longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h

@@ -0,0 +1,59 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_REFERENCE_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_REFERENCE_H_
+
+// !!!!! DO NOT USE IN PRODUCTION !!!!!
+
+/* This is a simple reference implementation of sha3
+   to be used to design zero-knowledge circuits.  DO NOT USE
+   THIS CODE IN PRODUCTION. */
+#include <cstdint>
+#include <cstdlib>
+
+namespace proofs {
+class Sha3Reference {
+  size_t mdlen_;
+  size_t rate_;
+  size_t wrptr_;
+  uint8_t buf_[200];
+  uint64_t a_[5][5];
+
+  static void keccak_f_1600(uint64_t A[5][5]);
+  static void shake(size_t rate, const uint8_t* in, size_t inlen, uint8_t* out,
+                    size_t outlen);
+
+ public:
+  explicit Sha3Reference(size_t mdlen)
+      : mdlen_(mdlen), rate_(200 - 2 * mdlen), wrptr_(0), buf_{}, a_{} {}
+
+  void update(const char* data, size_t n);
+  void final(uint8_t digest[/*mdlen*/]);
+
+  static void keccak_f_1600_DEBUG_ONLY(uint64_t A[5][5]);
+  static void theta(uint64_t A[5][5]);
+  static void rho(uint64_t A[5][5]);
+  static void pi(const uint64_t A[5][5], uint64_t A1[5][5]);
+  static void chi(const uint64_t A1[5][5], uint64_t A[5][5]);
+  static void iota(uint64_t A[5][5], size_t round);
+  static void shake128Hash(const uint8_t* in, size_t inlen, uint8_t* out,
+                           size_t outlen);
+  static void shake256Hash(const uint8_t* in, size_t inlen, uint8_t* out,
+                           size_t outlen);
+  static void xorin(uint64_t A[5][5], const uint8_t* d, size_t n);
+};
+
+}  // namespace proofs
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_REFERENCE_H_

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc

@@ -0,0 +1,153 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/tests/sha3/sha3_reference.h"
+
+#include <cstdint>
+#include <cstring>
+#include <vector>
+
+#include "circuits/tests/sha3/shake_test_vectors.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+TEST(Sha3Reference, TestVec) {
+  constexpr size_t mdlen = 32;
+  struct testvec {
+    const char* str;
+    uint8_t hash[mdlen];
+  };
+
+  static const struct testvec tv[] = {
+      {"",
+       {
+           0xa7, 0xff, 0xc6, 0xf8, 0xbf, 0x1e, 0xd7, 0x66, 0x51, 0xc1, 0x47,
+           0x56, 0xa0, 0x61, 0xd6, 0x62, 0xf5, 0x80, 0xff, 0x4d, 0xe4, 0x3b,
+           0x49, 0xfa, 0x82, 0xd8, 0x0a, 0x4b, 0x80, 0xf8, 0x43, 0x4a,
+       }},
+      {"abc",
+       {
+           0x3a, 0x98, 0x5d, 0xa7, 0x4f, 0xe2, 0x25, 0xb2, 0x04, 0x5c, 0x17,
+           0x2d, 0x6b, 0xd3, 0x90, 0xbd, 0x85, 0x5f, 0x08, 0x6e, 0x3e, 0x9d,
+           0x52, 0x5b, 0x46, 0xbf, 0xe2, 0x45, 0x11, 0x43, 0x15, 0x32,
+       }},
+      {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+       {
+           0x41, 0xc0, 0xdb, 0xa2, 0xa9, 0xd6, 0x24, 0x08, 0x49, 0x10, 0x03,
+           0x76, 0xa8, 0x23, 0x5e, 0x2c, 0x82, 0xe1, 0xb9, 0x99, 0x8a, 0x99,
+           0x9e, 0x21, 0xdb, 0x32, 0xdd, 0x97, 0x49, 0x6d, 0x33, 0x76,
+       }},
+
+      // test the block boundary length
+      {
+          // len=134
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdab",
+          {
+              0x64, 0x17, 0x63, 0x24, 0xb8, 0x40, 0x94, 0x6a, 0x39, 0x68, 0xb2,
+              0xbc, 0x0f, 0x0d, 0x46, 0xc0, 0x41, 0x5f, 0x2d, 0x4a, 0xa4, 0x72,
+              0xd9, 0xe1, 0xa6, 0x76, 0x3a, 0xca, 0x2a, 0x16, 0x04, 0xca,
+          },
+      },
+      {
+          // len=135
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc",
+          {
+              0x14, 0xc6, 0xa7, 0x8b, 0x26, 0x5b, 0xa3, 0x05, 0x07, 0x27, 0x82,
+              0x89, 0xf2, 0x17, 0x64, 0x28, 0x4a, 0x3a, 0x6f, 0x46, 0x8d, 0x97,
+              0x90, 0x06, 0xdd, 0x02, 0x11, 0x9f, 0x89, 0xb2, 0x15, 0x68,
+          },
+      },
+      {
+          // len=136
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabc"
+          "d",
+          {
+              0x7b, 0xcb, 0x7e, 0x15, 0xce, 0x26, 0x90, 0x46, 0xeb, 0xa7, 0x84,
+              0x98, 0x8e, 0x07, 0xc5, 0x73, 0xde, 0x14, 0xdf, 0x4c, 0x91, 0xf8,
+              0xb2, 0x15, 0x37, 0x0e, 0x60, 0x34, 0xb1, 0x70, 0x32, 0x02,
+          },
+      },
+      {
+          // len=137
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
+          "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
+          "a",
+          {
+              0x47, 0xbb, 0x76, 0xa3, 0x53, 0x7a, 0x56, 0x48, 0x98, 0x89, 0xca,
+              0xf3, 0x32, 0x92, 0x5e, 0xdb, 0xa7, 0x14, 0xb2, 0x1e, 0xf7, 0x24,
+              0x1a, 0x1d, 0x59, 0x2a, 0x00, 0x3b, 0x96, 0x8b, 0x7a, 0xa0,
+          },
+      },
+  };
+
+  for (size_t i = 0; i < sizeof(tv) / sizeof(tv[0]); ++i) {
+    Sha3Reference ctx(mdlen);
+    uint8_t hash[mdlen];
+    ctx.update(tv[i].str, strlen(tv[i].str));
+    ctx.final(hash);
+    for (size_t j = 0; j < mdlen; ++j) {
+      EXPECT_EQ(hash[j], tv[i].hash[j]);
+    }
+  }
+}
+
+TEST(Sha3Reference, OneMillionAs) {
+  constexpr size_t mdlen = 32;
+  Sha3Reference ctx(mdlen);
+  static const char* A = "aaaaaaaaaa";
+  uint8_t hash[mdlen];
+  for (size_t i = 0; i < 1000000 / 10; ++i) {
+    ctx.update(A, 10);
+  }
+  ctx.final(hash);
+  static const uint8_t expected[mdlen] = {
+      0x5c, 0x88, 0x75, 0xae, 0x47, 0x4a, 0x36, 0x34, 0xba, 0x4f, 0xd5,
+      0x5e, 0xc8, 0x5b, 0xff, 0xd6, 0x61, 0xf3, 0x2a, 0xca, 0x75, 0xc6,
+      0xd6, 0x99, 0xd0, 0xcd, 0xcb, 0x6c, 0x11, 0x58, 0x91, 0xc1,
+  };
+  for (size_t j = 0; j < mdlen; ++j) {
+    EXPECT_EQ(hash[j], expected[j]);
+  }
+}
+
+TEST(Sha3Reference, Shake128Test) {
+  for (const auto& vec : sha3::GetShake128TestVectors()) {
+    std::vector<uint8_t> actual(vec.out.size());
+    Sha3Reference::shake128Hash(vec.in.data(), vec.in.size(), actual.data(),
+                                actual.size());
+
+    for (size_t i = 0; i < vec.out.size(); ++i) {
+      EXPECT_EQ(actual[i], vec.out[i]);
+    }
+  }
+}
+
+TEST(Sha3Reference, Shake256Test) {
+  for (const auto& vec : sha3::GetShake256TestVectors()) {
+    std::vector<uint8_t> actual(vec.out.size());
+    Sha3Reference::shake256Hash(vec.in.data(), vec.in.size(), actual.data(),
+                                actual.size());
+
+    for (size_t i = 0; i < vec.out.size(); ++i) {
+      EXPECT_EQ(actual[i], vec.out[i]);
+    }
+  }
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc

@@ -0,0 +1,39 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/tests/sha3/sha3_round_constants.h"
+
+#include <cstddef>
+#include <cstdint>
+
+namespace proofs {
+
+namespace sha3 {
+// round constants
+const uint64_t sha3_rc[24] = {
+    0x0000000000000001, 0x0000000000008082, 0x800000000000808A,
+    0x8000000080008000, 0x000000000000808B, 0x0000000080000001,
+    0x8000000080008081, 0x8000000000008009, 0x000000000000008A,
+    0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
+    0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
+    0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
+    0x000000000000800A, 0x800000008000000A, 0x8000000080008081,
+    0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
+};
+
+const size_t sha3_rotc[24] = {1,  3,  6,  10, 15, 21, 28, 36, 45, 55, 2,  14,
+                              27, 41, 56, 8,  25, 43, 62, 18, 39, 61, 20, 44};
+
+}  // namespace sha3
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h

@@ -0,0 +1,29 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_ROUND_CONSTANTS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_ROUND_CONSTANTS_H_
+
+#include <cstdint>
+#include <cstdlib>
+
+namespace proofs {
+
+namespace sha3 {
+extern const uint64_t sha3_rc[24];
+extern const size_t sha3_rotc[24];
+}  // namespace sha3
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_ROUND_CONSTANTS_H_

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h

@@ -0,0 +1,31 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_SLICING_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_SLICING_H_
+
+#include <cstddef>
+
+// slicing parameters for sha/shake3
+namespace proofs {
+static inline bool sha3_slice_at(size_t round) {
+  constexpr size_t period = 6;
+  // We always slice at the final round 23.  In
+  // addition, we may slice at other rounds as well.
+  return (round == 23) || ((round % period) == (period - 1));
+}
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_SLICING_H_

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc

@@ -0,0 +1,83 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/tests/sha3/sha3_witness.h"
+
+#include <algorithm>
+#include <cstdint>
+#include <cstring>
+#include <vector>
+
+#include "circuits/tests/sha3/sha3_reference.h"
+
+namespace proofs {
+
+void Sha3Witness::compute_witness_block(uint64_t A[5][5], BlockWitness& bw) {
+  for (size_t round = 0; round < 24; ++round) {
+    Sha3Reference::theta(A);
+    Sha3Reference::rho(A);
+    uint64_t A1[5][5];
+    Sha3Reference::pi(A, A1);
+    Sha3Reference::chi(A1, A);
+    Sha3Reference::iota(A, round);
+
+    std::memcpy(bw.a_intermediate[round], A, 25 * sizeof(uint64_t));
+  }
+}
+
+void Sha3Witness::compute_witness_shake256(
+    const std::vector<uint8_t>& seed, size_t outlen,
+    std::vector<BlockWitness>& witnesses) {
+  size_t rate = 136;
+  uint64_t A[5][5];
+  std::memset(A, 0, sizeof(A));
+
+  uint8_t block[200] = {0};
+  size_t ptr = 0;
+
+  // Absorb phase
+  for (size_t i = 0; i < seed.size(); ++i) {
+    block[ptr++] = seed[i];
+    if (ptr == rate) {
+      Sha3Reference::xorin(A, block, rate);
+      BlockWitness bw;
+      compute_witness_block(A, bw);
+      witnesses.push_back(bw);
+      ptr = 0;
+      std::memset(block, 0, rate);
+    }
+  }
+
+  // Pad and absorb the last block (which might be empty or partial)
+  block[ptr] ^= 0x1F;
+  block[rate - 1] ^= 0x80;
+  Sha3Reference::xorin(A, block, rate);
+  BlockWitness bw;
+  compute_witness_block(A, bw);
+  witnesses.push_back(bw);
+
+  // Squeeze phase
+  size_t out_ptr = 0;
+  while (out_ptr < outlen) {
+    size_t take = std::min(rate, outlen - out_ptr);
+    out_ptr += take;
+    if (out_ptr < outlen) {
+      BlockWitness bw_next;
+      compute_witness_block(A, bw_next);
+      witnesses.push_back(bw_next);
+    }
+  }
+}
+
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h

@@ -0,0 +1,72 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_WITNESS_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_WITNESS_H_
+
+#include <cstddef>
+#include <cstdint>
+#include <vector>
+
+#include "arrays/dense.h"
+#include "circuits/tests/sha3/sha3_slicing.h"
+
+namespace proofs {
+
+struct Sha3Witness {
+  struct BlockWitness {
+    // The witnesses are not sliced---we produce a witness for
+    // every round.  The circuit and the filler may or may
+    // not use all values depending on the slicing parameters
+    uint64_t a_intermediate[24][5][5];
+  };
+
+  // Runs one block of the keccak permutation on state A, recording
+  // intermediates into bw. Note: state A is updated in-place to the new state.
+  static void compute_witness_block(uint64_t A[5][5], BlockWitness& bw);
+
+  // Generate BlockWitnesses for a shake256 computation.
+  static void compute_witness_shake256(const std::vector<uint8_t>& seed,
+                                       size_t outlen,
+                                       std::vector<BlockWitness>& witnesses);
+
+  // Fills a Dense array mapping with exactly the bit outputs of the block
+  // witnesses.
+  template <class Field>
+  static void fill_witness(DenseFiller<Field>& filler, const BlockWitness& w,
+                           const Field& f) {
+    for (size_t round = 0; round < 24; ++round) {
+      if (sha3_slice_at(round)) {
+        for (size_t x = 0; x < 5; ++x) {
+          for (size_t y = 0; y < 5; ++y) {
+            uint64_t val = w.a_intermediate[round][x][y];
+            filler.push_back(val, 64, f);
+          }
+        }
+      }
+    }
+  }
+  template <class Field>
+  static void fill_witness(DenseFiller<Field>& filler,
+                           const std::vector<BlockWitness>& bws,
+                           const Field& f) {
+    for (const auto& w : bws) {
+      fill_witness(filler, w, f);
+    }
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_SHA3_SHA3_WITNESS_H_