longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h

@@ -0,0 +1,72 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_ENCODER_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_ENCODER_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <array>
+
+#include "circuits/logic/bit_plucker_constants.h"
+
+namespace proofs {
+template <class Field, size_t LOGN>
+class BitPluckerEncoder {
+  const Field& f_;
+
+  using Elt = typename Field::Elt;
+  static constexpr size_t kN = size_t(1) << LOGN;
+  static constexpr size_t kNv32Elts = (32u + LOGN - 1u) / LOGN;
+  static constexpr size_t kNv128Elts = (128u + LOGN - 1u) / LOGN;
+  static constexpr size_t kNv256Elts = (256u + LOGN - 1u) / LOGN;
+
+ public:
+  using packed_v32 = std::array<Elt, kNv32Elts>;
+  using packed_v128 = std::array<Elt, kNv128Elts>;
+  using packed_v256 = std::array<Elt, kNv256Elts>;
+
+  explicit BitPluckerEncoder(const Field& F) : f_(F) {}
+
+  Elt encode(size_t i) const { return bit_plucker_point<Field, kN>()(i, f_); }
+
+  // Special case packer for uint32_t used in sha256.
+  packed_v32 mkpacked_v32(uint32_t j) {
+    packed_v32 r;
+    for (size_t i = 0; i < r.size(); ++i) {
+      r[i] = encode(j & (kN - 1));
+      j >>= LOGN;
+    }
+    return r;
+  }
+
+  template <typename T>
+  T pack(uint8_t bits[/* n bits */], size_t n) {
+    T r;
+    for (size_t i = 0; i < r.size(); ++i) {
+      size_t v = 0;
+      for (size_t j = 0; j < LOGN; ++j) {
+        if (i * LOGN + j < n) {
+          v += (bits[i * LOGN + j] & 0x1) << j;
+        }
+      }
+      r[i] = encode(v);
+    }
+    return r;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_BIT_PLUCKER_ENCODER_H_

data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc

@@ -0,0 +1,183 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/logic/bit_plucker.h"
+
+#include <stddef.h>
+
+#include "algebra/fp.h"
+#include "circuits/compiler/circuit_dump.h"
+#include "circuits/compiler/compiler.h"
+#include "circuits/logic/bit_plucker_constants.h"
+#include "circuits/logic/bit_plucker_encoder.h"
+#include "circuits/logic/compiler_backend.h"
+#include "circuits/logic/evaluation_backend.h"
+#include "circuits/logic/logic.h"
+#include "gf2k/gf2_128.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <size_t LOGN, class Field>
+void test_plucker(const Field& F) {
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+
+  const EvalBackend ebk(F);
+  const Logic L(&ebk, F);
+  constexpr size_t N = 1 << LOGN;
+  const BitPluckerEncoder<Field, LOGN> PE(F);
+  const BitPlucker<Logic, LOGN> P(L);
+
+  for (size_t i = 0; i < N; ++i) {
+    auto enc = PE.encode(i);
+    auto got = P.pluck(L.konst(enc));
+    for (size_t k = 0; k < LOGN; ++k) {
+      EXPECT_EQ(L.eval(got[k]), L.konst((i >> k) & 1));
+    }
+  }
+}
+
+TEST(BitPlucker, PluckPrimeField) {
+  const Fp<1> F("18446744073709551557");
+  test_plucker<1>(F);
+  test_plucker<2>(F);
+  test_plucker<3>(F);
+  test_plucker<4>(F);
+  test_plucker<5>(F);
+}
+
+TEST(BitPlucker, PluckBinaryField) {
+  const GF2_128<> F;
+  test_plucker<1>(F);
+  test_plucker<2>(F);
+  test_plucker<3>(F);
+  test_plucker<4>(F);
+  test_plucker<5>(F);
+}
+
+template <size_t LOGN, class Field>
+void pluck_size(const char *name, const Field &F) {
+  using CompilerBackend = CompilerBackend<Field>;
+  using LogicCircuit = Logic<Field, CompilerBackend>;
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+
+  const EvalBackend ebk(F);
+  const Logic L(&ebk, F);
+  QuadCircuit<Field> Q(F);
+  const CompilerBackend cbk(&Q);
+  const LogicCircuit LC(&cbk, F);
+  const BitPlucker<LogicCircuit, LOGN> PC(LC);
+
+  auto eC = LC.eltw_input();
+  auto r = PC.pluck(eC);
+  for (size_t k = 0; k < LOGN; ++k) {
+    LC.output(r[k], k);
+  }
+  auto CIRCUIT = Q.mkcircuit(/*nc=*/1);
+  dump_info(name, LOGN, Q);
+}
+
+TEST(BitPlucker, PluckSizePrimeField) {
+  using Field = Fp<1>;
+  const Field F("18446744073709551557");
+  const char *name = "pluck<FP<1>>";
+  pluck_size<1>(name, F);
+  pluck_size<2>(name, F);
+  pluck_size<3>(name, F);
+  pluck_size<4>(name, F);
+  pluck_size<5>(name, F);
+  pluck_size<6>(name, F);
+  pluck_size<7>(name, F);
+  pluck_size<8>(name, F);
+}
+
+TEST(BitPlucker, PluckSizeBinaryField) {
+  using Field = GF2_128<>;
+  const Field F;
+  const char *name = "pluck<GF2_128<>>";
+  pluck_size<1>(name, F);
+  pluck_size<2>(name, F);
+  pluck_size<3>(name, F);
+  pluck_size<4>(name, F);
+  pluck_size<5>(name, F);
+  pluck_size<6>(name, F);
+  pluck_size<7>(name, F);
+  pluck_size<8>(name, F);
+}
+
+TEST(BitPlucker, EltMuxer) {
+  using Field = Fp<1>;
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+  using EltW = Logic::EltW;
+
+  const Field F("257");
+  const EvalBackend ebk(F);
+  const Logic L(&ebk, F);
+  const EltW zero = L.konst(0);
+  const EltW one = L.konst(1);
+
+  EltW arr_z[] = {zero, one, one, one, one, one, one, one};
+  EltW arr_e[] = {zero, one, zero, one, zero, one, zero, one};
+  EltW arr_r[] = {zero, zero, one, one, zero, zero, one, one};
+  EltW arr_s[] = {zero, zero, zero, zero, one, one, one, one};
+
+  const EltMuxer<Logic, 8> em_z(L, arr_z);
+  const EltMuxer<Logic, 8> em_e(L, arr_e);
+  const EltMuxer<Logic, 8> em_r(L, arr_r);
+  const EltMuxer<Logic, 8> em_s(L, arr_s);
+
+  for (size_t i = 0; i < 8; ++i) {
+    auto enc = bit_plucker_point<Field, 8>()(i, F);
+
+    L.assert_eq(em_z.mux(L.konst(enc)), arr_z[i]);
+    L.assert_eq(em_e.mux(L.konst(enc)), arr_e[i]);
+    L.assert_eq(em_r.mux(L.konst(enc)), arr_r[i]);
+    L.assert_eq(em_s.mux(L.konst(enc)), arr_s[i]);
+  }
+}
+
+// Test use of the EltMuxer machinery to test whether a smaller muxer input
+// is in range. In this case, we want to test whether the muxed input is in
+// {0,1,2,3,4,5,6,7}. We want to ensure that there are no false positives and
+// thus the test iterates over the entire field.
+TEST(BitPlucker, EltMuxer9) {
+  using Field = Fp<1>;
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+  using EltW = Logic::EltW;
+
+  const Field F("257");
+  const EvalBackend ebk(F);
+  const Logic L(&ebk, F);
+  const EltW zero = L.konst(0);
+  const EltW one = L.konst(1);
+
+  EltW arr_v[] = {zero, zero, zero, zero, zero, zero, zero, zero, one};
+  const EltMuxer<Logic, 9, 8> em2(L, arr_v);
+  for (size_t i = 0; i < 128 + /*intentional extra element*/ 1; ++i) {
+    auto enc = bit_plucker_point<Field, 8>()(i, F);
+    if (i < 9) {
+      L.assert_eq(em2.mux(L.konst(enc)), arr_v[i]);
+    } else {
+      EXPECT_NE(em2.mux(L.konst(enc)).elt(), F.zero());
+    }
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h

@@ -0,0 +1,62 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_COMPILER_BACKEND_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_COMPILER_BACKEND_H_
+
+#include <stdlib.h>
+
+#include <cstddef>
+
+#include "circuits/compiler/compiler.h"
+
+namespace proofs {
+// backend that compiles a circuit that, when evaluated, computes Elt's
+template <class Field>
+class CompilerBackend {
+  using QuadCircuitF = QuadCircuit<Field>;
+  using Elt = typename Field::Elt;
+
+ public:
+  using V = size_t;
+
+  explicit CompilerBackend(QuadCircuitF* q) : q_(q) {}
+
+  V assert0(const V& a) const { return q_->assert0(a); }
+  V add(const V& a, const V& b) const { return q_->add(a, b); }
+  V sub(const V& a, const V& b) const {
+    auto mb = mul(konst(q_->f_.mone()), b);
+    return add(a, mb);
+  }
+  V mul(const V& a, const V& b) const { return q_->mul(a, b); }
+  V mul(const Elt& a, const V& b) const { return q_->mul(a, b); }
+  V mul(const Elt& a, const V& b, const V& c) const { return q_->mul(a, b, c); }
+  V konst(const Elt& a) const { return q_->konst(a); }
+
+  V ax(const Elt& a, const V& x) const { return q_->mul(a, x); }
+  V axy(const Elt& a, const V& x, const V& y) const { return q_->mul(a, x, y); }
+  V axpy(const V& y, const Elt& a, const V& x) const {
+    return q_->axpy(y, a, x);
+  }
+  V apy(const V& y, const Elt& a) const { return q_->apy(y, a); }
+
+  V input_wire() const { return q_->input_wire(); }
+  void output_wire(size_t n, V wire_id) const { q_->output_wire(n, wire_id); }
+
+ private:
+  QuadCircuitF* q_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_COMPILER_BACKEND_H_

data/vendor/longfellow-zk/lib/circuits/logic/counter.h

@@ -0,0 +1,171 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_COUNTER_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_COUNTER_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+
+// Embedding of small unsigned integers into an additive group of
+// unspecified size, but assumed to be able to encode 16 bits or so.
+// For prime fields inject the integer mod p, and for
+// binary fields use the multiplicative group.
+namespace proofs {
+
+template <class Logic, bool kCharacteristicTwo>
+class CounterAux;
+
+// Use the additive group in fields with large characteristic
+template <class Logic_>
+class CounterAux<Logic_, /*kCharacteristicTwo=*/false> {
+ public:
+  using Logic = Logic_;
+  using Field = typename Logic::Field;
+  using EltW = typename Logic::EltW;
+  using BitW = typename Logic::BitW;
+  using CElt = typename Field::CElt;
+
+  // Even though everything is ultimately represented
+  // as EltW, keeps the types distinct to avoid
+  // confusion.
+
+  struct CEltW {
+    EltW e;
+  };
+
+  explicit CounterAux(const Logic& l) : l_(l) {}
+
+  const Logic& logic() const { return l_; }
+
+  // Convert a counter into *some* field element such that the counter is
+  // nonzero (as a counter) iff the field element is nonzero.
+  EltW znz_indicator(const CEltW& celt) const { return celt.e; }
+
+  CEltW mone() const { return CEltW{l_.konst(l_.mone())}; }
+  CEltW as_counter(uint64_t n) const { return CEltW{l_.konst(n)}; }
+  CEltW as_counter(const CElt& x) const { return CEltW{l_.konst(x.e)}; }
+
+  CEltW as_counter(const BitW& b) const { return CEltW{l_.eval(b)}; }
+
+  template <size_t N>
+  CEltW as_counter(const typename Logic::template bitvec<N>& v) const {
+    // counters have the same representation as scalars
+    return CEltW{l_.as_scalar(v)};
+  }
+
+  CEltW add(const CEltW& a, const CEltW& b) const {
+    return CEltW{l_.add(a.e, b.e)};
+  }
+
+  // a ? b : 0
+  CEltW ite0(const BitW& a, const CEltW& b) const {
+    return CEltW{l_.mul(l_.eval(a), b.e)};
+  }
+
+  // a ? b : c
+  CEltW mux(const BitW& a, const CEltW& b, const CEltW& c) const {
+    return add(c, ite0(a, sub(b, c)));
+  }
+  void assert0(const CEltW& a) const { l_.assert0(a.e); }
+  void assert_eq(const CEltW& a, const CEltW& b) const {
+    l_.assert_eq(a.e, b.e);
+  }
+
+  CEltW input() const { return CEltW{l_.eltw_input()}; }
+
+ private:
+  const Logic& l_;
+
+  // used only internally, do not export since we don't
+  // want to invert in the multiplicative group
+  CEltW sub(const CEltW& a, const CEltW& b) const {
+    return CEltW{l_.sub(a.e, b.e)};
+  }
+};
+
+// use the multiplicative group in characteristic 2
+template <class Logic_>
+class CounterAux<Logic_, /*kCharacteristicTwo=*/true> {
+ public:
+  using Logic = Logic_;
+  using Field = typename Logic::Field;
+  using EltW = typename Logic::EltW;
+  using BitW = typename Logic::BitW;
+  using CElt = typename Field::CElt;
+
+  struct CEltW {
+    EltW e;
+  };
+
+  explicit CounterAux(const Logic& l) : l_(l) {}
+
+  const Logic& logic() const { return l_; }
+
+  // Convert a counter into *some* field element such that the counter is
+  // nonzero (as a counter) iff the field element is nonzero.
+  EltW znz_indicator(const CEltW& celt) const {
+    return l_.sub(celt.e, l_.konst(l_.one()));
+  }
+
+  CEltW mone() const { return CEltW{l_.konst(l_.f_.invg())}; }
+  CEltW as_counter(uint64_t n) const {
+    return CEltW{l_.konst(l_.f_.as_counter(n).e)};
+  }
+  CEltW as_counter(const CElt& x) const { return CEltW{l_.konst(x.e)}; }
+
+  CEltW as_counter(const BitW& b) const {
+    CEltW iftrue = CEltW{l_.konst(l_.f_.g())};
+    return ite0(b, iftrue);
+  }
+
+  template <size_t N>
+  CEltW as_counter(const typename Logic::template bitvec<N>& v) const {
+    // do the multiplication in Logic since we don't have
+    // a range addition in Counter
+    return CEltW{l_.mul(0, N, [&](size_t i) {
+      return l_.mux(v[i], l_.konst(l_.f_.counter_beta(i)), l_.konst(l_.one()));
+    })};
+  }
+
+  CEltW add(const CEltW& a, const CEltW& b) const {
+    return CEltW{l_.mul(a.e, b.e)};
+  }
+
+  // a ? b : 0
+  CEltW ite0(const BitW& a, const CEltW& b) const {
+    return CEltW{l_.mux(a, b.e, l_.konst(l_.one()))};
+  }
+
+  // a ? b : c
+  CEltW mux(const BitW& a, const CEltW& b, const CEltW& c) const {
+    return CEltW{l_.mux(a, b.e, c.e)};
+  }
+  void assert0(const CEltW& a) const { l_.assert_eq(a.e, l_.konst(l_.one())); }
+  void assert_eq(const CEltW& a, const CEltW& b) const {
+    l_.assert_eq(a.e, b.e);
+  }
+
+  CEltW input() const { return CEltW{l_.eltw_input()}; }
+
+ private:
+  const Logic& l_;
+};
+
+template <class Logic>
+using Counter = CounterAux<Logic, Logic::Field::kCharacteristicTwo>;
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_COUNTER_H_

data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc

@@ -0,0 +1,102 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/logic/counter.h"
+
+#include <stddef.h>
+
+#include "algebra/fp_p128.h"
+#include "circuits/logic/evaluation_backend.h"
+#include "circuits/logic/logic.h"
+#include "gf2k/gf2_128.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <class Field>
+void test_counter() {
+  const Field F;
+  constexpr size_t w = 7;
+
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+  using CounterL = Counter<Logic>;
+  const EvalBackend ebk(F, /* panic_on_assertion_failure=*/false);
+  const Logic L(&ebk, F);
+  const CounterL CTR(L);
+
+  for (size_t a = 0; a < (1 << w); ++a) {
+    auto ca = CTR.as_counter(a);
+
+    // Computing CA in the circuit from a bitvec
+    // produces the same result as computing CA in the field
+    {
+      CTR.assert_eq(ca, CTR.as_counter(F.as_counter(a)));
+      EXPECT_FALSE(ebk.assertion_failed());
+      CTR.assert_eq(ca, CTR.as_counter(L.template vbit<w>(a)));
+      EXPECT_FALSE(ebk.assertion_failed());
+    }
+
+    {
+      auto eca = CTR.znz_indicator(ca);
+      L.assert0(eca);
+      EXPECT_EQ(ebk.assertion_failed(), (a != 0));
+
+      // F.znz_indicator() and CTR.znz_indicator() must compute the
+      // same thing
+      L.assert_eq(eca, L.konst(F.znz_indicator(F.as_counter(a))));
+      EXPECT_FALSE(ebk.assertion_failed());
+    }
+
+    {
+      // assert0() works as expected
+      CTR.assert0(ca);
+      EXPECT_EQ(ebk.assertion_failed(), (a != 0));
+    }
+
+    {
+      // minus one works as expected
+      auto cam1 = CTR.add(ca, CTR.mone());
+      CTR.assert0(cam1);
+      EXPECT_EQ(ebk.assertion_failed(), (a != 1));
+
+      if (a > 0) {
+        auto want_cam1 = CTR.as_counter(a - 1);
+        CTR.assert_eq(cam1, want_cam1);
+        EXPECT_FALSE(ebk.assertion_failed());
+      }
+    }
+
+    // addition works as expected
+    for (size_t b = 0; b < (1 << w); ++b) {
+      auto cb = CTR.as_counter(b);
+      for (size_t s = 0; s < (2 << w); ++s) {
+        auto cs = CTR.as_counter(s);
+
+        auto ab = CTR.add(ca, cb);
+        CTR.assert_eq(ab, cs);
+        EXPECT_EQ(ebk.assertion_failed(), ((a + b) != s));
+      }
+    }
+  }
+}
+
+TEST(Counter, Fields) {
+  test_counter<GF2_128<>>();
+  test_counter<Fp128<>>();
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h

@@ -0,0 +1,94 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_EVALUATION_BACKEND_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_EVALUATION_BACKEND_H_
+
+#include "util/panic.h"
+
+namespace proofs {
+// backend that evaluates values directly
+template <class Field>
+class EvaluationBackend {
+  using Elt = typename Field::Elt;
+
+ public:
+  explicit EvaluationBackend(const Field& F,
+                             bool panic_on_assertion_failure = true)
+      : f_(F),
+        panic_on_assertion_failure_(panic_on_assertion_failure),
+        assertion_failed_(false) {}
+
+  ~EvaluationBackend() {
+    // Crash if assertion_failed_, which indicates that a test
+    // has forgotten to read the value
+    check(!assertion_failed_, "assertion_failed_ true in ~EvaluationBackend()");
+  }
+
+  // Reading ASSERTION_FAILED_ returns the current ASSERTION_FAILED_
+  // state and resets the state.
+  bool assertion_failed() const {
+    bool b = assertion_failed_;
+    assertion_failed_ = false;
+    return b;
+  }
+
+  struct V {
+    Elt e;
+    V() = default;
+    explicit V(const Elt& x) : e(x) {}
+    Elt elt() const { return e; }
+
+    bool operator==(const V& y) const { return e == y.e; }
+    bool operator!=(const V& y) const { return e != y.e; }
+  };
+
+  V assert0(const V& a) const {
+    if (a.e == f_.zero()) {
+      return a;
+    } else {
+      if (panic_on_assertion_failure_) {
+        check(false, "a != F.zero()");
+      }
+      assertion_failed_ = true;
+    }
+    return a;
+  }
+
+  V add(const V& a, const V& b) const { return V{f_.addf(a.e, b.e)}; }
+  V sub(const V& a, const V& b) const { return V{f_.subf(a.e, b.e)}; }
+  V mul(const V& a, const V& b) const { return V{f_.mulf(a.e, b.e)}; }
+  V mul(const Elt& a, const V& b) const { return V{f_.mulf(a, b.e)}; }
+  V mul(const Elt& a, const V& b, const V& c) const {
+    return mul(a, mul(b, c));
+  }
+  V konst(const Elt& a) const { return V{a}; }
+
+  V ax(const Elt& a, const V& x) const { return V{f_.mulf(a, x.e)}; }
+  V axy(const Elt& a, const V& x, const V& y) const {
+    return V{f_.mulf(a, f_.mulf(x.e, y.e))};
+  }
+  V axpy(const V& y, const Elt& a, const V& x) const {
+    return V{f_.addf(y.e, f_.mulf(a, x.e))};
+  }
+  V apy(const V& y, const Elt& a) const { return V{f_.addf(y.e, a)}; }
+
+ private:
+  const Field& f_;
+  bool panic_on_assertion_failure_;
+  mutable bool assertion_failed_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_EVALUATION_BACKEND_H_