longfellow 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CODE_OF_CONDUCT.md +10 -0
- data/LICENSE.txt +21 -0
- data/README.md +152 -0
- data/ext/longfellow/CMakeLists.txt +76 -0
- data/ext/longfellow/extconf.rb +77 -0
- data/lib/longfellow/attribute.rb +65 -0
- data/lib/longfellow/c.rb +105 -0
- data/lib/longfellow/errors.rb +78 -0
- data/lib/longfellow/version.rb +5 -0
- data/lib/longfellow/zk_spec.rb +40 -0
- data/lib/longfellow.rb +162 -0
- data/sig/longfellow.rbs +74 -0
- data/vendor/longfellow-zk/LICENSE +203 -0
- data/vendor/longfellow-zk/lib/algebra/blas.h +121 -0
- data/vendor/longfellow-zk/lib/algebra/bogorng.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/compare.h +40 -0
- data/vendor/longfellow-zk/lib/algebra/convolution.h +219 -0
- data/vendor/longfellow-zk/lib/algebra/crt.cc +42 -0
- data/vendor/longfellow-zk/lib/algebra/crt.h +299 -0
- data/vendor/longfellow-zk/lib/algebra/crt_convolution.h +114 -0
- data/vendor/longfellow-zk/lib/algebra/crt_test.cc +371 -0
- data/vendor/longfellow-zk/lib/algebra/fft.h +104 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation.h +304 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation_test.cc +168 -0
- data/vendor/longfellow-zk/lib/algebra/fft_test.cc +257 -0
- data/vendor/longfellow-zk/lib/algebra/fp.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/fp2.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/fp24.h +342 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6.h +305 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6_test.cc +197 -0
- data/vendor/longfellow-zk/lib/algebra/fp2_test.cc +280 -0
- data/vendor/longfellow-zk/lib/algebra/fp_generic.h +533 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p128.h +91 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256k1.h +123 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p384.h +65 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p521.h +62 -0
- data/vendor/longfellow-zk/lib/algebra/fp_test.cc +522 -0
- data/vendor/longfellow-zk/lib/algebra/hash.h +39 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation.h +117 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc +74 -0
- data/vendor/longfellow-zk/lib/algebra/limb.h +153 -0
- data/vendor/longfellow-zk/lib/algebra/limb_test.cc +75 -0
- data/vendor/longfellow-zk/lib/algebra/nat.cc +32 -0
- data/vendor/longfellow-zk/lib/algebra/nat.h +212 -0
- data/vendor/longfellow-zk/lib/algebra/nat_test.cc +183 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc +138 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc +139 -0
- data/vendor/longfellow-zk/lib/algebra/permutations.h +79 -0
- data/vendor/longfellow-zk/lib/algebra/poly.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/poly_test.cc +123 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon.h +150 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h +108 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc +76 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_test.cc +473 -0
- data/vendor/longfellow-zk/lib/algebra/rfft.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/rfft_test.cc +102 -0
- data/vendor/longfellow-zk/lib/algebra/static_string.h +29 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep.h +495 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep_test.cc +41 -0
- data/vendor/longfellow-zk/lib/algebra/twiddle.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/utility.h +86 -0
- data/vendor/longfellow-zk/lib/algebra/utility_test.cc +86 -0
- data/vendor/longfellow-zk/lib/arrays/affine.h +56 -0
- data/vendor/longfellow-zk/lib/arrays/affine_test.cc +220 -0
- data/vendor/longfellow-zk/lib/arrays/dense.h +210 -0
- data/vendor/longfellow-zk/lib/arrays/eq.h +75 -0
- data/vendor/longfellow-zk/lib/arrays/eqs.h +137 -0
- data/vendor/longfellow-zk/lib/arrays/eqs_test.cc +151 -0
- data/vendor/longfellow-zk/lib/arrays/sparse.h +192 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder.h +323 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder_test.cc +541 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor.h +594 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck.h +110 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck_test.cc +55 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_test.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_testing.h +98 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_witness.h +312 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso2_test.cc +662 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso_test.cc +485 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan.h +104 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan_test.cc +137 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor.h +640 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_testing.h +99 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_witness.h +319 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/lexer_test.cc +120 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/mdoc_examples_test.cc +89 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_circuit_test.cc +506 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_size_test.cc +79 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_test.cc +473 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/canonicalization_test.cc +185 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/circuit_dump.h +65 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler.h +471 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler_test.cc +110 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/node.h +176 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/pdqhash.h +127 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/schedule.h +435 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h +371 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc +246 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_test.cc +587 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h +201 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h +247 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h +35 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc +183 -0
- data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc +102 -0
- data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic.h +1232 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_circuit_test.cc +310 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_test.cc +521 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp.h +68 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp_test.cc +148 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing.h +445 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing_test.cc +241 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary.h +55 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h +77 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h +37 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc +53 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc +69 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h +193 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc +223 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc +242 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_ids.h +311 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_circuit_id.cc +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_constants.h +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.cc +41 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_examples.h +5232 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_generate_circuit.cc +199 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_hash.h +554 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h +143 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc +444 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_test_attributes.h +157 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_witness.h +863 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.cc +693 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.h +216 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk_test.cc +724 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc +100 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc +155 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h +330 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit_test.cc +607 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_io.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.cc +163 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.h +47 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.cc +34 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_test_values.h +389 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/ptrcred.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small.h +218 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_examples.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_io.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_test.cc +208 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_witness.h +130 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode.h +508 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_circuit_test.cc +95 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_test.cc +119 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.cc +47 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit.h +231 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit_test.cc +428 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_witness.h +102 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt.h +190 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_constants.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_test.cc +559 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_witness.h +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f.h +411 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_io.h +32 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_test.cc +364 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_witness.h +278 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation.h +146 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_constants.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_test.cc +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_witness.h +136 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr.h +250 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_test.cc +333 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_witness.h +152 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44.h +903 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_circuit_test.cc +274 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_eval_test.cc +440 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.cc +8851 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.h +93 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.cc +24 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h +453 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc +49 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc +458 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test.cc +398 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors.inc +3618 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_pkdecode.inc +689 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_sigdecode.inc +1501 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/sigdecode_test_vectors.inc +540 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit.h +394 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit_test.cc +577 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_constants.h +90 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h +351 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit_test.cc +466 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.cc +207 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h +59 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc +153 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc +39 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h +31 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc +83 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/shake_test_vectors.h +477 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve.h +596 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve_test.cc +548 -0
- data/vendor/longfellow-zk/lib/ec/p256.cc +36 -0
- data/vendor/longfellow-zk/lib/ec/p256.h +60 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.cc +34 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.h +60 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128.h +503 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_bench.cc +48 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_test.cc +416 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2poly.h +74 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14.h +242 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc +75 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h +127 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc +110 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_test.cc +246 -0
- data/vendor/longfellow-zk/lib/gf2k/sysdep.h +329 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_param.h +449 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_prover.h +354 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_test.cc +136 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_transcript.h +67 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h +272 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h +104 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree.h +216 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree_test.cc +240 -0
- data/vendor/longfellow-zk/lib/proto/circuit.h +354 -0
- data/vendor/longfellow-zk/lib/proto/circuit_test.cc +202 -0
- data/vendor/longfellow-zk/lib/random/random.h +119 -0
- data/vendor/longfellow-zk/lib/random/random_test.cc +189 -0
- data/vendor/longfellow-zk/lib/random/secure_random_engine.h +37 -0
- data/vendor/longfellow-zk/lib/random/transcript.h +193 -0
- data/vendor/longfellow-zk/lib/random/transcript_test.cc +344 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit.h +148 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h +71 -0
- data/vendor/longfellow-zk/lib/sumcheck/equad.h +126 -0
- data/vendor/longfellow-zk/lib/sumcheck/hquad.h +115 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover.h +59 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover_layers.h +362 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad.h +227 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h +211 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc +169 -0
- data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc +324 -0
- data/vendor/longfellow-zk/lib/sumcheck/testing.h +69 -0
- data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h +85 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier.h +84 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h +221 -0
- data/vendor/longfellow-zk/lib/testing/test_main.cc +50 -0
- data/vendor/longfellow-zk/lib/util/ceildiv.h +164 -0
- data/vendor/longfellow-zk/lib/util/ceildiv_test.cc +152 -0
- data/vendor/longfellow-zk/lib/util/crc64.h +45 -0
- data/vendor/longfellow-zk/lib/util/crypto.cc +39 -0
- data/vendor/longfellow-zk/lib/util/crypto.h +108 -0
- data/vendor/longfellow-zk/lib/util/log.cc +110 -0
- data/vendor/longfellow-zk/lib/util/log.h +33 -0
- data/vendor/longfellow-zk/lib/util/panic.h +40 -0
- data/vendor/longfellow-zk/lib/util/readbuffer.h +67 -0
- data/vendor/longfellow-zk/lib/util/serialization.h +54 -0
- data/vendor/longfellow-zk/lib/zk/zk_common.h +455 -0
- data/vendor/longfellow-zk/lib/zk/zk_proof.h +378 -0
- data/vendor/longfellow-zk/lib/zk/zk_prover.h +202 -0
- data/vendor/longfellow-zk/lib/zk/zk_test.cc +340 -0
- data/vendor/longfellow-zk/lib/zk/zk_testing.h +154 -0
- data/vendor/longfellow-zk/lib/zk/zk_verifier.h +109 -0
- metadata +347 -0
|
@@ -0,0 +1,607 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#include "circuits/sha/flatsha256_circuit.h"
|
|
16
|
+
|
|
17
|
+
// This test instantiates flatsha using p256 with the advanced plucker to
|
|
18
|
+
// test correctness.
|
|
19
|
+
|
|
20
|
+
#include <stddef.h>
|
|
21
|
+
|
|
22
|
+
#include <array>
|
|
23
|
+
#include <cstdint>
|
|
24
|
+
#include <memory>
|
|
25
|
+
#include <vector>
|
|
26
|
+
|
|
27
|
+
#include "algebra/convolution.h"
|
|
28
|
+
#include "algebra/fp.h"
|
|
29
|
+
#include "algebra/fp2.h"
|
|
30
|
+
#include "algebra/reed_solomon.h"
|
|
31
|
+
#include "arrays/dense.h"
|
|
32
|
+
#include "circuits/compiler/circuit_dump.h"
|
|
33
|
+
#include "circuits/compiler/compiler.h"
|
|
34
|
+
#include "circuits/logic/bit_plucker.h"
|
|
35
|
+
#include "circuits/logic/bit_plucker_encoder.h"
|
|
36
|
+
#include "circuits/logic/compiler_backend.h"
|
|
37
|
+
#include "circuits/logic/evaluation_backend.h"
|
|
38
|
+
#include "circuits/logic/logic.h"
|
|
39
|
+
#include "circuits/sha/flatsha256_io.h"
|
|
40
|
+
#include "circuits/sha/flatsha256_witness.h"
|
|
41
|
+
#include "circuits/sha/sha256_test_values.h"
|
|
42
|
+
#include "ec/p256.h"
|
|
43
|
+
#include "gf2k/gf2_128.h"
|
|
44
|
+
#include "gf2k/lch14_reed_solomon.h"
|
|
45
|
+
#include "random/secure_random_engine.h"
|
|
46
|
+
#include "random/transcript.h"
|
|
47
|
+
#include "sumcheck/circuit.h"
|
|
48
|
+
#include "sumcheck/testing.h"
|
|
49
|
+
#include "util/log.h"
|
|
50
|
+
#include "zk/zk_proof.h"
|
|
51
|
+
#include "zk/zk_prover.h"
|
|
52
|
+
#include "benchmark/benchmark.h"
|
|
53
|
+
#include "gtest/gtest.h"
|
|
54
|
+
|
|
55
|
+
namespace proofs {
|
|
56
|
+
namespace {
|
|
57
|
+
|
|
58
|
+
using Field = Fp256Base;
|
|
59
|
+
|
|
60
|
+
constexpr const Field& F = p256_base;
|
|
61
|
+
|
|
62
|
+
// =============================================================================
|
|
63
|
+
// Evaluation tests verify the correctness of circuit construction by
|
|
64
|
+
// comparing the output of the circuit against the reference implementation.
|
|
65
|
+
// These tests use an evaluation backend with the P256 field.
|
|
66
|
+
// =============================================================================
|
|
67
|
+
|
|
68
|
+
// Evaluation tests verify the correctness of circuit construction by
|
|
69
|
+
// comparing the output of the circuit against the reference implementation.
|
|
70
|
+
|
|
71
|
+
// Test the circuit via evaluation and comparison against reference.
|
|
72
|
+
TEST(FlatSHA256_Circuit, p256_assert_block) {
|
|
73
|
+
using EvalBackend = EvaluationBackend<Field>;
|
|
74
|
+
using Logic = Logic<Field, EvalBackend>;
|
|
75
|
+
using v32 = typename Logic::v32;
|
|
76
|
+
using FlatSha = FlatSHA256Circuit<Logic, BitPlucker<Logic, kShaPluckerSize>>;
|
|
77
|
+
const EvalBackend ebk(F);
|
|
78
|
+
const Logic L(&ebk, F);
|
|
79
|
+
const FlatSha FSHA(L);
|
|
80
|
+
uint32_t in[16];
|
|
81
|
+
uint32_t H0[8], outw[48], oute[64], outa[64], H1[8];
|
|
82
|
+
|
|
83
|
+
for (size_t t = 0; t < sizeof(kSha_bt_) / sizeof(kSha_bt_[0]); ++t) {
|
|
84
|
+
for (size_t i = 0; i < 16; ++i) {
|
|
85
|
+
in[i] = kSha_bt_[t].input[i];
|
|
86
|
+
}
|
|
87
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
88
|
+
H0[i] = kSha_bt_[t].h[i];
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
// Given IN and H0, generate witnesses
|
|
92
|
+
FlatSHA256Witness::transform_and_witness_block(in, H0, outw, oute, outa,
|
|
93
|
+
H1);
|
|
94
|
+
|
|
95
|
+
// H1 witness must agree with reference
|
|
96
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
97
|
+
EXPECT_EQ(kSha_bt_[t].want[i], H1[i]);
|
|
98
|
+
}
|
|
99
|
+
|
|
100
|
+
std::vector<v32> vin(16);
|
|
101
|
+
for (size_t i = 0; i < 16; ++i) {
|
|
102
|
+
vin[i] = L.vbit32(in[i]);
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
std::vector<v32> vH0(8), vH1(8);
|
|
106
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
107
|
+
vH0[i] = L.vbit32(H0[i]);
|
|
108
|
+
vH1[i] = L.vbit32(H1[i]);
|
|
109
|
+
}
|
|
110
|
+
|
|
111
|
+
std::vector<v32> voutw(48);
|
|
112
|
+
for (size_t i = 0; i < 48; ++i) {
|
|
113
|
+
voutw[i] = L.vbit32(outw[i]);
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
std::vector<v32> voute(64), vouta(64);
|
|
117
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
118
|
+
voute[i] = L.vbit32(oute[i]);
|
|
119
|
+
vouta[i] = L.vbit32(outa[i]);
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
FSHA.assert_transform_block(vin.data(), vH0.data(), voutw.data(),
|
|
123
|
+
voute.data(), vouta.data(), vH1.data());
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
// Test the circuit via evaluation and comparison against reference.
|
|
128
|
+
TEST(FlatSHA256_Circuit, assert_block_packed) {
|
|
129
|
+
using EvalBackend = EvaluationBackend<Field>;
|
|
130
|
+
using Logic = Logic<Field, EvalBackend>;
|
|
131
|
+
using v32 = typename Logic::v32;
|
|
132
|
+
using FlatSha = FlatSHA256Circuit<Logic, BitPlucker<Logic, kShaPluckerSize>>;
|
|
133
|
+
using packed_v32 = FlatSha::packed_v32;
|
|
134
|
+
const EvalBackend ebk(F);
|
|
135
|
+
const Logic L(&ebk, F);
|
|
136
|
+
const FlatSha FSHA(L);
|
|
137
|
+
uint32_t in[16];
|
|
138
|
+
uint32_t H0[8], outw[48], oute[64], outa[64], H1[8];
|
|
139
|
+
|
|
140
|
+
for (size_t i = 0; i < 16; ++i) {
|
|
141
|
+
in[i] = kSha_bt_[0].input[i];
|
|
142
|
+
}
|
|
143
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
144
|
+
H0[i] = kSha_bt_[0].h[i];
|
|
145
|
+
}
|
|
146
|
+
|
|
147
|
+
// Given IN and H0, generate witnesses
|
|
148
|
+
FlatSHA256Witness::transform_and_witness_block(in, H0, outw, oute, outa, H1);
|
|
149
|
+
|
|
150
|
+
// H1 witness must agree with reference
|
|
151
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
152
|
+
EXPECT_EQ(kSha_bt_[0].want[i], H1[i]);
|
|
153
|
+
}
|
|
154
|
+
|
|
155
|
+
std::vector<v32> vin(16);
|
|
156
|
+
for (size_t i = 0; i < 16; ++i) {
|
|
157
|
+
vin[i] = L.vbit32(in[i]);
|
|
158
|
+
}
|
|
159
|
+
|
|
160
|
+
std::vector<packed_v32> vH0(8), vH1(8);
|
|
161
|
+
BitPluckerEncoder<Field, kShaPluckerSize> BPENC(F);
|
|
162
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
163
|
+
vH0[i] = L.konst(BPENC.mkpacked_v32(H0[i]));
|
|
164
|
+
vH1[i] = L.konst(BPENC.mkpacked_v32(H1[i]));
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
std::vector<packed_v32> voutw(48);
|
|
168
|
+
for (size_t i = 0; i < 48; ++i) {
|
|
169
|
+
voutw[i] = L.konst(BPENC.mkpacked_v32(outw[i]));
|
|
170
|
+
}
|
|
171
|
+
|
|
172
|
+
std::vector<packed_v32> voute(64), vouta(64);
|
|
173
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
174
|
+
voute[i] = L.konst(BPENC.mkpacked_v32(oute[i]));
|
|
175
|
+
vouta[i] = L.konst(BPENC.mkpacked_v32(outa[i]));
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
FSHA.assert_transform_block(vin.data(), vH0.data(), voutw.data(),
|
|
179
|
+
voute.data(), vouta.data(), vH1.data());
|
|
180
|
+
}
|
|
181
|
+
|
|
182
|
+
// Test the circuit via evaluation and comparison against reference.
|
|
183
|
+
TEST(FlatSHA256_Circuit, assert_message) {
|
|
184
|
+
using EvalBackend = EvaluationBackend<Field>;
|
|
185
|
+
using Logic = Logic<Field, EvalBackend>;
|
|
186
|
+
using v8 = typename Logic::v8;
|
|
187
|
+
using v256 = typename Logic::v256;
|
|
188
|
+
using FlatSha = FlatSHA256Circuit<Logic, BitPlucker<Logic, kShaPluckerSize>>;
|
|
189
|
+
const EvalBackend ebk(F);
|
|
190
|
+
const Logic L(&ebk, F);
|
|
191
|
+
const FlatSha FSHA(L);
|
|
192
|
+
BitPluckerEncoder<Field, kShaPluckerSize> BPENC(F);
|
|
193
|
+
|
|
194
|
+
constexpr size_t max = 32;
|
|
195
|
+
std::vector<uint8_t> in(64 * max);
|
|
196
|
+
std::vector<FlatSHA256Witness::BlockWitness> bw(max);
|
|
197
|
+
|
|
198
|
+
std::vector<v8> inW(64 * max);
|
|
199
|
+
std::vector<FlatSha::BlockWitness> bwW(max);
|
|
200
|
+
|
|
201
|
+
for (size_t i = 0; i < sizeof(SHA256_TV) / sizeof(SHA256_TV[0]); ++i) {
|
|
202
|
+
size_t len = SHA256_TV[i].len;
|
|
203
|
+
if (len + 9 < 64 * max) {
|
|
204
|
+
continue;
|
|
205
|
+
}
|
|
206
|
+
|
|
207
|
+
uint8_t numb;
|
|
208
|
+
FlatSHA256Witness::transform_and_witness_message(
|
|
209
|
+
len, (const uint8_t*)SHA256_TV[i].str, max, numb, in.data(), bw.data());
|
|
210
|
+
|
|
211
|
+
// The last H1 must agree with the expected output
|
|
212
|
+
for (size_t j = 0; j < 8; ++j) {
|
|
213
|
+
uint32_t h1j = SHA256_ru32be(&SHA256_TV[i].hash[j * 4]);
|
|
214
|
+
EXPECT_EQ(bw[numb - 1].h1[j], h1j);
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
v256 target;
|
|
218
|
+
for (size_t j = 0; j < 256; ++j) {
|
|
219
|
+
target[j] = L.bit((SHA256_TV[i].hash[(255 - j) / 8] >> (j % 8)) & 0x1);
|
|
220
|
+
}
|
|
221
|
+
|
|
222
|
+
// fill input wires
|
|
223
|
+
v8 numbW = L.vbit8(numb);
|
|
224
|
+
|
|
225
|
+
for (size_t j = 0; j < max * 64; j++) {
|
|
226
|
+
inW[j] = L.vbit8(in[j]);
|
|
227
|
+
}
|
|
228
|
+
|
|
229
|
+
for (size_t j = 0; j < max; j++) {
|
|
230
|
+
for (size_t k = 0; k < 48; ++k) {
|
|
231
|
+
bwW[j].outw[k] = L.konst(BPENC.mkpacked_v32(bw[j].outw[k]));
|
|
232
|
+
}
|
|
233
|
+
for (size_t k = 0; k < 64; ++k) {
|
|
234
|
+
bwW[j].oute[k] = L.konst(BPENC.mkpacked_v32(bw[j].oute[k]));
|
|
235
|
+
bwW[j].outa[k] = L.konst(BPENC.mkpacked_v32(bw[j].outa[k]));
|
|
236
|
+
}
|
|
237
|
+
|
|
238
|
+
for (size_t k = 0; k < 8; ++k) {
|
|
239
|
+
bwW[j].h1[k] = L.konst(BPENC.mkpacked_v32(bw[j].h1[k]));
|
|
240
|
+
}
|
|
241
|
+
}
|
|
242
|
+
|
|
243
|
+
FSHA.assert_message_hash(max, numbW, inW.data(), target, bwW.data());
|
|
244
|
+
}
|
|
245
|
+
}
|
|
246
|
+
|
|
247
|
+
// =============================================================================
|
|
248
|
+
// Compiler tests are used to assess the circuit size and verify that the
|
|
249
|
+
// circuit works in sumcheck or zk proof processes. These tests use different
|
|
250
|
+
// fields.
|
|
251
|
+
// =============================================================================
|
|
252
|
+
|
|
253
|
+
template <class Field, size_t plucker_size>
|
|
254
|
+
std::unique_ptr<Circuit<Field>> test_block_circuit_size(const Field& f,
|
|
255
|
+
const char* test_name) {
|
|
256
|
+
using CompilerBackend = CompilerBackend<Field>;
|
|
257
|
+
using LogicCircuit = Logic<Field, CompilerBackend>;
|
|
258
|
+
using v32C = typename LogicCircuit::v32;
|
|
259
|
+
using FlatShaC =
|
|
260
|
+
FlatSHA256Circuit<LogicCircuit, BitPlucker<LogicCircuit, plucker_size>>;
|
|
261
|
+
using packed_v32C = typename FlatShaC::packed_v32;
|
|
262
|
+
|
|
263
|
+
QuadCircuit<Field> Q(f);
|
|
264
|
+
const CompilerBackend cbk(&Q);
|
|
265
|
+
const LogicCircuit LC(&cbk, f);
|
|
266
|
+
FlatShaC FSHAC(LC);
|
|
267
|
+
|
|
268
|
+
std::vector<v32C> vin(16);
|
|
269
|
+
for (size_t i = 0; i < 16; ++i) {
|
|
270
|
+
vin[i] = LC.template vinput<32>();
|
|
271
|
+
}
|
|
272
|
+
|
|
273
|
+
if (plucker_size == 1) {
|
|
274
|
+
std::vector<v32C> vH0(8), vH1(8), voutw(48), voute(64), vouta(64);
|
|
275
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
276
|
+
vH0[i] = LC.template vinput<32>();
|
|
277
|
+
vH1[i] = LC.template vinput<32>();
|
|
278
|
+
}
|
|
279
|
+
for (size_t i = 0; i < 48; ++i) {
|
|
280
|
+
voutw[i] = LC.template vinput<32>();
|
|
281
|
+
}
|
|
282
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
283
|
+
voute[i] = LC.template vinput<32>();
|
|
284
|
+
vouta[i] = LC.template vinput<32>();
|
|
285
|
+
}
|
|
286
|
+
FSHAC.assert_transform_block(vin.data(), vH0.data(), voutw.data(),
|
|
287
|
+
voute.data(), vouta.data(), vH1.data());
|
|
288
|
+
} else {
|
|
289
|
+
std::vector<packed_v32C> vH0(8), vH1(8), voutw(48), voute(64), vouta(64);
|
|
290
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
291
|
+
vH0[i] = FlatShaC::packed_input(LC);
|
|
292
|
+
vH1[i] = FlatShaC::packed_input(LC);
|
|
293
|
+
}
|
|
294
|
+
for (size_t i = 0; i < 48; ++i) {
|
|
295
|
+
voutw[i] = FlatShaC::packed_input(LC);
|
|
296
|
+
}
|
|
297
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
298
|
+
voute[i] = FlatShaC::packed_input(LC);
|
|
299
|
+
vouta[i] = FlatShaC::packed_input(LC);
|
|
300
|
+
}
|
|
301
|
+
FSHAC.assert_transform_block(vin.data(), vH0.data(), voutw.data(),
|
|
302
|
+
voute.data(), vouta.data(), vH1.data());
|
|
303
|
+
}
|
|
304
|
+
|
|
305
|
+
auto CIRCUIT = Q.mkcircuit(1);
|
|
306
|
+
dump_info(test_name, Q);
|
|
307
|
+
|
|
308
|
+
ZkProof<Field> zkpr(*CIRCUIT, 4, 138);
|
|
309
|
+
log(INFO, "SHA: nw:%zd nq:%zd r:%zd w:%zd bl:%zd bl_enc:%zd nrow:%zd\n",
|
|
310
|
+
zkpr.param.nw, zkpr.param.nq, zkpr.param.r, zkpr.param.w,
|
|
311
|
+
zkpr.param.block, zkpr.param.block_enc, zkpr.param.nrow);
|
|
312
|
+
|
|
313
|
+
return CIRCUIT;
|
|
314
|
+
}
|
|
315
|
+
|
|
316
|
+
TEST(FlatSHA256_Circuit, block_size_p256) {
|
|
317
|
+
test_block_circuit_size<Fp256Base, 1>(p256_base, "block_size_p256_pack_1");
|
|
318
|
+
}
|
|
319
|
+
|
|
320
|
+
TEST(FlatSHA256_Circuit, block_size_p256_2) {
|
|
321
|
+
test_block_circuit_size<Fp256Base, 2>(p256_base, "block_size_p256_pack_2");
|
|
322
|
+
}
|
|
323
|
+
|
|
324
|
+
TEST(FlatSHA256_Circuit, block_size_p256_3) {
|
|
325
|
+
test_block_circuit_size<Fp256Base, 3>(p256_base, "block_size_p256_pack_3");
|
|
326
|
+
}
|
|
327
|
+
|
|
328
|
+
TEST(FlatSHA256_Circuit, block_size_p256_4) {
|
|
329
|
+
test_block_circuit_size<Fp256Base, 4>(p256_base, "block_size_p256_pack_4");
|
|
330
|
+
}
|
|
331
|
+
|
|
332
|
+
TEST(FlatSHA256_Circuit, block_size_gf2_128_1) {
|
|
333
|
+
using f_128 = GF2_128<>;
|
|
334
|
+
const f_128 Fs;
|
|
335
|
+
test_block_circuit_size<f_128, 1>(Fs, "block_size_gf2128_pack_1");
|
|
336
|
+
}
|
|
337
|
+
|
|
338
|
+
TEST(FlatSHA256_Circuit, block_size_gf2_128_2) {
|
|
339
|
+
using f_128 = GF2_128<>;
|
|
340
|
+
const f_128 Fs;
|
|
341
|
+
test_block_circuit_size<f_128, 2>(Fs, "block_size_gf2128_pack_2");
|
|
342
|
+
}
|
|
343
|
+
|
|
344
|
+
TEST(FlatSHA256_Circuit, block_size_gf2_128_3) {
|
|
345
|
+
using f_128 = GF2_128<>;
|
|
346
|
+
const f_128 Fs;
|
|
347
|
+
test_block_circuit_size<f_128, 3>(Fs, "block_size_gf2128_pack_3");
|
|
348
|
+
}
|
|
349
|
+
|
|
350
|
+
TEST(FlatSHA256_Circuit, block_size_gf2_128_4) {
|
|
351
|
+
using f_128 = GF2_128<>;
|
|
352
|
+
const f_128 Fs;
|
|
353
|
+
test_block_circuit_size<f_128, 4>(Fs, "block_size_gf2128_pack_4");
|
|
354
|
+
}
|
|
355
|
+
|
|
356
|
+
} // namespace
|
|
357
|
+
|
|
358
|
+
namespace bench {
|
|
359
|
+
// =============================================================================
|
|
360
|
+
// Benchmarks for sumcheck- and zk- proofs about hashing messages of various
|
|
361
|
+
// sizes over different fields.
|
|
362
|
+
// =============================================================================
|
|
363
|
+
|
|
364
|
+
template <class Field, size_t pluckerSize>
|
|
365
|
+
std::unique_ptr<Circuit<Field>> make_circuit(size_t numBlocks, size_t numCopies,
|
|
366
|
+
const Field& f) {
|
|
367
|
+
set_log_level(ERROR);
|
|
368
|
+
using CompilerBackend = CompilerBackend<Field>;
|
|
369
|
+
using LogicCircuit = Logic<Field, CompilerBackend>;
|
|
370
|
+
using v8 = typename LogicCircuit::v8;
|
|
371
|
+
using v256 = typename LogicCircuit::v256;
|
|
372
|
+
using FlatShaC =
|
|
373
|
+
FlatSHA256Circuit<LogicCircuit, BitPlucker<LogicCircuit, pluckerSize>>;
|
|
374
|
+
using ShaBlockWitness = typename FlatShaC::BlockWitness;
|
|
375
|
+
|
|
376
|
+
QuadCircuit<Field> Q(f);
|
|
377
|
+
const CompilerBackend cbk(&Q);
|
|
378
|
+
const LogicCircuit lc(&cbk, f);
|
|
379
|
+
FlatShaC sha(lc);
|
|
380
|
+
|
|
381
|
+
v8 nb = lc.template vinput<8>();
|
|
382
|
+
std::vector<v8> in(64 * numBlocks);
|
|
383
|
+
for (size_t i = 0; i < 64 * numBlocks; ++i) {
|
|
384
|
+
in[i] = lc.template vinput<8>();
|
|
385
|
+
}
|
|
386
|
+
|
|
387
|
+
v256 target = lc.template vinput<256>();
|
|
388
|
+
|
|
389
|
+
std::vector<ShaBlockWitness> bw(numBlocks);
|
|
390
|
+
for (size_t j = 0; j < numBlocks; j++) {
|
|
391
|
+
bw[j].input(lc);
|
|
392
|
+
}
|
|
393
|
+
|
|
394
|
+
sha.assert_message_hash(numBlocks, nb, &in[0], target, &bw[0]);
|
|
395
|
+
|
|
396
|
+
auto circuit = Q.mkcircuit(numCopies);
|
|
397
|
+
dump_info("assert_message_hash", Q);
|
|
398
|
+
return circuit;
|
|
399
|
+
}
|
|
400
|
+
|
|
401
|
+
template <class Field, size_t N>
|
|
402
|
+
void push(const std::array<typename Field::Elt, N>& a, size_t& wi, size_t c,
|
|
403
|
+
size_t numCopies, Dense<Field>& W) {
|
|
404
|
+
for (size_t i = 0; i < N; ++i) {
|
|
405
|
+
W.v_[(wi++) * numCopies + c] = a[i];
|
|
406
|
+
}
|
|
407
|
+
}
|
|
408
|
+
|
|
409
|
+
template <class Field>
|
|
410
|
+
void push(uint8_t a, size_t& wi, size_t c, size_t numCopies, Dense<Field>& W,
|
|
411
|
+
const Field& f) {
|
|
412
|
+
for (size_t i = 0; i < 8; ++i) {
|
|
413
|
+
W.v_[(wi++) * numCopies + c] = (a >> i) & 1 ? f.one() : f.zero();
|
|
414
|
+
}
|
|
415
|
+
}
|
|
416
|
+
|
|
417
|
+
// Copy the same input for all copies.
|
|
418
|
+
template <class Field, size_t pluckerSize>
|
|
419
|
+
void fill_input(Dense<Field>& W, size_t numBlocks, size_t ninputs,
|
|
420
|
+
size_t numCopies, const Field& f) {
|
|
421
|
+
uint8_t numb;
|
|
422
|
+
std::vector<uint8_t> inb(64 * numBlocks);
|
|
423
|
+
std::vector<FlatSHA256Witness::BlockWitness> bwb(numBlocks);
|
|
424
|
+
size_t bmax = sizeof(kSha_benchmark_)/sizeof(kSha_benchmark_[0]);
|
|
425
|
+
size_t bench_index = numBlocks - 1;
|
|
426
|
+
if (bench_index > bmax) {
|
|
427
|
+
bench_index = bmax - 1;
|
|
428
|
+
}
|
|
429
|
+
std::vector<uint8_t> message(kSha_benchmark_[bench_index].len, 'a');
|
|
430
|
+
FlatSHA256Witness::transform_and_witness_message(
|
|
431
|
+
message.size(), message.data(), numBlocks, numb, &inb[0], &bwb[0]);
|
|
432
|
+
|
|
433
|
+
const uint8_t *hash = kSha_benchmark_[bench_index].hash;
|
|
434
|
+
|
|
435
|
+
// fill input wires
|
|
436
|
+
for (size_t c = 0; c < numCopies; ++c) {
|
|
437
|
+
size_t wi = 0;
|
|
438
|
+
|
|
439
|
+
W.v_[(wi++) * numCopies + c] = f.one();
|
|
440
|
+
push(numb, wi, c, numCopies, W, f);
|
|
441
|
+
for (size_t j = 0; j < numBlocks * 64; j++) {
|
|
442
|
+
push(inb[j], wi, c, numCopies, W, f);
|
|
443
|
+
}
|
|
444
|
+
|
|
445
|
+
// Target hash.
|
|
446
|
+
for (size_t j = 0; j < 256; ++j) {
|
|
447
|
+
W.v_[(wi++) * numCopies + c] =
|
|
448
|
+
(hash[(255 - j) / 8] >> (j % 8)) & 1 ? f.one() : f.zero();
|
|
449
|
+
}
|
|
450
|
+
|
|
451
|
+
// Sha block witnesses.
|
|
452
|
+
BitPluckerEncoder<Field, pluckerSize> BPENC(f);
|
|
453
|
+
for (size_t j = 0; j < numBlocks; j++) {
|
|
454
|
+
for (size_t k = 0; k < 48; ++k) {
|
|
455
|
+
push(BPENC.mkpacked_v32(bwb[j].outw[k]), wi, c, numCopies, W);
|
|
456
|
+
}
|
|
457
|
+
for (size_t k = 0; k < 64; ++k) {
|
|
458
|
+
push(BPENC.mkpacked_v32(bwb[j].oute[k]), wi, c, numCopies, W);
|
|
459
|
+
push(BPENC.mkpacked_v32(bwb[j].outa[k]), wi, c, numCopies, W);
|
|
460
|
+
}
|
|
461
|
+
for (size_t k = 0; k < 8; ++k) {
|
|
462
|
+
push(BPENC.mkpacked_v32(bwb[j].h1[k]), wi, c, numCopies, W);
|
|
463
|
+
}
|
|
464
|
+
}
|
|
465
|
+
}
|
|
466
|
+
}
|
|
467
|
+
|
|
468
|
+
void BM_ShaSumcheckProver_fp2_128(benchmark::State& state) {
|
|
469
|
+
using f_128 = GF2_128<>;
|
|
470
|
+
const f_128 Fs;
|
|
471
|
+
|
|
472
|
+
size_t numBlocks = state.range(0);
|
|
473
|
+
std::unique_ptr<Circuit<f_128>> CIRCUIT =
|
|
474
|
+
make_circuit<f_128, 2>(numBlocks, 1, Fs);
|
|
475
|
+
|
|
476
|
+
auto W = Dense<f_128>(1, CIRCUIT->ninputs);
|
|
477
|
+
|
|
478
|
+
fill_input<f_128, 2>(W, numBlocks, CIRCUIT->ninputs, 1, Fs);
|
|
479
|
+
|
|
480
|
+
// Run benchmark
|
|
481
|
+
for (auto s : state) {
|
|
482
|
+
Proof<f_128> proof(CIRCUIT->nl);
|
|
483
|
+
run_prover(CIRCUIT.get(), W.clone(), &proof, Fs);
|
|
484
|
+
benchmark::DoNotOptimize(proof);
|
|
485
|
+
}
|
|
486
|
+
}
|
|
487
|
+
BENCHMARK(BM_ShaSumcheckProver_fp2_128)->RangeMultiplier(2)->Range(1, 33);
|
|
488
|
+
|
|
489
|
+
void BM_ShaSumcheckCopyProver_fp2_128(benchmark::State& state) {
|
|
490
|
+
using f_128 = GF2_128<>;
|
|
491
|
+
const f_128 F;
|
|
492
|
+
size_t numCopies = state.range(0);
|
|
493
|
+
std::unique_ptr<Circuit<f_128>> CIRCUIT =
|
|
494
|
+
make_circuit<f_128, 2>(1, numCopies, F);
|
|
495
|
+
|
|
496
|
+
auto W = Dense<f_128>(numCopies, CIRCUIT->ninputs);
|
|
497
|
+
fill_input<f_128, 2>(W, 1, CIRCUIT->ninputs, numCopies, F);
|
|
498
|
+
|
|
499
|
+
for (auto s : state) {
|
|
500
|
+
Proof<f_128> proof(CIRCUIT->nl);
|
|
501
|
+
run_prover(CIRCUIT.get(), W.clone(), &proof, F);
|
|
502
|
+
benchmark::DoNotOptimize(proof);
|
|
503
|
+
}
|
|
504
|
+
}
|
|
505
|
+
|
|
506
|
+
BENCHMARK(BM_ShaSumcheckCopyProver_fp2_128)->RangeMultiplier(2)->Range(1, 33);
|
|
507
|
+
|
|
508
|
+
void BM_ShaZK_fp2_128(benchmark::State& state) {
|
|
509
|
+
using f_128 = GF2_128<>;
|
|
510
|
+
const f_128 Fs;
|
|
511
|
+
using RSFactory = LCH14ReedSolomonFactory<f_128>;
|
|
512
|
+
|
|
513
|
+
const size_t numBlocks = state.range(0);
|
|
514
|
+
constexpr size_t kPluckerSize = 2;
|
|
515
|
+
std::unique_ptr<Circuit<f_128>> CIRCUIT =
|
|
516
|
+
make_circuit<f_128, kPluckerSize>(numBlocks, 1, Fs);
|
|
517
|
+
|
|
518
|
+
auto W = Dense<f_128>(1, CIRCUIT->ninputs);
|
|
519
|
+
|
|
520
|
+
fill_input<f_128, kPluckerSize>(W, numBlocks, CIRCUIT->ninputs, 1, Fs);
|
|
521
|
+
|
|
522
|
+
const RSFactory rsf(Fs);
|
|
523
|
+
Transcript tp((uint8_t*)"test", 4);
|
|
524
|
+
SecureRandomEngine rng;
|
|
525
|
+
|
|
526
|
+
for (auto s : state) {
|
|
527
|
+
ZkProof<f_128> zkpr(*CIRCUIT, 4, 128);
|
|
528
|
+
ZkProver<f_128, RSFactory> prover(*CIRCUIT, Fs, rsf);
|
|
529
|
+
prover.commit(zkpr, W, tp, rng);
|
|
530
|
+
prover.prove(zkpr, W, tp);
|
|
531
|
+
benchmark::DoNotOptimize(zkpr);
|
|
532
|
+
}
|
|
533
|
+
}
|
|
534
|
+
BENCHMARK(BM_ShaZK_fp2_128)->RangeMultiplier(2)->Range(1, 33);
|
|
535
|
+
|
|
536
|
+
void BM_ShaZK_Fp64_2(benchmark::State& state) {
|
|
537
|
+
using f_goldi = Fp<1>;
|
|
538
|
+
using Field2 = Fp2<f_goldi>;
|
|
539
|
+
using Elt2 = typename Field2::Elt;
|
|
540
|
+
using FftConvolutionFactory = FFTConvolutionFactory<Field2>;
|
|
541
|
+
using RSFactory = ReedSolomonFactory<Field2, FftConvolutionFactory>;
|
|
542
|
+
|
|
543
|
+
const size_t numBlocks = state.range(0);
|
|
544
|
+
constexpr size_t kPluckerSize = 3;
|
|
545
|
+
const Fp<1> F("18446744069414584321");
|
|
546
|
+
const Field2 base_2(F);
|
|
547
|
+
|
|
548
|
+
std::unique_ptr<Circuit<Field2>> CIRCUIT =
|
|
549
|
+
make_circuit<Field2, kPluckerSize>(numBlocks, 1, base_2);
|
|
550
|
+
|
|
551
|
+
auto W = Dense<Field2>(1, CIRCUIT->ninputs);
|
|
552
|
+
|
|
553
|
+
fill_input<Field2, kPluckerSize>(W, numBlocks, CIRCUIT->ninputs, 1, base_2);
|
|
554
|
+
|
|
555
|
+
static constexpr char kSmallRoot[] = "2752994695033296049";
|
|
556
|
+
static constexpr uint64_t kSmallOrder = 1ull << 32;
|
|
557
|
+
|
|
558
|
+
const Elt2 omega = base_2.of_string(kSmallRoot);
|
|
559
|
+
const FftConvolutionFactory fft(base_2, omega, kSmallOrder);
|
|
560
|
+
const RSFactory rsf(fft, base_2);
|
|
561
|
+
|
|
562
|
+
Transcript tp((uint8_t*)"test", 4);
|
|
563
|
+
SecureRandomEngine rng;
|
|
564
|
+
|
|
565
|
+
for (auto s : state) {
|
|
566
|
+
ZkProof<Field2> zkpr(*CIRCUIT, 4, 138);
|
|
567
|
+
ZkProver<Field2, RSFactory> prover(*CIRCUIT, base_2, rsf);
|
|
568
|
+
prover.commit(zkpr, W, tp, rng);
|
|
569
|
+
prover.prove(zkpr, W, tp);
|
|
570
|
+
benchmark::DoNotOptimize(zkpr);
|
|
571
|
+
}
|
|
572
|
+
}
|
|
573
|
+
BENCHMARK(BM_ShaZK_Fp64_2)->RangeMultiplier(2)->Range(1, 32);
|
|
574
|
+
|
|
575
|
+
// This benchmark measures the time it takes to bind the quad for SHA.
|
|
576
|
+
void BM_ShaZK_quadbind_fp2_128(benchmark::State& state) {
|
|
577
|
+
using f_128 = GF2_128<>;
|
|
578
|
+
using Elt = f_128::Elt;
|
|
579
|
+
const f_128 Fs;
|
|
580
|
+
|
|
581
|
+
const size_t numBlocks = state.range(0);
|
|
582
|
+
constexpr size_t kPluckerSize = 2;
|
|
583
|
+
std::unique_ptr<Circuit<f_128>> CIRCUIT =
|
|
584
|
+
make_circuit<f_128, kPluckerSize>(numBlocks, 1, Fs);
|
|
585
|
+
|
|
586
|
+
SecureRandomEngine rng;
|
|
587
|
+
|
|
588
|
+
Elt alpha = rng.elt(Fs);
|
|
589
|
+
Elt beta = rng.elt(Fs);
|
|
590
|
+
Elt g0[64], g1[64];
|
|
591
|
+
for (size_t i = 0; i < 64; ++i) {
|
|
592
|
+
g0[i] = rng.elt(Fs);
|
|
593
|
+
g1[i] = rng.elt(Fs);
|
|
594
|
+
}
|
|
595
|
+
|
|
596
|
+
for (auto s : state) {
|
|
597
|
+
size_t logv = CIRCUIT->logv;
|
|
598
|
+
for (size_t ly = 0; ly < CIRCUIT->nl; ++ly) {
|
|
599
|
+
auto HQUAD = CIRCUIT->l[ly].quad->bind_g(logv, g0, g1, alpha, beta, Fs);
|
|
600
|
+
logv = CIRCUIT->l[ly].logw;
|
|
601
|
+
}
|
|
602
|
+
}
|
|
603
|
+
}
|
|
604
|
+
BENCHMARK(BM_ShaZK_quadbind_fp2_128)->RangeMultiplier(2)->Range(1, 32);
|
|
605
|
+
|
|
606
|
+
} // namespace bench
|
|
607
|
+
} // namespace proofs
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_SHA_FLATSHA256_IO_H_
|
|
16
|
+
#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_SHA_FLATSHA256_IO_H_
|
|
17
|
+
|
|
18
|
+
#include <stddef.h>
|
|
19
|
+
|
|
20
|
+
namespace proofs {
|
|
21
|
+
|
|
22
|
+
constexpr const size_t kShaPluckerSize = 2;
|
|
23
|
+
|
|
24
|
+
} // namespace proofs
|
|
25
|
+
|
|
26
|
+
#endif // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_SHA_FLATSHA256_IO_H_
|