longfellow 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CODE_OF_CONDUCT.md +10 -0
- data/LICENSE.txt +21 -0
- data/README.md +152 -0
- data/ext/longfellow/CMakeLists.txt +76 -0
- data/ext/longfellow/extconf.rb +77 -0
- data/lib/longfellow/attribute.rb +65 -0
- data/lib/longfellow/c.rb +105 -0
- data/lib/longfellow/errors.rb +78 -0
- data/lib/longfellow/version.rb +5 -0
- data/lib/longfellow/zk_spec.rb +40 -0
- data/lib/longfellow.rb +162 -0
- data/sig/longfellow.rbs +74 -0
- data/vendor/longfellow-zk/LICENSE +203 -0
- data/vendor/longfellow-zk/lib/algebra/blas.h +121 -0
- data/vendor/longfellow-zk/lib/algebra/bogorng.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/compare.h +40 -0
- data/vendor/longfellow-zk/lib/algebra/convolution.h +219 -0
- data/vendor/longfellow-zk/lib/algebra/crt.cc +42 -0
- data/vendor/longfellow-zk/lib/algebra/crt.h +299 -0
- data/vendor/longfellow-zk/lib/algebra/crt_convolution.h +114 -0
- data/vendor/longfellow-zk/lib/algebra/crt_test.cc +371 -0
- data/vendor/longfellow-zk/lib/algebra/fft.h +104 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation.h +304 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation_test.cc +168 -0
- data/vendor/longfellow-zk/lib/algebra/fft_test.cc +257 -0
- data/vendor/longfellow-zk/lib/algebra/fp.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/fp2.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/fp24.h +342 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6.h +305 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6_test.cc +197 -0
- data/vendor/longfellow-zk/lib/algebra/fp2_test.cc +280 -0
- data/vendor/longfellow-zk/lib/algebra/fp_generic.h +533 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p128.h +91 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256k1.h +123 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p384.h +65 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p521.h +62 -0
- data/vendor/longfellow-zk/lib/algebra/fp_test.cc +522 -0
- data/vendor/longfellow-zk/lib/algebra/hash.h +39 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation.h +117 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc +74 -0
- data/vendor/longfellow-zk/lib/algebra/limb.h +153 -0
- data/vendor/longfellow-zk/lib/algebra/limb_test.cc +75 -0
- data/vendor/longfellow-zk/lib/algebra/nat.cc +32 -0
- data/vendor/longfellow-zk/lib/algebra/nat.h +212 -0
- data/vendor/longfellow-zk/lib/algebra/nat_test.cc +183 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc +138 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc +139 -0
- data/vendor/longfellow-zk/lib/algebra/permutations.h +79 -0
- data/vendor/longfellow-zk/lib/algebra/poly.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/poly_test.cc +123 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon.h +150 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h +108 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc +76 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_test.cc +473 -0
- data/vendor/longfellow-zk/lib/algebra/rfft.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/rfft_test.cc +102 -0
- data/vendor/longfellow-zk/lib/algebra/static_string.h +29 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep.h +495 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep_test.cc +41 -0
- data/vendor/longfellow-zk/lib/algebra/twiddle.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/utility.h +86 -0
- data/vendor/longfellow-zk/lib/algebra/utility_test.cc +86 -0
- data/vendor/longfellow-zk/lib/arrays/affine.h +56 -0
- data/vendor/longfellow-zk/lib/arrays/affine_test.cc +220 -0
- data/vendor/longfellow-zk/lib/arrays/dense.h +210 -0
- data/vendor/longfellow-zk/lib/arrays/eq.h +75 -0
- data/vendor/longfellow-zk/lib/arrays/eqs.h +137 -0
- data/vendor/longfellow-zk/lib/arrays/eqs_test.cc +151 -0
- data/vendor/longfellow-zk/lib/arrays/sparse.h +192 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder.h +323 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder_test.cc +541 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor.h +594 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck.h +110 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck_test.cc +55 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_test.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_testing.h +98 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_witness.h +312 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso2_test.cc +662 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso_test.cc +485 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan.h +104 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan_test.cc +137 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor.h +640 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_testing.h +99 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_witness.h +319 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/lexer_test.cc +120 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/mdoc_examples_test.cc +89 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_circuit_test.cc +506 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_size_test.cc +79 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_test.cc +473 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/canonicalization_test.cc +185 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/circuit_dump.h +65 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler.h +471 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler_test.cc +110 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/node.h +176 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/pdqhash.h +127 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/schedule.h +435 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h +371 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc +246 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_test.cc +587 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h +201 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h +247 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h +35 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc +183 -0
- data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc +102 -0
- data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic.h +1232 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_circuit_test.cc +310 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_test.cc +521 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp.h +68 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp_test.cc +148 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing.h +445 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing_test.cc +241 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary.h +55 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h +77 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h +37 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc +53 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc +69 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h +193 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc +223 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc +242 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_ids.h +311 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_circuit_id.cc +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_constants.h +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.cc +41 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_examples.h +5232 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_generate_circuit.cc +199 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_hash.h +554 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h +143 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc +444 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_test_attributes.h +157 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_witness.h +863 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.cc +693 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.h +216 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk_test.cc +724 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc +100 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc +155 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h +330 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit_test.cc +607 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_io.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.cc +163 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.h +47 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.cc +34 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_test_values.h +389 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/ptrcred.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small.h +218 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_examples.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_io.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_test.cc +208 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_witness.h +130 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode.h +508 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_circuit_test.cc +95 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_test.cc +119 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.cc +47 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit.h +231 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit_test.cc +428 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_witness.h +102 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt.h +190 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_constants.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_test.cc +559 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_witness.h +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f.h +411 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_io.h +32 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_test.cc +364 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_witness.h +278 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation.h +146 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_constants.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_test.cc +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_witness.h +136 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr.h +250 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_test.cc +333 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_witness.h +152 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44.h +903 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_circuit_test.cc +274 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_eval_test.cc +440 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.cc +8851 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.h +93 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.cc +24 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h +453 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc +49 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc +458 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test.cc +398 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors.inc +3618 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_pkdecode.inc +689 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_sigdecode.inc +1501 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/sigdecode_test_vectors.inc +540 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit.h +394 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit_test.cc +577 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_constants.h +90 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h +351 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit_test.cc +466 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.cc +207 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h +59 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc +153 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc +39 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h +31 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc +83 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/shake_test_vectors.h +477 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve.h +596 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve_test.cc +548 -0
- data/vendor/longfellow-zk/lib/ec/p256.cc +36 -0
- data/vendor/longfellow-zk/lib/ec/p256.h +60 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.cc +34 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.h +60 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128.h +503 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_bench.cc +48 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_test.cc +416 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2poly.h +74 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14.h +242 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc +75 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h +127 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc +110 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_test.cc +246 -0
- data/vendor/longfellow-zk/lib/gf2k/sysdep.h +329 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_param.h +449 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_prover.h +354 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_test.cc +136 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_transcript.h +67 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h +272 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h +104 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree.h +216 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree_test.cc +240 -0
- data/vendor/longfellow-zk/lib/proto/circuit.h +354 -0
- data/vendor/longfellow-zk/lib/proto/circuit_test.cc +202 -0
- data/vendor/longfellow-zk/lib/random/random.h +119 -0
- data/vendor/longfellow-zk/lib/random/random_test.cc +189 -0
- data/vendor/longfellow-zk/lib/random/secure_random_engine.h +37 -0
- data/vendor/longfellow-zk/lib/random/transcript.h +193 -0
- data/vendor/longfellow-zk/lib/random/transcript_test.cc +344 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit.h +148 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h +71 -0
- data/vendor/longfellow-zk/lib/sumcheck/equad.h +126 -0
- data/vendor/longfellow-zk/lib/sumcheck/hquad.h +115 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover.h +59 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover_layers.h +362 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad.h +227 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h +211 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc +169 -0
- data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc +324 -0
- data/vendor/longfellow-zk/lib/sumcheck/testing.h +69 -0
- data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h +85 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier.h +84 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h +221 -0
- data/vendor/longfellow-zk/lib/testing/test_main.cc +50 -0
- data/vendor/longfellow-zk/lib/util/ceildiv.h +164 -0
- data/vendor/longfellow-zk/lib/util/ceildiv_test.cc +152 -0
- data/vendor/longfellow-zk/lib/util/crc64.h +45 -0
- data/vendor/longfellow-zk/lib/util/crypto.cc +39 -0
- data/vendor/longfellow-zk/lib/util/crypto.h +108 -0
- data/vendor/longfellow-zk/lib/util/log.cc +110 -0
- data/vendor/longfellow-zk/lib/util/log.h +33 -0
- data/vendor/longfellow-zk/lib/util/panic.h +40 -0
- data/vendor/longfellow-zk/lib/util/readbuffer.h +67 -0
- data/vendor/longfellow-zk/lib/util/serialization.h +54 -0
- data/vendor/longfellow-zk/lib/zk/zk_common.h +455 -0
- data/vendor/longfellow-zk/lib/zk/zk_proof.h +378 -0
- data/vendor/longfellow-zk/lib/zk/zk_prover.h +202 -0
- data/vendor/longfellow-zk/lib/zk/zk_test.cc +340 -0
- data/vendor/longfellow-zk/lib/zk/zk_testing.h +154 -0
- data/vendor/longfellow-zk/lib/zk/zk_verifier.h +109 -0
- metadata +347 -0
|
@@ -0,0 +1,315 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_JWT_JWT_WITNESS_H_
|
|
16
|
+
#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_JWT_JWT_WITNESS_H_
|
|
17
|
+
|
|
18
|
+
#include <cstddef>
|
|
19
|
+
#include <cstdint>
|
|
20
|
+
#include <cstdio>
|
|
21
|
+
#include <string>
|
|
22
|
+
#include <vector>
|
|
23
|
+
|
|
24
|
+
#include "arrays/dense.h"
|
|
25
|
+
#include "circuits/ecdsa/verify_witness.h"
|
|
26
|
+
#include "circuits/logic/bit_plucker_encoder.h"
|
|
27
|
+
#include "circuits/sha/flatsha256_witness.h"
|
|
28
|
+
#include "circuits/tests/base64/decode_util.h"
|
|
29
|
+
#include "circuits/tests/jwt/jwt_constants.h"
|
|
30
|
+
#include "util/crypto.h"
|
|
31
|
+
#include "util/log.h"
|
|
32
|
+
|
|
33
|
+
namespace proofs {
|
|
34
|
+
|
|
35
|
+
/* This struct allows a verifier to express which attribute and value the prover
|
|
36
|
+
* must claim. */
|
|
37
|
+
struct OpenedAttribute {
|
|
38
|
+
uint8_t id[32];
|
|
39
|
+
uint8_t value[64];
|
|
40
|
+
size_t id_len, value_len;
|
|
41
|
+
};
|
|
42
|
+
|
|
43
|
+
template <class Field>
|
|
44
|
+
bool fill_attribute(DenseFiller<Field>& filler, const OpenedAttribute& attr,
|
|
45
|
+
const Field& F, size_t version) {
|
|
46
|
+
std::vector<uint8_t> vbuf;
|
|
47
|
+
vbuf.push_back('"');
|
|
48
|
+
vbuf.insert(vbuf.end(), attr.id, attr.id + attr.id_len);
|
|
49
|
+
vbuf.push_back('"');
|
|
50
|
+
vbuf.push_back(':');
|
|
51
|
+
vbuf.push_back('"');
|
|
52
|
+
vbuf.insert(vbuf.end(), attr.value, attr.value + attr.value_len);
|
|
53
|
+
vbuf.push_back('"');
|
|
54
|
+
for (size_t i = 0; i < 128; ++i) {
|
|
55
|
+
if (i < vbuf.size()) {
|
|
56
|
+
filler.push_back(vbuf[i], 8, F);
|
|
57
|
+
} else {
|
|
58
|
+
filler.push_back(0, 8, F);
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
filler.push_back(vbuf.size(), 8, F);
|
|
62
|
+
return true;
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
|
|
66
|
+
template <class EC, class ScalarField, size_t SHABlocks>
|
|
67
|
+
class JWTWitness {
|
|
68
|
+
constexpr static size_t kMaxSHABlocks = SHABlocks;
|
|
69
|
+
using Field = typename EC::Field;
|
|
70
|
+
using Elt = typename Field::Elt;
|
|
71
|
+
using Nat = typename Field::N;
|
|
72
|
+
using EcdsaWitness = VerifyWitness3<EC, ScalarField>;
|
|
73
|
+
const EC& ec_;
|
|
74
|
+
|
|
75
|
+
public:
|
|
76
|
+
Elt e_, dpkx_, dpky_;
|
|
77
|
+
EcdsaWitness sig_;
|
|
78
|
+
EcdsaWitness kb_sig_;
|
|
79
|
+
|
|
80
|
+
uint8_t preimage_[64 * kMaxSHABlocks];
|
|
81
|
+
uint8_t e_bits_[256];
|
|
82
|
+
FlatSHA256Witness::BlockWitness sha_bw_[kMaxSHABlocks];
|
|
83
|
+
uint8_t numb_; /* Number of the correct sha block. */
|
|
84
|
+
uint8_t na_; /* Number of attributes. */
|
|
85
|
+
size_t payload_ind_, payload_len_;
|
|
86
|
+
std::vector<size_t> attr_ind_;
|
|
87
|
+
|
|
88
|
+
struct Jws {
|
|
89
|
+
std::string msg;
|
|
90
|
+
std::string payload;
|
|
91
|
+
size_t payload_len, payload_ind;
|
|
92
|
+
Nat ne, nr, ns;
|
|
93
|
+
Elt e, r, s;
|
|
94
|
+
};
|
|
95
|
+
|
|
96
|
+
bool parse_jws(std::string jwt, Jws& jws) {
|
|
97
|
+
size_t dot = jwt.find_first_of('.');
|
|
98
|
+
if (dot == std::string::npos) {
|
|
99
|
+
log(ERROR, "JWT is not well-formed");
|
|
100
|
+
return false;
|
|
101
|
+
}
|
|
102
|
+
size_t dot2 = jwt.find_first_of('.', dot + 1);
|
|
103
|
+
if (dot2 == std::string::npos) {
|
|
104
|
+
log(ERROR, "JWT is not in the format of header.payload.signature");
|
|
105
|
+
return false;
|
|
106
|
+
}
|
|
107
|
+
auto hdr = jwt.substr(0, dot);
|
|
108
|
+
auto pld = jwt.substr(dot + 1, dot2 - dot - 1);
|
|
109
|
+
auto sig = jwt.substr(dot2 + 1);
|
|
110
|
+
jws.msg = jwt.substr(0, dot2);
|
|
111
|
+
jws.payload = pld;
|
|
112
|
+
jws.payload_ind = dot + 1;
|
|
113
|
+
jws.payload_len = pld.size();
|
|
114
|
+
|
|
115
|
+
uint8_t hash[kSHA256DigestSize];
|
|
116
|
+
SHA256 sha;
|
|
117
|
+
sha.Update((const uint8_t*)jws.msg.data(), dot2);
|
|
118
|
+
sha.DigestData(hash);
|
|
119
|
+
jws.ne = nat_from_be(hash);
|
|
120
|
+
|
|
121
|
+
std::vector<uint8_t> sigb;
|
|
122
|
+
sigb.reserve(ec_.f_.kBytes * 2);
|
|
123
|
+
if (!base64_decode_url(sig, sigb) || sigb.size() < ec_.f_.kBytes * 2) {
|
|
124
|
+
log(ERROR, "signature is not in the format of base64url");
|
|
125
|
+
return false;
|
|
126
|
+
}
|
|
127
|
+
jws.nr = nat_from_be(&sigb[0]);
|
|
128
|
+
jws.ns = nat_from_be(&sigb[ec_.f_.kBytes]);
|
|
129
|
+
|
|
130
|
+
jws.e = ec_.f_.to_montgomery(jws.ne);
|
|
131
|
+
jws.r = ec_.f_.to_montgomery(jws.nr);
|
|
132
|
+
jws.s = ec_.f_.to_montgomery(jws.ns);
|
|
133
|
+
|
|
134
|
+
return true;
|
|
135
|
+
}
|
|
136
|
+
|
|
137
|
+
explicit JWTWitness(const EC& ec, const ScalarField& Fn)
|
|
138
|
+
: ec_(ec), sig_(Fn, ec), kb_sig_(Fn, ec) {}
|
|
139
|
+
|
|
140
|
+
void fill_witness(DenseFiller<Field>& filler) const {
|
|
141
|
+
filler.push_back(e_);
|
|
142
|
+
filler.push_back(dpkx_);
|
|
143
|
+
filler.push_back(dpky_);
|
|
144
|
+
sig_.fill_witness(filler);
|
|
145
|
+
kb_sig_.fill_witness(filler);
|
|
146
|
+
|
|
147
|
+
// Write the message.
|
|
148
|
+
for (size_t i = 0; i < 64 * kMaxSHABlocks; ++i) {
|
|
149
|
+
filler.push_back(preimage_[i], 8, ec_.f_);
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
for (size_t i = 0; i < 256; ++i) {
|
|
153
|
+
filler.push_back(e_bits_[i], 1, ec_.f_);
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
for (size_t j = 0; j < kMaxSHABlocks; ++j) {
|
|
157
|
+
fill_sha(filler, sha_bw_[j]);
|
|
158
|
+
}
|
|
159
|
+
|
|
160
|
+
filler.push_back(numb_, 8, ec_.f_);
|
|
161
|
+
|
|
162
|
+
for (size_t i = 0; i < na_; ++i) {
|
|
163
|
+
filler.push_back(attr_ind_[i], kJWTIndexBits, ec_.f_);
|
|
164
|
+
}
|
|
165
|
+
|
|
166
|
+
filler.push_back(payload_ind_, kJWTIndexBits, ec_.f_);
|
|
167
|
+
filler.push_back(payload_len_, kJWTIndexBits, ec_.f_);
|
|
168
|
+
}
|
|
169
|
+
|
|
170
|
+
void fill_sha(DenseFiller<Field>& filler,
|
|
171
|
+
const FlatSHA256Witness::BlockWitness& bw) const {
|
|
172
|
+
BitPluckerEncoder<Field, kSHAJWTPluckerBits> BPENC(ec_.f_);
|
|
173
|
+
for (size_t k = 0; k < 48; ++k) {
|
|
174
|
+
filler.push_back(BPENC.mkpacked_v32(bw.outw[k]));
|
|
175
|
+
}
|
|
176
|
+
for (size_t k = 0; k < 64; ++k) {
|
|
177
|
+
filler.push_back(BPENC.mkpacked_v32(bw.oute[k]));
|
|
178
|
+
filler.push_back(BPENC.mkpacked_v32(bw.outa[k]));
|
|
179
|
+
}
|
|
180
|
+
for (size_t k = 0; k < 8; ++k) {
|
|
181
|
+
filler.push_back(BPENC.mkpacked_v32(bw.h1[k]));
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
|
|
185
|
+
// Transform from u32 be (i.e., be[0] is the most significant nibble)
|
|
186
|
+
// into nat form, which requires first converting to le byte order.
|
|
187
|
+
Nat nat_from_u32(const uint32_t be[]) const {
|
|
188
|
+
uint8_t tmp[Nat::kBytes];
|
|
189
|
+
const size_t top = Nat::kBytes / 4;
|
|
190
|
+
for (size_t i = 0; i < Nat::kBytes; ++i) {
|
|
191
|
+
tmp[i] = (be[top - i / 4 - 1] >> ((i % 4) * 8)) & 0xff;
|
|
192
|
+
}
|
|
193
|
+
return Nat::of_bytes(tmp);
|
|
194
|
+
}
|
|
195
|
+
|
|
196
|
+
// Transform from u8 be (i.e., be[31] is the most significant byte) into
|
|
197
|
+
// nat form, which requires first converting to le byte order.
|
|
198
|
+
Nat nat_from_be(const uint8_t be[/* Nat::kBytes */]) {
|
|
199
|
+
uint8_t tmp[Nat::kBytes];
|
|
200
|
+
// Transform into byte-wise le representation.
|
|
201
|
+
for (size_t i = 0; i < Nat::kBytes; ++i) {
|
|
202
|
+
tmp[i] = be[Nat::kBytes - i - 1];
|
|
203
|
+
}
|
|
204
|
+
return Nat::of_bytes(tmp);
|
|
205
|
+
}
|
|
206
|
+
|
|
207
|
+
bool compute_witness(std::string jwt, Elt pkX, Elt pkY,
|
|
208
|
+
std::vector<OpenedAttribute> attrs) {
|
|
209
|
+
size_t tilde = jwt.find_first_of('~');
|
|
210
|
+
if (tilde == std::string::npos) {
|
|
211
|
+
log(ERROR, "JWT is not in the format of header.payload.signature~kb");
|
|
212
|
+
return false;
|
|
213
|
+
}
|
|
214
|
+
auto id = jwt.substr(0, tilde);
|
|
215
|
+
auto kb = jwt.substr(tilde + 1);
|
|
216
|
+
Jws id_jws;
|
|
217
|
+
if (!parse_jws(id, id_jws)) {
|
|
218
|
+
return false;
|
|
219
|
+
}
|
|
220
|
+
|
|
221
|
+
if (id_jws.msg.size() > kMaxSHABlocks * 64 - 9) {
|
|
222
|
+
log(INFO, "JWT payload bytes is too large");
|
|
223
|
+
return false;
|
|
224
|
+
}
|
|
225
|
+
|
|
226
|
+
FlatSHA256Witness::transform_and_witness_message(
|
|
227
|
+
id_jws.msg.size(), reinterpret_cast<const uint8_t*>(id_jws.msg.data()),
|
|
228
|
+
kMaxSHABlocks, numb_, preimage_, sha_bw_);
|
|
229
|
+
|
|
230
|
+
e_ = id_jws.e;
|
|
231
|
+
payload_ind_ = id_jws.payload_ind;
|
|
232
|
+
payload_len_ = id_jws.payload_len;
|
|
233
|
+
if (!sig_.compute_witness(pkX, pkY, id_jws.ne, id_jws.nr, id_jws.ns)) {
|
|
234
|
+
log(ERROR, "signature verification failed");
|
|
235
|
+
return false;
|
|
236
|
+
}
|
|
237
|
+
|
|
238
|
+
for (size_t i = 0; i < 256; ++i) {
|
|
239
|
+
e_bits_[i] = id_jws.ne.bit(i);
|
|
240
|
+
}
|
|
241
|
+
|
|
242
|
+
// Find the positions of each of the attributes.
|
|
243
|
+
na_ = attrs.size();
|
|
244
|
+
std::vector<uint8_t> payload;
|
|
245
|
+
payload.reserve(id_jws.payload.size());
|
|
246
|
+
if (!base64_decode_url(id_jws.payload, payload)) {
|
|
247
|
+
log(ERROR, "JWT payload is not in the format of base64url");
|
|
248
|
+
return false;
|
|
249
|
+
}
|
|
250
|
+
std::string str((const char*)payload.data(), payload.size());
|
|
251
|
+
for (size_t i = 0; i < na_; ++i) {
|
|
252
|
+
std::string idm =
|
|
253
|
+
"\"" + std::string((const char*)attrs[i].id, attrs[i].id_len) +
|
|
254
|
+
"\":\"" +
|
|
255
|
+
std::string((const char*)attrs[i].value, attrs[i].value_len) + "\"";
|
|
256
|
+
size_t ind = str.find(idm, 0);
|
|
257
|
+
if (ind == std::string::npos) {
|
|
258
|
+
log(ERROR, "Could not find attribute %s", idm.c_str());
|
|
259
|
+
return false;
|
|
260
|
+
}
|
|
261
|
+
attr_ind_.push_back(ind);
|
|
262
|
+
}
|
|
263
|
+
|
|
264
|
+
// Find device public key in payload.
|
|
265
|
+
std::string cnf_prefix =
|
|
266
|
+
"\"cnf\":{\"jwk\":{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"";
|
|
267
|
+
size_t x_ind = str.find(cnf_prefix.data(), 0, cnf_prefix.size());
|
|
268
|
+
if (x_ind == std::string::npos) {
|
|
269
|
+
log(ERROR, "Could not find device public key in payload");
|
|
270
|
+
return false;
|
|
271
|
+
}
|
|
272
|
+
size_t y_ind = str.find("\",\"y\":\"", x_ind + cnf_prefix.size());
|
|
273
|
+
if (y_ind == std::string::npos) {
|
|
274
|
+
log(ERROR, "Could not find device public key in payload");
|
|
275
|
+
return false;
|
|
276
|
+
}
|
|
277
|
+
std::string x = str.substr(x_ind + cnf_prefix.size(), 43);
|
|
278
|
+
std::string y = str.substr(y_ind + 7, 43);
|
|
279
|
+
std::vector<uint8_t> dpkx, dpky;
|
|
280
|
+
dpkx.reserve(65); dpky.reserve(65);
|
|
281
|
+
if (!base64_decode_url(x, dpkx)) {
|
|
282
|
+
log(ERROR, "CNF:dpkx payload is not in the format of base64url");
|
|
283
|
+
return false;
|
|
284
|
+
}
|
|
285
|
+
if (!base64_decode_url(y, dpky)) {
|
|
286
|
+
log(ERROR, "CNF:dpky payload is not in the format of base64url");
|
|
287
|
+
return false;
|
|
288
|
+
}
|
|
289
|
+
Nat nx = nat_from_be(dpkx.data());
|
|
290
|
+
Nat ny = nat_from_be(dpky.data());
|
|
291
|
+
dpkx_ = ec_.f_.to_montgomery(nx);
|
|
292
|
+
dpky_ = ec_.f_.to_montgomery(ny);
|
|
293
|
+
|
|
294
|
+
// Process the key binding portion
|
|
295
|
+
if (kb.empty()) {
|
|
296
|
+
log(ERROR, "kb portion is missing");
|
|
297
|
+
return false;
|
|
298
|
+
}
|
|
299
|
+
Jws kb_jws;
|
|
300
|
+
if (!parse_jws(kb, kb_jws)) {
|
|
301
|
+
log(ERROR, "kb jws parsing failed");
|
|
302
|
+
return false;
|
|
303
|
+
}
|
|
304
|
+
if (!kb_sig_.compute_witness(dpkx_, dpky_, kb_jws.ne, kb_jws.nr,
|
|
305
|
+
kb_jws.ns)) {
|
|
306
|
+
log(ERROR, "kb signature verification failed");
|
|
307
|
+
return false;
|
|
308
|
+
}
|
|
309
|
+
return true;
|
|
310
|
+
}
|
|
311
|
+
};
|
|
312
|
+
|
|
313
|
+
} // namespace proofs
|
|
314
|
+
|
|
315
|
+
#endif // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_JWT_JWT_WITNESS_H_
|