longfellow 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CODE_OF_CONDUCT.md +10 -0
- data/LICENSE.txt +21 -0
- data/README.md +152 -0
- data/ext/longfellow/CMakeLists.txt +76 -0
- data/ext/longfellow/extconf.rb +77 -0
- data/lib/longfellow/attribute.rb +65 -0
- data/lib/longfellow/c.rb +105 -0
- data/lib/longfellow/errors.rb +78 -0
- data/lib/longfellow/version.rb +5 -0
- data/lib/longfellow/zk_spec.rb +40 -0
- data/lib/longfellow.rb +162 -0
- data/sig/longfellow.rbs +74 -0
- data/vendor/longfellow-zk/LICENSE +203 -0
- data/vendor/longfellow-zk/lib/algebra/blas.h +121 -0
- data/vendor/longfellow-zk/lib/algebra/bogorng.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/compare.h +40 -0
- data/vendor/longfellow-zk/lib/algebra/convolution.h +219 -0
- data/vendor/longfellow-zk/lib/algebra/crt.cc +42 -0
- data/vendor/longfellow-zk/lib/algebra/crt.h +299 -0
- data/vendor/longfellow-zk/lib/algebra/crt_convolution.h +114 -0
- data/vendor/longfellow-zk/lib/algebra/crt_test.cc +371 -0
- data/vendor/longfellow-zk/lib/algebra/fft.h +104 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation.h +304 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation_test.cc +168 -0
- data/vendor/longfellow-zk/lib/algebra/fft_test.cc +257 -0
- data/vendor/longfellow-zk/lib/algebra/fp.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/fp2.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/fp24.h +342 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6.h +305 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6_test.cc +197 -0
- data/vendor/longfellow-zk/lib/algebra/fp2_test.cc +280 -0
- data/vendor/longfellow-zk/lib/algebra/fp_generic.h +533 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p128.h +91 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256k1.h +123 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p384.h +65 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p521.h +62 -0
- data/vendor/longfellow-zk/lib/algebra/fp_test.cc +522 -0
- data/vendor/longfellow-zk/lib/algebra/hash.h +39 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation.h +117 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc +74 -0
- data/vendor/longfellow-zk/lib/algebra/limb.h +153 -0
- data/vendor/longfellow-zk/lib/algebra/limb_test.cc +75 -0
- data/vendor/longfellow-zk/lib/algebra/nat.cc +32 -0
- data/vendor/longfellow-zk/lib/algebra/nat.h +212 -0
- data/vendor/longfellow-zk/lib/algebra/nat_test.cc +183 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc +138 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc +139 -0
- data/vendor/longfellow-zk/lib/algebra/permutations.h +79 -0
- data/vendor/longfellow-zk/lib/algebra/poly.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/poly_test.cc +123 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon.h +150 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h +108 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc +76 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_test.cc +473 -0
- data/vendor/longfellow-zk/lib/algebra/rfft.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/rfft_test.cc +102 -0
- data/vendor/longfellow-zk/lib/algebra/static_string.h +29 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep.h +495 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep_test.cc +41 -0
- data/vendor/longfellow-zk/lib/algebra/twiddle.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/utility.h +86 -0
- data/vendor/longfellow-zk/lib/algebra/utility_test.cc +86 -0
- data/vendor/longfellow-zk/lib/arrays/affine.h +56 -0
- data/vendor/longfellow-zk/lib/arrays/affine_test.cc +220 -0
- data/vendor/longfellow-zk/lib/arrays/dense.h +210 -0
- data/vendor/longfellow-zk/lib/arrays/eq.h +75 -0
- data/vendor/longfellow-zk/lib/arrays/eqs.h +137 -0
- data/vendor/longfellow-zk/lib/arrays/eqs_test.cc +151 -0
- data/vendor/longfellow-zk/lib/arrays/sparse.h +192 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder.h +323 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder_test.cc +541 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor.h +594 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck.h +110 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck_test.cc +55 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_test.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_testing.h +98 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_witness.h +312 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso2_test.cc +662 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso_test.cc +485 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan.h +104 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan_test.cc +137 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor.h +640 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_testing.h +99 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_witness.h +319 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/lexer_test.cc +120 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/mdoc_examples_test.cc +89 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_circuit_test.cc +506 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_size_test.cc +79 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_test.cc +473 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/canonicalization_test.cc +185 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/circuit_dump.h +65 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler.h +471 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler_test.cc +110 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/node.h +176 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/pdqhash.h +127 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/schedule.h +435 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h +371 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc +246 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_test.cc +587 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h +201 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h +247 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h +35 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc +183 -0
- data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc +102 -0
- data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic.h +1232 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_circuit_test.cc +310 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_test.cc +521 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp.h +68 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp_test.cc +148 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing.h +445 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing_test.cc +241 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary.h +55 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h +77 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h +37 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc +53 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc +69 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h +193 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc +223 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc +242 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_ids.h +311 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_circuit_id.cc +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_constants.h +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.cc +41 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_examples.h +5232 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_generate_circuit.cc +199 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_hash.h +554 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h +143 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc +444 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_test_attributes.h +157 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_witness.h +863 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.cc +693 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.h +216 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk_test.cc +724 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc +100 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc +155 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h +330 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit_test.cc +607 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_io.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.cc +163 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.h +47 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.cc +34 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_test_values.h +389 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/ptrcred.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small.h +218 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_examples.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_io.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_test.cc +208 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_witness.h +130 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode.h +508 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_circuit_test.cc +95 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_test.cc +119 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.cc +47 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit.h +231 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit_test.cc +428 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_witness.h +102 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt.h +190 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_constants.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_test.cc +559 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_witness.h +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f.h +411 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_io.h +32 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_test.cc +364 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_witness.h +278 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation.h +146 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_constants.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_test.cc +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_witness.h +136 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr.h +250 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_test.cc +333 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_witness.h +152 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44.h +903 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_circuit_test.cc +274 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_eval_test.cc +440 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.cc +8851 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.h +93 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.cc +24 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h +453 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc +49 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc +458 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test.cc +398 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors.inc +3618 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_pkdecode.inc +689 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_sigdecode.inc +1501 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/sigdecode_test_vectors.inc +540 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit.h +394 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit_test.cc +577 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_constants.h +90 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h +351 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit_test.cc +466 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.cc +207 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h +59 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc +153 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc +39 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h +31 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc +83 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/shake_test_vectors.h +477 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve.h +596 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve_test.cc +548 -0
- data/vendor/longfellow-zk/lib/ec/p256.cc +36 -0
- data/vendor/longfellow-zk/lib/ec/p256.h +60 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.cc +34 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.h +60 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128.h +503 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_bench.cc +48 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_test.cc +416 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2poly.h +74 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14.h +242 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc +75 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h +127 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc +110 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_test.cc +246 -0
- data/vendor/longfellow-zk/lib/gf2k/sysdep.h +329 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_param.h +449 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_prover.h +354 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_test.cc +136 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_transcript.h +67 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h +272 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h +104 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree.h +216 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree_test.cc +240 -0
- data/vendor/longfellow-zk/lib/proto/circuit.h +354 -0
- data/vendor/longfellow-zk/lib/proto/circuit_test.cc +202 -0
- data/vendor/longfellow-zk/lib/random/random.h +119 -0
- data/vendor/longfellow-zk/lib/random/random_test.cc +189 -0
- data/vendor/longfellow-zk/lib/random/secure_random_engine.h +37 -0
- data/vendor/longfellow-zk/lib/random/transcript.h +193 -0
- data/vendor/longfellow-zk/lib/random/transcript_test.cc +344 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit.h +148 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h +71 -0
- data/vendor/longfellow-zk/lib/sumcheck/equad.h +126 -0
- data/vendor/longfellow-zk/lib/sumcheck/hquad.h +115 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover.h +59 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover_layers.h +362 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad.h +227 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h +211 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc +169 -0
- data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc +324 -0
- data/vendor/longfellow-zk/lib/sumcheck/testing.h +69 -0
- data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h +85 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier.h +84 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h +221 -0
- data/vendor/longfellow-zk/lib/testing/test_main.cc +50 -0
- data/vendor/longfellow-zk/lib/util/ceildiv.h +164 -0
- data/vendor/longfellow-zk/lib/util/ceildiv_test.cc +152 -0
- data/vendor/longfellow-zk/lib/util/crc64.h +45 -0
- data/vendor/longfellow-zk/lib/util/crypto.cc +39 -0
- data/vendor/longfellow-zk/lib/util/crypto.h +108 -0
- data/vendor/longfellow-zk/lib/util/log.cc +110 -0
- data/vendor/longfellow-zk/lib/util/log.h +33 -0
- data/vendor/longfellow-zk/lib/util/panic.h +40 -0
- data/vendor/longfellow-zk/lib/util/readbuffer.h +67 -0
- data/vendor/longfellow-zk/lib/util/serialization.h +54 -0
- data/vendor/longfellow-zk/lib/zk/zk_common.h +455 -0
- data/vendor/longfellow-zk/lib/zk/zk_proof.h +378 -0
- data/vendor/longfellow-zk/lib/zk/zk_prover.h +202 -0
- data/vendor/longfellow-zk/lib/zk/zk_test.cc +340 -0
- data/vendor/longfellow-zk/lib/zk/zk_testing.h +154 -0
- data/vendor/longfellow-zk/lib/zk/zk_verifier.h +109 -0
- metadata +347 -0
|
@@ -0,0 +1,548 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#include "ec/elliptic_curve.h"
|
|
16
|
+
|
|
17
|
+
#include <array>
|
|
18
|
+
#include <cstddef>
|
|
19
|
+
#include <cstdint>
|
|
20
|
+
#include <random>
|
|
21
|
+
#include <vector>
|
|
22
|
+
|
|
23
|
+
#include "algebra/fp.h"
|
|
24
|
+
#include "ec/p256.h"
|
|
25
|
+
#include "ec/p256k1.h"
|
|
26
|
+
#include "benchmark/benchmark.h"
|
|
27
|
+
#include "gtest/gtest.h"
|
|
28
|
+
|
|
29
|
+
namespace proofs {
|
|
30
|
+
namespace {
|
|
31
|
+
constexpr size_t W = 4;
|
|
32
|
+
typedef Fp<4, true> Field;
|
|
33
|
+
|
|
34
|
+
const Field f_32543(
|
|
35
|
+
"1056598764504768070153408279638907619769800489"
|
|
36
|
+
"86351025435035631207814085532543");
|
|
37
|
+
|
|
38
|
+
const Field f_53951(
|
|
39
|
+
"0xFFFFFFFF00000001000000000000000000000000FFFF"
|
|
40
|
+
"FFFFFFFFFFFFFFFFFFFF");
|
|
41
|
+
|
|
42
|
+
typedef EllipticCurve<Field, 4, 256> EC32543;
|
|
43
|
+
typedef EllipticCurve<Field, 4, 256> EC53951;
|
|
44
|
+
|
|
45
|
+
// The following curve from https://arxiv.org/pdf/2208.01635.pdf has prime
|
|
46
|
+
// order =
|
|
47
|
+
// 105659876450476807015340827963890761976544313325663770762399235394744121359871.
|
|
48
|
+
const EC32543 ec_32543(
|
|
49
|
+
f_32543.of_string("57780130698115176583488499171344771088898507337873238590"
|
|
50
|
+
"400955371129685138826"),
|
|
51
|
+
f_32543.of_string("10245195084107374794931679649589693796070211548697536379"
|
|
52
|
+
"8323596797327090813462"),
|
|
53
|
+
f_32543.of_string("53851663331146464978109980746124159858219863711514859545"
|
|
54
|
+
"86014078688791960064"),
|
|
55
|
+
f_32543.of_string("88440166531789946723126083546750633179866039092883764784"
|
|
56
|
+
"041611065547926159080"),
|
|
57
|
+
f_32543);
|
|
58
|
+
|
|
59
|
+
const EC53951 ec_53951(
|
|
60
|
+
f_53951.of_string(
|
|
61
|
+
"0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC"),
|
|
62
|
+
f_53951.of_string(
|
|
63
|
+
"0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B"),
|
|
64
|
+
f_53951.of_string(
|
|
65
|
+
"0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"),
|
|
66
|
+
f_53951.of_string(
|
|
67
|
+
"0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"),
|
|
68
|
+
f_53951);
|
|
69
|
+
|
|
70
|
+
TEST(EllipticCurve, isOnCurve) {
|
|
71
|
+
EXPECT_TRUE(ec_32543.is_on_curve(ec_32543.generator()));
|
|
72
|
+
EXPECT_TRUE(ec_32543.is_on_curve(ec_32543.zero()));
|
|
73
|
+
|
|
74
|
+
EXPECT_TRUE(ec_53951.is_on_curve(ec_53951.generator()));
|
|
75
|
+
EXPECT_TRUE(ec_53951.is_on_curve(ec_53951.zero()));
|
|
76
|
+
|
|
77
|
+
EXPECT_TRUE(p256k1.is_on_curve(p256k1.generator()));
|
|
78
|
+
EXPECT_TRUE(p256k1.is_on_curve(p256k1.zero()));
|
|
79
|
+
|
|
80
|
+
// This point is on the curve, but not normalized, and thus our method
|
|
81
|
+
// should return false.
|
|
82
|
+
EXPECT_FALSE(ec_32543.is_on_curve(EC32543::ECPoint(
|
|
83
|
+
f_32543.of_scalar(6),
|
|
84
|
+
f_32543.of_string("175192863081551057610611323522603468882267323925296967"
|
|
85
|
+
"51295234077254554968800"),
|
|
86
|
+
f_32543.of_scalar(2))));
|
|
87
|
+
|
|
88
|
+
auto p = ec_32543.point(
|
|
89
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
90
|
+
"507506027505728800092025"),
|
|
91
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
92
|
+
"51384786472009184561173"));
|
|
93
|
+
EXPECT_FALSE(ec_32543.equal(p, ec_32543.zero()));
|
|
94
|
+
|
|
95
|
+
auto mp = ec_32543.point(
|
|
96
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
97
|
+
"507506027505728800092025"),
|
|
98
|
+
f_32543.of_string("167151314019692867652783211567275353146303951050925488"
|
|
99
|
+
"83650844735804900971370"));
|
|
100
|
+
EXPECT_FALSE(ec_32543.equal(mp, ec_32543.zero()));
|
|
101
|
+
|
|
102
|
+
EXPECT_FALSE(ec_32543.is_on_curve(
|
|
103
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
104
|
+
"507506027505728800092025"),
|
|
105
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
106
|
+
"51384786472009184561172")));
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
// Test with secp256k1 where a = 0, b = 7.
|
|
110
|
+
TEST(EllipticCurve, addEZeroA) {
|
|
111
|
+
// Compute in sagemath and check the result with our code.
|
|
112
|
+
// Use the secp256k1 curve.
|
|
113
|
+
// p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
|
|
114
|
+
// F = FiniteField(p)
|
|
115
|
+
// E = EllipticCurve(F, [0, 7])
|
|
116
|
+
// G =
|
|
117
|
+
// E(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
|
|
118
|
+
// 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
|
|
119
|
+
// # this is the order of the elliptic curve group
|
|
120
|
+
// n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
|
|
121
|
+
// Fn = FiniteField(n)
|
|
122
|
+
|
|
123
|
+
// P1 = G * 10 =
|
|
124
|
+
// (72488970228380509287422715226575535698893157273063074627791787432852706183111
|
|
125
|
+
// 62070622898698443831883535403436258712770888294397026493185421712108624767191
|
|
126
|
+
// 1)
|
|
127
|
+
// P2 = G * 12412 =
|
|
128
|
+
// (52879966086176162108240354162378292947425517669095498736796738054975791823498
|
|
129
|
+
// 30699390762290600754781212069883870270938814099133957400920709995153465021145
|
|
130
|
+
// 1)
|
|
131
|
+
// P1+P2 =
|
|
132
|
+
// (100032783050058150499785349038845742794401895778389296862674788824339876696454
|
|
133
|
+
// 24893872525273665559647505993700238432595500474576223152737037560633815418477
|
|
134
|
+
// 1)
|
|
135
|
+
|
|
136
|
+
auto p1 =
|
|
137
|
+
p256k1.point(p256k1_base.of_string(
|
|
138
|
+
"7248897022838050928742271522657553569889315727306307"
|
|
139
|
+
"4627791787432852706183111"),
|
|
140
|
+
p256k1_base.of_string(
|
|
141
|
+
"6207062289869844383188353540343625871277088829439702"
|
|
142
|
+
"6493185421712108624767191"));
|
|
143
|
+
auto p2 =
|
|
144
|
+
p256k1.point(p256k1_base.of_string(
|
|
145
|
+
"5287996608617616210824035416237829294742551766909549"
|
|
146
|
+
"8736796738054975791823498"),
|
|
147
|
+
p256k1_base.of_string(
|
|
148
|
+
"3069939076229060075478121206988387027093881409913395"
|
|
149
|
+
"7400920709995153465021145"));
|
|
150
|
+
auto want =
|
|
151
|
+
p256k1.point(p256k1_base.of_string(
|
|
152
|
+
"1000327830500581504997853490388457427944018957783892"
|
|
153
|
+
"96862674788824339876696454"),
|
|
154
|
+
p256k1_base.of_string(
|
|
155
|
+
"2489387252527366555964750599370023843259550047457622"
|
|
156
|
+
"3152737037560633815418477"));
|
|
157
|
+
|
|
158
|
+
auto got = p256k1.addEf(p1, p2);
|
|
159
|
+
EXPECT_TRUE(p256k1.equal(want, got));
|
|
160
|
+
|
|
161
|
+
// may as well test commutativity:
|
|
162
|
+
got = p256k1.addEf(p2, p1);
|
|
163
|
+
EXPECT_TRUE(p256k1.equal(want, got));
|
|
164
|
+
|
|
165
|
+
// test with infinity point.
|
|
166
|
+
auto z = p256k1.zero();
|
|
167
|
+
got = p256k1.addEf(z, p1);
|
|
168
|
+
EXPECT_TRUE(p256k1.equal(p1, got));
|
|
169
|
+
got = p256k1.addEf(p1, z);
|
|
170
|
+
EXPECT_TRUE(p256k1.equal(p1, got));
|
|
171
|
+
|
|
172
|
+
// test overwrite value
|
|
173
|
+
p256k1.addE(p1, p2);
|
|
174
|
+
EXPECT_TRUE(p256k1.equal(want, p1));
|
|
175
|
+
}
|
|
176
|
+
|
|
177
|
+
// Test with secp256k1 where a = 0, b = 7.
|
|
178
|
+
TEST(EllipticCurve, doubleEZeroA) {
|
|
179
|
+
auto p1 =
|
|
180
|
+
p256k1.point(p256k1_base.of_string(
|
|
181
|
+
"1073035822907330979248421939724650220531482117751943"
|
|
182
|
+
"73671539518313500194639752"),
|
|
183
|
+
p256k1_base.of_string(
|
|
184
|
+
"1037959661087827174468066840237421684623654492726397"
|
|
185
|
+
"90795591544606836007446638"));
|
|
186
|
+
|
|
187
|
+
auto want =
|
|
188
|
+
p256k1.point(p256k1_base.of_string(
|
|
189
|
+
"9288356354773395374719339924146797529520150860835279"
|
|
190
|
+
"8513009429659680796014075"),
|
|
191
|
+
p256k1_base.of_string(
|
|
192
|
+
"1146109652104331348038103431792376352806630981117018"
|
|
193
|
+
"48326472592228175073260197"));
|
|
194
|
+
|
|
195
|
+
auto got = p256k1.doubleEf(p1);
|
|
196
|
+
EXPECT_TRUE(p256k1.equal(want, got));
|
|
197
|
+
|
|
198
|
+
// // test with infinity point.
|
|
199
|
+
auto z = p256k1.zero();
|
|
200
|
+
got = p256k1.doubleEf(z);
|
|
201
|
+
EXPECT_TRUE(p256k1.equal(got, z));
|
|
202
|
+
}
|
|
203
|
+
|
|
204
|
+
// Test with secp256r1 curve where a = -3.
|
|
205
|
+
TEST(EllipticCurve, addEMinus3A) {
|
|
206
|
+
auto p1 = ec_53951.point(
|
|
207
|
+
f_53951.of_string("565152197906911714131090579040116886954248101558029299"
|
|
208
|
+
"73526481321309856242040"),
|
|
209
|
+
f_53951.of_string("337703184371225825922371145149145259808867551975154856"
|
|
210
|
+
"7112458094635497583569"));
|
|
211
|
+
auto p2 = ec_53951.point(
|
|
212
|
+
f_53951.of_string("112408679900023231809246133755790494075208376728748483"
|
|
213
|
+
"995370618426422155115628"),
|
|
214
|
+
f_53951.of_string("498237100143848652850565955106356993462945737819513433"
|
|
215
|
+
"11221423895961832974253"));
|
|
216
|
+
auto want = ec_53951.point(
|
|
217
|
+
f_53951.of_string("111694352951862023542776309354414877394027736966010471"
|
|
218
|
+
"01735900939923127703960"),
|
|
219
|
+
f_53951.of_string("786055119933597043243514268547451740551314242791577376"
|
|
220
|
+
"91618238984203071285154"));
|
|
221
|
+
|
|
222
|
+
auto got = ec_53951.addEf(p1, p2);
|
|
223
|
+
EXPECT_TRUE(ec_53951.equal(want, got));
|
|
224
|
+
}
|
|
225
|
+
|
|
226
|
+
// Test with secp256r1 curve where a = -3.
|
|
227
|
+
TEST(EllipticCurve, doubleEMinus3A) {
|
|
228
|
+
auto p1 = ec_53951.point(
|
|
229
|
+
f_53951.of_string("112408679900023231809246133755790494075208376728748483"
|
|
230
|
+
"995370618426422155115628"),
|
|
231
|
+
f_53951.of_string("498237100143848652850565955106356993462945737819513433"
|
|
232
|
+
"11221423895961832974253"));
|
|
233
|
+
auto want = ec_53951.point(
|
|
234
|
+
f_53951.of_string("885884674782654900235199359821876275484611260577767040"
|
|
235
|
+
"31032323803350375021520"),
|
|
236
|
+
f_53951.of_string("767985716630533603779391244706390556201037096191808849"
|
|
237
|
+
"9728736832660268223620"));
|
|
238
|
+
|
|
239
|
+
ec_53951.doubleE(p1);
|
|
240
|
+
EXPECT_TRUE(ec_53951.equal(want, p1));
|
|
241
|
+
}
|
|
242
|
+
|
|
243
|
+
// Test with random curve using the general formula.
|
|
244
|
+
TEST(EllipticCurve, addEGeneral) {
|
|
245
|
+
// G * 12
|
|
246
|
+
auto p12 = ec_32543.point(
|
|
247
|
+
f_32543.of_string("134808783667219648189263450305873688991251945654246752"
|
|
248
|
+
"22390028645041219938745"),
|
|
249
|
+
f_32543.of_string("100527482324383093851451454237191654885134853280983427"
|
|
250
|
+
"210888648347852121150952"));
|
|
251
|
+
// G * 4321
|
|
252
|
+
auto p4321 = ec_32543.point(
|
|
253
|
+
f_32543.of_string("329130036724930002544976288399195578354103016201810384"
|
|
254
|
+
"63262550483453294324440"),
|
|
255
|
+
f_32543.of_string("546743602120459044951591654595765404409913799377625317"
|
|
256
|
+
"5279966440418856665708"));
|
|
257
|
+
auto want = ec_32543.point(
|
|
258
|
+
f_32543.of_string("700549381434284036627210001211630287911988690360413711"
|
|
259
|
+
"71252986977253437280559"),
|
|
260
|
+
f_32543.of_string("602279424320787220776145802808248329062258408707344429"
|
|
261
|
+
"87846067237162092805952"));
|
|
262
|
+
|
|
263
|
+
auto got = ec_32543.addEf(p12, p4321);
|
|
264
|
+
EXPECT_TRUE(ec_32543.equal(want, got));
|
|
265
|
+
|
|
266
|
+
// Verify addition with itself.
|
|
267
|
+
auto want24 = ec_32543.point(
|
|
268
|
+
f_32543.of_string("103731248137202420387366645061627197035273436337246178"
|
|
269
|
+
"882638115333015475963392"),
|
|
270
|
+
f_32543.of_string("161231444099616023998514916519220697509776202121636011"
|
|
271
|
+
"25130907480358991149046"));
|
|
272
|
+
auto got24 = ec_32543.addEf(p12, p12);
|
|
273
|
+
EXPECT_TRUE(ec_32543.equal(want24, got24));
|
|
274
|
+
|
|
275
|
+
// Verify addition with neg.
|
|
276
|
+
auto pn12 = ec_32543.point(
|
|
277
|
+
f_32543.of_string("134808783667219648189263450305873688991251945654246752"
|
|
278
|
+
"22390028645041219938745"),
|
|
279
|
+
f_32543.of_string("513239412609371316388937372669910709184519570536759822"
|
|
280
|
+
"4146982859961964381591"));
|
|
281
|
+
auto gotn = ec_32543.addEf(p12, pn12);
|
|
282
|
+
EXPECT_TRUE(ec_32543.equal(ec_32543.zero(), gotn));
|
|
283
|
+
|
|
284
|
+
// Verify addition with Inf.
|
|
285
|
+
auto gotz = ec_32543.addEf(p12, ec_32543.zero());
|
|
286
|
+
EXPECT_TRUE(ec_32543.equal(p12, gotz));
|
|
287
|
+
gotz = ec_32543.addEf(ec_32543.zero(), p12);
|
|
288
|
+
EXPECT_TRUE(ec_32543.equal(p12, gotz));
|
|
289
|
+
|
|
290
|
+
{ // test that (i+j)*a+j*b = i*a+j*(a+b)
|
|
291
|
+
auto a = p12;
|
|
292
|
+
auto b = want24;
|
|
293
|
+
auto apb = ec_32543.addEf(a, b);
|
|
294
|
+
for (size_t i = 0; i < 10; ++i) {
|
|
295
|
+
for (size_t j = 0; j < 10; ++j) {
|
|
296
|
+
auto aipj = ec_32543.scalar_multf(a, EC32543::N(i + j));
|
|
297
|
+
auto ai = ec_32543.scalar_multf(a, EC32543::N(i));
|
|
298
|
+
auto bj = ec_32543.scalar_multf(b, EC32543::N(j));
|
|
299
|
+
auto apbj = ec_32543.scalar_multf(apb, EC32543::N(j));
|
|
300
|
+
EXPECT_TRUE(
|
|
301
|
+
ec_32543.equal(ec_32543.addEf(aipj, bj), ec_32543.addEf(ai, apbj)));
|
|
302
|
+
}
|
|
303
|
+
}
|
|
304
|
+
}
|
|
305
|
+
}
|
|
306
|
+
|
|
307
|
+
// Test with random curve using the general formula.
|
|
308
|
+
TEST(EllipticCurve, doubleEGeneral) {
|
|
309
|
+
auto p1 = ec_32543.point(
|
|
310
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
311
|
+
"507506027505728800092025"),
|
|
312
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
313
|
+
"51384786472009184561173"));
|
|
314
|
+
auto want = ec_32543.point(
|
|
315
|
+
f_32543.of_string("509017422813935192393111620289104455654561113237332808"
|
|
316
|
+
"7715939287642942312136"),
|
|
317
|
+
f_32543.of_string("834726355457066002594785096169403344896585204779436918"
|
|
318
|
+
"80323533707461094248605"));
|
|
319
|
+
|
|
320
|
+
auto got = ec_32543.doubleEf(p1);
|
|
321
|
+
EXPECT_TRUE(ec_32543.equal(want, got));
|
|
322
|
+
|
|
323
|
+
auto zero = ec_32543.zero();
|
|
324
|
+
auto gotz = ec_32543.doubleEf(zero);
|
|
325
|
+
EXPECT_TRUE(ec_32543.equal(zero, gotz));
|
|
326
|
+
|
|
327
|
+
/* Double is also tested in the addGeneral tests above. */
|
|
328
|
+
}
|
|
329
|
+
|
|
330
|
+
TEST(EllipticCurve, P256MultiExponentiation) {
|
|
331
|
+
auto g = p256.generator();
|
|
332
|
+
|
|
333
|
+
std::mt19937 rng;
|
|
334
|
+
std::uniform_int_distribution<uint64_t> dist;
|
|
335
|
+
|
|
336
|
+
constexpr size_t n = 1000;
|
|
337
|
+
std::vector<P256::ECPoint> p(n);
|
|
338
|
+
std::vector<P256::N> s(n);
|
|
339
|
+
{
|
|
340
|
+
// Test default case.
|
|
341
|
+
auto got = p256.scalar_multf(0, &p[0], &s[0]);
|
|
342
|
+
EXPECT_TRUE(p256.equal(p256.zero(), got));
|
|
343
|
+
}
|
|
344
|
+
|
|
345
|
+
{
|
|
346
|
+
auto want = p256.zero();
|
|
347
|
+
for (size_t i = 0; i < n; ++i) {
|
|
348
|
+
if (i == 0) {
|
|
349
|
+
p[i] = g;
|
|
350
|
+
} else {
|
|
351
|
+
p[i] = p256.doubleEf(p[i - 1]);
|
|
352
|
+
}
|
|
353
|
+
std::array<uint64_t, W> init;
|
|
354
|
+
for (size_t j = 0; j < W; ++j) {
|
|
355
|
+
init[j] = dist(rng);
|
|
356
|
+
}
|
|
357
|
+
s[i] = P256::N(init);
|
|
358
|
+
want = p256.addEf(want, p256.scalar_multf(p[i], s[i]));
|
|
359
|
+
}
|
|
360
|
+
|
|
361
|
+
auto got = p256.scalar_multf(n, &p[0], &s[0]);
|
|
362
|
+
EXPECT_TRUE(p256.equal(want, got));
|
|
363
|
+
}
|
|
364
|
+
|
|
365
|
+
// now test the screw case of one large exponent and a bunch of
|
|
366
|
+
// small exponents, where the Bernstein variant
|
|
367
|
+
// (https://cr.yp.to/badbatch/boscoster2.py) takes forever
|
|
368
|
+
// because it runs
|
|
369
|
+
// for (s=0xdeadbeefabadcafe; s > 0; s--) {...}
|
|
370
|
+
{
|
|
371
|
+
auto want = p256.zero();
|
|
372
|
+
for (size_t i = 0; i < n; ++i) {
|
|
373
|
+
if (i == 0) {
|
|
374
|
+
p[i] = g;
|
|
375
|
+
s[i] = P256::N(0xdeadbeefabadcafe);
|
|
376
|
+
} else {
|
|
377
|
+
p[i] = p256.doubleEf(p[i - 1]);
|
|
378
|
+
s[i] = P256::N(1);
|
|
379
|
+
}
|
|
380
|
+
want = p256.addEf(want, p256.scalar_multf(p[i], s[i]));
|
|
381
|
+
}
|
|
382
|
+
|
|
383
|
+
auto got = p256.scalar_multf(n, &p[0], &s[0]);
|
|
384
|
+
EXPECT_TRUE(p256.equal(want, got));
|
|
385
|
+
}
|
|
386
|
+
|
|
387
|
+
{
|
|
388
|
+
p[0] = p256.generator();
|
|
389
|
+
s[0] = P256::N(1);
|
|
390
|
+
auto want = p[0];
|
|
391
|
+
auto got = p256.scalar_multf(1, &p[0], &s[0]);
|
|
392
|
+
EXPECT_TRUE(p256.equal(want, got));
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
|
|
396
|
+
TEST(EllipticCurve, P256k1MultiExponentiation) {
|
|
397
|
+
auto g = p256k1.generator();
|
|
398
|
+
|
|
399
|
+
std::mt19937 rng;
|
|
400
|
+
std::uniform_int_distribution<uint64_t> dist;
|
|
401
|
+
|
|
402
|
+
constexpr size_t n = 100;
|
|
403
|
+
std::vector<P256k1::ECPoint> p(n);
|
|
404
|
+
std::vector<P256k1::N> s(n);
|
|
405
|
+
{
|
|
406
|
+
// Test default case.
|
|
407
|
+
auto got = p256k1.scalar_multf(0, &p[0], &s[0]);
|
|
408
|
+
EXPECT_TRUE(p256k1.equal(p256k1.zero(), got));
|
|
409
|
+
}
|
|
410
|
+
|
|
411
|
+
{
|
|
412
|
+
auto want = p256k1.zero();
|
|
413
|
+
for (size_t i = 0; i < n; ++i) {
|
|
414
|
+
if (i == 0) {
|
|
415
|
+
p[i] = g;
|
|
416
|
+
} else {
|
|
417
|
+
p[i] = p256k1.doubleEf(p[i - 1]);
|
|
418
|
+
}
|
|
419
|
+
std::array<uint64_t, 4> init;
|
|
420
|
+
for (size_t j = 0; j < 4; ++j) {
|
|
421
|
+
init[j] = dist(rng);
|
|
422
|
+
}
|
|
423
|
+
s[i] = P256k1::N(init);
|
|
424
|
+
want = p256k1.addEf(want, p256k1.scalar_multf(p[i], s[i]));
|
|
425
|
+
}
|
|
426
|
+
|
|
427
|
+
auto got = p256k1.scalar_multf(n, &p[0], &s[0]);
|
|
428
|
+
EXPECT_TRUE(p256k1.equal(want, got));
|
|
429
|
+
}
|
|
430
|
+
}
|
|
431
|
+
|
|
432
|
+
// ============================= Benchmarks ================================
|
|
433
|
+
|
|
434
|
+
void BM_add_p256(benchmark::State& state) {
|
|
435
|
+
auto p = p256.generator();
|
|
436
|
+
|
|
437
|
+
for (auto _ : state) {
|
|
438
|
+
p256.addE(p, p);
|
|
439
|
+
}
|
|
440
|
+
}
|
|
441
|
+
BENCHMARK(BM_add_p256);
|
|
442
|
+
|
|
443
|
+
void BM_add(benchmark::State& state) {
|
|
444
|
+
auto p = ec_32543.point(
|
|
445
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
446
|
+
"507506027505728800092025"),
|
|
447
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
448
|
+
"51384786472009184561173"));
|
|
449
|
+
auto p2 = ec_32543.addEf(p, p);
|
|
450
|
+
|
|
451
|
+
for (auto _ : state) {
|
|
452
|
+
ec_32543.addE(p2, p);
|
|
453
|
+
}
|
|
454
|
+
}
|
|
455
|
+
BENCHMARK(BM_add);
|
|
456
|
+
|
|
457
|
+
void BM_double(benchmark::State& state) {
|
|
458
|
+
auto p = ec_32543.generator();
|
|
459
|
+
|
|
460
|
+
for (auto _ : state) {
|
|
461
|
+
ec_32543.doubleE(p);
|
|
462
|
+
}
|
|
463
|
+
}
|
|
464
|
+
BENCHMARK(BM_double);
|
|
465
|
+
|
|
466
|
+
void BM_scalar(benchmark::State& state) {
|
|
467
|
+
using N = EC32543::N;
|
|
468
|
+
auto p = ec_32543.point(
|
|
469
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
470
|
+
"507506027505728800092025"),
|
|
471
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
472
|
+
"51384786472009184561173"));
|
|
473
|
+
|
|
474
|
+
N n("377732104077222810948432467983836545945051582234611510526750448658884410"
|
|
475
|
+
"8848");
|
|
476
|
+
for (auto _ : state) {
|
|
477
|
+
p = ec_32543.scalar_multf(p, n);
|
|
478
|
+
}
|
|
479
|
+
}
|
|
480
|
+
BENCHMARK(BM_scalar);
|
|
481
|
+
|
|
482
|
+
void BM_commit(benchmark::State& state) {
|
|
483
|
+
auto p = ec_32543.point(
|
|
484
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
485
|
+
"507506027505728800092025"),
|
|
486
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
487
|
+
"51384786472009184561173"));
|
|
488
|
+
|
|
489
|
+
using N = EC32543::N;
|
|
490
|
+
N n("377732104077222810948432467983836545945051582234611510526750448658884410"
|
|
491
|
+
"8848");
|
|
492
|
+
|
|
493
|
+
auto r = ec_32543.zero();
|
|
494
|
+
|
|
495
|
+
size_t LEN = state.range(0);
|
|
496
|
+
for (auto _ : state) {
|
|
497
|
+
for (size_t j = 0; j < LEN; ++j) {
|
|
498
|
+
p = ec_32543.scalar_multf(p, n);
|
|
499
|
+
ec_32543.addE(r, p);
|
|
500
|
+
}
|
|
501
|
+
}
|
|
502
|
+
}
|
|
503
|
+
BENCHMARK(BM_commit)->Range(1 << 10, 1 << 22);
|
|
504
|
+
|
|
505
|
+
void BM_multiexp(benchmark::State& state) {
|
|
506
|
+
auto g = ec_32543.point(
|
|
507
|
+
f_32543.of_string("104494200016653967385948977022237419181744316220626192"
|
|
508
|
+
"507506027505728800092025"),
|
|
509
|
+
f_32543.of_string("889447450485075202500625068071632266623496538812584765"
|
|
510
|
+
"51384786472009184561173"));
|
|
511
|
+
size_t n = state.range(0);
|
|
512
|
+
|
|
513
|
+
std::mt19937 rng;
|
|
514
|
+
std::uniform_int_distribution<uint64_t> dist;
|
|
515
|
+
|
|
516
|
+
using ECPoint = EC32543::ECPoint;
|
|
517
|
+
using N = EC32543::N;
|
|
518
|
+
|
|
519
|
+
std::vector<ECPoint> p(n);
|
|
520
|
+
std::vector<ECPoint> p1(n);
|
|
521
|
+
std::vector<N> s(n);
|
|
522
|
+
std::vector<N> s1(n);
|
|
523
|
+
|
|
524
|
+
// Generate random inputs for multi-exp.
|
|
525
|
+
p[0] = g;
|
|
526
|
+
s[0] = N(1);
|
|
527
|
+
for (size_t i = 1; i < n; ++i) {
|
|
528
|
+
p[i] = ec_32543.doubleEf(p[i - 1]);
|
|
529
|
+
std::array<uint64_t, N::kU64> init;
|
|
530
|
+
for (size_t j = 0; j < N::kU64; ++j) {
|
|
531
|
+
init[j] = dist(rng);
|
|
532
|
+
}
|
|
533
|
+
s[i] = N(init);
|
|
534
|
+
}
|
|
535
|
+
|
|
536
|
+
for (auto _ : state) {
|
|
537
|
+
// Need to copy inputs, because scalar_multf consumes them.
|
|
538
|
+
for (size_t i = 0; i < n; ++i) {
|
|
539
|
+
p1[i] = p[i];
|
|
540
|
+
s1[i] = s[i];
|
|
541
|
+
}
|
|
542
|
+
ec_32543.scalar_multf(n, &p1[0], &s1[0]);
|
|
543
|
+
}
|
|
544
|
+
}
|
|
545
|
+
BENCHMARK(BM_multiexp)->RangeMultiplier(4)->Range(1 << 10, 1 << 22);
|
|
546
|
+
|
|
547
|
+
} // namespace
|
|
548
|
+
} // namespace proofs
|
|
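--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-SOURCE
@@ -0,0 +1,36 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ec/p256.h"
+
+namespace proofs {
+const Fp256Base p256_base;
+
+const Fp256Nat n256_order(
+"0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551");
+
+const Fp256Scalar p256_scalar(n256_order);
+
+const P256 p256(
+p256_base.of_string("115792089210356248762697446949407573530086143415290314"
+"195533631308867097853948"), /* a for curve*/
+p256_base.of_string("410583637251521421293261297800472684091144410159937255"
+"54835256314039467401291"), /* b for curve*/
+p256_base.of_string("484395612939064517590525852527979142027629495260417479"
+"95844080717082404635286"), /* generator x coordinate */
+p256_base.of_string("361342509567497957985851279195878819566111066729850150"
+"71877198253568414405109"), /* generator y coordinate */
+p256_base);
+
+} // namespace proofs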
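Review bot: p256_base, n256_order, p256_scalar and p256 (file lines 18–34) are namespace-scope objects with dynamic initialization, since their constructors parse strings and build field elements, so a global in any other translation unit that reads `p256` during its own static initialization is subject to unordered initialization across TUs; inside this file the order is correct (n256_order before p256_scalar before p256), but nothing stops a foreign TU from observing a not-yet-constructed curve. If the intent is that these are only touched after main() begins, stating it keeps the next maintainer from adding such a global, e.g. `// Dynamically initialized: do not reference from other TUs' static initializers.`; otherwise a function-local static accessor is the usual remedy. The p256k1 definitions in the last hunk on this page have the same shape. Separately, the `/* a for curve*/` comment would make the constant verifiable at a glance if it said the value is p - 3 (i.e. a = -3 mod p), which is the property the `doubleEMinus3A` test at the top of this page exercises.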
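--- /dev/null
+++ b/ec/p256.h
@@ -0,0 +1,60 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_EC_P256_H_
+#define PRIVACY_PROOFS_ZK_LIB_EC_P256_H_
+
+/*
+This file declares the one instance of the P256 curve and its related fields.
+There should be only one instance of this curve in any program due to the
+typing conventions.
+
+This curve is also known as secp256r1 and prime256v1.
+
+It is defined over the base field F_p for
+p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
+= 115792089210356248762697446949407573530086143415290314195533631308867097853951
+
+and has an order of
+0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
+115792089210356248762697446949407573529996955224135760342422259061068512044369
+
+
+*/
+
+#include "algebra/fp.h"
+#include "algebra/fp_p256.h"
+#include "ec/elliptic_curve.h"
+
+namespace proofs {
+
+using Fp256Base = Fp256<true>;
+using Fp256Scalar = Fp<4, true>;
+using Fp256Nat = Fp256Base::N;
+
+// This is the base field of the curve.
+extern const Fp256Base p256_base;
+
+// Order of the curve.
+extern const Fp256Nat n256_order;
+
+// This field allows operations mod the order of the curve.
+extern const Fp256Scalar p256_scalar;
+
+typedef EllipticCurve<Fp256Base, 4, 256> P256;
+
+extern const P256 p256;
+} // namespace proofs
+
+#endif // PRIVACY_PROOFS_ZK_LIB_EC_P256_H_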
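Review bot: `typedef EllipticCurve<Fp256Base, 4, 256> P256;` at file line 55 is the only typedef in a header whose other three aliases (lines 42–44) are spelled with `using`; `using P256 = EllipticCurve<Fp256Base, 4, 256>;` keeps the file to one alias style and matches the modern form the rest of the header already uses. The header comment's "due to the typing conventions" (lines 20–21) does not say what convention forces a single instance, and the `extern const` declarations below cannot enforce it; one sentence naming the reason, or a pointer to where it is documented, would make the constraint actionable for someone tempted to construct a second `P256`.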
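--- /dev/null
+++ b/PATH-NOT-SHOWN-IN-SOURCE
@@ -0,0 +1,34 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ec/p256k1.h"
+
+namespace proofs {
+const Fp256k1Base p256k1_base;
+
+const Fp256k1Nat n256k1_order(
+"0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141");
+
+const Fp256k1Scalar p256k1_scalar(n256k1_order);
+
+const P256k1 p256k1(
+p256k1_base.zero(), /* a = 0 */
+p256k1_base.of_string("7"), /* b = 7 */
+p256k1_base.of_string("0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959"
+"F2815B16F81798"), /* Gx */
+p256k1_base.of_string("0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C"
+"47D08FFB10D4B8"), /* Gy */
+p256k1_base);
+
+} // namespace proofs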
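Review bot: The generator coordinates at file lines 28–31 are uppercase hex literals, `n256k1_order` at line 21 is lowercase hex, and the sibling p256 definitions earlier on this page spell their parameters in decimal; settling on one radix and one letter case across the two curve files makes cross-checking against the published parameters a straight comparison rather than a conversion. A short comment naming the source the values were transcribed from, in the way the p256 header lists p and the order in both radices, would serve the same purpose for this curve, e.g. `// Parameters transcribed from the secp256k1 specification; Gx/Gy as big-endian hex.`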