@zkasm/zkevm-rom 0.0.1-security → 6.0.1

package/main/pairings/FP12BN254/CYCLOFP12BN254/squareCycloFp12BN254.zkasm

@@ -0,0 +1,228 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP4/FP2 arithmetic
+;;
+;; squareCycloFp12BN254:
+;;             in:  (a1 + a2·w) ∈ GΦ6(p²), where ai ∈ Fp6
+;;             out: (c1 + c2·w) = (a1 + a2·w)² ∈ GΦ6(p²)
+;;
+;; NOTE: The output is not guaranteed to be in GΦ6(p²), if the input isn't.
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL squareCycloFp12BN254_a11_x
+VAR GLOBAL squareCycloFp12BN254_a11_y
+VAR GLOBAL squareCycloFp12BN254_a12_x
+VAR GLOBAL squareCycloFp12BN254_a12_y
+VAR GLOBAL squareCycloFp12BN254_a13_x
+VAR GLOBAL squareCycloFp12BN254_a13_y
+VAR GLOBAL squareCycloFp12BN254_a21_x
+VAR GLOBAL squareCycloFp12BN254_a21_y
+VAR GLOBAL squareCycloFp12BN254_a22_x
+VAR GLOBAL squareCycloFp12BN254_a22_y
+VAR GLOBAL squareCycloFp12BN254_a23_x
+VAR GLOBAL squareCycloFp12BN254_a23_y
+VAR GLOBAL squareCycloFp12BN254_c11_x
+VAR GLOBAL squareCycloFp12BN254_c11_y
+VAR GLOBAL squareCycloFp12BN254_c12_x
+VAR GLOBAL squareCycloFp12BN254_c12_y
+VAR GLOBAL squareCycloFp12BN254_c13_x
+VAR GLOBAL squareCycloFp12BN254_c13_y
+VAR GLOBAL squareCycloFp12BN254_c21_x
+VAR GLOBAL squareCycloFp12BN254_c21_y
+VAR GLOBAL squareCycloFp12BN254_c22_x
+VAR GLOBAL squareCycloFp12BN254_c22_y
+VAR GLOBAL squareCycloFp12BN254_c23_x
+VAR GLOBAL squareCycloFp12BN254_c23_y
+
+VAR GLOBAL squareCycloFp12BN254_t11_x
+VAR GLOBAL squareCycloFp12BN254_t11_y
+VAR GLOBAL squareCycloFp12BN254_t22_x
+VAR GLOBAL squareCycloFp12BN254_t22_y
+VAR GLOBAL squareCycloFp12BN254_t23_x
+VAR GLOBAL squareCycloFp12BN254_t23_y
+VAR GLOBAL squareCycloFp12BN254_t12_x
+VAR GLOBAL squareCycloFp12BN254_t12_y
+VAR GLOBAL squareCycloFp12BN254_t13_x
+VAR GLOBAL squareCycloFp12BN254_t13_y
+VAR GLOBAL squareCycloFp12BN254_aux_x
+VAR GLOBAL squareCycloFp12BN254_aux_y
+VAR GLOBAL squareCycloFp12BN254_t21_x
+VAR GLOBAL squareCycloFp12BN254_t21_y
+
+VAR GLOBAL squareCycloFp12BN254_RR
+
+squareCycloFp12BN254:
+        RR              :MSTORE(squareCycloFp12BN254_RR)
+
+        ; 1] [t11,t22] = (a11 + a22·V)²
+        $ => A          :MLOAD(squareCycloFp12BN254_a11_x)
+        $ => B          :MLOAD(squareCycloFp12BN254_a11_y)
+        $ => C          :MLOAD(squareCycloFp12BN254_a22_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a22_y)
+        A               :MSTORE(squareFp4BN254_a1_x)
+        B               :MSTORE(squareFp4BN254_a1_y)
+        C               :MSTORE(squareFp4BN254_a2_x)
+        D               :MSTORE(squareFp4BN254_a2_y), CALL(squareFp4BN254)
+        $ => A          :MLOAD(squareFp4BN254_c1_x)
+        $ => B          :MLOAD(squareFp4BN254_c1_y)
+        $ => C          :MLOAD(squareFp4BN254_c2_x)
+        $ => D          :MLOAD(squareFp4BN254_c2_y)
+        A               :MSTORE(squareCycloFp12BN254_t11_x)
+        B               :MSTORE(squareCycloFp12BN254_t11_y)
+        C               :MSTORE(squareCycloFp12BN254_t22_x)
+        D               :MSTORE(squareCycloFp12BN254_t22_y)
+
+        ; 2] [t23,t12] = (a21 + a13·V)²
+        $ => A          :MLOAD(squareCycloFp12BN254_a21_x)
+        $ => B          :MLOAD(squareCycloFp12BN254_a21_y)
+        $ => C          :MLOAD(squareCycloFp12BN254_a13_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a13_y)
+        A               :MSTORE(squareFp4BN254_a1_x)
+        B               :MSTORE(squareFp4BN254_a1_y)
+        C               :MSTORE(squareFp4BN254_a2_x)
+        D               :MSTORE(squareFp4BN254_a2_y), CALL(squareFp4BN254)
+        $ => A          :MLOAD(squareFp4BN254_c1_x)
+        $ => B          :MLOAD(squareFp4BN254_c1_y)
+        $ => C          :MLOAD(squareFp4BN254_c2_x)
+        $ => D          :MLOAD(squareFp4BN254_c2_y)
+        A               :MSTORE(squareCycloFp12BN254_t23_x)
+        B               :MSTORE(squareCycloFp12BN254_t23_y)
+        C               :MSTORE(squareCycloFp12BN254_t12_x)
+        D               :MSTORE(squareCycloFp12BN254_t12_y)
+
+        ; 3] [t13,aux] = (a12 + a23·V)²
+        $ => A          :MLOAD(squareCycloFp12BN254_a12_x)
+        $ => B          :MLOAD(squareCycloFp12BN254_a12_y)
+        $ => C          :MLOAD(squareCycloFp12BN254_a23_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a23_y)
+        A               :MSTORE(squareFp4BN254_a1_x)
+        B               :MSTORE(squareFp4BN254_a1_y)
+        C               :MSTORE(squareFp4BN254_a2_x)
+        D               :MSTORE(squareFp4BN254_a2_y), CALL(squareFp4BN254)
+        $ => A          :MLOAD(squareFp4BN254_c1_x)
+        $ => B          :MLOAD(squareFp4BN254_c1_y)
+        $ => C          :MLOAD(squareFp4BN254_c2_x)
+        $ => D          :MLOAD(squareFp4BN254_c2_y)
+        A               :MSTORE(squareCycloFp12BN254_t13_x)
+        B               :MSTORE(squareCycloFp12BN254_t13_y)
+        C               :MSTORE(squareCycloFp12BN254_aux_x)
+        D               :MSTORE(squareCycloFp12BN254_aux_y)
+
+        ; 4] t21 = aux·(9+u)
+        $ => A          :MLOAD(squareCycloFp12BN254_aux_x)
+        $ => B          :MLOAD(squareCycloFp12BN254_aux_y)
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_t21_x)
+        C               :MSTORE(squareCycloFp12BN254_t21_y)
+
+       ; 5] c11 = -2·a11 + 3·t11
+        %BN254_P - 2n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_a11_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a11_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_a11_x)
+        C               :MSTORE(squareCycloFp12BN254_a11_y)
+
+        3n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_t11_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_t11_y), CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCycloFp12BN254_a11_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a11_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_c11_x)
+        C               :MSTORE(squareCycloFp12BN254_c11_y)
+
+       ; 6] c12 = -2·a12 + 3·t23
+        %BN254_P - 2n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_a12_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a12_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_a12_x)
+        C               :MSTORE(squareCycloFp12BN254_a12_y)
+
+        3n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_t23_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_t23_y), CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCycloFp12BN254_a12_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a12_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_c12_x)
+        C               :MSTORE(squareCycloFp12BN254_c12_y)
+
+       ; 7] c13 = -2·a13 + 3·t13
+        %BN254_P - 2n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_a13_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a13_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_a13_x)
+        C               :MSTORE(squareCycloFp12BN254_a13_y)
+
+        3n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_t13_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_t13_y), CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCycloFp12BN254_a13_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a13_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_c13_x)
+        C               :MSTORE(squareCycloFp12BN254_c13_y)
+
+       ; 8] c21 = 2·a21 + 3·t21
+        2n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_a21_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a21_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_a21_x)
+        C               :MSTORE(squareCycloFp12BN254_a21_y)
+
+        3n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_t21_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_t21_y), CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCycloFp12BN254_a21_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a21_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_c21_x)
+        C               :MSTORE(squareCycloFp12BN254_c21_y)
+
+       ; 9] c22 = 2·a22 + 3·t22
+        2n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_a22_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a22_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_a22_x)
+        C               :MSTORE(squareCycloFp12BN254_a22_y)
+
+        3n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_t22_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_t22_y), CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCycloFp12BN254_a22_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a22_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_c22_x)
+        C               :MSTORE(squareCycloFp12BN254_c22_y)
+
+       ; 9] c23 = 2·a23 + 3·t12
+        2n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_a23_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a23_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_a23_x)
+        C               :MSTORE(squareCycloFp12BN254_a23_y)
+
+        3n => A
+        $ => C          :MLOAD(squareCycloFp12BN254_t12_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_t12_y), CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCycloFp12BN254_a23_x)
+        $ => D          :MLOAD(squareCycloFp12BN254_a23_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCycloFp12BN254_c23_x)
+        C               :MSTORE(squareCycloFp12BN254_c23_y)
+
+
+        $ => RR         :MLOAD(squareCycloFp12BN254_RR)
+                        :RETURN

package/main/pairings/FP12BN254/CYCLOFP12BN254/xBinDecompBN254.zkasm

@@ -0,0 +1,64 @@
+;;
+;; parameter of BN254 x = 4965661367192848881, which can be expressed in (little-endian) binary as:
+;;           100011111001000010010110010100100010110101001001100101110010001
+;;
+
+xBinDecompBN254:
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    0 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN
+    1 => B                                                                :RETURN

package/main/pairings/FP12BN254/frob2Fp12BN254.zkasm

@@ -0,0 +1,80 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; frob2Fp12BN254:
+;;             in: (a1 + a2·w) = ((a11 + a12v + a13v²) + (a21 + a22v + a23v²)) ∈ Fp12, where ai ∈ Fp6 and aij ∈ Fp2
+;;             out: (a1 + a2·w)ᵖ˙ᵖ = (c1 + c2·w) ∈ Fp12, where:
+;;                  - c1 = a11     + a12·γ22·v + a13·γ24·v²
+;;                  - c2 = a21·γ21 + a22·γ23·v + a23·γ25·v²
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL frob2Fp12BN254_a11_x
+VAR GLOBAL frob2Fp12BN254_a11_y
+VAR GLOBAL frob2Fp12BN254_a12_x
+VAR GLOBAL frob2Fp12BN254_a12_y
+VAR GLOBAL frob2Fp12BN254_a13_x
+VAR GLOBAL frob2Fp12BN254_a13_y
+VAR GLOBAL frob2Fp12BN254_a21_x
+VAR GLOBAL frob2Fp12BN254_a21_y
+VAR GLOBAL frob2Fp12BN254_a22_x
+VAR GLOBAL frob2Fp12BN254_a22_y
+VAR GLOBAL frob2Fp12BN254_a23_x
+VAR GLOBAL frob2Fp12BN254_a23_y
+VAR GLOBAL frob2Fp12BN254_c11_x
+VAR GLOBAL frob2Fp12BN254_c11_y
+VAR GLOBAL frob2Fp12BN254_c12_x
+VAR GLOBAL frob2Fp12BN254_c12_y
+VAR GLOBAL frob2Fp12BN254_c13_x
+VAR GLOBAL frob2Fp12BN254_c13_y
+VAR GLOBAL frob2Fp12BN254_c21_x
+VAR GLOBAL frob2Fp12BN254_c21_y
+VAR GLOBAL frob2Fp12BN254_c22_x
+VAR GLOBAL frob2Fp12BN254_c22_y
+VAR GLOBAL frob2Fp12BN254_c23_x
+VAR GLOBAL frob2Fp12BN254_c23_y
+
+VAR GLOBAL frob2Fp12BN254_RR
+
+frob2Fp12BN254:
+        RR              :MSTORE(frob2Fp12BN254_RR)
+
+        ; 1] c1 = a11 + a12·γ22·v + a13·γ24·v²
+        $ => A          :MLOAD(frob2Fp12BN254_a11_x)
+        $ => B          :MLOAD(frob2Fp12BN254_a11_y)
+        A               :MSTORE(frob2Fp12BN254_c11_x)
+        B               :MSTORE(frob2Fp12BN254_c11_y)
+
+        %FROBENIUS_GAMMA22 => A
+        $ => C          :MLOAD(frob2Fp12BN254_a12_x)
+        $ => D          :MLOAD(frob2Fp12BN254_a12_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(frob2Fp12BN254_c12_x)
+        C               :MSTORE(frob2Fp12BN254_c12_y)
+
+        %FROBENIUS_GAMMA24 => A
+        $ => C          :MLOAD(frob2Fp12BN254_a13_x)
+        $ => D          :MLOAD(frob2Fp12BN254_a13_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(frob2Fp12BN254_c13_x)
+        C               :MSTORE(frob2Fp12BN254_c13_y)
+
+        ; 2] c2 = a21·γ21 + a22·γ23·v + a23·γ25·v²
+        %FROBENIUS_GAMMA21 => A
+        $ => C          :MLOAD(frob2Fp12BN254_a21_x)
+        $ => D          :MLOAD(frob2Fp12BN254_a21_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(frob2Fp12BN254_c21_x)
+        C               :MSTORE(frob2Fp12BN254_c21_y)
+
+        %FROBENIUS_GAMMA23 => A
+        $ => C          :MLOAD(frob2Fp12BN254_a22_x)
+        $ => D          :MLOAD(frob2Fp12BN254_a22_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(frob2Fp12BN254_c22_x)
+        C               :MSTORE(frob2Fp12BN254_c22_y)
+
+        %FROBENIUS_GAMMA25 => A
+        $ => C          :MLOAD(frob2Fp12BN254_a23_x)
+        $ => D          :MLOAD(frob2Fp12BN254_a23_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(frob2Fp12BN254_c23_x)
+        C               :MSTORE(frob2Fp12BN254_c23_y)
+
+        $ => RR         :MLOAD(frob2Fp12BN254_RR)
+                        :RETURN

package/main/pairings/FP12BN254/frob3Fp12BN254.zkasm

@@ -0,0 +1,96 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; frob3Fp12BN254:
+;;             in: (a1 + a2·w) = ((a11 + a12v + a13v²) + (a21 + a22v + a23v²)) ∈ Fp12, where ai ∈ Fp6 and aij ∈ Fp2
+;;             out: (a1 + a2·w)ᵖ˙ᵖ˙ᵖ = (c1 + c2·w) ∈ Fp12, where:
+;;                  - c1 = a̅11     + a̅12·γ32·v + a̅13·γ34·v²
+;;                  - c2 = a̅21·γ31 + a̅22·γ33·v + a̅23·γ35·v²
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL frob3Fp12BN254_a11_x
+VAR GLOBAL frob3Fp12BN254_a11_y
+VAR GLOBAL frob3Fp12BN254_a12_x
+VAR GLOBAL frob3Fp12BN254_a12_y
+VAR GLOBAL frob3Fp12BN254_a13_x
+VAR GLOBAL frob3Fp12BN254_a13_y
+VAR GLOBAL frob3Fp12BN254_a21_x
+VAR GLOBAL frob3Fp12BN254_a21_y
+VAR GLOBAL frob3Fp12BN254_a22_x
+VAR GLOBAL frob3Fp12BN254_a22_y
+VAR GLOBAL frob3Fp12BN254_a23_x
+VAR GLOBAL frob3Fp12BN254_a23_y
+VAR GLOBAL frob3Fp12BN254_c11_x
+VAR GLOBAL frob3Fp12BN254_c11_y
+VAR GLOBAL frob3Fp12BN254_c12_x
+VAR GLOBAL frob3Fp12BN254_c12_y
+VAR GLOBAL frob3Fp12BN254_c13_x
+VAR GLOBAL frob3Fp12BN254_c13_y
+VAR GLOBAL frob3Fp12BN254_c21_x
+VAR GLOBAL frob3Fp12BN254_c21_y
+VAR GLOBAL frob3Fp12BN254_c22_x
+VAR GLOBAL frob3Fp12BN254_c22_y
+VAR GLOBAL frob3Fp12BN254_c23_x
+VAR GLOBAL frob3Fp12BN254_c23_y
+
+VAR GLOBAL frob3Fp12BN254_RR
+
+frob3Fp12BN254:
+        RR              :MSTORE(frob3Fp12BN254_RR)
+
+        ; 1] c1 = a̅11 + a̅12·γ32·v + a̅13·γ34·v²
+        $ => A          :MLOAD(frob3Fp12BN254_a11_x)
+        A               :MSTORE(frob3Fp12BN254_c11_x)
+        %BN254_P => A
+        $ => B      :MLOAD(frob3Fp12BN254_a11_y)
+        $           :SUB, MSTORE(frob3Fp12BN254_c11_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frob3Fp12BN254_a12_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frob3Fp12BN254_a12_x)
+        %FROBENIUS_GAMMA321 => C
+        %FROBENIUS_GAMMA322 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frob3Fp12BN254_c12_x)
+        C               :MSTORE(frob3Fp12BN254_c12_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frob3Fp12BN254_a13_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frob3Fp12BN254_a13_x)
+        %FROBENIUS_GAMMA341 => C
+        %FROBENIUS_GAMMA342 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frob3Fp12BN254_c13_x)
+        C               :MSTORE(frob3Fp12BN254_c13_y)
+
+        ; 2] c2 = a̅21·γ11 + a̅22·γ13·v + a̅23·γ15·v²
+        %BN254_P => A
+        $ => B      :MLOAD(frob3Fp12BN254_a21_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frob3Fp12BN254_a21_x)
+        %FROBENIUS_GAMMA311 => C
+        %FROBENIUS_GAMMA312 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frob3Fp12BN254_c21_x)
+        C               :MSTORE(frob3Fp12BN254_c21_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frob3Fp12BN254_a22_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frob3Fp12BN254_a22_x)
+        %FROBENIUS_GAMMA331 => C
+        %FROBENIUS_GAMMA332 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frob3Fp12BN254_c22_x)
+        C               :MSTORE(frob3Fp12BN254_c22_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frob3Fp12BN254_a23_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frob3Fp12BN254_a23_x)
+        %FROBENIUS_GAMMA351 => C
+        %FROBENIUS_GAMMA352 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frob3Fp12BN254_c23_x)
+        C               :MSTORE(frob3Fp12BN254_c23_y)
+
+        $ => RR         :MLOAD(frob3Fp12BN254_RR)
+                        :RETURN

package/main/pairings/FP12BN254/frobFp12BN254.zkasm

@@ -0,0 +1,96 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; frobFp12BN254:
+;;             in: (a1 + a2·w) = ((a11 + a12v + a13v²) + (a21 + a22v + a23v²)·w) ∈ Fp12, where ai ∈ Fp6 and aij ∈ Fp2
+;;             out: (a1 + a2·w)ᵖ = (c1 + c2·w) ∈ Fp12, where:
+;;                  - c1 = a̅11     + a̅12·γ12·v + a̅13·γ14·v²
+;;                  - c2 = a̅21·γ11 + a̅22·γ13·v + a̅23·γ15·v²
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL frobFp12BN254_a11_x
+VAR GLOBAL frobFp12BN254_a11_y
+VAR GLOBAL frobFp12BN254_a12_x
+VAR GLOBAL frobFp12BN254_a12_y
+VAR GLOBAL frobFp12BN254_a13_x
+VAR GLOBAL frobFp12BN254_a13_y
+VAR GLOBAL frobFp12BN254_a21_x
+VAR GLOBAL frobFp12BN254_a21_y
+VAR GLOBAL frobFp12BN254_a22_x
+VAR GLOBAL frobFp12BN254_a22_y
+VAR GLOBAL frobFp12BN254_a23_x
+VAR GLOBAL frobFp12BN254_a23_y
+VAR GLOBAL frobFp12BN254_c11_x
+VAR GLOBAL frobFp12BN254_c11_y
+VAR GLOBAL frobFp12BN254_c12_x
+VAR GLOBAL frobFp12BN254_c12_y
+VAR GLOBAL frobFp12BN254_c13_x
+VAR GLOBAL frobFp12BN254_c13_y
+VAR GLOBAL frobFp12BN254_c21_x
+VAR GLOBAL frobFp12BN254_c21_y
+VAR GLOBAL frobFp12BN254_c22_x
+VAR GLOBAL frobFp12BN254_c22_y
+VAR GLOBAL frobFp12BN254_c23_x
+VAR GLOBAL frobFp12BN254_c23_y
+
+VAR GLOBAL frobFp12BN254_RR
+
+frobFp12BN254:
+        RR              :MSTORE(frobFp12BN254_RR)
+
+        ; 1] c1 = a̅11 + a̅12·γ12·v + a̅13·γ14·v²
+        $ => A          :MLOAD(frobFp12BN254_a11_x)
+        A               :MSTORE(frobFp12BN254_c11_x)
+        %BN254_P => A
+        $ => B      :MLOAD(frobFp12BN254_a11_y)
+        $           :SUB, MSTORE(frobFp12BN254_c11_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frobFp12BN254_a12_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frobFp12BN254_a12_x)
+        %FROBENIUS_GAMMA121 => C
+        %FROBENIUS_GAMMA122 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frobFp12BN254_c12_x)
+        C               :MSTORE(frobFp12BN254_c12_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frobFp12BN254_a13_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frobFp12BN254_a13_x)
+        %FROBENIUS_GAMMA141 => C
+        %FROBENIUS_GAMMA142 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frobFp12BN254_c13_x)
+        C               :MSTORE(frobFp12BN254_c13_y)
+
+        ; 2] c2 = a̅21·γ11 + a̅22·γ13·v + a̅23·γ15·v²
+        %BN254_P => A
+        $ => B      :MLOAD(frobFp12BN254_a21_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frobFp12BN254_a21_x)
+        %FROBENIUS_GAMMA111 => C
+        %FROBENIUS_GAMMA112 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frobFp12BN254_c21_x)
+        C               :MSTORE(frobFp12BN254_c21_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frobFp12BN254_a22_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frobFp12BN254_a22_x)
+        %FROBENIUS_GAMMA131 => C
+        %FROBENIUS_GAMMA132 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frobFp12BN254_c22_x)
+        C               :MSTORE(frobFp12BN254_c22_y)
+
+        %BN254_P => A
+        $ => B      :MLOAD(frobFp12BN254_a23_y)
+        $ => B      :SUB
+        $ => A          :MLOAD(frobFp12BN254_a23_x)
+        %FROBENIUS_GAMMA151 => C
+        %FROBENIUS_GAMMA152 => D        :CALL(mulFp2BN254)
+        E               :MSTORE(frobFp12BN254_c23_x)
+        C               :MSTORE(frobFp12BN254_c23_y)
+
+        $ => RR         :MLOAD(frobFp12BN254_RR)
+                        :RETURN