const Elt J[/*logn*/], const Field& F) {
+    Elt a = F.one(), b = F.one();
+    for (size_t round = 0; round < logn; round++) {
+      Elt i1 = I[round], j1 = J[round];
+      Elt i0 = F.subf(F.one(), i1), j0 = F.subf(F.one(), j1);
+      Elt i0j0 = F.mulf(i0, j0);
+      Elt i1j1 = F.mulf(i1, j1);
+      if ((n & 1) == 0) {
+        F.mul(b, i1j1);
+        F.add(b, F.mulf(a, i0j0));
+      } else {
+        F.mul(b, i0j0);
+      }
+      F.mul(a, F.addf(i0j0, i1j1));
+      n = (n + 1) / 2;
+    }
+    return b;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ARRAYS_EQ_H_