@zkasm/zkevm-rom 0.0.1-security → 6.0.1

package/main/pairings/millerLoopBN254.zkasm

@@ -0,0 +1,741 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP12 arithmetic
+;;
+;;  millerLoopBN254:
+;;          input: P ∈ G1 and Q ∈ G2
+;;          output: f_{r,Q}(P) ∈ Fp12
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL millerLoopBN254_P_x
+VAR GLOBAL millerLoopBN254_P_y
+VAR GLOBAL millerLoopBN254_Q_x1
+VAR GLOBAL millerLoopBN254_Q_x2
+VAR GLOBAL millerLoopBN254_Q_y1
+VAR GLOBAL millerLoopBN254_Q_y2
+
+VAR GLOBAL millerLoopBN254_Frobenius1_Q_x1
+VAR GLOBAL millerLoopBN254_Frobenius1_Q_x2
+VAR GLOBAL millerLoopBN254_Frobenius1_Q_y1
+VAR GLOBAL millerLoopBN254_Frobenius1_Q_y2
+VAR GLOBAL millerLoopBN254_nFrobenius2_Q_x1
+VAR GLOBAL millerLoopBN254_nFrobenius2_Q_x2
+
+VAR GLOBAL millerLoopBN254_R_x1
+VAR GLOBAL millerLoopBN254_R_x2
+VAR GLOBAL millerLoopBN254_R_y1
+VAR GLOBAL millerLoopBN254_R_y2
+VAR GLOBAL millerLoopBN254_f11_x
+VAR GLOBAL millerLoopBN254_f11_y
+VAR GLOBAL millerLoopBN254_f12_x
+VAR GLOBAL millerLoopBN254_f12_y
+VAR GLOBAL millerLoopBN254_f13_x
+VAR GLOBAL millerLoopBN254_f13_y
+VAR GLOBAL millerLoopBN254_f21_x
+VAR GLOBAL millerLoopBN254_f21_y
+VAR GLOBAL millerLoopBN254_f22_x
+VAR GLOBAL millerLoopBN254_f22_y
+VAR GLOBAL millerLoopBN254_f23_x
+VAR GLOBAL millerLoopBN254_f23_y
+VAR GLOBAL millerLoopBN254_fsquare11_x
+VAR GLOBAL millerLoopBN254_fsquare11_y
+VAR GLOBAL millerLoopBN254_fsquare12_x
+VAR GLOBAL millerLoopBN254_fsquare12_y
+VAR GLOBAL millerLoopBN254_fsquare13_x
+VAR GLOBAL millerLoopBN254_fsquare13_y
+VAR GLOBAL millerLoopBN254_fsquare21_x
+VAR GLOBAL millerLoopBN254_fsquare21_y
+VAR GLOBAL millerLoopBN254_fsquare22_x
+VAR GLOBAL millerLoopBN254_fsquare22_y
+VAR GLOBAL millerLoopBN254_fsquare23_x
+VAR GLOBAL millerLoopBN254_fsquare23_y
+
+VAR GLOBAL millerLoopBN254_RR
+
+millerLoopBN254:
+    RR          :MSTORE(millerLoopBN254_RR)
+
+    65 => RCX
+
+    ; Initiliaze Miller loop with R = Q and f = 1
+    $ => A      :MLOAD(millerLoopBN254_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Q_x2)
+    $ => C      :MLOAD(millerLoopBN254_Q_y1)
+    $ => D      :MLOAD(millerLoopBN254_Q_y2)
+    A           :MSTORE(millerLoopBN254_R_x1)
+    B           :MSTORE(millerLoopBN254_R_x2)
+    C           :MSTORE(millerLoopBN254_R_y1)
+    D           :MSTORE(millerLoopBN254_R_y2)
+    1n          :MSTORE(millerLoopBN254_f11_x)
+    0n          :MSTORE(millerLoopBN254_f11_y)
+    0n          :MSTORE(millerLoopBN254_f12_x)
+    0n          :MSTORE(millerLoopBN254_f12_y)
+    0n          :MSTORE(millerLoopBN254_f13_x)
+    0n          :MSTORE(millerLoopBN254_f13_y)
+    0n          :MSTORE(millerLoopBN254_f21_x)
+    0n          :MSTORE(millerLoopBN254_f21_y)
+    0n          :MSTORE(millerLoopBN254_f22_x)
+    0n          :MSTORE(millerLoopBN254_f22_y)
+    0n          :MSTORE(millerLoopBN254_f23_x)
+    0n          :MSTORE(millerLoopBN254_f23_y)
+
+millerLoopBN254_loop:
+    RCX - 1 => RCX    :JMPZ(millerLoopBN254_last_two_lines)
+
+    ; 1] f = f² · line_{twist(R),twist(R)}(P)
+
+    ; f²
+    $ => A      :MLOAD(millerLoopBN254_f11_x)
+    $ => B      :MLOAD(millerLoopBN254_f11_y)
+    A           :MSTORE(squareFp12BN254_a11_x)
+    B           :MSTORE(squareFp12BN254_a11_y)
+    $ => A      :MLOAD(millerLoopBN254_f12_x)
+    $ => B      :MLOAD(millerLoopBN254_f12_y)
+    A           :MSTORE(squareFp12BN254_a12_x)
+    B           :MSTORE(squareFp12BN254_a12_y)
+    $ => A      :MLOAD(millerLoopBN254_f13_x)
+    $ => B      :MLOAD(millerLoopBN254_f13_y)
+    A           :MSTORE(squareFp12BN254_a13_x)
+    B           :MSTORE(squareFp12BN254_a13_y)
+    $ => A      :MLOAD(millerLoopBN254_f21_x)
+    $ => B      :MLOAD(millerLoopBN254_f21_y)
+    A           :MSTORE(squareFp12BN254_a21_x)
+    B           :MSTORE(squareFp12BN254_a21_y)
+    $ => A      :MLOAD(millerLoopBN254_f22_x)
+    $ => B      :MLOAD(millerLoopBN254_f22_y)
+    A           :MSTORE(squareFp12BN254_a22_x)
+    B           :MSTORE(squareFp12BN254_a22_y)
+    $ => A      :MLOAD(millerLoopBN254_f23_x)
+    $ => B      :MLOAD(millerLoopBN254_f23_y)
+    A           :MSTORE(squareFp12BN254_a23_x)
+    B           :MSTORE(squareFp12BN254_a23_y), CALL(squareFp12BN254)
+
+    $ => A      :MLOAD(squareFp12BN254_c11_x)
+    $ => B      :MLOAD(squareFp12BN254_c11_y)
+    A           :MSTORE(millerLoopBN254_fsquare11_x)
+    B           :MSTORE(millerLoopBN254_fsquare11_y)
+    $ => A      :MLOAD(squareFp12BN254_c12_x)
+    $ => B      :MLOAD(squareFp12BN254_c12_y)
+    A           :MSTORE(millerLoopBN254_fsquare12_x)
+    B           :MSTORE(millerLoopBN254_fsquare12_y)
+    $ => A      :MLOAD(squareFp12BN254_c13_x)
+    $ => B      :MLOAD(squareFp12BN254_c13_y)
+    A           :MSTORE(millerLoopBN254_fsquare13_x)
+    B           :MSTORE(millerLoopBN254_fsquare13_y)
+    $ => A      :MLOAD(squareFp12BN254_c21_x)
+    $ => B      :MLOAD(squareFp12BN254_c21_y)
+    A           :MSTORE(millerLoopBN254_fsquare21_x)
+    B           :MSTORE(millerLoopBN254_fsquare21_y)
+    $ => A      :MLOAD(squareFp12BN254_c22_x)
+    $ => B      :MLOAD(squareFp12BN254_c22_y)
+    A           :MSTORE(millerLoopBN254_fsquare22_x)
+    B           :MSTORE(millerLoopBN254_fsquare22_y)
+    $ => A      :MLOAD(squareFp12BN254_c23_x)
+    $ => B      :MLOAD(squareFp12BN254_c23_y)
+    A           :MSTORE(millerLoopBN254_fsquare23_x)
+    B           :MSTORE(millerLoopBN254_fsquare23_y)
+
+    ; line_{twist(R),twist(R)}(P)
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(lineSamePointsBN254_P_x1)
+    B           :MSTORE(lineSamePointsBN254_P_x2)
+    C           :MSTORE(lineSamePointsBN254_P_y1)
+    D           :MSTORE(lineSamePointsBN254_P_y2)
+    $ => A      :MLOAD(millerLoopBN254_P_x)
+    $ => B      :MLOAD(millerLoopBN254_P_y)
+    A           :MSTORE(lineSamePointsBN254_Q_x)
+    B           :MSTORE(lineSamePointsBN254_Q_y), CALL(lineSamePointsBN254)
+
+    $ => A      :MLOAD(millerLoopBN254_fsquare11_x)
+    $ => B      :MLOAD(millerLoopBN254_fsquare11_y)
+    A           :MSTORE(sparseMulBFp12BN254_a11_x)
+    B           :MSTORE(sparseMulBFp12BN254_a11_y)
+    $ => A      :MLOAD(millerLoopBN254_fsquare12_x)
+    $ => B      :MLOAD(millerLoopBN254_fsquare12_y)
+    A           :MSTORE(sparseMulBFp12BN254_a12_x)
+    B           :MSTORE(sparseMulBFp12BN254_a12_y)
+    $ => A      :MLOAD(millerLoopBN254_fsquare13_x)
+    $ => B      :MLOAD(millerLoopBN254_fsquare13_y)
+    A           :MSTORE(sparseMulBFp12BN254_a13_x)
+    B           :MSTORE(sparseMulBFp12BN254_a13_y)
+    $ => A      :MLOAD(millerLoopBN254_fsquare21_x)
+    $ => B      :MLOAD(millerLoopBN254_fsquare21_y)
+    A           :MSTORE(sparseMulBFp12BN254_a21_x)
+    B           :MSTORE(sparseMulBFp12BN254_a21_y)
+    $ => A      :MLOAD(millerLoopBN254_fsquare22_x)
+    $ => B      :MLOAD(millerLoopBN254_fsquare22_y)
+    A           :MSTORE(sparseMulBFp12BN254_a22_x)
+    B           :MSTORE(sparseMulBFp12BN254_a22_y)
+    $ => A      :MLOAD(millerLoopBN254_fsquare23_x)
+    $ => B      :MLOAD(millerLoopBN254_fsquare23_y)
+    A           :MSTORE(sparseMulBFp12BN254_a23_x)
+    B           :MSTORE(sparseMulBFp12BN254_a23_y)
+
+    ; f² · line_{twist(R),twist(R)}(P)
+    $ => A      :MLOAD(lineSamePointsBN254_l11_x)
+    $ => B      :MLOAD(lineSamePointsBN254_l11_y)
+    A           :MSTORE(sparseMulBFp12BN254_b11_x)
+    B           :MSTORE(sparseMulBFp12BN254_b11_y)
+    $ => A      :MLOAD(lineSamePointsBN254_l13_x)
+    $ => B      :MLOAD(lineSamePointsBN254_l13_y)
+    A           :MSTORE(sparseMulBFp12BN254_b13_x)
+    B           :MSTORE(sparseMulBFp12BN254_b13_y)
+    $ => A      :MLOAD(lineSamePointsBN254_l22_x)
+    $ => B      :MLOAD(lineSamePointsBN254_l22_y)
+    A           :MSTORE(sparseMulBFp12BN254_b22_x)
+    B           :MSTORE(sparseMulBFp12BN254_b22_y), CALL(sparseMulBFp12BN254)
+
+    $ => A      :MLOAD(sparseMulBFp12BN254_c11_x)
+    $ => B      :MLOAD(sparseMulBFp12BN254_c11_y)
+    A           :MSTORE(millerLoopBN254_f11_x)
+    B           :MSTORE(millerLoopBN254_f11_y)
+    $ => A      :MLOAD(sparseMulBFp12BN254_c12_x)
+    $ => B      :MLOAD(sparseMulBFp12BN254_c12_y)
+    A           :MSTORE(millerLoopBN254_f12_x)
+    B           :MSTORE(millerLoopBN254_f12_y)
+    $ => A      :MLOAD(sparseMulBFp12BN254_c13_x)
+    $ => B      :MLOAD(sparseMulBFp12BN254_c13_y)
+    A           :MSTORE(millerLoopBN254_f13_x)
+    B           :MSTORE(millerLoopBN254_f13_y)
+    $ => A      :MLOAD(sparseMulBFp12BN254_c21_x)
+    $ => B      :MLOAD(sparseMulBFp12BN254_c21_y)
+    A           :MSTORE(millerLoopBN254_f21_x)
+    B           :MSTORE(millerLoopBN254_f21_y)
+    $ => A      :MLOAD(sparseMulBFp12BN254_c22_x)
+    $ => B      :MLOAD(sparseMulBFp12BN254_c22_y)
+    A           :MSTORE(millerLoopBN254_f22_x)
+    B           :MSTORE(millerLoopBN254_f22_y)
+    $ => A      :MLOAD(sparseMulBFp12BN254_c23_x)
+    $ => B      :MLOAD(sparseMulBFp12BN254_c23_y)
+    A           :MSTORE(millerLoopBN254_f23_x)
+    B           :MSTORE(millerLoopBN254_f23_y)
+
+    ; 2] R = 2·R
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(addPointBN254_P1_x1)
+    A           :MSTORE(addPointBN254_P2_x1)
+    B           :MSTORE(addPointBN254_P1_x2)
+    B           :MSTORE(addPointBN254_P2_x2)
+    C           :MSTORE(addPointBN254_P1_y1)
+    C           :MSTORE(addPointBN254_P2_y1)
+    D           :MSTORE(addPointBN254_P1_y2)
+    D           :MSTORE(addPointBN254_P2_y2), CALL(addPointBN254)
+
+    $ => A      :MLOAD(addPointBN254_P3_x1)
+    $ => B      :MLOAD(addPointBN254_P3_x2)
+    $ => C      :MLOAD(addPointBN254_P3_y1)
+    $ => D      :MLOAD(addPointBN254_P3_y2)
+    A           :MSTORE(millerLoopBN254_R_x1)
+    B           :MSTORE(millerLoopBN254_R_x2)
+    C           :MSTORE(millerLoopBN254_R_y1)
+    D           :MSTORE(millerLoopBN254_R_y2)
+
+    RCX-1 => RR
+                :CALL(@loopLengthBN254 + RR)
+
+    ; if bit = -1, then sub
+    B           :JMPN(millerLoopBN254_sub)
+
+    ; if bit = 0, then repeat
+    B           :JMPZ(millerLoopBN254_loop)
+
+    ; if bit = 1, then add
+
+millerLoopBN254_add:
+    ; 1] f = f · line_{twist(R),twist(Q)}(P)
+    ; line_{twist(R),twist(Q)}(P)
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(lineDiffPointsBN254_P1_x1)
+    B           :MSTORE(lineDiffPointsBN254_P1_x2)
+    C           :MSTORE(lineDiffPointsBN254_P1_y1)
+    D           :MSTORE(lineDiffPointsBN254_P1_y2)
+    $ => A      :MLOAD(millerLoopBN254_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Q_x2)
+    $ => C      :MLOAD(millerLoopBN254_Q_y1)
+    $ => D      :MLOAD(millerLoopBN254_Q_y2)
+    A           :MSTORE(lineDiffPointsBN254_P2_x1)
+    B           :MSTORE(lineDiffPointsBN254_P2_x2)
+    C           :MSTORE(lineDiffPointsBN254_P2_y1)
+    D           :MSTORE(lineDiffPointsBN254_P2_y2)
+    $ => A      :MLOAD(millerLoopBN254_P_x)
+    $ => B      :MLOAD(millerLoopBN254_P_y)
+    A           :MSTORE(lineDiffPointsBN254_Q_x)
+    B           :MSTORE(lineDiffPointsBN254_Q_y), CALL(lineDiffPointsBN254)
+
+    $ => A      :MLOAD(millerLoopBN254_f11_x)
+    $ => B      :MLOAD(millerLoopBN254_f11_y)
+    A           :MSTORE(sparseMulAFp12BN254_a11_x)
+    B           :MSTORE(sparseMulAFp12BN254_a11_y)
+    $ => A      :MLOAD(millerLoopBN254_f12_x)
+    $ => B      :MLOAD(millerLoopBN254_f12_y)
+    A           :MSTORE(sparseMulAFp12BN254_a12_x)
+    B           :MSTORE(sparseMulAFp12BN254_a12_y)
+    $ => A      :MLOAD(millerLoopBN254_f13_x)
+    $ => B      :MLOAD(millerLoopBN254_f13_y)
+    A           :MSTORE(sparseMulAFp12BN254_a13_x)
+    B           :MSTORE(sparseMulAFp12BN254_a13_y)
+    $ => A      :MLOAD(millerLoopBN254_f21_x)
+    $ => B      :MLOAD(millerLoopBN254_f21_y)
+    A           :MSTORE(sparseMulAFp12BN254_a21_x)
+    B           :MSTORE(sparseMulAFp12BN254_a21_y)
+    $ => A      :MLOAD(millerLoopBN254_f22_x)
+    $ => B      :MLOAD(millerLoopBN254_f22_y)
+    A           :MSTORE(sparseMulAFp12BN254_a22_x)
+    B           :MSTORE(sparseMulAFp12BN254_a22_y)
+    $ => A      :MLOAD(millerLoopBN254_f23_x)
+    $ => B      :MLOAD(millerLoopBN254_f23_y)
+    A           :MSTORE(sparseMulAFp12BN254_a23_x)
+    B           :MSTORE(sparseMulAFp12BN254_a23_y)
+
+    ; f · line_{twist(R),twist(Q)}(P)
+    $ => A      :MLOAD(lineDiffPointsBN254_l12_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l12_y)
+    A           :MSTORE(sparseMulAFp12BN254_b12_x)
+    B           :MSTORE(sparseMulAFp12BN254_b12_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l22_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l22_y)
+    A           :MSTORE(sparseMulAFp12BN254_b22_x)
+    B           :MSTORE(sparseMulAFp12BN254_b22_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l23_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l23_y)
+    A           :MSTORE(sparseMulAFp12BN254_b23_x)
+    B           :MSTORE(sparseMulAFp12BN254_b23_y), CALL(sparseMulAFp12BN254)
+
+    $ => A      :MLOAD(sparseMulAFp12BN254_c11_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c11_y)
+    A           :MSTORE(millerLoopBN254_f11_x)
+    B           :MSTORE(millerLoopBN254_f11_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c12_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c12_y)
+    A           :MSTORE(millerLoopBN254_f12_x)
+    B           :MSTORE(millerLoopBN254_f12_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c13_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c13_y)
+    A           :MSTORE(millerLoopBN254_f13_x)
+    B           :MSTORE(millerLoopBN254_f13_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c21_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c21_y)
+    A           :MSTORE(millerLoopBN254_f21_x)
+    B           :MSTORE(millerLoopBN254_f21_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c22_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c22_y)
+    A           :MSTORE(millerLoopBN254_f22_x)
+    B           :MSTORE(millerLoopBN254_f22_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c23_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c23_y)
+    A           :MSTORE(millerLoopBN254_f23_x)
+    B           :MSTORE(millerLoopBN254_f23_y)
+
+    ; 2] R = R + Q
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(addPointBN254_P1_x1)
+    B           :MSTORE(addPointBN254_P1_x2)
+    C           :MSTORE(addPointBN254_P1_y1)
+    D           :MSTORE(addPointBN254_P1_y2)
+    $ => A      :MLOAD(millerLoopBN254_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Q_x2)
+    $ => C      :MLOAD(millerLoopBN254_Q_y1)
+    $ => D      :MLOAD(millerLoopBN254_Q_y2)
+    A           :MSTORE(addPointBN254_P2_x1)
+    B           :MSTORE(addPointBN254_P2_x2)
+    C           :MSTORE(addPointBN254_P2_y1)
+    D           :MSTORE(addPointBN254_P2_y2), CALL(addPointBN254)
+
+    $ => A      :MLOAD(addPointBN254_P3_x1)
+    $ => B      :MLOAD(addPointBN254_P3_x2)
+    $ => C      :MLOAD(addPointBN254_P3_y1)
+    $ => D      :MLOAD(addPointBN254_P3_y2)
+    A           :MSTORE(millerLoopBN254_R_x1)
+    B           :MSTORE(millerLoopBN254_R_x2)
+    C           :MSTORE(millerLoopBN254_R_y1)
+    D           :MSTORE(millerLoopBN254_R_y2)
+
+                :JMP(millerLoopBN254_loop)
+
+
+millerLoopBN254_sub:
+    ; 1] f = f · line_{twist(R),twist(-Q)}(P)
+    ; line_{twist(R),twist(-Q)}(P)
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(lineDiffPointsBN254_P1_x1)
+    B           :MSTORE(lineDiffPointsBN254_P1_x2)
+    C           :MSTORE(lineDiffPointsBN254_P1_y1)
+    D           :MSTORE(lineDiffPointsBN254_P1_y2)
+    $ => A      :MLOAD(millerLoopBN254_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Q_x2)
+    A           :MSTORE(lineDiffPointsBN254_P2_x1)
+    B           :MSTORE(lineDiffPointsBN254_P2_x2)
+
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Q_y1)
+    $           :SUB, MSTORE(lineDiffPointsBN254_P2_y1)
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Q_y2)
+    $           :SUB, MSTORE(lineDiffPointsBN254_P2_y2)
+
+    $ => A      :MLOAD(millerLoopBN254_P_x)
+    $ => B      :MLOAD(millerLoopBN254_P_y)
+    A           :MSTORE(lineDiffPointsBN254_Q_x)
+    B           :MSTORE(lineDiffPointsBN254_Q_y), CALL(lineDiffPointsBN254)
+
+    $ => A      :MLOAD(millerLoopBN254_f11_x)
+    $ => B      :MLOAD(millerLoopBN254_f11_y)
+    A           :MSTORE(sparseMulAFp12BN254_a11_x)
+    B           :MSTORE(sparseMulAFp12BN254_a11_y)
+    $ => A      :MLOAD(millerLoopBN254_f12_x)
+    $ => B      :MLOAD(millerLoopBN254_f12_y)
+    A           :MSTORE(sparseMulAFp12BN254_a12_x)
+    B           :MSTORE(sparseMulAFp12BN254_a12_y)
+    $ => A      :MLOAD(millerLoopBN254_f13_x)
+    $ => B      :MLOAD(millerLoopBN254_f13_y)
+    A           :MSTORE(sparseMulAFp12BN254_a13_x)
+    B           :MSTORE(sparseMulAFp12BN254_a13_y)
+    $ => A      :MLOAD(millerLoopBN254_f21_x)
+    $ => B      :MLOAD(millerLoopBN254_f21_y)
+    A           :MSTORE(sparseMulAFp12BN254_a21_x)
+    B           :MSTORE(sparseMulAFp12BN254_a21_y)
+    $ => A      :MLOAD(millerLoopBN254_f22_x)
+    $ => B      :MLOAD(millerLoopBN254_f22_y)
+    A           :MSTORE(sparseMulAFp12BN254_a22_x)
+    B           :MSTORE(sparseMulAFp12BN254_a22_y)
+    $ => A      :MLOAD(millerLoopBN254_f23_x)
+    $ => B      :MLOAD(millerLoopBN254_f23_y)
+    A           :MSTORE(sparseMulAFp12BN254_a23_x)
+    B           :MSTORE(sparseMulAFp12BN254_a23_y)
+
+    ; ; f · line_{twist(R),twist(-Q)}(P)
+    $ => A      :MLOAD(lineDiffPointsBN254_l12_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l12_y)
+    A           :MSTORE(sparseMulAFp12BN254_b12_x)
+    B           :MSTORE(sparseMulAFp12BN254_b12_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l22_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l22_y)
+    A           :MSTORE(sparseMulAFp12BN254_b22_x)
+    B           :MSTORE(sparseMulAFp12BN254_b22_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l23_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l23_y)
+    A           :MSTORE(sparseMulAFp12BN254_b23_x)
+    B           :MSTORE(sparseMulAFp12BN254_b23_y), CALL(sparseMulAFp12BN254)
+
+    $ => A      :MLOAD(sparseMulAFp12BN254_c11_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c11_y)
+    A           :MSTORE(millerLoopBN254_f11_x)
+    B           :MSTORE(millerLoopBN254_f11_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c12_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c12_y)
+    A           :MSTORE(millerLoopBN254_f12_x)
+    B           :MSTORE(millerLoopBN254_f12_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c13_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c13_y)
+    A           :MSTORE(millerLoopBN254_f13_x)
+    B           :MSTORE(millerLoopBN254_f13_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c21_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c21_y)
+    A           :MSTORE(millerLoopBN254_f21_x)
+    B           :MSTORE(millerLoopBN254_f21_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c22_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c22_y)
+    A           :MSTORE(millerLoopBN254_f22_x)
+    B           :MSTORE(millerLoopBN254_f22_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c23_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c23_y)
+    A           :MSTORE(millerLoopBN254_f23_x)
+    B           :MSTORE(millerLoopBN254_f23_y)
+
+    ; 2] R = R - Q
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(addPointBN254_P1_x1)
+    B           :MSTORE(addPointBN254_P1_x2)
+    C           :MSTORE(addPointBN254_P1_y1)
+    D           :MSTORE(addPointBN254_P1_y2)
+    $ => A      :MLOAD(millerLoopBN254_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Q_x2)
+    A           :MSTORE(addPointBN254_P2_x1)
+    B           :MSTORE(addPointBN254_P2_x2)
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Q_y1)
+    $           :SUB, MSTORE(addPointBN254_P2_y1)
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Q_y2)
+    $           :SUB, MSTORE(addPointBN254_P2_y2), CALL(addPointBN254)
+
+
+    $ => A      :MLOAD(addPointBN254_P3_x1)
+    $ => B      :MLOAD(addPointBN254_P3_x2)
+    $ => C      :MLOAD(addPointBN254_P3_y1)
+    $ => D      :MLOAD(addPointBN254_P3_y2)
+    A           :MSTORE(millerLoopBN254_R_x1)
+    B           :MSTORE(millerLoopBN254_R_x2)
+    C           :MSTORE(millerLoopBN254_R_y1)
+    D           :MSTORE(millerLoopBN254_R_y2)
+
+                :JMP(millerLoopBN254_loop)
+
+millerLoopBN254_last_two_lines:
+    ; 1] Given Q = (x,y) with x,y ∈ Fp2, compute Frobenius1(Q) = (\gamma12·x̄, \gamma13·ȳ)
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Q_x2)
+    $ => B      :SUB
+    $ => A      :MLOAD(millerLoopBN254_Q_x1)
+    %FROBENIUS_GAMMA121 => C
+    %FROBENIUS_GAMMA122 => D    :CALL(mulFp2BN254)
+
+    E           :MSTORE(millerLoopBN254_Frobenius1_Q_x1)
+    C           :MSTORE(millerLoopBN254_Frobenius1_Q_x2)
+
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Q_y2)
+    $ => B      :SUB
+    $ => A      :MLOAD(millerLoopBN254_Q_y1)
+    %FROBENIUS_GAMMA131 => C
+    %FROBENIUS_GAMMA132 => D    :CALL(mulFp2BN254)
+
+    E           :MSTORE(millerLoopBN254_Frobenius1_Q_y1)
+    C           :MSTORE(millerLoopBN254_Frobenius1_Q_y2)
+
+
+    ; 2] f = f · line_{twist(R),twist(Frobenius1(Q))}(P)
+    ; line_{twist(R),twist(Frobenius1(Q))}(P)
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(lineDiffPointsBN254_P1_x1)
+    B           :MSTORE(lineDiffPointsBN254_P1_x2)
+    C           :MSTORE(lineDiffPointsBN254_P1_y1)
+    D           :MSTORE(lineDiffPointsBN254_P1_y2)
+    $ => A      :MLOAD(millerLoopBN254_Frobenius1_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Frobenius1_Q_x2)
+    $ => C      :MLOAD(millerLoopBN254_Frobenius1_Q_y1)
+    $ => D      :MLOAD(millerLoopBN254_Frobenius1_Q_y2)
+    A           :MSTORE(lineDiffPointsBN254_P2_x1)
+    B           :MSTORE(lineDiffPointsBN254_P2_x2)
+    C           :MSTORE(lineDiffPointsBN254_P2_y1)
+    D           :MSTORE(lineDiffPointsBN254_P2_y2)
+
+    $ => A      :MLOAD(millerLoopBN254_P_x)
+    $ => B      :MLOAD(millerLoopBN254_P_y)
+    A           :MSTORE(lineDiffPointsBN254_Q_x)
+    B           :MSTORE(lineDiffPointsBN254_Q_y), CALL(lineDiffPointsBN254)
+
+    $ => A      :MLOAD(millerLoopBN254_f11_x)
+    $ => B      :MLOAD(millerLoopBN254_f11_y)
+    A           :MSTORE(sparseMulAFp12BN254_a11_x)
+    B           :MSTORE(sparseMulAFp12BN254_a11_y)
+    $ => A      :MLOAD(millerLoopBN254_f12_x)
+    $ => B      :MLOAD(millerLoopBN254_f12_y)
+    A           :MSTORE(sparseMulAFp12BN254_a12_x)
+    B           :MSTORE(sparseMulAFp12BN254_a12_y)
+    $ => A      :MLOAD(millerLoopBN254_f13_x)
+    $ => B      :MLOAD(millerLoopBN254_f13_y)
+    A           :MSTORE(sparseMulAFp12BN254_a13_x)
+    B           :MSTORE(sparseMulAFp12BN254_a13_y)
+    $ => A      :MLOAD(millerLoopBN254_f21_x)
+    $ => B      :MLOAD(millerLoopBN254_f21_y)
+    A           :MSTORE(sparseMulAFp12BN254_a21_x)
+    B           :MSTORE(sparseMulAFp12BN254_a21_y)
+    $ => A      :MLOAD(millerLoopBN254_f22_x)
+    $ => B      :MLOAD(millerLoopBN254_f22_y)
+    A           :MSTORE(sparseMulAFp12BN254_a22_x)
+    B           :MSTORE(sparseMulAFp12BN254_a22_y)
+    $ => A      :MLOAD(millerLoopBN254_f23_x)
+    $ => B      :MLOAD(millerLoopBN254_f23_y)
+    A           :MSTORE(sparseMulAFp12BN254_a23_x)
+    B           :MSTORE(sparseMulAFp12BN254_a23_y)
+
+    ; f · line_{twist(R),twist(Frobenius1(Q))}(P)
+    $ => A      :MLOAD(lineDiffPointsBN254_l12_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l12_y)
+    A           :MSTORE(sparseMulAFp12BN254_b12_x)
+    B           :MSTORE(sparseMulAFp12BN254_b12_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l22_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l22_y)
+    A           :MSTORE(sparseMulAFp12BN254_b22_x)
+    B           :MSTORE(sparseMulAFp12BN254_b22_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l23_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l23_y)
+    A           :MSTORE(sparseMulAFp12BN254_b23_x)
+    B           :MSTORE(sparseMulAFp12BN254_b23_y), CALL(sparseMulAFp12BN254)
+
+    $ => A      :MLOAD(sparseMulAFp12BN254_c11_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c11_y)
+    A           :MSTORE(millerLoopBN254_f11_x)
+    B           :MSTORE(millerLoopBN254_f11_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c12_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c12_y)
+    A           :MSTORE(millerLoopBN254_f12_x)
+    B           :MSTORE(millerLoopBN254_f12_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c13_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c13_y)
+    A           :MSTORE(millerLoopBN254_f13_x)
+    B           :MSTORE(millerLoopBN254_f13_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c21_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c21_y)
+    A           :MSTORE(millerLoopBN254_f21_x)
+    B           :MSTORE(millerLoopBN254_f21_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c22_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c22_y)
+    A           :MSTORE(millerLoopBN254_f22_x)
+    B           :MSTORE(millerLoopBN254_f22_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c23_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c23_y)
+    A           :MSTORE(millerLoopBN254_f23_x)
+    B           :MSTORE(millerLoopBN254_f23_y)
+
+    ; 3] R = R + Frobenius1(Q)
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(addPointBN254_P1_x1)
+    B           :MSTORE(addPointBN254_P1_x2)
+    C           :MSTORE(addPointBN254_P1_y1)
+    D           :MSTORE(addPointBN254_P1_y2)
+    $ => A      :MLOAD(millerLoopBN254_Frobenius1_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_Frobenius1_Q_x2)
+    $ => C      :MLOAD(millerLoopBN254_Frobenius1_Q_y1)
+    $ => D      :MLOAD(millerLoopBN254_Frobenius1_Q_y2)
+    A           :MSTORE(addPointBN254_P2_x1)
+    B           :MSTORE(addPointBN254_P2_x2)
+    C           :MSTORE(addPointBN254_P2_y1)
+    D           :MSTORE(addPointBN254_P2_y2), CALL(addPointBN254)
+
+    $ => A      :MLOAD(addPointBN254_P3_x1)
+    $ => B      :MLOAD(addPointBN254_P3_x2)
+    $ => C      :MLOAD(addPointBN254_P3_y1)
+    $ => D      :MLOAD(addPointBN254_P3_y2)
+    A           :MSTORE(millerLoopBN254_R_x1)
+    B           :MSTORE(millerLoopBN254_R_x2)
+    C           :MSTORE(millerLoopBN254_R_y1)
+    D           :MSTORE(millerLoopBN254_R_y2)
+
+    ; 4] Given Frobenius1(Q) = (x,y) with x,y ∈ Fp2, compute -Frobenius2(Q) = (\gamma12·x̄, -\gamma13·ȳ)
+
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Frobenius1_Q_x2)
+    $ => B      :SUB
+    $ => A      :MLOAD(millerLoopBN254_Frobenius1_Q_x1)
+    %FROBENIUS_GAMMA121 => C
+    %FROBENIUS_GAMMA122 => D    :CALL(mulFp2BN254)
+
+    E           :MSTORE(millerLoopBN254_nFrobenius2_Q_x1)
+    C           :MSTORE(millerLoopBN254_nFrobenius2_Q_x2)
+
+
+    %BN254_P => A
+    $ => B      :MLOAD(millerLoopBN254_Frobenius1_Q_y2)
+    $ => B      :SUB
+    $ => A      :MLOAD(millerLoopBN254_Frobenius1_Q_y1)
+    %FROBENIUS_GAMMA131_NEGATED => C
+    %FROBENIUS_GAMMA132_NEGATED => D :CALL(mulFp2BN254)
+
+
+    ; 5] f = f · line_{twist(R),twist(-Frobenius2(Q))}(P)
+    ; line_{twist(R),twist(-Frobenius2(Q))}(P)
+    $ => A      :MLOAD(millerLoopBN254_nFrobenius2_Q_x1)
+    $ => B      :MLOAD(millerLoopBN254_nFrobenius2_Q_x2)
+    C => D
+    E => C
+    A           :MSTORE(lineDiffPointsBN254_P2_x1)
+    B           :MSTORE(lineDiffPointsBN254_P2_x2)
+    C           :MSTORE(lineDiffPointsBN254_P2_y1)
+    D           :MSTORE(lineDiffPointsBN254_P2_y2)
+    $ => A      :MLOAD(millerLoopBN254_R_x1)
+    $ => B      :MLOAD(millerLoopBN254_R_x2)
+    $ => C      :MLOAD(millerLoopBN254_R_y1)
+    $ => D      :MLOAD(millerLoopBN254_R_y2)
+    A           :MSTORE(lineDiffPointsBN254_P1_x1)
+    B           :MSTORE(lineDiffPointsBN254_P1_x2)
+    C           :MSTORE(lineDiffPointsBN254_P1_y1)
+    D           :MSTORE(lineDiffPointsBN254_P1_y2)
+
+    $ => A      :MLOAD(millerLoopBN254_P_x)
+    $ => B      :MLOAD(millerLoopBN254_P_y)
+    A           :MSTORE(lineDiffPointsBN254_Q_x)
+    B           :MSTORE(lineDiffPointsBN254_Q_y), CALL(lineDiffPointsBN254)
+
+    $ => A      :MLOAD(millerLoopBN254_f11_x)
+    $ => B      :MLOAD(millerLoopBN254_f11_y)
+    A           :MSTORE(sparseMulAFp12BN254_a11_x)
+    B           :MSTORE(sparseMulAFp12BN254_a11_y)
+    $ => A      :MLOAD(millerLoopBN254_f12_x)
+    $ => B      :MLOAD(millerLoopBN254_f12_y)
+    A           :MSTORE(sparseMulAFp12BN254_a12_x)
+    B           :MSTORE(sparseMulAFp12BN254_a12_y)
+    $ => A      :MLOAD(millerLoopBN254_f13_x)
+    $ => B      :MLOAD(millerLoopBN254_f13_y)
+    A           :MSTORE(sparseMulAFp12BN254_a13_x)
+    B           :MSTORE(sparseMulAFp12BN254_a13_y)
+    $ => A      :MLOAD(millerLoopBN254_f21_x)
+    $ => B      :MLOAD(millerLoopBN254_f21_y)
+    A           :MSTORE(sparseMulAFp12BN254_a21_x)
+    B           :MSTORE(sparseMulAFp12BN254_a21_y)
+    $ => A      :MLOAD(millerLoopBN254_f22_x)
+    $ => B      :MLOAD(millerLoopBN254_f22_y)
+    A           :MSTORE(sparseMulAFp12BN254_a22_x)
+    B           :MSTORE(sparseMulAFp12BN254_a22_y)
+    $ => A      :MLOAD(millerLoopBN254_f23_x)
+    $ => B      :MLOAD(millerLoopBN254_f23_y)
+    A           :MSTORE(sparseMulAFp12BN254_a23_x)
+    B           :MSTORE(sparseMulAFp12BN254_a23_y)
+
+    ; f · line_{twist(R),twist(-Frobenius2(Q))}(P)
+    $ => A      :MLOAD(lineDiffPointsBN254_l12_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l12_y)
+    A           :MSTORE(sparseMulAFp12BN254_b12_x)
+    B           :MSTORE(sparseMulAFp12BN254_b12_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l22_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l22_y)
+    A           :MSTORE(sparseMulAFp12BN254_b22_x)
+    B           :MSTORE(sparseMulAFp12BN254_b22_y)
+    $ => A      :MLOAD(lineDiffPointsBN254_l23_x)
+    $ => B      :MLOAD(lineDiffPointsBN254_l23_y)
+    A           :MSTORE(sparseMulAFp12BN254_b23_x)
+    B           :MSTORE(sparseMulAFp12BN254_b23_y), CALL(sparseMulAFp12BN254)
+
+    $ => A      :MLOAD(sparseMulAFp12BN254_c11_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c11_y)
+    A           :MSTORE(millerLoopBN254_f11_x)
+    B           :MSTORE(millerLoopBN254_f11_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c12_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c12_y)
+    A           :MSTORE(millerLoopBN254_f12_x)
+    B           :MSTORE(millerLoopBN254_f12_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c13_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c13_y)
+    A           :MSTORE(millerLoopBN254_f13_x)
+    B           :MSTORE(millerLoopBN254_f13_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c21_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c21_y)
+    A           :MSTORE(millerLoopBN254_f21_x)
+    B           :MSTORE(millerLoopBN254_f21_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c22_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c22_y)
+    A           :MSTORE(millerLoopBN254_f22_x)
+    B           :MSTORE(millerLoopBN254_f22_y)
+    $ => A      :MLOAD(sparseMulAFp12BN254_c23_x)
+    $ => B      :MLOAD(sparseMulAFp12BN254_c23_y)
+    A           :MSTORE(millerLoopBN254_f23_x)
+    B           :MSTORE(millerLoopBN254_f23_y)
+
+millerLoopBN254_end:
+        $ => RR     :MLOAD(millerLoopBN254_RR)
+        :RETURN