@solarity/zkit 0.2.6 → 0.3.0-rc.1

package/dist/core/templates/verifier_plonk.vy.ejs

@@ -0,0 +1,650 @@
+# pragma version ~=0.4.0
+
+# AUTOGENERATED FILE BY HARDHAT-ZKIT. DO NOT EDIT.
+
+# Omega
+W1: constant(uint256) = <%=w%>
+# Scalar field size
+SCALAR_SIZE: constant(uint256) = 21888242871839275222246405745257275088548364400416034343698204186575808495617
+# Base field size
+BASE_SIZE: constant(uint256) = 21888242871839275222246405745257275088696311157297823662689037894645226208583
+
+# [1]_1
+G1_X: constant(uint256) = 1
+G1_Y: constant(uint256) = 2
+# [1]_2
+G2_X1: constant(uint256) = 10857046999023057135944570762232829481370756359578518086990519993285655852781
+G2_X2: constant(uint256) = 11559732032986387107991004021392285783925812861821192530917403151452391805634
+G2_Y1: constant(uint256) = 8495653923123431417604973247489272438418190587263600148770280649306958101930
+G2_Y2: constant(uint256) = 4082367875863433681332203403145435568316851327593401208105741076214120093531
+
+# Verification Key data
+N: constant(uint256) = <%=2**power%>
+N_PUBLIC: constant(uint256) = <%=nPublic%>
+N_LAGRANGE: constant(uint256) = <%=nPublic%>
+
+QM_X: constant(uint256) = <%=Qm[0]%>
+QM_Y: constant(uint256) = <%=Qm[0] == "0" ? "0" : Qm[1]%>
+QL_X: constant(uint256) = <%=Ql[0]%>
+QL_Y: constant(uint256) = <%=Ql[0] == "0" ? "0" : Ql[1]%>
+QR_X: constant(uint256) = <%=Qr[0]%>
+QR_Y: constant(uint256) = <%=Qr[0] == "0" ? "0" : Qr[1]%>
+QO_X: constant(uint256) = <%=Qo[0]%>
+QO_Y: constant(uint256) = <%=Qo[0] == "0" ? "0" : Qo[1]%>
+QC_X: constant(uint256) = <%=Qc[0]%>
+QC_Y: constant(uint256) = <%=Qc[0] == "0" ? "0" : Qc[1]%>
+S1_X: constant(uint256) = <%=S1[0]%>
+S1_Y: constant(uint256) = <%=S1[0] == "0" ? "0" : S1[1]%>
+S2_X: constant(uint256) = <%=S2[0]%>
+S2_Y: constant(uint256) = <%=S2[0] == "0" ? "0" : S2[1]%>
+S3_X: constant(uint256) = <%=S3[0]%>
+S3_Y: constant(uint256) = <%=S3[0] == "0" ? "0" : S3[1]%>
+K1: constant(uint256) = <%=k1%>
+K2: constant(uint256) = <%=k2%>
+X2_X1: constant(uint256) = <%=X_2[0][0]%>
+X2_X2: constant(uint256) = <%=X_2[0][1]%>
+X2_Y1: constant(uint256) = <%=X_2[1][0]%>
+X2_Y2: constant(uint256) = <%=X_2[1][1]%>
+
+# Proof values offsets
+# Byte offset of every parameter of the proof array
+# Polynomial commitments
+P_A: constant(uint256) = 0
+P_B: constant(uint256) = 2
+P_C: constant(uint256) = 4
+P_Z: constant(uint256) = 6
+P_T1: constant(uint256) = 8
+P_T2: constant(uint256) = 10
+P_T3: constant(uint256) = 12
+P_WX_I: constant(uint256) = 14
+P_WX_IW: constant(uint256) = 16
+
+# Opening evaluations
+P_EVAL_A: constant(uint256) = 18
+P_EVAL_B: constant(uint256) = 19
+P_EVAL_C: constant(uint256) = 20
+P_EVAL_S1: constant(uint256) = 21
+P_EVAL_S2: constant(uint256) = 22
+P_EVAL_ZW: constant(uint256) = 23
+
+# Memory data
+# Challenges
+P_ALPHA: constant(uint256) = 0
+P_BETA: constant(uint256) = 1
+P_GAMMA: constant(uint256) = 2
+P_XI: constant(uint256) = 3
+P_XIN: constant(uint256) = 4
+P_BETA_XI: constant(uint256) = 5
+P_V1: constant(uint256) = 6
+P_V2: constant(uint256) = 7
+P_V3: constant(uint256) = 8
+P_V4: constant(uint256) = 9
+P_V5: constant(uint256) = 10
+P_U: constant(uint256) = 11
+
+P_PI: constant(uint256) = 12
+P_EVAL_R0: constant(uint256) = 13
+P_D: constant(uint256) = 14
+P_F: constant(uint256) = 16
+P_E: constant(uint256) = 18
+P_TMP: constant(uint256) = 20
+P_ALPHA2: constant(uint256) = 22
+P_ZH: constant(uint256) = 23
+P_ZH_INV: constant(uint256) = 24
+
+P_EVAL_L1: constant(uint256) = 25
+
+P_TOTAL_SIZE: constant(uint256) = <%=25 + nPublic%>
+
+EC_ADD_PRECOMPILED_ADDRESS: constant(address) = 0x0000000000000000000000000000000000000006
+EC_MUL_PRECOMPILED_ADDRESS: constant(address) = 0x0000000000000000000000000000000000000007
+EC_PAIRING_PRECOMPILED_ADDRESS: constant(address) = 0x0000000000000000000000000000000000000008
+
+
+@pure
+@external
+def verifyProof(proofArr: uint256[24], publicSignals: uint256[<%=nPublic%>]) -> bool:
+    if not self._checkInput(proofArr):
+        return False
+
+    p: uint256[P_TOTAL_SIZE] = self._calculateChallenges(proofArr, publicSignals)
+
+    p = self._calculateLagrange(p)
+
+    p[P_PI] = self._calculatePI(p, publicSignals)
+    p[P_EVAL_R0] = self._calculateR0(p, proofArr)
+
+    success: bool = True
+    tmpPoint: uint256[2] = [0, 0]
+
+    success, tmpPoint = self._calculateD(p, proofArr)
+    if not success:
+        return False
+
+    p[P_D] = tmpPoint[0]
+    p[P_D + 1] = tmpPoint[1]
+
+    success, tmpPoint = self._calculateF(p, proofArr)
+    if not success:
+        return False
+
+    p[P_F] = tmpPoint[0]
+    p[P_F + 1] = tmpPoint[1]
+
+    success, tmpPoint = self._calculateE(p, proofArr)
+    if not success:
+        return False
+
+    p[P_E] = tmpPoint[0]
+    p[P_E + 1] = tmpPoint[1]
+
+    return self._checkPairing(p, proofArr)
+
+
+@pure
+@internal
+def _ecadd(a: uint256[2], b: uint256[2]) -> (bool, uint256[2]):
+    success: bool = True
+    response: Bytes[64] = b""
+    success, response = raw_call(
+        EC_ADD_PRECOMPILED_ADDRESS,
+        abi_encode(a, b),
+        max_outsize=64,
+        is_static_call=True,
+        revert_on_failure=False
+    )
+
+    if not success or len(response) != 64:
+        return (False, [0, 0])
+
+    x: uint256 = convert(slice(response, 0, 32), uint256)
+    y: uint256 = convert(slice(response, 32, 32), uint256)
+
+    return (True, [x, y])
+
+
+@pure
+@internal
+def _ecmul(p: uint256[2], s: uint256) -> (bool, uint256[2]):
+    success: bool = True
+    response: Bytes[64] = b""
+    success, response = raw_call(
+        EC_MUL_PRECOMPILED_ADDRESS,
+        abi_encode(p, s),
+        max_outsize=64,
+        is_static_call=True,
+        revert_on_failure=False
+    )
+
+    if not success or len(response) != 64:
+        return (False, [0, 0])
+
+    x: uint256 = convert(slice(response, 0, 32), uint256)
+    y: uint256 = convert(slice(response, 32, 32), uint256)
+
+    return (True, [x, y])
+
+
+@pure
+@internal
+def _inverse(a: uint256, q: uint256) -> uint256:
+    t: int256 = 0
+    newt: int256 = 1
+    r: uint256 = q
+    newr: uint256 = a
+    quotient: uint256 = 0
+    aux: int256 = 0
+
+    for _: uint256 in range(256):
+        if newr == 0:
+            break
+
+        quotient = r // newr
+        aux = t - convert(quotient, int256) * newt
+        t = newt
+        newt = aux
+
+        aux = convert(r - quotient * newr, int256)
+        r = newr
+        newr = convert(aux, uint256)
+
+    assert r <= 1, "Inverse does not exist."
+
+    if t < 0:
+        t += convert(q, int256)
+
+    return convert(t, uint256)
+
+
+@pure
+@internal
+def _inverseArray(pVals: uint256[<%=nPublic + 1%>]) -> uint256[<%=nPublic + 1%>]:
+    acc: uint256 = pVals[0]
+    inverses: uint256[<%=nPublic + 1%>] = empty(uint256[<%=nPublic + 1%>])
+    pAux: uint256[<%=nPublic + 1%>] = empty(uint256[<%=nPublic + 1%>])
+
+    for i: uint256 in range(1, <%=nPublic + 1%>):
+        pAux[i] = acc
+        acc = uint256_mulmod(acc, pVals[i], SCALAR_SIZE)
+
+    inv_total: uint256 = self._inverse(acc, SCALAR_SIZE)
+
+    for i: uint256 in range(<%=nPublic%>):
+        inverses[<%=nPublic%> - i] = uint256_mulmod(inv_total, pAux[<%=nPublic%> - i], SCALAR_SIZE)
+        inv_total = uint256_mulmod(inv_total, pVals[<%=nPublic%> - i], SCALAR_SIZE)
+
+    inverses[0] = inv_total
+
+    return inverses
+
+
+@pure
+@internal
+def _checkInput(proof: uint256[24]) -> bool:
+    if proof[P_EVAL_A] >= SCALAR_SIZE:
+        return False
+
+    if proof[P_EVAL_B] >= SCALAR_SIZE:
+        return False
+
+    if proof[P_EVAL_C] >= SCALAR_SIZE:
+        return False
+
+    if proof[P_EVAL_S1] >= SCALAR_SIZE:
+        return False
+
+    if proof[P_EVAL_S2] >= SCALAR_SIZE:
+        return False
+
+    if proof[P_EVAL_ZW] >= SCALAR_SIZE:
+        return False
+
+    return True
+
+
+@pure
+@internal
+def _calculateChallenges(proof: uint256[24], pubSignals: uint256[<%=nPublic%>]) -> uint256[P_TOTAL_SIZE]:
+    mIn<%=22 + nPublic%>: uint256[<%=22 + nPublic%>] = [
+        QM_X, QM_Y, QL_X, QL_Y, QR_X, QR_Y, QO_X, QO_Y, QC_X, QC_Y, S1_X, S1_Y, S2_X, S2_Y, S3_X, S3_Y,
+        <% for (let i = 0; i < nPublic; i++) { %>pubSignals[<%=i%>], <% } %>
+        proof[P_A], proof[P_A + 1], proof[P_B], proof[P_B + 1], proof[P_C], proof[P_C + 1],
+    ]
+
+    beta: uint256 = convert(keccak256(abi_encode(mIn<%=22+nPublic%>)), uint256) % SCALAR_SIZE
+
+    p: uint256[P_TOTAL_SIZE] = empty(uint256[P_TOTAL_SIZE])
+    p[P_BETA] = beta
+
+    # challenges.gamma
+    p[P_GAMMA] = convert(keccak256(abi_encode(p[P_BETA])), uint256) % SCALAR_SIZE
+
+    # challenges.alpha
+    mIn4: uint256[4] = [beta, p[P_GAMMA], proof[P_Z], proof[P_Z + 1]]
+    aux: uint256 = convert(keccak256(abi_encode(mIn4)), uint256) % SCALAR_SIZE
+    p[P_ALPHA] = aux
+    p[P_ALPHA2] = uint256_mulmod(aux, aux, SCALAR_SIZE)
+
+    # challenges.xi
+    mIn7: uint256[7] = [aux, proof[P_T1], proof[P_T1 + 1], proof[P_T2], proof[P_T2 + 1], proof[P_T3], proof[P_T3 + 1]]
+    aux = convert(keccak256(abi_encode(mIn7)), uint256) % SCALAR_SIZE
+    p[P_XI] = aux
+
+    # challenges.v
+    mIn7 = [
+        aux, proof[P_EVAL_A], proof[P_EVAL_B], proof[P_EVAL_C], proof[P_EVAL_S1], proof[P_EVAL_S2], proof[P_EVAL_ZW]
+    ]
+    v1: uint256 = convert(keccak256(abi_encode(mIn7)), uint256) % SCALAR_SIZE
+    p[P_V1] = v1
+
+    # challenges.v^2, challenges.v^3, challenges.v^4, challenges.v^5
+    p[P_V2] = uint256_mulmod(v1, v1, SCALAR_SIZE)
+    p[P_V3] = uint256_mulmod(p[P_V2], v1, SCALAR_SIZE)
+    p[P_V4] = uint256_mulmod(p[P_V3], v1, SCALAR_SIZE)
+    p[P_V5] = uint256_mulmod(p[P_V4], v1, SCALAR_SIZE)
+
+    # challenges.beta * challenges.xi
+    p[P_BETA_XI] = uint256_mulmod(beta, aux, SCALAR_SIZE)
+
+    # challenges.xi^n
+    <%for (let i = 0; i < power; i++) {%>
+    aux = uint256_mulmod(aux, aux, SCALAR_SIZE)<% } %>
+    p[P_XIN] = aux
+
+    # Zh
+    aux = uint256_addmod(aux, SCALAR_SIZE - 1, SCALAR_SIZE)
+    p[P_ZH] = aux
+    p[P_ZH_INV] = aux
+
+    # challenges.u
+    mIn4 = [proof[P_WX_I], proof[P_WX_I + 1], proof[P_WX_IW], proof[P_WX_IW + 1]]
+    p[P_U] = convert(keccak256(abi_encode(mIn4)), uint256) % SCALAR_SIZE
+
+    return p
+
+
+@pure
+@internal
+def _evaluateLagrange(w: uint256, xi: uint256) -> uint256:
+    return uint256_mulmod(N, uint256_addmod(xi, SCALAR_SIZE - w, SCALAR_SIZE), SCALAR_SIZE)
+
+
+@pure
+@internal
+def _calculateLagrange(p: uint256[P_TOTAL_SIZE]) -> uint256[P_TOTAL_SIZE]:
+    w: uint256 = 1
+
+    for i: uint256 in range(1, <%=nPublic + 1%>):
+        p[P_EVAL_L1 + (i - 1)] = self._evaluateLagrange(w, p[P_XI])
+        w = uint256_mulmod(w, W1, SCALAR_SIZE)
+
+    pointsToInverse: uint256[<%=nPublic + 1%>] = empty(uint256[<%=nPublic + 1%>])
+    for i: uint256 in range(<%=nPublic + 1%>):
+        pointsToInverse[i] = p[P_ZH_INV + i]
+
+    inverses: uint256[<%=nPublic + 1%>] = self._inverseArray(pointsToInverse)
+
+    for i: uint256 in range(<%=nPublic + 1%>):
+        p[P_ZH_INV + i] = inverses[i]
+
+    zh: uint256 = p[P_ZH]
+    w = 1
+
+    for i: uint256 in range(1, <%=nPublic + 1%>):
+        p[P_EVAL_L1 + (i - 1)] = uint256_mulmod(
+            uint256_mulmod(p[P_EVAL_L1 + (i - 1)], zh, SCALAR_SIZE),
+            w,
+            SCALAR_SIZE
+        )
+        w = uint256_mulmod(w, W1, SCALAR_SIZE)
+
+    return p
+
+
+@pure
+@internal
+def _calculatePI(p: uint256[P_TOTAL_SIZE], pPub: uint256[<%=nPublic%>]) -> uint256:
+    pl: uint256 = 0
+
+    for i: uint256 in range(<%=nPublic%>):
+        pl = uint256_addmod(
+            pl,
+            SCALAR_SIZE - uint256_mulmod(p[P_EVAL_L1 + i], pPub[i], SCALAR_SIZE),
+            SCALAR_SIZE
+        )
+
+    return pl
+
+
+@pure
+@internal
+def _calculateR0(p: uint256[P_TOTAL_SIZE], proof: uint256[24]) -> uint256:
+    e1: uint256 = p[P_PI]
+
+    e2: uint256 = uint256_mulmod(p[P_EVAL_L1], p[P_ALPHA2], SCALAR_SIZE)
+
+    e3a: uint256 = uint256_addmod(
+        proof[P_EVAL_A],
+        uint256_mulmod(p[P_BETA], proof[P_EVAL_S1], SCALAR_SIZE),
+        SCALAR_SIZE
+    )
+    e3a = uint256_addmod(e3a, p[P_GAMMA], SCALAR_SIZE)
+
+    e3b: uint256 = uint256_addmod(
+        proof[P_EVAL_B],
+        uint256_mulmod(p[P_BETA], proof[P_EVAL_S2], SCALAR_SIZE),
+        SCALAR_SIZE
+    )
+    e3b = uint256_addmod(e3b, p[P_GAMMA], SCALAR_SIZE)
+
+    e3c: uint256 = uint256_addmod(proof[P_EVAL_C], p[P_GAMMA], SCALAR_SIZE)
+
+    e3: uint256 = uint256_mulmod(uint256_mulmod(e3a, e3b, SCALAR_SIZE), e3c, SCALAR_SIZE)
+    e3 = uint256_mulmod(e3, proof[P_EVAL_ZW], SCALAR_SIZE)
+    e3 = uint256_mulmod(e3, p[P_ALPHA], SCALAR_SIZE)
+
+    r0: uint256 = uint256_addmod(e1, SCALAR_SIZE - e2, SCALAR_SIZE)
+    return uint256_addmod(r0, SCALAR_SIZE - e3, SCALAR_SIZE)
+
+
+@pure
+@internal
+def _g1_mulAccC(pR: uint256[2], point: uint256[2], s: uint256) -> (bool, uint256[2]):
+    success: bool = True
+    mP: uint256[2] = [0, 0]
+
+    success, mP = self._ecmul(point, s)
+
+    return self._ecadd(mP, pR)
+
+
+@pure
+@internal
+def _calculateD(p: uint256[P_TOTAL_SIZE], proof: uint256[24]) -> (bool, uint256[2]):
+    success: bool = True
+    pd: uint256[2] = [QC_X, QC_Y]
+
+    success, pd = self._g1_mulAccC(pd, [QM_X, QM_Y], uint256_mulmod(proof[P_EVAL_A], proof[P_EVAL_B], SCALAR_SIZE))
+    if not success:
+        return (False, [0, 0])
+
+    success, pd = self._g1_mulAccC(pd, [QL_X, QL_Y], proof[P_EVAL_A])
+    if not success:
+        return (False, [0, 0])
+
+    success, pd = self._g1_mulAccC(pd, [QR_X, QR_Y], proof[P_EVAL_B])
+    if not success:
+        return (False, [0, 0])
+
+    success, pd = self._g1_mulAccC(pd, [QO_X, QO_Y], proof[P_EVAL_C])
+    if not success:
+        return (False, [0, 0])
+
+    val1: uint256 = uint256_addmod(
+        uint256_addmod(proof[P_EVAL_A], p[P_BETA_XI], SCALAR_SIZE),
+        p[P_GAMMA],
+        SCALAR_SIZE
+    )
+
+    val2: uint256 = uint256_addmod(
+        uint256_addmod(proof[P_EVAL_B], uint256_mulmod(p[P_BETA_XI], K1, SCALAR_SIZE), SCALAR_SIZE),
+        p[P_GAMMA],
+        SCALAR_SIZE
+    )
+
+    val3: uint256 = uint256_addmod(
+        uint256_addmod(proof[P_EVAL_C], uint256_mulmod(p[P_BETA_XI], K2, SCALAR_SIZE), SCALAR_SIZE),
+        p[P_GAMMA],
+        SCALAR_SIZE
+    )
+
+    d2a: uint256 = uint256_mulmod(
+        uint256_mulmod(uint256_mulmod(val1, val2, SCALAR_SIZE), val3, SCALAR_SIZE),
+        p[P_ALPHA],
+        SCALAR_SIZE
+    )
+
+    d2b: uint256 = uint256_mulmod(p[P_EVAL_L1], p[P_ALPHA2], SCALAR_SIZE)
+
+    mP: uint256[2] = [0, 0]
+
+    success, mP = self._ecmul(
+        [proof[P_Z], proof[P_Z + 1]],
+        uint256_addmod(uint256_addmod(d2a, d2b, SCALAR_SIZE), p[P_U], SCALAR_SIZE)
+    )
+    if not success:
+        return (False, [0, 0])
+
+    val1 = uint256_addmod(
+        uint256_addmod(proof[P_EVAL_A], uint256_mulmod(p[P_BETA], proof[P_EVAL_S1], SCALAR_SIZE), SCALAR_SIZE),
+        p[P_GAMMA],
+        SCALAR_SIZE
+    )
+
+    val2 = uint256_addmod(
+        uint256_addmod(proof[P_EVAL_B], uint256_mulmod(p[P_BETA], proof[P_EVAL_S2], SCALAR_SIZE), SCALAR_SIZE),
+        p[P_GAMMA],
+        SCALAR_SIZE
+    )
+
+    val3 = uint256_mulmod(
+        uint256_mulmod(p[P_ALPHA], p[P_BETA], SCALAR_SIZE),
+        proof[P_EVAL_ZW],
+        SCALAR_SIZE
+    )
+
+    success, mP = self._ecmul(
+        [proof[P_Z], proof[P_Z + 1]],
+        uint256_addmod(uint256_addmod(d2a, d2b, SCALAR_SIZE), p[P_U], SCALAR_SIZE)
+    )
+    if not success:
+        return (False, [0, 0])
+
+    success, pd = self._ecadd(pd, mP)
+    if not success:
+        return (False, [0, 0])
+
+    success, mP = self._ecmul(
+        [S3_X, S3_Y],
+        uint256_mulmod(uint256_mulmod(val1, val2, SCALAR_SIZE), val3, SCALAR_SIZE)
+    )
+    mP[1] = (BASE_SIZE - mP[1]) % BASE_SIZE
+
+    success, pd = self._ecadd(pd, mP)
+    if not success:
+        return (False, [0, 0])
+
+    pd2: uint256[2] = [proof[P_T1], proof[P_T1 + 1]]
+    success, pd2 = self._g1_mulAccC(pd2, [proof[P_T2], proof[P_T2 + 1]], p[P_XIN])
+    if not success:
+        return (False, [0, 0])
+
+    xin2: uint256 = uint256_mulmod(p[P_XIN], p[P_XIN], SCALAR_SIZE)
+    success, pd2 = self._g1_mulAccC(pd2, [proof[P_T3], proof[P_T3 + 1]], xin2)
+    if not success:
+        return (False, [0, 0])
+
+    success, mP = self._ecmul(pd2, p[P_ZH])
+    mP[1] = (BASE_SIZE - mP[1]) % BASE_SIZE
+
+    return self._ecadd(pd, mP)
+
+
+@pure
+@internal
+def _calculateF(p: uint256[P_TOTAL_SIZE], proof: uint256[24]) -> (bool, uint256[2]):
+    success: bool = True
+    pf: uint256[2] = [p[P_D], p[P_D + 1]]
+
+    success, pf = self._g1_mulAccC(pf, [proof[P_A], proof[P_A + 1]], p[P_V1])
+    if not success:
+        return (False, [0, 0])
+
+    success, pf = self._g1_mulAccC(pf, [proof[P_B], proof[P_B + 1]], p[P_V2])
+    if not success:
+        return (False, [0, 0])
+
+    success, pf = self._g1_mulAccC(pf, [proof[P_C], proof[P_C + 1]], p[P_V3])
+    if not success:
+        return (False, [0, 0])
+
+    success, pf = self._g1_mulAccC(pf, [S1_X, S1_Y], p[P_V4])
+    if not success:
+        return (False, [0, 0])
+
+    return self._g1_mulAccC(pf, [S2_X, S2_Y], p[P_V5])
+
+
+@pure
+@internal
+def _calculateE(p: uint256[P_TOTAL_SIZE], proof: uint256[24]) -> (bool, uint256[2]):
+    s: uint256 = (SCALAR_SIZE - p[P_EVAL_R0]) % SCALAR_SIZE
+
+    s = uint256_addmod(s, uint256_mulmod(proof[P_EVAL_A], p[P_V1], SCALAR_SIZE), SCALAR_SIZE)
+    s = uint256_addmod(s, uint256_mulmod(proof[P_EVAL_B], p[P_V2], SCALAR_SIZE), SCALAR_SIZE)
+    s = uint256_addmod(s, uint256_mulmod(proof[P_EVAL_C], p[P_V3], SCALAR_SIZE), SCALAR_SIZE)
+    s = uint256_addmod(s, uint256_mulmod(proof[P_EVAL_S1], p[P_V4], SCALAR_SIZE), SCALAR_SIZE)
+    s = uint256_addmod(s, uint256_mulmod(proof[P_EVAL_S2], p[P_V5], SCALAR_SIZE), SCALAR_SIZE)
+    s = uint256_addmod(s, uint256_mulmod(proof[P_EVAL_ZW], p[P_U], SCALAR_SIZE), SCALAR_SIZE)
+
+    return self._ecmul([G1_X, G1_Y], s)
+
+
+@pure
+@internal
+def _checkPairing(p: uint256[P_TOTAL_SIZE], proof: uint256[24]) -> bool:
+    mIn: uint256[12] = empty(uint256[12])
+
+    success: bool = True
+    mP: uint256[2] = [0, 0]
+
+    # A1
+    success, mP = self._ecmul([proof[P_WX_IW], proof[P_WX_IW + 1]], p[P_U])
+    if not success:
+        return False
+
+    aP: uint256[2] = [0, 0]
+    success, aP = self._ecadd([proof[P_WX_I], proof[P_WX_I + 1]], mP)
+    if not success:
+        return False
+
+    mIn[0] = aP[0]
+    mIn[1] = (BASE_SIZE - aP[1]) % BASE_SIZE
+
+    # [X]_2
+    mIn[2] = X2_X2
+    mIn[3] = X2_X1
+    mIn[4] = X2_Y2
+    mIn[5] = X2_Y1
+
+    # B1
+    success, mP = self._ecmul([proof[P_WX_I], proof[P_WX_I + 1]], p[P_XI])
+    if not success:
+        return False
+
+    mIn[6] = mP[0]
+    mIn[7] = mP[1]
+
+    s: uint256 = uint256_mulmod(p[P_U], p[P_XI], SCALAR_SIZE)
+    s = uint256_mulmod(s, W1, SCALAR_SIZE)
+
+    success, mP = self._ecmul([proof[P_WX_IW], proof[P_WX_IW + 1]], s)
+    if not success:
+        return False
+
+    success, aP = self._ecadd([mIn[6], mIn[7]], mP)
+    if not success:
+        return False
+
+    success, aP = self._ecadd(aP, [p[P_F], p[P_F + 1]])
+    if not success:
+        return False
+
+    p[P_E + 1] = (BASE_SIZE - p[P_E + 1]) % BASE_SIZE
+
+    success, aP = self._ecadd(aP, [p[P_E], p[P_E + 1]])
+    if not success:
+        return False
+
+    mIn[6] = aP[0]
+    mIn[7] = aP[1]
+
+    # [1]_2
+    mIn[8] = G2_X2
+    mIn[9] = G2_X1
+    mIn[10] = G2_Y2
+    mIn[11] = G2_Y1
+
+    response: Bytes[32] = b""
+    success, response = raw_call(
+        EC_PAIRING_PRECOMPILED_ADDRESS,
+        abi_encode(mIn),
+        max_outsize=32,
+        is_static_call=True,
+        revert_on_failure=False
+    )
+
+    if not success:
+        return False
+
+    return convert(response, bool)

package/dist/index.d.ts

@@ -1,3 +1,6 @@
-export * from "./core/CircuitZKit";
+export { CircuitZKit } from "./core/CircuitZKit";
+export * from "./core/protocols";
 export * from "./types/circuit-zkit";
+export * from "./types/proof-utils";
+export * from "./types/protocols";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,cAAc,kBAAkB,CAAC;AAEjC,cAAc,sBAAsB,CAAC;AACrC,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC"}

package/dist/index.js

@@ -14,6 +14,11 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./core/CircuitZKit"), exports);
+exports.CircuitZKit = void 0;
+var CircuitZKit_1 = require("./core/CircuitZKit");
+Object.defineProperty(exports, "CircuitZKit", { enumerable: true, get: function () { return CircuitZKit_1.CircuitZKit; } });
+__exportStar(require("./core/protocols"), exports);
 __exportStar(require("./types/circuit-zkit"), exports);
+__exportStar(require("./types/proof-utils"), exports);
+__exportStar(require("./types/protocols"), exports);
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,uDAAqC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,kDAAiD;AAAxC,0GAAA,WAAW,OAAA;AACpB,mDAAiC;AAEjC,uDAAqC;AACrC,sDAAoC;AACpC,oDAAkC"}