longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/logic/unary.h

@@ -0,0 +1,55 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_H_
+
+#include <stddef.h>
+
+// Various unary decoders
+namespace proofs {
+template <class Logic>
+class Unary {
+ public:
+  using BitW = Logic::BitW;
+  const Logic& l_;
+
+  explicit Unary(const Logic& l) : l_(l) {}
+
+  // Even with this naive coding, it seems like the EQ circuit
+  // contains ~N wires and ~N terms, and the LT circuit contains ~N
+  // wires and ~2N terms, so there isn't much room for optimization.
+
+  // A[i] <- (i == j)
+  template <size_t W>
+  void eq(size_t n, BitW A[/*n*/],
+          const typename Logic::template bitvec<W>& j) const {
+    for (size_t i = 0; i < n; ++i) {
+      A[i] = l_.veq(j, i);
+    }
+  }
+
+  // A[i] <- (i < j)
+  template <size_t W>
+  void lt(size_t n, BitW A[/*n*/],
+          const typename Logic::template bitvec<W>& j) const {
+    for (size_t i = 0; i < n; ++i) {
+      A[i] = l_.vlt(i, j);
+    }
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_H_

data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h

@@ -0,0 +1,77 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_PLUCKER_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_PLUCKER_H_
+#include <stddef.h>
+#include <stdint.h>
+
+#include <vector>
+
+#include "algebra/interpolation.h"
+#include "algebra/poly.h"
+#include "circuits/logic/bit_plucker_constants.h"
+#include "circuits/logic/polynomial.h"
+
+namespace proofs {
+
+template <class Logic, size_t NJ>
+class UnaryPlucker {
+ public:
+  using Field = typename Logic::Field;
+  using BitW = typename Logic::BitW;
+  using EltW = typename Logic::EltW;
+  using Elt = typename Field::Elt;
+  // NJ + 1 so that pluck point NJ decodes to all zeroes
+  static constexpr size_t kN = NJ + 1;
+  using PolyN = Poly<kN, Field>;
+  using InterpolationN = Interpolation<kN, Field>;
+  const Logic& l_;
+  std::vector<PolyN> plucker_;
+
+  explicit UnaryPlucker(const Logic& l) : l_(l), plucker_(NJ) {
+    const Field& F = l_.f_;  // shorthand
+    // evaluation points
+    PolyN X;
+    for (size_t i = 0; i < kN; ++i) {
+      X[i] = bit_plucker_point<Field, kN>()(i, F);
+    }
+
+    for (size_t j = 0; j < NJ; ++j) {
+      PolyN Y;
+      for (size_t i = 0; i < kN; ++i) {
+        Y[i] = F.of_scalar(i == j);
+      }
+      plucker_[j] = InterpolationN::monomial_of_lagrange(Y, X, F);
+    }
+  }
+
+  typename Logic::template bitvec<NJ> pluck(const EltW& e) const {
+    typename Logic::template bitvec<NJ> r;
+    const Logic& L = l_;  // shorthand
+    const Polynomial<Logic> P(L);
+
+    for (size_t j = 0; j < NJ; ++j) {
+      EltW v = P.eval(plucker_[j], e);
+      L.assert_is_bit(v);
+      r[j] = BitW(v, L.f_);
+    }
+
+    return r;
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_PLUCKER_H_

data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h

@@ -0,0 +1,37 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_PLUCKER_CONSTANTS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_PLUCKER_CONSTANTS_H_
+#include <stddef.h>
+#include <stdint.h>
+
+#include "circuits/logic/bit_plucker_constants.h"
+#include "util/panic.h"
+
+namespace proofs {
+template <class Field, size_t NJ>
+struct unary_plucker_point {
+  using Elt = typename Field::Elt;
+  static constexpr size_t kN = NJ + 1;
+
+  Elt operator()(size_t j, const Field& F) const {
+    check(j <= NJ, "j <= NJ in unary_plucker_point");
+    check(j < kN, "j < N in unary_plucker_point");
+    return bit_plucker_point<Field, kN>()(j, F);
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_LOGIC_UNARY_PLUCKER_CONSTANTS_H_

data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc

@@ -0,0 +1,53 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/logic/unary_plucker.h"
+
+#include <stddef.h>
+
+#include "algebra/fp.h"
+#include "circuits/logic/evaluation_backend.h"
+#include "circuits/logic/logic.h"
+#include "circuits/logic/unary_plucker_constants.h"
+#include "gf2k/gf2_128.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <class Field>
+void pluck_test(const Field& F) {
+  using EvalBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvalBackend>;
+
+  constexpr size_t NJ = 7;
+  constexpr size_t N = NJ + 1;
+  const EvalBackend ebk(F);
+  const Logic L(&ebk, F);
+  const UnaryPlucker<Logic, NJ> P(L);
+
+  for (size_t i = 0; i < N; ++i) {
+    auto got = P.pluck(L.konst(unary_plucker_point<Field, NJ>()(i, F)));
+    for (size_t j = 0; j < NJ; ++j) {
+      EXPECT_EQ(L.eval(got[j]), L.konst(i == j));
+    }
+  }
+}
+
+TEST(UnaryPluck, PluckPrimeField) { pluck_test(Fp<1>("18446744073709551557")); }
+
+TEST(UnaryPluck, PluckBinaryField) { pluck_test(GF2_128<>()); }
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc

@@ -0,0 +1,69 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stddef.h>
+
+#include <vector>
+
+#include "algebra/fp.h"
+#include "circuits/compiler/circuit_dump.h"
+#include "circuits/compiler/compiler.h"
+#include "circuits/logic/compiler_backend.h"
+#include "circuits/logic/logic.h"
+#include "circuits/logic/unary.h"
+#include "gf2k/gf2_128.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <class Field>
+void one_size(const Field& F, const char* name, bool eq_or_lt) {
+  using CompilerBackend = CompilerBackend<Field>;
+  using LogicCircuit = Logic<Field, CompilerBackend>;
+  using BitWC = LogicCircuit::BitW;
+  QuadCircuit<Field> Q(F);
+  const CompilerBackend cbk(&Q);
+  const LogicCircuit LC(&cbk, F);
+  const Unary<LogicCircuit> U(LC);
+
+  constexpr size_t W = 12;
+  using BV = typename LogicCircuit::template bitvec<W>;
+  size_t n = 1u << W;
+  std::vector<BitWC> A(n);
+
+  BV jj = LC.template vinput<W>();
+  if (eq_or_lt) {
+    U.eq(n, A.data(), jj);
+  } else {
+    U.lt(n, A.data(), jj);
+  }
+  for (size_t i = 0; i < n; ++i) {
+    LC.output(A[i], i);
+  }
+  auto CIRCUIT = Q.mkcircuit(/*nc=*/1);
+  dump_info("foo", n, Q);
+}
+
+TEST(UnarySize, PrimeField) {
+  one_size(Fp<1>("18446744073709551557"), "eq_fp", /*eq_or_lt=*/true);
+  one_size(Fp<1>("18446744073709551557"), "lt_fp", /*eq_or_lt=*/false);
+}
+TEST(UnarySize, BinaryField) {
+  one_size(GF2_128<>(), "eq_gf", /*eq_or_lt=*/true);
+  one_size(GF2_128<>(), "lt_gf", /*eq_or_lt=*/false);
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc

@@ -0,0 +1,62 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/logic/unary.h"
+
+#include <stddef.h>
+
+#include <vector>
+
+#include "algebra/fp.h"
+#include "circuits/logic/evaluation_backend.h"
+#include "circuits/logic/logic.h"
+#include "gf2k/gf2_128.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+template <class Field>
+void one_test(const Field& F) {
+  using EvaluationBackend = EvaluationBackend<Field>;
+  using Logic = Logic<Field, EvaluationBackend>;
+  using BitW = typename Logic::BitW;
+
+  const EvaluationBackend ebk(F);
+  const Logic L(&ebk, F);
+  const Unary<Logic> U(L);
+
+  constexpr size_t W = 6;
+  using BV = typename Logic::template bitvec<W>;
+  size_t n = 1u << W;
+
+  for (size_t j = 0; j < n; ++j) {
+    std::vector<BitW> EQ(n);
+    std::vector<BitW> LT(n);
+    BV jj = L.template vbit<W>(j);
+
+    U.eq(n, EQ.data(), jj);
+    U.lt(n, LT.data(), jj);
+    for (size_t i = 0; i < n; ++i) {
+      EXPECT_EQ(L.eval(EQ[i]), L.konst(i == j));
+      EXPECT_EQ(L.eval(LT[i]), L.konst(i < j));
+    }
+  }
+}
+
+TEST(Unary, PrimeField) { one_test(Fp<1>("18446744073709551557")); }
+TEST(Unary, BinaryField) { one_test(GF2_128<>()); }
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h

@@ -0,0 +1,193 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_CIRCUIT_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_CIRCUIT_H_
+
+// Implements a message authentication code in GF 2^k for a 256-bit message.
+// The mac key is additively sampled by both the prover and verifier to ensure
+// soundness and zk.
+//
+// The mac is defined as (a_pi+a_v)*x_i = mac_i where (x_1,x_2) are 128-bit
+// portions of the hidden message. The verifier need only contribute one
+// a_v for all MACs verified in the circuit. The prover needs to commit to
+// separate a_p{i} for each portion of each message.
+//
+// The property that we need from this primitive is as follows:
+// Assume the prover has committed to a_pi and x, i.e., fix a_pi, x.
+// The probability over the verifier's random a_v that mac(x) = mac_(y)
+// if x != y is at most 2^{-128}.
+
+#include <algorithm>
+#include <cstddef>
+
+#include "circuits/logic/logic.h"
+#include "gf2k/gf2_128.h"
+
+namespace proofs {
+
+static constexpr size_t kMACPluckerBits = 2u;
+
+// MAC: implements a MAC in GF 2^k for a 256-bit message by simulating
+// the arithmetic of the GF 2^k field. This implementation commits both
+// the prover's a_p key as well as the bits of the message. This allows
+// the MAC computation and the equality of the purported message to be verified
+// in parallel to reduce depth.
+// As an optimization, the MAC computed here is a.x instead of a.x + b. This
+// MAC is unforgeable with vhp and hiding whenever x is non-zero. The caller
+// must ensure that the MACed values are non-zero with very high probability.
+// For example, in the case of the MAC of a hash of a randomly selected message,
+// the probability of the hash being zero is quite small. This case applies for
+// signatures of messages related to credentials. As another example, the
+// device public key is an honestly-generated ECDSA key, and thus is unlikely
+// to be zero for most curves. These cases add a small error to the
+// zero-knowledge analysis of the scheme.
+template <class Logic, class BitPlucker>
+class MAC {
+ public:
+  using Field = typename Logic::Field;
+  using Elt = typename Field::Elt;
+  using EltW = typename Logic::EltW;
+  using Nat = typename Field::N;
+  using v8 = typename Logic::v8;
+  using v128 = typename Logic::v128;
+  using v256 = typename Logic::v256;
+  using packed_v128 = typename BitPlucker::packed_v128;
+  using packed_v256 = typename BitPlucker::packed_v256;
+
+  BitPlucker bp_;
+
+  class Witness {
+   public:
+    packed_v128 aa_[2];
+    packed_v256 xx_;  // The value to be checked
+
+    void input(const Logic& lc) {
+      aa_[0] = BitPlucker::template packed_input<packed_v128>(lc);
+      aa_[1] = BitPlucker::template packed_input<packed_v128>(lc);
+      xx_ = BitPlucker::template packed_input<packed_v256>(lc);
+    }
+  };
+
+  explicit MAC(const Logic& lc) : bp_(lc), lc_(lc) {}
+
+  // Verifies a mac on the Field element value against the key (a_p + a_v).
+  // This method can only be called when the field is at least 256 bits, e.g.,
+  // with F_p256. In other cases, the caller should use a verify_mac method
+  // that takes the message in bit-wise form. Additionally, the order parameter
+  // is used to ensure that the message does not overflow the field.
+  void verify_mac(EltW msg, const v128 mac[/*2*/], const v128& av,
+                  const Witness& vw, Nat order) const {
+    check(Field::kBits >= 256, "Field::kBits < 256");
+    v128 msg2[2];
+    unpack_msg(msg2, msg, order, vw);
+    assert_mac(mac, av, msg2, vw);
+  }
+
+ private:
+  // Checks mac[i] = (a_p + a_v)*xi[i] for i=0..1.
+  void assert_mac(const v128 mac[/*2*/], const v128& av, const v128 xi[/*2*/],
+                  const Witness& vw) const {
+    v128 mv;
+    for (size_t i = 0; i < 2; ++i) {
+      v128 ap = bp_.template unpack<v128, packed_v128>(vw.aa_[i]);
+      v128 key = lc_.vxor(av, ap);
+      lc_.gf2_128_mul(mv, key, xi[i]);
+      lc_.vassert_eq(mac[i], mv);
+    }
+  }
+
+  void unpack_msg(v128 msg[/*2*/], EltW msgw, Nat order,
+                  const Witness& vw) const {
+    v256 x = bp_.template unpack<v256, packed_v256>(vw.xx_);
+    std::copy(x.begin(), x.begin() + 128, msg[0].begin());
+    std::copy(x.begin() + 128, x.end(), msg[1].begin());
+
+    // Ensure that the incoming message does not overflow the field.
+    v256 bits_n;
+    for (size_t i = 0; i < 256; ++i) {
+      bits_n[i] = lc_.bit(order.bit(i));
+    }
+    lc_.assert1(lc_.vlt(x, bits_n));
+
+    // Verify that the message bits in the witness correspond to msg.
+    EltW te = lc_.konst(lc_.zero());
+    Elt twok = lc_.one();
+    for (size_t i = 0; i < 256; ++i) {
+      te = lc_.axpy(te, twok, lc_.eval(x[i]));
+      lc_.f_.add(twok, twok);
+    }
+    lc_.assert_eq(te, msgw);
+  }
+
+  const Logic& lc_;
+};
+
+// Same MAC computation for native GF2_128 field.
+template <class Backend, class BitPlucker>
+class MACGF2 {
+ public:
+  using Elt = typename Logic<GF2_128<>, Backend>::Elt;
+  using EltW = typename Logic<GF2_128<>, Backend>::EltW;
+  using BitW = typename Logic<GF2_128<>, Backend>::BitW;
+
+  // In this specialization, 128 bits are stored in a native EltW.
+  using v128 = EltW;
+
+  // Message input types v8, v256 are still encoded bit-wise.
+  using v8 = typename Logic<GF2_128<>, Backend>::v8;
+  using v256 = typename Logic<GF2_128<>, Backend>::v256;
+
+  explicit MACGF2(const Logic<GF2_128<>, Backend>& lc) : lc_(lc) {}
+  class Witness {
+   public:
+    EltW aa_[2];
+
+    void input(const Logic<GF2_128<>, Backend>& lc) {
+      aa_[0] = lc.eltw_input();
+      aa_[1] = lc.eltw_input();
+    }
+  };
+
+  // Verify a mac on the 256-bit message msg.
+  void verify_mac(const EltW mac[/*2*/], const EltW& av, const v256& msg,
+                  const Witness& vw) const {
+    // Check that mac[i] = (a_p + a_v)*mm[i] for i=0..1.
+    for (size_t i = 0; i < 2; ++i) {
+      EltW mm = pack(&msg[i * 128]);
+      EltW key = lc_.add(av, vw.aa_[i]);
+      EltW got = lc_.mul(key, mm);
+      lc_.assert_eq(mac[i], got);
+    }
+  }
+
+ private:
+  // Pack a 128-bit message into a GF(2^128) field element.
+  EltW pack(const BitW msg[/*128*/]) const {
+    Elt alpha = lc_.f_.x();
+    Elt xi = lc_.f_.one();
+    EltW m = lc_.konst(0);
+    for (size_t i = 0; i < 128; ++i) {
+      m = lc_.axpy(m, xi, lc_.eval(msg[i]));
+      xi = lc_.mulf(xi, alpha);
+    }
+    return m;
+  }
+
+  const Logic<GF2_128<>, Backend>& lc_;
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_CIRCUIT_H_