npm - @sip-protocol/sdk - Versions diffs - 0.2.1 → 0.2.3 - Mend

@sip-protocol/sdk 0.2.1 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/browser.d.mts +2 -1
package/dist/browser.d.ts +2 -1
package/dist/browser.js +6673 -7444
package/dist/browser.mjs +22 -20
package/dist/chunk-DU7LQDD2.mjs +10148 -0
package/dist/chunk-NDGUWOOZ.mjs +10157 -0
package/dist/chunk-UHZKNGIT.mjs +223 -0
package/dist/chunk-VITVG25F.mjs +982 -0
package/dist/index.d.mts +32 -467
package/dist/index.d.ts +32 -467
package/dist/index.js +14 -1764
package/dist/index.mjs +17 -17
package/dist/noir-BHQtFvRk.d.mts +467 -0
package/dist/noir-BHQtFvRk.d.ts +467 -0
package/dist/proofs/noir.d.mts +2 -0
package/dist/proofs/noir.d.ts +2 -0
package/dist/proofs/noir.js +1862 -0
package/dist/proofs/noir.mjs +790 -0
package/package.json +19 -14
package/src/index.ts +5 -3
package/src/proofs/index.ts +7 -2
package/src/proofs/mock.ts +33 -2
package/LICENSE +0 -21

package/dist/index.js CHANGED Viewed

@@ -58,7 +58,6 @@ __export(index_exports, {
   NATIVE_TOKENS: () => import_types33.NATIVE_TOKENS,
   NEARIntentsAdapter: () => NEARIntentsAdapter,
   NetworkError: () => NetworkError,
-  NoirProofProvider: () => NoirProofProvider,
   ORACLE_DOMAIN: () => ORACLE_DOMAIN,
   OneClickClient: () => OneClickClient,
   OneClickDepositMode: () => import_types37.OneClickDepositMode,
@@ -3145,16 +3144,25 @@ var MockProofProvider = class {
   framework = "mock";
   _isReady = false;
   _warningShown = false;
+  _silent;
+  /**
+   * Create a new MockProofProvider
+   *
+   * @param options - Configuration options
+   */
+  constructor(options) {
+    this._silent = options?.silent ?? false;
+  }
   get isReady() {
     return this._isReady;
   }
   /**
    * Initialize the mock provider
    *
-   * Logs a warning to console about mock usage.
+   * Logs a warning to console about mock usage (unless silent mode is enabled).
    */
   async initialize() {
-    if (!this._warningShown) {
+    if (!this._warningShown && !this._silent) {
       console.warn(WARNING_MESSAGE);
       this._warningShown = true;
     }
@@ -3301,1763 +3309,6 @@ var MockProofProvider = class {
   }
 };
-// src/proofs/noir.ts
-var import_noir_js = require("@noir-lang/noir_js");
-var import_bb = require("@aztec/bb.js");
-var import_secp256k13 = require("@noble/curves/secp256k1");
-// src/proofs/circuits/funding_proof.json
-var funding_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "13977419962319221401", abi: { parameters: [{ name: "commitment_hash", type: { kind: "field" }, visibility: "public" }, { name: "minimum_required", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "asset_id", type: { kind: "field" }, visibility: "public" }, { name: "balance", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "blinding", type: { kind: "field" }, visibility: "private" }], return_type: null, error_types: { "2900908756532713827": { error_kind: "string", string: "Insufficient balance" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" }, "17719928407928969950": { error_kind: "string", string: "Commitment hash mismatch" } } }, bytecode: "H4sIAAAAAAAA/+VYbUhTURg+d7vTTdfmnJlK1g360LJolUEUJaUZ/qgooS9Taq5aoCudlhHV6LuglPplBH0gLUuiCCv6osA+LImItCQ0wUyRTJSJWkG7ds58PV53PzT60Qt3z+65z/ue533u8exeGfQnWIxZm+zZ4V4043PGe6gx8kcCNabGYyw+V6HBQcY4jDMzl+c0WC7E3l2ZVO5yrd0YM7t5WcG9HUVLGjxn2nEdDkkKRi3OZfxd5JC0XNiXBmMAYRAz+IEEqgJLTfS3mh+ibiGuy2hkaAhAykxlZPYKNYn1yvqZmJ5XrJaEReMLeOMDMWppknoYAsRMChyam0ZxGa10DWgkDWWRMkN1GINoklxDoQAxQ3VIuqFB0jX0mcbfgAAwxmHULiwwfYjX5ce2B+RZfo6u/FXgPtf2al7hIvuaOKsjZT3kRu1P7y3bb0mbdDWiU/+iZvai19f21Lw0htW5HlTE9JzZCLlSgnA1Ke7tua9OzFmVvuFRdeP8i5Gnjhgz5q2cfHpnfVLRw0YV5HLn3zyO+7Gmp4t1JNZEPevtzkm98TxhL9u6OWrz0conkyFXLOBCC0T9PvGowxhEaRUJJtj7ofceo9DILuRgpGwhGzAaaZLchQwFiC1kA5K+kI1I2Q0bJBDJ60ePlBkagtFEk+QaCgWIGRqCpBtqQv/GUBVSZmgoRjNNkmsoFCBmaCiSbqhZugbfFqIHYxzG/3mrhdyxiR0l3F7X0xMHJ5S40ppvWkIm3v9mjoi8X+u5VOZOXga56tK2uU2Lp0YzRdapz9YVt7SWXI8b437JlS64cfJ4RbcbcuVomN59L+HLccNy867Pq3N7m4qj81bY45uuHCjfctZp6aiqgtwZVcfertv6YPXdw0UzRoUf2ZR6vbz06bvu9CmV+77felJ4EHLFgjyg8evEgNGIMQSjCWMoRjOlXSTUMrhy6jJh3o/R3iOcuiD3LQpypcwpkevTwRvAov79o68QGrjpCL01WT92dk2MXBwDa5LNqa7Ycwe9b/HQ+eTnNdNmdWTtcOTaMrbZs53j8KiWYpNXMg5JCgauFvn5B5Lp1wGZ8yeTh6Hh6Cc5CvJ9D6yJIJ/Wwoce9f8fAFE5/IOdAXw3ghw+kkA9hrq2VGDeYfaURPJZZfmqUDR4flKLf1jle4zA52oBLlxLGsAR8hUJjDECdWhv4H3gMJotqGZ8fXzBtPC5jhX5h+pTy/aFXY79aoxoy1uQ3/PJQfei8qNd70eDXqAf6A/5m1Dm/+5kMifRpUGD/YL1WYofjVEH5oc6OeQ/ais81bdTZmWZqHw+SM98n1H4e6Y9x2Z12vNtGd6NybbVlpOxM8/htNuyncQJLcgiFeWsSJIfrCx/wGsporTAur4JMbICecwQ5yoK/XHpcTimF7hGapLfCqiX9PEbVAIFlc4UAAA=", debug_symbols: "pZbNbsMgDMffhXMO2HwE8irTVKUtmyJFaZUlk6aq7z6TQpYcYBW9QN3k/4sx2PjGzu44fx664ePyxZq3GzuOXd93n4f+cmqn7jLQvzfG/QCaNVgxqB+TYY2gybJGVgzpDXm/VyzKDtPonFdtOES/tqMbJtYMc99X7Lvt5+Wlr2s7LPPUjvSUV8wNZ5oJ+NH1zv+6V39qnpYajkFsUK9yqHd6SOu1lEGvlSjRG4h6Y4r0cfE1T34/t36I/hsJq149HT/gwgYAcKWKCGBWgq5ThDpD0BCDCHrjA9gdwWQI1kYfkGOSYNMECaACQYIyJQQUdSRgrcoI8CoBxROEbCSNjnthbQkBuYpHEgEhRfDhTiGEkjEQQnNe4gRgvTqhRdKJzKmUysZ1SC03tUUXImwKkUsukLG+AdhkemIGgWjW3BDbGrkPBWaKFBpct9So5JYivpxfWcRzCfYPAl5GPJVi2XBaHmsuWrAlCAE83hsCQJQh/pIMbP0qAtN5mjvfyNfLAyXfne93stpTN+5bE6SHFRPLKJdRLaP210/FqFkB2h/zsOzDAupW/CUF4HOAZoIglTkQwZbBVsHWwfatjw29jz/23+3YtcfeeU+8r/Nwio6ROf1c45PYVV3Hy8md59H5RWxaKxrfKKfQvt/9Qn8B", file_map: { "16": { source: "use crate::cmp::Eq;\nuse crate::hash::Hash;\nuse crate::ops::arith::{Add, Neg, Sub};\n\n/// A point on the embedded elliptic curve\n/// By definition, the base field of the embedded curve is the scalar field of the proof system curve, i.e the Noir Field.\n/// x and y denotes the Weierstrass coordinates of the point, if is_infinite is false.\npub struct EmbeddedCurvePoint {\n    pub x: Field,\n    pub y: Field,\n    pub is_infinite: bool,\n}\n\nimpl EmbeddedCurvePoint {\n    /// Elliptic curve point doubling operation\n    /// returns the doubled point of a point P, i.e P+P\n    pub fn double(self) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, self)\n    }\n\n    /// Returns the null element of the curve; 'the point at infinity'\n    pub fn point_at_infinity() -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: 0, y: 0, is_infinite: true }\n    }\n\n    /// Returns the curve's generator point.\n    pub fn generator() -> EmbeddedCurvePoint {\n        // Generator point for the grumpkin curve (y^2 = x^3 - 17)\n        EmbeddedCurvePoint {\n            x: 1,\n            y: 17631683881184975370165255887551781615748388533673675138860, // sqrt(-16)\n            is_infinite: false,\n        }\n    }\n}\n\nimpl Add for EmbeddedCurvePoint {\n    /// Adds two points P+Q, using the curve addition formula, and also handles point at infinity\n    fn add(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, other)\n    }\n}\n\nimpl Sub for EmbeddedCurvePoint {\n    /// Points subtraction operation, using addition and negation\n    fn sub(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        self + other.neg()\n    }\n}\n\nimpl Neg for EmbeddedCurvePoint {\n    /// Negates a point P, i.e returns -P, by negating the y coordinate.\n    /// If the point is at infinity, then the result is also at infinity.\n    fn neg(self) -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: self.x, y: -self.y, is_infinite: self.is_infinite }\n    }\n}\n\nimpl Eq for EmbeddedCurvePoint {\n    /// Checks whether two points are equal\n    fn eq(self: Self, b: EmbeddedCurvePoint) -> bool {\n        (self.is_infinite & b.is_infinite)\n            | ((self.is_infinite == b.is_infinite) & (self.x == b.x) & (self.y == b.y))\n    }\n}\n\nimpl Hash for EmbeddedCurvePoint {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        if self.is_infinite {\n            self.is_infinite.hash(state);\n        } else {\n            self.x.hash(state);\n            self.y.hash(state);\n        }\n    }\n}\n\n/// Scalar for the embedded curve represented as low and high limbs\n/// By definition, the scalar field of the embedded curve is base field of the proving system curve.\n/// It may not fit into a Field element, so it is represented with two Field elements; its low and high limbs.\npub struct EmbeddedCurveScalar {\n    pub lo: Field,\n    pub hi: Field,\n}\n\nimpl EmbeddedCurveScalar {\n    pub fn new(lo: Field, hi: Field) -> Self {\n        EmbeddedCurveScalar { lo, hi }\n    }\n\n    #[field(bn254)]\n    pub fn from_field(scalar: Field) -> EmbeddedCurveScalar {\n        let (a, b) = crate::field::bn254::decompose(scalar);\n        EmbeddedCurveScalar { lo: a, hi: b }\n    }\n\n    //Bytes to scalar: take the first (after the specified offset) 16 bytes of the input as the lo value, and the next 16 bytes as the hi value\n    #[field(bn254)]\n    pub(crate) fn from_bytes(bytes: [u8; 64], offset: u32) -> EmbeddedCurveScalar {\n        let mut v = 1;\n        let mut lo = 0 as Field;\n        let mut hi = 0 as Field;\n        for i in 0..16 {\n            lo = lo + (bytes[offset + 31 - i] as Field) * v;\n            hi = hi + (bytes[offset + 15 - i] as Field) * v;\n            v = v * 256;\n        }\n        let sig_s = crate::embedded_curve_ops::EmbeddedCurveScalar { lo, hi };\n        sig_s\n    }\n}\n\nimpl Eq for EmbeddedCurveScalar {\n    fn eq(self, other: Self) -> bool {\n        (other.hi == self.hi) & (other.lo == self.lo)\n    }\n}\n\nimpl Hash for EmbeddedCurveScalar {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        self.hi.hash(state);\n        self.lo.hash(state);\n    }\n}\n\n// Computes a multi scalar multiplication over the embedded curve.\n// For bn254, We have Grumpkin and Baby JubJub.\n// For bls12-381, we have JubJub and Bandersnatch.\n//\n// The embedded curve being used is decided by the\n// underlying proof system.\n// docs:start:multi_scalar_mul\npub fn multi_scalar_mul<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n) -> EmbeddedCurvePoint\n// docs:end:multi_scalar_mul\n{\n    multi_scalar_mul_array_return(points, scalars, true)[0]\n}\n\n#[foreign(multi_scalar_mul)]\npub(crate) fn multi_scalar_mul_array_return<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n    predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n// docs:start:fixed_base_scalar_mul\npub fn fixed_base_scalar_mul(scalar: EmbeddedCurveScalar) -> EmbeddedCurvePoint\n// docs:end:fixed_base_scalar_mul\n{\n    multi_scalar_mul([EmbeddedCurvePoint::generator()], [scalar])\n}\n\n/// This function only assumes that the points are on the curve\n/// It handles corner cases around the infinity point causing some overhead compared to embedded_curve_add_not_nul and embedded_curve_add_unsafe\n// docs:start:embedded_curve_add\npub fn embedded_curve_add(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    // docs:end:embedded_curve_add\n    if crate::runtime::is_unconstrained() {\n        // `embedded_curve_add_unsafe` requires the inputs not to be the infinity point, so we check it here.\n        // This is because `embedded_curve_add_unsafe` uses the `embedded_curve_add` opcode.\n        // For efficiency, the backend does not check the inputs for the infinity point, but it assumes that they are not the infinity point\n        // so that it can apply the ec addition formula directly.\n        if point1.is_infinite {\n            point2\n        } else if point2.is_infinite {\n            point1\n        } else {\n            embedded_curve_add_unsafe(point1, point2)\n        }\n    } else {\n        // In a constrained context, we also need to check the inputs are not the infinity point because we also use `embedded_curve_add_unsafe`\n        // However we also need to identify the case where the two inputs are the same, because then\n        // the addition formula does not work and we need to use the doubling formula instead.\n        // In unconstrained context, we can check directly if the input values are the same when solving the opcode, so it is not an issue.\n\n        // x_coordinates_match is true if both abscissae are the same\n        let x_coordinates_match = point1.x == point2.x;\n        // y_coordinates_match is true if both ordinates are the same\n        let y_coordinates_match = point1.y == point2.y;\n        // double_predicate is true if both abscissae and ordinates are the same\n        let double_predicate = (x_coordinates_match & y_coordinates_match);\n        // If the abscissae are the same, but not the ordinates, then one point is the opposite of the other\n        let infinity_predicate = (x_coordinates_match & !y_coordinates_match);\n\n        // `embedded_curve_add_unsafe` would not perform doubling, even if the inputs point1 and point2 are the same, because it cannot know this without adding some logic (and some constraints)\n        // However we did this logic when we computed `double_predicate`, so we set the result to 2*point1 if point1 and point2 are the same\n        let mut result = if double_predicate {\n            // `embedded_curve_add_unsafe` is doing a doubling if the input is the same variable, because in this case it is guaranteed (at 'compile time') that the input is the same.\n            embedded_curve_add_unsafe(point1, point1)\n        } else {\n            let point1_1 = EmbeddedCurvePoint {\n                x: point1.x + (x_coordinates_match as Field),\n                y: point1.y,\n                is_infinite: false,\n            };\n            let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n            // point1_1 is guaranteed to have a different abscissa than point2:\n            // - if x_coordinates_match is 0, that means point1.x != point2.x, and point1_1.x = point1.x + 0\n            // - if x_coordinates_match is 1, that means point1.x = point2.x, but point1_1.x = point1.x + 1 in this case\n            // Because the abscissa is different, the addition formula is guaranteed to succeed, so we can safely use `embedded_curve_add_unsafe`\n            // Note that this computation may be garbage: if x_coordinates_match is 1, or if one of the input is the point at infinity.\n            // therefore we only want to do this if we need the result, otherwise it needs to be eliminated as a dead instruction, lest we want the circuit to fail.\n            embedded_curve_add_unsafe(point1_1, point2_1)\n        };\n\n        // Same logic as above for unconstrained context, we set the proper result when one of the inputs is the infinity point\n        if point1.is_infinite {\n            result = point2;\n        }\n        if point2.is_infinite {\n            result = point1;\n        }\n\n        // Finally, we set the is_infinity flag of the result:\n        // Opposite points should sum into the infinity point, however, if one of them is point at infinity, their coordinates are not meaningful\n        // so we should not use the fact that the inputs are opposite in this case:\n        let mut result_is_infinity =\n            infinity_predicate & (!point1.is_infinite & !point2.is_infinite);\n        // However, if both of them are at infinity, then the result is also at infinity\n        result.is_infinite = result_is_infinity | (point1.is_infinite & point2.is_infinite);\n        result\n    }\n}\n\n#[foreign(embedded_curve_add)]\nfn embedded_curve_add_array_return(\n    _point1: EmbeddedCurvePoint,\n    _point2: EmbeddedCurvePoint,\n    _predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n/// This function assumes that:\n/// The points are on the curve, and\n/// The points don't share an x-coordinate, and\n/// Neither point is the infinity point.\n/// If it is used with correct input, the function ensures the correct non-zero result is returned.\n/// Except for points on the curve, the other assumptions are checked by the function. It will cause assertion failure if they are not respected.\npub fn embedded_curve_add_not_nul(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    assert(point1.x != point2.x);\n    assert(!point1.is_infinite);\n    assert(!point2.is_infinite);\n    // Ensure is_infinite is comptime\n    let point1_1 = EmbeddedCurvePoint { x: point1.x, y: point1.y, is_infinite: false };\n    let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n    embedded_curve_add_unsafe(point1_1, point2_1)\n}\n\n/// Unsafe ec addition\n/// If the inputs are the same, it will perform a doubling, but only if point1 and point2 are the same variable.\n/// If they have the same value but are different variables, the result will be incorrect because in this case\n/// it assumes (but does not check) that the points' x-coordinates are not equal.\n/// It also assumes neither point is the infinity point.\npub fn embedded_curve_add_unsafe(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    embedded_curve_add_array_return(point1, point2, true)[0]\n}\n", path: "std/embedded_curve_ops.nr" }, "17": { source: `use crate::field::field_less_than;
-use crate::runtime::is_unconstrained;
-// The low and high decomposition of the field modulus
-global PLO: Field = 53438638232309528389504892708671455233;
-global PHI: Field = 64323764613183177041862057485226039389;
-pub(crate) global TWO_POW_128: Field = 0x100000000000000000000000000000000;
-// Decomposes a single field into two 16 byte fields.
-fn compute_decomposition(x: Field) -> (Field, Field) {
-    // Here's we're taking advantage of truncating 128 bit limbs from the input field
-    // and then subtracting them from the input such the field division is equivalent to integer division.
-    let low = (x as u128) as Field;
-    let high = (x - low) / TWO_POW_128;
-    (low, high)
-}
-pub(crate) unconstrained fn decompose_hint(x: Field) -> (Field, Field) {
-    compute_decomposition(x)
-}
-unconstrained fn lte_hint(x: Field, y: Field) -> bool {
-    if x == y {
-        true
-    } else {
-        field_less_than(x, y)
-    }
-}
-// Assert that (alo > blo && ahi >= bhi) || (alo <= blo && ahi > bhi)
-fn assert_gt_limbs(a: (Field, Field), b: (Field, Field)) {
-    let (alo, ahi) = a;
-    let (blo, bhi) = b;
-    // Safety: borrow is enforced to be boolean due to its type.
-    // if borrow is 0, it asserts that (alo > blo && ahi >= bhi)
-    // if borrow is 1, it asserts that (alo <= blo && ahi > bhi)
-    unsafe {
-        let borrow = lte_hint(alo, blo);
-        let rlo = alo - blo - 1 + (borrow as Field) * TWO_POW_128;
-        let rhi = ahi - bhi - (borrow as Field);
-        rlo.assert_max_bit_size::<128>();
-        rhi.assert_max_bit_size::<128>();
-    }
-}
-/// Decompose a single field into two 16 byte fields.
-pub fn decompose(x: Field) -> (Field, Field) {
-    if is_unconstrained() {
-        compute_decomposition(x)
-    } else {
-        // Safety: decomposition is properly checked below
-        unsafe {
-            // Take hints of the decomposition
-            let (xlo, xhi) = decompose_hint(x);
-            // Range check the limbs
-            xlo.assert_max_bit_size::<128>();
-            xhi.assert_max_bit_size::<128>();
-            // Check that the decomposition is correct
-            assert_eq(x, xlo + TWO_POW_128 * xhi);
-            // Assert that the decomposition of P is greater than the decomposition of x
-            assert_gt_limbs((PLO, PHI), (xlo, xhi));
-            (xlo, xhi)
-        }
-    }
-}
-pub fn assert_gt(a: Field, b: Field) {
-    if is_unconstrained() {
-        assert(
-            // Safety: already unconstrained
-            unsafe { field_less_than(b, a) },
-        );
-    } else {
-        // Decompose a and b
-        let a_limbs = decompose(a);
-        let b_limbs = decompose(b);
-        // Assert that a_limbs is greater than b_limbs
-        assert_gt_limbs(a_limbs, b_limbs)
-    }
-}
-pub fn assert_lt(a: Field, b: Field) {
-    assert_gt(b, a);
-}
-pub fn gt(a: Field, b: Field) -> bool {
-    if is_unconstrained() {
-        // Safety: unsafe in unconstrained
-        unsafe {
-            field_less_than(b, a)
-        }
-    } else if a == b {
-        false
-    } else {
-        // Safety: Take a hint of the comparison and verify it
-        unsafe {
-            if field_less_than(a, b) {
-                assert_gt(b, a);
-                false
-            } else {
-                assert_gt(a, b);
-                true
-            }
-        }
-    }
-}
-pub fn lt(a: Field, b: Field) -> bool {
-    gt(b, a)
-}
-mod tests {
-    // TODO: Allow imports from "super"
-    use crate::field::bn254::{assert_gt, decompose, gt, lt, lte_hint, PHI, PLO, TWO_POW_128};
-    #[test]
-    fn check_decompose() {
-        assert_eq(decompose(TWO_POW_128), (0, 1));
-        assert_eq(decompose(TWO_POW_128 + 0x1234567890), (0x1234567890, 1));
-        assert_eq(decompose(0x1234567890), (0x1234567890, 0));
-    }
-    #[test]
-    unconstrained fn check_lte_hint() {
-        assert(lte_hint(0, 1));
-        assert(lte_hint(0, 0x100));
-        assert(lte_hint(0x100, TWO_POW_128 - 1));
-        assert(!lte_hint(0 - 1, 0));
-        assert(lte_hint(0, 0));
-        assert(lte_hint(0x100, 0x100));
-        assert(lte_hint(0 - 1, 0 - 1));
-    }
-    #[test]
-    fn check_gt() {
-        assert(gt(1, 0));
-        assert(gt(0x100, 0));
-        assert(gt((0 - 1), (0 - 2)));
-        assert(gt(TWO_POW_128, 0));
-        assert(!gt(0, 0));
-        assert(!gt(0, 0x100));
-        assert(gt(0 - 1, 0 - 2));
-        assert(!gt(0 - 2, 0 - 1));
-        assert_gt(0 - 1, 0);
-    }
-    #[test]
-    fn check_plo_phi() {
-        assert_eq(PLO + PHI * TWO_POW_128, 0);
-        let p_bytes = crate::field::modulus_le_bytes();
-        let mut p_low: Field = 0;
-        let mut p_high: Field = 0;
-        let mut offset = 1;
-        for i in 0..16 {
-            p_low += (p_bytes[i] as Field) * offset;
-            p_high += (p_bytes[i + 16] as Field) * offset;
-            offset *= 256;
-        }
-        assert_eq(p_low, PLO);
-        assert_eq(p_high, PHI);
-    }
-    #[test]
-    fn check_decompose_edge_cases() {
-        assert_eq(decompose(0), (0, 0));
-        assert_eq(decompose(TWO_POW_128 - 1), (TWO_POW_128 - 1, 0));
-        assert_eq(decompose(TWO_POW_128 + 1), (1, 1));
-        assert_eq(decompose(TWO_POW_128 * 2), (0, 2));
-        assert_eq(decompose(TWO_POW_128 * 2 + 0x1234567890), (0x1234567890, 2));
-    }
-    #[test]
-    fn check_decompose_large_values() {
-        let large_field = 0xffffffffffffffff;
-        let (lo, hi) = decompose(large_field);
-        assert_eq(large_field, lo + TWO_POW_128 * hi);
-        let large_value = large_field - TWO_POW_128;
-        let (lo2, hi2) = decompose(large_value);
-        assert_eq(large_value, lo2 + TWO_POW_128 * hi2);
-    }
-    #[test]
-    fn check_lt_comprehensive() {
-        assert(lt(0, 1));
-        assert(!lt(1, 0));
-        assert(!lt(0, 0));
-        assert(!lt(42, 42));
-        assert(lt(TWO_POW_128 - 1, TWO_POW_128));
-        assert(!lt(TWO_POW_128, TWO_POW_128 - 1));
-    }
-}
-`, path: "std/field/bn254.nr" }, "19": { source: '// Exposed only for usage in `std::meta`\npub(crate) mod poseidon2;\n\nuse crate::default::Default;\nuse crate::embedded_curve_ops::{\n    EmbeddedCurvePoint, EmbeddedCurveScalar, multi_scalar_mul, multi_scalar_mul_array_return,\n};\nuse crate::meta::derive_via;\n\n#[foreign(sha256_compression)]\n// docs:start:sha256_compression\npub fn sha256_compression(input: [u32; 16], state: [u32; 8]) -> [u32; 8] {}\n// docs:end:sha256_compression\n\n#[foreign(keccakf1600)]\n// docs:start:keccakf1600\npub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {}\n// docs:end:keccakf1600\n\npub mod keccak {\n    #[deprecated("This function has been moved to std::hash::keccakf1600")]\n    pub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {\n        super::keccakf1600(input)\n    }\n}\n\n#[foreign(blake2s)]\n// docs:start:blake2s\npub fn blake2s<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake2s\n{}\n\n// docs:start:blake3\npub fn blake3<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake3\n{\n    if crate::runtime::is_unconstrained() {\n        // Temporary measure while Barretenberg is main proving system.\n        // Please open an issue if you\'re working on another proving system and running into problems due to this.\n        crate::static_assert(\n            N <= 1024,\n            "Barretenberg cannot prove blake3 hashes with inputs larger than 1024 bytes",\n        );\n    }\n    __blake3(input)\n}\n\n#[foreign(blake3)]\nfn __blake3<let N: u32>(input: [u8; N]) -> [u8; 32] {}\n\n// docs:start:pedersen_commitment\npub fn pedersen_commitment<let N: u32>(input: [Field; N]) -> EmbeddedCurvePoint {\n    // docs:end:pedersen_commitment\n    pedersen_commitment_with_separator(input, 0)\n}\n\n#[inline_always]\npub fn pedersen_commitment_with_separator<let N: u32>(\n    input: [Field; N],\n    separator: u32,\n) -> EmbeddedCurvePoint {\n    let mut points = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N];\n    for i in 0..N {\n        // we use the unsafe version because the multi_scalar_mul will constrain the scalars.\n        points[i] = from_field_unsafe(input[i]);\n    }\n    let generators = derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n    multi_scalar_mul(generators, points)\n}\n\n// docs:start:pedersen_hash\npub fn pedersen_hash<let N: u32>(input: [Field; N]) -> Field\n// docs:end:pedersen_hash\n{\n    pedersen_hash_with_separator(input, 0)\n}\n\n#[no_predicates]\npub fn pedersen_hash_with_separator<let N: u32>(input: [Field; N], separator: u32) -> Field {\n    let mut scalars: [EmbeddedCurveScalar; N + 1] = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N + 1];\n    let mut generators: [EmbeddedCurvePoint; N + 1] =\n        [EmbeddedCurvePoint::point_at_infinity(); N + 1];\n    let domain_generators: [EmbeddedCurvePoint; N] =\n        derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n\n    for i in 0..N {\n        scalars[i] = from_field_unsafe(input[i]);\n        generators[i] = domain_generators[i];\n    }\n    scalars[N] = EmbeddedCurveScalar { lo: N as Field, hi: 0 as Field };\n\n    let length_generator: [EmbeddedCurvePoint; 1] =\n        derive_generators("pedersen_hash_length".as_bytes(), 0);\n    generators[N] = length_generator[0];\n    multi_scalar_mul_array_return(generators, scalars, true)[0].x\n}\n\n#[field(bn254)]\n#[inline_always]\npub fn derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {\n    crate::assert_constant(domain_separator_bytes);\n    // TODO(https://github.com/noir-lang/noir/issues/5672): Add back assert_constant on starting_index\n    __derive_generators(domain_separator_bytes, starting_index)\n}\n\n#[builtin(derive_pedersen_generators)]\n#[field(bn254)]\nfn __derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {}\n\n#[field(bn254)]\n// Same as from_field but:\n// does not assert the limbs are 128 bits\n// does not assert the decomposition does not overflow the EmbeddedCurveScalar\nfn from_field_unsafe(scalar: Field) -> EmbeddedCurveScalar {\n    // Safety: xlo and xhi decomposition is checked below\n    let (xlo, xhi) = unsafe { crate::field::bn254::decompose_hint(scalar) };\n    // Check that the decomposition is correct\n    assert_eq(scalar, xlo + crate::field::bn254::TWO_POW_128 * xhi);\n    EmbeddedCurveScalar { lo: xlo, hi: xhi }\n}\n\npub fn poseidon2_permutation<let N: u32>(input: [Field; N], state_len: u32) -> [Field; N] {\n    assert_eq(input.len(), state_len);\n    poseidon2_permutation_internal(input)\n}\n\n#[foreign(poseidon2_permutation)]\nfn poseidon2_permutation_internal<let N: u32>(input: [Field; N]) -> [Field; N] {}\n\n// Generic hashing support.\n// Partially ported and impacted by rust.\n\n// Hash trait shall be implemented per type.\n#[derive_via(derive_hash)]\npub trait Hash {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher;\n}\n\n// docs:start:derive_hash\ncomptime fn derive_hash(s: TypeDefinition) -> Quoted {\n    let name = quote { $crate::hash::Hash };\n    let signature = quote { fn hash<H>(_self: Self, _state: &mut H) where H: $crate::hash::Hasher };\n    let for_each_field = |name| quote { _self.$name.hash(_state); };\n    crate::meta::make_trait_impl(\n        s,\n        name,\n        signature,\n        for_each_field,\n        quote {},\n        |fields| fields,\n    )\n}\n// docs:end:derive_hash\n\n// Hasher trait shall be implemented by algorithms to provide hash-agnostic means.\n// TODO: consider making the types generic here ([u8], [Field], etc.)\npub trait Hasher {\n    fn finish(self) -> Field;\n\n    fn write(&mut self, input: Field);\n}\n\n// BuildHasher is a factory trait, responsible for production of specific Hasher.\npub trait BuildHasher {\n    type H: Hasher;\n\n    fn build_hasher(self) -> H;\n}\n\npub struct BuildHasherDefault<H>;\n\nimpl<H> BuildHasher for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    type H = H;\n\n    fn build_hasher(_self: Self) -> H {\n        H::default()\n    }\n}\n\nimpl<H> Default for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    fn default() -> Self {\n        BuildHasherDefault {}\n    }\n}\n\nimpl Hash for Field {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self);\n    }\n}\n\nimpl Hash for u1 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u128 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for i8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u8 as Field);\n    }\n}\n\nimpl Hash for i16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u16 as Field);\n    }\n}\n\nimpl Hash for i32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u32 as Field);\n    }\n}\n\nimpl Hash for i64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u64 as Field);\n    }\n}\n\nimpl Hash for bool {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for () {\n    fn hash<H>(_self: Self, _state: &mut H)\n    where\n        H: Hasher,\n    {}\n}\n\nimpl<T, let N: u32> Hash for [T; N]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<T> Hash for [T]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.len().hash(state);\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<A, B> Hash for (A, B)\nwhere\n    A: Hash,\n    B: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n    }\n}\n\nimpl<A, B, C> Hash for (A, B, C)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n    }\n}\n\nimpl<A, B, C, D> Hash for (A, B, C, D)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n    }\n}\n\nimpl<A, B, C, D, E> Hash for (A, B, C, D, E)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n    E: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n        self.4.hash(state);\n    }\n}\n\n// Some test vectors for Pedersen hash and Pedersen Commitment.\n// They have been generated using the same functions so the tests are for now useless\n// but they will be useful when we switch to Noir implementation.\n#[test]\nfn assert_pedersen() {\n    assert_eq(\n        pedersen_hash_with_separator([1], 1),\n        0x1b3f4b1a83092a13d8d1a59f7acb62aba15e7002f4440f2275edb99ebbc2305f,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1], 1),\n        EmbeddedCurvePoint {\n            x: 0x054aa86a73cb8a34525e5bbed6e43ba1198e860f5f3950268f71df4591bde402,\n            y: 0x209dcfbf2cfb57f9f6046f44d71ac6faf87254afc7407c04eb621a6287cac126,\n            is_infinite: false,\n        },\n    );\n\n    assert_eq(\n        pedersen_hash_with_separator([1, 2], 2),\n        0x26691c129448e9ace0c66d11f0a16d9014a9e8498ee78f4d69f0083168188255,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2], 2),\n        EmbeddedCurvePoint {\n            x: 0x2e2b3b191e49541fe468ec6877721d445dcaffe41728df0a0eafeb15e87b0753,\n            y: 0x2ff4482400ad3a6228be17a2af33e2bcdf41be04795f9782bd96efe7e24f8778,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3], 3),\n        0x0bc694b7a1f8d10d2d8987d07433f26bd616a2d351bc79a3c540d85b6206dbe4,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3], 3),\n        EmbeddedCurvePoint {\n            x: 0x1fee4e8cf8d2f527caa2684236b07c4b1bad7342c01b0f75e9a877a71827dc85,\n            y: 0x2f9fedb9a090697ab69bf04c8bc15f7385b3e4b68c849c1536e5ae15ff138fd1,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4], 4),\n        0xdae10fb32a8408521803905981a2b300d6a35e40e798743e9322b223a5eddc,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4], 4),\n        EmbeddedCurvePoint {\n            x: 0x07ae3e202811e1fca39c2d81eabe6f79183978e6f12be0d3b8eda095b79bdbc9,\n            y: 0x0afc6f892593db6fbba60f2da558517e279e0ae04f95758587760ba193145014,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5], 5),\n        0xfc375b062c4f4f0150f7100dfb8d9b72a6d28582dd9512390b0497cdad9c22,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5], 5),\n        EmbeddedCurvePoint {\n            x: 0x1754b12bd475a6984a1094b5109eeca9838f4f81ac89c5f0a41dbce53189bb29,\n            y: 0x2da030e3cfcdc7ddad80eaf2599df6692cae0717d4e9f7bfbee8d073d5d278f7,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6], 6),\n        0x1696ed13dc2730062a98ac9d8f9de0661bb98829c7582f699d0273b18c86a572,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6], 6),\n        EmbeddedCurvePoint {\n            x: 0x190f6c0e97ad83e1e28da22a98aae156da083c5a4100e929b77e750d3106a697,\n            y: 0x1f4b60f34ef91221a0b49756fa0705da93311a61af73d37a0c458877706616fb,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        0x128c0ff144fc66b6cb60eeac8a38e23da52992fc427b92397a7dffd71c45ede3,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        EmbeddedCurvePoint {\n            x: 0x015441e9d29491b06563fac16fc76abf7a9534c715421d0de85d20dbe2965939,\n            y: 0x1d2575b0276f4e9087e6e07c2cb75aa1baafad127af4be5918ef8a2ef2fea8fc,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        0x2f960e117482044dfc99d12fece2ef6862fba9242be4846c7c9a3e854325a55c,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        EmbeddedCurvePoint {\n            x: 0x1657737676968887fceb6dd516382ea13b3a2c557f509811cd86d5d1199bc443,\n            y: 0x1f39f0cb569040105fa1e2f156521e8b8e08261e635a2b210bdc94e8d6d65f77,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        0x0c96db0790602dcb166cc4699e2d306c479a76926b81c2cb2aaa92d249ec7be7,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        EmbeddedCurvePoint {\n            x: 0x0a3ceae42d14914a432aa60ec7fded4af7dad7dd4acdbf2908452675ec67e06d,\n            y: 0xfc19761eaaf621ad4aec9a8b2e84a4eceffdba78f60f8b9391b0bd9345a2f2,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        0x2cd37505871bc460a62ea1e63c7fe51149df5d0801302cf1cbc48beb8dff7e94,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        EmbeddedCurvePoint {\n            x: 0x2fb3f8b3d41ddde007c8c3c62550f9a9380ee546fcc639ffbb3fd30c8d8de30c,\n            y: 0x300783be23c446b11a4c0fabf6c91af148937cea15fcf5fb054abf7f752ee245,\n            is_infinite: false,\n        },\n    );\n}\n', path: "std/hash/mod.nr" }, "50": { source: `/// Funding Proof Circuit
-///
-/// Proves: "I have sufficient funds to fulfill this intent, without revealing
-/// my exact balance, wallet address, or source of funds."
-///
-/// @see docs/specs/FUNDING-PROOF.md
-use std::hash::pedersen_hash;
-use std::hash::pedersen_commitment;
-// --- Main Circuit ---
-/// Main funding proof entry point
-///
-/// Public inputs: commitment_hash, minimum_required, asset_id
-/// Private inputs: balance, blinding
-///
-/// Constraints:
-/// 1. balance >= minimum_required (range proof via u64)
-/// 2. commitment = Pedersen(balance, blinding)
-/// 3. hash(commitment, asset_id) == commitment_hash
-pub fn main(
-    commitment_hash: pub Field,
-    minimum_required: pub u64,
-    asset_id: pub Field,
-    balance: u64,
-    blinding: Field,
-) {
-    // Constraint 1: Sufficient Funds
-    assert(balance >= minimum_required, "Insufficient balance");
-    // Constraint 2: Compute Pedersen Commitment
-    // Uses Noir's built-in pedersen_commitment which returns (x, y) point
-    let commitment = pedersen_commitment([balance as Field, blinding]);
-    // Constraint 3: Verify Commitment Hash
-    let computed_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-    assert(computed_hash == commitment_hash, "Commitment hash mismatch");
-}
-// --- Tests ---
-#[test]
-fn test_valid_funding_proof() {
-    let balance: u64 = 100;
-    let minimum_required: u64 = 50;
-    let blinding: Field = 12345;
-    let asset_id: Field = 0xABCD;
-    // Compute commitment using same method as circuit
-    let commitment = pedersen_commitment([balance as Field, blinding]);
-    let commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-    // This should pass
-    main(commitment_hash, minimum_required, asset_id, balance, blinding);
-}
-#[test(should_fail_with = "Insufficient balance")]
-fn test_insufficient_balance() {
-    let balance: u64 = 50;
-    let minimum_required: u64 = 100;
-    let blinding: Field = 12345;
-    let asset_id: Field = 0xABCD;
-    let commitment = pedersen_commitment([balance as Field, blinding]);
-    let commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-    // This should fail - balance < minimum
-    main(commitment_hash, minimum_required, asset_id, balance, blinding);
-}
-#[test(should_fail_with = "Commitment hash mismatch")]
-fn test_wrong_commitment_hash() {
-    let balance: u64 = 100;
-    let minimum_required: u64 = 50;
-    let blinding: Field = 12345;
-    let asset_id: Field = 0xABCD;
-    let wrong_hash: Field = 0xDEADBEEF;
-    // This should fail - wrong hash
-    main(wrong_hash, minimum_required, asset_id, balance, blinding);
-}
-#[test(should_fail_with = "Commitment hash mismatch")]
-fn test_wrong_blinding() {
-    let balance: u64 = 100;
-    let minimum_required: u64 = 50;
-    let correct_blinding: Field = 12345;
-    let wrong_blinding: Field = 54321;
-    let asset_id: Field = 0xABCD;
-    // Compute hash with correct blinding
-    let commitment = pedersen_commitment([balance as Field, correct_blinding]);
-    let commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id]);
-    // Try to prove with wrong blinding - should fail
-    main(commitment_hash, minimum_required, asset_id, balance, wrong_blinding);
-}
-`, path: "/Users/rz/local-dev/sip-protocol/packages/circuits/funding_proof/src/main.nr" } }, expression_width: { Bounded: { width: 4 } } };
-// src/proofs/circuits/validity_proof.json
-var validity_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "17105369051450454041", abi: { parameters: [{ name: "intent_hash", type: { kind: "field" }, visibility: "public" }, { name: "sender_commitment_x", type: { kind: "field" }, visibility: "public" }, { name: "sender_commitment_y", type: { kind: "field" }, visibility: "public" }, { name: "nullifier", type: { kind: "field" }, visibility: "public" }, { name: "timestamp", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "expiry", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "sender_address", type: { kind: "field" }, visibility: "private" }, { name: "sender_blinding", type: { kind: "field" }, visibility: "private" }, { name: "sender_secret", type: { kind: "field" }, visibility: "private" }, { name: "pub_key_x", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "pub_key_y", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "signature", type: { kind: "array", length: 64, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "message_hash", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "nonce", type: { kind: "field" }, visibility: "private" }], return_type: null, error_types: { "4743545721632785176": { error_kind: "string", string: "Nullifier mismatch" }, "4924752953922582949": { error_kind: "string", string: "Invalid ECDSA signature" }, "5940733937471987676": { error_kind: "string", string: "Intent expired" }, "9872184990886929843": { error_kind: "string", string: "Sender commitment X mismatch" }, "14620555433709191364": { error_kind: "string", string: "Sender commitment Y mismatch" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" } } }, bytecode: "H4sIAAAAAAAA/+WZaXBV5QGGz81CAwTCTogsF2XfJEBQBCFAQjAqIETZQgIkAYJmXyCIkMgaUEgENxBli8SQlEpCCAK1MsVWLNPptCMdxyl1xlI7Tqm1QwdoO9O85D345fAm997AjD88M+FJnvOdc77zeXPufaLLatgCyLQlqeln61nHn131X/4kxkQ6XKBwreu/ghyujXBthQsWrp1w7YULEa6DcB2F6yRcZ+G6CNdVuG7CdRcuVLgewoUJd59wPYXrJVxv4foI5xaur3D3C/eAcP2E6y/cAOEGCjdIuMHCDRFuqHDDhBsu3AjhHhRupHDhwo0SbrRwY4SLEG6scA8J97Bw44R7RLjxwk0Q7lHhJgo3SbhI4SYLN0W4qcJFCRct3DThYoSbLtxjwsUK97hwTwj3pHAzhJsp3CzhnhJutnBzhIsT7mnhnhFurnDzhJsv3ALhFgoXL9wi4RKESxRusXBLhFsqXJJwycKlCLdMuOXCrRAuVbiVwj0r3HPCpQmXLlyGcJnCZQmXLVyOcLnC5QmXL9wq4VYLVyDcGuGeF26tcC8It0649cIVClck3IvCbRBuo3CbhNss3BbhtgpXLNw24bYL95JwLwu3Q7idwpUIVyrcK8LtEm63cK8K95pwrwv3hnBvCrdHuL3CvSXcPuHeFu4d4fYLd0C4g8IdEu6wcGXCvSvcEeHK6ex+cVl3brZzW15trlbej7X8jO8ryKPOQf53MYGRyTOyvwzfP7huVnRtUdG8RYNGfz294FRm6dQvr+36lhdtYmy8Y6zrqPdzuKcL+hOrZQtaSVY5B/m6oOYEPC1opeX9glZ5P4dbi4ZXaivDucmgiQUd/xjROn/wt63ywv/b9cL/Csr3Xv10XMmk1LnDkjJiF5hjw9Yn3KxaHx7f/73QfwX/+tLoSb85uubSJyFd/lR05vygG7sWmWO92eyxgbHlK3M+3TZmdsLCn3/21fgDPXZsDkkcN2vAzqzL0aVnv/Izx7r3/fbDYf+Ze+PfARlRl8I+vnk9O+7YryLXBnyzNGzplgsfDTDHetrMF1oFeZSsJKscc/WwuX5a/8+x+q+fOXb4Oc7j6bXgsny7ppdj72pOfpb3czpmtWxOLh/n9L7l/Zxw7la8RmuyDdmWDCbbke3JELID2ZHsRHYmu5BdyW5kdzKU7EGGkfeRPcleZG+yj/X9awLsS95PPkD2I/uTA8iB5CByMDmEHEoOI4eTI8gHyZFkODmKHE2OISPIseRD5MPkOPIRcjw5gXyUnEhOIiPJyeQUcioZRUaT08gYcjr5GBlLPk4+QT5JziBnkrPIp8jZ5BwyjnyafIacS84j55MLyIVkPLmITCATycXkEnIpmUQmkynkMnI5uYJMJVeSz5LPkWlkOplBZpJZZDaZQ+aSeWQ+uYpcTRaQa8jnybXkC+Q6cj1ZSBaRL5IbyI3kJnIzuYXcShaT28jt5Evky+QOcidZQpaSr5C7yN3kq+Rr5OvkG+Sb5B5yL/kWuY98m3yH3E8eIA+Sh8jDZBn5LnmELCfx3DxuNd5cpNvyanMdN8Z6ek7fyw91Qd6PbfShrpqscQ7y9UOdOQFPN17d9Ng7PtTVeD+He7qgPoxttKAnyFrnIF8X1BzraUFPWN4vaK31wyzoe1bLFvQkWecc5OuCmhPwtKAnLe8XtM77OdxaNPymBBvOTf6Ys8Mc2zPquzL32qJz2zb0LSuK//r98A79Tv+9c2iP059fO1hVHjPdHOtfcXXslSlDerlKk4Z8PH/P374pqxzWvfwTd8WEY9uLz18vN8f6Mofh109F/qW4/YzOq/48J+fmlT298mamRlw5Uli7bHdu+HcXL5pjR1zc+rv5y8/MqdtUOqJdt81L4iprK879/nrCwAvr/nH8o5IN5lhPWxCJ10k1WUOeIGvJk2SdY+4eNn8fxvpyXtep+n8+qP867djha1L5W75d08uxtx5mLqvxw6WpOXq6boDl/f0Eej6vq7mdbsu7Y837OkOetUfYf6GDiHScIcC7C92+YEtvvomxJfaD9IwP5z1rtWxRne9anq5jzsnTdphET+NvXPhlRlOjp9HSeOijodHPaGd0M5oZvYxWRiejkdHHaGN0MZoYPYwWRgejgdG/fTivvlZD76J10bloXDx50bboWjQtehYti45Fw6Jf0a7oVjQrehWtik5Fo6JP0aboUjQpehQtig5Fg6I/0Z6RVkNzojfRmuhMNCb6Em2JJzWaEj2JlkRHoiHRj2hHdCOaEb2IVkQnohHRh2hDdCGaEO98aEF0IN7Z0H9ov8VWQ/Oh99B66Dw0HvoObYeuQ9Oh59By6Dg0HPoN7YZuQ7Oh19Bq6DQ0GvoMbYYuQ5Ohx9Bi6DA0GPoL7VVoNTQXegtPeXQWGgt9hbZCV6Gp0FNoKXQUGgr9hHZCN6GZ0EtoJXQSGgl9hDZCF6GJ0ENoIXQQGgj9g/bZbzU0D3oHrYPXHxoHfYO2wbsfPvSYf+O0H4B4HuD3ONDYZ35/hKzuf+74P9u6io1dt86L7Ze/6BdRU3blgrnP/mt7WUHPHnUT5kWZ++zWCPX/sLQ67w+TzX32p7wv+rgz23yQNdv29kOtPZmckpSRlpmRk5K4IjU9tzdtkGO0/cRzW15tLvNt1/fjC2OCnCf06Xgrxv7/KHczf/uYFhx/+xUSZRzvnAs2+y+B5qPVPgZPvPbG9yHGMdiijfO5HPumieve5T1F28cHtOx4v07Wnde3z4UnOu4xlD/7i7HmaynQGKPW1RLOJc7jXBvzv4Ob7BxuXepzOaJgaLexGTPzN16Oq1rX5dDgv4aEXs2bkH/jiwznvfg1M/fgZuYQLO7HXB/7d6Jl6786xr6mPa9A6871Ms8f4Bjfi2xtXN+cp9tqfvv8/LXPamJHpXV0HI/NvmfcZxi/T07NTknKTc1PSax/MKUsT8lOzMrLyE1NSc+1VyLIOMo+oy+vSPv4ti07vtH7gOWYi3ne2xckA8RxriZ+9nOwubFOb7pgsc8+ZyfSnK99H/8HYaTeT0IrAAA=", debug_symbols: "pZbNjuIwDIDfJeceYsf541VGI1SgM6pUFdSBlVaId9+YxaU9JMuGS+O69dfYsV1f1aHbXb63/fh1/FGbj6vaTf0w9N/b4bhvz/1xTNqr0nwBpzbYKPB/l6A2Ji1RbahRmN6g261RYrY9T13HVgtOop/aqRvPajNehqFRv9rhcn/p59SO9/XcTumpblQ3HtKagF/90LF0a57WOm8aND6MA7rZHPzKHvL2juhh76ypsQ8g9iFU2YvzXme/X/AfCCQAQO4ZAbuOoC0QHIgL4Kx97iGuCK5AiDE8CKgxS/B5AgHYB4HAhhoCGi8E9LaOAO8S0LxAKEYyODmLGGsIqK0kNAJCjgAmjzCWJBDGaV2zCUA/b8KZ7CYKWUk2ih/kaFHZrhIRc4hicfkox2GBcsVVIlinZ8LiQP+D4IOUBgQKOQKWENpJXgKYRSDo5U0EN/eI4HWFGykvYU4JDVk3CnmJGOY2Y5bNfp1VSAVEwLk6gs1WB9q3W1UR8Vqv+gcC3ka81K2K4Yxa6gMjxBqEAS0FYlJy1iGe/QqifxeB+ZZXym+AZ9+lmkJHREksRDIrwme6a/f9tJ7SwGEae9JM5gxXNgv0UFhROO53LHguXRYCu8VC5K3yfKdFAP40C4mLbOUNnywLJBorGicaLxqeEO/miWyIR0bNfxMWQAQUwbBw43BMfbsbOvaIfb6Me3Ew3Z5/n+SJDKqn6bjvDpep42AsptV0/UhnjPHzxgH7Aw==", file_map: { "14": { source: "// docs:start:ecdsa_secp256k1\n/// Verifies a ECDSA signature over the secp256k1 curve.\n/// - inputs:\n///     - x coordinate of public key as 32 bytes\n///     - y coordinate of public key as 32 bytes\n///     - the signature, as a 64 bytes array\n///       The signature internally will be represented as `(r, s)`,\n///       where `r` and `s` are fixed-sized big endian scalar values.\n///       As the `secp256k1` has a 256-bit modulus, we have a 64 byte signature\n///       while `r` and `s` will both be 32 bytes.\n///       We expect `s` to be normalized. This means given the curve's order,\n///       `s` should be less than or equal to `order / 2`.\n///       This is done to prevent malleability.\n///       For more context regarding malleability you can reference BIP 0062.\n///     - the hash of the message, as a vector of bytes\n/// - output: false for failure and true for success\npub fn verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n) -> bool\n// docs:end:ecdsa_secp256k1\n{\n    _verify_signature(public_key_x, public_key_y, signature, message_hash, true)\n}\n\n#[foreign(ecdsa_secp256k1)]\npub fn _verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n    predicate: bool,\n) -> bool {}\n", path: "std/ecdsa_secp256k1.nr" }, "16": { source: "use crate::cmp::Eq;\nuse crate::hash::Hash;\nuse crate::ops::arith::{Add, Neg, Sub};\n\n/// A point on the embedded elliptic curve\n/// By definition, the base field of the embedded curve is the scalar field of the proof system curve, i.e the Noir Field.\n/// x and y denotes the Weierstrass coordinates of the point, if is_infinite is false.\npub struct EmbeddedCurvePoint {\n    pub x: Field,\n    pub y: Field,\n    pub is_infinite: bool,\n}\n\nimpl EmbeddedCurvePoint {\n    /// Elliptic curve point doubling operation\n    /// returns the doubled point of a point P, i.e P+P\n    pub fn double(self) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, self)\n    }\n\n    /// Returns the null element of the curve; 'the point at infinity'\n    pub fn point_at_infinity() -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: 0, y: 0, is_infinite: true }\n    }\n\n    /// Returns the curve's generator point.\n    pub fn generator() -> EmbeddedCurvePoint {\n        // Generator point for the grumpkin curve (y^2 = x^3 - 17)\n        EmbeddedCurvePoint {\n            x: 1,\n            y: 17631683881184975370165255887551781615748388533673675138860, // sqrt(-16)\n            is_infinite: false,\n        }\n    }\n}\n\nimpl Add for EmbeddedCurvePoint {\n    /// Adds two points P+Q, using the curve addition formula, and also handles point at infinity\n    fn add(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, other)\n    }\n}\n\nimpl Sub for EmbeddedCurvePoint {\n    /// Points subtraction operation, using addition and negation\n    fn sub(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        self + other.neg()\n    }\n}\n\nimpl Neg for EmbeddedCurvePoint {\n    /// Negates a point P, i.e returns -P, by negating the y coordinate.\n    /// If the point is at infinity, then the result is also at infinity.\n    fn neg(self) -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: self.x, y: -self.y, is_infinite: self.is_infinite }\n    }\n}\n\nimpl Eq for EmbeddedCurvePoint {\n    /// Checks whether two points are equal\n    fn eq(self: Self, b: EmbeddedCurvePoint) -> bool {\n        (self.is_infinite & b.is_infinite)\n            | ((self.is_infinite == b.is_infinite) & (self.x == b.x) & (self.y == b.y))\n    }\n}\n\nimpl Hash for EmbeddedCurvePoint {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        if self.is_infinite {\n            self.is_infinite.hash(state);\n        } else {\n            self.x.hash(state);\n            self.y.hash(state);\n        }\n    }\n}\n\n/// Scalar for the embedded curve represented as low and high limbs\n/// By definition, the scalar field of the embedded curve is base field of the proving system curve.\n/// It may not fit into a Field element, so it is represented with two Field elements; its low and high limbs.\npub struct EmbeddedCurveScalar {\n    pub lo: Field,\n    pub hi: Field,\n}\n\nimpl EmbeddedCurveScalar {\n    pub fn new(lo: Field, hi: Field) -> Self {\n        EmbeddedCurveScalar { lo, hi }\n    }\n\n    #[field(bn254)]\n    pub fn from_field(scalar: Field) -> EmbeddedCurveScalar {\n        let (a, b) = crate::field::bn254::decompose(scalar);\n        EmbeddedCurveScalar { lo: a, hi: b }\n    }\n\n    //Bytes to scalar: take the first (after the specified offset) 16 bytes of the input as the lo value, and the next 16 bytes as the hi value\n    #[field(bn254)]\n    pub(crate) fn from_bytes(bytes: [u8; 64], offset: u32) -> EmbeddedCurveScalar {\n        let mut v = 1;\n        let mut lo = 0 as Field;\n        let mut hi = 0 as Field;\n        for i in 0..16 {\n            lo = lo + (bytes[offset + 31 - i] as Field) * v;\n            hi = hi + (bytes[offset + 15 - i] as Field) * v;\n            v = v * 256;\n        }\n        let sig_s = crate::embedded_curve_ops::EmbeddedCurveScalar { lo, hi };\n        sig_s\n    }\n}\n\nimpl Eq for EmbeddedCurveScalar {\n    fn eq(self, other: Self) -> bool {\n        (other.hi == self.hi) & (other.lo == self.lo)\n    }\n}\n\nimpl Hash for EmbeddedCurveScalar {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        self.hi.hash(state);\n        self.lo.hash(state);\n    }\n}\n\n// Computes a multi scalar multiplication over the embedded curve.\n// For bn254, We have Grumpkin and Baby JubJub.\n// For bls12-381, we have JubJub and Bandersnatch.\n//\n// The embedded curve being used is decided by the\n// underlying proof system.\n// docs:start:multi_scalar_mul\npub fn multi_scalar_mul<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n) -> EmbeddedCurvePoint\n// docs:end:multi_scalar_mul\n{\n    multi_scalar_mul_array_return(points, scalars, true)[0]\n}\n\n#[foreign(multi_scalar_mul)]\npub(crate) fn multi_scalar_mul_array_return<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n    predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n// docs:start:fixed_base_scalar_mul\npub fn fixed_base_scalar_mul(scalar: EmbeddedCurveScalar) -> EmbeddedCurvePoint\n// docs:end:fixed_base_scalar_mul\n{\n    multi_scalar_mul([EmbeddedCurvePoint::generator()], [scalar])\n}\n\n/// This function only assumes that the points are on the curve\n/// It handles corner cases around the infinity point causing some overhead compared to embedded_curve_add_not_nul and embedded_curve_add_unsafe\n// docs:start:embedded_curve_add\npub fn embedded_curve_add(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    // docs:end:embedded_curve_add\n    if crate::runtime::is_unconstrained() {\n        // `embedded_curve_add_unsafe` requires the inputs not to be the infinity point, so we check it here.\n        // This is because `embedded_curve_add_unsafe` uses the `embedded_curve_add` opcode.\n        // For efficiency, the backend does not check the inputs for the infinity point, but it assumes that they are not the infinity point\n        // so that it can apply the ec addition formula directly.\n        if point1.is_infinite {\n            point2\n        } else if point2.is_infinite {\n            point1\n        } else {\n            embedded_curve_add_unsafe(point1, point2)\n        }\n    } else {\n        // In a constrained context, we also need to check the inputs are not the infinity point because we also use `embedded_curve_add_unsafe`\n        // However we also need to identify the case where the two inputs are the same, because then\n        // the addition formula does not work and we need to use the doubling formula instead.\n        // In unconstrained context, we can check directly if the input values are the same when solving the opcode, so it is not an issue.\n\n        // x_coordinates_match is true if both abscissae are the same\n        let x_coordinates_match = point1.x == point2.x;\n        // y_coordinates_match is true if both ordinates are the same\n        let y_coordinates_match = point1.y == point2.y;\n        // double_predicate is true if both abscissae and ordinates are the same\n        let double_predicate = (x_coordinates_match & y_coordinates_match);\n        // If the abscissae are the same, but not the ordinates, then one point is the opposite of the other\n        let infinity_predicate = (x_coordinates_match & !y_coordinates_match);\n\n        // `embedded_curve_add_unsafe` would not perform doubling, even if the inputs point1 and point2 are the same, because it cannot know this without adding some logic (and some constraints)\n        // However we did this logic when we computed `double_predicate`, so we set the result to 2*point1 if point1 and point2 are the same\n        let mut result = if double_predicate {\n            // `embedded_curve_add_unsafe` is doing a doubling if the input is the same variable, because in this case it is guaranteed (at 'compile time') that the input is the same.\n            embedded_curve_add_unsafe(point1, point1)\n        } else {\n            let point1_1 = EmbeddedCurvePoint {\n                x: point1.x + (x_coordinates_match as Field),\n                y: point1.y,\n                is_infinite: false,\n            };\n            let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n            // point1_1 is guaranteed to have a different abscissa than point2:\n            // - if x_coordinates_match is 0, that means point1.x != point2.x, and point1_1.x = point1.x + 0\n            // - if x_coordinates_match is 1, that means point1.x = point2.x, but point1_1.x = point1.x + 1 in this case\n            // Because the abscissa is different, the addition formula is guaranteed to succeed, so we can safely use `embedded_curve_add_unsafe`\n            // Note that this computation may be garbage: if x_coordinates_match is 1, or if one of the input is the point at infinity.\n            // therefore we only want to do this if we need the result, otherwise it needs to be eliminated as a dead instruction, lest we want the circuit to fail.\n            embedded_curve_add_unsafe(point1_1, point2_1)\n        };\n\n        // Same logic as above for unconstrained context, we set the proper result when one of the inputs is the infinity point\n        if point1.is_infinite {\n            result = point2;\n        }\n        if point2.is_infinite {\n            result = point1;\n        }\n\n        // Finally, we set the is_infinity flag of the result:\n        // Opposite points should sum into the infinity point, however, if one of them is point at infinity, their coordinates are not meaningful\n        // so we should not use the fact that the inputs are opposite in this case:\n        let mut result_is_infinity =\n            infinity_predicate & (!point1.is_infinite & !point2.is_infinite);\n        // However, if both of them are at infinity, then the result is also at infinity\n        result.is_infinite = result_is_infinity | (point1.is_infinite & point2.is_infinite);\n        result\n    }\n}\n\n#[foreign(embedded_curve_add)]\nfn embedded_curve_add_array_return(\n    _point1: EmbeddedCurvePoint,\n    _point2: EmbeddedCurvePoint,\n    _predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n/// This function assumes that:\n/// The points are on the curve, and\n/// The points don't share an x-coordinate, and\n/// Neither point is the infinity point.\n/// If it is used with correct input, the function ensures the correct non-zero result is returned.\n/// Except for points on the curve, the other assumptions are checked by the function. It will cause assertion failure if they are not respected.\npub fn embedded_curve_add_not_nul(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    assert(point1.x != point2.x);\n    assert(!point1.is_infinite);\n    assert(!point2.is_infinite);\n    // Ensure is_infinite is comptime\n    let point1_1 = EmbeddedCurvePoint { x: point1.x, y: point1.y, is_infinite: false };\n    let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n    embedded_curve_add_unsafe(point1_1, point2_1)\n}\n\n/// Unsafe ec addition\n/// If the inputs are the same, it will perform a doubling, but only if point1 and point2 are the same variable.\n/// If they have the same value but are different variables, the result will be incorrect because in this case\n/// it assumes (but does not check) that the points' x-coordinates are not equal.\n/// It also assumes neither point is the infinity point.\npub fn embedded_curve_add_unsafe(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    embedded_curve_add_array_return(point1, point2, true)[0]\n}\n", path: "std/embedded_curve_ops.nr" }, "17": { source: `use crate::field::field_less_than;
-use crate::runtime::is_unconstrained;
-// The low and high decomposition of the field modulus
-global PLO: Field = 53438638232309528389504892708671455233;
-global PHI: Field = 64323764613183177041862057485226039389;
-pub(crate) global TWO_POW_128: Field = 0x100000000000000000000000000000000;
-// Decomposes a single field into two 16 byte fields.
-fn compute_decomposition(x: Field) -> (Field, Field) {
-    // Here's we're taking advantage of truncating 128 bit limbs from the input field
-    // and then subtracting them from the input such the field division is equivalent to integer division.
-    let low = (x as u128) as Field;
-    let high = (x - low) / TWO_POW_128;
-    (low, high)
-}
-pub(crate) unconstrained fn decompose_hint(x: Field) -> (Field, Field) {
-    compute_decomposition(x)
-}
-unconstrained fn lte_hint(x: Field, y: Field) -> bool {
-    if x == y {
-        true
-    } else {
-        field_less_than(x, y)
-    }
-}
-// Assert that (alo > blo && ahi >= bhi) || (alo <= blo && ahi > bhi)
-fn assert_gt_limbs(a: (Field, Field), b: (Field, Field)) {
-    let (alo, ahi) = a;
-    let (blo, bhi) = b;
-    // Safety: borrow is enforced to be boolean due to its type.
-    // if borrow is 0, it asserts that (alo > blo && ahi >= bhi)
-    // if borrow is 1, it asserts that (alo <= blo && ahi > bhi)
-    unsafe {
-        let borrow = lte_hint(alo, blo);
-        let rlo = alo - blo - 1 + (borrow as Field) * TWO_POW_128;
-        let rhi = ahi - bhi - (borrow as Field);
-        rlo.assert_max_bit_size::<128>();
-        rhi.assert_max_bit_size::<128>();
-    }
-}
-/// Decompose a single field into two 16 byte fields.
-pub fn decompose(x: Field) -> (Field, Field) {
-    if is_unconstrained() {
-        compute_decomposition(x)
-    } else {
-        // Safety: decomposition is properly checked below
-        unsafe {
-            // Take hints of the decomposition
-            let (xlo, xhi) = decompose_hint(x);
-            // Range check the limbs
-            xlo.assert_max_bit_size::<128>();
-            xhi.assert_max_bit_size::<128>();
-            // Check that the decomposition is correct
-            assert_eq(x, xlo + TWO_POW_128 * xhi);
-            // Assert that the decomposition of P is greater than the decomposition of x
-            assert_gt_limbs((PLO, PHI), (xlo, xhi));
-            (xlo, xhi)
-        }
-    }
-}
-pub fn assert_gt(a: Field, b: Field) {
-    if is_unconstrained() {
-        assert(
-            // Safety: already unconstrained
-            unsafe { field_less_than(b, a) },
-        );
-    } else {
-        // Decompose a and b
-        let a_limbs = decompose(a);
-        let b_limbs = decompose(b);
-        // Assert that a_limbs is greater than b_limbs
-        assert_gt_limbs(a_limbs, b_limbs)
-    }
-}
-pub fn assert_lt(a: Field, b: Field) {
-    assert_gt(b, a);
-}
-pub fn gt(a: Field, b: Field) -> bool {
-    if is_unconstrained() {
-        // Safety: unsafe in unconstrained
-        unsafe {
-            field_less_than(b, a)
-        }
-    } else if a == b {
-        false
-    } else {
-        // Safety: Take a hint of the comparison and verify it
-        unsafe {
-            if field_less_than(a, b) {
-                assert_gt(b, a);
-                false
-            } else {
-                assert_gt(a, b);
-                true
-            }
-        }
-    }
-}
-pub fn lt(a: Field, b: Field) -> bool {
-    gt(b, a)
-}
-mod tests {
-    // TODO: Allow imports from "super"
-    use crate::field::bn254::{assert_gt, decompose, gt, lt, lte_hint, PHI, PLO, TWO_POW_128};
-    #[test]
-    fn check_decompose() {
-        assert_eq(decompose(TWO_POW_128), (0, 1));
-        assert_eq(decompose(TWO_POW_128 + 0x1234567890), (0x1234567890, 1));
-        assert_eq(decompose(0x1234567890), (0x1234567890, 0));
-    }
-    #[test]
-    unconstrained fn check_lte_hint() {
-        assert(lte_hint(0, 1));
-        assert(lte_hint(0, 0x100));
-        assert(lte_hint(0x100, TWO_POW_128 - 1));
-        assert(!lte_hint(0 - 1, 0));
-        assert(lte_hint(0, 0));
-        assert(lte_hint(0x100, 0x100));
-        assert(lte_hint(0 - 1, 0 - 1));
-    }
-    #[test]
-    fn check_gt() {
-        assert(gt(1, 0));
-        assert(gt(0x100, 0));
-        assert(gt((0 - 1), (0 - 2)));
-        assert(gt(TWO_POW_128, 0));
-        assert(!gt(0, 0));
-        assert(!gt(0, 0x100));
-        assert(gt(0 - 1, 0 - 2));
-        assert(!gt(0 - 2, 0 - 1));
-        assert_gt(0 - 1, 0);
-    }
-    #[test]
-    fn check_plo_phi() {
-        assert_eq(PLO + PHI * TWO_POW_128, 0);
-        let p_bytes = crate::field::modulus_le_bytes();
-        let mut p_low: Field = 0;
-        let mut p_high: Field = 0;
-        let mut offset = 1;
-        for i in 0..16 {
-            p_low += (p_bytes[i] as Field) * offset;
-            p_high += (p_bytes[i + 16] as Field) * offset;
-            offset *= 256;
-        }
-        assert_eq(p_low, PLO);
-        assert_eq(p_high, PHI);
-    }
-    #[test]
-    fn check_decompose_edge_cases() {
-        assert_eq(decompose(0), (0, 0));
-        assert_eq(decompose(TWO_POW_128 - 1), (TWO_POW_128 - 1, 0));
-        assert_eq(decompose(TWO_POW_128 + 1), (1, 1));
-        assert_eq(decompose(TWO_POW_128 * 2), (0, 2));
-        assert_eq(decompose(TWO_POW_128 * 2 + 0x1234567890), (0x1234567890, 2));
-    }
-    #[test]
-    fn check_decompose_large_values() {
-        let large_field = 0xffffffffffffffff;
-        let (lo, hi) = decompose(large_field);
-        assert_eq(large_field, lo + TWO_POW_128 * hi);
-        let large_value = large_field - TWO_POW_128;
-        let (lo2, hi2) = decompose(large_value);
-        assert_eq(large_value, lo2 + TWO_POW_128 * hi2);
-    }
-    #[test]
-    fn check_lt_comprehensive() {
-        assert(lt(0, 1));
-        assert(!lt(1, 0));
-        assert(!lt(0, 0));
-        assert(!lt(42, 42));
-        assert(lt(TWO_POW_128 - 1, TWO_POW_128));
-        assert(!lt(TWO_POW_128, TWO_POW_128 - 1));
-    }
-}
-`, path: "std/field/bn254.nr" }, "19": { source: '// Exposed only for usage in `std::meta`\npub(crate) mod poseidon2;\n\nuse crate::default::Default;\nuse crate::embedded_curve_ops::{\n    EmbeddedCurvePoint, EmbeddedCurveScalar, multi_scalar_mul, multi_scalar_mul_array_return,\n};\nuse crate::meta::derive_via;\n\n#[foreign(sha256_compression)]\n// docs:start:sha256_compression\npub fn sha256_compression(input: [u32; 16], state: [u32; 8]) -> [u32; 8] {}\n// docs:end:sha256_compression\n\n#[foreign(keccakf1600)]\n// docs:start:keccakf1600\npub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {}\n// docs:end:keccakf1600\n\npub mod keccak {\n    #[deprecated("This function has been moved to std::hash::keccakf1600")]\n    pub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {\n        super::keccakf1600(input)\n    }\n}\n\n#[foreign(blake2s)]\n// docs:start:blake2s\npub fn blake2s<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake2s\n{}\n\n// docs:start:blake3\npub fn blake3<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake3\n{\n    if crate::runtime::is_unconstrained() {\n        // Temporary measure while Barretenberg is main proving system.\n        // Please open an issue if you\'re working on another proving system and running into problems due to this.\n        crate::static_assert(\n            N <= 1024,\n            "Barretenberg cannot prove blake3 hashes with inputs larger than 1024 bytes",\n        );\n    }\n    __blake3(input)\n}\n\n#[foreign(blake3)]\nfn __blake3<let N: u32>(input: [u8; N]) -> [u8; 32] {}\n\n// docs:start:pedersen_commitment\npub fn pedersen_commitment<let N: u32>(input: [Field; N]) -> EmbeddedCurvePoint {\n    // docs:end:pedersen_commitment\n    pedersen_commitment_with_separator(input, 0)\n}\n\n#[inline_always]\npub fn pedersen_commitment_with_separator<let N: u32>(\n    input: [Field; N],\n    separator: u32,\n) -> EmbeddedCurvePoint {\n    let mut points = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N];\n    for i in 0..N {\n        // we use the unsafe version because the multi_scalar_mul will constrain the scalars.\n        points[i] = from_field_unsafe(input[i]);\n    }\n    let generators = derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n    multi_scalar_mul(generators, points)\n}\n\n// docs:start:pedersen_hash\npub fn pedersen_hash<let N: u32>(input: [Field; N]) -> Field\n// docs:end:pedersen_hash\n{\n    pedersen_hash_with_separator(input, 0)\n}\n\n#[no_predicates]\npub fn pedersen_hash_with_separator<let N: u32>(input: [Field; N], separator: u32) -> Field {\n    let mut scalars: [EmbeddedCurveScalar; N + 1] = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N + 1];\n    let mut generators: [EmbeddedCurvePoint; N + 1] =\n        [EmbeddedCurvePoint::point_at_infinity(); N + 1];\n    let domain_generators: [EmbeddedCurvePoint; N] =\n        derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n\n    for i in 0..N {\n        scalars[i] = from_field_unsafe(input[i]);\n        generators[i] = domain_generators[i];\n    }\n    scalars[N] = EmbeddedCurveScalar { lo: N as Field, hi: 0 as Field };\n\n    let length_generator: [EmbeddedCurvePoint; 1] =\n        derive_generators("pedersen_hash_length".as_bytes(), 0);\n    generators[N] = length_generator[0];\n    multi_scalar_mul_array_return(generators, scalars, true)[0].x\n}\n\n#[field(bn254)]\n#[inline_always]\npub fn derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {\n    crate::assert_constant(domain_separator_bytes);\n    // TODO(https://github.com/noir-lang/noir/issues/5672): Add back assert_constant on starting_index\n    __derive_generators(domain_separator_bytes, starting_index)\n}\n\n#[builtin(derive_pedersen_generators)]\n#[field(bn254)]\nfn __derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {}\n\n#[field(bn254)]\n// Same as from_field but:\n// does not assert the limbs are 128 bits\n// does not assert the decomposition does not overflow the EmbeddedCurveScalar\nfn from_field_unsafe(scalar: Field) -> EmbeddedCurveScalar {\n    // Safety: xlo and xhi decomposition is checked below\n    let (xlo, xhi) = unsafe { crate::field::bn254::decompose_hint(scalar) };\n    // Check that the decomposition is correct\n    assert_eq(scalar, xlo + crate::field::bn254::TWO_POW_128 * xhi);\n    EmbeddedCurveScalar { lo: xlo, hi: xhi }\n}\n\npub fn poseidon2_permutation<let N: u32>(input: [Field; N], state_len: u32) -> [Field; N] {\n    assert_eq(input.len(), state_len);\n    poseidon2_permutation_internal(input)\n}\n\n#[foreign(poseidon2_permutation)]\nfn poseidon2_permutation_internal<let N: u32>(input: [Field; N]) -> [Field; N] {}\n\n// Generic hashing support.\n// Partially ported and impacted by rust.\n\n// Hash trait shall be implemented per type.\n#[derive_via(derive_hash)]\npub trait Hash {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher;\n}\n\n// docs:start:derive_hash\ncomptime fn derive_hash(s: TypeDefinition) -> Quoted {\n    let name = quote { $crate::hash::Hash };\n    let signature = quote { fn hash<H>(_self: Self, _state: &mut H) where H: $crate::hash::Hasher };\n    let for_each_field = |name| quote { _self.$name.hash(_state); };\n    crate::meta::make_trait_impl(\n        s,\n        name,\n        signature,\n        for_each_field,\n        quote {},\n        |fields| fields,\n    )\n}\n// docs:end:derive_hash\n\n// Hasher trait shall be implemented by algorithms to provide hash-agnostic means.\n// TODO: consider making the types generic here ([u8], [Field], etc.)\npub trait Hasher {\n    fn finish(self) -> Field;\n\n    fn write(&mut self, input: Field);\n}\n\n// BuildHasher is a factory trait, responsible for production of specific Hasher.\npub trait BuildHasher {\n    type H: Hasher;\n\n    fn build_hasher(self) -> H;\n}\n\npub struct BuildHasherDefault<H>;\n\nimpl<H> BuildHasher for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    type H = H;\n\n    fn build_hasher(_self: Self) -> H {\n        H::default()\n    }\n}\n\nimpl<H> Default for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    fn default() -> Self {\n        BuildHasherDefault {}\n    }\n}\n\nimpl Hash for Field {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self);\n    }\n}\n\nimpl Hash for u1 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u128 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for i8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u8 as Field);\n    }\n}\n\nimpl Hash for i16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u16 as Field);\n    }\n}\n\nimpl Hash for i32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u32 as Field);\n    }\n}\n\nimpl Hash for i64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u64 as Field);\n    }\n}\n\nimpl Hash for bool {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for () {\n    fn hash<H>(_self: Self, _state: &mut H)\n    where\n        H: Hasher,\n    {}\n}\n\nimpl<T, let N: u32> Hash for [T; N]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<T> Hash for [T]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.len().hash(state);\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<A, B> Hash for (A, B)\nwhere\n    A: Hash,\n    B: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n    }\n}\n\nimpl<A, B, C> Hash for (A, B, C)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n    }\n}\n\nimpl<A, B, C, D> Hash for (A, B, C, D)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n    }\n}\n\nimpl<A, B, C, D, E> Hash for (A, B, C, D, E)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n    E: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n        self.4.hash(state);\n    }\n}\n\n// Some test vectors for Pedersen hash and Pedersen Commitment.\n// They have been generated using the same functions so the tests are for now useless\n// but they will be useful when we switch to Noir implementation.\n#[test]\nfn assert_pedersen() {\n    assert_eq(\n        pedersen_hash_with_separator([1], 1),\n        0x1b3f4b1a83092a13d8d1a59f7acb62aba15e7002f4440f2275edb99ebbc2305f,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1], 1),\n        EmbeddedCurvePoint {\n            x: 0x054aa86a73cb8a34525e5bbed6e43ba1198e860f5f3950268f71df4591bde402,\n            y: 0x209dcfbf2cfb57f9f6046f44d71ac6faf87254afc7407c04eb621a6287cac126,\n            is_infinite: false,\n        },\n    );\n\n    assert_eq(\n        pedersen_hash_with_separator([1, 2], 2),\n        0x26691c129448e9ace0c66d11f0a16d9014a9e8498ee78f4d69f0083168188255,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2], 2),\n        EmbeddedCurvePoint {\n            x: 0x2e2b3b191e49541fe468ec6877721d445dcaffe41728df0a0eafeb15e87b0753,\n            y: 0x2ff4482400ad3a6228be17a2af33e2bcdf41be04795f9782bd96efe7e24f8778,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3], 3),\n        0x0bc694b7a1f8d10d2d8987d07433f26bd616a2d351bc79a3c540d85b6206dbe4,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3], 3),\n        EmbeddedCurvePoint {\n            x: 0x1fee4e8cf8d2f527caa2684236b07c4b1bad7342c01b0f75e9a877a71827dc85,\n            y: 0x2f9fedb9a090697ab69bf04c8bc15f7385b3e4b68c849c1536e5ae15ff138fd1,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4], 4),\n        0xdae10fb32a8408521803905981a2b300d6a35e40e798743e9322b223a5eddc,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4], 4),\n        EmbeddedCurvePoint {\n            x: 0x07ae3e202811e1fca39c2d81eabe6f79183978e6f12be0d3b8eda095b79bdbc9,\n            y: 0x0afc6f892593db6fbba60f2da558517e279e0ae04f95758587760ba193145014,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5], 5),\n        0xfc375b062c4f4f0150f7100dfb8d9b72a6d28582dd9512390b0497cdad9c22,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5], 5),\n        EmbeddedCurvePoint {\n            x: 0x1754b12bd475a6984a1094b5109eeca9838f4f81ac89c5f0a41dbce53189bb29,\n            y: 0x2da030e3cfcdc7ddad80eaf2599df6692cae0717d4e9f7bfbee8d073d5d278f7,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6], 6),\n        0x1696ed13dc2730062a98ac9d8f9de0661bb98829c7582f699d0273b18c86a572,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6], 6),\n        EmbeddedCurvePoint {\n            x: 0x190f6c0e97ad83e1e28da22a98aae156da083c5a4100e929b77e750d3106a697,\n            y: 0x1f4b60f34ef91221a0b49756fa0705da93311a61af73d37a0c458877706616fb,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        0x128c0ff144fc66b6cb60eeac8a38e23da52992fc427b92397a7dffd71c45ede3,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        EmbeddedCurvePoint {\n            x: 0x015441e9d29491b06563fac16fc76abf7a9534c715421d0de85d20dbe2965939,\n            y: 0x1d2575b0276f4e9087e6e07c2cb75aa1baafad127af4be5918ef8a2ef2fea8fc,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        0x2f960e117482044dfc99d12fece2ef6862fba9242be4846c7c9a3e854325a55c,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        EmbeddedCurvePoint {\n            x: 0x1657737676968887fceb6dd516382ea13b3a2c557f509811cd86d5d1199bc443,\n            y: 0x1f39f0cb569040105fa1e2f156521e8b8e08261e635a2b210bdc94e8d6d65f77,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        0x0c96db0790602dcb166cc4699e2d306c479a76926b81c2cb2aaa92d249ec7be7,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        EmbeddedCurvePoint {\n            x: 0x0a3ceae42d14914a432aa60ec7fded4af7dad7dd4acdbf2908452675ec67e06d,\n            y: 0xfc19761eaaf621ad4aec9a8b2e84a4eceffdba78f60f8b9391b0bd9345a2f2,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        0x2cd37505871bc460a62ea1e63c7fe51149df5d0801302cf1cbc48beb8dff7e94,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        EmbeddedCurvePoint {\n            x: 0x2fb3f8b3d41ddde007c8c3c62550f9a9380ee546fcc639ffbb3fd30c8d8de30c,\n            y: 0x300783be23c446b11a4c0fabf6c91af148937cea15fcf5fb054abf7f752ee245,\n            is_infinite: false,\n        },\n    );\n}\n', path: "std/hash/mod.nr" }, "50": { source: `/// Validity Proof Circuit
-///
-/// Proves: "This intent is authorized by the sender, without revealing
-/// the sender's identity, private key, or signature."
-///
-/// @see docs/specs/VALIDITY-PROOF.md
-use std::hash::pedersen_hash;
-use std::hash::pedersen_commitment;
-use std::ecdsa_secp256k1::verify_signature;
-// --- Main Circuit ---
-/// Main validity proof entry point
-///
-/// Public inputs: intent_hash, sender_commitment (x,y), nullifier, timestamp, expiry
-/// Private inputs: sender_address (Field), sender_blinding, sender_secret,
-///                 pub_key_x, pub_key_y, signature, message_hash, nonce
-///
-/// Constraints:
-/// 1. sender_commitment = Pedersen(sender_address, sender_blinding)
-/// 2. signature is valid for message_hash using pub_key
-/// 3. nullifier = Pedersen_hash(sender_secret, intent_hash, nonce)
-/// 4. timestamp < expiry
-pub fn main(
-    // Public inputs
-    intent_hash: pub Field,
-    sender_commitment_x: pub Field,
-    sender_commitment_y: pub Field,
-    nullifier: pub Field,
-    timestamp: pub u64,
-    expiry: pub u64,
-    // Private inputs
-    sender_address: Field,
-    sender_blinding: Field,
-    sender_secret: Field,
-    pub_key_x: [u8; 32],
-    pub_key_y: [u8; 32],
-    signature: [u8; 64],
-    message_hash: [u8; 32],
-    nonce: Field,
-) {
-    // Constraint 1: Verify Sender Commitment
-    // C = Pedersen(sender_address, sender_blinding)
-    let commitment = pedersen_commitment([sender_address, sender_blinding]);
-    assert(commitment.x == sender_commitment_x, "Sender commitment X mismatch");
-    assert(commitment.y == sender_commitment_y, "Sender commitment Y mismatch");
-    // Constraint 2: Verify ECDSA Signature
-    // The signature must be valid for the message_hash using the provided public key
-    let valid_sig = verify_signature(pub_key_x, pub_key_y, signature, message_hash);
-    assert(valid_sig, "Invalid ECDSA signature");
-    // Constraint 3: Verify Nullifier Derivation
-    // nullifier = Pedersen_hash(sender_secret, intent_hash, nonce)
-    let computed_nullifier = pedersen_hash([sender_secret, intent_hash, nonce]);
-    assert(computed_nullifier == nullifier, "Nullifier mismatch");
-    // Constraint 4: Time Bounds Check
-    assert(timestamp < expiry, "Intent expired");
-}
-// --- Tests ---
-// NOTE: Full ECDSA integration test requires TypeScript to generate valid signatures
-// The NoirProofProvider in SDK will generate proper test vectors
-// Here we test the commitment and nullifier logic which are pure Noir
-#[test]
-fn test_commitment_and_nullifier() {
-    // Test just the commitment and nullifier computation (without ECDSA)
-    let sender_address: Field = 0x742d35Cc6634C0532925a3b844Bc9e7595f;
-    let sender_blinding: Field = 0xABCDEF123456;
-    let sender_secret: Field = 0x1234567890ABCDEF;
-    let intent_hash: Field = 0xDEADBEEF;
-    let nonce: Field = 0x99999;
-    // Compute and verify commitment is consistent
-    let commitment1 = pedersen_commitment([sender_address, sender_blinding]);
-    let commitment2 = pedersen_commitment([sender_address, sender_blinding]);
-    assert(commitment1.x == commitment2.x, "Commitment X should be deterministic");
-    assert(commitment1.y == commitment2.y, "Commitment Y should be deterministic");
-    // Compute and verify nullifier is consistent
-    let nullifier1 = pedersen_hash([sender_secret, intent_hash, nonce]);
-    let nullifier2 = pedersen_hash([sender_secret, intent_hash, nonce]);
-    assert(nullifier1 == nullifier2, "Nullifier should be deterministic");
-    // Different nonce should give different nullifier
-    let different_nonce: Field = 0x88888;
-    let nullifier3 = pedersen_hash([sender_secret, intent_hash, different_nonce]);
-    assert(nullifier1 != nullifier3, "Different nonce should give different nullifier");
-}
-#[test]
-fn test_time_bounds() {
-    // Test timestamp < expiry constraint
-    let valid_timestamp: u64 = 1732600000;
-    let valid_expiry: u64 = 1732686400;
-    assert(valid_timestamp < valid_expiry, "Valid time bounds");
-}
-// NOTE: Full integration tests with ECDSA require TypeScript SDK
-// The NoirProofProvider will generate valid signature test vectors
-`, path: "/Users/rz/local-dev/sip-protocol/packages/circuits/validity_proof/src/main.nr" } }, expression_width: { Bounded: { width: 4 } } };
-// src/proofs/circuits/fulfillment_proof.json
-var fulfillment_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "13146944445132352806", abi: { parameters: [{ name: "intent_hash", type: { kind: "field" }, visibility: "public" }, { name: "output_commitment_x", type: { kind: "field" }, visibility: "public" }, { name: "output_commitment_y", type: { kind: "field" }, visibility: "public" }, { name: "recipient_stealth", type: { kind: "field" }, visibility: "public" }, { name: "min_output_amount", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "solver_id", type: { kind: "field" }, visibility: "public" }, { name: "fulfillment_time", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "expiry", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "output_amount", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "output_blinding", type: { kind: "field" }, visibility: "private" }, { name: "solver_secret", type: { kind: "field" }, visibility: "private" }, { name: "attestation_recipient", type: { kind: "field" }, visibility: "private" }, { name: "attestation_amount", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "attestation_tx_hash", type: { kind: "field" }, visibility: "private" }, { name: "attestation_block", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "oracle_signature", type: { kind: "array", length: 64, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "oracle_message_hash", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "oracle_pub_key_x", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }, { name: "oracle_pub_key_y", type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "private" }], return_type: null, error_types: { "1811611355587044900": { error_kind: "string", string: "Unauthorized solver" }, "5682920188479059162": { error_kind: "string", string: "Amount mismatch in attestation" }, "9350488092177273812": { error_kind: "string", string: "Recipient mismatch in attestation" }, "10078784717933725989": { error_kind: "string", string: "Invalid oracle attestation signature" }, "10879340518732620616": { error_kind: "string", string: "Commitment X mismatch" }, "12297495446303487112": { error_kind: "string", string: "Output below minimum" }, "12394005467219657293": { error_kind: "string", string: "Commitment Y mismatch" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" }, "17406200060514520896": { error_kind: "string", string: "Fulfillment after expiry" } } }, bytecode: "H4sIAAAAAAAA/82aCXBV1QGGzwshhBqJEJYQBR7IFoFIgKAIQhRCIErYouwJIQkQNAlkgyBCwr4ohKXUglpcKgFBtpiyCrZjW7GM06kjHactOmO1M51au+gA6oz5yX/zDpefvPcSdTwz8OV999x7z7153Pz/Cx5TN0LJvMzc/HO1fIOvPbV/mpGYk+hyYcK1EC5cuAjhWgkXyf1td5twrYVrI1yUcG2Faydce+E6CBctXEfhYoS7Xbg7hOskXGfhugjnFa6rcN2Eu1O47sL1EK6ncL2E6y1crHB3CddHuL7C9RMuTri7hesvXLxwA4QbKNwg4RKEGyzcPcLdK9wQ4e4Tbqhww4S7X7jhwo0QLlG4B4R7ULiRwo0SLkm40cIlCzdGuLHCpQj3kHAPCzdOuFThxgs3QbiJwk0SbrJwacI9Ityjwk0Rbqpw04SbLtwM4WYKN0u4dOEyhJstXKZwc4TLEi5buBzh5go3T7j5wuUKt0C4x4R7XLg84fKFKxBuoXCLhCsUrki4YuFKhCsVbrFwS4QrE26pcE8It0y4J4VbLtwK4cqFqxBupXCrhFst3Brh1gq3Trj1wm0QbqNwm4R7Srinhdss3BbhKoXbKtw24bYLt0O4nwq3U7ifCfeMcD8Xbpdwu4V7VrjnhHteuF8It0e4F4R7UbiXhHtZuF8K94pwe4WrEm6fcPuFe1W4A8IdFO41ulC+DjE3Dsd5yf7ZqYUfxe+JPT4hqaaiYuqs3gP/MabsxMKtIz/6YvvnPJbXBDQ84f7nehra6DWB7Wtf1yHysDPDuRkQia4jhLpO9H1d/E2OW8njeg4FsYbDpnE31RPktdpr8netoQ2c2H1ef8cK4E1TP+xv/BHyqHtSsyYswN9NOnLzuTNdcz1HA1+D+S5vaEvTuBt6jKx2Twr2htoL8HdDj5nAb2h14Gu4dtPwjQ2znJcMH17W+s8JLUtjPw8rif+63flvyqp2f/bOkMoRuVP6ZhWkTLfnxqxIv3pwRfzMHvui/xfx+4sDR/zh1aUX345s+7eK02/1vrJ9lj03kOHMbZ5StaDonY2DJqXPeOP9j4e+0HHz2siMIRN6bll0KWnrmY9D7Lne59492/erKVe+DC0YdTHmt1cvF6Yd+l3istB/zomZs+78mz3tuf6G/UY7Qh4lj5HVrrX6GZ7Xa/+qqf3zK9eGYH/UeExw5wxwbpPWFGICX1ON+WHW1MwEvqZbzA+zpiCe4p4I07g1BfsT7bgJfE04dhjPUUAuJBeRhWQRWUyWkKXkYnIJWUYuJZ8gl5FPksvJFWQ5WUGuJFeRq8k15FpyHbme3EBuJDeRT5FPk5uNr7KAlcZXTcBtxldBwB3GVzXAncZXKcBnjK86gLuMryKAzxpfFQCfN77ID+4xvmgPvmh8ER582fiiOviK8UVysMr4oje43/giNnjA+KI0+BoZSd5GtibbkFFkW7Id2Z7sQEaTHckY8nbyDrIT2ZnsYnzPQrAr2Y28k+xO9iB7kr3I3mQseRfZh+xL9iPjyLvJ/mQ8OYAcSA4iE8jB5D3kveQQ8j5yKDmMvJ8cTo4gE8kHyAfJkeQoMokcTSaTY8ixZAr5EPkwOY5MJceTE8iJ5CRyMplGPkI+Sk4hp5LTyOnkDHImOYtMJzPI2WQmOYfMIrPJHHIuOY+cT+aSC8jHyMfJPDKfxHPzhLl+eEivCWh4TlhzA2lZ9jmact6fBD73uvB7kjzlnhRs+LUX4O/CT9587g3h91Tga7h2037M4bff5ROJf9/QKjVq8YeTi65+sqtTyfjchE/2ltfM3VEc/98LF+y5cRfW/3HavNOTj6/ZGndr+7WZaQdq9v/6T5fTe51f/u+jb1ausuf6G/Yb7SR5yrU2P8MTxNygjnu69q8zxve7a2cEG8Sam+DOGeDc7/QzpTAT+Bpb+J/raWij1wS2r31dZ8lzzgznMyWIRNcRgv1MqbEX7+8zpbNBrOGcadxN9QR5rfaa/F3rXn6BBxc+QcCDFO0FbeFWU/efK5DMkMqQyJDGkMSQwpDAkL6QvJC6kLiQtpC0kLKQsJCuunA9XU1dmkKSQopCgkJ6QnJCakJiQlpCUkJKQkJCOkIyQipCIkIaQhJCCkICQvpB8kHqQeJB2kHSQcpBwkG6QbJJNHWJBmkGSQYpBgkG6QXJBakFiQVpBUkFKQUJBekEyQSpBIkEaQRJBCkECQTpA8kDqQOJA09yJA2kDDypkS6QLGabukSBNIEkgRSBBIH0gOSA1IDEgLSApICUgISAdIBmhFaERoQ2hCaEFoQGhPaD5oPWg8aDtoOmg5aDhoN2g2ZTbuoaDdoMnt5oMWgwaC9oLmgtaCxoK2gqaCloKGgnaCZoJWgkaCNoImghaCBoH2geaB1oHGgbaBpoGWgYaBdoFntMXaNAm0CTQItAg0B7wHsQrQGNAW0BTQEtAQ3B+XDdGc7DEM8GPAPw4MW/7RbWHHv+PnL9oE87/H/pvv3WpvoPscdkbavYEvfVTnvbYXLcyg8zU6dfW079cD4DfS/q7NXZu39TYW9zPhf9oLr/xAtv/zXV3vY62WNslHdcy0ub7G1O8us+973L/+rWvaO97QyZ+O60qlPDt/zH8c7DsxWZnZNVkLewoCgnY35ufnFn2nDXbOfJ6jUBDU+4tV/w+5cnh7sPGNT+Jtn5dUtT1u/s04j96+PcKGt/91owIvjafoQ7++Dd2cr6OtLaByPJOp7HtW20OG8TrynJ2T+0cfuHtDE3nt85Fn6C4Bqj+bqZmGu/l5pbc9R9NcJ5xHHc98b+PnjJqHhzsculhLI+7QcXjC9dfSnt4PK2L8V+Ghn9Wcmw0it/KXBfS0gDa49oYA0R4nrs++P8m2jc/V+S7JzTWVdzc+P9so8f6prfiWxpnd9ep9c0PD5464v3q1MG5LV27Y/hXDOuM4ZfZ+cW5mQV55bmZNQ+mHLm5RRmLCopKM7NyS927kS4tZdzxGDekc7+tzRu/+tKm3GtxT5u/QnJULGf5yavQ1xsaK7b2y5CbHOO2Ya01+tcx7dZzirpuSsAAA==", debug_symbols: "pZbLjqswDIbfJWsWsXPvq4xGFW2ZERKiFdMe6ajqux+7QwJdJOoJG2Iu/oiN/eO7OHWH2/e+H7/OP2L3cReHqR+G/ns/nI/ttT+PdPUuJB/Aih02Atzv4sVO0RLETjcC6Qn9eDQiuu2vU9ex14pD9Es7deNV7MbbMDTiTzvcng/9XNrxuV7bie7KRnTjiVYCfvVDx9ajWbxl3tVLnJ092uQO7sUf8v5W69nfGlXj7yH6e1/lH4N3Mvv+QvzgpZoB4JVLBPN2BlFCDAGlUhUECEEmgsEcwRUINu0BrDFLHsILwRf34NMeMEsIeYIGMDNBg/E1BFQuEtCZOgJsJaB6g1DMpLfxW4RQQ6AiiE2FgJAjcLpzCGV0TISyUtZsAtClTViV3UShKrUJMQ5t9UpdbCUi5BDF9rQmxbHKxH80OKiQCE7XEKiSIkFBlcgom9pTyxqRQYNJpqzJ5gF1obKlTVpJOVk+hn57EzYRkJS7JgyvU1l6l00lutLX8CmXav3Te61sLDWHx9Sh3mQ7FLfLJW7XS9wumLhdMYvpDDJ1WIBQg1DU21HwqDjrEItmQnBbEZiX3WJ9L7NAWGn/+x2i5JIJuSpvJnzSWXvsp9dpFSxNqlSMYN28+nkNv6uT3PxsABk8xTqMV1S8onmCYsOw6LLB8y+wwRPwcxL23HJsBBYkHoplNIAlgQ3kfbNBZMUPe80/MTaIrPgVnsisyeBdNHw0AhsPTs/Ut4eh4wg5B7fxGAOm0+vfS7wTB/jLdD52p9vUcXJWUzwdP6jbMXw+OIH/AA==", file_map: { "14": { source: "// docs:start:ecdsa_secp256k1\n/// Verifies a ECDSA signature over the secp256k1 curve.\n/// - inputs:\n///     - x coordinate of public key as 32 bytes\n///     - y coordinate of public key as 32 bytes\n///     - the signature, as a 64 bytes array\n///       The signature internally will be represented as `(r, s)`,\n///       where `r` and `s` are fixed-sized big endian scalar values.\n///       As the `secp256k1` has a 256-bit modulus, we have a 64 byte signature\n///       while `r` and `s` will both be 32 bytes.\n///       We expect `s` to be normalized. This means given the curve's order,\n///       `s` should be less than or equal to `order / 2`.\n///       This is done to prevent malleability.\n///       For more context regarding malleability you can reference BIP 0062.\n///     - the hash of the message, as a vector of bytes\n/// - output: false for failure and true for success\npub fn verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n) -> bool\n// docs:end:ecdsa_secp256k1\n{\n    _verify_signature(public_key_x, public_key_y, signature, message_hash, true)\n}\n\n#[foreign(ecdsa_secp256k1)]\npub fn _verify_signature(\n    public_key_x: [u8; 32],\n    public_key_y: [u8; 32],\n    signature: [u8; 64],\n    message_hash: [u8; 32],\n    predicate: bool,\n) -> bool {}\n", path: "std/ecdsa_secp256k1.nr" }, "16": { source: "use crate::cmp::Eq;\nuse crate::hash::Hash;\nuse crate::ops::arith::{Add, Neg, Sub};\n\n/// A point on the embedded elliptic curve\n/// By definition, the base field of the embedded curve is the scalar field of the proof system curve, i.e the Noir Field.\n/// x and y denotes the Weierstrass coordinates of the point, if is_infinite is false.\npub struct EmbeddedCurvePoint {\n    pub x: Field,\n    pub y: Field,\n    pub is_infinite: bool,\n}\n\nimpl EmbeddedCurvePoint {\n    /// Elliptic curve point doubling operation\n    /// returns the doubled point of a point P, i.e P+P\n    pub fn double(self) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, self)\n    }\n\n    /// Returns the null element of the curve; 'the point at infinity'\n    pub fn point_at_infinity() -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: 0, y: 0, is_infinite: true }\n    }\n\n    /// Returns the curve's generator point.\n    pub fn generator() -> EmbeddedCurvePoint {\n        // Generator point for the grumpkin curve (y^2 = x^3 - 17)\n        EmbeddedCurvePoint {\n            x: 1,\n            y: 17631683881184975370165255887551781615748388533673675138860, // sqrt(-16)\n            is_infinite: false,\n        }\n    }\n}\n\nimpl Add for EmbeddedCurvePoint {\n    /// Adds two points P+Q, using the curve addition formula, and also handles point at infinity\n    fn add(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        embedded_curve_add(self, other)\n    }\n}\n\nimpl Sub for EmbeddedCurvePoint {\n    /// Points subtraction operation, using addition and negation\n    fn sub(self, other: EmbeddedCurvePoint) -> EmbeddedCurvePoint {\n        self + other.neg()\n    }\n}\n\nimpl Neg for EmbeddedCurvePoint {\n    /// Negates a point P, i.e returns -P, by negating the y coordinate.\n    /// If the point is at infinity, then the result is also at infinity.\n    fn neg(self) -> EmbeddedCurvePoint {\n        EmbeddedCurvePoint { x: self.x, y: -self.y, is_infinite: self.is_infinite }\n    }\n}\n\nimpl Eq for EmbeddedCurvePoint {\n    /// Checks whether two points are equal\n    fn eq(self: Self, b: EmbeddedCurvePoint) -> bool {\n        (self.is_infinite & b.is_infinite)\n            | ((self.is_infinite == b.is_infinite) & (self.x == b.x) & (self.y == b.y))\n    }\n}\n\nimpl Hash for EmbeddedCurvePoint {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        if self.is_infinite {\n            self.is_infinite.hash(state);\n        } else {\n            self.x.hash(state);\n            self.y.hash(state);\n        }\n    }\n}\n\n/// Scalar for the embedded curve represented as low and high limbs\n/// By definition, the scalar field of the embedded curve is base field of the proving system curve.\n/// It may not fit into a Field element, so it is represented with two Field elements; its low and high limbs.\npub struct EmbeddedCurveScalar {\n    pub lo: Field,\n    pub hi: Field,\n}\n\nimpl EmbeddedCurveScalar {\n    pub fn new(lo: Field, hi: Field) -> Self {\n        EmbeddedCurveScalar { lo, hi }\n    }\n\n    #[field(bn254)]\n    pub fn from_field(scalar: Field) -> EmbeddedCurveScalar {\n        let (a, b) = crate::field::bn254::decompose(scalar);\n        EmbeddedCurveScalar { lo: a, hi: b }\n    }\n\n    //Bytes to scalar: take the first (after the specified offset) 16 bytes of the input as the lo value, and the next 16 bytes as the hi value\n    #[field(bn254)]\n    pub(crate) fn from_bytes(bytes: [u8; 64], offset: u32) -> EmbeddedCurveScalar {\n        let mut v = 1;\n        let mut lo = 0 as Field;\n        let mut hi = 0 as Field;\n        for i in 0..16 {\n            lo = lo + (bytes[offset + 31 - i] as Field) * v;\n            hi = hi + (bytes[offset + 15 - i] as Field) * v;\n            v = v * 256;\n        }\n        let sig_s = crate::embedded_curve_ops::EmbeddedCurveScalar { lo, hi };\n        sig_s\n    }\n}\n\nimpl Eq for EmbeddedCurveScalar {\n    fn eq(self, other: Self) -> bool {\n        (other.hi == self.hi) & (other.lo == self.lo)\n    }\n}\n\nimpl Hash for EmbeddedCurveScalar {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: crate::hash::Hasher,\n    {\n        self.hi.hash(state);\n        self.lo.hash(state);\n    }\n}\n\n// Computes a multi scalar multiplication over the embedded curve.\n// For bn254, We have Grumpkin and Baby JubJub.\n// For bls12-381, we have JubJub and Bandersnatch.\n//\n// The embedded curve being used is decided by the\n// underlying proof system.\n// docs:start:multi_scalar_mul\npub fn multi_scalar_mul<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n) -> EmbeddedCurvePoint\n// docs:end:multi_scalar_mul\n{\n    multi_scalar_mul_array_return(points, scalars, true)[0]\n}\n\n#[foreign(multi_scalar_mul)]\npub(crate) fn multi_scalar_mul_array_return<let N: u32>(\n    points: [EmbeddedCurvePoint; N],\n    scalars: [EmbeddedCurveScalar; N],\n    predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n// docs:start:fixed_base_scalar_mul\npub fn fixed_base_scalar_mul(scalar: EmbeddedCurveScalar) -> EmbeddedCurvePoint\n// docs:end:fixed_base_scalar_mul\n{\n    multi_scalar_mul([EmbeddedCurvePoint::generator()], [scalar])\n}\n\n/// This function only assumes that the points are on the curve\n/// It handles corner cases around the infinity point causing some overhead compared to embedded_curve_add_not_nul and embedded_curve_add_unsafe\n// docs:start:embedded_curve_add\npub fn embedded_curve_add(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    // docs:end:embedded_curve_add\n    if crate::runtime::is_unconstrained() {\n        // `embedded_curve_add_unsafe` requires the inputs not to be the infinity point, so we check it here.\n        // This is because `embedded_curve_add_unsafe` uses the `embedded_curve_add` opcode.\n        // For efficiency, the backend does not check the inputs for the infinity point, but it assumes that they are not the infinity point\n        // so that it can apply the ec addition formula directly.\n        if point1.is_infinite {\n            point2\n        } else if point2.is_infinite {\n            point1\n        } else {\n            embedded_curve_add_unsafe(point1, point2)\n        }\n    } else {\n        // In a constrained context, we also need to check the inputs are not the infinity point because we also use `embedded_curve_add_unsafe`\n        // However we also need to identify the case where the two inputs are the same, because then\n        // the addition formula does not work and we need to use the doubling formula instead.\n        // In unconstrained context, we can check directly if the input values are the same when solving the opcode, so it is not an issue.\n\n        // x_coordinates_match is true if both abscissae are the same\n        let x_coordinates_match = point1.x == point2.x;\n        // y_coordinates_match is true if both ordinates are the same\n        let y_coordinates_match = point1.y == point2.y;\n        // double_predicate is true if both abscissae and ordinates are the same\n        let double_predicate = (x_coordinates_match & y_coordinates_match);\n        // If the abscissae are the same, but not the ordinates, then one point is the opposite of the other\n        let infinity_predicate = (x_coordinates_match & !y_coordinates_match);\n\n        // `embedded_curve_add_unsafe` would not perform doubling, even if the inputs point1 and point2 are the same, because it cannot know this without adding some logic (and some constraints)\n        // However we did this logic when we computed `double_predicate`, so we set the result to 2*point1 if point1 and point2 are the same\n        let mut result = if double_predicate {\n            // `embedded_curve_add_unsafe` is doing a doubling if the input is the same variable, because in this case it is guaranteed (at 'compile time') that the input is the same.\n            embedded_curve_add_unsafe(point1, point1)\n        } else {\n            let point1_1 = EmbeddedCurvePoint {\n                x: point1.x + (x_coordinates_match as Field),\n                y: point1.y,\n                is_infinite: false,\n            };\n            let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n            // point1_1 is guaranteed to have a different abscissa than point2:\n            // - if x_coordinates_match is 0, that means point1.x != point2.x, and point1_1.x = point1.x + 0\n            // - if x_coordinates_match is 1, that means point1.x = point2.x, but point1_1.x = point1.x + 1 in this case\n            // Because the abscissa is different, the addition formula is guaranteed to succeed, so we can safely use `embedded_curve_add_unsafe`\n            // Note that this computation may be garbage: if x_coordinates_match is 1, or if one of the input is the point at infinity.\n            // therefore we only want to do this if we need the result, otherwise it needs to be eliminated as a dead instruction, lest we want the circuit to fail.\n            embedded_curve_add_unsafe(point1_1, point2_1)\n        };\n\n        // Same logic as above for unconstrained context, we set the proper result when one of the inputs is the infinity point\n        if point1.is_infinite {\n            result = point2;\n        }\n        if point2.is_infinite {\n            result = point1;\n        }\n\n        // Finally, we set the is_infinity flag of the result:\n        // Opposite points should sum into the infinity point, however, if one of them is point at infinity, their coordinates are not meaningful\n        // so we should not use the fact that the inputs are opposite in this case:\n        let mut result_is_infinity =\n            infinity_predicate & (!point1.is_infinite & !point2.is_infinite);\n        // However, if both of them are at infinity, then the result is also at infinity\n        result.is_infinite = result_is_infinity | (point1.is_infinite & point2.is_infinite);\n        result\n    }\n}\n\n#[foreign(embedded_curve_add)]\nfn embedded_curve_add_array_return(\n    _point1: EmbeddedCurvePoint,\n    _point2: EmbeddedCurvePoint,\n    _predicate: bool,\n) -> [EmbeddedCurvePoint; 1] {}\n\n/// This function assumes that:\n/// The points are on the curve, and\n/// The points don't share an x-coordinate, and\n/// Neither point is the infinity point.\n/// If it is used with correct input, the function ensures the correct non-zero result is returned.\n/// Except for points on the curve, the other assumptions are checked by the function. It will cause assertion failure if they are not respected.\npub fn embedded_curve_add_not_nul(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    assert(point1.x != point2.x);\n    assert(!point1.is_infinite);\n    assert(!point2.is_infinite);\n    // Ensure is_infinite is comptime\n    let point1_1 = EmbeddedCurvePoint { x: point1.x, y: point1.y, is_infinite: false };\n    let point2_1 = EmbeddedCurvePoint { x: point2.x, y: point2.y, is_infinite: false };\n    embedded_curve_add_unsafe(point1_1, point2_1)\n}\n\n/// Unsafe ec addition\n/// If the inputs are the same, it will perform a doubling, but only if point1 and point2 are the same variable.\n/// If they have the same value but are different variables, the result will be incorrect because in this case\n/// it assumes (but does not check) that the points' x-coordinates are not equal.\n/// It also assumes neither point is the infinity point.\npub fn embedded_curve_add_unsafe(\n    point1: EmbeddedCurvePoint,\n    point2: EmbeddedCurvePoint,\n) -> EmbeddedCurvePoint {\n    embedded_curve_add_array_return(point1, point2, true)[0]\n}\n", path: "std/embedded_curve_ops.nr" }, "17": { source: `use crate::field::field_less_than;
-use crate::runtime::is_unconstrained;
-// The low and high decomposition of the field modulus
-global PLO: Field = 53438638232309528389504892708671455233;
-global PHI: Field = 64323764613183177041862057485226039389;
-pub(crate) global TWO_POW_128: Field = 0x100000000000000000000000000000000;
-// Decomposes a single field into two 16 byte fields.
-fn compute_decomposition(x: Field) -> (Field, Field) {
-    // Here's we're taking advantage of truncating 128 bit limbs from the input field
-    // and then subtracting them from the input such the field division is equivalent to integer division.
-    let low = (x as u128) as Field;
-    let high = (x - low) / TWO_POW_128;
-    (low, high)
-}
-pub(crate) unconstrained fn decompose_hint(x: Field) -> (Field, Field) {
-    compute_decomposition(x)
-}
-unconstrained fn lte_hint(x: Field, y: Field) -> bool {
-    if x == y {
-        true
-    } else {
-        field_less_than(x, y)
-    }
-}
-// Assert that (alo > blo && ahi >= bhi) || (alo <= blo && ahi > bhi)
-fn assert_gt_limbs(a: (Field, Field), b: (Field, Field)) {
-    let (alo, ahi) = a;
-    let (blo, bhi) = b;
-    // Safety: borrow is enforced to be boolean due to its type.
-    // if borrow is 0, it asserts that (alo > blo && ahi >= bhi)
-    // if borrow is 1, it asserts that (alo <= blo && ahi > bhi)
-    unsafe {
-        let borrow = lte_hint(alo, blo);
-        let rlo = alo - blo - 1 + (borrow as Field) * TWO_POW_128;
-        let rhi = ahi - bhi - (borrow as Field);
-        rlo.assert_max_bit_size::<128>();
-        rhi.assert_max_bit_size::<128>();
-    }
-}
-/// Decompose a single field into two 16 byte fields.
-pub fn decompose(x: Field) -> (Field, Field) {
-    if is_unconstrained() {
-        compute_decomposition(x)
-    } else {
-        // Safety: decomposition is properly checked below
-        unsafe {
-            // Take hints of the decomposition
-            let (xlo, xhi) = decompose_hint(x);
-            // Range check the limbs
-            xlo.assert_max_bit_size::<128>();
-            xhi.assert_max_bit_size::<128>();
-            // Check that the decomposition is correct
-            assert_eq(x, xlo + TWO_POW_128 * xhi);
-            // Assert that the decomposition of P is greater than the decomposition of x
-            assert_gt_limbs((PLO, PHI), (xlo, xhi));
-            (xlo, xhi)
-        }
-    }
-}
-pub fn assert_gt(a: Field, b: Field) {
-    if is_unconstrained() {
-        assert(
-            // Safety: already unconstrained
-            unsafe { field_less_than(b, a) },
-        );
-    } else {
-        // Decompose a and b
-        let a_limbs = decompose(a);
-        let b_limbs = decompose(b);
-        // Assert that a_limbs is greater than b_limbs
-        assert_gt_limbs(a_limbs, b_limbs)
-    }
-}
-pub fn assert_lt(a: Field, b: Field) {
-    assert_gt(b, a);
-}
-pub fn gt(a: Field, b: Field) -> bool {
-    if is_unconstrained() {
-        // Safety: unsafe in unconstrained
-        unsafe {
-            field_less_than(b, a)
-        }
-    } else if a == b {
-        false
-    } else {
-        // Safety: Take a hint of the comparison and verify it
-        unsafe {
-            if field_less_than(a, b) {
-                assert_gt(b, a);
-                false
-            } else {
-                assert_gt(a, b);
-                true
-            }
-        }
-    }
-}
-pub fn lt(a: Field, b: Field) -> bool {
-    gt(b, a)
-}
-mod tests {
-    // TODO: Allow imports from "super"
-    use crate::field::bn254::{assert_gt, decompose, gt, lt, lte_hint, PHI, PLO, TWO_POW_128};
-    #[test]
-    fn check_decompose() {
-        assert_eq(decompose(TWO_POW_128), (0, 1));
-        assert_eq(decompose(TWO_POW_128 + 0x1234567890), (0x1234567890, 1));
-        assert_eq(decompose(0x1234567890), (0x1234567890, 0));
-    }
-    #[test]
-    unconstrained fn check_lte_hint() {
-        assert(lte_hint(0, 1));
-        assert(lte_hint(0, 0x100));
-        assert(lte_hint(0x100, TWO_POW_128 - 1));
-        assert(!lte_hint(0 - 1, 0));
-        assert(lte_hint(0, 0));
-        assert(lte_hint(0x100, 0x100));
-        assert(lte_hint(0 - 1, 0 - 1));
-    }
-    #[test]
-    fn check_gt() {
-        assert(gt(1, 0));
-        assert(gt(0x100, 0));
-        assert(gt((0 - 1), (0 - 2)));
-        assert(gt(TWO_POW_128, 0));
-        assert(!gt(0, 0));
-        assert(!gt(0, 0x100));
-        assert(gt(0 - 1, 0 - 2));
-        assert(!gt(0 - 2, 0 - 1));
-        assert_gt(0 - 1, 0);
-    }
-    #[test]
-    fn check_plo_phi() {
-        assert_eq(PLO + PHI * TWO_POW_128, 0);
-        let p_bytes = crate::field::modulus_le_bytes();
-        let mut p_low: Field = 0;
-        let mut p_high: Field = 0;
-        let mut offset = 1;
-        for i in 0..16 {
-            p_low += (p_bytes[i] as Field) * offset;
-            p_high += (p_bytes[i + 16] as Field) * offset;
-            offset *= 256;
-        }
-        assert_eq(p_low, PLO);
-        assert_eq(p_high, PHI);
-    }
-    #[test]
-    fn check_decompose_edge_cases() {
-        assert_eq(decompose(0), (0, 0));
-        assert_eq(decompose(TWO_POW_128 - 1), (TWO_POW_128 - 1, 0));
-        assert_eq(decompose(TWO_POW_128 + 1), (1, 1));
-        assert_eq(decompose(TWO_POW_128 * 2), (0, 2));
-        assert_eq(decompose(TWO_POW_128 * 2 + 0x1234567890), (0x1234567890, 2));
-    }
-    #[test]
-    fn check_decompose_large_values() {
-        let large_field = 0xffffffffffffffff;
-        let (lo, hi) = decompose(large_field);
-        assert_eq(large_field, lo + TWO_POW_128 * hi);
-        let large_value = large_field - TWO_POW_128;
-        let (lo2, hi2) = decompose(large_value);
-        assert_eq(large_value, lo2 + TWO_POW_128 * hi2);
-    }
-    #[test]
-    fn check_lt_comprehensive() {
-        assert(lt(0, 1));
-        assert(!lt(1, 0));
-        assert(!lt(0, 0));
-        assert(!lt(42, 42));
-        assert(lt(TWO_POW_128 - 1, TWO_POW_128));
-        assert(!lt(TWO_POW_128, TWO_POW_128 - 1));
-    }
-}
-`, path: "std/field/bn254.nr" }, "19": { source: '// Exposed only for usage in `std::meta`\npub(crate) mod poseidon2;\n\nuse crate::default::Default;\nuse crate::embedded_curve_ops::{\n    EmbeddedCurvePoint, EmbeddedCurveScalar, multi_scalar_mul, multi_scalar_mul_array_return,\n};\nuse crate::meta::derive_via;\n\n#[foreign(sha256_compression)]\n// docs:start:sha256_compression\npub fn sha256_compression(input: [u32; 16], state: [u32; 8]) -> [u32; 8] {}\n// docs:end:sha256_compression\n\n#[foreign(keccakf1600)]\n// docs:start:keccakf1600\npub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {}\n// docs:end:keccakf1600\n\npub mod keccak {\n    #[deprecated("This function has been moved to std::hash::keccakf1600")]\n    pub fn keccakf1600(input: [u64; 25]) -> [u64; 25] {\n        super::keccakf1600(input)\n    }\n}\n\n#[foreign(blake2s)]\n// docs:start:blake2s\npub fn blake2s<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake2s\n{}\n\n// docs:start:blake3\npub fn blake3<let N: u32>(input: [u8; N]) -> [u8; 32]\n// docs:end:blake3\n{\n    if crate::runtime::is_unconstrained() {\n        // Temporary measure while Barretenberg is main proving system.\n        // Please open an issue if you\'re working on another proving system and running into problems due to this.\n        crate::static_assert(\n            N <= 1024,\n            "Barretenberg cannot prove blake3 hashes with inputs larger than 1024 bytes",\n        );\n    }\n    __blake3(input)\n}\n\n#[foreign(blake3)]\nfn __blake3<let N: u32>(input: [u8; N]) -> [u8; 32] {}\n\n// docs:start:pedersen_commitment\npub fn pedersen_commitment<let N: u32>(input: [Field; N]) -> EmbeddedCurvePoint {\n    // docs:end:pedersen_commitment\n    pedersen_commitment_with_separator(input, 0)\n}\n\n#[inline_always]\npub fn pedersen_commitment_with_separator<let N: u32>(\n    input: [Field; N],\n    separator: u32,\n) -> EmbeddedCurvePoint {\n    let mut points = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N];\n    for i in 0..N {\n        // we use the unsafe version because the multi_scalar_mul will constrain the scalars.\n        points[i] = from_field_unsafe(input[i]);\n    }\n    let generators = derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n    multi_scalar_mul(generators, points)\n}\n\n// docs:start:pedersen_hash\npub fn pedersen_hash<let N: u32>(input: [Field; N]) -> Field\n// docs:end:pedersen_hash\n{\n    pedersen_hash_with_separator(input, 0)\n}\n\n#[no_predicates]\npub fn pedersen_hash_with_separator<let N: u32>(input: [Field; N], separator: u32) -> Field {\n    let mut scalars: [EmbeddedCurveScalar; N + 1] = [EmbeddedCurveScalar { lo: 0, hi: 0 }; N + 1];\n    let mut generators: [EmbeddedCurvePoint; N + 1] =\n        [EmbeddedCurvePoint::point_at_infinity(); N + 1];\n    let domain_generators: [EmbeddedCurvePoint; N] =\n        derive_generators("DEFAULT_DOMAIN_SEPARATOR".as_bytes(), separator);\n\n    for i in 0..N {\n        scalars[i] = from_field_unsafe(input[i]);\n        generators[i] = domain_generators[i];\n    }\n    scalars[N] = EmbeddedCurveScalar { lo: N as Field, hi: 0 as Field };\n\n    let length_generator: [EmbeddedCurvePoint; 1] =\n        derive_generators("pedersen_hash_length".as_bytes(), 0);\n    generators[N] = length_generator[0];\n    multi_scalar_mul_array_return(generators, scalars, true)[0].x\n}\n\n#[field(bn254)]\n#[inline_always]\npub fn derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {\n    crate::assert_constant(domain_separator_bytes);\n    // TODO(https://github.com/noir-lang/noir/issues/5672): Add back assert_constant on starting_index\n    __derive_generators(domain_separator_bytes, starting_index)\n}\n\n#[builtin(derive_pedersen_generators)]\n#[field(bn254)]\nfn __derive_generators<let N: u32, let M: u32>(\n    domain_separator_bytes: [u8; M],\n    starting_index: u32,\n) -> [EmbeddedCurvePoint; N] {}\n\n#[field(bn254)]\n// Same as from_field but:\n// does not assert the limbs are 128 bits\n// does not assert the decomposition does not overflow the EmbeddedCurveScalar\nfn from_field_unsafe(scalar: Field) -> EmbeddedCurveScalar {\n    // Safety: xlo and xhi decomposition is checked below\n    let (xlo, xhi) = unsafe { crate::field::bn254::decompose_hint(scalar) };\n    // Check that the decomposition is correct\n    assert_eq(scalar, xlo + crate::field::bn254::TWO_POW_128 * xhi);\n    EmbeddedCurveScalar { lo: xlo, hi: xhi }\n}\n\npub fn poseidon2_permutation<let N: u32>(input: [Field; N], state_len: u32) -> [Field; N] {\n    assert_eq(input.len(), state_len);\n    poseidon2_permutation_internal(input)\n}\n\n#[foreign(poseidon2_permutation)]\nfn poseidon2_permutation_internal<let N: u32>(input: [Field; N]) -> [Field; N] {}\n\n// Generic hashing support.\n// Partially ported and impacted by rust.\n\n// Hash trait shall be implemented per type.\n#[derive_via(derive_hash)]\npub trait Hash {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher;\n}\n\n// docs:start:derive_hash\ncomptime fn derive_hash(s: TypeDefinition) -> Quoted {\n    let name = quote { $crate::hash::Hash };\n    let signature = quote { fn hash<H>(_self: Self, _state: &mut H) where H: $crate::hash::Hasher };\n    let for_each_field = |name| quote { _self.$name.hash(_state); };\n    crate::meta::make_trait_impl(\n        s,\n        name,\n        signature,\n        for_each_field,\n        quote {},\n        |fields| fields,\n    )\n}\n// docs:end:derive_hash\n\n// Hasher trait shall be implemented by algorithms to provide hash-agnostic means.\n// TODO: consider making the types generic here ([u8], [Field], etc.)\npub trait Hasher {\n    fn finish(self) -> Field;\n\n    fn write(&mut self, input: Field);\n}\n\n// BuildHasher is a factory trait, responsible for production of specific Hasher.\npub trait BuildHasher {\n    type H: Hasher;\n\n    fn build_hasher(self) -> H;\n}\n\npub struct BuildHasherDefault<H>;\n\nimpl<H> BuildHasher for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    type H = H;\n\n    fn build_hasher(_self: Self) -> H {\n        H::default()\n    }\n}\n\nimpl<H> Default for BuildHasherDefault<H>\nwhere\n    H: Hasher + Default,\n{\n    fn default() -> Self {\n        BuildHasherDefault {}\n    }\n}\n\nimpl Hash for Field {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self);\n    }\n}\n\nimpl Hash for u1 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for u128 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for i8 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u8 as Field);\n    }\n}\n\nimpl Hash for i16 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u16 as Field);\n    }\n}\n\nimpl Hash for i32 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u32 as Field);\n    }\n}\n\nimpl Hash for i64 {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as u64 as Field);\n    }\n}\n\nimpl Hash for bool {\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        H::write(state, self as Field);\n    }\n}\n\nimpl Hash for () {\n    fn hash<H>(_self: Self, _state: &mut H)\n    where\n        H: Hasher,\n    {}\n}\n\nimpl<T, let N: u32> Hash for [T; N]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<T> Hash for [T]\nwhere\n    T: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.len().hash(state);\n        for elem in self {\n            elem.hash(state);\n        }\n    }\n}\n\nimpl<A, B> Hash for (A, B)\nwhere\n    A: Hash,\n    B: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n    }\n}\n\nimpl<A, B, C> Hash for (A, B, C)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n    }\n}\n\nimpl<A, B, C, D> Hash for (A, B, C, D)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n    }\n}\n\nimpl<A, B, C, D, E> Hash for (A, B, C, D, E)\nwhere\n    A: Hash,\n    B: Hash,\n    C: Hash,\n    D: Hash,\n    E: Hash,\n{\n    fn hash<H>(self, state: &mut H)\n    where\n        H: Hasher,\n    {\n        self.0.hash(state);\n        self.1.hash(state);\n        self.2.hash(state);\n        self.3.hash(state);\n        self.4.hash(state);\n    }\n}\n\n// Some test vectors for Pedersen hash and Pedersen Commitment.\n// They have been generated using the same functions so the tests are for now useless\n// but they will be useful when we switch to Noir implementation.\n#[test]\nfn assert_pedersen() {\n    assert_eq(\n        pedersen_hash_with_separator([1], 1),\n        0x1b3f4b1a83092a13d8d1a59f7acb62aba15e7002f4440f2275edb99ebbc2305f,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1], 1),\n        EmbeddedCurvePoint {\n            x: 0x054aa86a73cb8a34525e5bbed6e43ba1198e860f5f3950268f71df4591bde402,\n            y: 0x209dcfbf2cfb57f9f6046f44d71ac6faf87254afc7407c04eb621a6287cac126,\n            is_infinite: false,\n        },\n    );\n\n    assert_eq(\n        pedersen_hash_with_separator([1, 2], 2),\n        0x26691c129448e9ace0c66d11f0a16d9014a9e8498ee78f4d69f0083168188255,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2], 2),\n        EmbeddedCurvePoint {\n            x: 0x2e2b3b191e49541fe468ec6877721d445dcaffe41728df0a0eafeb15e87b0753,\n            y: 0x2ff4482400ad3a6228be17a2af33e2bcdf41be04795f9782bd96efe7e24f8778,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3], 3),\n        0x0bc694b7a1f8d10d2d8987d07433f26bd616a2d351bc79a3c540d85b6206dbe4,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3], 3),\n        EmbeddedCurvePoint {\n            x: 0x1fee4e8cf8d2f527caa2684236b07c4b1bad7342c01b0f75e9a877a71827dc85,\n            y: 0x2f9fedb9a090697ab69bf04c8bc15f7385b3e4b68c849c1536e5ae15ff138fd1,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4], 4),\n        0xdae10fb32a8408521803905981a2b300d6a35e40e798743e9322b223a5eddc,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4], 4),\n        EmbeddedCurvePoint {\n            x: 0x07ae3e202811e1fca39c2d81eabe6f79183978e6f12be0d3b8eda095b79bdbc9,\n            y: 0x0afc6f892593db6fbba60f2da558517e279e0ae04f95758587760ba193145014,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5], 5),\n        0xfc375b062c4f4f0150f7100dfb8d9b72a6d28582dd9512390b0497cdad9c22,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5], 5),\n        EmbeddedCurvePoint {\n            x: 0x1754b12bd475a6984a1094b5109eeca9838f4f81ac89c5f0a41dbce53189bb29,\n            y: 0x2da030e3cfcdc7ddad80eaf2599df6692cae0717d4e9f7bfbee8d073d5d278f7,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6], 6),\n        0x1696ed13dc2730062a98ac9d8f9de0661bb98829c7582f699d0273b18c86a572,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6], 6),\n        EmbeddedCurvePoint {\n            x: 0x190f6c0e97ad83e1e28da22a98aae156da083c5a4100e929b77e750d3106a697,\n            y: 0x1f4b60f34ef91221a0b49756fa0705da93311a61af73d37a0c458877706616fb,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        0x128c0ff144fc66b6cb60eeac8a38e23da52992fc427b92397a7dffd71c45ede3,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7], 7),\n        EmbeddedCurvePoint {\n            x: 0x015441e9d29491b06563fac16fc76abf7a9534c715421d0de85d20dbe2965939,\n            y: 0x1d2575b0276f4e9087e6e07c2cb75aa1baafad127af4be5918ef8a2ef2fea8fc,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        0x2f960e117482044dfc99d12fece2ef6862fba9242be4846c7c9a3e854325a55c,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8], 8),\n        EmbeddedCurvePoint {\n            x: 0x1657737676968887fceb6dd516382ea13b3a2c557f509811cd86d5d1199bc443,\n            y: 0x1f39f0cb569040105fa1e2f156521e8b8e08261e635a2b210bdc94e8d6d65f77,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        0x0c96db0790602dcb166cc4699e2d306c479a76926b81c2cb2aaa92d249ec7be7,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9], 9),\n        EmbeddedCurvePoint {\n            x: 0x0a3ceae42d14914a432aa60ec7fded4af7dad7dd4acdbf2908452675ec67e06d,\n            y: 0xfc19761eaaf621ad4aec9a8b2e84a4eceffdba78f60f8b9391b0bd9345a2f2,\n            is_infinite: false,\n        },\n    );\n    assert_eq(\n        pedersen_hash_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        0x2cd37505871bc460a62ea1e63c7fe51149df5d0801302cf1cbc48beb8dff7e94,\n    );\n    assert_eq(\n        pedersen_commitment_with_separator([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 10),\n        EmbeddedCurvePoint {\n            x: 0x2fb3f8b3d41ddde007c8c3c62550f9a9380ee546fcc639ffbb3fd30c8d8de30c,\n            y: 0x300783be23c446b11a4c0fabf6c91af148937cea15fcf5fb054abf7f752ee245,\n            is_infinite: false,\n        },\n    );\n}\n', path: "std/hash/mod.nr" }, "50": { source: `/// Fulfillment Proof Circuit
-///
-/// Proves: "The solver correctly executed the intent and delivered
-/// the required output to the recipient, without revealing execution
-/// path, liquidity sources, or intermediate transactions."
-///
-/// @see docs/specs/FULFILLMENT-PROOF.md
-use std::hash::pedersen_hash;
-use std::hash::pedersen_commitment;
-use std::ecdsa_secp256k1::verify_signature;
-// --- Main Circuit ---
-/// Main fulfillment proof entry point
-///
-/// Public inputs: intent_hash, output_commitment, recipient_stealth,
-///                min_output_amount, solver_id, fulfillment_time, expiry
-/// Private inputs: output_amount, output_blinding, attestation data, solver_secret
-///
-/// Constraints:
-/// 1. output_amount >= min_output_amount (range proof via u64)
-/// 2. output_commitment = Pedersen(output_amount, output_blinding)
-/// 3. Oracle attestation is valid and matches claimed values
-/// 4. Solver is authorized (solver_id derived from solver_secret)
-/// 5. fulfillment_time <= expiry
-pub fn main(
-    // Public inputs
-    intent_hash: pub Field,
-    output_commitment_x: pub Field,
-    output_commitment_y: pub Field,
-    recipient_stealth: pub Field,
-    min_output_amount: pub u64,
-    solver_id: pub Field,
-    fulfillment_time: pub u64,
-    expiry: pub u64,
-    // Private inputs
-    output_amount: u64,
-    output_blinding: Field,
-    solver_secret: Field,
-    // Oracle attestation (private)
-    attestation_recipient: Field,
-    attestation_amount: u64,
-    attestation_tx_hash: Field,
-    attestation_block: u64,
-    oracle_signature: [u8; 64],
-    oracle_message_hash: [u8; 32],
-    oracle_pub_key_x: [u8; 32],
-    oracle_pub_key_y: [u8; 32],
-) {
-    // Constraint 1: Output meets minimum requirement
-    // Range proof is implicit via u64 type comparison
-    assert(output_amount >= min_output_amount, "Output below minimum");
-    // Constraint 2: Output commitment is valid
-    // C = Pedersen(output_amount, output_blinding)
-    let commitment = pedersen_commitment([output_amount as Field, output_blinding]);
-    assert(commitment.x == output_commitment_x, "Commitment X mismatch");
-    assert(commitment.y == output_commitment_y, "Commitment Y mismatch");
-    // Constraint 3a: Attestation matches claimed values
-    assert(attestation_recipient == recipient_stealth, "Recipient mismatch in attestation");
-    assert(attestation_amount == output_amount, "Amount mismatch in attestation");
-    // Constraint 3b: Oracle signature is valid
-    let valid_attestation = verify_signature(
-        oracle_pub_key_x,
-        oracle_pub_key_y,
-        oracle_signature,
-        oracle_message_hash
-    );
-    assert(valid_attestation, "Invalid oracle attestation signature");
-    // Constraint 4: Solver authorization
-    // solver_id = pedersen_hash(solver_secret)
-    let computed_solver_id = pedersen_hash([solver_secret]);
-    assert(computed_solver_id == solver_id, "Unauthorized solver");
-    // Constraint 5: Time constraint
-    assert(fulfillment_time <= expiry, "Fulfillment after expiry");
-    // Intent hash binding (ensures this proof is for this specific intent)
-    // The intent_hash is a public input, binding this proof to the intent
-    // No additional constraint needed - it's enforced by the verifier checking public inputs
-    let _ = intent_hash;
-    // Attestation metadata (tx_hash and block) are included for auditability
-    // but not strictly constrained in circuit (oracle signature covers them)
-    let _ = attestation_tx_hash;
-    let _ = attestation_block;
-}
-// --- Tests ---
-#[test]
-fn test_output_commitment() {
-    // Test that commitment is correctly computed
-    let output_amount: u64 = 1000000;
-    let output_blinding: Field = 0x123456789;
-    let commitment1 = pedersen_commitment([output_amount as Field, output_blinding]);
-    let commitment2 = pedersen_commitment([output_amount as Field, output_blinding]);
-    // Commitment should be deterministic
-    assert(commitment1.x == commitment2.x, "Commitment X should be deterministic");
-    assert(commitment1.y == commitment2.y, "Commitment Y should be deterministic");
-}
-#[test]
-fn test_solver_authorization() {
-    // Test solver_id derivation
-    let solver_secret: Field = 0x1234567890ABCDEF;
-    let solver_id1 = pedersen_hash([solver_secret]);
-    let solver_id2 = pedersen_hash([solver_secret]);
-    // Solver ID should be deterministic
-    assert(solver_id1 == solver_id2, "Solver ID should be deterministic");
-    // Different secret should give different solver_id
-    let different_secret: Field = 0xFEDCBA0987654321;
-    let different_id = pedersen_hash([different_secret]);
-    assert(solver_id1 != different_id, "Different secrets should give different solver IDs");
-}
-#[test]
-fn test_range_proof_passes() {
-    // Test that output >= min passes
-    let output_amount: u64 = 1050000;
-    let min_output_amount: u64 = 1000000;
-    assert(output_amount >= min_output_amount, "Output should be >= minimum");
-}
-#[test]
-fn test_time_constraint_valid() {
-    // Test valid time constraint
-    let fulfillment_time: u64 = 1732650000;
-    let expiry: u64 = 1732686400;
-    assert(fulfillment_time <= expiry, "Fulfillment time should be <= expiry");
-}
-#[test]
-fn test_time_constraint_edge_case() {
-    // Edge case: exactly at expiry should be valid
-    let fulfillment_time: u64 = 1732686400;
-    let expiry: u64 = 1732686400;
-    assert(fulfillment_time <= expiry, "Fulfillment at exactly expiry should be valid");
-}
-// NOTE: Full integration tests with ECDSA oracle signatures require TypeScript SDK
-// The NoirProofProvider will generate valid oracle signature test vectors
-`, path: "/Users/rz/local-dev/sip-protocol/packages/circuits/fulfillment_proof/src/main.nr" } }, expression_width: { Bounded: { width: 4 } } };
-// src/proofs/noir.ts
-var NoirProofProvider = class {
-  framework = "noir";
-  _isReady = false;
-  config;
-  // Circuit instances
-  fundingNoir = null;
-  fundingBackend = null;
-  validityNoir = null;
-  validityBackend = null;
-  fulfillmentNoir = null;
-  fulfillmentBackend = null;
-  constructor(config = {}) {
-    this.config = {
-      backend: "barretenberg",
-      verbose: false,
-      ...config
-    };
-  }
-  get isReady() {
-    return this._isReady;
-  }
-  /**
-   * Derive secp256k1 public key coordinates from a private key
-   *
-   * Utility method that can be used to generate public key coordinates
-   * for use in ValidityProofParams.senderPublicKey or NoirProviderConfig.oraclePublicKey
-   *
-   * @param privateKey - 32-byte private key
-   * @returns X and Y coordinates as 32-byte arrays
-   *
-   * @example
-   * ```typescript
-   * const privateKey = new Uint8Array(32).fill(1) // Your secret key
-   * const publicKey = NoirProofProvider.derivePublicKey(privateKey)
-   *
-   * // Use for oracle configuration
-   * const provider = new NoirProofProvider({
-   *   oraclePublicKey: publicKey
-   * })
-   *
-   * // Or use for validity proof params
-   * const validityParams = {
-   *   // ... other params
-   *   senderPublicKey: {
-   *     x: new Uint8Array(publicKey.x),
-   *     y: new Uint8Array(publicKey.y)
-   *   }
-   * }
-   * ```
-   */
-  static derivePublicKey(privateKey) {
-    const uncompressedPubKey = import_secp256k13.secp256k1.getPublicKey(privateKey, false);
-    const x = Array.from(uncompressedPubKey.slice(1, 33));
-    const y = Array.from(uncompressedPubKey.slice(33, 65));
-    return { x, y };
-  }
-  /**
-   * Initialize the Noir provider
-   *
-   * Loads circuit artifacts and initializes the proving backend.
-   */
-  async initialize() {
-    if (this._isReady) {
-      return;
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Initializing...");
-      }
-      const fundingCircuit = funding_proof_default;
-      this.fundingBackend = new import_bb.UltraHonkBackend(fundingCircuit.bytecode);
-      this.fundingNoir = new import_noir_js.Noir(fundingCircuit);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Funding circuit loaded");
-        const artifactVersion = funding_proof_default.noir_version;
-        console.log(`[NoirProofProvider] Noir version: ${artifactVersion ?? "unknown"}`);
-      }
-      const validityCircuit = validity_proof_default;
-      this.validityBackend = new import_bb.UltraHonkBackend(validityCircuit.bytecode);
-      this.validityNoir = new import_noir_js.Noir(validityCircuit);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity circuit loaded");
-      }
-      const fulfillmentCircuit = fulfillment_proof_default;
-      this.fulfillmentBackend = new import_bb.UltraHonkBackend(fulfillmentCircuit.bytecode);
-      this.fulfillmentNoir = new import_noir_js.Noir(fulfillmentCircuit);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment circuit loaded");
-      }
-      this._isReady = true;
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Initialization complete");
-      }
-    } catch (error) {
-      throw new ProofError(
-        `Failed to initialize NoirProofProvider: ${error instanceof Error ? error.message : String(error)}`,
-        "SIP_4003" /* PROOF_NOT_IMPLEMENTED */,
-        { context: { error } }
-      );
-    }
-  }
-  /**
-   * Generate a Funding Proof using Noir circuits
-   *
-   * Proves: balance >= minimumRequired without revealing balance
-   *
-   * @see docs/specs/FUNDING-PROOF.md
-   */
-  async generateFundingProof(params) {
-    this.ensureReady();
-    if (!this.fundingNoir || !this.fundingBackend) {
-      throw new ProofGenerationError(
-        "funding",
-        "Funding circuit not initialized"
-      );
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Generating funding proof...");
-      }
-      const { commitmentHash, blindingField } = await this.computeCommitmentHash(
-        params.balance,
-        params.blindingFactor,
-        params.assetId
-      );
-      const witnessInputs = {
-        // Public inputs
-        commitment_hash: commitmentHash,
-        minimum_required: params.minimumRequired.toString(),
-        asset_id: this.assetIdToField(params.assetId),
-        // Private inputs
-        balance: params.balance.toString(),
-        blinding: blindingField
-      };
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Witness inputs:", {
-          commitment_hash: commitmentHash,
-          minimum_required: params.minimumRequired.toString(),
-          asset_id: this.assetIdToField(params.assetId),
-          balance: "[PRIVATE]",
-          blinding: "[PRIVATE]"
-        });
-      }
-      const { witness } = await this.fundingNoir.execute(witnessInputs);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Witness generated, creating proof...");
-      }
-      const proofData = await this.fundingBackend.generateProof(witness);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Proof generated successfully");
-      }
-      const publicInputs = [
-        `0x${commitmentHash}`,
-        `0x${params.minimumRequired.toString(16).padStart(16, "0")}`,
-        `0x${this.assetIdToField(params.assetId)}`
-      ];
-      const proof = {
-        type: "funding",
-        proof: `0x${Buffer.from(proofData.proof).toString("hex")}`,
-        publicInputs
-      };
-      return {
-        proof,
-        publicInputs
-      };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Insufficient balance")) {
-        throw new ProofGenerationError(
-          "funding",
-          "Insufficient balance to generate proof",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Commitment hash mismatch")) {
-        throw new ProofGenerationError(
-          "funding",
-          "Commitment hash verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      throw new ProofGenerationError(
-        "funding",
-        `Failed to generate funding proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Generate a Validity Proof using Noir circuits
-   *
-   * Proves: Intent is authorized by sender without revealing identity
-   *
-   * @see docs/specs/VALIDITY-PROOF.md
-   */
-  async generateValidityProof(params) {
-    this.ensureReady();
-    if (!this.validityNoir || !this.validityBackend) {
-      throw new ProofGenerationError(
-        "validity",
-        "Validity circuit not initialized"
-      );
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Generating validity proof...");
-      }
-      const intentHashField = this.hexToField(params.intentHash);
-      const senderAddressField = this.hexToField(params.senderAddress);
-      const senderBlindingField = this.bytesToField(params.senderBlinding);
-      const senderSecretField = this.bytesToField(params.senderSecret);
-      const nonceField = this.bytesToField(params.nonce);
-      const { commitmentX, commitmentY } = await this.computeSenderCommitment(
-        senderAddressField,
-        senderBlindingField
-      );
-      const nullifier = await this.computeNullifier(
-        senderSecretField,
-        intentHashField,
-        nonceField
-      );
-      const signature = Array.from(params.authorizationSignature);
-      const messageHash = this.fieldToBytes32(intentHashField);
-      let pubKeyX;
-      let pubKeyY;
-      if (params.senderPublicKey) {
-        pubKeyX = Array.from(params.senderPublicKey.x);
-        pubKeyY = Array.from(params.senderPublicKey.y);
-      } else {
-        const coords = this.getPublicKeyCoordinates(params.senderSecret);
-        pubKeyX = coords.x;
-        pubKeyY = coords.y;
-      }
-      const witnessInputs = {
-        // Public inputs
-        intent_hash: intentHashField,
-        sender_commitment_x: commitmentX,
-        sender_commitment_y: commitmentY,
-        nullifier,
-        timestamp: params.timestamp.toString(),
-        expiry: params.expiry.toString(),
-        // Private inputs
-        sender_address: senderAddressField,
-        sender_blinding: senderBlindingField,
-        sender_secret: senderSecretField,
-        pub_key_x: pubKeyX,
-        pub_key_y: pubKeyY,
-        signature,
-        message_hash: messageHash,
-        nonce: nonceField
-      };
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity witness inputs:", {
-          intent_hash: intentHashField,
-          sender_commitment_x: commitmentX,
-          sender_commitment_y: commitmentY,
-          nullifier,
-          timestamp: params.timestamp,
-          expiry: params.expiry,
-          sender_address: "[PRIVATE]",
-          sender_blinding: "[PRIVATE]",
-          sender_secret: "[PRIVATE]",
-          signature: "[PRIVATE]"
-        });
-      }
-      const { witness } = await this.validityNoir.execute(witnessInputs);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity witness generated, creating proof...");
-      }
-      const proofData = await this.validityBackend.generateProof(witness);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Validity proof generated successfully");
-      }
-      const publicInputs = [
-        `0x${intentHashField}`,
-        `0x${commitmentX}`,
-        `0x${commitmentY}`,
-        `0x${nullifier}`,
-        `0x${params.timestamp.toString(16).padStart(16, "0")}`,
-        `0x${params.expiry.toString(16).padStart(16, "0")}`
-      ];
-      const proof = {
-        type: "validity",
-        proof: `0x${Buffer.from(proofData.proof).toString("hex")}`,
-        publicInputs
-      };
-      return {
-        proof,
-        publicInputs
-      };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Sender commitment")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Sender commitment verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Invalid ECDSA")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Authorization signature verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Nullifier mismatch")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Nullifier derivation failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Intent expired")) {
-        throw new ProofGenerationError(
-          "validity",
-          "Intent has expired (timestamp >= expiry)",
-          error instanceof Error ? error : void 0
-        );
-      }
-      throw new ProofGenerationError(
-        "validity",
-        `Failed to generate validity proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Generate a Fulfillment Proof using Noir circuits
-   *
-   * Proves: Solver correctly executed the intent and delivered the required
-   * output to the recipient, without revealing execution path or liquidity sources.
-   *
-   * @see docs/specs/FULFILLMENT-PROOF.md
-   */
-  async generateFulfillmentProof(params) {
-    this.ensureReady();
-    if (!this.fulfillmentNoir || !this.fulfillmentBackend) {
-      throw new ProofGenerationError(
-        "fulfillment",
-        "Fulfillment circuit not initialized"
-      );
-    }
-    try {
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Generating fulfillment proof...");
-      }
-      const intentHashField = this.hexToField(params.intentHash);
-      const recipientStealthField = this.hexToField(params.recipientStealth);
-      const { commitmentX, commitmentY } = await this.computeOutputCommitment(
-        params.outputAmount,
-        params.outputBlinding
-      );
-      const solverSecretField = this.bytesToField(params.solverSecret);
-      const solverId = await this.computeSolverId(solverSecretField);
-      const outputBlindingField = this.bytesToField(params.outputBlinding);
-      const attestation = params.oracleAttestation;
-      const attestationRecipientField = this.hexToField(attestation.recipient);
-      const attestationTxHashField = this.hexToField(attestation.txHash);
-      const oracleSignature = Array.from(attestation.signature);
-      const oracleMessageHash = await this.computeOracleMessageHash(
-        attestation.recipient,
-        attestation.amount,
-        attestation.txHash,
-        attestation.blockNumber
-      );
-      const oraclePubKeyX = this.config.oraclePublicKey?.x ?? new Array(32).fill(0);
-      const oraclePubKeyY = this.config.oraclePublicKey?.y ?? new Array(32).fill(0);
-      if (!this.config.oraclePublicKey && this.config.verbose) {
-        console.warn("[NoirProofProvider] Warning: No oracle public key configured. Using placeholder keys.");
-      }
-      const witnessInputs = {
-        // Public inputs
-        intent_hash: intentHashField,
-        output_commitment_x: commitmentX,
-        output_commitment_y: commitmentY,
-        recipient_stealth: recipientStealthField,
-        min_output_amount: params.minOutputAmount.toString(),
-        solver_id: solverId,
-        fulfillment_time: params.fulfillmentTime.toString(),
-        expiry: params.expiry.toString(),
-        // Private inputs
-        output_amount: params.outputAmount.toString(),
-        output_blinding: outputBlindingField,
-        solver_secret: solverSecretField,
-        attestation_recipient: attestationRecipientField,
-        attestation_amount: attestation.amount.toString(),
-        attestation_tx_hash: attestationTxHashField,
-        attestation_block: attestation.blockNumber.toString(),
-        oracle_signature: oracleSignature,
-        oracle_message_hash: oracleMessageHash,
-        oracle_pub_key_x: oraclePubKeyX,
-        oracle_pub_key_y: oraclePubKeyY
-      };
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment witness inputs:", {
-          intent_hash: intentHashField,
-          output_commitment_x: commitmentX,
-          output_commitment_y: commitmentY,
-          recipient_stealth: recipientStealthField,
-          min_output_amount: params.minOutputAmount.toString(),
-          solver_id: solverId,
-          fulfillment_time: params.fulfillmentTime,
-          expiry: params.expiry,
-          output_amount: "[PRIVATE]",
-          output_blinding: "[PRIVATE]",
-          solver_secret: "[PRIVATE]",
-          oracle_attestation: "[PRIVATE]"
-        });
-      }
-      const { witness } = await this.fulfillmentNoir.execute(witnessInputs);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment witness generated, creating proof...");
-      }
-      const proofData = await this.fulfillmentBackend.generateProof(witness);
-      if (this.config.verbose) {
-        console.log("[NoirProofProvider] Fulfillment proof generated successfully");
-      }
-      const publicInputs = [
-        `0x${intentHashField}`,
-        `0x${commitmentX}`,
-        `0x${commitmentY}`,
-        `0x${recipientStealthField}`,
-        `0x${params.minOutputAmount.toString(16).padStart(16, "0")}`,
-        `0x${solverId}`,
-        `0x${params.fulfillmentTime.toString(16).padStart(16, "0")}`,
-        `0x${params.expiry.toString(16).padStart(16, "0")}`
-      ];
-      const proof = {
-        type: "fulfillment",
-        proof: `0x${Buffer.from(proofData.proof).toString("hex")}`,
-        publicInputs
-      };
-      return {
-        proof,
-        publicInputs
-      };
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      if (message.includes("Output below minimum")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Output amount is below minimum required",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Commitment") && message.includes("mismatch")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Output commitment verification failed",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Recipient mismatch")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Attestation recipient does not match",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Invalid oracle")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Oracle attestation signature is invalid",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Unauthorized solver")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Solver not authorized for this intent",
-          error instanceof Error ? error : void 0
-        );
-      }
-      if (message.includes("Fulfillment after expiry")) {
-        throw new ProofGenerationError(
-          "fulfillment",
-          "Fulfillment occurred after intent expiry",
-          error instanceof Error ? error : void 0
-        );
-      }
-      throw new ProofGenerationError(
-        "fulfillment",
-        `Failed to generate fulfillment proof: ${message}`,
-        error instanceof Error ? error : void 0
-      );
-    }
-  }
-  /**
-   * Verify a Noir proof
-   */
-  async verifyProof(proof) {
-    this.ensureReady();
-    let backend = null;
-    switch (proof.type) {
-      case "funding":
-        backend = this.fundingBackend;
-        break;
-      case "validity":
-        backend = this.validityBackend;
-        break;
-      case "fulfillment":
-        backend = this.fulfillmentBackend;
-        break;
-      default:
-        throw new ProofError(
-          `Unknown proof type: ${proof.type}`,
-          "SIP_4003" /* PROOF_NOT_IMPLEMENTED */
-        );
-    }
-    if (!backend) {
-      throw new ProofError(
-        `${proof.type} backend not initialized`,
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-    try {
-      const proofHex = proof.proof.startsWith("0x") ? proof.proof.slice(2) : proof.proof;
-      const proofBytes = new Uint8Array(Buffer.from(proofHex, "hex"));
-      const isValid = await backend.verifyProof({
-        proof: proofBytes,
-        publicInputs: proof.publicInputs.map(
-          (input) => input.startsWith("0x") ? input.slice(2) : input
-        )
-      });
-      return isValid;
-    } catch (error) {
-      if (this.config.verbose) {
-        console.error("[NoirProofProvider] Verification error:", error);
-      }
-      return false;
-    }
-  }
-  /**
-   * Destroy the provider and free resources
-   */
-  async destroy() {
-    if (this.fundingBackend) {
-      await this.fundingBackend.destroy();
-      this.fundingBackend = null;
-    }
-    if (this.validityBackend) {
-      await this.validityBackend.destroy();
-      this.validityBackend = null;
-    }
-    if (this.fulfillmentBackend) {
-      await this.fulfillmentBackend.destroy();
-      this.fulfillmentBackend = null;
-    }
-    this.fundingNoir = null;
-    this.validityNoir = null;
-    this.fulfillmentNoir = null;
-    this._isReady = false;
-  }
-  // ─── Private Methods ───────────────────────────────────────────────────────
-  ensureReady() {
-    if (!this._isReady) {
-      throw new ProofError(
-        "NoirProofProvider not initialized. Call initialize() first.",
-        "SIP_4004" /* PROOF_PROVIDER_NOT_READY */
-      );
-    }
-  }
-  /**
-   * Compute the commitment hash that the circuit expects
-   *
-   * The circuit computes:
-   * 1. commitment = pedersen_commitment([balance, blinding])
-   * 2. commitment_hash = pedersen_hash([commitment.x, commitment.y, asset_id])
-   *
-   * We need to compute this outside to pass as a public input.
-   *
-   * **IMPORTANT**: This SDK uses SHA256 as a deterministic stand-in for Pedersen hash.
-   * Both the SDK and circuit MUST use the same hash function. The bundled circuit
-   * artifacts are configured to use SHA256 for compatibility. If you use custom
-   * circuits with actual Pedersen hashing, you must update this implementation.
-   *
-   * @see docs/specs/HASH-COMPATIBILITY.md for hash function requirements
-   */
-  async computeCommitmentHash(balance, blindingFactor, assetId) {
-    const blindingField = this.bytesToField(blindingFactor);
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const preimage = new Uint8Array([
-      ...this.bigintToBytes(balance, 8),
-      ...blindingFactor.slice(0, 32),
-      ...this.hexToBytes(this.assetIdToField(assetId))
-    ]);
-    const hash2 = sha25611(preimage);
-    const commitmentHash = bytesToHex15(hash2);
-    return { commitmentHash, blindingField };
-  }
-  /**
-   * Convert asset ID to field element
-   */
-  assetIdToField(assetId) {
-    if (assetId.startsWith("0x")) {
-      return assetId.slice(2).padStart(64, "0");
-    }
-    const encoder = new TextEncoder();
-    const bytes = encoder.encode(assetId);
-    let result = 0n;
-    for (let i = 0; i < bytes.length && i < 31; i++) {
-      result = result * 256n + BigInt(bytes[i]);
-    }
-    return result.toString(16).padStart(64, "0");
-  }
-  /**
-   * Convert bytes to field element string
-   */
-  bytesToField(bytes) {
-    let result = 0n;
-    const len = Math.min(bytes.length, 31);
-    for (let i = 0; i < len; i++) {
-      result = result * 256n + BigInt(bytes[i]);
-    }
-    return result.toString();
-  }
-  /**
-   * Convert bigint to bytes
-   */
-  bigintToBytes(value, length) {
-    const bytes = new Uint8Array(length);
-    let v = value;
-    for (let i = length - 1; i >= 0; i--) {
-      bytes[i] = Number(v & 0xffn);
-      v = v >> 8n;
-    }
-    return bytes;
-  }
-  /**
-   * Convert hex string to bytes
-   */
-  hexToBytes(hex) {
-    const h = hex.startsWith("0x") ? hex.slice(2) : hex;
-    const bytes = new Uint8Array(h.length / 2);
-    for (let i = 0; i < bytes.length; i++) {
-      bytes[i] = parseInt(h.slice(i * 2, i * 2 + 2), 16);
-    }
-    return bytes;
-  }
-  /**
-   * Convert hex string to field element string
-   */
-  hexToField(hex) {
-    const h = hex.startsWith("0x") ? hex.slice(2) : hex;
-    return h.padStart(64, "0");
-  }
-  /**
-   * Convert field string to 32-byte array
-   */
-  fieldToBytes32(field) {
-    const hex = field.padStart(64, "0");
-    const bytes = [];
-    for (let i = 0; i < 32; i++) {
-      bytes.push(parseInt(hex.slice(i * 2, i * 2 + 2), 16));
-    }
-    return bytes;
-  }
-  /**
-   * Compute sender commitment for validity proof
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeSenderCommitment(senderAddressField, senderBlindingField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const addressBytes = this.hexToBytes(senderAddressField);
-    const blindingBytes = this.hexToBytes(senderBlindingField.padStart(64, "0"));
-    const preimage = new Uint8Array([...addressBytes, ...blindingBytes]);
-    const hash2 = sha25611(preimage);
-    const commitmentX = bytesToHex15(hash2.slice(0, 16)).padStart(64, "0");
-    const commitmentY = bytesToHex15(hash2.slice(16, 32)).padStart(64, "0");
-    return { commitmentX, commitmentY };
-  }
-  /**
-   * Compute nullifier for validity proof
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeNullifier(senderSecretField, intentHashField, nonceField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const secretBytes = this.hexToBytes(senderSecretField.padStart(64, "0"));
-    const intentBytes = this.hexToBytes(intentHashField);
-    const nonceBytes = this.hexToBytes(nonceField.padStart(64, "0"));
-    const preimage = new Uint8Array([...secretBytes, ...intentBytes, ...nonceBytes]);
-    const hash2 = sha25611(preimage);
-    return bytesToHex15(hash2);
-  }
-  /**
-   * Compute output commitment for fulfillment proof
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeOutputCommitment(outputAmount, outputBlinding) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const amountBytes = this.bigintToBytes(outputAmount, 8);
-    const blindingBytes = outputBlinding.slice(0, 32);
-    const preimage = new Uint8Array([...amountBytes, ...blindingBytes]);
-    const hash2 = sha25611(preimage);
-    const commitmentX = bytesToHex15(hash2.slice(0, 16)).padStart(64, "0");
-    const commitmentY = bytesToHex15(hash2.slice(16, 32)).padStart(64, "0");
-    return { commitmentX, commitmentY };
-  }
-  /**
-   * Compute solver ID from solver secret
-   *
-   * Uses SHA256 for SDK-side computation. The bundled circuit artifacts
-   * are compiled to use SHA256 for compatibility with this SDK.
-   *
-   * @see computeCommitmentHash for hash function compatibility notes
-   */
-  async computeSolverId(solverSecretField) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const { bytesToHex: bytesToHex15 } = await import("@noble/hashes/utils");
-    const secretBytes = this.hexToBytes(solverSecretField.padStart(64, "0"));
-    const hash2 = sha25611(secretBytes);
-    return bytesToHex15(hash2);
-  }
-  /**
-   * Compute oracle message hash for fulfillment proof
-   *
-   * Hash of attestation data that oracle signs
-   */
-  async computeOracleMessageHash(recipient, amount, txHash, blockNumber) {
-    const { sha256: sha25611 } = await import("@noble/hashes/sha256");
-    const recipientBytes = this.hexToBytes(this.hexToField(recipient));
-    const amountBytes = this.bigintToBytes(amount, 8);
-    const txHashBytes = this.hexToBytes(this.hexToField(txHash));
-    const blockBytes = this.bigintToBytes(blockNumber, 8);
-    const preimage = new Uint8Array([
-      ...recipientBytes,
-      ...amountBytes,
-      ...txHashBytes,
-      ...blockBytes
-    ]);
-    const hash2 = sha25611(preimage);
-    return Array.from(hash2);
-  }
-  /**
-   * Derive secp256k1 public key coordinates from a private key
-   *
-   * @param privateKey - 32-byte private key as Uint8Array
-   * @returns X and Y coordinates as 32-byte arrays
-   */
-  getPublicKeyCoordinates(privateKey) {
-    const uncompressedPubKey = import_secp256k13.secp256k1.getPublicKey(privateKey, false);
-    const x = Array.from(uncompressedPubKey.slice(1, 33));
-    const y = Array.from(uncompressedPubKey.slice(33, 65));
-    return { x, y };
-  }
-  /**
-   * Derive public key coordinates from a field string (private key)
-   *
-   * @param privateKeyField - Private key as hex field string
-   * @returns X and Y coordinates as 32-byte arrays
-   */
-  getPublicKeyFromField(privateKeyField) {
-    const privateKeyBytes = this.hexToBytes(privateKeyField.padStart(64, "0"));
-    return this.getPublicKeyCoordinates(privateKeyBytes);
-  }
-};
 // src/proofs/browser-utils.ts
 function hexToBytes5(hex) {
   const h = hex.startsWith("0x") ? hex.slice(2) : hex;
@@ -7049,7 +5300,7 @@ function getPaymentSummary(payment) {
 // src/treasury/treasury.ts
 var import_types12 = require("@sip-protocol/types");
-var import_secp256k14 = require("@noble/curves/secp256k1");
+var import_secp256k13 = require("@noble/curves/secp256k1");
 var import_sha25610 = require("@noble/hashes/sha256");
 var import_utils12 = require("@noble/hashes/utils");
 var DEFAULT_PROPOSAL_TTL = 7 * 24 * 60 * 60;
@@ -7565,7 +5816,7 @@ function signMessage(messageHash, privateKey) {
   const keyHex = privateKey.startsWith("0x") ? privateKey.slice(2) : privateKey;
   const keyBytes = (0, import_utils12.hexToBytes)(keyHex);
   try {
-    const signature = import_secp256k14.secp256k1.sign(messageHash, keyBytes);
+    const signature = import_secp256k13.secp256k1.sign(messageHash, keyBytes);
     return `0x${signature.toCompactHex()}`;
   } finally {
     secureWipe(keyBytes);
@@ -7577,7 +5828,7 @@ function verifySignature(messageHash, signature, publicKey) {
   try {
     const sigBytes = (0, import_utils12.hexToBytes)(sigHex);
     const pubKeyBytes = (0, import_utils12.hexToBytes)(pubKeyHex);
-    return import_secp256k14.secp256k1.verify(sigBytes, messageHash, pubKeyBytes);
+    return import_secp256k13.secp256k1.verify(sigBytes, messageHash, pubKeyBytes);
   } catch {
     return false;
   }
@@ -12132,7 +10383,6 @@ var import_types32 = require("@sip-protocol/types");
   NATIVE_TOKENS,
   NEARIntentsAdapter,
   NetworkError,
-  NoirProofProvider,
   ORACLE_DOMAIN,
   OneClickClient,
   OneClickDepositMode,