@solarity/zkit 0.3.0-rc.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. package/README.md +42 -25
  2. package/dist/constants.d.ts +2 -0
  3. package/dist/constants.d.ts.map +1 -0
  4. package/dist/constants.js +5 -0
  5. package/dist/constants.js.map +1 -0
  6. package/dist/core/CircuitZKit.d.ts.map +1 -1
  7. package/dist/core/CircuitZKit.js +2 -1
  8. package/dist/core/CircuitZKit.js.map +1 -1
  9. package/dist/core/protocols/Groth16Implementer.d.ts.map +1 -1
  10. package/dist/core/protocols/Groth16Implementer.js +7 -2
  11. package/dist/core/protocols/Groth16Implementer.js.map +1 -1
  12. package/dist/core/protocols/PlonkImplementer.d.ts.map +1 -1
  13. package/dist/core/protocols/PlonkImplementer.js +7 -2
  14. package/dist/core/protocols/PlonkImplementer.js.map +1 -1
  15. package/dist/core/templates/verifier_groth16.vy.ejs +3 -3
  16. package/dist/core/templates/verifier_plonk.sol.ejs +534 -436
  17. package/dist/core/templates/verifier_plonk.vy.ejs +92 -92
  18. package/dist/utils.d.ts +2 -0
  19. package/dist/utils.d.ts.map +1 -0
  20. package/dist/utils.js +32 -0
  21. package/dist/utils.js.map +1 -0
  22. package/package.json +2 -2
  23. package/src/constants.ts +1 -0
  24. package/src/core/CircuitZKit.ts +3 -1
  25. package/src/core/protocols/Groth16Implementer.ts +12 -2
  26. package/src/core/protocols/PlonkImplementer.ts +12 -2
  27. package/src/core/templates/verifier_groth16.vy.ejs +3 -3
  28. package/src/core/templates/verifier_plonk.sol.ejs +534 -436
  29. package/src/core/templates/verifier_plonk.vy.ejs +92 -92
  30. package/src/utils.ts +6 -0
package/dist/core/templates/verifier_plonk.sol.ejs CHANGED
@@ -6,11 +6,11 @@ pragma solidity >=0.7.0 <0.9.0;
6
6
 
7
7
  contract <%=verifier_id%> {
8
8
  // Omega
9
- uint256 constant W1 = <%=w%>;
9
+ uint256 constant W1 = <%=w%>;
10
10
  // Scalar field size
11
- uint256 constant Q = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
11
+ uint256 constant SCALAR_SIZE = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
12
12
  // Base field size
13
- uint256 constant QF = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
13
+ uint256 constant BASE_SIZE = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
14
14
 
15
15
  // [1]_1
16
16
  uint256 constant G1_X = 1;
@@ -22,10 +22,8 @@ contract <%=verifier_id%> {
22
22
  uint256 constant G2_Y2 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
23
23
 
24
24
  // Verification Key data
25
- uint32 constant N = <%=2**power%>;
26
- uint16 constant N_PUBLIC = <%=nPublic%>;
27
- uint16 constant N_LAGRANGE = <%=Math.max(nPublic, 1)%>;
28
-
25
+ uint32 constant N = <%=2**power%>;
26
+
29
27
  uint256 constant QM_X = <%=Qm[0]%>;
30
28
  uint256 constant QM_Y = <%=Qm[0] == "0" ? "0" : Qm[1]%>;
31
29
  uint256 constant QL_X = <%=Ql[0]%>;
@@ -49,71 +47,72 @@ contract <%=verifier_id%> {
49
47
  uint256 constant X2_Y1 = <%=X_2[1][0]%>;
50
48
  uint256 constant X2_Y2 = <%=X_2[1][1]%>;
51
49
 
52
- // Proof calldata
53
- // Byte offset of every parameter of the calldata
50
+ // Proof values offsets
51
+ // Byte offset of every parameter of the proof array
54
52
  // Polynomial commitments
55
- uint16 constant P_A = 4 + 0;
56
- uint16 constant P_B = 4 + 64;
57
- uint16 constant P_C = 4 + 128;
58
- uint16 constant P_Z = 4 + 192;
59
- uint16 constant P_T1 = 4 + 256;
60
- uint16 constant P_T2 = 4 + 320;
61
- uint16 constant P_T3 = 4 + 384;
62
- uint16 constant P_WX_I = 4 + 448;
63
- uint16 constant P_WX_IW = 4 + 512;
53
+ uint256 constant P_A = 0;
54
+ uint256 constant P_B = 64;
55
+ uint256 constant P_C = 128;
56
+ uint256 constant P_Z = 192;
57
+ uint256 constant P_T1 = 256;
58
+ uint256 constant P_T2 = 320;
59
+ uint256 constant P_T3 = 384;
60
+ uint256 constant P_WX_I = 448;
61
+ uint256 constant P_WX_IW = 512;
64
62
  // Opening evaluations
65
- uint16 constant P_EVAL_A = 4 + 576;
66
- uint16 constant P_EVAL_B = 4 + 608;
67
- uint16 constant P_EVAL_C = 4 + 640;
68
- uint16 constant P_EVAL_S1 = 4 + 672;
69
- uint16 constant P_EVAL_S2 = 4 + 704;
70
- uint16 constant P_EVAL_ZW = 4 + 736;
63
+ uint256 constant P_EVAL_A = 576;
64
+ uint256 constant P_EVAL_B = 608;
65
+ uint256 constant P_EVAL_C = 640;
66
+ uint256 constant P_EVAL_S1 = 672;
67
+ uint256 constant P_EVAL_S2 = 704;
68
+ uint256 constant P_EVAL_ZW = 736;
71
69
 
72
70
  // Memory data
73
71
  // Challenges
74
- uint16 constant P_ALPHA = 0;
75
- uint16 constant P_BETA = 32;
76
- uint16 constant P_GAMMA = 64;
77
- uint16 constant P_XI = 96;
78
- uint16 constant P_XIN = 128;
79
- uint16 constant P_BETA_XI = 160;
80
- uint16 constant P_V1 = 192;
81
- uint16 constant P_V2 = 224;
82
- uint16 constant P_V3 = 256;
83
- uint16 constant P_V4 = 288;
84
- uint16 constant P_V5 = 320;
85
- uint16 constant P_U = 352;
72
+ uint256 constant P_ALPHA = 0;
73
+ uint256 constant P_BETA = 32;
74
+ uint256 constant P_GAMMA = 64;
75
+ uint256 constant P_XI = 96;
76
+ uint256 constant P_XIN = 128;
77
+ uint256 constant P_BETA_XI = 160;
78
+ uint256 constant P_V1 = 192;
79
+ uint256 constant P_V2 = 224;
80
+ uint256 constant P_V3 = 256;
81
+ uint256 constant P_V4 = 288;
82
+ uint256 constant P_V5 = 320;
83
+ uint256 constant P_U = 352;
86
84
 
87
- uint16 constant P_PI = 384;
88
- uint16 constant P_EVAL_R0 = 416;
89
- uint16 constant P_D = 448;
90
- uint16 constant P_F = 512;
91
- uint16 constant P_E = 576;
92
- uint16 constant P_TMP = 640;
93
- uint16 constant P_ALPHA2 = 704;
94
- uint16 constant P_ZH = 736;
95
- uint16 constant P_ZH_INV = 768;
96
-
97
- <% for (let i=1; i<=Math.max(nPublic, 1); i++) { %>
98
- uint16 constant P_EVAL_L<%=i%> = <%=768+i*32%>;
99
- <% } %>
100
- <% let pLastMem = 800+32*Math.max(nPublic,1) %>
101
- uint16 constant LAST_MEM = <%=pLastMem%>;
102
-
103
- function verifyProof(uint256[24] calldata proof_, uint256[<%=nPublic%>] calldata pubSignals_) public view returns (bool) {
85
+ uint256 constant P_PI = 384;
86
+ uint256 constant P_EVAL_R0 = 416;
87
+ uint256 constant P_D = 448;
88
+ uint256 constant P_F = 512;
89
+ uint256 constant P_E = 576;
90
+ uint256 constant P_TMP = 640;
91
+ uint256 constant P_ALPHA2 = 704;
92
+ uint256 constant P_ZH = 736;
93
+ uint256 constant P_ZH_INV = 768;
94
+
95
+ uint256 constant P_EVAL_L1 = 800;
96
+ <% let pLastMem = 800+32*nPublic %>
97
+ uint256 constant P_TOTAL_SIZE = <%=pLastMem%>;
98
+
99
+ function verifyProof(
100
+ uint256[24] memory proofArr_,
101
+ uint256[<%=nPublic%>] memory publicSignals_
102
+ ) public view returns (bool verified_) {
104
103
  assembly {
105
- function inverse(a, q) -> inv {
106
- let t := 0
104
+ function inverse(a_, q_) -> inv {
105
+ let t := 0
107
106
  let newt := 1
108
- let r := q
109
- let newr := a
110
- let quotient
111
- let aux
107
+ let r := q_
108
+ let newr := a_
109
+ let quotient := 0
110
+ let aux := 0
112
111
 
113
112
  for { } newr { } {
114
113
  quotient := sdiv(r, newr)
115
114
  aux := sub(t, mul(quotient, newt))
116
- t:= newt
115
+ t := newt
117
116
  newt:= aux
118
117
 
119
118
  aux := sub(r,mul(quotient, newr))
@@ -122,68 +121,66 @@ contract <%=verifier_id%> {
122
121
  }
123
122
 
124
123
  if gt(r, 1) { revert(0,0) }
125
- if slt(t, 0) { t:= add(t, q) }
124
+ if slt(t, 0) { t:= add(t, q_) }
126
125
 
127
126
  inv := t
128
127
  }
129
128
 
130
- function inverseArray(pVals, n) {
131
- let pAux := mload(0x40) // Point to the next free position
132
- let pIn := pVals
133
- let lastPIn := add(pVals, mul(n, 32)) // Read n elemnts
129
+ function inverseArray(pVals_, n_) {
130
+ let pAux := mload(64) // Point to the next free position
131
+ let pIn := pVals_
132
+ let lastPIn := add(pVals_, mul(n_, 32)) // Read n elements
134
133
  let acc := mload(pIn) // Read the first element
135
134
  pIn := add(pIn, 32) // Point to the second element
136
- let inv
135
+ let inv := 0
137
136
 
138
- for { } lt(pIn, lastPIn) {
139
- pAux := add(pAux, 32)
137
+ for { } lt(pIn, lastPIn) {
138
+ pAux := add(pAux, 32)
140
139
  pIn := add(pIn, 32)
141
140
  }
142
141
  {
143
142
  mstore(pAux, acc)
144
- acc := mulmod(acc, mload(pIn), Q)
143
+ acc := mulmod(acc, mload(pIn), SCALAR_SIZE)
145
144
  }
146
- acc := inverse(acc, Q)
147
-
148
- // At this point pAux pint to the next free position we substract 1 to point to the last used
145
+
146
+ acc := inverse(acc, SCALAR_SIZE)
147
+
148
+ // At this point pAux point to the next free position, we subtract 1 to point to the last used
149
149
  pAux := sub(pAux, 32)
150
- // pIn points to the n+1 element, we substract to point to n
150
+ // pIn points to the n+1 element, we subtract to point to n
151
151
  pIn := sub(pIn, 32)
152
- lastPIn := pVals // We don't process the first element
153
- for { } gt(pIn, lastPIn) {
154
- pAux := sub(pAux, 32)
152
+ lastPIn := pVals_ // We don't process the first element
153
+
154
+ for { } gt(pIn, lastPIn) {
155
+ pAux := sub(pAux, 32)
155
156
  pIn := sub(pIn, 32)
156
157
  }
157
158
  {
158
- inv := mulmod(acc, mload(pAux), Q)
159
- acc := mulmod(acc, mload(pIn), Q)
159
+ inv := mulmod(acc, mload(pAux), SCALAR_SIZE)
160
+ acc := mulmod(acc, mload(pIn), SCALAR_SIZE)
160
161
  mstore(pIn, inv)
161
162
  }
162
- // pIn points to first element, we just set it.
163
+ // pIn points to first element, we just set it
163
164
  mstore(pIn, acc)
164
165
  }
165
-
166
- function checkField(v) {
167
- if iszero(lt(v, Q)) {
168
- mstore(0, 0)
169
- return(0,0x20)
170
- }
166
+
167
+ function checkField(signal_) -> res_ {
168
+ res_ := lt(signal_, SCALAR_SIZE)
171
169
  }
172
-
173
- function checkInput() {
174
- checkField(calldataload(P_EVAL_A))
175
- checkField(calldataload(P_EVAL_B))
176
- checkField(calldataload(P_EVAL_C))
177
- checkField(calldataload(P_EVAL_S1))
178
- checkField(calldataload(P_EVAL_S2))
179
- checkField(calldataload(P_EVAL_ZW))
170
+
171
+ function checkInput(proof_) -> res_ {
172
+ res_ := checkField(mload(add(proof_, P_EVAL_A)))
173
+ res_ := and(res_, checkField(mload(add(proof_, P_EVAL_B))))
174
+ res_ := and(res_, checkField(mload(add(proof_, P_EVAL_C))))
175
+ res_ := and(res_, checkField(mload(add(proof_, P_EVAL_S1))))
176
+ res_ := and(res_, checkField(mload(add(proof_, P_EVAL_S2))))
177
+ res_ := and(res_, checkField(mload(add(proof_, P_EVAL_ZW))))
180
178
  }
181
179
 
182
- function calculateChallenges(pMem, pPublic) {
183
- let beta
184
- let aux
185
-
186
- let mIn := mload(0x40) // Pointer to the next free memory position
180
+ function calculateChallenges(pMem_, proof_, pubSignals_) {
181
+ let beta := 0
182
+ let aux := 0
183
+ let mIn := mload(64) // Pointer to the next free memory position
187
184
 
188
185
  // Compute challenge.beta & challenge.gamma
189
186
  mstore(mIn, QM_X)
@@ -203,433 +200,517 @@ contract <%=verifier_id%> {
203
200
  mstore(add(mIn, 448), S3_X)
204
201
  mstore(add(mIn, 480), S3_Y)
205
202
 
206
- <%for (let i=0; i<nPublic;i++) {%>
207
- mstore(add(mIn, <%= 512 + i*32 %>), calldataload(add(pPublic, <%=i*32%>)))
208
- <%}%>
209
- mstore(add(mIn, <%= 512 + nPublic*32 + 0 %> ), calldataload(P_A))
210
- mstore(add(mIn, <%= 512 + nPublic*32 + 32 %> ), calldataload(add(P_A, 32)))
211
- mstore(add(mIn, <%= 512 + nPublic*32 + 64 %> ), calldataload(P_B))
212
- mstore(add(mIn, <%= 512 + nPublic*32 + 96 %> ), calldataload(add(P_B, 32)))
213
- mstore(add(mIn, <%= 512 + nPublic*32 + 128 %> ), calldataload(P_C))
214
- mstore(add(mIn, <%= 512 + nPublic*32 + 160 %> ), calldataload(add(P_C, 32)))
203
+ <% for (let i = 0; i < nPublic; i++) {%>mstore(add(mIn, <%=512 + i * 32%>), mload(add(pubSignals_, <%=i * 32%>)))
204
+ <% } %>
205
+ mstore(add(mIn, <%=512 + nPublic * 32%>), mload(add(proof_, P_A)))
206
+ mstore(add(mIn, <%=512 + nPublic * 32 + 32%>), mload(add(proof_, add(P_A, 32))))
207
+ mstore(add(mIn, <%=512 + nPublic * 32 + 64%>), mload(add(proof_, P_B)))
208
+ mstore(add(mIn, <%=512 + nPublic * 32 + 96%>), mload(add(proof_, add(P_B, 32))))
209
+ mstore(add(mIn, <%=512 + nPublic * 32 + 128%>), mload(add(proof_, P_C)))
210
+ mstore(add(mIn, <%=512 + nPublic * 32 + 160%>), mload(add(proof_, add(P_C, 32))))
215
211
 
216
- beta := mod(keccak256(mIn, <%= 704 + 32 * nPublic %>), Q)
217
- mstore(add(pMem, P_BETA), beta)
212
+ beta := mod(keccak256(mIn, <%=704 + 32 * nPublic%>), SCALAR_SIZE)
213
+ mstore(add(pMem_, P_BETA), beta)
218
214
 
219
215
  // challenges.gamma
220
- mstore(add(pMem, P_GAMMA), mod(keccak256(add(pMem, P_BETA), 32), Q))
216
+ mstore(
217
+ add(pMem_, P_GAMMA),
218
+ mod(keccak256(add(pMem_, P_BETA), 32), SCALAR_SIZE)
219
+ )
221
220
 
222
221
  // challenges.alpha
223
- mstore(mIn, mload(add(pMem, P_BETA)))
224
- mstore(add(mIn, 32), mload(add(pMem, P_GAMMA)))
225
- mstore(add(mIn, 64), calldataload(P_Z))
226
- mstore(add(mIn, 96), calldataload(add(P_Z, 32)))
222
+ mstore(mIn, mload(add(pMem_, P_BETA)))
223
+ mstore(add(mIn, 32), mload(add(pMem_, P_GAMMA)))
224
+ mstore(add(mIn, 64), mload(add(proof_, P_Z)))
225
+ mstore(add(mIn, 96), mload(add(proof_, add(P_Z, 32))))
227
226
 
228
- aux := mod(keccak256(mIn, 128), Q)
229
- mstore(add(pMem, P_ALPHA), aux)
230
- mstore(add(pMem, P_ALPHA2), mulmod(aux, aux, Q))
227
+ aux := mod(keccak256(mIn, 128), SCALAR_SIZE)
228
+ mstore(add(pMem_, P_ALPHA), aux)
229
+ mstore(add(pMem_, P_ALPHA2), mulmod(aux, aux, SCALAR_SIZE))
231
230
 
232
231
  // challenges.xi
233
232
  mstore(mIn, aux)
234
- mstore(add(mIn, 32), calldataload(P_T1))
235
- mstore(add(mIn, 64), calldataload(add(P_T1, 32)))
236
- mstore(add(mIn, 96), calldataload(P_T2))
237
- mstore(add(mIn, 128), calldataload(add(P_T2, 32)))
238
- mstore(add(mIn, 160), calldataload(P_T3))
239
- mstore(add(mIn, 192), calldataload(add(P_T3, 32)))
233
+ mstore(add(mIn, 32), mload(add(proof_, P_T1)))
234
+ mstore(add(mIn, 64), mload(add(proof_, add(P_T1, 32))))
235
+ mstore(add(mIn, 96), mload(add(proof_, P_T2)))
236
+ mstore(add(mIn, 128), mload(add(proof_, add(P_T2, 32))))
237
+ mstore(add(mIn, 160), mload(add(proof_, P_T3)))
238
+ mstore(add(mIn, 192), mload(add(proof_, add(P_T3, 32))))
240
239
 
241
- aux := mod(keccak256(mIn, 224), Q)
242
- mstore( add(pMem, P_XI), aux)
240
+ aux := mod(keccak256(mIn, 224), SCALAR_SIZE)
241
+ mstore(add(pMem_, P_XI), aux)
243
242
 
244
243
  // challenges.v
245
244
  mstore(mIn, aux)
246
- mstore(add(mIn, 32), calldataload(P_EVAL_A))
247
- mstore(add(mIn, 64), calldataload(P_EVAL_B))
248
- mstore(add(mIn, 96), calldataload(P_EVAL_C))
249
- mstore(add(mIn, 128), calldataload(P_EVAL_S1))
250
- mstore(add(mIn, 160), calldataload(P_EVAL_S2))
251
- mstore(add(mIn, 192), calldataload(P_EVAL_ZW))
245
+ mstore(add(mIn, 32), mload(add(proof_, P_EVAL_A)))
246
+ mstore(add(mIn, 64), mload(add(proof_, P_EVAL_B)))
247
+ mstore(add(mIn, 96), mload(add(proof_, P_EVAL_C)))
248
+ mstore(add(mIn, 128), mload(add(proof_, P_EVAL_S1)))
249
+ mstore(add(mIn, 160), mload(add(proof_, P_EVAL_S2)))
250
+ mstore(add(mIn, 192), mload(add(proof_, P_EVAL_ZW)))
252
251
 
253
- let v1 := mod(keccak256(mIn, 224), Q)
254
- mstore(add(pMem, P_V1), v1)
252
+ let v1 := mod(keccak256(mIn, 224), SCALAR_SIZE)
253
+ mstore(add(pMem_, P_V1), v1)
255
254
 
256
255
  // challenges.beta * challenges.xi
257
- mstore(add(pMem, P_BETA_XI), mulmod(beta, aux, Q))
256
+ mstore(add(pMem_, P_BETA_XI), mulmod(beta, aux, SCALAR_SIZE))
258
257
 
259
258
  // challenges.xi^n
260
- <%for (let i=0; i<power;i++) {%>
261
- aux:= mulmod(aux, aux, Q)
262
- <%}%>
263
- mstore(add(pMem, P_XIN), aux)
259
+ <% for (let i = 0; i < power; i++) {%>aux := mulmod(aux, aux, SCALAR_SIZE)
260
+ <% } %>
261
+ mstore(add(pMem_, P_XIN), aux)
264
262
 
265
263
  // Zh
266
- aux:= mod(add(sub(aux, 1), Q), Q)
267
- mstore(add(pMem, P_ZH), aux)
268
- mstore(add(pMem, P_ZH_INV), aux) // We will invert later together with lagrange pols
264
+ aux := addmod(aux, sub(SCALAR_SIZE, 1), SCALAR_SIZE)
265
+ mstore(add(pMem_, P_ZH), aux)
266
+ mstore(add(pMem_, P_ZH_INV), aux) // We will invert later together with lagrange pols
269
267
 
270
268
  // challenges.v^2, challenges.v^3, challenges.v^4, challenges.v^5
271
- aux := mulmod(v1, v1, Q)
272
- mstore(add(pMem, P_V2), aux)
273
- aux := mulmod(aux, v1, Q)
274
- mstore(add(pMem, P_V3), aux)
275
- aux := mulmod(aux, v1, Q)
276
- mstore(add(pMem, P_V4), aux)
277
- aux := mulmod(aux, v1, Q)
278
- mstore(add(pMem, P_V5), aux)
269
+ aux := mulmod(v1, v1, SCALAR_SIZE)
270
+ mstore(add(pMem_, P_V2), aux)
271
+ aux := mulmod(aux, v1, SCALAR_SIZE)
272
+ mstore(add(pMem_, P_V3), aux)
273
+ aux := mulmod(aux, v1, SCALAR_SIZE)
274
+ mstore(add(pMem_, P_V4), aux)
275
+ aux := mulmod(aux, v1, SCALAR_SIZE)
276
+ mstore(add(pMem_, P_V5), aux)
279
277
 
280
278
  // challenges.u
281
- mstore(mIn, calldataload(P_WX_I))
282
- mstore(add(mIn, 32), calldataload(add(P_WX_I, 32)))
283
- mstore(add(mIn, 64), calldataload(P_WX_IW))
284
- mstore(add(mIn, 96), calldataload(add(P_WX_IW, 32)))
279
+ mstore(mIn, mload(add(proof_, P_WX_I)))
280
+ mstore(add(mIn, 32), mload(add(proof_, add(P_WX_I, 32))))
281
+ mstore(add(mIn, 64), mload(add(proof_, P_WX_IW)))
282
+ mstore(add(mIn, 96), mload(add(proof_, add(P_WX_IW, 32))))
285
283
 
286
- mstore(add(pMem, P_U), mod(keccak256(mIn, 128), Q))
284
+ mstore(add(pMem_, P_U), mod(keccak256(mIn, 128), SCALAR_SIZE))
287
285
  }
288
286
 
289
- function calculateLagrange(pMem) {
290
- let w := 1
291
- <% for (let i=1; i<=Math.max(nPublic, 1); i++) { %>
292
- mstore(
293
- add(pMem, P_EVAL_L<%=i%>),
294
- mulmod(
295
- N,
296
- mod(
297
- add(
298
- sub(
299
- mload(add(pMem, P_XI)),
300
- w
301
- ),
302
- Q
287
+ function calculateLagrange(pMem_) {
288
+ let w := 1
289
+
290
+ for { let i := 0 } lt(i, <%=nPublic%>) { i := add(i, 1) } {
291
+ mstore(
292
+ add(pMem_, add(P_EVAL_L1, mul(i, 32))),
293
+ mulmod(
294
+ N,
295
+ mod(
296
+ add(sub(mload(add(pMem_, P_XI)), w), SCALAR_SIZE),
297
+ SCALAR_SIZE
303
298
  ),
304
- Q
305
- ),
306
- Q
299
+ SCALAR_SIZE
300
+ )
307
301
  )
308
- )
309
- <% if (i<Math.max(nPublic, 1)) { %>
310
- w := mulmod(w, W1, Q)
311
- <% } %>
312
- <% } %>
313
-
314
- inverseArray(add(pMem, P_ZH_INV), <%=Math.max(nPublic, 1)+1%> )
302
+
303
+ w := mulmod(w, W1, SCALAR_SIZE)
304
+ }
305
+
306
+ inverseArray(add(pMem_, P_ZH_INV), <%=nPublic + 1%>)
315
307
 
316
- let zh := mload(add(pMem, P_ZH))
308
+ let zh := mload(add(pMem_, P_ZH))
317
309
  w := 1
318
- <% for (let i=1; i<=Math.max(nPublic, 1); i++) { %>
319
- <% if (i==1) { %>
320
- mstore(
321
- add(pMem, P_EVAL_L1 ),
322
- mulmod(
323
- mload(add(pMem, P_EVAL_L1 )),
324
- zh,
325
- Q
326
- )
327
- )
328
- <% } else { %>
329
- mstore(
330
- add(pMem, P_EVAL_L<%=i%>),
331
- mulmod(
332
- w,
310
+
311
+ for { let i := 0 } lt(i, <%=nPublic%>) { i := add(i, 1) } {
312
+ mstore(
313
+ add(pMem_, add(P_EVAL_L1, mul(i, 32))),
333
314
  mulmod(
334
- mload(add(pMem, P_EVAL_L<%=i%>)),
335
- zh,
336
- Q
337
- ),
338
- Q
315
+ w,
316
+ mulmod(
317
+ mload(add(pMem_, add(P_EVAL_L1, mul(i, 32)))),
318
+ zh,
319
+ SCALAR_SIZE
320
+ ),
321
+ SCALAR_SIZE
322
+ )
339
323
  )
340
- )
341
- <% } %>
342
- <% if (i<Math.max(nPublic, 1)) { %>
343
- w := mulmod(w, W1, Q)
344
- <% } %>
345
- <% } %>
346
-
347
324
 
325
+ w := mulmod(w, W1, SCALAR_SIZE)
326
+ }
348
327
  }
349
328
 
350
- function calculatePI(pMem, pPub) {
351
- let pl := 0
352
-
353
- <% for (let i=0; i<nPublic; i++) { %>
354
- pl := mod(
355
- add(
329
+ function calculatePI(pMem_, pPub_) {
330
+ let pi := 0
331
+
332
+ for { let i := 0 } lt(i, <%=nPublic%>) { i := add(i, 1) } {
333
+ pi := addmod(
356
334
  sub(
357
- pl,
335
+ SCALAR_SIZE,
358
336
  mulmod(
359
- mload(add(pMem, P_EVAL_L<%=i+1%>)),
360
- calldataload(add(pPub, <%=i*32%>)),
361
- Q
337
+ mload(add(pMem_, add(P_EVAL_L1, mul(i, 32)))),
338
+ mload(add(pPub_, mul(i, 32))),
339
+ SCALAR_SIZE
362
340
  )
363
341
  ),
364
- Q
365
- ),
366
- Q
367
- )
368
- <% } %>
369
-
370
- mstore(add(pMem, P_PI), pl)
342
+ pi,
343
+ SCALAR_SIZE
344
+ )
345
+ }
346
+
347
+ mstore(add(pMem_, P_PI), pi)
371
348
  }
372
349
 
373
- function calculateR0(pMem) {
374
- let e1 := mload(add(pMem, P_PI))
350
+ function calculateR0(pMem_, proof_) {
351
+ let e1 := mload(add(pMem_, P_PI))
375
352
 
376
- let e2 := mulmod(mload(add(pMem, P_EVAL_L1)), mload(add(pMem, P_ALPHA2)), Q)
353
+ let e2 := mulmod(
354
+ mload(add(pMem_, P_EVAL_L1)),
355
+ mload(add(pMem_, P_ALPHA2)),
356
+ SCALAR_SIZE
357
+ )
377
358
 
378
359
  let e3a := addmod(
379
- calldataload(P_EVAL_A),
380
- mulmod(mload(add(pMem, P_BETA)), calldataload(P_EVAL_S1), Q),
381
- Q)
382
- e3a := addmod(e3a, mload(add(pMem, P_GAMMA)), Q)
360
+ mload(add(proof_, P_EVAL_A)),
361
+ mulmod(
362
+ mload(add(pMem_, P_BETA)),
363
+ mload(add(proof_, P_EVAL_S1)),
364
+ SCALAR_SIZE
365
+ ),
366
+ SCALAR_SIZE
367
+ )
368
+ e3a := addmod(e3a, mload(add(pMem_, P_GAMMA)), SCALAR_SIZE)
383
369
 
384
370
  let e3b := addmod(
385
- calldataload(P_EVAL_B),
386
- mulmod(mload(add(pMem, P_BETA)), calldataload(P_EVAL_S2), Q),
387
- Q)
388
- e3b := addmod(e3b, mload(add(pMem, P_GAMMA)), Q)
371
+ mload(add(proof_, P_EVAL_B)),
372
+ mulmod(
373
+ mload(add(pMem_, P_BETA)),
374
+ mload(add(proof_, P_EVAL_S2)),
375
+ SCALAR_SIZE
376
+ ),
377
+ SCALAR_SIZE
378
+ )
379
+ e3b := addmod(e3b, mload(add(pMem_, P_GAMMA)), SCALAR_SIZE)
389
380
 
390
381
  let e3c := addmod(
391
- calldataload(P_EVAL_C),
392
- mload(add(pMem, P_GAMMA)),
393
- Q)
382
+ mload(add(proof_, P_EVAL_C)),
383
+ mload(add(pMem_, P_GAMMA)),
384
+ SCALAR_SIZE
385
+ )
394
386
 
395
- let e3 := mulmod(mulmod(e3a, e3b, Q), e3c, Q)
396
- e3 := mulmod(e3, calldataload(P_EVAL_ZW), Q)
397
- e3 := mulmod(e3, mload(add(pMem, P_ALPHA)), Q)
387
+ let e3 := mulmod(mulmod(e3a, e3b, SCALAR_SIZE), e3c, SCALAR_SIZE)
388
+ e3 := mulmod(e3, mload(add(proof_, P_EVAL_ZW)), SCALAR_SIZE)
389
+ e3 := mulmod(e3, mload(add(pMem_, P_ALPHA)), SCALAR_SIZE)
398
390
 
399
- let r0 := addmod(e1, mod(sub(Q, e2), Q), Q)
400
- r0 := addmod(r0, mod(sub(Q, e3), Q), Q)
391
+ let r0 := addmod(
392
+ e1,
393
+ mod(sub(SCALAR_SIZE, e2), SCALAR_SIZE),
394
+ SCALAR_SIZE
395
+ )
396
+ r0 := addmod(r0, mod(sub(SCALAR_SIZE, e3), SCALAR_SIZE), SCALAR_SIZE)
401
397
 
402
- mstore(add(pMem, P_EVAL_R0) , r0)
398
+ mstore(add(pMem_, P_EVAL_R0), r0)
403
399
  }
404
400
 
405
- function g1_set(pR, pP) {
406
- mstore(pR, mload(pP))
407
- mstore(add(pR, 32), mload(add(pP,32)))
401
+ function g1_set(pR_, pP_) {
402
+ mstore(pR_, mload(pP_))
403
+ mstore(add(pR_, 32), mload(add(pP_,32)))
408
404
  }
409
405
 
410
- function g1_setC(pR, x, y) {
411
- mstore(pR, x)
412
- mstore(add(pR, 32), y)
413
- }
414
-
415
- function g1_calldataSet(pR, pP) {
416
- mstore(pR, calldataload(pP))
417
- mstore(add(pR, 32), calldataload(add(pP, 32)))
406
+ function g1_setC(pR_, x_, y_) {
407
+ mstore(pR_, x_)
408
+ mstore(add(pR_, 32), y_)
418
409
  }
419
410
 
420
- function g1_acc(pR, pP) {
421
- let mIn := mload(0x40)
422
- mstore(mIn, mload(pR))
423
- mstore(add(mIn,32), mload(add(pR, 32)))
424
- mstore(add(mIn,64), mload(pP))
425
- mstore(add(mIn,96), mload(add(pP, 32)))
411
+ function g1_acc(pR_, pP_) -> res_ {
412
+ let mIn := mload(64)
413
+ mstore(mIn, mload(pR_))
414
+ mstore(add(mIn,32), mload(add(pR_, 32)))
415
+ mstore(add(mIn,64), mload(pP_))
416
+ mstore(add(mIn,96), mload(add(pP_, 32)))
426
417
 
427
- let success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
428
-
429
- if iszero(success) {
430
- mstore(0, 0)
431
- return(0,0x20)
432
- }
418
+ res_ := staticcall(sub(gas(), 2000), 6, mIn, 128, pR_, 64)
433
419
  }
434
420
 
435
- function g1_mulAcc(pR, pP, s) {
436
- let success
437
- let mIn := mload(0x40)
438
- mstore(mIn, mload(pP))
439
- mstore(add(mIn,32), mload(add(pP, 32)))
440
- mstore(add(mIn,64), s)
421
+ function g1_mulAccC(pR_, x_, y_, s_) -> res_ {
422
+ let mIn := mload(64)
423
+ mstore(mIn, x_)
424
+ mstore(add(mIn,32), y_)
425
+ mstore(add(mIn,64), s_)
441
426
 
442
- success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
443
-
444
- if iszero(success) {
445
- mstore(0, 0)
446
- return(0,0x20)
447
- }
448
-
449
- mstore(add(mIn,64), mload(pR))
450
- mstore(add(mIn,96), mload(add(pR, 32)))
427
+ res_ := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
451
428
 
452
- success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
453
-
454
- if iszero(success) {
455
- mstore(0, 0)
456
- return(0,0x20)
429
+ if iszero(res_) {
430
+ leave
457
431
  }
458
-
459
- }
460
432
 
461
- function g1_mulAccC(pR, x, y, s) {
462
- let success
463
- let mIn := mload(0x40)
464
- mstore(mIn, x)
465
- mstore(add(mIn,32), y)
466
- mstore(add(mIn,64), s)
433
+ mstore(add(mIn,64), mload(pR_))
434
+ mstore(add(mIn,96), mload(add(pR_, 32)))
467
435
 
468
- success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
469
-
470
- if iszero(success) {
471
- mstore(0, 0)
472
- return(0,0x20)
473
- }
474
-
475
- mstore(add(mIn,64), mload(pR))
476
- mstore(add(mIn,96), mload(add(pR, 32)))
477
-
478
- success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
479
-
480
- if iszero(success) {
481
- mstore(0, 0)
482
- return(0,0x20)
483
- }
436
+ res_ := staticcall(sub(gas(), 2000), 6, mIn, 128, pR_, 64)
484
437
  }
485
438
 
486
- function g1_mulSetC(pR, x, y, s) {
487
- let success
488
- let mIn := mload(0x40)
489
- mstore(mIn, x)
490
- mstore(add(mIn,32), y)
491
- mstore(add(mIn,64), s)
439
+ function g1_mulSetC(pR_, x_, y_, s_) -> res_ {
440
+ let mIn := mload(64)
441
+ mstore(mIn, x_)
442
+ mstore(add(mIn,32), y_)
443
+ mstore(add(mIn,64), s_)
492
444
 
493
- success := staticcall(sub(gas(), 2000), 7, mIn, 96, pR, 64)
494
-
495
- if iszero(success) {
496
- mstore(0, 0)
497
- return(0,0x20)
498
- }
445
+ res_ := staticcall(sub(gas(), 2000), 7, mIn, 96, pR_, 64)
499
446
  }
500
447
 
501
- function g1_mulSet(pR, pP, s) {
502
- g1_mulSetC(pR, mload(pP), mload(add(pP, 32)), s)
448
+ function g1_mulSet(pR_, pP_, s_) -> res_ {
449
+ res_ := g1_mulSetC(pR_, mload(pP_), mload(add(pP_, 32)), s_)
503
450
  }
504
451
 
505
- function calculateD(pMem) {
506
- let _pD:= add(pMem, P_D)
507
- let gamma := mload(add(pMem, P_GAMMA))
508
- let mIn := mload(0x40)
509
- mstore(0x40, add(mIn, 256)) // d1, d2, d3 & d4 (4*64 bytes)
452
+ function calculateD(pMem_, proof_) -> isOk_ {
453
+ let _pD := add(pMem_, P_D)
454
+ let gamma := mload(add(pMem_, P_GAMMA))
455
+ let mIn := mload(64)
456
+ mstore(64, add(mIn, 256)) // d1, d2, d3 & d4 (4 * 64 bytes)
510
457
 
511
458
  g1_setC(_pD, QC_X, QC_Y)
512
- g1_mulAccC(_pD, QM_X, QM_Y, mulmod(calldataload(P_EVAL_A), calldataload(P_EVAL_B), Q))
513
- g1_mulAccC(_pD, QL_X, QL_Y, calldataload(P_EVAL_A))
514
- g1_mulAccC(_pD, QR_X, QR_Y, calldataload(P_EVAL_B))
515
- g1_mulAccC(_pD, QO_X, QO_Y, calldataload(P_EVAL_C))
516
459
 
517
- let betaxi := mload(add(pMem, P_BETA_XI))
460
+ if iszero(
461
+ g1_mulAccC(
462
+ _pD, QM_X, QM_Y,
463
+ mulmod(
464
+ mload(add(proof_, P_EVAL_A)),
465
+ mload(add(proof_, P_EVAL_B)),
466
+ SCALAR_SIZE
467
+ )
468
+ )
469
+ ) {
470
+ leave
471
+ }
472
+ if iszero(g1_mulAccC(_pD, QL_X, QL_Y, mload(add(proof_, P_EVAL_A)))) {
473
+ leave
474
+ }
475
+ if iszero(g1_mulAccC(_pD, QR_X, QR_Y, mload(add(proof_, P_EVAL_B)))) {
476
+ leave
477
+ }
478
+ if iszero(g1_mulAccC(_pD, QO_X, QO_Y, mload(add(proof_, P_EVAL_C)))) {
479
+ leave
480
+ }
481
+
482
+ let betaxi := mload(add(pMem_, P_BETA_XI))
518
483
  let val1 := addmod(
519
- addmod(calldataload(P_EVAL_A), betaxi, Q),
520
- gamma, Q)
484
+ addmod(mload(add(proof_, P_EVAL_A)), betaxi, SCALAR_SIZE),
485
+ gamma,
486
+ SCALAR_SIZE
487
+ )
521
488
 
522
489
  let val2 := addmod(
523
490
  addmod(
524
- calldataload(P_EVAL_B),
525
- mulmod(betaxi, K1, Q),
526
- Q), gamma, Q)
491
+ mload(add(proof_, P_EVAL_B)),
492
+ mulmod(betaxi, K1, SCALAR_SIZE),
493
+ SCALAR_SIZE
494
+ ),
495
+ gamma,
496
+ SCALAR_SIZE
497
+ )
527
498
 
528
499
  let val3 := addmod(
529
500
  addmod(
530
- calldataload(P_EVAL_C),
531
- mulmod(betaxi, K2, Q),
532
- Q), gamma, Q)
501
+ mload(add(proof_, P_EVAL_C)),
502
+ mulmod(betaxi, K2, SCALAR_SIZE),
503
+ SCALAR_SIZE
504
+ ),
505
+ gamma,
506
+ SCALAR_SIZE
507
+ )
533
508
 
534
509
  let d2a := mulmod(
535
- mulmod(mulmod(val1, val2, Q), val3, Q),
536
- mload(add(pMem, P_ALPHA)),
537
- Q
510
+ mulmod(mulmod(val1, val2, SCALAR_SIZE), val3, SCALAR_SIZE),
511
+ mload(add(pMem_, P_ALPHA)),
512
+ SCALAR_SIZE
538
513
  )
539
514
 
540
515
  let d2b := mulmod(
541
- mload(add(pMem, P_EVAL_L1)),
542
- mload(add(pMem, P_ALPHA2)),
543
- Q
516
+ mload(add(pMem_, P_EVAL_L1)),
517
+ mload(add(pMem_, P_ALPHA2)),
518
+ SCALAR_SIZE
544
519
  )
545
520
 
546
521
  // We'll use mIn to save d2
547
- g1_calldataSet(add(mIn, 192), P_Z)
548
- g1_mulSet(
549
- mIn,
550
- add(mIn, 192),
551
- addmod(addmod(d2a, d2b, Q), mload(add(pMem, P_U)), Q))
552
-
522
+ g1_set(add(mIn, 192), add(proof_, P_Z))
523
+
524
+ if iszero(
525
+ g1_mulSet(
526
+ mIn,
527
+ add(mIn, 192),
528
+ addmod(
529
+ addmod(d2a, d2b, SCALAR_SIZE),
530
+ mload(add(pMem_, P_U)),
531
+ SCALAR_SIZE
532
+ )
533
+ )
534
+ ) {
535
+ leave
536
+ }
553
537
 
554
538
  val1 := addmod(
555
539
  addmod(
556
- calldataload(P_EVAL_A),
557
- mulmod(mload(add(pMem, P_BETA)), calldataload(P_EVAL_S1), Q),
558
- Q), gamma, Q)
540
+ mload(add(proof_, P_EVAL_A)),
541
+ mulmod(
542
+ mload(add(pMem_, P_BETA)),
543
+ mload(add(proof_, P_EVAL_S1)),
544
+ SCALAR_SIZE
545
+ ),
546
+ SCALAR_SIZE
547
+ ),
548
+ gamma,
549
+ SCALAR_SIZE
550
+ )
559
551
 
560
552
  val2 := addmod(
561
553
  addmod(
562
- calldataload(P_EVAL_B),
563
- mulmod(mload(add(pMem, P_BETA)), calldataload(P_EVAL_S2), Q),
564
- Q), gamma, Q)
565
-
554
+ mload(add(proof_, P_EVAL_B)),
555
+ mulmod(
556
+ mload(add(pMem_, P_BETA)),
557
+ mload(add(proof_, P_EVAL_S2)),
558
+ SCALAR_SIZE
559
+ ),
560
+ SCALAR_SIZE
561
+ ),
562
+ gamma,
563
+ SCALAR_SIZE
564
+ )
565
+
566
566
  val3 := mulmod(
567
- mulmod(mload(add(pMem, P_ALPHA)), mload(add(pMem, P_BETA)), Q),
568
- calldataload(P_EVAL_ZW), Q)
569
-
567
+ mulmod(mload(add(pMem_, P_ALPHA)), mload(add(pMem_, P_BETA)), SCALAR_SIZE),
568
+ mload(add(proof_, P_EVAL_ZW)),
569
+ SCALAR_SIZE
570
+ )
570
571
 
571
572
  // We'll use mIn + 64 to save d3
572
- g1_mulSetC(
573
- add(mIn, 64),
574
- S3_X,
575
- S3_Y,
576
- mulmod(mulmod(val1, val2, Q), val3, Q))
573
+ if iszero(
574
+ g1_mulSetC(
575
+ add(mIn, 64), S3_X, S3_Y,
576
+ mulmod(mulmod(val1, val2, SCALAR_SIZE), val3, SCALAR_SIZE)
577
+ )
578
+ ) {
579
+ leave
580
+ }
577
581
 
578
582
  // We'll use mIn + 128 to save d4
579
- g1_calldataSet(add(mIn, 128), P_T1)
583
+ g1_set(add(mIn, 128), add(proof_, P_T1))
584
+
585
+ if iszero(
586
+ g1_mulAccC(
587
+ add(mIn, 128),
588
+ mload(add(proof_, P_T2)),
589
+ mload(add(proof_, add(P_T2, 32))),
590
+ mload(add(pMem_, P_XIN))
591
+ )
592
+ ) {
593
+ leave
594
+ }
580
595
 
581
- g1_mulAccC(add(mIn, 128), calldataload(P_T2), calldataload(add(P_T2, 32)), mload(add(pMem, P_XIN)))
582
- let xin2 := mulmod(mload(add(pMem, P_XIN)), mload(add(pMem, P_XIN)), Q)
583
- g1_mulAccC(add(mIn, 128), calldataload(P_T3), calldataload(add(P_T3, 32)) , xin2)
584
-
585
- g1_mulSetC(add(mIn, 128), mload(add(mIn, 128)), mload(add(mIn, 160)), mload(add(pMem, P_ZH)))
596
+ let xin2 := mulmod(
597
+ mload(add(pMem_, P_XIN)),
598
+ mload(add(pMem_, P_XIN)),
599
+ SCALAR_SIZE
600
+ )
601
+
602
+ if iszero(
603
+ g1_mulAccC(
604
+ add(mIn, 128),
605
+ mload(add(proof_, P_T3)),
606
+ mload(add(proof_, add(P_T3, 32))),
607
+ xin2
608
+ )
609
+ ) {
610
+ leave
611
+ }
612
+
613
+ if iszero(
614
+ g1_mulSetC(
615
+ add(mIn, 128),
616
+ mload(add(mIn, 128)),
617
+ mload(add(mIn, 160)),
618
+ mload(add(pMem_, P_ZH))
619
+ )
620
+ ) {
621
+ leave
622
+ }
623
+
624
+ mstore(add(add(mIn, 64), 32), mod(sub(BASE_SIZE, mload(add(add(mIn, 64), 32))), BASE_SIZE))
625
+ mstore(add(mIn, 160), mod(sub(BASE_SIZE, mload(add(mIn, 160))), BASE_SIZE))
586
626
 
587
- mstore(add(add(mIn, 64), 32), mod(sub(QF, mload(add(add(mIn, 64), 32))), QF))
588
- mstore(add(mIn, 160), mod(sub(QF, mload(add(mIn, 160))), QF))
589
- g1_acc(_pD, mIn)
590
- g1_acc(_pD, add(mIn, 64))
591
- g1_acc(_pD, add(mIn, 128))
627
+ if iszero(g1_acc(_pD, mIn)) { leave }
628
+ if iszero(g1_acc(_pD, add(mIn, 64))) { leave }
629
+ if iszero(g1_acc(_pD, add(mIn, 128))) { leave }
630
+
631
+ isOk_ := 1
592
632
  }
593
633
 
594
- function calculateF(pMem) {
595
- let p := add(pMem, P_F)
596
-
597
- g1_set(p, add(pMem, P_D))
598
- g1_mulAccC(p, calldataload(P_A), calldataload(add(P_A, 32)), mload(add(pMem, P_V1)))
599
- g1_mulAccC(p, calldataload(P_B), calldataload(add(P_B, 32)), mload(add(pMem, P_V2)))
600
- g1_mulAccC(p, calldataload(P_C), calldataload(add(P_C, 32)), mload(add(pMem, P_V3)))
601
- g1_mulAccC(p, S1_X, S1_Y, mload(add(pMem, P_V4)))
602
- g1_mulAccC(p, S2_X, S2_Y, mload(add(pMem, P_V5)))
634
+ function calculateF(pMem_, proof_) -> isOk_ {
635
+ let p := add(pMem_, P_F)
636
+
637
+ g1_set(p, add(pMem_, P_D))
638
+
639
+ if iszero(
640
+ g1_mulAccC(
641
+ p,
642
+ mload(add(proof_, P_A)),
643
+ mload(add(proof_, add(P_A, 32))),
644
+ mload(add(pMem_, P_V1))
645
+ )
646
+ ) {
647
+ leave
648
+ }
649
+
650
+ if iszero(
651
+ g1_mulAccC(
652
+ p,
653
+ mload(add(proof_, P_B)),
654
+ mload(add(proof_, add(P_B, 32))),
655
+ mload(add(pMem_, P_V2))
656
+ )
657
+ ) {
658
+ leave
659
+ }
660
+
661
+ if iszero(
662
+ g1_mulAccC(
663
+ p,
664
+ mload(add(proof_, P_C)),
665
+ mload(add(proof_, add(P_C, 32))),
666
+ mload(add(pMem_, P_V3))
667
+ )
668
+ ) {
669
+ leave
670
+ }
671
+
672
+ if iszero(g1_mulAccC(p, S1_X, S1_Y, mload(add(pMem_, P_V4)))) {
673
+ leave
674
+ }
675
+ if iszero(g1_mulAccC(p, S2_X, S2_Y, mload(add(pMem_, P_V5)))) {
676
+ leave
677
+ }
678
+
679
+ isOk_ := 1
603
680
  }
604
681
 
605
- function calculateE(pMem) {
606
- let s := mod(sub(Q, mload(add(pMem, P_EVAL_R0))), Q)
682
+ function calculateE(pMem_, proof_) -> isOk_ {
683
+ let s := mod(sub(SCALAR_SIZE, mload(add(pMem_, P_EVAL_R0))), SCALAR_SIZE)
607
684
 
608
- s := addmod(s, mulmod(calldataload(P_EVAL_A), mload(add(pMem, P_V1)), Q), Q)
609
- s := addmod(s, mulmod(calldataload(P_EVAL_B), mload(add(pMem, P_V2)), Q), Q)
610
- s := addmod(s, mulmod(calldataload(P_EVAL_C), mload(add(pMem, P_V3)), Q), Q)
611
- s := addmod(s, mulmod(calldataload(P_EVAL_S1), mload(add(pMem, P_V4)), Q), Q)
612
- s := addmod(s, mulmod(calldataload(P_EVAL_S2), mload(add(pMem, P_V5)), Q), Q)
613
- s := addmod(s, mulmod(calldataload(P_EVAL_ZW), mload(add(pMem, P_U)), Q), Q)
685
+ s := addmod(s, mulmod(mload(add(proof_, P_EVAL_A)), mload(add(pMem_, P_V1)), SCALAR_SIZE), SCALAR_SIZE)
686
+ s := addmod(s, mulmod(mload(add(proof_, P_EVAL_B)), mload(add(pMem_, P_V2)), SCALAR_SIZE), SCALAR_SIZE)
687
+ s := addmod(s, mulmod(mload(add(proof_, P_EVAL_C)), mload(add(pMem_, P_V3)), SCALAR_SIZE), SCALAR_SIZE)
688
+ s := addmod(s, mulmod(mload(add(proof_, P_EVAL_S1)), mload(add(pMem_, P_V4)), SCALAR_SIZE), SCALAR_SIZE)
689
+ s := addmod(s, mulmod(mload(add(proof_, P_EVAL_S2)), mload(add(pMem_, P_V5)), SCALAR_SIZE), SCALAR_SIZE)
690
+ s := addmod(s, mulmod(mload(add(proof_, P_EVAL_ZW)), mload(add(pMem_, P_U)), SCALAR_SIZE), SCALAR_SIZE)
614
691
 
615
- g1_mulSetC(add(pMem, P_E), G1_X, G1_Y, s)
692
+ isOk_ := g1_mulSetC(add(pMem_, P_E), G1_X, G1_Y, s)
616
693
  }
617
694
 
618
- function checkPairing(pMem) -> isOk {
619
- let mIn := mload(0x40)
620
- mstore(0x40, add(mIn, 576)) // [0..383] = pairing data, [384..447] = P_WX_I, [448..512] = P_WX_IW
695
+ function checkPairing(pMem_, proof_) -> isOk_ {
696
+ let mIn := mload(64)
697
+ mstore(64, add(mIn, 576)) // [0..383] = pairing data, [384..447] = P_WX_I, [448..512] = P_WX_IW
621
698
 
622
699
  let _pWxi := add(mIn, 384)
623
700
  let _pWxiw := add(mIn, 448)
624
701
  let _aux := add(mIn, 512)
625
702
 
626
- g1_calldataSet(_pWxi, P_WX_I)
627
- g1_calldataSet(_pWxiw, P_WX_IW)
703
+ g1_set(_pWxi, add(proof_, P_WX_I))
704
+ g1_set(_pWxiw, add(proof_, P_WX_IW))
628
705
 
629
706
  // A1
630
- g1_mulSet(mIn, _pWxiw, mload(add(pMem, P_U)))
631
- g1_acc(mIn, _pWxi)
632
- mstore(add(mIn, 32), mod(sub(QF, mload(add(mIn, 32))), QF))
707
+ if iszero(g1_mulSet(mIn, _pWxiw, mload(add(pMem_, P_U)))) {
708
+ leave
709
+ }
710
+ if iszero(g1_acc(mIn, _pWxi)) {
711
+ leave
712
+ }
713
+ mstore(add(mIn, 32), mod(sub(BASE_SIZE, mload(add(mIn, 32))), BASE_SIZE))
633
714
 
634
715
  // [X]_2
635
716
  mstore(add(mIn,64), X2_X2)
@@ -638,44 +719,61 @@ contract <%=verifier_id%> {
638
719
  mstore(add(mIn,160), X2_Y1)
639
720
 
640
721
  // B1
641
- g1_mulSet(add(mIn, 192), _pWxi, mload(add(pMem, P_XI)))
722
+ if iszero(g1_mulSet(add(mIn, 192), _pWxi, mload(add(pMem_, P_XI)))) {
723
+ leave
724
+ }
725
+
726
+ let s := mulmod(mload(add(pMem_, P_U)), mload(add(pMem_, P_XI)), SCALAR_SIZE)
727
+ s := mulmod(s, W1, SCALAR_SIZE)
642
728
 
643
- let s := mulmod(mload(add(pMem, P_U)), mload(add(pMem, P_XI)), Q)
644
- s := mulmod(s, W1, Q)
645
- g1_mulSet(_aux, _pWxiw, s)
646
- g1_acc(add(mIn, 192), _aux)
647
- g1_acc(add(mIn, 192), add(pMem, P_F))
648
- mstore(add(pMem, add(P_E, 32)), mod(sub(QF, mload(add(pMem, add(P_E, 32)))), QF))
649
- g1_acc(add(mIn, 192), add(pMem, P_E))
729
+ if iszero(g1_mulSet(_aux, _pWxiw, s)) {
730
+ leave
731
+ }
732
+ if iszero(g1_acc(add(mIn, 192), _aux)) {
733
+ leave
734
+ }
735
+ if iszero(g1_acc(add(mIn, 192), add(pMem_, P_F))) {
736
+ leave
737
+ }
738
+
739
+ mstore(add(pMem_, add(P_E, 32)), mod(sub(BASE_SIZE, mload(add(pMem_, add(P_E, 32)))), BASE_SIZE))
740
+
741
+ if iszero(g1_acc(add(mIn, 192), add(pMem_, P_E))) {
742
+ leave
743
+ }
650
744
 
651
745
  // [1]_2
652
746
  mstore(add(mIn,256), G2_X2)
653
747
  mstore(add(mIn,288), G2_X1)
654
748
  mstore(add(mIn,320), G2_Y2)
655
749
  mstore(add(mIn,352), G2_Y1)
656
-
657
- let success := staticcall(sub(gas(), 2000), 8, mIn, 384, mIn, 0x20)
658
-
659
- isOk := and(success, mload(mIn))
750
+
751
+ if iszero(staticcall(sub(gas(), 2000), 8, mIn, 384, mIn, 0x20)) {
752
+ leave
753
+ }
754
+
755
+ isOk_ := and(1, mload(mIn))
660
756
  }
661
757
 
662
- let pMem := mload(0x40)
663
- mstore(0x40, add(pMem, LAST_MEM))
664
-
665
- checkInput()
666
- calculateChallenges(pMem, pubSignals_)
667
- calculateLagrange(pMem)
668
- calculatePI(pMem, pubSignals_)
669
- calculateR0(pMem)
670
- calculateD(pMem)
671
- calculateF(pMem)
672
- calculateE(pMem)
673
- let isValid := checkPairing(pMem)
674
-
675
- mstore(0x40, sub(pMem, LAST_MEM))
676
- mstore(0, isValid)
677
- return(0,0x20)
758
+ let pointer_ := mload(64) // free pointer
759
+ mstore(64, add(pointer_, P_TOTAL_SIZE))
760
+
761
+ verified_ := checkInput(proofArr_)
762
+
763
+ /// @dev check pairings
764
+ if not(iszero(verified_)) {
765
+ calculateChallenges(pointer_, proofArr_, publicSignals_)
766
+ calculateLagrange(pointer_)
767
+ calculatePI(pointer_, publicSignals_)
768
+ calculateR0(pointer_, proofArr_)
769
+
770
+ verified_ := and(verified_, calculateD(pointer_, proofArr_))
771
+ verified_ := and(verified_, calculateF(pointer_, proofArr_))
772
+ verified_ := and(verified_, calculateE(pointer_, proofArr_))
773
+ verified_ := and(verified_, checkPairing(pointer_, proofArr_))
774
+ }
775
+
776
+ mstore(64, sub(pointer_, P_TOTAL_SIZE))
678
777
  }
679
-
680
778
  }
681
- }
779
+ }