npm - @solarity/zkit - Versions diffs - 0.2.6 → 0.3.0-rc.1 - Mend

@solarity/zkit 0.2.6 → 0.3.0-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/dist/core/CircuitZKit.d.ts +22 -21
package/dist/core/CircuitZKit.d.ts.map +1 -1
package/dist/core/CircuitZKit.js +28 -43
package/dist/core/CircuitZKit.js.map +1 -1
package/dist/core/protocols/AbstractImplementer.d.ts +15 -0
package/dist/core/protocols/AbstractImplementer.d.ts.map +1 -0
package/dist/core/protocols/AbstractImplementer.js +36 -0
package/dist/core/protocols/AbstractImplementer.js.map +1 -0
package/dist/core/protocols/Groth16Implementer.d.ts +10 -0
package/dist/core/protocols/Groth16Implementer.d.ts.map +1 -0
package/dist/core/protocols/Groth16Implementer.js +50 -0
package/dist/core/protocols/Groth16Implementer.js.map +1 -0
package/dist/core/protocols/PlonkImplementer.d.ts +10 -0
package/dist/core/protocols/PlonkImplementer.d.ts.map +1 -0
package/dist/core/protocols/PlonkImplementer.js +51 -0
package/dist/core/protocols/PlonkImplementer.js.map +1 -0
package/dist/core/protocols/index.d.ts +4 -0
package/dist/core/protocols/index.d.ts.map +1 -0
package/dist/core/protocols/index.js +10 -0
package/dist/core/protocols/index.js.map +1 -0
package/dist/core/templates/verifier_groth16.vy.ejs +3 -3
package/dist/core/templates/verifier_plonk.sol.ejs +779 -0
package/dist/core/templates/verifier_plonk.vy.ejs +650 -0
package/dist/index.d.ts +4 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +6 -1
package/dist/index.js.map +1 -1
package/dist/types/circuit-zkit.d.ts +0 -34
package/dist/types/circuit-zkit.d.ts.map +1 -1
package/dist/types/proof-utils.d.ts +7 -0
package/dist/types/proof-utils.d.ts.map +1 -0
package/dist/types/proof-utils.js +3 -0
package/dist/types/proof-utils.js.map +1 -0
package/dist/types/protocols/groth16.d.ts +28 -0
package/dist/types/protocols/groth16.d.ts.map +1 -0
package/dist/types/protocols/groth16.js +3 -0
package/dist/types/protocols/groth16.js.map +1 -0
package/dist/types/protocols/index.d.ts +31 -0
package/dist/types/protocols/index.d.ts.map +1 -0
package/dist/types/protocols/index.js +19 -0
package/dist/types/protocols/index.js.map +1 -0
package/dist/types/protocols/plonk.d.ts +26 -0
package/dist/types/protocols/plonk.d.ts.map +1 -0
package/dist/types/{types.js → protocols/plonk.js} +1 -1
package/dist/types/protocols/plonk.js.map +1 -0
package/package.json +1 -1
package/src/core/CircuitZKit.ts +40 -63
package/src/core/protocols/AbstractImplementer.ts +67 -0
package/src/core/protocols/Groth16Implementer.ts +29 -0
package/src/core/protocols/PlonkImplementer.ts +32 -0
package/src/core/protocols/index.ts +3 -0
package/src/core/templates/verifier_groth16.vy.ejs +3 -3
package/src/core/templates/verifier_plonk.sol.ejs +779 -0
package/src/core/templates/verifier_plonk.vy.ejs +650 -0
package/src/index.ts +5 -1
package/src/types/circuit-zkit.ts +0 -31
package/src/types/proof-utils.ts +9 -0
package/src/types/protocols/groth16.ts +21 -0
package/src/types/protocols/index.ts +49 -0
package/src/types/protocols/plonk.ts +28 -0
package/dist/config/config.d.ts +0 -27
package/dist/config/config.d.ts.map +0 -1
package/dist/config/config.js +0 -19
package/dist/config/config.js.map +0 -1
package/dist/core/CircomZKit.d.ts +0 -39
package/dist/core/CircomZKit.d.ts.map +0 -1
package/dist/core/CircomZKit.js +0 -94
package/dist/core/CircomZKit.js.map +0 -1
package/dist/core/ManagerZKit.d.ts +0 -97
package/dist/core/ManagerZKit.d.ts.map +0 -1
package/dist/core/ManagerZKit.js +0 -222
package/dist/core/ManagerZKit.js.map +0 -1
package/dist/types/types.d.ts +0 -46
package/dist/types/types.d.ts.map +0 -1
package/dist/types/types.js.map +0 -1
package/dist/utils/utils.d.ts +0 -18
package/dist/utils/utils.d.ts.map +0 -1
package/dist/utils/utils.js +0 -58
package/dist/utils/utils.js.map +0 -1

package/dist/core/templates/verifier_plonk.sol.ejs ADDED Viewed

@@ -0,0 +1,779 @@
+// SPDX-License-Identifier: MIT
+/* AUTOGENERATED FILE BY HARDHAT-ZKIT. DO NOT EDIT. */
+pragma solidity >=0.7.0 <0.9.0;
+contract <%=verifier_id%> {
+    // Omega
+    uint256 constant W1 = <%=w%>;
+    // Scalar field size
+    uint256 constant SCALAR_SIZE = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
+    // Base field size
+    uint256 constant BASE_SIZE = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
+    // [1]_1
+    uint256 constant G1_X = 1;
+    uint256 constant G1_Y = 2;
+    // [1]_2
+    uint256 constant G2_X1 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
+    uint256 constant G2_X2 = 11559732032986387107991004021392285783925812861821192530917403151452391805634;
+    uint256 constant G2_Y1 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
+    uint256 constant G2_Y2 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
+    // Verification Key data
+    uint32 constant N = <%=2**power%>;
+    uint256 constant QM_X  = <%=Qm[0]%>;
+    uint256 constant QM_Y  = <%=Qm[0] == "0" ? "0" : Qm[1]%>;
+    uint256 constant QL_X  = <%=Ql[0]%>;
+    uint256 constant QL_Y  = <%=Ql[0] == "0" ? "0" : Ql[1]%>;
+    uint256 constant QR_X  = <%=Qr[0]%>;
+    uint256 constant QR_Y  = <%=Qr[0] == "0" ? "0" : Qr[1]%>;
+    uint256 constant QO_X  = <%=Qo[0]%>;
+    uint256 constant QO_Y  = <%=Qo[0] == "0" ? "0" : Qo[1]%>;
+    uint256 constant QC_X  = <%=Qc[0]%>;
+    uint256 constant QC_Y  = <%=Qc[0] == "0" ? "0" : Qc[1]%>;
+    uint256 constant S1_X  = <%=S1[0]%>;
+    uint256 constant S1_Y  = <%=S1[0] == "0" ? "0" : S1[1]%>;
+    uint256 constant S2_X  = <%=S2[0]%>;
+    uint256 constant S2_Y  = <%=S2[0] == "0" ? "0" : S2[1]%>;
+    uint256 constant S3_X  = <%=S3[0]%>;
+    uint256 constant S3_Y  = <%=S3[0] == "0" ? "0" : S3[1]%>;
+    uint256 constant K1    = <%=k1%>;
+    uint256 constant K2    = <%=k2%>;
+    uint256 constant X2_X1 = <%=X_2[0][0]%>;
+    uint256 constant X2_X2 = <%=X_2[0][1]%>;
+    uint256 constant X2_Y1 = <%=X_2[1][0]%>;
+    uint256 constant X2_Y2 = <%=X_2[1][1]%>;
+    // Proof values offsets
+    // Byte offset of every parameter of the proof array
+    // Polynomial commitments
+    uint256 constant P_A       = 0;
+    uint256 constant P_B       = 64;
+    uint256 constant P_C       = 128;
+    uint256 constant P_Z       = 192;
+    uint256 constant P_T1      = 256;
+    uint256 constant P_T2      = 320;
+    uint256 constant P_T3      = 384;
+    uint256 constant P_WX_I    = 448;
+    uint256 constant P_WX_IW   = 512;
+    // Opening evaluations
+    uint256 constant P_EVAL_A  = 576;
+    uint256 constant P_EVAL_B  = 608;
+    uint256 constant P_EVAL_C  = 640;
+    uint256 constant P_EVAL_S1 = 672;
+    uint256 constant P_EVAL_S2 = 704;
+    uint256 constant P_EVAL_ZW = 736;
+    // Memory data
+    // Challenges
+    uint256 constant P_ALPHA   = 0;
+    uint256 constant P_BETA    = 32;
+    uint256 constant P_GAMMA   = 64;
+    uint256 constant P_XI      = 96;
+    uint256 constant P_XIN     = 128;
+    uint256 constant P_BETA_XI = 160;
+    uint256 constant P_V1      = 192;
+    uint256 constant P_V2      = 224;
+    uint256 constant P_V3      = 256;
+    uint256 constant P_V4      = 288;
+    uint256 constant P_V5      = 320;
+    uint256 constant P_U       = 352;
+    uint256 constant P_PI      = 384;
+    uint256 constant P_EVAL_R0 = 416;
+    uint256 constant P_D       = 448;
+    uint256 constant P_F       = 512;
+    uint256 constant P_E       = 576;
+    uint256 constant P_TMP     = 640;
+    uint256 constant P_ALPHA2  = 704;
+    uint256 constant P_ZH      = 736;
+    uint256 constant P_ZH_INV  = 768;
+    uint256 constant P_EVAL_L1 = 800;
+    <% let pLastMem = 800+32*nPublic %>
+    uint256 constant P_TOTAL_SIZE = <%=pLastMem%>;
+    function verifyProof(
+        uint256[24] memory proofArr_,
+        uint256[<%=nPublic%>] memory publicSignals_
+    ) public view returns (bool verified_) {
+        assembly {
+            function inverse(a_, q_) -> inv {
+                let t := 0
+                let newt := 1
+                let r := q_
+                let newr := a_
+                let quotient := 0
+                let aux := 0
+                for { } newr { } {
+                    quotient := sdiv(r, newr)
+                    aux := sub(t, mul(quotient, newt))
+                    t := newt
+                    newt:= aux
+                    aux := sub(r,mul(quotient, newr))
+                    r := newr
+                    newr := aux
+                }
+                if gt(r, 1) { revert(0,0) }
+                if slt(t, 0) { t:= add(t, q_) }
+                inv := t
+            }
+            function inverseArray(pVals_, n_) {
+                let pAux := mload(64)       // Point to the next free position
+                let pIn := pVals_
+                let lastPIn := add(pVals_, mul(n_, 32))  // Read n elements
+                let acc := mload(pIn)       // Read the first element
+                pIn := add(pIn, 32)         // Point to the second element
+                let inv := 0
+                for { } lt(pIn, lastPIn) {
+                    pAux := add(pAux, 32)
+                    pIn := add(pIn, 32)
+                }
+                {
+                    mstore(pAux, acc)
+                    acc := mulmod(acc, mload(pIn), SCALAR_SIZE)
+                }
+                acc := inverse(acc, SCALAR_SIZE)
+                // At this point pAux point to the next free position, we subtract 1 to point to the last used
+                pAux := sub(pAux, 32)
+                // pIn points to the n+1 element, we subtract to point to n
+                pIn := sub(pIn, 32)
+                lastPIn := pVals_ // We don't process the first element
+                for { } gt(pIn, lastPIn) {
+                    pAux := sub(pAux, 32)
+                    pIn := sub(pIn, 32)
+                }
+                {
+                    inv := mulmod(acc, mload(pAux), SCALAR_SIZE)
+                    acc := mulmod(acc, mload(pIn), SCALAR_SIZE)
+                    mstore(pIn, inv)
+                }
+                // pIn points to first element, we just set it
+                mstore(pIn, acc)
+            }
+            function checkField(signal_) -> res_ {
+                res_ := lt(signal_, SCALAR_SIZE)
+            }
+            function checkInput(proof_) -> res_ {
+                res_ := checkField(mload(add(proof_, P_EVAL_A)))
+                res_ := and(res_, checkField(mload(add(proof_, P_EVAL_B))))
+                res_ := and(res_, checkField(mload(add(proof_, P_EVAL_C))))
+                res_ := and(res_, checkField(mload(add(proof_, P_EVAL_S1))))
+                res_ := and(res_, checkField(mload(add(proof_, P_EVAL_S2))))
+                res_ := and(res_, checkField(mload(add(proof_, P_EVAL_ZW))))
+            }
+            function calculateChallenges(pMem_, proof_, pubSignals_) {
+                let beta := 0
+                let aux := 0
+                let mIn := mload(64)     // Pointer to the next free memory position
+                // Compute challenge.beta & challenge.gamma
+                mstore(mIn, QM_X)
+                mstore(add(mIn, 32), QM_Y)
+                mstore(add(mIn, 64), QL_X)
+                mstore(add(mIn, 96), QL_Y)
+                mstore(add(mIn, 128), QR_X)
+                mstore(add(mIn, 160), QR_Y)
+                mstore(add(mIn, 192), QO_X)
+                mstore(add(mIn, 224), QO_Y)
+                mstore(add(mIn, 256), QC_X)
+                mstore(add(mIn, 288), QC_Y)
+                mstore(add(mIn, 320), S1_X)
+                mstore(add(mIn, 352), S1_Y)
+                mstore(add(mIn, 384), S2_X)
+                mstore(add(mIn, 416), S2_Y)
+                mstore(add(mIn, 448), S3_X)
+                mstore(add(mIn, 480), S3_Y)
+                <% for (let i = 0; i < nPublic; i++) {%>mstore(add(mIn, <%=512 + i * 32%>), mload(add(pubSignals_, <%=i * 32%>)))
+                <% } %>
+                mstore(add(mIn, <%=512 + nPublic * 32%>), mload(add(proof_, P_A)))
+                mstore(add(mIn, <%=512 + nPublic * 32 + 32%>), mload(add(proof_, add(P_A, 32))))
+                mstore(add(mIn, <%=512 + nPublic * 32 + 64%>), mload(add(proof_, P_B)))
+                mstore(add(mIn, <%=512 + nPublic * 32 + 96%>), mload(add(proof_, add(P_B, 32))))
+                mstore(add(mIn, <%=512 + nPublic * 32 + 128%>), mload(add(proof_, P_C)))
+                mstore(add(mIn, <%=512 + nPublic * 32 + 160%>), mload(add(proof_, add(P_C, 32))))
+                beta := mod(keccak256(mIn, <%=704 + 32 * nPublic%>), SCALAR_SIZE)
+                mstore(add(pMem_, P_BETA), beta)
+                // challenges.gamma
+                mstore(
+                    add(pMem_, P_GAMMA),
+                    mod(keccak256(add(pMem_, P_BETA), 32), SCALAR_SIZE)
+                )
+                // challenges.alpha
+                mstore(mIn, mload(add(pMem_, P_BETA)))
+                mstore(add(mIn, 32), mload(add(pMem_, P_GAMMA)))
+                mstore(add(mIn, 64), mload(add(proof_, P_Z)))
+                mstore(add(mIn, 96), mload(add(proof_, add(P_Z, 32))))
+                aux := mod(keccak256(mIn, 128), SCALAR_SIZE)
+                mstore(add(pMem_, P_ALPHA), aux)
+                mstore(add(pMem_, P_ALPHA2), mulmod(aux, aux, SCALAR_SIZE))
+                // challenges.xi
+                mstore(mIn, aux)
+                mstore(add(mIn, 32),  mload(add(proof_, P_T1)))
+                mstore(add(mIn, 64),  mload(add(proof_, add(P_T1, 32))))
+                mstore(add(mIn, 96),  mload(add(proof_, P_T2)))
+                mstore(add(mIn, 128), mload(add(proof_, add(P_T2, 32))))
+                mstore(add(mIn, 160), mload(add(proof_, P_T3)))
+                mstore(add(mIn, 192), mload(add(proof_, add(P_T3, 32))))
+                aux := mod(keccak256(mIn, 224), SCALAR_SIZE)
+                mstore(add(pMem_, P_XI), aux)
+                // challenges.v
+                mstore(mIn, aux)
+                mstore(add(mIn, 32),  mload(add(proof_, P_EVAL_A)))
+                mstore(add(mIn, 64),  mload(add(proof_, P_EVAL_B)))
+                mstore(add(mIn, 96),  mload(add(proof_, P_EVAL_C)))
+                mstore(add(mIn, 128), mload(add(proof_, P_EVAL_S1)))
+                mstore(add(mIn, 160), mload(add(proof_, P_EVAL_S2)))
+                mstore(add(mIn, 192), mload(add(proof_, P_EVAL_ZW)))
+                let v1 := mod(keccak256(mIn, 224), SCALAR_SIZE)
+                mstore(add(pMem_, P_V1), v1)
+                // challenges.beta * challenges.xi
+                mstore(add(pMem_, P_BETA_XI), mulmod(beta, aux, SCALAR_SIZE))
+                // challenges.xi^n
+                <% for (let i = 0; i < power; i++) {%>aux := mulmod(aux, aux, SCALAR_SIZE)
+                <% } %>
+                mstore(add(pMem_, P_XIN), aux)
+                // Zh
+                aux := addmod(aux, sub(SCALAR_SIZE, 1), SCALAR_SIZE)
+                mstore(add(pMem_, P_ZH), aux)
+                mstore(add(pMem_, P_ZH_INV), aux) // We will invert later together with lagrange pols
+                // challenges.v^2, challenges.v^3, challenges.v^4, challenges.v^5
+                aux := mulmod(v1, v1, SCALAR_SIZE)
+                mstore(add(pMem_, P_V2), aux)
+                aux := mulmod(aux, v1, SCALAR_SIZE)
+                mstore(add(pMem_, P_V3), aux)
+                aux := mulmod(aux, v1, SCALAR_SIZE)
+                mstore(add(pMem_, P_V4), aux)
+                aux := mulmod(aux, v1, SCALAR_SIZE)
+                mstore(add(pMem_, P_V5), aux)
+                // challenges.u
+                mstore(mIn, mload(add(proof_, P_WX_I)))
+                mstore(add(mIn, 32), mload(add(proof_, add(P_WX_I, 32))))
+                mstore(add(mIn, 64), mload(add(proof_, P_WX_IW)))
+                mstore(add(mIn, 96), mload(add(proof_, add(P_WX_IW, 32))))
+                mstore(add(pMem_, P_U), mod(keccak256(mIn, 128), SCALAR_SIZE))
+            }
+            function calculateLagrange(pMem_) {
+                let w := 1
+                for { let i := 0 } lt(i, <%=nPublic%>) { i := add(i, 1) } {
+                    mstore(
+                        add(pMem_, add(P_EVAL_L1, mul(i, 32))),
+                        mulmod(
+                            N,
+                            mod(
+                                add(sub(mload(add(pMem_, P_XI)), w), SCALAR_SIZE),
+                                SCALAR_SIZE
+                            ),
+                            SCALAR_SIZE
+                        )
+                    )
+                    w := mulmod(w, W1, SCALAR_SIZE)
+                }
+                inverseArray(add(pMem_, P_ZH_INV), <%=nPublic + 1%>)
+                let zh := mload(add(pMem_, P_ZH))
+                w := 1
+                for { let i := 0 } lt(i, <%=nPublic%>) { i := add(i, 1) } {
+                    mstore(
+                        add(pMem_, add(P_EVAL_L1, mul(i, 32))),
+                        mulmod(
+                            w,
+                            mulmod(
+                                mload(add(pMem_, add(P_EVAL_L1, mul(i, 32)))),
+                                zh,
+                                SCALAR_SIZE
+                            ),
+                            SCALAR_SIZE
+                        )
+                    )
+                    w := mulmod(w, W1, SCALAR_SIZE)
+                }
+            }
+            function calculatePI(pMem_, pPub_) {
+                let pi := 0
+                for { let i := 0 } lt(i, <%=nPublic%>) { i := add(i, 1) } {
+                    pi := addmod(
+                        sub(
+                            SCALAR_SIZE,
+                            mulmod(
+                                mload(add(pMem_, add(P_EVAL_L1, mul(i, 32)))),
+                                mload(add(pPub_, mul(i, 32))),
+                                SCALAR_SIZE
+                            )
+                        ),
+                        pi,
+                        SCALAR_SIZE
+                    )
+                }
+                mstore(add(pMem_, P_PI), pi)
+            }
+            function calculateR0(pMem_, proof_) {
+                let e1 := mload(add(pMem_, P_PI))
+                let e2 := mulmod(
+                    mload(add(pMem_, P_EVAL_L1)),
+                    mload(add(pMem_, P_ALPHA2)),
+                    SCALAR_SIZE
+                )
+                let e3a := addmod(
+                    mload(add(proof_, P_EVAL_A)),
+                    mulmod(
+                        mload(add(pMem_, P_BETA)),
+                        mload(add(proof_, P_EVAL_S1)),
+                        SCALAR_SIZE
+                    ),
+                    SCALAR_SIZE
+                )
+                e3a := addmod(e3a, mload(add(pMem_, P_GAMMA)), SCALAR_SIZE)
+                let e3b := addmod(
+                    mload(add(proof_, P_EVAL_B)),
+                    mulmod(
+                        mload(add(pMem_, P_BETA)),
+                        mload(add(proof_, P_EVAL_S2)),
+                        SCALAR_SIZE
+                    ),
+                    SCALAR_SIZE
+                )
+                e3b := addmod(e3b, mload(add(pMem_, P_GAMMA)), SCALAR_SIZE)
+                let e3c := addmod(
+                    mload(add(proof_, P_EVAL_C)),
+                    mload(add(pMem_, P_GAMMA)),
+                    SCALAR_SIZE
+                )
+                let e3 := mulmod(mulmod(e3a, e3b, SCALAR_SIZE), e3c, SCALAR_SIZE)
+                e3 := mulmod(e3, mload(add(proof_, P_EVAL_ZW)), SCALAR_SIZE)
+                e3 := mulmod(e3, mload(add(pMem_, P_ALPHA)), SCALAR_SIZE)
+                let r0 := addmod(
+                    e1,
+                    mod(sub(SCALAR_SIZE, e2), SCALAR_SIZE),
+                    SCALAR_SIZE
+                )
+                r0 := addmod(r0, mod(sub(SCALAR_SIZE, e3), SCALAR_SIZE), SCALAR_SIZE)
+                mstore(add(pMem_, P_EVAL_R0), r0)
+            }
+            function g1_set(pR_, pP_) {
+                mstore(pR_, mload(pP_))
+                mstore(add(pR_, 32), mload(add(pP_,32)))
+            }
+            function g1_setC(pR_, x_, y_) {
+                mstore(pR_, x_)
+                mstore(add(pR_, 32), y_)
+            }
+            function g1_acc(pR_, pP_) -> res_ {
+                let mIn := mload(64)
+                mstore(mIn, mload(pR_))
+                mstore(add(mIn,32), mload(add(pR_, 32)))
+                mstore(add(mIn,64), mload(pP_))
+                mstore(add(mIn,96), mload(add(pP_, 32)))
+                res_ := staticcall(sub(gas(), 2000), 6, mIn, 128, pR_, 64)
+            }
+            function g1_mulAccC(pR_, x_, y_, s_) -> res_ {
+                let mIn := mload(64)
+                mstore(mIn, x_)
+                mstore(add(mIn,32), y_)
+                mstore(add(mIn,64), s_)
+                res_ := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
+                if iszero(res_) {
+                    leave
+                }
+                mstore(add(mIn,64), mload(pR_))
+                mstore(add(mIn,96), mload(add(pR_, 32)))
+                res_ := staticcall(sub(gas(), 2000), 6, mIn, 128, pR_, 64)
+            }
+            function g1_mulSetC(pR_, x_, y_, s_) -> res_ {
+                let mIn := mload(64)
+                mstore(mIn, x_)
+                mstore(add(mIn,32), y_)
+                mstore(add(mIn,64), s_)
+                res_ := staticcall(sub(gas(), 2000), 7, mIn, 96, pR_, 64)
+            }
+            function g1_mulSet(pR_, pP_, s_) -> res_ {
+                res_ := g1_mulSetC(pR_, mload(pP_), mload(add(pP_, 32)), s_)
+            }
+            function calculateD(pMem_, proof_) -> isOk_ {
+                let _pD := add(pMem_, P_D)
+                let gamma := mload(add(pMem_, P_GAMMA))
+                let mIn := mload(64)
+                mstore(64, add(mIn, 256)) // d1, d2, d3 & d4 (4 * 64 bytes)
+                g1_setC(_pD, QC_X, QC_Y)
+                if iszero(
+                    g1_mulAccC(
+                        _pD, QM_X, QM_Y,
+                        mulmod(
+                            mload(add(proof_, P_EVAL_A)),
+                            mload(add(proof_, P_EVAL_B)),
+                            SCALAR_SIZE
+                        )
+                    )
+                ) {
+                    leave
+                }
+                if iszero(g1_mulAccC(_pD, QL_X, QL_Y, mload(add(proof_, P_EVAL_A)))) {
+                    leave
+                }
+                if iszero(g1_mulAccC(_pD, QR_X, QR_Y, mload(add(proof_, P_EVAL_B)))) {
+                    leave
+                }
+                if iszero(g1_mulAccC(_pD, QO_X, QO_Y, mload(add(proof_, P_EVAL_C)))) {
+                    leave
+                }
+                let betaxi := mload(add(pMem_, P_BETA_XI))
+                let val1 := addmod(
+                    addmod(mload(add(proof_, P_EVAL_A)), betaxi, SCALAR_SIZE),
+                    gamma,
+                    SCALAR_SIZE
+                )
+                let val2 := addmod(
+                    addmod(
+                        mload(add(proof_, P_EVAL_B)),
+                        mulmod(betaxi, K1, SCALAR_SIZE),
+                        SCALAR_SIZE
+                    ),
+                    gamma,
+                    SCALAR_SIZE
+                )
+                let val3 := addmod(
+                    addmod(
+                        mload(add(proof_, P_EVAL_C)),
+                        mulmod(betaxi, K2, SCALAR_SIZE),
+                        SCALAR_SIZE
+                    ),
+                    gamma,
+                    SCALAR_SIZE
+                )
+                let d2a := mulmod(
+                    mulmod(mulmod(val1, val2, SCALAR_SIZE), val3, SCALAR_SIZE),
+                    mload(add(pMem_, P_ALPHA)),
+                    SCALAR_SIZE
+                )
+                let d2b := mulmod(
+                    mload(add(pMem_, P_EVAL_L1)),
+                    mload(add(pMem_, P_ALPHA2)),
+                    SCALAR_SIZE
+                )
+                // We'll use mIn to save d2
+                g1_set(add(mIn, 192), add(proof_, P_Z))
+                if iszero(
+                    g1_mulSet(
+                        mIn,
+                        add(mIn, 192),
+                        addmod(
+                            addmod(d2a, d2b, SCALAR_SIZE),
+                            mload(add(pMem_, P_U)),
+                            SCALAR_SIZE
+                        )
+                    )
+                ) {
+                    leave
+                }
+                val1 := addmod(
+                    addmod(
+                        mload(add(proof_, P_EVAL_A)),
+                        mulmod(
+                            mload(add(pMem_, P_BETA)),
+                            mload(add(proof_, P_EVAL_S1)),
+                            SCALAR_SIZE
+                        ),
+                        SCALAR_SIZE
+                    ),
+                    gamma,
+                    SCALAR_SIZE
+                )
+                val2 := addmod(
+                    addmod(
+                        mload(add(proof_, P_EVAL_B)),
+                        mulmod(
+                            mload(add(pMem_, P_BETA)),
+                            mload(add(proof_, P_EVAL_S2)),
+                            SCALAR_SIZE
+                        ),
+                        SCALAR_SIZE
+                    ),
+                    gamma,
+                    SCALAR_SIZE
+                )
+                val3 := mulmod(
+                    mulmod(mload(add(pMem_, P_ALPHA)), mload(add(pMem_, P_BETA)), SCALAR_SIZE),
+                    mload(add(proof_, P_EVAL_ZW)),
+                    SCALAR_SIZE
+                )
+                // We'll use mIn + 64 to save d3
+                if iszero(
+                    g1_mulSetC(
+                        add(mIn, 64), S3_X, S3_Y,
+                        mulmod(mulmod(val1, val2, SCALAR_SIZE), val3, SCALAR_SIZE)
+                    )
+                ) {
+                    leave
+                }
+                // We'll use mIn + 128 to save d4
+                g1_set(add(mIn, 128), add(proof_, P_T1))
+                if iszero(
+                    g1_mulAccC(
+                        add(mIn, 128),
+                        mload(add(proof_, P_T2)),
+                        mload(add(proof_, add(P_T2, 32))),
+                        mload(add(pMem_, P_XIN))
+                    )
+                ) {
+                    leave
+                }
+                let xin2 := mulmod(
+                    mload(add(pMem_, P_XIN)),
+                    mload(add(pMem_, P_XIN)),
+                    SCALAR_SIZE
+                )
+                if iszero(
+                    g1_mulAccC(
+                        add(mIn, 128),
+                        mload(add(proof_, P_T3)),
+                        mload(add(proof_, add(P_T3, 32))),
+                        xin2
+                    )
+                ) {
+                    leave
+                }
+                if iszero(
+                    g1_mulSetC(
+                        add(mIn, 128),
+                        mload(add(mIn, 128)),
+                        mload(add(mIn, 160)),
+                        mload(add(pMem_, P_ZH))
+                    )
+                ) {
+                    leave
+                }
+                mstore(add(add(mIn, 64), 32), mod(sub(BASE_SIZE, mload(add(add(mIn, 64), 32))), BASE_SIZE))
+                mstore(add(mIn, 160), mod(sub(BASE_SIZE, mload(add(mIn, 160))), BASE_SIZE))
+                if iszero(g1_acc(_pD, mIn)) { leave }
+                if iszero(g1_acc(_pD, add(mIn, 64))) { leave }
+                if iszero(g1_acc(_pD, add(mIn, 128))) { leave }
+                isOk_ := 1
+            }
+            function calculateF(pMem_, proof_) -> isOk_ {
+                let p := add(pMem_, P_F)
+                g1_set(p, add(pMem_, P_D))
+                if iszero(
+                    g1_mulAccC(
+                        p,
+                        mload(add(proof_, P_A)),
+                        mload(add(proof_, add(P_A, 32))),
+                        mload(add(pMem_, P_V1))
+                    )
+                ) {
+                    leave
+                }
+                if iszero(
+                    g1_mulAccC(
+                        p,
+                        mload(add(proof_, P_B)),
+                        mload(add(proof_, add(P_B, 32))),
+                        mload(add(pMem_, P_V2))
+                    )
+                ) {
+                    leave
+                }
+                if iszero(
+                    g1_mulAccC(
+                        p,
+                        mload(add(proof_, P_C)),
+                        mload(add(proof_, add(P_C, 32))),
+                        mload(add(pMem_, P_V3))
+                    )
+                ) {
+                    leave
+                }
+                if iszero(g1_mulAccC(p, S1_X, S1_Y, mload(add(pMem_, P_V4)))) {
+                    leave
+                }
+                if iszero(g1_mulAccC(p, S2_X, S2_Y, mload(add(pMem_, P_V5)))) {
+                    leave
+                }
+                isOk_ := 1
+            }
+            function calculateE(pMem_, proof_) -> isOk_ {
+                let s := mod(sub(SCALAR_SIZE, mload(add(pMem_, P_EVAL_R0))), SCALAR_SIZE)
+                s := addmod(s, mulmod(mload(add(proof_, P_EVAL_A)),  mload(add(pMem_, P_V1)), SCALAR_SIZE), SCALAR_SIZE)
+                s := addmod(s, mulmod(mload(add(proof_, P_EVAL_B)),  mload(add(pMem_, P_V2)), SCALAR_SIZE), SCALAR_SIZE)
+                s := addmod(s, mulmod(mload(add(proof_, P_EVAL_C)),  mload(add(pMem_, P_V3)), SCALAR_SIZE), SCALAR_SIZE)
+                s := addmod(s, mulmod(mload(add(proof_, P_EVAL_S1)), mload(add(pMem_, P_V4)), SCALAR_SIZE), SCALAR_SIZE)
+                s := addmod(s, mulmod(mload(add(proof_, P_EVAL_S2)), mload(add(pMem_, P_V5)), SCALAR_SIZE), SCALAR_SIZE)
+                s := addmod(s, mulmod(mload(add(proof_, P_EVAL_ZW)), mload(add(pMem_, P_U)),  SCALAR_SIZE), SCALAR_SIZE)
+                isOk_ := g1_mulSetC(add(pMem_, P_E), G1_X, G1_Y, s)
+            }
+            function checkPairing(pMem_, proof_) -> isOk_ {
+                let mIn := mload(64)
+                mstore(64, add(mIn, 576)) // [0..383] = pairing data, [384..447] = P_WX_I, [448..512] = P_WX_IW
+                let _pWxi := add(mIn, 384)
+                let _pWxiw := add(mIn, 448)
+                let _aux := add(mIn, 512)
+                g1_set(_pWxi, add(proof_, P_WX_I))
+                g1_set(_pWxiw, add(proof_, P_WX_IW))
+                // A1
+                if iszero(g1_mulSet(mIn, _pWxiw, mload(add(pMem_, P_U)))) {
+                    leave
+                }
+                if iszero(g1_acc(mIn, _pWxi)) {
+                    leave
+                }
+                mstore(add(mIn, 32), mod(sub(BASE_SIZE, mload(add(mIn, 32))), BASE_SIZE))
+                // [X]_2
+                mstore(add(mIn,64), X2_X2)
+                mstore(add(mIn,96), X2_X1)
+                mstore(add(mIn,128), X2_Y2)
+                mstore(add(mIn,160), X2_Y1)
+                // B1
+                if iszero(g1_mulSet(add(mIn, 192), _pWxi, mload(add(pMem_, P_XI)))) {
+                    leave
+                }
+                let s := mulmod(mload(add(pMem_, P_U)), mload(add(pMem_, P_XI)), SCALAR_SIZE)
+                s := mulmod(s, W1, SCALAR_SIZE)
+                if iszero(g1_mulSet(_aux, _pWxiw, s)) {
+                    leave
+                }
+                if iszero(g1_acc(add(mIn, 192), _aux)) {
+                    leave
+                }
+                if iszero(g1_acc(add(mIn, 192), add(pMem_, P_F))) {
+                    leave
+                }
+                mstore(add(pMem_, add(P_E, 32)), mod(sub(BASE_SIZE, mload(add(pMem_, add(P_E, 32)))), BASE_SIZE))
+                if iszero(g1_acc(add(mIn, 192), add(pMem_, P_E))) {
+                    leave
+                }
+                // [1]_2
+                mstore(add(mIn,256), G2_X2)
+                mstore(add(mIn,288), G2_X1)
+                mstore(add(mIn,320), G2_Y2)
+                mstore(add(mIn,352), G2_Y1)
+                if iszero(staticcall(sub(gas(), 2000), 8, mIn, 384, mIn, 0x20)) {
+                    leave
+                }
+                isOk_ := and(1, mload(mIn))
+            }
+            let pointer_ := mload(64) // free pointer
+            mstore(64, add(pointer_, P_TOTAL_SIZE))
+            verified_ := checkInput(proofArr_)
+            /// @dev check pairings
+            if not(iszero(verified_)) {
+                calculateChallenges(pointer_, proofArr_, publicSignals_)
+                calculateLagrange(pointer_)
+                calculatePI(pointer_, publicSignals_)
+                calculateR0(pointer_, proofArr_)
+                verified_ := and(verified_, calculateD(pointer_, proofArr_))
+                verified_ := and(verified_, calculateF(pointer_, proofArr_))
+                verified_ := and(verified_, calculateE(pointer_, proofArr_))
+                verified_ := and(verified_, checkPairing(pointer_, proofArr_))
+            }
+            mstore(64, sub(pointer_, P_TOTAL_SIZE))
+        }
+    }
+}