longfellow 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CODE_OF_CONDUCT.md +10 -0
- data/LICENSE.txt +21 -0
- data/README.md +152 -0
- data/ext/longfellow/CMakeLists.txt +76 -0
- data/ext/longfellow/extconf.rb +77 -0
- data/lib/longfellow/attribute.rb +65 -0
- data/lib/longfellow/c.rb +105 -0
- data/lib/longfellow/errors.rb +78 -0
- data/lib/longfellow/version.rb +5 -0
- data/lib/longfellow/zk_spec.rb +40 -0
- data/lib/longfellow.rb +162 -0
- data/sig/longfellow.rbs +74 -0
- data/vendor/longfellow-zk/LICENSE +203 -0
- data/vendor/longfellow-zk/lib/algebra/blas.h +121 -0
- data/vendor/longfellow-zk/lib/algebra/bogorng.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/compare.h +40 -0
- data/vendor/longfellow-zk/lib/algebra/convolution.h +219 -0
- data/vendor/longfellow-zk/lib/algebra/crt.cc +42 -0
- data/vendor/longfellow-zk/lib/algebra/crt.h +299 -0
- data/vendor/longfellow-zk/lib/algebra/crt_convolution.h +114 -0
- data/vendor/longfellow-zk/lib/algebra/crt_test.cc +371 -0
- data/vendor/longfellow-zk/lib/algebra/fft.h +104 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation.h +304 -0
- data/vendor/longfellow-zk/lib/algebra/fft_interpolation_test.cc +168 -0
- data/vendor/longfellow-zk/lib/algebra/fft_test.cc +257 -0
- data/vendor/longfellow-zk/lib/algebra/fp.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/fp2.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/fp24.h +342 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6.h +305 -0
- data/vendor/longfellow-zk/lib/algebra/fp24_6_test.cc +197 -0
- data/vendor/longfellow-zk/lib/algebra/fp2_test.cc +280 -0
- data/vendor/longfellow-zk/lib/algebra/fp_generic.h +533 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p128.h +91 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256.h +68 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p256k1.h +123 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p384.h +65 -0
- data/vendor/longfellow-zk/lib/algebra/fp_p521.h +62 -0
- data/vendor/longfellow-zk/lib/algebra/fp_test.cc +522 -0
- data/vendor/longfellow-zk/lib/algebra/hash.h +39 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation.h +117 -0
- data/vendor/longfellow-zk/lib/algebra/interpolation_test.cc +74 -0
- data/vendor/longfellow-zk/lib/algebra/limb.h +153 -0
- data/vendor/longfellow-zk/lib/algebra/limb_test.cc +75 -0
- data/vendor/longfellow-zk/lib/algebra/nat.cc +32 -0
- data/vendor/longfellow-zk/lib/algebra/nat.h +212 -0
- data/vendor/longfellow-zk/lib/algebra/nat_test.cc +183 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumer_test.cc +138 -0
- data/vendor/longfellow-zk/lib/algebra/nussbaumerfp2_test.cc +139 -0
- data/vendor/longfellow-zk/lib/algebra/permutations.h +79 -0
- data/vendor/longfellow-zk/lib/algebra/poly.h +240 -0
- data/vendor/longfellow-zk/lib/algebra/poly_test.cc +123 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon.h +150 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h +108 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc +76 -0
- data/vendor/longfellow-zk/lib/algebra/reed_solomon_test.cc +473 -0
- data/vendor/longfellow-zk/lib/algebra/rfft.h +400 -0
- data/vendor/longfellow-zk/lib/algebra/rfft_test.cc +102 -0
- data/vendor/longfellow-zk/lib/algebra/static_string.h +29 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep.h +495 -0
- data/vendor/longfellow-zk/lib/algebra/sysdep_test.cc +41 -0
- data/vendor/longfellow-zk/lib/algebra/twiddle.h +59 -0
- data/vendor/longfellow-zk/lib/algebra/utility.h +86 -0
- data/vendor/longfellow-zk/lib/algebra/utility_test.cc +86 -0
- data/vendor/longfellow-zk/lib/arrays/affine.h +56 -0
- data/vendor/longfellow-zk/lib/arrays/affine_test.cc +220 -0
- data/vendor/longfellow-zk/lib/arrays/dense.h +210 -0
- data/vendor/longfellow-zk/lib/arrays/eq.h +75 -0
- data/vendor/longfellow-zk/lib/arrays/eqs.h +137 -0
- data/vendor/longfellow-zk/lib/arrays/eqs_test.cc +151 -0
- data/vendor/longfellow-zk/lib/arrays/sparse.h +192 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder.h +323 -0
- data/vendor/longfellow-zk/lib/cbor/host_decoder_test.cc +541 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor.h +594 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck.h +110 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_pluck_test.cc +55 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_test.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_testing.h +98 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/cbor_witness.h +312 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso2_test.cc +662 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/mso_test.cc +485 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan.h +104 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser/scan_test.cc +137 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor.h +640 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_byte_decoder_test.cc +147 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_testing.h +99 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/cbor_witness.h +319 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/lexer_test.cc +120 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/mdoc_examples_test.cc +89 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_circuit_test.cc +506 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_size_test.cc +79 -0
- data/vendor/longfellow-zk/lib/circuits/cbor_parser_v2/parser_test.cc +473 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/canonicalization_test.cc +185 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/circuit_dump.h +65 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler.h +471 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/compiler_test.cc +110 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/node.h +176 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/pdqhash.h +127 -0
- data/vendor/longfellow-zk/lib/circuits/compiler/schedule.h +435 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_circuit.h +371 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_external_test.cc +246 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_test.cc +587 -0
- data/vendor/longfellow-zk/lib/circuits/ecdsa/verify_witness.h +201 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_adder_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker.h +247 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_constants.h +35 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_encoder.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/logic/bit_plucker_test.cc +183 -0
- data/vendor/longfellow-zk/lib/circuits/logic/compiler_backend.h +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/logic/counter_test.cc +102 -0
- data/vendor/longfellow-zk/lib/circuits/logic/evaluation_backend.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic.h +1232 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_circuit_test.cc +310 -0
- data/vendor/longfellow-zk/lib/circuits/logic/logic_test.cc +521 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp.h +68 -0
- data/vendor/longfellow-zk/lib/circuits/logic/memcmp_test.cc +148 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/logic/polynomial_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing.h +445 -0
- data/vendor/longfellow-zk/lib/circuits/logic/routing_test.cc +241 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary.h +55 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker.h +77 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_constants.h +37 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_plucker_test.cc +53 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_size_test.cc +69 -0
- data/vendor/longfellow-zk/lib/circuits/logic/unary_test.cc +62 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit.h +193 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_circuit_test.cc +223 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_reference.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/mac/mac_witness.h +94 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/circuit_maker.cc +242 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_ids.h +311 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_attribute_test.cc +64 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_circuit_id.cc +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_constants.h +85 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.cc +41 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_decompress.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_examples.h +5232 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_generate_circuit.cc +199 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_hash.h +554 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature.h +143 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_signature_test.cc +444 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_test_attributes.h +157 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_witness.h +863 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.cc +693 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk.h +216 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/mdoc_zk_test.cc +724 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec.cc +100 -0
- data/vendor/longfellow-zk/lib/circuits/mdoc/zk_spec_test.cc +155 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit.h +330 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_circuit_test.cc +607 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_io.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.cc +163 -0
- data/vendor/longfellow-zk/lib/circuits/sha/flatsha256_witness.h +47 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.cc +34 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_constants.h +27 -0
- data/vendor/longfellow-zk/lib/circuits/sha/sha256_test_values.h +389 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/ptrcred.h +171 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small.h +218 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_examples.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_io.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_test.cc +208 -0
- data/vendor/longfellow-zk/lib/circuits/tests/anoncred/small_witness.h +130 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode.h +508 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_circuit_test.cc +95 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_test.cc +119 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.cc +47 -0
- data/vendor/longfellow-zk/lib/circuits/tests/base64/decode_util.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit.h +231 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_circuit_test.cc +428 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ec/pk_witness.h +102 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt.h +190 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_constants.h +26 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_test.cc +559 -0
- data/vendor/longfellow-zk/lib/circuits/tests/jwt/jwt_witness.h +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f.h +411 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_io.h +32 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_test.cc +364 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_1f_witness.h +278 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation.h +146 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_constants.h +25 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_test.cc +315 -0
- data/vendor/longfellow-zk/lib/circuits/tests/mdoc/mdoc_revocation_witness.h +136 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr.h +250 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_test.cc +333 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/bitaddr/bitaddr_witness.h +152 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44.h +903 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_circuit_test.cc +274 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_eval_test.cc +440 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.cc +8851 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_examples.h +93 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.cc +24 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_types.h +118 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h +453 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc +49 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc +458 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h +150 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test.cc +398 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors.inc +3618 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_pkdecode.inc +689 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref_test_vectors_sigdecode.inc +1501 -0
- data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/sigdecode_test_vectors.inc +540 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit.h +394 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_circuit_test.cc +577 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_constants.h +90 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.cc +174 -0
- data/vendor/longfellow-zk/lib/circuits/tests/ripemd/ripemd_witness.h +140 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit.h +351 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_circuit_test.cc +466 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.cc +207 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference.h +59 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_reference_test.cc +153 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.cc +39 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_round_constants.h +29 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_slicing.h +31 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.cc +83 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/sha3_witness.h +72 -0
- data/vendor/longfellow-zk/lib/circuits/tests/sha3/shake_test_vectors.h +477 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve.h +596 -0
- data/vendor/longfellow-zk/lib/ec/elliptic_curve_test.cc +548 -0
- data/vendor/longfellow-zk/lib/ec/p256.cc +36 -0
- data/vendor/longfellow-zk/lib/ec/p256.h +60 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.cc +34 -0
- data/vendor/longfellow-zk/lib/ec/p256k1.h +60 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128.h +503 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_bench.cc +48 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2_128_test.cc +416 -0
- data/vendor/longfellow-zk/lib/gf2k/gf2poly.h +74 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14.h +242 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc +75 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h +127 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc +110 -0
- data/vendor/longfellow-zk/lib/gf2k/lch14_test.cc +246 -0
- data/vendor/longfellow-zk/lib/gf2k/sysdep.h +329 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_param.h +449 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_prover.h +354 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_test.cc +136 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_transcript.h +67 -0
- data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h +272 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h +104 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree.h +216 -0
- data/vendor/longfellow-zk/lib/merkle/merkle_tree_test.cc +240 -0
- data/vendor/longfellow-zk/lib/proto/circuit.h +354 -0
- data/vendor/longfellow-zk/lib/proto/circuit_test.cc +202 -0
- data/vendor/longfellow-zk/lib/random/random.h +119 -0
- data/vendor/longfellow-zk/lib/random/random_test.cc +189 -0
- data/vendor/longfellow-zk/lib/random/secure_random_engine.h +37 -0
- data/vendor/longfellow-zk/lib/random/transcript.h +193 -0
- data/vendor/longfellow-zk/lib/random/transcript_test.cc +344 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit.h +148 -0
- data/vendor/longfellow-zk/lib/sumcheck/circuit_id.h +71 -0
- data/vendor/longfellow-zk/lib/sumcheck/equad.h +126 -0
- data/vendor/longfellow-zk/lib/sumcheck/hquad.h +115 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover.h +59 -0
- data/vendor/longfellow-zk/lib/sumcheck/prover_layers.h +362 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad.h +227 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_builder.h +211 -0
- data/vendor/longfellow-zk/lib/sumcheck/quad_test.cc +169 -0
- data/vendor/longfellow-zk/lib/sumcheck/sumcheck_test.cc +324 -0
- data/vendor/longfellow-zk/lib/sumcheck/testing.h +69 -0
- data/vendor/longfellow-zk/lib/sumcheck/transcript_sumcheck.h +85 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier.h +84 -0
- data/vendor/longfellow-zk/lib/sumcheck/verifier_layers.h +221 -0
- data/vendor/longfellow-zk/lib/testing/test_main.cc +50 -0
- data/vendor/longfellow-zk/lib/util/ceildiv.h +164 -0
- data/vendor/longfellow-zk/lib/util/ceildiv_test.cc +152 -0
- data/vendor/longfellow-zk/lib/util/crc64.h +45 -0
- data/vendor/longfellow-zk/lib/util/crypto.cc +39 -0
- data/vendor/longfellow-zk/lib/util/crypto.h +108 -0
- data/vendor/longfellow-zk/lib/util/log.cc +110 -0
- data/vendor/longfellow-zk/lib/util/log.h +33 -0
- data/vendor/longfellow-zk/lib/util/panic.h +40 -0
- data/vendor/longfellow-zk/lib/util/readbuffer.h +67 -0
- data/vendor/longfellow-zk/lib/util/serialization.h +54 -0
- data/vendor/longfellow-zk/lib/zk/zk_common.h +455 -0
- data/vendor/longfellow-zk/lib/zk/zk_proof.h +378 -0
- data/vendor/longfellow-zk/lib/zk/zk_prover.h +202 -0
- data/vendor/longfellow-zk/lib/zk/zk_test.cc +340 -0
- data/vendor/longfellow-zk/lib/zk/zk_testing.h +154 -0
- data/vendor/longfellow-zk/lib/zk/zk_verifier.h +109 -0
- metadata +347 -0
|
@@ -0,0 +1,416 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#include "gf2k/gf2_128.h"
|
|
16
|
+
|
|
17
|
+
#include <algorithm>
|
|
18
|
+
#include <array>
|
|
19
|
+
#include <cstddef>
|
|
20
|
+
#include <cstdint>
|
|
21
|
+
#include <optional>
|
|
22
|
+
#include <vector>
|
|
23
|
+
|
|
24
|
+
#include "algebra/blas.h"
|
|
25
|
+
#include "algebra/bogorng.h"
|
|
26
|
+
#include "algebra/compare.h"
|
|
27
|
+
#include "algebra/poly.h"
|
|
28
|
+
#include "gtest/gtest.h"
|
|
29
|
+
|
|
30
|
+
namespace proofs {
|
|
31
|
+
namespace {
|
|
32
|
+
|
|
33
|
+
using Field = GF2_128<4>;
|
|
34
|
+
using Elt = Field::Elt;
|
|
35
|
+
using CElt = Field::CElt;
|
|
36
|
+
const Field F;
|
|
37
|
+
|
|
38
|
+
/* Reference GF(2^128) implementation */
|
|
39
|
+
struct ref_gf2_128 {
|
|
40
|
+
uint64_t l;
|
|
41
|
+
uint64_t h;
|
|
42
|
+
bool operator==(const ref_gf2_128& y) const { return l == y.l && h == y.h; }
|
|
43
|
+
};
|
|
44
|
+
|
|
45
|
+
ref_gf2_128 ref_gf2_128_xor(ref_gf2_128 a, ref_gf2_128 b) {
|
|
46
|
+
return ref_gf2_128{a.l ^ b.l, a.h ^ b.h};
|
|
47
|
+
}
|
|
48
|
+
ref_gf2_128 ref_gf2_128_shl(ref_gf2_128 a, size_t n) {
|
|
49
|
+
if (n == 0) {
|
|
50
|
+
return a;
|
|
51
|
+
} else if (n >= 128) {
|
|
52
|
+
return ref_gf2_128{};
|
|
53
|
+
} else if (n >= 64) {
|
|
54
|
+
return ref_gf2_128{0, (a.l << (n - 64))};
|
|
55
|
+
} else {
|
|
56
|
+
return ref_gf2_128{(a.l << n), (a.h << n) | (a.l >> (64 - n))};
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
static ref_gf2_128 refmul(ref_gf2_128 x, ref_gf2_128 y) {
|
|
61
|
+
static const ref_gf2_128 poly{0x87, 0};
|
|
62
|
+
ref_gf2_128 a{};
|
|
63
|
+
for (size_t i = 0; i < 128; ++i) {
|
|
64
|
+
uint64_t msb = a.h & 0x8000000000000000ull;
|
|
65
|
+
a = ref_gf2_128_shl(a, 1);
|
|
66
|
+
if (msb) {
|
|
67
|
+
a = ref_gf2_128_xor(a, poly);
|
|
68
|
+
}
|
|
69
|
+
if (y.h & 0x8000000000000000ull) {
|
|
70
|
+
a = ref_gf2_128_xor(a, x);
|
|
71
|
+
}
|
|
72
|
+
y = ref_gf2_128_shl(y, 1);
|
|
73
|
+
}
|
|
74
|
+
return a;
|
|
75
|
+
}
|
|
76
|
+
|
|
77
|
+
static Elt of_ref(const ref_gf2_128& ref) {
|
|
78
|
+
std::array<uint64_t, 2> u{ref.l, ref.h};
|
|
79
|
+
return F.of_scalar_field(u);
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
TEST(GF2_128, Constants) {
|
|
83
|
+
ref_gf2_128 zero = {0, 0};
|
|
84
|
+
ref_gf2_128 one = {1, 0};
|
|
85
|
+
ref_gf2_128 x = {2, 0};
|
|
86
|
+
EXPECT_EQ(F.zero(), of_ref(zero));
|
|
87
|
+
EXPECT_EQ(F.one(), of_ref(one));
|
|
88
|
+
EXPECT_EQ(F.x(), of_ref(x));
|
|
89
|
+
|
|
90
|
+
EXPECT_EQ(F.zero(), F.invertf(F.zero()));
|
|
91
|
+
|
|
92
|
+
EXPECT_EQ(F.one(), F.mulf(F.x(), F.invx()));
|
|
93
|
+
EXPECT_EQ(F.invx(), F.invertf(F.x()));
|
|
94
|
+
EXPECT_EQ(F.x(), F.invertf(F.invx()));
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
TEST(GF2_128, Invert0) {
|
|
98
|
+
for (uint64_t i = 1; i < 1000; ++i) {
|
|
99
|
+
Elt fi = F.of_scalar(i);
|
|
100
|
+
EXPECT_EQ(F.one(), F.mulf(fi, F.invertf(fi)));
|
|
101
|
+
}
|
|
102
|
+
for (uint64_t i = 1; i < 1000; ++i) {
|
|
103
|
+
Elt fi = F.of_scalar_field(i);
|
|
104
|
+
EXPECT_EQ(F.one(), F.mulf(fi, F.invertf(fi)));
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
TEST(GF2_128, Invert1) {
|
|
109
|
+
Elt a = F.x(), b = F.invx();
|
|
110
|
+
for (uint64_t i = 0; i < 1000; ++i) {
|
|
111
|
+
EXPECT_EQ(F.one(), F.mulf(a, b));
|
|
112
|
+
F.mul(a, F.x());
|
|
113
|
+
F.mul(b, F.invx());
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
TEST(GF2_128, Cmp) {
|
|
118
|
+
ref_gf2_128 one = {1, 0};
|
|
119
|
+
for (size_t i = 0; i < 128; ++i) {
|
|
120
|
+
for (size_t j = 0; j < 128; ++j) {
|
|
121
|
+
ref_gf2_128 x = ref_gf2_128_shl(one, i);
|
|
122
|
+
ref_gf2_128 y = ref_gf2_128_shl(one, j);
|
|
123
|
+
EXPECT_EQ(x == y, of_ref(x) == of_ref(y));
|
|
124
|
+
EXPECT_EQ(i == j, of_ref(x) == of_ref(y));
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
|
|
129
|
+
TEST(GF2_128, Mul) {
|
|
130
|
+
ref_gf2_128 one = {1, 0};
|
|
131
|
+
for (size_t i = 0; i < 129; ++i) {
|
|
132
|
+
for (size_t j = 0; j < 129; ++j) {
|
|
133
|
+
ref_gf2_128 x = ref_gf2_128_shl(one, i);
|
|
134
|
+
ref_gf2_128 y = ref_gf2_128_shl(one, j);
|
|
135
|
+
ref_gf2_128 a = refmul(x, y);
|
|
136
|
+
Elt b = F.mulf(of_ref(x), of_ref(y));
|
|
137
|
+
EXPECT_EQ(of_ref(a), b);
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
|
|
142
|
+
TEST(GF2_128, PolyEvaluationPoint) {
|
|
143
|
+
constexpr size_t N = Field::kNPolyEvaluationPoints;
|
|
144
|
+
for (size_t i = 0; i < N; i++) {
|
|
145
|
+
EXPECT_TRUE(F.in_subfield(F.poly_evaluation_point(i)));
|
|
146
|
+
for (size_t j = 0; j < N; j++) {
|
|
147
|
+
if (i != j) {
|
|
148
|
+
EXPECT_NE(F.poly_evaluation_point(i), F.poly_evaluation_point(j));
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
for (size_t i = 1; i < N; i++) {
|
|
153
|
+
for (size_t k = N; k-- > i;) {
|
|
154
|
+
auto dx =
|
|
155
|
+
F.subf(F.poly_evaluation_point(k), F.poly_evaluation_point(k - i));
|
|
156
|
+
EXPECT_EQ(F.one(), F.mulf(dx, F.newton_denominator(k, i)));
|
|
157
|
+
}
|
|
158
|
+
}
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
template <size_t N>
|
|
162
|
+
void one_test_eval_lagrange() {
|
|
163
|
+
using T = Poly<N, Field>;
|
|
164
|
+
Bogorng<Field> rng(&F);
|
|
165
|
+
const typename T::dot_interpolation dot_interp(F);
|
|
166
|
+
|
|
167
|
+
T C, L;
|
|
168
|
+
for (size_t iter = 0; iter < 10; ++iter) {
|
|
169
|
+
for (size_t i = 0; i < N; ++i) {
|
|
170
|
+
C[i] = rng.next();
|
|
171
|
+
}
|
|
172
|
+
|
|
173
|
+
for (size_t i = 0; i < N; ++i) {
|
|
174
|
+
// Lagrange basis
|
|
175
|
+
L[i] = C.eval_monomial(F.poly_evaluation_point(i), F);
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
for (size_t iter1 = 0; iter1 < 10; iter1++) {
|
|
179
|
+
Elt r = rng.next();
|
|
180
|
+
Elt got_val = L.eval_lagrange(r, F);
|
|
181
|
+
Elt want_val = C.eval_monomial(r, F);
|
|
182
|
+
EXPECT_EQ(got_val, want_val);
|
|
183
|
+
|
|
184
|
+
T coef = dot_interp.coef(r, F);
|
|
185
|
+
Elt got_dot = Blas<Field>::dot(N, &coef[0], 1, &L[0], 1, F);
|
|
186
|
+
EXPECT_EQ(got_dot, want_val);
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
}
|
|
190
|
+
|
|
191
|
+
TEST(GF2_128, EvalLagrange) {
|
|
192
|
+
one_test_eval_lagrange<1>();
|
|
193
|
+
one_test_eval_lagrange<2>();
|
|
194
|
+
one_test_eval_lagrange<3>();
|
|
195
|
+
one_test_eval_lagrange<4>();
|
|
196
|
+
one_test_eval_lagrange<5>();
|
|
197
|
+
one_test_eval_lagrange<6>();
|
|
198
|
+
}
|
|
199
|
+
|
|
200
|
+
// Ensure no short loops in Bogorng.
|
|
201
|
+
// Bogorng is optimized for prime fields. This test ensures
|
|
202
|
+
// the parameters do not break simple testing for GF2_128.
|
|
203
|
+
TEST(GF2_128, Bogorng) {
|
|
204
|
+
Bogorng<Field> rng(&F);
|
|
205
|
+
Elt start = rng.next();
|
|
206
|
+
for (size_t i = 0; i < 1000000; ++i) {
|
|
207
|
+
Elt x = rng.next();
|
|
208
|
+
EXPECT_NE(x, start);
|
|
209
|
+
}
|
|
210
|
+
}
|
|
211
|
+
|
|
212
|
+
template <size_t N>
|
|
213
|
+
void one_test_extend() {
|
|
214
|
+
using T2 = Poly<2, Field>;
|
|
215
|
+
using FT = Poly<N, Field>;
|
|
216
|
+
Bogorng<Field> rng(&F);
|
|
217
|
+
|
|
218
|
+
// Test the linear extension. Start with a polynomial
|
|
219
|
+
// L2 of degree <2, and extend it to a polynomial L
|
|
220
|
+
// of degree <N, then evaluate both at random points.
|
|
221
|
+
for (size_t iter = 0; iter < 10; ++iter) {
|
|
222
|
+
T2 L2;
|
|
223
|
+
L2[0] = rng.next();
|
|
224
|
+
L2[1] = rng.next();
|
|
225
|
+
|
|
226
|
+
FT L = FT::extend(L2, F);
|
|
227
|
+
|
|
228
|
+
for (size_t iter1 = 0; iter1 < 10; iter1++) {
|
|
229
|
+
Elt r = rng.next();
|
|
230
|
+
Elt got = L.eval_lagrange(r, F);
|
|
231
|
+
Elt got2 = L2.eval_lagrange(r, F);
|
|
232
|
+
EXPECT_EQ(got, got2);
|
|
233
|
+
}
|
|
234
|
+
}
|
|
235
|
+
}
|
|
236
|
+
|
|
237
|
+
TEST(GF2_128, Extend) {
|
|
238
|
+
one_test_extend<2>();
|
|
239
|
+
one_test_extend<3>();
|
|
240
|
+
one_test_extend<4>();
|
|
241
|
+
one_test_extend<5>();
|
|
242
|
+
one_test_extend<6>();
|
|
243
|
+
}
|
|
244
|
+
|
|
245
|
+
void expect_order(size_t log_order, const Elt x0) {
|
|
246
|
+
// EXPECT_NE(x, x0) is necessary but not sufficient. We should
|
|
247
|
+
// really check all factors of (2^log_order-1). At the very least
|
|
248
|
+
// this test prevents confusing x() with the generator of the
|
|
249
|
+
// subfield.
|
|
250
|
+
Elt x = F.mulf(x0, x0);
|
|
251
|
+
for (size_t i = 1; i < log_order; ++i) {
|
|
252
|
+
EXPECT_NE(x, x0);
|
|
253
|
+
F.mul(x, x);
|
|
254
|
+
}
|
|
255
|
+
EXPECT_EQ(x, x0);
|
|
256
|
+
}
|
|
257
|
+
|
|
258
|
+
TEST(GF2_128, X) {
|
|
259
|
+
expect_order(Field::kBits, F.x());
|
|
260
|
+
expect_order(Field::kBits, F.invx());
|
|
261
|
+
}
|
|
262
|
+
|
|
263
|
+
TEST(GF2_128, Beta) {
|
|
264
|
+
EXPECT_EQ(F.beta(0), F.one());
|
|
265
|
+
|
|
266
|
+
Elt r(F.beta(1));
|
|
267
|
+
|
|
268
|
+
// Expected: x^126 + x^124 + x^123 + x^122 + x^118 + x^116 + x^115 +
|
|
269
|
+
// x^112 + x^110 + x^109 + x^108 + x^104 + x^103 + x^98 + x^97 +
|
|
270
|
+
// x^96 + x^94 + x^93 + x^92 + x^90 + x^88 + x^80 + x^79 + x^78 +
|
|
271
|
+
// x^76 + x^74 + x^71 + x^69 + x^68 + x^67 + x^63 + x^62 + x^61 +
|
|
272
|
+
// x^60 + x^56 + x^55 + x^50 + x^49 + x^48 + x^44 + x^43 + x^42 +
|
|
273
|
+
// x^41 + x^32 + x^31 + x^29 + x^28 + x^26 + x^25 + x^22 + x^19 +
|
|
274
|
+
// x^18 + x^17 + x^16 + x^15 + x^14 + x^12 + x^11 + x^9 + x^6 + x^3
|
|
275
|
+
// + x^2
|
|
276
|
+
std::array<uint64_t, 2> want = {0xF1871E01B64FDA4Cull, 0x5C5971877501D4B8ull};
|
|
277
|
+
EXPECT_EQ(r, F.of_scalar_field(want));
|
|
278
|
+
expect_order(Field::kSubFieldBits, F.beta(1));
|
|
279
|
+
|
|
280
|
+
for (size_t i = 0; i < Field::kSubFieldBits; ++i) {
|
|
281
|
+
EXPECT_TRUE(F.in_subfield(F.beta(i)));
|
|
282
|
+
}
|
|
283
|
+
}
|
|
284
|
+
|
|
285
|
+
TEST(GF2_128, OfScalar) {
|
|
286
|
+
// test that of_scalar() returns the expected linear
|
|
287
|
+
// combination of the basis
|
|
288
|
+
size_t n = 1 << F.kSubFieldBits;
|
|
289
|
+
for (size_t i = 0; i < n; ++i) {
|
|
290
|
+
Elt e = F.of_scalar(i);
|
|
291
|
+
EXPECT_TRUE(F.in_subfield(e));
|
|
292
|
+
|
|
293
|
+
Elt t = F.zero();
|
|
294
|
+
for (size_t k = 0, u = i; u != 0; ++k, u >>= 1) {
|
|
295
|
+
if (u & 1) {
|
|
296
|
+
F.add(t, F.beta(k));
|
|
297
|
+
}
|
|
298
|
+
}
|
|
299
|
+
EXPECT_EQ(t, e);
|
|
300
|
+
}
|
|
301
|
+
}
|
|
302
|
+
|
|
303
|
+
TEST(GF2_128, SubFieldSize) {
|
|
304
|
+
// test that all subfield elements are distinct
|
|
305
|
+
size_t n = 1u << F.kSubFieldBits;
|
|
306
|
+
std::vector<Elt> scalars(n);
|
|
307
|
+
|
|
308
|
+
for (uint64_t i = 0; i < n; ++i) {
|
|
309
|
+
scalars[i] = F.of_scalar(i);
|
|
310
|
+
}
|
|
311
|
+
std::sort(scalars.begin(), scalars.end(),
|
|
312
|
+
[&](const Elt& x, const Elt& y) { return elt_less_than(x, y, F); });
|
|
313
|
+
for (uint64_t i = 0; i + 1 < n; ++i) {
|
|
314
|
+
EXPECT_NE(scalars[i], scalars[i + 1]);
|
|
315
|
+
}
|
|
316
|
+
}
|
|
317
|
+
|
|
318
|
+
TEST(GF2_128, Counter) {
|
|
319
|
+
size_t n = (1u << F.kSubFieldBits) - 1u;
|
|
320
|
+
|
|
321
|
+
// test that all counters are distinct
|
|
322
|
+
std::vector<CElt> counters(n);
|
|
323
|
+
|
|
324
|
+
for (uint64_t i = 0; i < n; ++i) {
|
|
325
|
+
CElt ctr = F.as_counter(i);
|
|
326
|
+
Elt e = F.znz_indicator(ctr);
|
|
327
|
+
counters[i] = ctr;
|
|
328
|
+
|
|
329
|
+
if (i == 0) {
|
|
330
|
+
EXPECT_EQ(e, F.zero());
|
|
331
|
+
EXPECT_EQ(ctr.e, F.one());
|
|
332
|
+
} else {
|
|
333
|
+
EXPECT_NE(e, F.zero());
|
|
334
|
+
EXPECT_NE(ctr.e, F.one());
|
|
335
|
+
}
|
|
336
|
+
if (i == 1) {
|
|
337
|
+
EXPECT_EQ(ctr.e, F.g());
|
|
338
|
+
} else {
|
|
339
|
+
EXPECT_NE(ctr.e, F.g());
|
|
340
|
+
}
|
|
341
|
+
if (i == n - 1) {
|
|
342
|
+
EXPECT_EQ(ctr.e, F.invg());
|
|
343
|
+
} else {
|
|
344
|
+
EXPECT_NE(ctr.e, F.invg());
|
|
345
|
+
}
|
|
346
|
+
}
|
|
347
|
+
std::sort(
|
|
348
|
+
counters.begin(), counters.end(),
|
|
349
|
+
[&](const CElt& x, const CElt& y) { return elt_less_than(x.e, y.e, F); });
|
|
350
|
+
|
|
351
|
+
for (uint64_t i = 0; i + 1 < n; ++i) {
|
|
352
|
+
EXPECT_NE(counters[i], counters[i + 1]);
|
|
353
|
+
}
|
|
354
|
+
}
|
|
355
|
+
|
|
356
|
+
TEST(GF2_128, Bytes) {
|
|
357
|
+
size_t n = 1 << F.kSubFieldBits;
|
|
358
|
+
for (size_t i = 0; i < n; ++i) {
|
|
359
|
+
Elt e = F.of_scalar(i);
|
|
360
|
+
EXPECT_TRUE(F.in_subfield(e));
|
|
361
|
+
|
|
362
|
+
uint8_t sbuf[F.kSubFieldBytes];
|
|
363
|
+
F.to_bytes_subfield(sbuf, e);
|
|
364
|
+
auto es = F.of_bytes_subfield(sbuf);
|
|
365
|
+
EXPECT_TRUE(es != std::nullopt);
|
|
366
|
+
EXPECT_EQ(e, es.value());
|
|
367
|
+
|
|
368
|
+
uint8_t fbuf[F.kBytes];
|
|
369
|
+
F.to_bytes_field(fbuf, e);
|
|
370
|
+
auto ef = F.of_bytes_field(fbuf);
|
|
371
|
+
EXPECT_TRUE(ef != std::nullopt);
|
|
372
|
+
EXPECT_EQ(e, ef.value());
|
|
373
|
+
}
|
|
374
|
+
}
|
|
375
|
+
} // namespace
|
|
376
|
+
|
|
377
|
+
namespace subfield {
|
|
378
|
+
template <size_t subfield_log_bits>
|
|
379
|
+
void test_subfield() {
|
|
380
|
+
using Field = GF2_128<subfield_log_bits>;
|
|
381
|
+
using Elt = typename Field::Elt;
|
|
382
|
+
const Field F;
|
|
383
|
+
constexpr uint64_t k1 = 1; // for uint64_t type
|
|
384
|
+
|
|
385
|
+
// test injection into the subfield, but since the subfield may be
|
|
386
|
+
// too large for exhaustive check, only test on all combinations of
|
|
387
|
+
// three bits.
|
|
388
|
+
size_t l = F.kSubFieldBits;
|
|
389
|
+
|
|
390
|
+
for (size_t b0 = 0; b0 < l; ++b0) {
|
|
391
|
+
for (size_t b1 = 0; b1 < l; ++b1) {
|
|
392
|
+
for (size_t b2 = 0; b2 < l; ++b2) {
|
|
393
|
+
uint64_t i = (k1 << b0) ^ (k1 << b1) ^ (k1 << b2);
|
|
394
|
+
Elt e = F.of_scalar(i);
|
|
395
|
+
EXPECT_TRUE(F.in_subfield(e));
|
|
396
|
+
|
|
397
|
+
uint8_t sbuf[F.kSubFieldBytes];
|
|
398
|
+
F.to_bytes_subfield(sbuf, e);
|
|
399
|
+
auto es = F.of_bytes_subfield(sbuf);
|
|
400
|
+
EXPECT_TRUE(es != std::nullopt);
|
|
401
|
+
EXPECT_EQ(e, es.value());
|
|
402
|
+
}
|
|
403
|
+
}
|
|
404
|
+
}
|
|
405
|
+
}
|
|
406
|
+
|
|
407
|
+
TEST(GF2_128, Subfields) {
|
|
408
|
+
test_subfield<3>();
|
|
409
|
+
test_subfield<4>();
|
|
410
|
+
test_subfield<5>();
|
|
411
|
+
test_subfield<6>();
|
|
412
|
+
// not enough bits in uint64_t for a (1<<7)-bit subfield
|
|
413
|
+
}
|
|
414
|
+
|
|
415
|
+
} // namespace subfield
|
|
416
|
+
} // namespace proofs
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
// Copyright 2026 Google LLC.
|
|
2
|
+
//
|
|
3
|
+
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
4
|
+
// you may not use this file except in compliance with the License.
|
|
5
|
+
// You may obtain a copy of the License at
|
|
6
|
+
//
|
|
7
|
+
// http://www.apache.org/licenses/LICENSE-2.0
|
|
8
|
+
//
|
|
9
|
+
// Unless required by applicable law or agreed to in writing, software
|
|
10
|
+
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
11
|
+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
12
|
+
// See the License for the specific language governing permissions and
|
|
13
|
+
// limitations under the License.
|
|
14
|
+
|
|
15
|
+
#ifndef PRIVACY_PROOFS_ZK_LIB_GF2K_GF2POLY_H_
|
|
16
|
+
#define PRIVACY_PROOFS_ZK_LIB_GF2K_GF2POLY_H_
|
|
17
|
+
|
|
18
|
+
#include <array>
|
|
19
|
+
#include <cstddef>
|
|
20
|
+
#include <cstdint>
|
|
21
|
+
|
|
22
|
+
#include "algebra/limb.h"
|
|
23
|
+
|
|
24
|
+
namespace proofs {
|
|
25
|
+
|
|
26
|
+
// Rough equivalent of Nat<W64> but representing polynomials
|
|
27
|
+
// over GF2 instead of natural numbers.
|
|
28
|
+
template <size_t W64>
|
|
29
|
+
class GF2Poly : public Limb<W64> {
|
|
30
|
+
public:
|
|
31
|
+
using Super = Limb<W64>;
|
|
32
|
+
using T = GF2Poly<W64>;
|
|
33
|
+
using Super::kLimbs;
|
|
34
|
+
using Super::kU64;
|
|
35
|
+
using Super::limb_;
|
|
36
|
+
|
|
37
|
+
GF2Poly() = default; // uninitialized
|
|
38
|
+
explicit GF2Poly(uint64_t x) : Super(x) {}
|
|
39
|
+
|
|
40
|
+
explicit GF2Poly(const std::array<uint64_t, kU64>& a) : Super(a) {}
|
|
41
|
+
|
|
42
|
+
bool operator<(const T& other) const {
|
|
43
|
+
for (size_t i = kLimbs; i-- > 0;) {
|
|
44
|
+
if (limb_[i] < other.limb_[i]) {
|
|
45
|
+
return true;
|
|
46
|
+
}
|
|
47
|
+
if (limb_[i] > other.limb_[i]) {
|
|
48
|
+
return false;
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
return false;
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
// Interpret A[] as a little-endian nat
|
|
55
|
+
static T of_bytes(const uint8_t a[/* kBytes */]) {
|
|
56
|
+
T r;
|
|
57
|
+
for (size_t i = 0; i < kLimbs; ++i) {
|
|
58
|
+
a = Super::of_bytes(&r.limb_[i], a);
|
|
59
|
+
}
|
|
60
|
+
return r;
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
T& add(const T& y) {
|
|
64
|
+
for (size_t i = 0; i < kLimbs; ++i) {
|
|
65
|
+
limb_[i] ^= y.limb_[i];
|
|
66
|
+
}
|
|
67
|
+
return *this;
|
|
68
|
+
}
|
|
69
|
+
T& sub(const T& y) { return add(y); }
|
|
70
|
+
};
|
|
71
|
+
|
|
72
|
+
} // namespace proofs
|
|
73
|
+
|
|
74
|
+
#endif // PRIVACY_PROOFS_ZK_LIB_GF2K_GF2POLY_H_
|