longfellow 0.1.0

data/vendor/longfellow-zk/lib/ligero/ligero_verifier.h

@@ -0,0 +1,272 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_LIGERO_LIGERO_VERIFIER_H_
+#define PRIVACY_PROOFS_ZK_LIB_LIGERO_LIGERO_VERIFIER_H_
+
+#include <stddef.h>
+
+#include <array>
+#include <vector>
+
+#include "algebra/blas.h"
+#include "ligero/ligero_param.h"
+#include "ligero/ligero_transcript.h"
+#include "merkle/merkle_commitment.h"
+#include "random/transcript.h"
+#include "util/crypto.h"
+
+namespace proofs {
+template <class Field, class InterpolatorFactory>
+class LigeroVerifier {
+  using Elt = typename Field::Elt;
+
+ public:
+  static void receive_commitment(const LigeroCommitment<Field>& commitment,
+                                 Transcript& ts) {
+    // P -> V
+    LigeroTranscript<Field>::write_commitment(commitment, ts);
+  }
+
+  static bool verify(const char** why, const LigeroParam<Field>& p,
+                     const LigeroCommitment<Field>& commitment,
+                     const LigeroProof<Field>& proof, Transcript& ts, size_t nl,
+                     size_t nllterm,
+                     const LigeroLinearConstraint<Field> llterm[/*nllterm*/],
+                     const LigeroHash& hash_of_llterm, const Elt b[/*nl*/],
+                     const LigeroQuadraticConstraint lqc[/*nq*/],
+                     const InterpolatorFactory& interpolator, const Field& F) {
+    if (why == nullptr) {
+      return false;
+    }
+
+    std::vector<Elt> u_ldt(p.nwqrow);
+    std::vector<Elt> alphal(nl);
+    std::vector<std::array<Elt, 3>> alphaq(p.nq);
+    std::vector<Elt> u_quad(p.nqtriples);
+    std::vector<size_t> idx(p.nreq);
+
+    // Replay the protocol first in order to compute all the
+    // challenges.  In particular, we need IDX before we can do
+    // anything useful.
+
+    // P -> V
+    ts.write(hash_of_llterm.bytes, hash_of_llterm.kLength);
+
+    // V -> P
+    LigeroTranscript<Field>::gen_uldt(&u_ldt[0], p, ts, F);
+
+    // V -> P
+    LigeroTranscript<Field>::gen_alphal(nl, &alphal[0], ts, F);
+    LigeroTranscript<Field>::gen_alphaq(&alphaq[0], p, ts, F);
+
+    // V -> P
+    LigeroTranscript<Field>::gen_uquad(&u_quad[0], p, ts, F);
+
+    // P -> V
+    ts.write(&proof.y_ldt[0], 1, p.block, F);
+    ts.write(&proof.y_dot[0], 1, p.dblock, F);
+    ts.write(&proof.y_quad_0[0], 1, p.r, F);
+    ts.write(&proof.y_quad_2[0], 1, p.dblock - p.block, F);
+
+    // V -> P
+    LigeroTranscript<Field>::gen_idx(&idx[0], p, ts, F);
+
+    if (!merkle_check(p, commitment, proof, &idx[0], F)) {
+      *why = "merkle_check failed";
+      return false;
+    }
+
+    if (!low_degree_check(p, proof, &idx[0], &u_ldt[0], interpolator, F)) {
+      *why = "low_degree_check failed";
+      return false;
+    }
+
+    {
+      // linear check
+      std::vector<Elt> A(p.nwqrow * p.w);
+
+      LigeroCommon<Field>::inner_product_vector(&A[0], p, nl, nllterm, llterm,
+                                                &alphal[0], lqc, &alphaq[0], F);
+
+      if (!dot_check(p, proof, &idx[0], &A[0], interpolator, F)) {
+        *why = "dot_check failed";
+        return false;
+      }
+
+      // check the putative value of the inner product
+      Elt want_dot = Blas<Field>::dot(nl, b, 1, &alphal[0], 1, F);
+      Elt proof_dot = Blas<Field>::dot1(p.w, &proof.y_dot[p.r], 1, F);
+      if (want_dot != proof_dot) {
+        *why = "wrong dot product";
+        return false;
+      }
+    }
+
+    if (!quadratic_check(p, proof, &idx[0], &u_quad[0], interpolator, F)) {
+      *why = "quadratic_check failed";
+      return false;
+    }
+
+    *why = "ok";
+    return true;
+  }
+
+ private:
+  static void interpolate_req_columns(Elt yp[/*nreq*/],
+                                      const LigeroParam<Field>& p, size_t ylen,
+                                      const Elt y[/*ylen*/],
+                                      const size_t idx[/*nreq*/],
+                                      const InterpolatorFactory& interpolator,
+                                      const Field& F) {
+    const auto interpy = interpolator.make(ylen, p.block_enc);
+    std::vector<Elt> yext(p.block_enc);
+    Blas<Field>::copy(ylen, &yext[0], 1, y, 1);
+    interpy->interpolate(&yext[0]);
+    Blas<Field>::gather(p.nreq, &yp[0], &yext[p.dblock], idx);
+  }
+
+  static bool merkle_check(const LigeroParam<Field>& p,
+                           const LigeroCommitment<Field>& commitment,
+                           const LigeroProof<Field>& proof,
+                           const size_t idx[/*nreq*/], const Field& F) {
+    auto updhash = [&](size_t r, SHA256& sha) {
+      LigeroCommon<Field>::column_hash(p.nrow, &proof.req_at(0, r), p.nreq, sha,
+                                       F);
+    };
+
+    return MerkleCommitmentVerifier::verify(p.block_enc - p.dblock,
+                                            commitment.root, proof.merkle, idx,
+                                            p.nreq, updhash);
+  }
+
+  static bool low_degree_check(const LigeroParam<Field>& p,
+                               const LigeroProof<Field>& proof,
+                               const size_t idx[/*nreq*/],
+                               const Elt u_ldt[/*nrow*/],
+                               const InterpolatorFactory& interpolator,
+                               const Field& F) {
+    std::vector<Elt> yc(p.nreq);
+
+    // the ILDT blinding row with coefficient 1
+    Blas<Field>::copy(p.nreq, &yc[0], 1, &proof.req_at(p.ildt, 0), 1);
+
+    // all remaining rows with coefficient u_ldt[]
+    for (size_t i = 0; i < p.nwqrow; ++i) {
+      Blas<Field>::axpy(p.nreq, &yc[0], 1, u_ldt[i], &proof.req_at(i + p.iw, 0),
+                        1, F);
+    }
+
+    std::vector<Elt> yp(p.nreq);
+    interpolate_req_columns(&yp[0], p, p.block, &proof.y_ldt[0], idx,
+                            interpolator, F);
+
+    if (!Blas<Field>::equal(p.nreq, &yp[0], 1, &yc[0], 1, F)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  static bool dot_check(const LigeroParam<Field>& p,
+                        const LigeroProof<Field>& proof,
+                        const size_t idx[/*nreq*/], const Elt A[/*nwqrow, w*/],
+                        const InterpolatorFactory& interpolator,
+                        const Field& F) {
+    std::vector<Elt> yc(p.nreq);
+
+    // the IDOT blinding row with coefficient 1
+    Blas<Field>::copy(p.nreq, &yc[0], 1, &proof.req_at(p.idot, 0), 1);
+
+    {
+      const auto interpA = interpolator.make(p.block, p.block_enc);
+
+      std::vector<Elt> Aext(p.block_enc);
+      std::vector<Elt> Areq(p.nreq);
+
+      for (size_t i = 0; i < p.nwqrow; ++i) {
+        LigeroCommon<Field>::layout_Aext(&Aext[0], p, i, &A[0], F);
+        interpA->interpolate(&Aext[0]);
+        Blas<Field>::gather(p.nreq, &Areq[0], &Aext[p.dblock], idx);
+
+        // Accumulate z += A[j] \otimes W[j].
+        Blas<Field>::vaxpy(p.nreq, &yc[0], 1, &Areq[0], 1,
+                           &proof.req_at(i + p.iw, 0), 1, F);
+      }
+    }
+
+    std::vector<Elt> yp(p.nreq);
+    interpolate_req_columns(&yp[0], p, p.dblock, &proof.y_dot[0], idx,
+                            interpolator, F);
+
+    if (!Blas<Field>::equal(p.nreq, &yp[0], 1, &yc[0], 1, F)) {
+      return false;
+    }
+    return true;
+  }
+
+  static bool quadratic_check(const LigeroParam<Field>& p,
+                              const LigeroProof<Field>& proof,
+                              const size_t idx[/*nreq*/],
+                              const Elt u_quad[/*nqtriples*/],
+                              const InterpolatorFactory& interpolator,
+                              const Field& F) {
+    std::vector<Elt> yc(p.nreq);
+
+    // the IQUAD blinding row with coefficient 1
+    Blas<Field>::copy(p.nreq, &yc[0], 1, &proof.req_at(p.iquad, 0), 1);
+
+    {
+      std::vector<Elt> tmp(p.nreq);
+      size_t iqx = p.iq;
+      size_t iqy = iqx + p.nqtriples;
+      size_t iqz = iqy + p.nqtriples;
+
+      // all quadratic triples with coefficient u_ldt[]
+      for (size_t i = 0; i < p.nqtriples; ++i) {
+        // yc += u_quad[i] * (z[i] - x[i] * y[i])
+
+        // tmp = z[i]
+        Blas<Field>::copy(p.nreq, &tmp[0], 1, &proof.req_at(iqz + i, 0), 1);
+
+        // tmp -= x[i] \otimes y[i]
+        Blas<Field>::vymax(p.nreq, &tmp[0], 1, &proof.req_at(iqx + i, 0), 1,
+                           &proof.req_at(iqy + i, 0), 1, F);
+
+        // yc += u_quad[i] * tmp
+        Blas<Field>::axpy(p.nreq, &yc[0], 1, u_quad[i], &tmp[0], 1, F);
+      }
+    }
+
+    // reconstruct y_quad from the two parts in the proof
+    std::vector<Elt> yquad(p.dblock);
+    Blas<Field>::copy(p.r, &yquad[0], 1, &proof.y_quad_0[0], 1);
+    Blas<Field>::clear(p.w, &yquad[p.r], 1, F);
+    Blas<Field>::copy(p.dblock - p.block, &yquad[p.block], 1,
+                      &proof.y_quad_2[0], 1);
+
+    // interpolate y_quad at the opened columns
+    std::vector<Elt> yp(p.nreq);
+    interpolate_req_columns(&yp[0], p, p.dblock, &yquad[0], idx, interpolator,
+                            F);
+
+    if (!Blas<Field>::equal(p.nreq, &yp[0], 1, &yc[0], 1, F)) {
+      return false;
+    }
+    return true;
+  }
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_LIGERO_LIGERO_VERIFIER_H_

data/vendor/longfellow-zk/lib/merkle/merkle_commitment.h

@@ -0,0 +1,104 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_MERKLE_MERKLE_COMMITMENT_H_
+#define PRIVACY_PROOFS_ZK_LIB_MERKLE_MERKLE_COMMITMENT_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <cstring>
+#include <functional>
+#include <vector>
+
+#include "merkle/merkle_tree.h"
+#include "random/random.h"
+#include "util/crypto.h"
+
+namespace proofs {
+
+struct MerkleNonce {
+  static constexpr size_t kLength = kSHA256DigestSize;
+  uint8_t bytes[kLength];
+};
+
+struct MerkleProof {
+  explicit MerkleProof(size_t nreq) : nonce(nreq), path() {}
+
+  std::vector<MerkleNonce> nonce;  // [nreq]
+  std::vector<Digest> path;        // variable size, but < nreq * mt_pathlen
+};
+
+inline size_t merkle_commitment_len(size_t n) { return merkle_tree_len(n); }
+
+// prover-side
+class MerkleCommitment {
+ public:
+  explicit MerkleCommitment(size_t n) : n_(n), mt_(n), nonce_(n) {}
+
+  Digest commit(const std::function<void(size_t, SHA256 &)> &updhash,
+                RandomEngine &rng) {
+    for (size_t i = 0; i < n_; ++i) {
+      SHA256 sha;
+      rng.bytes(nonce_[i].bytes, MerkleNonce::kLength);
+      sha.Update(nonce_[i].bytes, MerkleNonce::kLength);
+      updhash(i, sha);
+
+      Digest dig;
+      sha.DigestData(dig.data);
+      mt_.set_leaf(i, dig);
+    }
+
+    return mt_.build_tree();
+  }
+
+  void open(MerkleProof &proof, const size_t pos[/*np*/], size_t np) {
+    // fill in the nonces of the opening
+    for (size_t i = 0; i < np; ++i) {
+      proof.nonce[i] = nonce_[pos[i]];
+    }
+
+    (void)mt_.generate_compressed_proof(proof.path, pos, np);
+  }
+
+ private:
+  size_t n_;
+  MerkleTree mt_;
+  std::vector<MerkleNonce> nonce_;
+};
+
+// Declare a class for symmetry, but this class is never instantiated
+class MerkleCommitmentVerifier {
+ public:
+  static bool verify(size_t n, const Digest &root, const MerkleProof &proof,
+                     const size_t pos[/*nreq*/], size_t nreq,
+                     const std::function<void(size_t, SHA256 &)> &updhash) {
+    // Assemble the expected leaf values
+    std::vector<Digest> leaves(nreq);
+    for (size_t r = 0; r < nreq; ++r) {
+      SHA256 sha;
+      sha.Update(proof.nonce[r].bytes, MerkleNonce::kLength);
+      updhash(r, sha);
+      sha.DigestData(leaves[r].data);
+    }
+
+    MerkleTreeVerifier mtv(n, root);
+    return mtv.verify_compressed_proof(proof.path.data(), proof.path.size(),
+                                       &leaves[0], pos, nreq);
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_MERKLE_MERKLE_COMMITMENT_H_

data/vendor/longfellow-zk/lib/merkle/merkle_tree.h

@@ -0,0 +1,216 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_MERKLE_MERKLE_TREE_H_
+#define PRIVACY_PROOFS_ZK_LIB_MERKLE_MERKLE_TREE_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <cstring>
+#include <vector>
+
+#include "util/crypto.h"
+#include "util/panic.h"
+
+namespace proofs {
+
+// This package computes and verifies Merkle Tree inclusion claims.
+// The folklore Merkle tree algorithm has been implemented, with the following
+// constraints:
+//   1. A Merkle tree proof must reveal at least one leaf. We do not define
+//      empty proofs.
+//   2. The list of leaves must be a set, i.e., with no duplicates.  All usage
+//      within this library satisfies this requirement because the FS methods
+//      that produce the challenge set of indices includes no duplicates.
+//   3. The generated proof of inclusion for a set of leaves is compressed.
+//      That is, if a node in the Merkle tree can be deduced, it is not included
+//      in the proof. This makes the proof shorter, but the proof length varies
+//      depending on the included leaves.
+
+// A digest of a Merkle tree.
+struct Digest {
+  static constexpr size_t kLength = kSHA256DigestSize;
+  uint8_t data[kLength];
+
+  bool operator==(const Digest& y) const {
+    return memcmp(data, y.data, kLength) == 0;
+  }
+
+  static Digest hash2(const Digest& L, const Digest& R) {
+    SHA256 sha;
+    sha.Update(L.data, kLength);
+    sha.Update(R.data, kLength);
+    Digest output;
+    sha.DigestData(output.data);
+    return output;
+  }
+};
+
+// Return the length of the proof for N leaves.
+// Mimic the code in generate_proof() without actually
+// computing the proof
+inline size_t merkle_tree_len(size_t n) {
+  size_t r = 1;
+  size_t pos = (n - 1);  // maximum possible value
+  for (pos += n; pos > 1; pos >>= 1) {
+    ++r;
+  }
+  return r;
+}
+
+// compute the set of all nodes on the path from the
+// root to any leaf in POS.
+inline std::vector<bool> compressed_merkle_proof_tree(size_t n,
+                                                      const size_t pos[/*np*/],
+                                                      size_t np) {
+  check(np > 0, "A Merkle proof with 0 leaves is not defined.");
+  std::vector<bool> tree(2 * n, false);
+
+  // leaves are in TREE
+  for (size_t ip = 0; ip < np; ++ip) {
+    check(pos[ip] < n, "Invalid position for leaf in Merkle tree");
+    check(tree[pos[ip] + n] == false,
+          "duplicate position in merkle tree requested");
+    tree[pos[ip] + n] = true;
+  }
+
+  // If a child of an inner node is in TREE, then the parent is in TREE.
+  for (size_t i = n; i-- > 1;) {
+    tree[i] = (tree[2 * i] || tree[2 * i + 1]);
+  }
+
+  // Assert that the root is in TREE.
+  check(tree[1], "tree[1]");
+
+  return tree;
+}
+
+class MerkleTree {
+ public:
+  explicit MerkleTree(size_t n) : n_(n), layers_(2 * n) {}
+
+  void set_leaf(size_t pos, const Digest& leaf) {
+    check(pos < n_, "Invalid position for leaf in Merkle tree");
+    layers_[pos + n_] = leaf;
+  }
+
+  Digest build_tree() {
+    for (size_t i = n_; i-- > 1;) {
+      layers_[i] = Digest::hash2(layers_[2 * i], layers_[2 * i + 1]);
+    }
+    return layers_[1];
+  }
+
+  // Compressed Merkle proofs over a set POS[NP] of leaves.
+  //
+  // We first compute the set TREE of all nodes that are on the path
+  // from the root to any leaf in POS.  Then, for each inner node in
+  // TREE, we include in the proof the child that is not in TREE, if
+  // any.  Note, this method requires pos to contain no duplicates.
+  size_t generate_compressed_proof(std::vector<Digest>& proof,
+                                   const size_t pos[/*np*/], size_t np) {
+    std::vector<bool> tree = compressed_merkle_proof_tree(n_, pos, np);
+
+    // For each TREE node, include in the proof the
+    // child that is not TREE, if any.
+    size_t sz = 0;
+    for (size_t i = n_; i-- > 1;) {
+      if (tree[i]) {
+        size_t child = 2 * i;
+        if (tree[child]) {
+          // try the other child
+          child = 2 * i + 1;
+        }
+        if (!tree[child]) {
+          proof.push_back(layers_[child]);
+          ++sz;
+        }
+      }
+    }
+    return sz;
+  }
+
+  size_t n_;
+  // layers_[n, 2 * n) stores the leaves (nodes at layer 0).
+  // layers_[n/2, n) stores nodes at layer 1.
+  // layers_[n/4, n/2) stores nodes at layer 2, etc.
+  // The root is at layers_[1] where layers_[0] is not used.
+  std::vector<Digest> layers_;
+};
+
+class MerkleTreeVerifier {
+ public:
+  explicit MerkleTreeVerifier(size_t n, const Digest& root)
+      : n_(n), root_(root) {}
+
+  // Verify a compressed Merkle proof.
+  // As mentioned above, this method assumes that pos contains no duplicates.
+  bool verify_compressed_proof(const Digest* proof, size_t proof_len,
+                               const Digest leaves[/*np*/],
+                               const size_t pos[/*np*/], size_t np) const {
+    // Reconstructed layers_, where only the DEFINED subset is
+    // defined.
+    std::vector<Digest> layers(2 * n_, Digest{});
+    std::vector<bool> defined(2 * n_, false);
+
+    /*scope for TREE */ {
+      std::vector<bool> tree = compressed_merkle_proof_tree(n_, pos, np);
+
+      // read the proof
+      size_t sz = 0;
+      for (size_t i = n_; i-- > 1;) {
+        if (tree[i]) {
+          size_t child = 2 * i;
+          if (tree[child]) {
+            // try the other child
+            child = 2 * i + 1;
+          }
+          if (!tree[child]) {
+            if (sz >= proof_len) {
+              return false;
+            }
+            layers[child] = proof[sz++];
+            defined[child] = true;
+          }
+        }
+      }
+    }
+
+    // set LAYERS at all leaves in POS
+    for (size_t ip = 0; ip < np; ++ip) {
+      size_t l = pos[ip] + n_;
+      layers[l] = leaves[ip];
+      defined[l] = true;
+    }
+
+    // Recompute as many inner nodes as we can
+    for (size_t i = n_; i-- > 1;) {
+      if (defined[2 * i] && defined[2 * i + 1]) {
+        layers[i] = Digest::hash2(layers[2 * i], layers[2 * i + 1]);
+        defined[i] = true;
+      }
+    }
+
+    return (defined[1] && (root_ == layers[1]));
+  }
+
+ private:
+  size_t n_;
+  Digest root_;
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_MERKLE_MERKLE_TREE_H_