longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc

@@ -0,0 +1,223 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/mac/mac_circuit.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#include <cstdint>
+#include <memory>
+#include <utility>
+
+#include "arrays/dense.h"
+#include "circuits/compiler/circuit_dump.h"
+#include "circuits/compiler/compiler.h"
+#include "circuits/logic/bit_plucker.h"
+#include "circuits/logic/compiler_backend.h"
+#include "circuits/logic/logic.h"
+#include "circuits/mac/mac_reference.h"
+#include "circuits/mac/mac_witness.h"
+#include "ec/p256.h"
+#include "gf2k/gf2_128.h"
+#include "random/secure_random_engine.h"
+#include "sumcheck/circuit.h"
+#include "sumcheck/testing.h"
+#include "util/log.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+// This test subsumes the evaluation test.
+TEST(MAC, full_circuit_test_128) {
+  set_log_level(INFO);
+  constexpr size_t kNum = 3;
+
+  size_t ninput;
+  std::unique_ptr<Circuit<Fp256Base>> circuit;
+
+  /*scope to delimit compile-time*/ {
+    using CompilerBackend = CompilerBackend<Fp256Base>;
+    using LogicCircuit = Logic<Fp256Base, CompilerBackend>;
+    using v128 = LogicCircuit::v128;
+    QuadCircuit<Fp256Base> Q(p256_base);
+    const CompilerBackend cbk(&Q);
+    const LogicCircuit LC(&cbk, p256_base);
+    using MACCircuit =
+        MAC<LogicCircuit, BitPlucker<LogicCircuit, kMACPluckerBits>>;
+    MACCircuit mac(LC);
+
+    MACCircuit::Witness vwc[kNum];
+    LogicCircuit::EltW msg[kNum];
+    v128 mv[kNum][2];
+    v128 a_v[kNum];
+    for (size_t i = 0; i < kNum; ++i) {
+      msg[i] = LC.eltw_input();
+      mv[i][0] = LC.vinput<128>();
+      mv[i][1] = LC.vinput<128>();
+      a_v[i] = LC.vinput<128>();
+    }
+
+    Q.private_input();
+    for (size_t i = 0; i < kNum; ++i) {
+      vwc[i].input(LC);
+    }
+    for (size_t i = 0; i < kNum; ++i) {
+      mac.verify_mac(msg[i], mv[i], a_v[i], vwc[i], n256_order);
+    }
+
+    circuit = Q.mkcircuit(1);
+    dump_info("mac verify p256", Q);
+    ninput = Q.ninput();
+  }
+
+  log(INFO, "Compile done");
+  /*------------------------------------------------------------*/
+  // Witness-creation time + fill inputs
+  using gf2k = GF2_128<>::Elt;
+  GF2_128<> gf;
+  MACReference<GF2_128<>> mac_ref;
+  SecureRandomEngine rng;
+
+  uint8_t test_msg[32];
+
+  for (size_t t = 0; t < 10; ++t) {
+    rng.bytes(test_msg, 32);
+
+    auto W = std::make_unique<Dense<Fp256Base>>(1, ninput);
+    DenseFiller<Fp256Base> filler(*W);
+    filler.push_back(p256_base.one());
+
+    Fp256Base::Elt msg_elt = p256_base.of_bytes_field(test_msg).value();
+
+    gf2k av, ap[2], mac[2];
+    mac_ref.sample(&av, 1, &rng);
+    mac_ref.sample(ap, 2, &rng);
+    mac_ref.compute(mac, av, ap, test_msg);
+
+    MacWitness<Fp256Base> vw(p256_base, gf);
+    vw.compute_witness(ap, test_msg);
+
+    for (size_t i = 0; i < kNum; ++i) {
+      filler.push_back(msg_elt);
+
+      // Fill inputs
+      for (size_t j = 0; j < 2; ++j) {
+        fill_gf2k<GF2_128<>, Fp256Base>(mac[j], filler, p256_base);
+      }
+      fill_gf2k<GF2_128<>, Fp256Base>(av, filler, p256_base);
+    }
+
+    for (size_t i = 0; i < kNum; ++i) {
+      vw.fill_witness(filler);
+    }
+
+    log(INFO, "Fill done");
+    /*------------------------------------------------------------*/
+    // Prove
+    Proof<Fp256Base> proof(circuit->nl);
+    run_prover<Fp256Base>(circuit.get(), W->clone(), &proof, p256_base);
+
+    log(INFO, "Prover done");
+    /*------------------------------------------------------------*/
+    // Verify
+    run_verifier<Fp256Base>(circuit.get(), std::move(W), proof, p256_base);
+    log(INFO, "Verify done");
+  }
+}
+
+TEST(MAC, full_circuit_GF2_128) {
+  set_log_level(INFO);
+  using f_128 = GF2_128<>;
+  size_t ninput;
+  std::unique_ptr<Circuit<f_128>> circuit;
+  f_128 F;
+
+  /*scope to delimit compile-time*/ {
+    using CompilerBackend = CompilerBackend<f_128>;
+    using LogicCircuit = Logic<f_128, CompilerBackend>;
+    using EltW = LogicCircuit::EltW;
+    using v256 = LogicCircuit::v256;
+    QuadCircuit<f_128> Q(F);
+    const CompilerBackend cbk(&Q);
+    const LogicCircuit LC(&cbk, F);
+    using MACCircuit =
+        MACGF2<CompilerBackend, BitPlucker<LogicCircuit, kMACPluckerBits>>;
+    MACCircuit mac(LC);
+    MACCircuit::Witness vwc;
+
+    v256 msg = LC.vinput<256>();
+    EltW mv[2] = {LC.eltw_input(), LC.eltw_input()};
+    EltW a_v = LC.eltw_input();
+    Q.private_input();
+    vwc.input(LC);
+    mac.verify_mac(mv, a_v, msg, vwc);
+
+    circuit = Q.mkcircuit(1);
+    dump_info("mac_gf2_128 verify", Q);
+    ninput = Q.ninput();
+  }
+
+  log(INFO, "Compile done");
+  /*------------------------------------------------------------*/
+  // Witness-creation time + fill inputs
+  using gf2k = f_128::Elt;
+  MACReference<f_128> mac_ref;
+  SecureRandomEngine rng;
+
+  uint8_t test_msg[32];
+
+  for (size_t t = 0; t < 10; ++t) {
+    rng.bytes(test_msg, 32);
+
+    auto W = std::make_unique<Dense<f_128>>(1, ninput);
+    DenseFiller<f_128> filler(*W);
+    filler.push_back(F.one());
+
+    for (size_t i = 0; i < 256; ++i) {
+      filler.push_back((test_msg[i / 8] >> (i % 8) & 0x1) ? F.one() : F.zero());
+    }
+
+    gf2k av, ap[2], mac[2];
+    mac_ref.sample(&av, 1, &rng);
+    mac_ref.sample(ap, 2, &rng);
+    mac_ref.compute(mac, av, ap, test_msg);
+
+    MacGF2Witness vw;
+    vw.compute_witness(ap);
+
+    // Fill inputs
+    for (size_t i = 0; i < 2; ++i) {
+      filler.push_back(mac[i]);
+    }
+    filler.push_back(av);
+    vw.fill_witness(filler);
+
+    log(INFO, "Fill done");
+    /*------------------------------------------------------------*/
+    // Prove
+    Proof<f_128> proof(circuit->nl);
+    run_prover<f_128>(circuit.get(), W->clone(), &proof, F);
+
+    log(INFO, "Prover done");
+    /*------------------------------------------------------------*/
+    // Verify
+    run_verifier<f_128>(circuit.get(), std::move(W), proof, F);
+    log(INFO, "Verify done");
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h

@@ -0,0 +1,72 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_REFERENCE_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_REFERENCE_H_
+
+#include <cstddef>
+#include <cstdint>
+#include <vector>
+
+#include "arrays/dense.h"
+#include "random/random.h"
+#include "util/panic.h"
+
+namespace proofs {
+
+template <class GF>
+class MACReference {
+  using gf2k = typename GF::Elt;
+
+ public:
+  void sample(gf2k ap[], size_t n, RandomEngine* rng) {
+    check(n > 0, "n must be positive");
+    std::vector<uint8_t> buf(n * GF::kBytes);
+    rng->bytes(buf.data(), n * GF::kBytes);
+    for (size_t i = 0; i < n; ++i) {
+      ap[i] = gf_.of_bytes_field(&buf[i * GF::kBytes]).value();
+    }
+  }
+
+  // Computes the mac of a 32-byte message.
+  void compute(gf2k mac[/*2*/], const gf2k& av, const gf2k ap[/*2*/],
+               uint8_t msg[/*32*/]) const {
+    uint8_t tmp[GF::kBytes] = {0};
+    for (size_t i = 0; i < 2; ++i) {
+      memcpy(tmp, &msg[i * GF::kBytes], GF::kBytes);
+      gf2k m = gf_.of_bytes_field(tmp).value();
+      mac[i] = gf_.mulf(gf_.addf(av, ap[i]), m);
+    }
+  }
+
+  void to_bytes(gf2k mac[/*2*/], uint8_t buf[/* 32 */]) {
+    gf_.to_bytes(mac[0], buf);
+    gf_.to_bytes(mac[1], buf + GF::kBytes);
+  }
+
+ private:
+  GF gf_;
+};
+
+template <typename GF, typename Field>
+void fill_gf2k(const typename GF::Elt& m, DenseFiller<Field>& df,
+               const Field& f) {
+  for (size_t i = 0; i < GF::kBits; ++i) {
+    df.push_back(m[i] ? f.one() : f.zero());
+  }
+}
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_REFERENCE_H_

data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h

@@ -0,0 +1,94 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_WITNESS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_WITNESS_H_
+
+#include <cstddef>
+#include <cstdint>
+
+#include "arrays/dense.h"
+#include "circuits/logic/bit_plucker_encoder.h"
+#include "gf2k/gf2_128.h"
+
+namespace proofs {
+
+template <class Field>
+class MacWitness {
+  using f_128 = GF2_128<>;
+  using gf2k = f_128::Elt;
+  using packer = BitPluckerEncoder<Field, 2>;
+  using packed_v128 = typename packer::packed_v128;
+  using packed_v256 = typename packer::packed_v256;
+
+ public:
+  explicit MacWitness(const Field& F, const f_128& GF) : f_(F), gf_(GF) {}
+
+  void fill_witness(DenseFiller<Field>& fill) const {
+    packer bp(f_);
+    uint8_t tmp[f_128::kBits];
+    for (size_t i = 0; i < 2; ++i) {
+      for (size_t j = 0; j < f_128::kBits; ++j) {
+        tmp[j] = ap_[i][j];
+      }
+      fill.push_back(bp.template pack<packed_v128>(tmp, f_128::kBits));
+    }
+
+    for (size_t i = 0; i < 2; ++i) {
+      for (size_t j = 0; j < f_128::kBits; ++j) {
+        tmp[j] = x_[i][j];
+      }
+      fill.push_back(bp.template pack<packed_v128>(tmp, 128));
+    }
+  }
+
+  // Computes a mac witness on a 32-byte message x.
+  // This code assumes that a gf element is at least 16 bytes.
+  void compute_witness(const gf2k a_p[/*2*/], const uint8_t x[/*32*/]) {
+    for (size_t i = 0; i < 2; ++i) {
+      x_[i] = gf_.of_bytes_field(&x[i * 16]).value();
+      ap_[i] = a_p[i];
+    }
+  }
+
+ private:
+  gf2k ap_[2], x_[2];
+  const Field& f_;
+  const f_128& gf_;
+};
+
+class MacGF2Witness {
+  using f_128 = GF2_128<>;
+  using gf2k = f_128::Elt;
+
+ public:
+  void fill_witness(DenseFiller<f_128>& fill) const {
+    fill.push_back(ap_[0]);
+    fill.push_back(ap_[1]);
+  }
+
+  // Computes a mac witness on a 32-byte message x.
+  void compute_witness(const gf2k a_p[/*2*/]) {
+    for (size_t i = 0; i < 2; ++i) {
+      ap_[i] = a_p[i];
+    }
+  }
+
+ private:
+  gf2k ap_[2];
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MAC_MAC_WITNESS_H_

data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc

@@ -0,0 +1,242 @@
+// Copyright 2025 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This program generates a circuit for mdoc_zk, computes its ID, and writes
+// the circuit to a file named after the circuit ID in a specified output
+// directory.
+
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <filesystem>
+#include <fstream>
+#include <iomanip>
+#include <iostream>
+#include <sstream>
+#include <string>
+#include <vector>
+#include <absl/cleanup/cleanup.h>
+#include <absl/flags/flag.h>
+#include <absl/flags/parse.h>
+
+#include "circuits/mdoc/mdoc_zk.h"
+#include "util/log.h"
+#include "util/panic.h"
+#include "util/readbuffer.h"
+#include "zk/zk_common.h"
+#include "circuits/mdoc/mdoc_decompress.h"
+#include "ec/p256.h"
+#include "gf2k/gf2_128.h"
+#include "ligero/ligero_param.h"
+#include "proto/circuit.h"
+
+
+ABSL_FLAG(std::string, output_dir, "circuits",
+          "Output directory for the circuit file");
+ABSL_FLAG(int, num_attributes, 1,
+          "Number of attributes for the circuit (selects ZkSpec)");
+
+std::string BytesToHexString(const uint8_t* bytes, size_t len) {
+  std::stringstream ss;
+  ss << std::hex << std::setfill('0');
+  for (size_t i = 0; i < len; ++i) {
+    ss << std::setw(2) << static_cast<int>(bytes[i]);
+  }
+  return ss.str();
+}
+
+// Recompute the parameters to find the optimal fine grained block_enc.
+template <class LigeroParam>
+size_t optimize(LigeroParam &lp) {
+  size_t min_proof_size = lp.layout(lp.block_enc);
+  size_t best_block_enc = lp.block_enc;
+  for (size_t e = 100; e <= (1 << 17); e++) {
+    size_t proof_size = lp.layout(e);
+    if (proof_size < min_proof_size) {
+      min_proof_size = proof_size;
+      best_block_enc = e;
+    }
+  }
+  return best_block_enc;
+}
+
+// Decompress and parse the circuit bytes, optimize the Ligero
+// commitment parameters and print a ZkSpecStruct entry.
+void optimize_params(const uint8_t* circuit_bytes, size_t circuit_len,
+                     const std::string& circuit_id_hex,
+                     const ZkSpecStruct* zk_spec) {
+  using f_128 = proofs::GF2_128<>;
+  // Parse circuits.
+  const f_128 Fs;
+
+  size_t len = 1 << 27;
+  std::vector<uint8_t> bytes(len);
+  size_t full_size = proofs::decompress(bytes, circuit_bytes, circuit_len);
+
+  // Ensure that the circuit was decompressed correctly.
+  proofs::check(full_size > 0, "Circuit decompression failed");
+  proofs::ReadBuffer rb_circuit(bytes.data(), full_size);
+
+  proofs::CircuitRep<proofs::Fp256Base> cr_s(proofs::p256_base,
+                                             proofs::P256_ID);
+  auto c_sig = cr_s.from_bytes(rb_circuit, false);
+  proofs::check(c_sig != nullptr, "Signature circuit could not be parsed");
+
+  proofs::CircuitRep<f_128> cr_h(Fs, proofs::GF2_128_ID);
+  auto c_hash = cr_h.from_bytes(rb_circuit, false);
+  proofs::check(c_hash != nullptr, "Hash circuit could not be parsed");
+
+  proofs::LigeroParam<f_128> hp(
+      (c_hash->ninputs - c_hash->npub_in) +
+          proofs::ZkCommon<f_128>::pad_size(*c_hash),
+      c_hash->nl, kLigeroRate, kLigeroNreq);
+
+  size_t min_proof_size = hp.layout(hp.block_enc);
+  std::cout << "  hash legacy parameters: be:" << hp.block_enc
+            << " sz:" << min_proof_size << " r:" << hp.r << " w:" << hp.w
+            << " b:" << hp.block << " nr:" << hp.nrow << " nq:" << hp.nqtriples
+            << std::endl;
+  size_t best_block_enc = optimize(hp);
+  min_proof_size = hp.layout(best_block_enc);
+  std::cout << "  hash   best parameters: be:" << best_block_enc
+            << " sz:" << min_proof_size << std::endl;
+
+  proofs::LigeroParam<proofs::Fp256Base> sp(
+      (c_sig->ninputs - c_sig->npub_in) +
+          proofs::ZkCommon<proofs::Fp256Base>::pad_size(*c_sig),
+      c_sig->nl, kLigeroRate, kLigeroNreq);
+
+  min_proof_size = sp.layout(sp.block_enc);
+
+  std::cout << "   sig legacy parameters: be:" << sp.block_enc
+            << " sz:" << min_proof_size << " r:" << sp.r << " w:" << sp.w
+            << " b:" << sp.block << " nr:" << sp.nrow << " nq:" << sp.nqtriples
+            << std::endl;
+
+  size_t sig_best_block_enc = optimize(sp);
+  min_proof_size = sp.layout(sig_best_block_enc);
+
+  std::cout << "   sig   best parameters: be:" << sig_best_block_enc
+            << " sz:" << min_proof_size << std::endl;
+
+  std::cout << "{\"" << zk_spec->system << "\", \"" << circuit_id_hex << "\", "
+            << zk_spec->num_attributes << ", " << zk_spec->version << ", "
+            << best_block_enc << ", " << sig_best_block_enc << "},"
+            << std::endl;
+}
+
+// Helper to find a ZkSpecStruct matching the desired number of attributes.
+// If no exact match, returns nullptr. In a real scenario, you might pick the
+// latest or closest one, or error out.
+const ZkSpecStruct* FindZkSpecByNumAttributes(int n_attrs) {
+  for (size_t i = 0; i < kNumZkSpecs; ++i) {
+    if (static_cast<int>(kZkSpecs[i].num_attributes) == n_attrs) {
+      return &kZkSpecs[i];
+    }
+  }
+  return nullptr;  // Or handle as an error, or pick a default.
+}
+
+int main(int argc, char* argv[]) {
+  absl::ParseCommandLine(argc, argv);
+  proofs::set_log_level(proofs::ERROR);
+
+  std::string output_dir_path = absl::GetFlag(FLAGS_output_dir);
+  int n_attributes_requested = absl::GetFlag(FLAGS_num_attributes);
+  std::cout << "Output directory: " << output_dir_path << std::endl;
+  std::cout << "Requested number of attributes: " << n_attributes_requested
+            << std::endl;
+
+  // Find a ZkSpecStruct based on the number of attributes requested
+  const ZkSpecStruct* selected_zk_spec =
+      FindZkSpecByNumAttributes(n_attributes_requested);
+  if (selected_zk_spec == nullptr) {
+    std::cerr << "Error: No ZkSpec available in kZkSpecs array." << std::endl;
+    return 1;
+  }
+
+  std::cout << "Using ZkSpec: " << selected_zk_spec->system
+            << ", version: " << selected_zk_spec->version
+            << ", attributes: " << selected_zk_spec->num_attributes
+            << std::endl;
+
+  std::ifstream dir(output_dir_path, std::ios::binary);
+  if (!dir.is_open()) {
+    std::cerr << "Error: Could not open dir  " << output_dir_path << std::endl;
+    return 1;
+  }
+  dir.close();
+
+  uint8_t* circuit_bytes = nullptr;
+  size_t circuit_len = 0;
+  // Use absl mechanism to ensure that the memory is freed.
+  absl::Cleanup free_circuit_bytes = [&circuit_bytes] {
+    if (circuit_bytes) {
+      free(circuit_bytes);  // mdoc_zk.h uses C-style allocation
+    }
+  };
+
+  std::cout << "Generating circuit..." << std::endl;
+  CircuitGenerationErrorCode circuit_gen_status =
+      generate_circuit(selected_zk_spec, &circuit_bytes, &circuit_len);
+  if (circuit_gen_status != CIRCUIT_GENERATION_SUCCESS) {
+    std::cerr << "Error generating circuit. Code: " << circuit_gen_status
+              << std::endl;
+    return 1;
+  }
+  if (circuit_bytes == nullptr || circuit_len == 0) {
+    std::cerr << "Error: generate_circuit succeeded but output is empty."
+              << std::endl;
+    return 1;
+  }
+  std::cout << "Circuit generated successfully. Size: " << circuit_len
+            << " bytes." << std::endl;
+
+  // Compute circuit ID.
+  constexpr size_t kSHA256DigestSize = 32;
+  uint8_t c_id[kSHA256DigestSize];
+  std::cout << "Computing circuit ID." << std::endl;
+  if (!circuit_id(c_id, circuit_bytes, circuit_len, selected_zk_spec)) {
+    std::cerr << "Error computing circuit ID." << std::endl;
+    return 1;
+  }
+  std::string circuit_id_hex = BytesToHexString(c_id, kSHA256DigestSize);
+  std::cout << "Circuit ID (hex): " << circuit_id_hex << std::endl;
+
+  // Write circuit bytes to file.
+  namespace fs = std::filesystem;
+  std::string output_file_path = (fs::path(output_dir_path) / fs::path(circuit_id_hex)).string();
+  std::cout << "Writing circuit to: " << output_file_path << std::endl;
+  std::ofstream out_file(output_file_path, std::ios::binary | std::ios::trunc);
+  if (!out_file.is_open()) {
+    std::cerr << "Error: Could not open file for writing: " << output_file_path
+              << std::endl;
+    return 1;
+  }
+  out_file.write(reinterpret_cast<const char*>(circuit_bytes), circuit_len);
+  if (!out_file) {  // Check for write errors
+    std::cerr << "Error writing circuit to file: " << output_file_path
+              << std::endl;
+    out_file.close();
+    return 1;
+  }
+  out_file.close();
+  std::cout << "Circuit successfully written to " << output_file_path
+            << std::endl;
+
+  // Search for optimal Ligero parameters.
+  std::cout << "Optimizing Ligero parameters..." << std::endl;
+  optimize_params(circuit_bytes, circuit_len, circuit_id_hex, selected_zk_spec);
+  return 0;
+}