longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h

@@ -0,0 +1,143 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MDOC_MDOC_SIGNATURE_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MDOC_MDOC_SIGNATURE_H_
+
+#include <cstddef>
+
+#include "circuits/ecdsa/verify_circuit.h"
+#include "circuits/logic/bit_plucker.h"
+#include "circuits/mac/mac_circuit.h"
+
+namespace proofs {
+
+// This class creates a circuit to verify the signatures in an MDOC.
+// There are 2 signatures:
+//    1. A signature on the MSO by the issuer of the MDOC: The public
+//       key of the issuer is given as input for now. Later, it can be
+//       one among a list of issuers.  While the signer is public, the
+//       message is private, and thus its hash is committed in the witness.
+//    2. A signature on the transcript provided during a "Show" operation:
+//       the signature is under a device public key that is specified in the
+//       MSO.  Thus, the signing key is private (and committed), but the
+//       message is public.
+template <class LogicCircuit, class Field, class EC>
+class MdocSignature {
+  using EltW = typename LogicCircuit::EltW;
+  using Elt = typename LogicCircuit::Elt;
+  using Nat = typename Field::N;
+  using v128 = typename LogicCircuit::v128;
+  using v256 = typename LogicCircuit::v256;
+  using Ecdsa = VerifyCircuit<LogicCircuit, Field, EC>;
+  using EcdsaWitness = typename Ecdsa::Witness;
+  using MacBitPlucker = BitPlucker<LogicCircuit, kMACPluckerBits>;
+  using packed_v256 = typename MacBitPlucker::packed_v256;
+  using mac = MAC<LogicCircuit, MacBitPlucker>;
+  using MACWitness = typename mac::Witness;
+
+  const LogicCircuit& lc_;
+  const EC& ec_;
+  const Nat& order_;
+
+ public:
+  class Witness {
+   public:
+    EltW e_;
+    EltW dpkx_, dpky_;
+
+    EcdsaWitness mdoc_sig_;
+    EcdsaWitness dpk_sig_;
+    MACWitness macs_[3];
+
+    void input(const LogicCircuit& lc) {
+      e_ = lc.eltw_input();
+      dpkx_ = lc.eltw_input();
+      dpky_ = lc.eltw_input();
+
+      mdoc_sig_.input(lc);
+      dpk_sig_.input(lc);
+      for (size_t i = 0; i < 3; ++i) {
+        macs_[i].input(lc);
+      }
+    }
+  };
+
+  explicit MdocSignature(const LogicCircuit& lc, const EC& ec, const Nat& order)
+      : lc_(lc), ec_(ec), order_(order) {}
+
+  // This function is used to verify the signatures in an MDOC.
+  // The circuit verifies the following claims:
+  //    1. There exists a hash digest e and a signature (r,s) on e
+  //       under the public key (pkX, pkY).
+  //    2. The MAC of e under the secret mac key (a_v+a_pe) is mac_e.
+  //    3. There exists a device public key (dpkX, dpky) and a signature (r,s)
+  //       on the value hash_tr.
+  //    4. The MAC of the device public key (dpkX, dpky) under the secret MAC
+  //       key (a_v + apdk) is mac_dkpX and mac_dpkY respectively.
+  void assert_signatures(EltW pkX, EltW pkY, EltW hash_tr, v128 mac_e[2],
+                         v128 mac_dpkX[2], v128 mac_dpkY[2], const v128& a_v,
+                         Witness& vw) const {
+    Ecdsa ecc(lc_, ec_, order_);
+    mac macc(lc_);
+
+    ecc.verify_signature3(pkX, pkY, vw.e_, vw.mdoc_sig_);
+    ecc.verify_signature3(vw.dpkx_, vw.dpky_, hash_tr, vw.dpk_sig_);
+
+    macc.verify_mac(vw.e_, mac_e, a_v, vw.macs_[0], order_);
+    macc.verify_mac(vw.dpkx_, mac_dpkX, a_v, vw.macs_[1], order_);
+    macc.verify_mac(vw.dpky_, mac_dpkY, a_v, vw.macs_[2], order_);
+  }
+
+  // This function is similar to assert_signatures, but it also hides the
+  // public key of the issuer. Instead, it verifies that the issuer's public
+  // key belongs in a list of 50 public keys that are supplied as input. The
+  // issuer pk lists are assumed to be trusted inputs, i.e., it is the
+  // caller's responsibility to ensure that (issuer_pkX[i], issuer_pkY[i]) is
+  // a valid curve point for i=0..49.  The caller is also responsible for
+  // ensuring that issuer_pkY[i] != -issuer_pkY[j] for i != j.
+  // However, it is OK for the caller to repeat the same key in the list.
+  void assert_signatures_with_issuer_list(
+      EltW hash_tr, v128 mac_e[2], v128 mac_dpkX[2], v128 mac_dpkY[2],
+      const v128& a_v, EltW issuer_pkX[/*max_issuers*/],
+      EltW issuer_pkY[/*max_issuers*/], size_t max_issuers,
+      // private inputs begin here
+      EltW pkX, EltW pkY, Witness& vw) const {
+    assert_signatures(pkX, pkY, hash_tr, mac_e, mac_dpkX, mac_dpkY, a_v, vw);
+
+    // Verify that the issuer's public key is one of the 50 keys in the list.
+    // This is done by computing the difference between pkX and issuer_pkX[i]
+    // for i=0..49, and asserting that the product of the differences is zero.
+    //
+    // We argue that it suffices to verify that pkX is on the list and pkY is
+    // on the list independently.  Suppose a malicious prover sets pkX to be
+    // equal to the j-th key in issuer_pkX and sets pkY to be the k-th key in
+    // issuer_pkY, where j != k.   If (pkX, pkY) is not a curve point, then the
+    // assert_signatures() routine will fail.  However, for each X on the curve,
+    // there are only 2 possible Y values, namely, +-Y. By the constraints
+    // imposed on issuer_pkY, we know that issuer_pkY[j] is on the curve, and
+    // that -issuer_pkY[j] does not occur in the issuer_pkY list.  Thus, it is
+    // not possible for a witness to pass all checks and for k != j.
+    EltW goodXKey = lc_.mul(
+        0, max_issuers, [&](size_t i) { return lc_.sub(issuer_pkX[i], pkX); });
+    lc_.assert0(goodXKey);
+
+    EltW goodYKey = lc_.mul(
+        0, max_issuers, [&](size_t i) { return lc_.sub(issuer_pkY[i], pkY); });
+    lc_.assert0(goodYKey);
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_MDOC_MDOC_SIGNATURE_H_

data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc

@@ -0,0 +1,444 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/mdoc/mdoc_signature.h"
+
+#include <stdint.h>
+
+#include <cstddef>
+#include <memory>
+#include <vector>
+
+#include "algebra/fp_p128.h"
+#include "arrays/dense.h"
+#include "circuits/compiler/circuit_dump.h"
+#include "circuits/compiler/compiler.h"
+#include "circuits/logic/compiler_backend.h"
+#include "circuits/logic/logic.h"
+#include "circuits/mac/mac_reference.h"
+#include "circuits/mdoc/mdoc_examples.h"
+#include "circuits/mdoc/mdoc_hash.h"
+#include "circuits/mdoc/mdoc_test_attributes.h"
+#include "circuits/mdoc/mdoc_witness.h"
+#include "circuits/mdoc/mdoc_zk.h"
+#include "ec/p256.h"
+#include "gf2k/gf2_128.h"
+#include "random/secure_random_engine.h"
+#include "sumcheck/circuit.h"
+#include "util/log.h"
+#include "util/panic.h"
+#include "zk/zk_testing.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+/*
+For Mdoc, we only need to be testing on P256, so we can
+declare these types globally.
+*/
+
+// For now, mac is chosen here.
+using gf2k = GF2_128<>::Elt;
+
+TEST(mdoc, mdoc_signature_test) {
+  using MdocSw = MdocSignatureWitness<P256, Fp256Scalar>;
+  using Elt = Fp256Base::Elt;
+
+  set_log_level(INFO);
+
+  std::unique_ptr<Circuit<Fp256Base>> CIRCUIT;
+
+  // ======== compile time =========================
+  {
+    using CompilerBackend = CompilerBackend<Fp256Base>;
+    using LogicCircuit = Logic<Fp256Base, CompilerBackend>;
+    using EltW = LogicCircuit::EltW;
+    using v128 = LogicCircuit::v128;
+    using MdocSig = MdocSignature<LogicCircuit, Fp256Base, P256>;
+    QuadCircuit<Fp256Base> Q(p256_base);
+    const CompilerBackend cbk(&Q);
+    const LogicCircuit LC(&cbk, p256_base);
+
+    MdocSig mdoc_sig(LC, p256, n256_order);
+
+    EltW pkX = LC.eltw_input(), pkY = LC.eltw_input(), htr = LC.eltw_input();
+    v128 emac[2] = {LC.vinput<128>(), LC.vinput<128>()};
+    v128 xmac[2] = {LC.vinput<128>(), LC.vinput<128>()};
+    v128 ymac[2] = {LC.vinput<128>(), LC.vinput<128>()};
+
+    v128 a_v = LC.vinput<128>();
+    Q.private_input();
+
+    MdocSig::Witness vwc;
+    vwc.input(LC);
+
+    mdoc_sig.assert_signatures(pkX, pkY, htr, emac, xmac, ymac, a_v, vwc);
+
+    CIRCUIT = Q.mkcircuit(/*nc=*/1);
+    dump_info("mdoc signature", Q);
+    log(INFO, "Compile done");
+  }
+
+  // ======== Witness
+  // Generate a witness from the mdoc data structure to remain close
+  // to the application use case.
+  GF2_128<> gf;
+  gf2k ap[6], mac[6];
+  gf2k av = gf.of_scalar_field(2983471870111);
+  Elt pkX, pkY;
+  MdocSw sw(p256, p256_scalar, gf);
+
+  {
+    constexpr size_t t_ind = 2;
+    const uint8_t* mdoc = mdoc_tests[t_ind].mdoc;
+    pkX = p256_base.of_string(mdoc_tests[t_ind].pkx);
+    pkY = p256_base.of_string(mdoc_tests[t_ind].pky);
+    MdocProverErrorCode ok = sw.compute_witness(
+        pkX, pkY, mdoc, mdoc_tests[t_ind].mdoc_size,
+        mdoc_tests[t_ind].transcript, mdoc_tests[t_ind].transcript_size);
+
+    check(ok == MDOC_PROVER_SUCCESS, "Could not compute signature witness");
+
+    MACReference<GF2_128<>> mac_ref;
+
+    // Should be chosen by prover and added to commitment.
+    SecureRandomEngine rng;
+    mac_ref.sample(ap, 6, &rng);
+
+    // This value is chosen after the prover commits.
+    uint8_t buf[Fp256Base::kBytes];
+
+    Elt tt[3] = {sw.e_, sw.dpkx_, sw.dpky_};
+    for (size_t i = 0; i < 3; ++i) {
+      p256_base.to_bytes_field(buf, tt[i]);
+      sw.macs_[i].compute_witness(&ap[2 * i], buf);
+      mac_ref.compute(&mac[2 * i], av, &ap[2 * i], buf);
+    }
+
+    log(INFO, "Witness done");
+  }
+
+  // ========= Fill witness
+  auto W = Dense<Fp256Base>(1, CIRCUIT->ninputs);
+  auto pub = Dense<Fp256Base>(1, CIRCUIT->npub_in);
+  DenseFiller<Fp256Base> filler(W);
+  DenseFiller<Fp256Base> pub_filler(pub);
+
+  filler.push_back(p256_base.one());
+  pub_filler.push_back(p256_base.one());
+  filler.push_back(pkX);
+  pub_filler.push_back(pkX);
+  filler.push_back(pkY);
+  pub_filler.push_back(pkY);
+  filler.push_back(sw.e2_);
+  pub_filler.push_back(sw.e2_);
+
+  for (size_t i = 0; i < 6; ++i) {
+    fill_gf2k<GF2_128<>, Fp256Base>(mac[i], filler, p256_base);
+    fill_gf2k<GF2_128<>, Fp256Base>(mac[i], pub_filler, p256_base);
+  }
+
+  fill_gf2k<GF2_128<>, Fp256Base>(av, filler, p256_base);
+  fill_gf2k<GF2_128<>, Fp256Base>(av, pub_filler, p256_base);
+
+  sw.fill_witness(filler);
+  log(INFO, "Fill done");
+
+  // =========== ZK test
+  run2_test_zk(
+      *CIRCUIT, W, pub, p256_base,
+      p256_base.of_string("1126492241464102818735004576096902583730188404304894"
+                          "08729223714171582664680802"), /* omega_x*/
+      p256_base.of_string("8408799435854090769574046142781866056018216899718237"
+                          "8749313018254450460212908"), /* omega_y */
+      1ull << 31);
+}
+
+TEST(mdoc, mdoc_issuer_list_valid) {
+  using Elt = Fp256Base::Elt;
+  // Verify the two constraints on issuer lists.
+
+  size_t sz = sizeof(kIssuerPKY) / sizeof(char*);
+  std::vector<Elt> pkY(sz);
+  for (size_t i = 0; i < sz; ++i) {
+    Elt pkX = p256_base.of_string(kIssuerPKX[i]);
+    pkY[i] = p256_base.of_string(kIssuerPKY[i]);
+    EXPECT_TRUE(p256.is_on_curve(pkX, pkY[i]));
+  }
+
+  // n^2 test ok for small n.
+  for (size_t i = 0; i < sz; ++i) {
+    for (size_t j = i + 1; j < sz; ++j) {
+      EXPECT_FALSE(pkY[i] == p256_base.negf(pkY[j]));
+    }
+  }
+}
+
+TEST(mdoc, mdoc_signature_test_with_issuer_list) {
+  using MdocSw = MdocSignatureWitness<P256, Fp256Scalar>;
+  using Elt = Fp256Base::Elt;
+
+  constexpr size_t MAX_ISSUERS = 50;
+  set_log_level(INFO);
+
+  std::unique_ptr<Circuit<Fp256Base>> CIRCUIT;
+
+  // ======== compile time =========================
+  {
+    using CompilerBackend = CompilerBackend<Fp256Base>;
+    using LogicCircuit = Logic<Fp256Base, CompilerBackend>;
+    using EltW = LogicCircuit::EltW;
+    using v128 = LogicCircuit::v128;
+    using MdocSig = MdocSignature<LogicCircuit, Fp256Base, P256>;
+    QuadCircuit<Fp256Base> Q(p256_base);
+    const CompilerBackend cbk(&Q);
+    const LogicCircuit LC(&cbk, p256_base);
+
+    MdocSig mdoc_sig(LC, p256, n256_order);
+
+    // public inputs
+    EltW htr = LC.eltw_input();
+    v128 emac[2] = {LC.vinput<128>(), LC.vinput<128>()};
+    v128 xmac[2] = {LC.vinput<128>(), LC.vinput<128>()};
+    v128 ymac[2] = {LC.vinput<128>(), LC.vinput<128>()};
+
+    v128 a_v = LC.vinput<128>();
+    EltW xlist[MAX_ISSUERS], ylist[MAX_ISSUERS];
+    for (size_t i = 0; i < MAX_ISSUERS; ++i) {
+      xlist[i] = LC.eltw_input();
+    }
+    for (size_t i = 0; i < MAX_ISSUERS; ++i) {
+      ylist[i] = LC.eltw_input();
+    }
+
+    Q.private_input();
+    EltW pkX = LC.eltw_input(), pkY = LC.eltw_input();
+    MdocSig::Witness vwc;
+    vwc.input(LC);
+
+    mdoc_sig.assert_signatures_with_issuer_list(
+        htr, emac, xmac, ymac, a_v, xlist, ylist, MAX_ISSUERS, pkX, pkY, vwc);
+
+    CIRCUIT = Q.mkcircuit(/*nc=*/1);
+    dump_info("mdoc signature_with_issuer", Q);
+    log(INFO, "Compile done");
+  }
+
+  // ======== Witness
+  // Generate a witness from the mdoc data structure to remain close
+  // to the application use case.
+  GF2_128<> gf;
+  gf2k ap[6], mac[6];
+  gf2k av = gf.of_scalar_field(2983471870111);
+  Elt pkX, pkY;
+  Elt issuerX[MAX_ISSUERS], issuerY[MAX_ISSUERS];
+  MdocSw sw(p256, p256_scalar, gf);
+
+  {
+    constexpr size_t t_ind = 2;
+    const uint8_t* mdoc = mdoc_tests[t_ind].mdoc;
+    pkX = p256_base.of_string(mdoc_tests[t_ind].pkx);
+    pkY = p256_base.of_string(mdoc_tests[t_ind].pky);
+    MdocProverErrorCode ok = sw.compute_witness(
+        pkX, pkY, mdoc, mdoc_tests[t_ind].mdoc_size,
+        mdoc_tests[t_ind].transcript, mdoc_tests[t_ind].transcript_size);
+
+    check(ok == MDOC_PROVER_SUCCESS, "Could not compute signature witness");
+
+    MACReference<GF2_128<>> mac_ref;
+
+    // Should be chosen by prover and added to commitment.
+    SecureRandomEngine rng;
+    mac_ref.sample(ap, 6, &rng);
+
+    // This value is chosen after the prover commits.
+    uint8_t buf[Fp256Base::kBytes];
+
+    Elt tt[3] = {sw.e_, sw.dpkx_, sw.dpky_};
+    for (size_t i = 0; i < 3; ++i) {
+      p256_base.to_bytes_field(buf, tt[i]);
+      sw.macs_[i].compute_witness(&ap[2 * i], buf);
+      mac_ref.compute(&mac[2 * i], av, &ap[2 * i], buf);
+    }
+
+    // It is OK to repeat the issuers.
+    size_t numIssuer = sizeof(kIssuerPKX) / sizeof(char*);
+    for (size_t i = 0; i < MAX_ISSUERS; ++i) {
+      issuerX[i] = p256_base.of_string(kIssuerPKX[i % numIssuer]);
+      issuerY[i] = p256_base.of_string(kIssuerPKY[i % numIssuer]);
+    }
+
+    log(INFO, "Witness created");
+  }
+
+  // ========= Fill witness
+  auto W = Dense<Fp256Base>(1, CIRCUIT->ninputs);
+  auto pub = Dense<Fp256Base>(1, CIRCUIT->npub_in);
+  DenseFiller<Fp256Base> filler(W);
+  DenseFiller<Fp256Base> pub_filler(pub);
+
+  filler.push_back(p256_base.one());
+  pub_filler.push_back(p256_base.one());
+  filler.push_back(sw.e2_);
+  pub_filler.push_back(sw.e2_);
+
+  for (size_t i = 0; i < 6; ++i) {
+    fill_gf2k<GF2_128<>, Fp256Base>(mac[i], filler, p256_base);
+    fill_gf2k<GF2_128<>, Fp256Base>(mac[i], pub_filler, p256_base);
+  }
+
+  fill_gf2k<GF2_128<>, Fp256Base>(av, filler, p256_base);
+  fill_gf2k<GF2_128<>, Fp256Base>(av, pub_filler, p256_base);
+
+  for (size_t i = 0; i < MAX_ISSUERS; ++i) {
+    filler.push_back(issuerX[i]);
+    pub_filler.push_back(issuerX[i]);
+  }
+  for (size_t i = 0; i < MAX_ISSUERS; ++i) {
+    filler.push_back(issuerY[i]);
+    pub_filler.push_back(issuerY[i]);
+  }
+
+  filler.push_back(pkX);
+  filler.push_back(pkY);
+  sw.fill_witness(filler);
+  log(INFO, "Fill done");
+
+  // =========== ZK test
+  run2_test_zk(
+      *CIRCUIT, W, pub, p256_base,
+      p256_base.of_string("1126492241464102818735004576096902583730188404304894"
+                          "08729223714171582664680802"), /* omega_x*/
+      p256_base.of_string("8408799435854090769574046142781866056018216899718237"
+                          "8749313018254450460212908"), /* omega_y */
+      1ull << 31);
+}
+
+template <class Field>
+void mdoc_hash_run(const typename Field::Elt& omega, uint64_t omega_order,
+                   const Field& F, std::vector<RequestedAttribute> attrs) {
+  using MdocHw = MdocHashWitness<P256, Field>;
+
+  set_log_level(INFO);
+
+  std::unique_ptr<Circuit<Field>> CIRCUIT;
+
+  // ======== compile time =========================
+  {
+    using CompilerBackend = CompilerBackend<Field>;
+    using LogicCircuit = Logic<Field, CompilerBackend>;
+    using v8 = typename LogicCircuit::v8;
+    using v256 = typename LogicCircuit::v256;
+    using MdocHash = MdocHash<LogicCircuit, Field>;
+    QuadCircuit<Field> Q(F);
+    const CompilerBackend cbk(&Q);
+    const LogicCircuit LC(&cbk, F);
+
+    std::vector<typename MdocHash::OpenedAttribute> oa(attrs.size());
+    MdocHash mdoc_hash(LC);
+    for (size_t ai = 0; ai < attrs.size(); ++ai) {
+      oa[ai].input(LC);
+    }
+
+    v8 now[20];
+    for (size_t i = 0; i < 20; ++i) {
+      now[i] = LC.template vinput<8>();
+    }
+
+    Q.private_input();
+    v256 e = LC.template vinput<256>();
+    v256 dpkx = LC.template vinput<256>();
+    v256 dpky = LC.template vinput<256>();
+
+    typename MdocHash::Witness vwc(attrs.size());
+    vwc.input(LC);
+
+    mdoc_hash.assert_valid_hash_mdoc(oa.data(), now, e, dpkx, dpky, vwc);
+
+    CIRCUIT = Q.mkcircuit(/*nc=*/1);
+    dump_info("mdoc hash and parse", Q);
+    log(INFO, "Compile done");
+  }
+
+  // ======== Witness: use the large Canonical Playground example
+  MdocHw hw(attrs.size(), p256, F);
+  constexpr size_t t_ind = 3;
+  const uint8_t* mdoc = mdoc_tests[t_ind].mdoc;
+
+  MdocProverErrorCode ok = hw.compute_witness(
+      mdoc, mdoc_tests[t_ind].mdoc_size, mdoc_tests[t_ind].transcript,
+      mdoc_tests[t_ind].transcript_size, attrs.data(), attrs.size(),
+      7 /* version */);
+
+  check(ok == MDOC_PROVER_SUCCESS, "Could not compute hash witness");
+
+  log(INFO, "Witness done");
+
+  // ========= Fill witness
+  auto W = Dense<Field>(1, CIRCUIT->ninputs);
+  auto pub = Dense<Field>(1, CIRCUIT->npub_in);
+  DenseFiller<Field> filler(W);
+  DenseFiller<Field> pub_filler(pub);
+  filler.push_back(F.one());
+  pub_filler.push_back(F.one());
+
+  for (size_t ai = 0; ai < attrs.size(); ++ai) {
+    fill_attribute(filler, attrs[ai], F, 7 /* version */);
+    fill_attribute(pub_filler, attrs[ai], F, 7 /* version */);
+  }
+  fill_bit_string(filler, mdoc_tests[t_ind].now, 20, 20, F);
+  fill_bit_string(pub_filler, mdoc_tests[t_ind].now, 20, 20, F);
+
+  // Private inputs
+  uint8_t buf[Fp256Base::kBytes];
+  Fp256Base::Elt tt[3] = {hw.e_, hw.dpkx_, hw.dpky_};
+  for (size_t i = 0; i < 3; ++i) {
+    p256_base.to_bytes_field(buf, tt[i]);
+    fill_bit_string(filler, buf, 32, 32, F);
+  }
+
+  hw.fill_witness(filler, 7);
+
+  log(INFO, "Fill done");
+
+  // =========== ZK prover
+
+  run_test_zk<Field>(*CIRCUIT, W, pub, omega, omega_order, F);
+}
+
+TEST(mdoc, mdoc_hash_test_fp128) {
+  std::vector<RequestedAttribute> oa;
+  oa.push_back(test::age_over_18);
+
+  static const Fp128<> Fg;
+  mdoc_hash_run<Fp128<>>(
+      Fg.of_string("164956748514267535023998284330560247862"), 1ull << 32, Fg,
+      oa);
+}
+
+TEST(mdoc, mdoc_hash_test_fp128_2) {
+  std::vector<RequestedAttribute> oa;
+  oa.push_back(test::age_over_18);
+
+  oa.push_back(test::familyname_mustermann);
+  oa.shrink_to_fit();
+
+  static const Fp128<> Fg;
+  mdoc_hash_run<Fp128<>>(
+      Fg.of_string("164956748514267535023998284330560247862"), 1ull << 32, Fg,
+      oa);
+}
+
+}  // namespace
+}  // namespace proofs