longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc

@@ -0,0 +1,174 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/tests/ripemd/ripemd_witness.h"
+
+#include <cstdint>
+#include <cstring>
+#include <vector>
+
+#include "circuits/tests/ripemd/ripemd_constants.h"
+
+namespace proofs {
+
+namespace ripemd {
+inline uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }
+
+inline uint32_t f1(uint32_t x, uint32_t y, uint32_t z) { return x ^ y ^ z; }
+inline uint32_t f2(uint32_t x, uint32_t y, uint32_t z) {
+  return (x & y) | (~x & z);
+}
+inline uint32_t f3(uint32_t x, uint32_t y, uint32_t z) { return (x | ~y) ^ z; }
+inline uint32_t f4(uint32_t x, uint32_t y, uint32_t z) {
+  return (x & z) | (y & ~z);
+}
+inline uint32_t f5(uint32_t x, uint32_t y, uint32_t z) { return x ^ (y | ~z); }
+
+#define ROTATE_STATE(a, b, c, d, e, t) \
+  do {                                 \
+    (a) = (e);                         \
+    (e) = (d);                         \
+    (d) = rol((c), 10);                \
+    (c) = (b);                         \
+    (b) = (t);                         \
+  } while (0)
+
+inline uint32_t f_round_left(int r, uint32_t x, uint32_t y, uint32_t z) {
+  switch (r) {
+    case 0:
+      return f1(x, y, z);
+    case 1:
+      return f2(x, y, z);
+    case 2:
+      return f3(x, y, z);
+    case 3:
+      return f4(x, y, z);
+    case 4:
+      return f5(x, y, z);
+  }
+  return 0;
+}
+
+inline uint32_t f_round_right(int r, uint32_t x, uint32_t y, uint32_t z) {
+  switch (r) {
+    case 0:
+      return f5(x, y, z);
+    case 1:
+      return f4(x, y, z);
+    case 2:
+      return f3(x, y, z);
+    case 3:
+      return f2(x, y, z);
+    case 4:
+      return f1(x, y, z);
+  }
+  return 0;
+}
+
+}  // namespace ripemd
+
+using ripemd::f_round_left;
+using ripemd::f_round_right;
+using ripemd::KL;
+using ripemd::KR;
+using ripemd::RL;
+using ripemd::rol;
+using ripemd::RR;
+using ripemd::SL;
+using ripemd::SR;
+
+void RipemdWitness::witness_block(const uint32_t in[16], const uint32_t H0[5],
+                                  uint32_t left_temp[80],
+                                  uint32_t left_calc[80],
+                                  uint32_t right_temp[80],
+                                  uint32_t right_calc[80], uint32_t H1[5]) {
+  uint32_t a = H0[0], b = H0[1], c = H0[2], d = H0[3], e = H0[4];
+  uint32_t aa = H0[0], bb = H0[1], cc = H0[2], dd = H0[3], ee = H0[4];
+
+  for (int round = 0; round < 5; ++round) {
+    for (int step = 0; step < 16; ++step) {
+      int idx = round * 16 + step;
+
+      // Left
+      {
+        uint32_t f_val = f_round_left(round, b, c, d);
+        uint32_t temp = a + f_val + in[RL[round][step]] + KL[round];
+        left_temp[idx] = temp;
+        uint32_t calc = rol(temp, SL[round][step]) + e;
+        left_calc[idx] = calc;
+        ROTATE_STATE(a, b, c, d, e, calc);
+      }
+
+      // Right
+      {
+        uint32_t f_val = f_round_right(round, bb, cc, dd);
+        uint32_t temp = aa + f_val + in[RR[round][step]] + KR[round];
+        right_temp[idx] = temp;
+        uint32_t calc = rol(temp, SR[round][step]) + ee;
+        right_calc[idx] = calc;
+        ROTATE_STATE(aa, bb, cc, dd, ee, calc);
+      }
+    }
+  }
+
+  H1[0] = H0[1] + c + dd;
+  H1[1] = H0[2] + d + ee;
+  H1[2] = H0[3] + e + aa;
+  H1[3] = H0[4] + a + bb;
+  H1[4] = H0[0] + b + cc;
+}
+
+std::vector<uint8_t> RipemdWitness::PadMessage(
+    const std::vector<uint8_t>& msg) {
+  std::vector<uint8_t> padded = msg;
+  uint64_t L = padded.size() * 8;
+  padded.push_back(0x80);
+  while ((padded.size() % 64) != 56) {
+    padded.push_back(0x00);
+  }
+  // Append length (64-bit little endian)
+  for (int i = 0; i < 8; ++i) {
+    padded.push_back((L >> (i * 8)) & 0xff);
+  }
+  return padded;
+}
+
+void RipemdWitness::witness_message(const std::vector<uint8_t>& msg,
+                                    std::vector<BlockWitness>& witnesses) {
+  // 1. Padding
+  std::vector<uint8_t> padded = PadMessage(msg);
+
+  // 2. Process blocks
+  size_t num_blocks = padded.size() / 64;
+  witnesses.resize(num_blocks);
+  uint32_t initial[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
+                         0xC3D2E1F0};
+  const uint32_t* H = initial;
+
+  for (size_t b = 0; b < num_blocks; ++b) {
+    uint32_t in[16];
+    for (int i = 0; i < 16; ++i) {
+      // Little endian load
+      in[i] = (uint32_t)padded[b * 64 + i * 4 + 0] |
+              ((uint32_t)padded[b * 64 + i * 4 + 1] << 8) |
+              ((uint32_t)padded[b * 64 + i * 4 + 2] << 16) |
+              ((uint32_t)padded[b * 64 + i * 4 + 3] << 24);
+    }
+    witness_block(in, H, witnesses[b].left_temp, witnesses[b].left_calc,
+                  witnesses[b].right_temp, witnesses[b].right_calc,
+                  witnesses[b].h_out);
+    H = witnesses[b].h_out;
+  }
+}
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h

@@ -0,0 +1,140 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_RIPEMD_RIPEMD_WITNESS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_RIPEMD_RIPEMD_WITNESS_H_
+
+#include <cstddef>
+#include <cstdint>
+#include <vector>
+
+#include "arrays/dense.h"
+#include "circuits/logic/bit_plucker_encoder.h"
+#include "util/panic.h"
+
+namespace proofs {
+
+struct RipemdWitness {
+  using v32 = uint32_t;
+
+  struct BlockWitness {
+    uint32_t left_temp[80];
+    uint32_t left_calc[80];
+    uint32_t right_temp[80];
+    uint32_t right_calc[80];
+    uint32_t h_out[5];
+  };
+
+  static void witness_block(const uint32_t in[16], const uint32_t H0[5],
+                            uint32_t left_temp[80], uint32_t left_calc[80],
+                            uint32_t right_temp[80], uint32_t right_calc[80],
+                            uint32_t H1[5]);
+
+  static void witness_message(const std::vector<uint8_t>& msg,
+                              std::vector<BlockWitness>& witnesses);
+
+  static std::vector<uint8_t> PadMessage(const std::vector<uint8_t>& msg);
+
+  template <class Field, int plucker_size = 1>
+  static void fill_input(DenseFiller<Field>& filler,
+                         const std::vector<uint8_t>& message, size_t ninputs,
+                         size_t maxBlocks, const Field& f);
+};
+
+template <class Field, int plucker_size>
+void RipemdWitness::fill_input(DenseFiller<Field>& filler,
+                               const std::vector<uint8_t>& message,
+                               size_t ninputs, size_t maxBlocks,
+                               const Field& f) {
+  std::vector<RipemdWitness::BlockWitness> bwb;
+  RipemdWitness::witness_message(message, bwb);
+  size_t numBlocks = maxBlocks;
+  uint8_t numb = bwb.size();
+
+  // checking if message fits in maxBlocks
+  check(bwb.size() <= maxBlocks, "bwb.size() <= maxBlocks");
+
+  // fill input wires
+  filler.push_back(f.one());
+  filler.push_back(numb, 8, f);
+
+  // Let's replicate padding here to get full input bytes.
+  std::vector<uint8_t> padded = RipemdWitness::PadMessage(message);
+
+  for (size_t j = 0; j < padded.size(); j++) {
+    filler.push_back(padded[j], 8, f);
+  }
+  // If padded.size() < 64 * numBlocks, fill remaining.
+  for (size_t j = padded.size(); j < 64 * numBlocks; j++) {
+    filler.push_back((uint8_t)0, 8, f);
+  }
+
+  // Target hash.
+  if (!bwb.empty()) {
+    const auto& final_h = bwb.back().h_out;
+    for (int j = 0; j < 5; ++j) {
+      uint32_t val = final_h[j];
+      for (int k = 0; k < 32; ++k) {
+        uint8_t bit = (val >> k) & 1;
+        filler.push_back(bit ? f.one() : f.zero());
+      }
+    }
+  } else {
+    for (int k = 0; k < 160; ++k) filler.push_back(f.zero());
+  }
+
+  // Block witnesses.
+  BitPluckerEncoder<Field, plucker_size> BPENC(f);
+  // Pad witnesses if needed
+  if (bwb.size() < numBlocks) {
+    auto last_h = bwb.empty() ? std::array<uint32_t, 5>{0x67452301, 0xEFCDAB89,
+                                                        0x98BADCFE, 0x10325476,
+                                                        0xC3D2E1F0}
+                              : std::array<uint32_t, 5>{0};
+    if (!bwb.empty()) {
+      for (int k = 0; k < 5; ++k) last_h[k] = bwb.back().h_out[k];
+    }
+
+    // We need to generate witnesses for compressing blocks of 0s.
+    // The input for these blocks is 0.
+    uint32_t zero_block[16] = {0};
+    for (size_t j = bwb.size(); j < numBlocks; ++j) {
+      RipemdWitness::BlockWitness bw;
+      uint32_t h1[5];
+      RipemdWitness::witness_block(zero_block, last_h.data(), bw.left_temp,
+                                   bw.left_calc, bw.right_temp, bw.right_calc,
+                                   h1);
+      for (int k = 0; k < 5; ++k) bw.h_out[k] = h1[k];  // Store h1 as h_out
+      bwb.push_back(bw);
+      for (int k = 0; k < 5; ++k) last_h[k] = h1[k];
+    }
+  }
+
+  for (size_t j = 0; j < numBlocks; j++) {
+    const auto& w = bwb[j];
+    for (size_t k = 0; k < 80; ++k) {
+      filler.push_back(BPENC.mkpacked_v32(w.left_temp[k]));
+      filler.push_back(BPENC.mkpacked_v32(w.left_calc[k]));
+      filler.push_back(BPENC.mkpacked_v32(w.right_temp[k]));
+      filler.push_back(BPENC.mkpacked_v32(w.right_calc[k]));
+    }
+    for (size_t k = 0; k < 5; ++k) {
+      filler.push_back(BPENC.mkpacked_v32(w.h_out[k]));
+    }
+  }
+}
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_RIPEMD_RIPEMD_WITNESS_H_

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h

@@ -0,0 +1,351 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_CIRCUIT_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_CIRCUIT_H_
+
+// ----------------------------------------------------------------------------
+//
+// !!!!! DO NOT USE IN PRODUCTION !!!!!
+//
+// This SHA3 circuit is an experimental implementation for research purposes.
+// It has not been fully vetted and is not recommended for production use cases
+// at this time.
+//
+// Sha3 and SHAKE256 are specified in
+//
+//      FIPS PUB 202
+//      SHA-3 Standard: Permutation-Based Hash and
+//      Extendable-Output Functions
+//
+//      https://nvlpubs.nist.gov/nistPubs/fips/nist.fips.202.pdf
+//
+// ----------------------------------------------------------------------------
+
+#include <stddef.h>
+
+#include <algorithm>
+#include <cstdint>
+#include <vector>
+
+#include "circuits/tests/sha3/sha3_round_constants.h"
+#include "circuits/tests/sha3/sha3_slicing.h"
+#include "util/panic.h"
+
+namespace proofs {
+template <class LogicCircuit>
+class Sha3Circuit {
+  typedef typename LogicCircuit::template bitvec<64> v64;
+  typedef typename LogicCircuit::template bitvec<8> v8;
+
+  const LogicCircuit& lc_;
+
+  v64 of_scalar(uint64_t x) const { return lc_.template vbit<64>(x); }
+
+  // Implementation of Step 6 in Algorithm 8, page 18--19 of the spec.
+  void xorin_block(v64 A[5][5], const std::vector<v8>& block, size_t rate) {
+    size_t x = 0, y = 0;
+    for (size_t i = 0; i < rate; i += 8) {
+      v64 a;
+      for (size_t b = 0; b < 8; ++b) {
+        for (size_t j = 0; j < 8; ++j) {
+          a[b * 8 + j] = block[i + b][j];
+        }
+      }
+      A[x][y] = lc_.vxor(A[x][y], a);
+      ++x;
+      if (x == 5) {
+        ++y;
+        x = 0;
+      }
+    }
+  }
+
+  // FIPS 202 3.2.1, theta
+  void theta(v64 A[5][5]) {
+    // The reference computes a five-way xor
+    //
+    // C[x] = A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4]
+    //
+    // However, computing C[x] requires three levels of xor.
+    // Instead, we write C[x] = C0[x] ^ C1[x] where
+    //
+    // C0[x] = A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3]
+    // C1[x] = A[x][4]
+    //
+    // C0 requires two XOR levels, C1 is free.
+    //
+    // Later, the reference computes
+    //
+    //  D_x = C[(x + 4) % 5] ^ rotl(C[(x + 1) % 5], 1)
+    //
+    // Similarly, we split D_x = D0_x ^ D1_x.
+    v64 C0[5], C1[5];
+    for (size_t x = 0; x < 5; ++x) {
+      auto a01 = lc_.vxor(A[x][0], A[x][1]);
+      auto a23 = lc_.vxor(A[x][2], A[x][3]);
+      C0[x] = lc_.vxor(a23, a01);
+      C1[x] = A[x][4];
+    }
+
+    for (size_t x = 0; x < 5; ++x) {
+      v64 D0_x = lc_.vxor(C0[(x + 4) % 5], lc_.vrotl(C0[(x + 1) % 5], 1));
+      v64 D1_x = lc_.vxor(C1[(x + 4) % 5], lc_.vrotl(C1[(x + 1) % 5], 1));
+      for (size_t y = 0; y < 5; ++y) {
+        // D1_x is available two levels before D0_x, so we xor
+        // it in first.
+        A[x][y] = lc_.vxor(A[x][y], D1_x);
+        A[x][y] = lc_.vxor(A[x][y], D0_x);
+      }
+    }
+  }
+
+  // FIPS 202 3.2.2, rho
+  void rho(v64 A[5][5]) {
+    size_t x = 1, y = 0;
+    for (size_t t = 0; t < 24; ++t) {
+      A[x][y] = lc_.vrotl(A[x][y], sha3::sha3_rotc[t]);
+      size_t nx = y, ny = (2 * x + 3 * y) % 5;
+      x = nx;
+      y = ny;
+    }
+  }
+
+  // FIPS 202 3.2.3, pi
+  void pi(const v64 A[5][5], v64 A1[5][5]) {
+    for (size_t x = 0; x < 5; ++x) {
+      for (size_t y = 0; y < 5; ++y) {
+        A1[x][y] = A[(x + 3 * y) % 5][x];
+      }
+    }
+  }
+
+  // FIPS 202 3.2.4, chi
+  void chi(const v64 A1[5][5], v64 A[5][5]) {
+    for (size_t x = 0; x < 5; ++x) {
+      for (size_t y = 0; y < 5; ++y) {
+        A[x][y] = lc_.vxor(A1[x][y], lc_.vand(A1[(x + 2) % 5][y],
+                                              lc_.vnot(A1[(x + 1) % 5][y])));
+      }
+    }
+  }
+
+  // FIPS 202 3.2.5, iota
+  void iota(v64 A[5][5], size_t round) {
+    A[0][0] = lc_.vxor(A[0][0], of_scalar(sha3::sha3_rc[round]));
+  }
+
+ public:
+  explicit Sha3Circuit(const LogicCircuit& lc) : lc_(lc) {}
+
+  struct BlockWitness {
+    // One set of wires per round.  However the circuit only
+    // uses rounds satisfying SHA3_SLICE_AT()
+    v64 a_intermediate[24][5][5];
+
+    void input(const LogicCircuit& lc) {
+      for (size_t round = 0; round < 24; ++round) {
+        if (sha3_slice_at(round)) {
+          for (size_t x = 0; x < 5; ++x) {
+            for (size_t y = 0; y < 5; ++y) {
+              a_intermediate[round][x][y] = lc.template vinput<64>();
+            }
+          }
+        }
+      }
+    }
+  };
+
+  // This version of the Keccak-f[1600] permutation does not use any witnesses.
+  // It provides a baseline to measure the depth and computation required.
+  void keccak_f_1600(v64 A[5][5]) {
+    for (size_t round = 0; round < 24; ++round) {
+      theta(A);
+      rho(A);
+      v64 A1[5][5];
+      pi(A, A1);
+      chi(A1, A);
+      iota(A, round);
+    }
+  }
+
+  void keccak_f_1600(v64 A[5][5], const BlockWitness& bw) {
+    for (size_t round = 0; round < 24; ++round) {
+      theta(A);
+      rho(A);
+      v64 A1[5][5];
+      pi(A, A1);
+      chi(A1, A);
+      iota(A, round);
+
+      if (sha3_slice_at(round)) {
+        for (size_t x = 0; x < 5; ++x) {
+          for (size_t y = 0; y < 5; ++y) {
+            sha3_vassert_eq(A[x][y], bw.a_intermediate[round][x][y]);
+            A[x][y] = bw.a_intermediate[round][x][y];
+          }
+        }
+      }
+    }
+  }
+
+  // Computes SHAKE256 hash of seed with output length outlen bytes, and stores
+  // result in out.
+  //
+  // SHAKE256 is an extendable-output function (XOF) from Keccak family,
+  // standardized in FIPS 202.
+  //
+  // Arguments:
+  // - seed: Input message as a vector of v8.
+  // - outlen: Desired output length in bytes.
+  // - out: Output vector for hash result, resized to outlen v8.
+  // - bws: Block witnesses for Keccak rounds. One witness is required for each
+  //        call to keccak_f_1600, which occurs once per 136-byte block of
+  //        padded input, and once per 136-byte block of squeezed output
+  //        (except for the last block).
+  //
+  // Constraints:
+  // The number of block witnesses bws.size() must be exactly equal to:
+  // (seed.size() + 136) / 136 + (outlen == 0 ? 0 : (outlen - 1) / 136).
+  void assert_shake256(const std::vector<v8>& seed, size_t outlen,
+                       std::vector<v8>& out,
+                       const std::vector<BlockWitness>& bws) {
+    size_t rate = 136;  // shake256 rate
+    // Calculate expected number of blocks
+    size_t num_absorb_blocks = (seed.size() + rate) / rate;
+    size_t num_squeeze_blocks = (outlen == 0) ? 0 : (outlen - 1) / rate;
+    check(bws.size() == num_absorb_blocks + num_squeeze_blocks,
+          "Incorrect number of BlockWitnesses");
+
+    // Eagerly populate output
+    out.resize(outlen);
+    size_t out_ptr = 0;
+    size_t sqz_req = 0;
+    while (out_ptr < outlen) {
+      std::vector<v8> squeeze_block(200);
+      // It is possible to use a single index into A here,
+      // but this more verbose sx,sy makes it easier to map
+      // to the Fips spec.
+      size_t sx = 0, sy = 0;
+      for (size_t i = 0; i < rate; i += 8) {
+        // Handle the awkward copy of v64 into v8s.
+        for (size_t b = 0; b < 8; ++b) {
+          for (size_t j = 0; j < 8; ++j) {
+            squeeze_block[i + b][j] =
+                bws[num_absorb_blocks - 1 + sqz_req]
+                    .a_intermediate[23][sx][sy][b * 8 + j];
+          }
+        }
+        ++sx;
+        if (sx == 5) {
+          ++sy;
+          sx = 0;
+        }
+      }
+      size_t take = std::min(rate, outlen - out_ptr);
+      for (size_t i = 0; i < take; ++i) {
+        out[out_ptr++] = squeeze_block[i];
+      }
+      sqz_req++;
+    }
+
+    // Evaluate blocks in parallel
+    // Absorb phase
+    std::vector<v8> block(200);  // invariant: block[] is zero-padded.
+    for (size_t i = 0; i < 200; ++i) block[i] = lc_.template vbit<8>(0);
+    size_t bw_idx = 0;
+    size_t ptr = 0;
+
+    for (size_t i = 0; i < seed.size(); ++i) {
+      block[ptr++] = seed[i];
+      if (ptr == rate) {
+        v64 A_in[5][5];
+        for (int x = 0; x < 5; ++x) {
+          for (int y = 0; y < 5; ++y) {
+            if (bw_idx == 0) {
+              A_in[x][y] = lc_.template vbit<64>(0);
+            } else {
+              A_in[x][y] = bws[bw_idx - 1].a_intermediate[23][x][y];
+            }
+          }
+        }
+
+        xorin_block(A_in, block, rate);
+        keccak_f_1600(A_in, bws[bw_idx++]);
+        ptr = 0;
+        for (size_t j = 0; j < 200; ++j) block[j] = lc_.template vbit<8>(0);
+      }
+    }
+
+    // Pad and process the last block
+    auto pad1 = lc_.template vbit<8>(0x1F);
+    auto pad2 = lc_.template vbit<8>(0x80);
+    block[ptr] = pad1;
+    block[rate - 1] = lc_.vxor(block[rate - 1], pad2);
+
+    v64 A_in[5][5];
+    for (int x = 0; x < 5; ++x) {
+      for (int y = 0; y < 5; ++y) {
+        if (bw_idx == 0) {
+          A_in[x][y] = lc_.template vbit<64>(0);
+        } else {
+          A_in[x][y] = bws[bw_idx - 1].a_intermediate[23][x][y];
+        }
+      }
+    }
+
+    xorin_block(A_in, block, rate);
+    keccak_f_1600(A_in, bws[bw_idx++]);
+
+    // Squeeze phase blocks
+    for (size_t i = 0; i < num_squeeze_blocks; ++i) {
+      v64 A_sqz[5][5];
+      for (int x = 0; x < 5; ++x) {
+        for (int y = 0; y < 5; ++y) {
+          A_sqz[x][y] = bws[num_absorb_blocks - 1 + i].a_intermediate[23][x][y];
+        }
+      }
+      keccak_f_1600(A_sqz, bws[bw_idx++]);
+    }
+
+    check(bw_idx == bws.size(), "Did not consume all BlockWitnesses");
+  }
+
+  template <size_t I0, size_t I1>
+  void sha3_vassert_eq_range(const v64& x, const v64& y) const {
+    auto xx = lc_.as_scalar(lc_.template slice<I0, I1>(x));
+    auto yy = lc_.as_scalar(lc_.template slice<I0, I1>(y));
+    lc_.assert_eq(xx, yy);
+  }
+
+  void sha3_vassert_eq(const v64& x, const v64& y) const {
+    if (LogicCircuit::Field::kSubFieldBits == 16) {
+      sha3_vassert_eq_range<0, 16>(x, y);
+      sha3_vassert_eq_range<16, 32>(x, y);
+      sha3_vassert_eq_range<32, 48>(x, y);
+      sha3_vassert_eq_range<48, 64>(x, y);
+    } else {
+      // Assume >= 22 bit subfield.  If this assumption is
+      // wrong, as_scalar() will crash at circuit-compile time,
+      // but we won't produce an unsound circuit.
+      sha3_vassert_eq_range<0, 22>(x, y);
+      sha3_vassert_eq_range<22, 43>(x, y);
+      sha3_vassert_eq_range<43, 64>(x, y);
+    }
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_CIRCUIT_H_