longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc

@@ -0,0 +1,100 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stdint.h>
+
+#include <cstring>
+
+#include "circuits/mdoc/mdoc_zk.h"
+
+extern "C" {
+// This is a hardcoded list of all the ZK specifications supported by this
+// library. Every time a new breaking change is introduced in either the circuit
+// format or its interpretation, a new version must be added here.
+// It is possible to remove old versions, if we're sure that they are not used
+// by either provers of verifiers in the wild.
+//
+// The format is:
+// {
+//   - system - The ZK system name and version ("longfellow-libzk-v*" for Google
+//   library).
+//   - circuit_hash - SHA265 hash of the output of generate_circuit() function,
+//   the circuit in compressed format. It's converted to a hex string. Every
+//   time the circuit changes, the hash must be manually calculated and a new
+//   ZKSpec added to this list.
+//   - num_attributes. number of attributes the circuit supports,
+//   - version. version of the ZK specification
+//.  - block_enc_hash. block_enc parameter for the ZK proof of the hash
+//     component. Version 3 uses the legacy-computed value, v4 uses optimized
+//     values.
+//   - block_enc_sig. block_enc parameter for the ZK proof of the signature
+//     component.
+// }
+
+const ZkSpecStruct kZkSpecs[kNumZkSpecs] = {
+    // Circuits produced 2026-01-09
+    {"longfellow-libzk-v1",
+     "8d079211715200ff06c5109639245502bfe94aa869908d31176aae4016182121", 1, 7,
+     4151, 4096},
+    {"longfellow-libzk-v1",
+     "6a5810683e62b6d7766ebd0d7ca72518a2b8325418142adcadb10d51dbbcd5ad", 2, 7,
+     4265, 4096},
+    {"longfellow-libzk-v1",
+     "8ee4849ae1293ae6fe5f9082ce3e5e15c4f198f2998c682fa1b727237d6d252f", 3, 7,
+     4307, 4096},
+    {"longfellow-libzk-v1",
+     "5aebdaaafe17296a3ef3ca6c80c6e7505e09291897c39700410a365fb278e460", 4, 7,
+     4415, 4096},
+    // Circuits produced on 2025-10-10
+    {"longfellow-libzk-v1",
+     "137e5a75ce72735a37c8a72da1a8a0a5df8d13365c2ae3d2c2bd6a0e7197c7c6", 1, 6,
+     4096, 2945},
+    {"longfellow-libzk-v1",
+     "b4bb6f01b7043f4f51d8302a30b36e3d4d2d0efc3c24557ab9212ad524a9764e", 2, 6,
+     4025, 2945},
+    {"longfellow-libzk-v1",
+     "b2211223b954b34a1081e3fbf71b8ea2de28efc888b4be510f532d6ba76c2010", 3, 6,
+     4121, 2945},
+    {"longfellow-libzk-v1",
+     "c70b5f44a1365c53847eb8948ad5b4fdc224251a2bc02d958c84c862823c49d6", 4, 6,
+     4283, 2945},
+    // Circuits produced on 2025-08-21
+    {"longfellow-libzk-v1",
+     "f88a39e561ec0be02bb3dfe38fb609ad154e98decbbe632887d850fc612fea6f", 1, 5,
+     4096, 2945},
+    {"longfellow-libzk-v1",
+     "f51b7248b364462854d306326abded169854697d752d3bb6d9a9446ff7605ddb", 2, 5,
+     4025, 2945},
+    {"longfellow-libzk-v1",
+     "c27195e03e22c9ab4efe9e1dabd2c33aa8b2429cc4e86410c6f12542d3c5e0a1", 3, 5,
+     4121, 2945},
+    {"longfellow-libzk-v1",
+     "fa5fadfb2a916d3b71144e9b412eff78f71fd6a6d4607eac10de66b195868b7a", 4, 5,
+     4283, 2945},
+
+};
+
+const ZkSpecStruct* find_zk_spec(const char* system_name,
+                                 const char* circuit_hash) {
+  for (size_t i = 0; i < kNumZkSpecs; ++i) {
+    const ZkSpecStruct& zk_spec = kZkSpecs[i];
+    if (strcmp(zk_spec.system, system_name) == 0 &&
+        strcmp(zk_spec.circuit_hash, circuit_hash) == 0) {
+      return &zk_spec;
+    }
+  }
+  return nullptr;
+}
+
+}  // extern "C"

data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc

@@ -0,0 +1,155 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <sys/types.h>
+
+#include <cstddef>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+#include <string>
+
+#include "file/base/helpers.h"
+#include "file/base/options.h"
+#include "file/base/path.h"
+#include "circuits/mdoc/mdoc_examples.h"
+#include "circuits/mdoc/mdoc_test_attributes.h"
+#include "circuits/mdoc/mdoc_zk.h"
+#include "util/crypto.h"
+#include "util/log.h"
+#include "testing/base/public/gmock.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+TEST(ZkSpecTest, FindZkSpec) {
+  const ZkSpecStruct& zk_spec = kZkSpecs[0];
+
+  const ZkSpecStruct* found_zk_spec =
+      find_zk_spec("longfellow-libzk-v1", zk_spec.circuit_hash);
+  EXPECT_NE(found_zk_spec, nullptr);
+  EXPECT_EQ(found_zk_spec->system, zk_spec.system);
+  EXPECT_EQ(found_zk_spec->circuit_hash, zk_spec.circuit_hash);
+  EXPECT_EQ(found_zk_spec->num_attributes, zk_spec.num_attributes);
+  EXPECT_EQ(found_zk_spec->version, zk_spec.version);
+}
+
+TEST(ZkSpecTest, ReturnNullptrIfNoMatchingZkSpecFound) {
+  const ZkSpecStruct* zk_spec = find_zk_spec(
+      "longfellow-libzk-v1",
+      "1234567890123456789012345678901234567890123456789012345678901234");
+  EXPECT_EQ(zk_spec, nullptr);
+}
+
+void test_circuit_hash(size_t num_attributes) {
+  // Find the latest version of the circuit for the given number of attributes.
+  const ZkSpecStruct* zk_spec = nullptr;
+  for (int i = 0; i < kNumZkSpecs; ++i) {
+    if (kZkSpecs[i].num_attributes == num_attributes) {
+      if (zk_spec == nullptr || kZkSpecs[i].version > zk_spec->version) {
+        zk_spec = &kZkSpecs[i];
+      }
+    }
+  }
+
+  uint8_t* circuit;
+  size_t circuit_len;
+  auto ret = generate_circuit(zk_spec, &circuit, &circuit_len);
+  EXPECT_EQ(ret, CIRCUIT_GENERATION_SUCCESS);
+
+  uint8_t cid[kSHA256DigestSize];
+  EXPECT_TRUE(circuit_id(cid, circuit, circuit_len, zk_spec));
+
+  char buf[kSHA256DigestSize * 2 + 1] = {};
+  hex_to_str(buf, cid, kSHA256DigestSize);
+  log(INFO, "circuit hash %d attr:: %s", num_attributes, buf);
+
+  bool found = false;
+  for (size_t k = 0; k < kNumZkSpecs; ++k) {
+    if (strcmp(kZkSpecs[k].circuit_hash, buf) == 0) {
+      found = true;
+      break;
+    }
+  }
+  // Must use free because generate_circuit is a pure C library that allocates
+  // with malloc.
+  free(circuit);
+  EXPECT_TRUE(found);
+}
+
+// These tests ensure that the current circuit hash for 1--4 attributes is
+// included in the zk_spec data structure.
+// They are defined separately so that they can run in parallel.
+// They can be run using
+//    blaze test -c opt --test_output=streamed  \
+//        //circuits/mdoc:zk_spec_test
+// in order to print out the new circuit hashes.
+TEST(ZkSpecTest, CorrectSpecFor1Attribute) { test_circuit_hash(1); }
+
+TEST(ZkSpecTest, CorrectSpecFor2Attributes) { test_circuit_hash(2); }
+
+TEST(ZkSpecTest, CorrectSpecFor3Attributes) { test_circuit_hash(3); }
+
+TEST(ZkSpecTest, CorrectSpecFor4Attributes) { test_circuit_hash(4); }
+
+void test_proof_creation_and_verification(const ZkSpecStruct& zk_spec) {
+  // Read the circuit file from circuits/hash.
+  auto cp = file::JoinPath("circuits/mdoc/circuits/",
+                           zk_spec.circuit_hash);
+  std::string circuit_bytes;
+  EXPECT_OK(file::GetContents(cp, &circuit_bytes, file::Defaults()));
+
+  const MdocTests* test = &mdoc_tests[3]; /* Sprind example w/4 attributes  */
+  RequestedAttribute claims[4] = {test::age_over_18,
+                                  test::familyname_mustermann,
+                                  test::birthdate_1971_09_01, test::height_175};
+
+  uint8_t* zkproof;
+  size_t proof_len;
+
+  {
+    log(INFO, "starting prover");
+    MdocProverErrorCode ret = run_mdoc_prover(
+        (uint8_t*)circuit_bytes.data(), circuit_bytes.size(), test->mdoc,
+        test->mdoc_size, test->pkx.as_pointer, test->pky.as_pointer,
+        test->transcript, test->transcript_size, claims, zk_spec.num_attributes,
+        (const char*)test->now, &zkproof, &proof_len, &zk_spec);
+    EXPECT_EQ(ret, MDOC_PROVER_SUCCESS);
+  }
+  {
+    log(INFO, "starting verifier");
+    MdocVerifierErrorCode ret = run_mdoc_verifier(
+        (uint8_t*)circuit_bytes.data(), circuit_bytes.size(),
+        test->pkx.as_pointer, test->pky.as_pointer, test->transcript,
+        test->transcript_size, claims, zk_spec.num_attributes,
+        (const char*)test->now, zkproof, proof_len, test->doc_type, &zk_spec);
+    EXPECT_EQ(ret, MDOC_VERIFIER_SUCCESS);
+    free(zkproof);
+  }
+}
+
+// Test proof creation and verification against all supported circuits.
+TEST(ZkSpecTest, ProofCreationAndVerification) {
+  for (size_t k = 0; k < kNumZkSpecs; ++k) {
+    const ZkSpecStruct& zk_spec = kZkSpecs[k];
+    log(INFO, "Testing circuit hash %s, %d attributes", zk_spec.circuit_hash,
+        zk_spec.num_attributes);
+    test_proof_creation_and_verification(zk_spec);
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h

@@ -0,0 +1,330 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_SHA_FLATSHA256_CIRCUIT_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_SHA_FLATSHA256_CIRCUIT_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <vector>
+
+#include "circuits/logic/bit_adder.h"
+#include "circuits/sha/sha256_constants.h"
+
+namespace proofs {
+// FlatSHA256Circuit
+//
+// Implements SHA256 hash function as an arithmetic circuit over the field F.
+// The circuit is flattened, meaning that the SHA round function has been
+// repeated in parallel instead of sequentially. As a result, the prover must
+// provide the intermediate round values as witnesses.
+//
+// This package does not have any external dependencies on a SHA256 library.
+//
+// There are two versions of this function, one with standard bit inputs, and
+// another with packed bit inputs. The later reduces the number of inputs at
+// the cost of increasing the depth and number of wires. For example, the
+// following shows the difference with pack parameter 2.
+//
+// FlatSHA256_Circuit.assert_transform_block
+//  depth: 7 wires: 38029 in: 6657 out:128 use:30897 ovh:7132 t:166468 cse:9703
+//  notn:113744
+//
+// FlatSHA256_Circuit.assert_transform_block_packed
+//  depth: 9 wires: 65735 in: 3585 out:128 use:55486 ovh:10249 t:214653
+//  cse:28135 notn:151504
+//
+//
+template <class Logic, class BitPlucker>
+class FlatSHA256Circuit {
+ public:
+  using BitW = typename Logic::BitW;
+  using v8 = typename Logic::v8;
+  using v256 = typename Logic::v256;
+  using v32 = typename Logic::v32;
+  using v64 = typename Logic::v64;
+  using EltW = typename Logic::EltW;
+  using Field = typename Logic::Field;
+  using packed_v32 = typename BitPlucker::packed_v32;
+
+  const Logic& l_;
+  BitPlucker bp_; /* public, so caller can encode input */
+
+  static packed_v32 packed_input(const Logic& lc) {
+    return BitPlucker::template packed_input<packed_v32>(lc);
+  }
+
+  struct BlockWitness {
+    packed_v32 outw[48];
+    packed_v32 oute[64];
+    packed_v32 outa[64];
+    packed_v32 h1[8];
+
+    void input(const Logic& lc) {
+      for (size_t k = 0; k < 48; ++k) {
+        outw[k] = packed_input(lc);
+      }
+      for (size_t k = 0; k < 64; ++k) {
+        oute[k] = packed_input(lc);
+        outa[k] = packed_input(lc);
+      }
+      for (size_t k = 0; k < 8; ++k) {
+        h1[k] = packed_input(lc);
+      }
+    }
+  };
+
+  explicit FlatSHA256Circuit(const Logic& l) : l_(l), bp_(l_) {}
+
+  void assert_transform_block(const v32 in[16], const v32 H0[8],
+                              const v32 outw[48], const v32 oute[64],
+                              const v32 outa[64], const v32 H1[8]) const {
+    const Logic& L = l_;  // shorthand
+    BitAdder<Logic, 32> BA(L);
+
+    std::vector<v32> w(64);
+    for (size_t i = 0; i < 16; ++i) {
+      w[i] = in[i];
+    }
+
+    for (size_t i = 16; i < 64; ++i) {
+      w[i] = outw[i - 16];
+      BA.assert_eqmod(
+          w[i],
+          BA.add({sigma1(w[i - 2]), w[i - 7], sigma0(w[i - 15]), w[i - 16]}),
+          4);
+    }
+
+    v32 a(H0[0]);
+    v32 b(H0[1]);
+    v32 c(H0[2]);
+    v32 d(H0[3]);
+    v32 e(H0[4]);
+    v32 f(H0[5]);
+    v32 g(H0[6]);
+    v32 h(H0[7]);
+
+    for (size_t t = 0; t < 64; ++t) {
+      EltW t1 = BA.add(
+          {h, Sigma1(e), L.vCh(e, f, g), L.vbit32(kSha256Round[t]), w[t]});
+      EltW sigma0 = BA.as_field_element(Sigma0(a));
+      EltW vmaj = BA.as_field_element(L.vMaj(a, b, c));
+      EltW t2 = BA.add(sigma0, vmaj);
+
+      h = g;
+      g = f;
+      f = e;
+      e = oute[t];
+      EltW ed = BA.as_field_element(d);
+      BA.assert_eqmod(e, BA.add(t1, ed), 6);
+      d = c;
+      c = b;
+      b = a;
+      a = outa[t];
+      BA.assert_eqmod(a, BA.add(t1, t2), 7);
+    }
+
+    BA.assert_eqmod(H1[0], BA.add(H0[0], a), 2);
+    BA.assert_eqmod(H1[1], BA.add(H0[1], b), 2);
+    BA.assert_eqmod(H1[2], BA.add(H0[2], c), 2);
+    BA.assert_eqmod(H1[3], BA.add(H0[3], d), 2);
+    BA.assert_eqmod(H1[4], BA.add(H0[4], e), 2);
+    BA.assert_eqmod(H1[5], BA.add(H0[5], f), 2);
+    BA.assert_eqmod(H1[6], BA.add(H0[6], g), 2);
+    BA.assert_eqmod(H1[7], BA.add(H0[7], h), 2);
+  }
+
+  // Packed API.
+  // H0 not packed, all others packed
+  void assert_transform_block(const v32 in[16], const v32 H0[8],
+                              const packed_v32 poutw[48],
+                              const packed_v32 poute[64],
+                              const packed_v32 pouta[64],
+                              const packed_v32 pH1[8]) const {
+    std::vector<v32> H1(8);
+    std::vector<v32> outw(48);
+    std::vector<v32> oute(64), outa(64);
+    for (size_t i = 0; i < 8; ++i) {
+      H1[i] = bp_.unpack_v32(pH1[i]);
+    }
+    for (size_t i = 0; i < 48; ++i) {
+      outw[i] = bp_.unpack_v32(poutw[i]);
+    }
+    for (size_t i = 0; i < 64; ++i) {
+      oute[i] = bp_.unpack_v32(poute[i]);
+      outa[i] = bp_.unpack_v32(pouta[i]);
+    }
+    assert_transform_block(in, H0, outw.data(), oute.data(), outa.data(),
+                           H1.data());
+  }
+
+  // all packed
+  void assert_transform_block(const v32 in[16], const packed_v32 pH0[8],
+                              const packed_v32 poutw[48],
+                              const packed_v32 poute[64],
+                              const packed_v32 pouta[64],
+                              const packed_v32 pH1[8]) const {
+    std::vector<v32> H0(8);
+    for (size_t i = 0; i < 8; ++i) {
+      H0[i] = bp_.unpack_v32(pH0[i]);
+    }
+    assert_transform_block(in, H0.data(), poutw, poute, pouta, pH1);
+  }
+
+  /* This method checks that the block witness corresponds to the iterated
+     computation of the sha block transform on the input.
+  */
+  void assert_message(size_t max, const v8& nb, const v8 in[/* 64*max */],
+                      const BlockWitness bw[/*max*/]) const {
+    const Logic& L = l_;  // shorthand
+    const packed_v32* H = nullptr;
+    std::vector<v32> tmp(16);
+
+    for (size_t b = 0; b < max; ++b) {
+      const v8* inb = &in[64 * b];
+      for (size_t i = 0; i < 16; ++i) {
+        // big-endian mapping of v8[4] into v32.  The first
+        // argument of vappend() is the LSB, and thus +3 is
+        // the LSB and +0 is the MSB, hence big-endian.
+        tmp[i] = L.vappend(L.vappend(inb[4 * i + 3], inb[4 * i + 2]),
+                           L.vappend(inb[4 * i + 1], inb[4 * i + 0]));
+      }
+      if (b == 0) {
+        v32 H0[8];
+        initial_context(H0);
+        assert_transform_block(tmp.data(), H0, bw[b].outw, bw[b].oute,
+                               bw[b].outa, bw[b].h1);
+      } else {
+        assert_transform_block(tmp.data(), H, bw[b].outw, bw[b].oute,
+                               bw[b].outa, bw[b].h1);
+      }
+      H = bw[b].h1;
+    }
+    assert_zero_padding(max, nb, in);
+  }
+
+  /* This method checks if H(in) == target. The method requires that in[]
+  contains exactly nb*64 bytes and has been padded according to the SHA256
+  specification.
+  */
+  void assert_message_hash(size_t max, const v8& nb, const v8 in[/* 64*max */],
+                           const v256& target,
+                           const BlockWitness bw[/*max*/]) const {
+    assert_message(max, nb, in, bw);
+    assert_hash(max, target, nb, bw);
+  }
+
+  // Verifies that the nb_th element of the block witness is equal to e.
+  // The block witness keeps track of the intermediate output of each
+  // block transform.  Therefore, this method can be used to verify that the
+  // prover knows a preimage that hashes to the desired e.
+  void assert_hash(size_t max, const v256& e, const v8& nb,
+                   const BlockWitness bw[/*max*/]) const {
+    packed_v32 x[8];
+    for (size_t b = 0; b < max; ++b) {
+      auto bt = l_.veq(nb, b + 1); /* b is zero-indexed */
+      auto ebt = l_.eval(bt);
+      for (size_t i = 0; i < 8; ++i) {
+        for (size_t k = 0; k < bp_.kNv32Elts; ++k) {
+          if (b == 0) {
+            x[i][k] = l_.mul(ebt, bw[b].h1[i][k]);
+          } else {
+            auto maybe_sha = l_.mul(ebt, bw[b].h1[i][k]);
+            x[i][k] = l_.add(x[i][k], maybe_sha);
+          }
+        }
+      }
+    }
+
+    // Unpack the hash into a v256 in reverse byte-order.
+    v256 mm;
+    for (size_t j = 0; j < 8; ++j) {
+      auto hj = bp_.unpack_v32(x[j]);
+      for (size_t k = 0; k < 32; ++k) {
+        mm[((7 - j) * 32 + k)] = hj[k];
+      }
+    }
+    l_.vassert_eq(mm, e);
+  }
+
+  // Checks that the padding bytes of the input, i.e., any bytes that are
+  // not part of the SHA blocks that contain the mdoc, are zero.
+  void assert_zero_padding(size_t max, const v8& nb,
+                           const v8 in[/*64 * max*/]) const {
+    for (size_t i = 0; i < max; ++i) {
+      auto wantzero = l_.vleq(nb, i);  // If nb <= i, block should be 0.
+      for (size_t j = 0; j < 64; ++j) {
+        size_t ind = i * 64 + j;
+        auto zero = l_.veq(in[ind], 0);
+        l_.assert_implies(wantzero, zero);
+      }
+    }
+  }
+
+  // This function extracts the length of the message in bytes from the SHA
+  // block that is verified and also performs other sanity checks on the length.
+  // The length in bits is stored in the last 8 bytes of the nb_th SHA block.
+  v64 find_len(size_t max, const v8 in[/*64*max*/], const v8& nb) const {
+    v64 len = l_.template vbit<64>(0);
+    for (size_t i = 0; i < max; ++i) {
+      auto isblk = l_.veq(nb, i + 1);  // If nb == i, i is zero-indexed.
+      size_t ind = i * 64 + 63;
+      for (size_t j = 0; j < 64; ++j) { /* this loop is over bits */
+        len[j] =
+            l_.lor_exclusive(len[j], l_.land(isblk, in[ind - j / 8][j % 8]));
+      }
+    }
+    l_.vassert_is_bit(len);
+    return len;
+  }
+
+ private:
+  void initial_context(v32 H[8]) const {
+    static const uint64_t initial[8] = {0x6a09e667u, 0xbb67ae85u, 0x3c6ef372u,
+                                        0xa54ff53au, 0x510e527fu, 0x9b05688cu,
+                                        0x1f83d9abu, 0x5be0cd19u};
+    for (size_t i = 0; i < 8; i++) {
+      H[i] = l_.template vbit<32>(initial[i]);
+    }
+  }
+
+  v32 Sigma0(const v32& x) const {
+    auto x2 = l_.vrotr(x, 2);
+    auto x13 = l_.vrotr(x, 13);
+    return l_.vxor3(x2, x13, l_.vrotr(x, 22));
+  }
+
+  v32 Sigma1(const v32& x) const {
+    auto x6 = l_.vrotr(x, 6);
+    auto x11 = l_.vrotr(x, 11);
+    return l_.vxor3(x6, x11, l_.vrotr(x, 25));
+  }
+
+  v32 sigma0(const v32& x) const {
+    auto x7 = l_.vrotr(x, 7);
+    auto x18 = l_.vrotr(x, 18);
+    return l_.vxor3(x7, x18, l_.vshr(x, 3));
+  }
+
+  v32 sigma1(const v32& x) const {
+    auto x17 = l_.vrotr(x, 17);
+    auto x19 = l_.vrotr(x, 19);
+    return l_.vxor3(x17, x19, l_.vshr(x, 10));
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_SHA_FLATSHA256_CIRCUIT_H_