@zkasm/zkevm-rom 0.0.1-security → 6.0.1

package/main/pairings/BN254/lineSamePointsBN254.zkasm

@@ -0,0 +1,96 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; PRE: P ∈ E'(Fp2) and Q ∈ E(Fp)
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; lineSamePointsBN254:
+;;              in: P = (P.x1 + P.x2·u, P.y1 + P.y2·u) ∈ E'(Fp2) and Q = (Q.x,Q.y) ∈ E(Fp)
+;;             out: line_{twist(P), twist(P)}(Q) = (3·P.x1³ - 2·P.y1²)·(9 + u) + (2·Q.y·P.y1)·w³ + (-3·Q.x·P.x1²)·w⁴ ∈ Fp12
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; The precondition is ensured by the pairing.
+; However, it must be implemented if lineSamePointsBN254 wants to be used independently.
+
+VAR GLOBAL lineSamePointsBN254_P_x1
+VAR GLOBAL lineSamePointsBN254_P_x2
+VAR GLOBAL lineSamePointsBN254_P_y1
+VAR GLOBAL lineSamePointsBN254_P_y2
+VAR GLOBAL lineSamePointsBN254_Q_x
+VAR GLOBAL lineSamePointsBN254_Q_y
+
+VAR GLOBAL lineSamePointsBN254_P_x1_square
+VAR GLOBAL lineSamePointsBN254_P_x2_square
+VAR GLOBAL lineSamePointsBN254_P_y1_square
+VAR GLOBAL lineSamePointsBN254_P_y2_square
+
+VAR GLOBAL lineSamePointsBN254_l11_x
+VAR GLOBAL lineSamePointsBN254_l11_y
+VAR GLOBAL lineSamePointsBN254_l13_x
+VAR GLOBAL lineSamePointsBN254_l13_y
+VAR GLOBAL lineSamePointsBN254_l22_x
+VAR GLOBAL lineSamePointsBN254_l22_y
+
+VAR GLOBAL lineSamePointsBN254_RR
+
+lineSamePointsBN254:
+        RR              :MSTORE(lineSamePointsBN254_RR)
+
+        ; 1] (3·P.x1³ - 2·P.y1²)·(9 + u)
+        $ => A          :MLOAD(lineSamePointsBN254_P_y1)
+        $ => B          :MLOAD(lineSamePointsBN254_P_y2), CALL(squareFp2BN254)
+        C => D
+        E => C
+        2n => A         :CALL(escalarMulFp2BN254)
+        E               :MSTORE(lineSamePointsBN254_P_y1_square)
+        C               :MSTORE(lineSamePointsBN254_P_y2_square)
+
+        $ => A          :MLOAD(lineSamePointsBN254_P_x1)
+        $ => B          :MLOAD(lineSamePointsBN254_P_x2), CALL(squareFp2BN254)
+        ; save it for the last step
+        E               :MSTORE(lineSamePointsBN254_P_x1_square)
+        C               :MSTORE(lineSamePointsBN254_P_x2_square)
+        E => A
+        C => B
+        $ => C          :MLOAD(lineSamePointsBN254_P_x1)
+        $ => D          :MLOAD(lineSamePointsBN254_P_x2), CALL(mulFp2BN254)
+        C => D
+        E => C
+        3n => A         :CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(lineSamePointsBN254_P_y1_square)
+        $ => D          :MLOAD(lineSamePointsBN254_P_y2_square), CALL(subFp2BN254)
+
+        E => A
+        C => B
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+
+        E               :MSTORE(lineSamePointsBN254_l11_x)
+        C               :MSTORE(lineSamePointsBN254_l11_y)
+
+
+        ; 2] 2·Q.y·P.y1
+        2n => A
+        $ => B          :MLOAD(lineSamePointsBN254_Q_y), CALL(mulFpBN254)
+
+        C => A
+        $ => C          :MLOAD(lineSamePointsBN254_P_y1)
+        $ => D          :MLOAD(lineSamePointsBN254_P_y2), CALL(escalarMulFp2BN254)
+
+        E               :MSTORE(lineSamePointsBN254_l22_x)
+        C               :MSTORE(lineSamePointsBN254_l22_y)
+
+        ; 3] -3·Q.x·P.x1²
+        %BN254_P - 3n => A ; This clearly assumes that %BN254_P >= 3n
+        $ => B          :MLOAD(lineSamePointsBN254_Q_x), CALL(mulFpBN254)
+        C => A
+        $ => C          :MLOAD(lineSamePointsBN254_P_x1_square)
+        $ => D          :MLOAD(lineSamePointsBN254_P_x2_square), CALL(escalarMulFp2BN254)
+
+        E               :MSTORE(lineSamePointsBN254_l13_x)
+        C               :MSTORE(lineSamePointsBN254_l13_y)
+
+        $ => RR         :MLOAD(lineSamePointsBN254_RR)
+                        :RETURN

package/main/pairings/FP12BN254/CYCLOFP12BN254/compressFp12BN254.zkasm

@@ -0,0 +1,49 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;; compressFp12BN254:
+;;             in: a = a0 + a2·w + a4·w² + a1·w³ + a3·w⁴ + a5·w⁵ ∈ GΦ6(p²), where ai ∈ Fp2
+;;             out: C(a) = [a2,a3,a4,a5] ∈ Fp2⁴
+;;
+;; NOTE: If the input does not belong to the cyclotomic subgroup GΦ6(p²), then the compression-decompression
+;;       technique is not well defined. This means that D(C(a)) != a.
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL compressFp12BN254_a0_x
+VAR GLOBAL compressFp12BN254_a0_y
+VAR GLOBAL compressFp12BN254_a2_x
+VAR GLOBAL compressFp12BN254_a2_y
+VAR GLOBAL compressFp12BN254_a4_x
+VAR GLOBAL compressFp12BN254_a4_y
+VAR GLOBAL compressFp12BN254_a1_x
+VAR GLOBAL compressFp12BN254_a1_y
+VAR GLOBAL compressFp12BN254_a3_x
+VAR GLOBAL compressFp12BN254_a3_y
+VAR GLOBAL compressFp12BN254_a5_x
+VAR GLOBAL compressFp12BN254_a5_y
+VAR GLOBAL compressFp12BN254_Ca2_x
+VAR GLOBAL compressFp12BN254_Ca2_y
+VAR GLOBAL compressFp12BN254_Ca3_x
+VAR GLOBAL compressFp12BN254_Ca3_y
+VAR GLOBAL compressFp12BN254_Ca4_x
+VAR GLOBAL compressFp12BN254_Ca4_y
+VAR GLOBAL compressFp12BN254_Ca5_x
+VAR GLOBAL compressFp12BN254_Ca5_y
+
+compressFp12BN254:
+        $ => A          :MLOAD(compressFp12BN254_a2_x)
+        $ => B          :MLOAD(compressFp12BN254_a2_y)
+        A               :MSTORE(compressFp12BN254_Ca2_x)
+        B               :MSTORE(compressFp12BN254_Ca2_y)
+        $ => A          :MLOAD(compressFp12BN254_a3_x)
+        $ => B          :MLOAD(compressFp12BN254_a3_y)
+        A               :MSTORE(compressFp12BN254_Ca3_x)
+        B               :MSTORE(compressFp12BN254_Ca3_y)
+        $ => A          :MLOAD(compressFp12BN254_a4_x)
+        $ => B          :MLOAD(compressFp12BN254_a4_y)
+        A               :MSTORE(compressFp12BN254_Ca4_x)
+        B               :MSTORE(compressFp12BN254_Ca4_y)
+        $ => A          :MLOAD(compressFp12BN254_a5_x)
+        $ => B          :MLOAD(compressFp12BN254_a5_y)
+        A               :MSTORE(compressFp12BN254_Ca5_x)
+        B               :MSTORE(compressFp12BN254_Ca5_y)
+                        :RETURN

package/main/pairings/FP12BN254/CYCLOFP12BN254/decompressFp12BN254.zkasm

@@ -0,0 +1,236 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; decompressFp12BN254:
+;;             in: [a2,a3,a4,a5] ∈ Fp2⁴, where ai ∈ Fp2
+;;             out: D(a) = a0 + a2·w + a4·w² + a1·w³ + a3·w⁴ + a5·w⁵ ∈ GΦ6(p²), where:
+;;                  - if a2 != 0, then:
+;;                      · a1 = (a5²·(9+u) + 3·a4² - 2·a3)/(4·a2)
+;;                      · a0 = (2·a1² + a2·a5 - 3·a3·a4)(9+u) + 1
+;;                  - if a2 == 0, then:
+;;                      · a1 = (2·a4·a5)/a3
+;;                      · a0 = (2·a1² - 3·a3·a4)(9+u) + 1
+;;
+;; NOTE: If the input is not of the form C(a), where a ∈ GΦ6(p²), then the compression-decompression
+;;       technique is not well defined. This means that D(C(a)) != a.
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL decompressFp12BN254_Ca2_x
+VAR GLOBAL decompressFp12BN254_Ca2_y
+VAR GLOBAL decompressFp12BN254_Ca3_x
+VAR GLOBAL decompressFp12BN254_Ca3_y
+VAR GLOBAL decompressFp12BN254_Ca4_x
+VAR GLOBAL decompressFp12BN254_Ca4_y
+VAR GLOBAL decompressFp12BN254_Ca5_x
+VAR GLOBAL decompressFp12BN254_Ca5_y
+VAR GLOBAL decompressFp12BN254_a0_x
+VAR GLOBAL decompressFp12BN254_a0_y
+VAR GLOBAL decompressFp12BN254_a2_x
+VAR GLOBAL decompressFp12BN254_a2_y
+VAR GLOBAL decompressFp12BN254_a4_x
+VAR GLOBAL decompressFp12BN254_a4_y
+VAR GLOBAL decompressFp12BN254_a1_x
+VAR GLOBAL decompressFp12BN254_a1_y
+VAR GLOBAL decompressFp12BN254_a3_x
+VAR GLOBAL decompressFp12BN254_a3_y
+VAR GLOBAL decompressFp12BN254_a5_x
+VAR GLOBAL decompressFp12BN254_a5_y
+
+VAR GLOBAL decompressFp12BN254_Ca3inv_x
+VAR GLOBAL decompressFp12BN254_Ca3inv_y
+VAR GLOBAL decompressFp12BN254_twoCa1sq_x
+VAR GLOBAL decompressFp12BN254_twoCa1sq_y
+VAR GLOBAL decompressFp12BN254_threeCa3Ca4_x
+VAR GLOBAL decompressFp12BN254_threeCa3Ca4_y
+
+VAR GLOBAL decompressFp12BN254_fourCa2inv_x
+VAR GLOBAL decompressFp12BN254_fourCa2inv_y
+VAR GLOBAL decompressFp12BN254_twoCa1sq2_x
+VAR GLOBAL decompressFp12BN254_twoCa1sq2_y
+VAR GLOBAL decompressFp12BN254_Ca5sq_x
+VAR GLOBAL decompressFp12BN254_Ca5sq_y
+VAR GLOBAL decompressFp12BN254_threeCa4sq_x
+VAR GLOBAL decompressFp12BN254_threeCa4sq_y
+VAR GLOBAL decompressFp12BN254_sum_x
+VAR GLOBAL decompressFp12BN254_sum_y
+
+VAR GLOBAL decompressFp12BN254_RR
+
+decompressFp12BN254:
+        RR              :MSTORE(decompressFp12BN254_RR)
+
+        ; Move Ca2, Ca3, Ca4, Ca5 to a2, a3, a4, a5
+        $ => A          :MLOAD(decompressFp12BN254_Ca2_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca2_y)
+        A               :MSTORE(decompressFp12BN254_a2_x)
+        B               :MSTORE(decompressFp12BN254_a2_y)
+        $ => A          :MLOAD(decompressFp12BN254_Ca3_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca3_y)
+        A               :MSTORE(decompressFp12BN254_a3_x)
+        B               :MSTORE(decompressFp12BN254_a3_y)
+        $ => A          :MLOAD(decompressFp12BN254_Ca4_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca4_y)
+        A               :MSTORE(decompressFp12BN254_a4_x)
+        B               :MSTORE(decompressFp12BN254_a4_y)
+        $ => A          :MLOAD(decompressFp12BN254_Ca5_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca5_y)
+        A               :MSTORE(decompressFp12BN254_a5_x)
+        B               :MSTORE(decompressFp12BN254_a5_y)
+
+        ; Is Ca2 = 0?
+        0n => B
+        $ => A  :MLOAD(decompressFp12BN254_Ca2_x)
+        $       :EQ, JMPNC(__decompressFp12BN254_Ca2_continue)
+        $ => A  :MLOAD(decompressFp12BN254_Ca2_y)
+        $       :EQ, JMPC(decompressFp12BN254_Ca2_is_zero)
+                __decompressFp12BN254_Ca2_continue:
+
+                        :JMP(decompressFp12BN254_Ca2_is_not_zero)
+
+decompressFp12BN254_Ca2_is_zero:
+        ; 1] Compute a1 = (2·a4·a5)/a3
+        $ => A          :MLOAD(decompressFp12BN254_Ca3_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca3_y), CALL(invFp2BN254)
+        C               :MSTORE(decompressFp12BN254_Ca3inv_x)
+        D               :MSTORE(decompressFp12BN254_Ca3inv_y)
+
+        2n => A
+        $ => C          :MLOAD(decompressFp12BN254_Ca4_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca4_y), CALL(escalarMulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(decompressFp12BN254_Ca5_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca5_y), CALL(mulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(decompressFp12BN254_Ca3inv_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca3inv_y), CALL(mulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_a1_x)
+        C               :MSTORE(decompressFp12BN254_a1_y)
+
+        ; 2] Compute a0 = (2·a1² - 3·a3·a4)(9+u) + 1
+        $ => A          :MLOAD(decompressFp12BN254_a1_x)
+        $ => B          :MLOAD(decompressFp12BN254_a1_y), CALL(squareFp2BN254)
+        2n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_twoCa1sq_x)
+        C               :MSTORE(decompressFp12BN254_twoCa1sq_y)
+
+        3n => A
+        $ => C          :MLOAD(decompressFp12BN254_Ca3_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca3_y), CALL(escalarMulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(decompressFp12BN254_Ca4_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca4_y), CALL(mulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_threeCa3Ca4_x)
+        C               :MSTORE(decompressFp12BN254_threeCa3Ca4_y)
+
+        $ => A          :MLOAD(decompressFp12BN254_twoCa1sq_x)
+        $ => B          :MLOAD(decompressFp12BN254_twoCa1sq_y)
+        C => D
+        E => C          :CALL(subFp2BN254)
+        E => A
+        C => B
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+        C               :MSTORE(decompressFp12BN254_a0_y)
+        E => A
+        1n => C         :CALL(addFpBN254)
+        C               :MSTORE(decompressFp12BN254_a0_x)
+
+                        :JMP(decompressFp12BN254_end)
+
+
+decompressFp12BN254_Ca2_is_not_zero:
+        ; 1] Compute a1 = (a5²·(9+u) + 3·a4² - 2·a3)/(4·a2)
+        4n => A
+        $ => C          :MLOAD(decompressFp12BN254_Ca2_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca2_y), CALL(escalarMulFp2BN254)
+        E => A
+        C => B          :CALL(invFp2BN254)
+        C               :MSTORE(decompressFp12BN254_fourCa2inv_x)
+        D               :MSTORE(decompressFp12BN254_fourCa2inv_y)
+
+        $ => A          :MLOAD(decompressFp12BN254_Ca5_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca5_y), CALL(squareFp2BN254)
+        E => A
+        C => B
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_Ca5sq_x)
+        C               :MSTORE(decompressFp12BN254_Ca5sq_y)
+
+        $ => A          :MLOAD(decompressFp12BN254_Ca4_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca4_y), CALL(squareFp2BN254)
+        3n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_threeCa4sq_x)
+        C               :MSTORE(decompressFp12BN254_threeCa4sq_y)
+
+        2n => A
+        $ => C          :MLOAD(decompressFp12BN254_Ca3_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca3_y), CALL(escalarMulFp2BN254)
+        $ => A          :MLOAD(decompressFp12BN254_threeCa4sq_x)
+        $ => B          :MLOAD(decompressFp12BN254_threeCa4sq_y)
+        C => D
+        E => C          :CALL(subFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(decompressFp12BN254_Ca5sq_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca5sq_y), CALL(addFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(decompressFp12BN254_fourCa2inv_x)
+        $ => D          :MLOAD(decompressFp12BN254_fourCa2inv_y), CALL(mulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_a1_x)
+        C               :MSTORE(decompressFp12BN254_a1_y)
+
+        ; 2] Compute a0 = (2·a1² + a2·a5 - 3·a3·a4)(9+u) + 1
+        $ => A          :MLOAD(decompressFp12BN254_a1_x)
+        $ => B          :MLOAD(decompressFp12BN254_a1_y), CALL(squareFp2BN254)
+        2n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E               :MSTORE(decompressFp12BN254_twoCa1sq2_x)
+        C               :MSTORE(decompressFp12BN254_twoCa1sq2_y)
+
+        $ => A          :MLOAD(decompressFp12BN254_Ca2_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca2_y)
+        $ => C          :MLOAD(decompressFp12BN254_Ca5_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca5_y), CALL(mulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(decompressFp12BN254_twoCa1sq2_x)
+        $ => D          :MLOAD(decompressFp12BN254_twoCa1sq2_y), CALL(addFp2BN254)
+
+        E               :MSTORE(decompressFp12BN254_sum_x)
+        C               :MSTORE(decompressFp12BN254_sum_y)
+
+        $ => A          :MLOAD(decompressFp12BN254_Ca3_x)
+        $ => B          :MLOAD(decompressFp12BN254_Ca3_y)
+        $ => C          :MLOAD(decompressFp12BN254_Ca4_x)
+        $ => D          :MLOAD(decompressFp12BN254_Ca4_y), CALL(mulFp2BN254)
+        3n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        $ => A          :MLOAD(decompressFp12BN254_sum_x)
+        $ => B          :MLOAD(decompressFp12BN254_sum_y)
+        C => D
+        E => C          :CALL(subFp2BN254)
+        E => A
+        C => B
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+        C               :MSTORE(decompressFp12BN254_a0_y)
+        E => A
+        1n => C         :CALL(addFpBN254)
+        C               :MSTORE(decompressFp12BN254_a0_x)
+
+                        :JMP(decompressFp12BN254_end)
+
+decompressFp12BN254_end:
+        $ => RR         :MLOAD(decompressFp12BN254_RR)
+                        :RETURN