longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h

@@ -0,0 +1,201 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_ECDSA_VERIFY_WITNESS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_ECDSA_VERIFY_WITNESS_H_
+
+#include <cstddef>
+
+#include "algebra/utility.h"
+#include "arrays/dense.h"
+#include "util/panic.h"
+
+/*
+Methods to help prepare witnesses for use in assertions about ecdsa.
+*/
+namespace proofs {
+
+template <class EC, class ScalarField>
+class VerifyWitness3 {
+  using Field = typename EC::Field;
+  using Elt = typename Field::Elt;
+  using Nat = typename Field::N;
+  using Point = typename EC::ECPoint;
+  using Scalar = typename ScalarField::Elt;
+
+ public:
+  constexpr static size_t kBits = EC::kBits;
+  const ScalarField& fn_;
+  const EC& ec_;
+  Elt rx_, ry_;
+  Elt rx_inv_;
+  Elt s_inv_;
+  Elt pk_inv_;
+  Elt pre_[8];
+  Elt bi_[kBits];
+  Elt int_x_[kBits];   /* Intermediate x,y elliptic curve points */
+  Elt int_y_[kBits];   /* encountered during the scalar mult loop. */
+  Elt int_z_[kBits];   /* z-coordinate of the intermediate points */
+
+  VerifyWitness3(const ScalarField& Fn, const EC& ec) : fn_(Fn), ec_(ec) {}
+
+  void fill_witness(DenseFiller<Field>& filler) const {
+    filler.push_back(rx_);
+    filler.push_back(ry_);
+    filler.push_back(rx_inv_);
+    filler.push_back(s_inv_);
+    filler.push_back(pk_inv_);
+    for (size_t i = 0; i < 8; ++i) {
+      filler.push_back(pre_[i]);
+    }
+    for (size_t i = 0; i < kBits; ++i) {
+      filler.push_back(bi_[i]);
+      if (i < kBits - 1) {
+        filler.push_back(int_x_[i]);
+        filler.push_back(int_y_[i]);
+        filler.push_back(int_z_[i]);
+      }
+    }
+  }
+
+  // Produces witnesses to support the verification of the equation
+  //     id = g*e + pk*r + (rx,ry)*-s
+  // Note that the same rx is interpreted in scalar field as r.
+  bool compute_witness(const Elt pkX, const Elt pkY, const Nat e, const Nat r,
+                       const Nat s) {
+    const Field& F = ec_.f_;
+    const Scalar _s = fn_.invertf(fn_.to_montgomery(s));
+    const Scalar tms = fn_.negf(fn_.to_montgomery(s));
+
+    // Because Fp does not have a sqrt method, compute ry via the
+    // elliptic curve point g*(e/s) + pk*(r/s).
+    auto te_s = fn_.mulf(fn_.to_montgomery(e), _s);
+    auto tr_s = fn_.mulf(fn_.to_montgomery(r), _s);
+    const Nat nes = fn_.from_montgomery(te_s);
+    const Nat nrs = fn_.from_montgomery(tr_s);
+    Point bases[] = {ec_.generator(), Point(pkX, pkY, F.one())};
+    Nat scalars[] = {nes, nrs};
+    auto pr = ec_.scalar_multf(2, bases, scalars);
+    ec_.normalize(pr);
+
+    rx_ = F.to_montgomery(r);
+    ry_ = pr.y;
+
+    // In the case of a malicious input with rx=0 or s=0, the proof will fail.
+    if (rx_ != F.zero()) {
+      rx_inv_ = F.invertf(rx_);
+      check(F.mulf(rx_, rx_inv_) == F.one(), "bad inv");
+    }
+
+    s_inv_ = F.to_montgomery(fn_.from_montgomery(tms));
+    if (s_inv_ != F.zero()) {
+      F.invert(s_inv_);
+    }
+
+    if (pkX != F.zero()) {
+      pk_inv_ = F.invertf(pkX);
+    }
+
+    const Nat nms = fn_.from_montgomery(tms);   /* -s */
+
+    // Produce the table of pre-computed g,r,pk sums.
+    const Elt one = F.one(), gX = ec_.gx_, gY = ec_.gy_;
+    const Elt lh[] = {gX, gY, gX, gY, pkX, pkY};
+    const Elt rh[] = {pkX, pkY, rx_, ry_, rx_, ry_};
+    Elt zi;
+    for (size_t i = 0; i < 3; ++i) {
+      ec_.addE(pre_[2 * i], pre_[2 * i + 1], zi,
+               lh[2 * i], lh[2 * i + 1], one,
+               rh[2 * i], rh[2 * i + 1], one);
+
+      // This invert cannot fail because both the generator and pk are
+      // trusted inputs, so the above addition is not the identity.
+      // In the case that it is, the proof will fail (and it should, since
+      // the system is unsound with sk=-1).
+      if (zi != F.zero()) {
+        F.invert(zi);
+      }
+      F.mul(pre_[2 * i], zi);
+      F.mul(pre_[2 * i + 1], zi);
+    }
+    // rgpk
+    ec_.addE(pre_[6], pre_[7], zi, pre_[2], pre_[3], one, pkX, pkY, one);
+    if (zi != F.zero()) {
+      F.invert(zi);
+    }
+    F.mul(pre_[6], zi);
+    F.mul(pre_[7], zi);
+
+    Elt aX = F.zero(), aY = one, aZ = F.zero();
+
+    // Compute b[], and intermediate points, encode b as:
+    //  1:g  2:pk  3: gpk  4: r  5: r+g  6: r+pk  7:g+r+pk
+    // Elt int_z[kBits];
+    size_t b[kBits];
+    // bool early_zero = false;   /* indicates if any intermediate z is zero */
+    for (size_t i = 0; i < kBits; ++i) {
+      b[i] = e.bit(kBits - i - 1) + 2 * r.bit(kBits - i - 1) +
+             4 * nms.bit(kBits - i - 1);
+
+      // Manually compute standard (-n...n representation).
+      bi_[i] = F.subf(F.of_scalar(2 * b[i]), F.of_scalar(7));
+
+      if (i > 0) {
+        ec_.doubleE(aX, aY, aZ, aX, aY, aZ);
+      }
+      switch (b[i]) {
+        case 0:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, F.zero(), F.one(), F.zero());
+          break;
+        case 1:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, gX, gY, one);
+          break;
+        case 2:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, pkX, pkY, one);
+          break;
+        case 3:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, pre_[0], pre_[1], one);
+          break;
+        case 4:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, rx_, ry_, one);
+          break;
+        case 5:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, pre_[2], pre_[3], one);
+          break;
+        case 6:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, pre_[4], pre_[5], one);
+          break;
+        case 7:
+          ec_.addE(aX, aY, aZ, aX, aY, aZ, pre_[6], pre_[7], one);
+          break;
+      }
+
+      int_x_[i] = aX;
+      int_y_[i] = aY;
+      int_z_[i] = aZ;
+    }
+
+    if (aX != F.zero()) {
+      return false;
+    }
+    if (aZ != F.zero()) {
+      return false;
+    }
+
+    return true;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_ECDSA_VERIFY_WITNESS_H_

data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h

@@ -0,0 +1,140 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_ADDER_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_ADDER_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <initializer_list>
+#include <vector>
+
+// Circuit element that maps bitvec<N> V to a field element E
+// in such a way that:
+//
+// 1) addition can be performed efficiently, e.g. as field
+//    addition or field multiplication
+// 2) given and E that is the sum of K bitvecs, a simple circuit
+//    asserts that E = A mod 2^N
+namespace proofs {
+
+template <class Logic, size_t N, bool kCharacteristicTwo>
+class BitAdderAux;
+
+// Use the additive group in fields with large characteristic
+template <class Logic, size_t N>
+class BitAdderAux<Logic, N, /*kCharacteristicTwo=*/false> {
+ public:
+  using Field = typename Logic::Field;
+  using BitW = typename Logic::BitW;
+  using EltW = typename Logic::EltW;
+  using Elt = typename Field::Elt;
+  using BV = typename Logic::template bitvec<N>;
+  const Logic& l_;
+
+  explicit BitAdderAux(const Logic& l) : l_(l) {}
+
+  EltW as_field_element(const BV& v) const {
+    constexpr uint64_t uno = 1;
+    EltW r = l_.konst(l_.zero());
+    for (size_t i = 0; i < N; ++i) {
+      r = l_.axpy(r, l_.elt(uno << i), l_.eval(v[i]));
+    }
+    return r;
+  }
+
+  EltW add(const EltW& a, const EltW& b) const { return l_.add(a, b); }
+  EltW add(const BV& a, const BV& b) const {
+    return add(as_field_element(a), as_field_element(b));
+  }
+  EltW add(
+      std::initializer_list<typename Logic::template bitvec_view<N>> a) const {
+    return l_.add(0, a.size(), [&](size_t i) {
+      return as_field_element(*(a.begin()[i].ptr));
+    });
+  }
+
+  // assert that B = A + i*2^N for 0 <= i < k
+  void assert_eqmod(const BV& a, const EltW& b, size_t k) const {
+    constexpr uint64_t uno = 1;
+    EltW z = l_.sub(b, as_field_element(a));
+    EltW zz = l_.mul(
+        0, k, [&](size_t i) { return l_.sub(z, l_.konst((uno << N) * i)); });
+    l_.assert0(zz);
+  }
+};
+
+// Use the multiplicative group in GF(2^k)
+template <class Logic, size_t N>
+class BitAdderAux<Logic, N, /*kCharacteristicTwo=*/true> {
+ public:
+  using Field = typename Logic::Field;
+  using BitW = typename Logic::BitW;
+  using EltW = typename Logic::EltW;
+  using Elt = typename Field::Elt;
+  using BV = typename Logic::template bitvec<N>;
+  const Logic& l_;
+
+  explicit BitAdderAux(const Logic& l) : l_(l) {
+    // assume that X is a root of unity of order large enough.
+    Elt alpha = l_.f_.x();
+
+    for (size_t i = 0; i < N; ++i) {
+      alpha_2_i_[i] = alpha;
+      alpha = l_.mulf(alpha, alpha);
+    }
+    alpha_2_n_ = alpha;
+  }
+
+  EltW as_field_element(const BV& v) const {
+    return l_.mul(0, N, [&](size_t i) {
+      return l_.mux(v[i], l_.konst(alpha_2_i_[i]), l_.konst(l_.one()));
+    });
+  }
+
+  EltW add(const EltW& a, const EltW& b) const { return l_.mul(a, b); }
+  EltW add(const BV& a, const BV& b) const {
+    return add(as_field_element(a), as_field_element(b));
+  }
+  EltW add(
+      std::initializer_list<typename Logic::template bitvec_view<N>> a) const {
+    return l_.mul(0, a.size(), [&](size_t i) {
+      return as_field_element(*(a.begin()[i].ptr));
+    });
+  }
+
+  // assert that B = A + alpha^(i*2^N) for 0 <= i < k
+  void assert_eqmod(const BV& a, const EltW& b, size_t k) const {
+    std::vector<Elt> p(k);
+    p[0] = l_.f_.one();
+    for (size_t i = 1; i < k; ++i) {
+      p[i] = l_.f_.mulf(alpha_2_n_, p[i - 1]);
+    }
+    EltW aa = as_field_element(a);
+    EltW prod = l_.mul(
+        0, k, [&](size_t i) { return l_.sub(b, l_.mul(l_.konst(p[i]), aa)); });
+    l_.assert0(prod);
+  }
+
+ private:
+  Elt alpha_2_i_[N + 1];
+  Elt alpha_2_n_;
+};
+
+template <class Logic, size_t N>
+using BitAdder = BitAdderAux<Logic, N, Logic::Field::kCharacteristicTwo>;
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_ADDER_H_

data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc

@@ -0,0 +1,64 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/logic/bit_adder.h"
+
+#include <stddef.h>
+
+
+#include "algebra/fp_p128.h"
+#include "circuits/logic/evaluation_backend.h"
+#include "circuits/logic/logic.h"
+#include "gf2k/gf2_128.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <class Field>
+void test_bit_adder() {
+  constexpr size_t w = 4;
+  constexpr size_t mask = (1 << w) - 1;
+  const Field F;
+
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+  using BV = typename Logic::template bitvec<w>;
+  for (size_t a = 0; a < (1 << w); ++a) {
+    for (size_t b = 0; b < (1 << w); ++b) {
+      for (size_t c = 0; c < (1 << w); ++c) {
+        for (size_t s = 0; s < (1 << w); ++s) {
+          const EvalBackend ebk(F, /* panic_on_assertion_failure=*/false);
+          const Logic L(&ebk, F);
+          BV ea = L.template vbit<w>(a);
+          BV eb = L.template vbit<w>(b);
+          BV ec = L.template vbit<w>(c);
+          BV es = L.template vbit<w>(s);
+
+          BitAdder<Logic, w> BA(L);
+          BA.assert_eqmod(es, BA.add({ea, eb, ec}), 3);
+          EXPECT_EQ(ebk.assertion_failed(), (((a + b + c) ^ s) & mask) != 0);
+        }
+      }
+    }
+  }
+}
+
+TEST(BitAdder, Fields) {
+  test_bit_adder<GF2_128<>>();
+  test_bit_adder<Fp128<>>();
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h

@@ -0,0 +1,247 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_H_
+
+#include <stddef.h>
+
+#include <array>
+#include <vector>
+
+#include "algebra/interpolation.h"
+#include "algebra/poly.h"
+#include "circuits/logic/bit_plucker_constants.h"
+#include "circuits/logic/polynomial.h"
+
+namespace proofs {
+/*
+
+Many circuits we design require bit inputs in {0,1} when the field F takes 128+
+bits to represent. Each input to a circuit is an element in F, and must either
+be sent to the verifier or committed, and thus sending several single-bit
+inputs represents an overhead.
+
+A bit-plucker is a circuit component that maps a set
+S \subset F of size 2^k into k wires, b_0, ..., b_k-1, that are each in {0,1}.
+Thus, it can reduce the number of inputs that a predicate circuit requires, and
+thus makes the proof smaller or more efficient to compute or verify.
+
+The optimal bit-plucker for k bits depends on k.  For small k, the simplest
+bit plucker is sufficient. In some cases, bit pluckers can exploit the field
+structure.
+
+[ RUN      ] BitPlucker.PluckSize
+pluck[1]: depth: 3 wires: 6 in: 2 out:2 use:4 ovh:2 t:6 cse:0 notn:9
+pluck[2]: depth: 4 wires: 14 in: 2 out:4 use:9 ovh:5 t:18 cse:5
+notn:19
+pluck[3]: depth: 5 wires: 25 in: 2 out:6 use:17 ovh:8 t:38 cse:23
+notn:40
+pluck[4]: depth: 6 wires: 40 in: 2 out:8 use:29 ovh:11 t:74 cse:73
+notn:87
+pluck[5]: depth: 7 wires: 61 in: 2 out:10 use:47 ovh:14 t:144 cse:199
+notn:194
+pluck[6]: depth: 8 wires: 92 in: 2 out:12 use:75 ovh:17 t:288 cse:501
+notn:437
+pluck[7]: depth: 9 wires: 141 in: 2 out:14 use:121 ovh:20 t:594
+cse:1203 notn:984
+pluck[8]: depth: 10 wires: 224 in: 2 out:16 use:201 ovh:23 t:1254
+cse:2801 notn:2203
+
+Our experiments also considered an O(N)-wires, O(N)-terms bit plucker.
+To pluck a LOGN-bit quantity E, write E = N0*E1 + E0 where E0 is a
+LOGN0-bit quantity and where E1 is a LOGN1-bit quantity, and where
+LOGN0 = ceil(LOGN/2), LOGN1 = floor(LOGN/2).  This decomposition
+can be computed by interpolating two Polynomials of length N.  Now
+we are left with plucking two quantities E0, E1, which can be done
+by any subquadratic-time plucker.
+
+A similar idea for the LOGN -> N binary decoder is in Knuth 7.1.2
+Exercise 39.  (A plucker is the moral transpose of the binary
+decoder.)
+
+However, this plucker was dominated by the smaller one for our use case, and
+thus removed from the code here. It can be resurrected from experimental if
+needed.
+
+[ RUN      ] BitPlucker.LargePluckSize
+large_pluck[2] depth: 5 wires: 15 in: 2 out:4 use:9 ovh:6 t:19 cse:9
+notn:27
+large_pluck[3] depth: 7 wires: 31 in: 2 out:5 use:20 ovh:11 t:43
+cse:19 notn:50
+large_pluck[4] depth: 8 wires: 46 in: 2 out:8 use:33 ovh:13 t:70
+cse:33 notn:89
+large_pluck[5] depth: 10 wires: 79 in: 2 out:8 use:60 ovh:19 t:128
+cse:68 notn:164
+large_pluck[6] depth: 11 wires: 119 in: 2 out:12 use:99 ovh:20 t:209
+cse:119 notn:299
+large_pluck[7] depth: 13 wires: 206 in: 2 out:11 use:179 ovh:27 t:381
+cse:234 notn:567
+large_pluck[8] depth: 14 wires: 344 in: 2 out:16 use:317 ovh:27 t:668
+cse:413 notn:1065
+large_pluck[9] depth: 16 wires: 631 in: 2 out:14 use:596 ovh:35 t:1260
+cse:796 notn:2064
+large_pluck[10] depth: 17 wires: 1157 in: 2 out:20 use:1123 ovh:34
+t:2347 cse:1435 notn:3967
+large_pluck[11] depth: 19 wires: 2224 in: 2 out:17 use:2181 ovh:43
+t:4551 cse:2762 notn:7789
+large_pluck[12] depth: 20 wires: 4294 in: 2 out:24 use:4253 ovh:41
+t:8782 cse:5113 notn:15205
+
+*/
+template <class Logic, size_t LOGN>
+class BitPlucker {
+ public:
+  static constexpr size_t kN = 1 << LOGN;
+  static constexpr size_t kNv32Elts = (32u + LOGN - 1u) / LOGN;
+  static constexpr size_t kNv256Elts = (256u + LOGN - 1u) / LOGN;
+  static constexpr size_t kNv128Elts = (128u + LOGN - 1u) / LOGN;
+  using Field = typename Logic::Field;
+  using BitW = typename Logic::BitW;
+  using EltW = typename Logic::EltW;
+  using Elt = typename Field::Elt;
+  using PolyN = Poly<kN, Field>;
+  using InterpolationN = Interpolation<kN, Field>;
+  using v32 = typename Logic::v32;
+  using v256 = typename Logic::v256;
+  using packed_v32 = std::array<EltW, kNv32Elts>;
+  using packed_v128 = std::array<EltW, kNv128Elts>;
+  using packed_v256 = std::array<EltW, kNv256Elts>;
+
+  const Logic& l_;
+  std::vector<PolyN> plucker_;
+
+  explicit BitPlucker(const Logic& l) : l_(l), plucker_(LOGN) {
+    // evaluation points
+    PolyN X;
+    for (size_t i = 0; i < kN; ++i) {
+      X[i] = bit_plucker_point<Field, kN>()(i, l_.f_);
+    }
+    for (size_t k = 0; k < LOGN; ++k) {
+      PolyN Y;
+      for (size_t i = 0; i < kN; ++i) {
+        Y[i] = l_.f_.of_scalar((i >> k) & 1);
+      }
+      plucker_[k] = InterpolationN::monomial_of_lagrange(Y, X, l_.f_);
+    }
+  }
+
+  typename Logic::template bitvec<LOGN> pluck(const EltW& e) const {
+    typename Logic::template bitvec<LOGN> r;
+    const Logic& L = l_;  // shorthand
+    const Polynomial<Logic> P(L);
+
+    for (size_t k = 0; k < LOGN; ++k) {
+      EltW v = P.eval(plucker_[k], e);
+      L.assert_is_bit(v);
+      r[k] = BitW(v, l_.f_);
+    }
+
+    return r;
+  }
+
+  v32 unpack_v32(const packed_v32& v) const { return unpack<v32>(v); }
+
+  template <typename T, typename PackedT>
+  T unpack(const PackedT& v) const {
+    T r;
+    for (size_t i = 0; i < v.size(); ++i) {
+      auto b = pluck(v[i]);
+      for (size_t j = 0; j < LOGN; ++j) {
+        if (LOGN * i + j < r.size()) {
+          r[LOGN * i + j] = b[j];
+        }
+      }
+    }
+    return r;
+  }
+
+  template <typename T>
+  static T packed_input(const Logic& lc) {
+    T r;
+    for (size_t i = 0; i < r.size(); ++i) {
+      r[i] = lc.eltw_input();
+    }
+    return r;
+  }
+};
+
+/*
+On input Elt ind, and Elt arr[], returns arr[ind].
+This muxer is useful when the same array needs to be muxed multiple times
+with different indices.  It differs from the above classes in that it
+precomputes the coefficient array, which can depend on EltW inputs.
+
+The template parameter N indicates the size of the array.
+The template parameter PP defines the set of points used for the interpolation.
+This value defaults to N, which defines the set of points
+    { -N-1, -N-3, -N-5, ..., N-3, N-1}
+but in some cases, one may want to explicitly specify the set of points.
+*/
+template <class Logic, size_t N, size_t PP = N>
+class EltMuxer {
+  static constexpr size_t kN = N;
+  static constexpr size_t kPP = PP;
+
+ public:
+  using Field = typename Logic::Field;
+  using EltW = typename Logic::EltW;
+  using PolyN = Poly<kN, Field>;
+  using InterpolationN = Interpolation<kN, Field>;
+
+  EltMuxer(const Logic& l, const EltW arr[/* kN */]) : l_(l), coeff_(kN) {
+    for (size_t i = 0; i < kN; ++i) {
+      coeff_[i] = l_.konst(0);
+    }
+    for (size_t i = 0; i < kN; ++i) {
+      PolyN basis_i = even_lagrange_basis(i);
+      for (size_t j = 0; j < kN; ++j) {
+        auto bi = l_.konst(basis_i[j]);
+        auto barr_i = l_.mul(bi, arr[i]);
+        coeff_[j] = l_.add(coeff_[j], barr_i);
+      }
+    }
+  }
+
+  EltW mux(const EltW& ind) const {
+    const Polynomial<Logic> P(l_);
+
+    std::array<EltW, kN> xi;
+    P.powers_of_x(kN, xi.data(), ind);
+
+    // dot product with coefficients
+    EltW r = l_.konst(0);
+    for (size_t i = 0; i < kN; ++i) {
+      auto cxi = l_.mul(coeff_[i], xi[i]);
+      r = l_.add(r, cxi);
+    }
+    return r;
+  }
+
+ private:
+  const Logic& l_;
+  std::vector<EltW> coeff_;
+
+  PolyN even_lagrange_basis(size_t k) {
+    PolyN X, Y;
+    for (size_t i = 0; i < kN; ++i) {
+      X[i] = bit_plucker_point<Field, PP>()(i, l_.f_);
+      Y[i] = l_.f_.of_scalar((i == k));
+    }
+    return InterpolationN::monomial_of_lagrange(Y, X, l_.f_);
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_H_

data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h

@@ -0,0 +1,35 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_CONSTANTS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_CONSTANTS_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+namespace proofs {
+// bit-plucker code common to both compiler-time and
+// wire-fill time
+template <class Field, size_t N>
+struct bit_plucker_point {
+  using Elt = typename Field::Elt;
+
+  // packing of bits compatible with even_lagrange_basis():
+  Elt operator()(uint64_t bits, const Field& F) const {
+    return F.subf(F.of_scalar(2 * bits), F.of_scalar(N - 1));
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_CONSTANTS_H_