npm - snarkjs-algorand - Versions diffs - 0.5.0 → 0.5.2 - Mend

snarkjs-algorand 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.cjs CHANGED Viewed

@@ -884,12 +884,12 @@ var LSIG_SOURCE = `#pragma version 10
 // contracts/verifier.algo.ts::program() -> uint64:
 main:
     intcblock 96 32 0 1 384 192 288 480 576 672 768 992 864 896 928 960 1024 776 784 792 800
-    bytecblock 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 0x 0x01 TMPL_ROOT_OF_UNITY 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000 TMPL_VERIFICATION_KEY
+    bytecblock 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001 0x 0x01 0x0000 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000 TMPL_VERIFICATION_KEY TMPL_ROOT_OF_UNITY
     intc_2 // 0
-    dupn 38
+    dupn 35
     bytec_1 // ""
-    dupn 5
-    // contracts/verifier.algo.ts:45
+    dupn 6
+    // contracts/verifier.algo.ts:55
     // assertMatch(Txn, { fee: 0, rekeyTo: Global.zeroAddress });
     txn Fee
     !
@@ -898,11 +898,11 @@ main:
     ==
     &&
     assert // assert target is match for conditions
-    // contracts/verifier.algo.ts:66
+    // contracts/verifier.algo.ts:76
     // const proofBytes = Txn.applicationArgs(2);
     pushint 2 // 2
     txnas ApplicationArgs
-    // contracts/verifier.algo.ts:68
+    // contracts/verifier.algo.ts:78
     // A: proofBytes.slice(0, 96).toFixed({ length: 96 }),
     dup
     len
@@ -929,7 +929,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:69
+    // contracts/verifier.algo.ts:79
     // B: proofBytes.slice(96, 192).toFixed({ length: 96 }),
     intc 5 // 192
     dig 3
@@ -947,7 +947,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:70
+    // contracts/verifier.algo.ts:80
     // C: proofBytes.slice(192, 288).toFixed({ length: 96 }),
     intc 6 // 288
     dig 4
@@ -965,7 +965,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:71
+    // contracts/verifier.algo.ts:81
     // Z: proofBytes.slice(288, 384).toFixed({ length: 96 }),
     intc 4 // 384
     dig 5
@@ -983,7 +983,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:72
+    // contracts/verifier.algo.ts:82
     // T1: proofBytes.slice(384, 480).toFixed({ length: 96 }),
     intc 7 // 480
     dig 6
@@ -1001,7 +1001,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:73
+    // contracts/verifier.algo.ts:83
     // T2: proofBytes.slice(480, 576).toFixed({ length: 96 }),
     intc 8 // 576
     dig 7
@@ -1019,7 +1019,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:74
+    // contracts/verifier.algo.ts:84
     // T3: proofBytes.slice(576, 672).toFixed({ length: 96 }),
     intc 9 // 672
     dig 8
@@ -1037,7 +1037,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:75
+    // contracts/verifier.algo.ts:85
     // Wxi: proofBytes.slice(672, 768).toFixed({ length: 96 }),
     intc 10 // 768
     dig 9
@@ -1055,7 +1055,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:76
+    // contracts/verifier.algo.ts:86
     // Wxiw: proofBytes.slice(768, 864).toFixed({ length: 96 }),
     intc 12 // 864
     dig 10
@@ -1073,7 +1073,7 @@ main:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/verifier.algo.ts:77
+    // contracts/verifier.algo.ts:87
     // eval_a: interpretAsArc4<Uint256>(proofBytes.slice(864, 896)),
     intc 13 // 896
     dig 11
@@ -1086,7 +1086,7 @@ main:
     uncover 3
     dig 2
     substring3
-    // contracts/verifier.algo.ts:78
+    // contracts/verifier.algo.ts:88
     // eval_b: interpretAsArc4<Uint256>(proofBytes.slice(896, 928)),
     intc 14 // 928
     dig 12
@@ -1099,7 +1099,7 @@ main:
     uncover 3
     dig 2
     substring3
-    // contracts/verifier.algo.ts:79
+    // contracts/verifier.algo.ts:89
     // eval_c: interpretAsArc4<Uint256>(proofBytes.slice(928, 960)),
     intc 15 // 960
     dig 13
@@ -1112,7 +1112,7 @@ main:
     uncover 3
     dig 2
     substring3
-    // contracts/verifier.algo.ts:80
+    // contracts/verifier.algo.ts:90
     // eval_s1: interpretAsArc4<Uint256>(proofBytes.slice(960, 992)),
     intc 11 // 992
     dig 14
@@ -1125,7 +1125,7 @@ main:
     uncover 3
     dig 2
     substring3
-    // contracts/verifier.algo.ts:81
+    // contracts/verifier.algo.ts:91
     // eval_s2: interpretAsArc4<Uint256>(proofBytes.slice(992, 1024)),
     intc 16 // 1024
     dig 15
@@ -1138,7 +1138,7 @@ main:
     uncover 3
     dig 2
     substring3
-    // contracts/verifier.algo.ts:82
+    // contracts/verifier.algo.ts:92
     // eval_zw: interpretAsArc4<Uint256>(proofBytes.slice(1024, 1056)),
     pushint 1056 // 1056
     dig 16
@@ -1151,7 +1151,7 @@ main:
     uncover 3
     uncover 2
     substring3
-    // contracts/verifier.algo.ts:67-83
+    // contracts/verifier.algo.ts:77-93
     // const proof: Proof = {
     //   A: proofBytes.slice(0, 96).toFixed({ length: 96 }),
     //   B: proofBytes.slice(96, 192).toFixed({ length: 96 }),
@@ -1198,23 +1198,23 @@ main:
     concat
     swap
     concat
-    // contracts/verifier.algo.ts:85
+    // contracts/verifier.algo.ts:95
     // const signalBytes = Txn.applicationArgs(1);
     intc_3 // 1
     txnas ApplicationArgs
     dup
-    // contracts/verifier.algo.ts:89
+    // contracts/verifier.algo.ts:99
     // const signals: Uint256[] = [];
-    pushbytes 0x0000
+    bytec_3 // 0x0000
     swap
-    // contracts/verifier.algo.ts:91
+    // contracts/verifier.algo.ts:100
     // for (const s of signalsArc4) {
     intc_2 // 0
     extract_uint16
     intc_2 // 0
 main_for_header@1:
-    // contracts/verifier.algo.ts:91
+    // contracts/verifier.algo.ts:100
     // for (const s of signalsArc4) {
     dup
     dig 2
@@ -1229,7 +1229,7 @@ main_for_header@1:
     *
     intc_1 // 32
     extract3 // on error: index access is out of bounds
-    // contracts/verifier.algo.ts:92
+    // contracts/verifier.algo.ts:101
     // signals.push(s);
     dig 4
     dup
@@ -1250,10 +1250,112 @@ main_for_header@1:
     b main_for_header@1
 main_after_for@4:
-    // contracts/plonk_bls12381.algo.ts:331
-    // return verify(decodeVk(vkBytes), signals, proof);
+    // contracts/verifier.algo.ts:104
+    // const lwBytes = Txn.applicationArgs(3);
+    pushint 3 // 3
+    txnas ApplicationArgs
+    // contracts/verifier.algo.ts:112
+    // xin: lwArc4.at(1),
+    dup
+    extract 2 32
+    // contracts/verifier.algo.ts:113
+    // zh: lwArc4.at(2),
+    dig 1
+    extract 34 32
+    // contracts/verifier.algo.ts:110-114
+    // const lw: LagrangeWitness = {
+    //   L: [] as Uint256[],
+    //   xin: lwArc4.at(1),
+    //   zh: lwArc4.at(2),
+    // };
+    pushbytes 0x0042
+    uncover 2
+    concat
+    swap
+    concat
+    // contracts/verifier.algo.ts:99
+    // const signals: Uint256[] = [];
+    bytec_3 // 0x0000
+    // contracts/verifier.algo.ts:110-114
+    // const lw: LagrangeWitness = {
+    //   L: [] as Uint256[],
+    //   xin: lwArc4.at(1),
+    //   zh: lwArc4.at(2),
+    // };
+    concat
+    bury 40
+    // contracts/verifier.algo.ts:116
+    // for (const v of lwArc4.at(0)) {
+    dup
+    intc_2 // 0
+    extract_uint16
+    dig 1
+    len
+    substring3
+    dup
+    bury 43
+    intc_2 // 0
+    extract_uint16
+    bury 12
+    intc_2 // 0
+    bury 8
+main_for_header@5:
+    // contracts/verifier.algo.ts:116
+    // for (const v of lwArc4.at(0)) {
+    dig 7
+    dig 12
+    <
+    bz main_after_for@8
+    dig 41
+    extract 2 0
+    dig 8
+    dup
+    cover 2
+    intc_1 // 32
+    *
+    intc_1 // 32
+    extract3 // on error: index access is out of bounds
+    // contracts/verifier.algo.ts:117
+    // lw.L.push(v);
+    dig 40
+    dup
+    intc_2 // 0
+    extract_uint16
+    dig 1
+    len
+    dig 2
+    dig 2
+    uncover 2
+    substring3
+    dup
+    uncover 4
+    concat // on error: max array length exceeded
+    swap
+    intc_2 // 0
+    extract_uint16
+    intc_3 // 1
+    +
+    itob
+    extract 6 2
+    replace2 0
+    uncover 2
+    intc_2 // 0
+    uncover 3
+    extract3
+    swap
+    concat
+    bury 40
+    intc_3 // 1
+    +
+    bury 8
+    b main_for_header@5
+main_after_for@8:
+    // contracts/plonk_bls12381.algo.ts:340
+    // return verify(decodeVk(vkBytes), signals, proof, lw);
     bytec 5 // TMPL_VERIFICATION_KEY
-    // contracts/plonk_bls12381.algo.ts:294
+    // contracts/plonk_bls12381.algo.ts:301
     // Qm: vkBytes.slice(0, 96).toFixed({ length: 96 }),
     dup
     len
@@ -1280,7 +1382,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:295
+    // contracts/plonk_bls12381.algo.ts:302
     // Ql: vkBytes.slice(96, 192).toFixed({ length: 96 }),
     intc 5 // 192
     dig 3
@@ -1298,7 +1400,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:296
+    // contracts/plonk_bls12381.algo.ts:303
     // Qr: vkBytes.slice(192, 288).toFixed({ length: 96 }),
     intc 6 // 288
     dig 4
@@ -1316,7 +1418,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:297
+    // contracts/plonk_bls12381.algo.ts:304
     // Qo: vkBytes.slice(288, 384).toFixed({ length: 96 }),
     intc 4 // 384
     dig 5
@@ -1334,7 +1436,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:298
+    // contracts/plonk_bls12381.algo.ts:305
     // Qc: vkBytes.slice(384, 480).toFixed({ length: 96 }),
     intc 7 // 480
     dig 6
@@ -1352,7 +1454,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:299
+    // contracts/plonk_bls12381.algo.ts:306
     // S1: vkBytes.slice(480, 576).toFixed({ length: 96 }),
     intc 8 // 576
     dig 7
@@ -1370,7 +1472,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:300
+    // contracts/plonk_bls12381.algo.ts:307
     // S2: vkBytes.slice(576, 672).toFixed({ length: 96 }),
     intc 9 // 672
     dig 8
@@ -1388,7 +1490,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:301
+    // contracts/plonk_bls12381.algo.ts:308
     // S3: vkBytes.slice(672, 768).toFixed({ length: 96 }),
     intc 10 // 768
     dig 9
@@ -1406,7 +1508,7 @@ main_after_for@4:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:302
+    // contracts/plonk_bls12381.algo.ts:309
     // power: op.btoi(vkBytes.slice(768, 776)),
     intc 17 // 776
     dig 10
@@ -1420,7 +1522,7 @@ main_after_for@4:
     dig 2
     substring3
     btoi
-    // contracts/plonk_bls12381.algo.ts:303
+    // contracts/plonk_bls12381.algo.ts:310
     // nPublic: op.btoi(vkBytes.slice(776, 784)),
     intc 18 // 784
     dig 11
@@ -1434,7 +1536,7 @@ main_after_for@4:
     dig 2
     substring3
     btoi
-    // contracts/plonk_bls12381.algo.ts:304
+    // contracts/plonk_bls12381.algo.ts:311
     // k1: op.btoi(vkBytes.slice(784, 792)),
     intc 19 // 792
     dig 12
@@ -1448,7 +1550,7 @@ main_after_for@4:
     dig 2
     substring3
     btoi
-    // contracts/plonk_bls12381.algo.ts:305
+    // contracts/plonk_bls12381.algo.ts:312
     // k2: op.btoi(vkBytes.slice(792, 800)),
     intc 20 // 800
     dig 13
@@ -1462,7 +1564,7 @@ main_after_for@4:
     dig 2
     substring3
     btoi
-    // contracts/plonk_bls12381.algo.ts:306
+    // contracts/plonk_bls12381.algo.ts:313
     // X_2: vkBytes.slice(800, 992).toFixed({ length: 192 }),
     intc 11 // 992
     dig 14
@@ -1480,7 +1582,7 @@ main_after_for@4:
     intc 5 // 192
     ==
     assert // Length must be 192
-    // contracts/plonk_bls12381.algo.ts:293-307
+    // contracts/plonk_bls12381.algo.ts:300-314
     // return {
     //   Qm: vkBytes.slice(0, 96).toFixed({ length: 96 }),
     //   Ql: vkBytes.slice(96, 192).toFixed({ length: 96 }),
@@ -1526,20 +1628,277 @@ main_after_for@4:
     swap
     concat
     dup
-    bury 16
-    // contracts/plonk_bls12381.algo.ts:440
+    bury 17
+    // contracts/plonk_bls12381.algo.ts:406
+    // assert(groupCheck(proof.A), "A not in G1");
+    dig 5
+    dup
+    extract 0 96
+    dup
+    bury 39
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:406
+    // assert(groupCheck(proof.A), "A not in G1");
+    assert // A not in G1
+    // contracts/plonk_bls12381.algo.ts:407
+    // assert(groupCheck(proof.B), "B not in G1");
+    dup
+    extract 96 96
+    dup
+    bury 38
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:407
+    // assert(groupCheck(proof.B), "B not in G1");
+    assert // B not in G1
+    // contracts/plonk_bls12381.algo.ts:408
+    // assert(groupCheck(proof.C), "C not in G1");
+    dup
+    extract 192 96
+    dup
+    bury 37
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:408
+    // assert(groupCheck(proof.C), "C not in G1");
+    assert // C not in G1
+    // contracts/plonk_bls12381.algo.ts:409
+    // assert(groupCheck(proof.Z), "Z not in G1");
+    dup
+    intc 6 // 288
+    intc_0 // 96
+    extract3
+    dup
+    bury 36
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:409
+    // assert(groupCheck(proof.Z), "Z not in G1");
+    assert // Z not in G1
+    // contracts/plonk_bls12381.algo.ts:410
+    // assert(groupCheck(proof.T1), "T1 not in G1");
+    dup
+    intc 4 // 384
+    intc_0 // 96
+    extract3
+    dup
+    bury 35
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:410
+    // assert(groupCheck(proof.T1), "T1 not in G1");
+    assert // T1 not in G1
+    // contracts/plonk_bls12381.algo.ts:411
+    // assert(groupCheck(proof.T2), "T2 not in G1");
+    dup
+    intc 7 // 480
+    intc_0 // 96
+    extract3
+    dup
+    bury 34
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:411
+    // assert(groupCheck(proof.T2), "T2 not in G1");
+    assert // T2 not in G1
+    // contracts/plonk_bls12381.algo.ts:412
+    // assert(groupCheck(proof.T3), "T3 not in G1");
+    dup
+    intc 8 // 576
+    intc_0 // 96
+    extract3
+    dup
+    bury 41
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:412
+    // assert(groupCheck(proof.T3), "T3 not in G1");
+    assert // T3 not in G1
+    // contracts/plonk_bls12381.algo.ts:413
+    // assert(groupCheck(proof.Wxi), "Wxi not in G1");
+    dup
+    intc 9 // 672
+    intc_0 // 96
+    extract3
+    dup
+    bury 29
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:413
+    // assert(groupCheck(proof.Wxi), "Wxi not in G1");
+    assert // Wxi not in G1
+    // contracts/plonk_bls12381.algo.ts:414
+    // assert(groupCheck(proof.Wxiw), "Wxiw not in G1");
+    dup
+    intc 10 // 768
+    intc_0 // 96
+    extract3
+    dup
+    bury 40
+    // contracts/plonk_bls12381.algo.ts:344
+    // return op.EllipticCurve.subgroupCheck(op.Ec.BLS12_381g1, p);
+    ec_subgroup_check BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:414
+    // assert(groupCheck(proof.Wxiw), "Wxiw not in G1");
+    assert // Wxiw not in G1
+    // contracts/plonk_bls12381.algo.ts:397
+    // assert(inField(proof.eval_a), "eval_a not in Fr");
+    dup
+    intc 12 // 864
+    intc_1 // 32
+    extract3
+    dup
+    bury 25
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:397
+    // assert(inField(proof.eval_a), "eval_a not in Fr");
+    assert // eval_a not in Fr
+    // contracts/plonk_bls12381.algo.ts:398
+    // assert(inField(proof.eval_b), "eval_b not in Fr");
+    dup
+    intc 13 // 896
+    intc_1 // 32
+    extract3
+    dup
+    bury 24
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:398
+    // assert(inField(proof.eval_b), "eval_b not in Fr");
+    assert // eval_b not in Fr
+    // contracts/plonk_bls12381.algo.ts:399
+    // assert(inField(proof.eval_c), "eval_c not in Fr");
+    dup
+    intc 14 // 928
+    intc_1 // 32
+    extract3
+    dup
+    bury 23
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:399
+    // assert(inField(proof.eval_c), "eval_c not in Fr");
+    assert // eval_c not in Fr
+    // contracts/plonk_bls12381.algo.ts:400
+    // assert(inField(proof.eval_s1), "eval_s1 not in Fr");
+    dup
+    intc 15 // 960
+    intc_1 // 32
+    extract3
+    dup
+    bury 22
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:400
+    // assert(inField(proof.eval_s1), "eval_s1 not in Fr");
+    assert // eval_s1 not in Fr
+    // contracts/plonk_bls12381.algo.ts:401
+    // assert(inField(proof.eval_s2), "eval_s2 not in Fr");
+    dup
+    intc 11 // 992
+    intc_1 // 32
+    extract3
+    dup
+    bury 21
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:401
+    // assert(inField(proof.eval_s2), "eval_s2 not in Fr");
+    assert // eval_s2 not in Fr
+    // contracts/plonk_bls12381.algo.ts:402
+    // assert(inField(proof.eval_zw), "eval_zw not in Fr");
+    intc 16 // 1024
+    intc_1 // 32
+    extract3
+    dup
+    bury 19
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:402
+    // assert(inField(proof.eval_zw), "eval_zw not in Fr");
+    assert // eval_zw not in Fr
+    // contracts/plonk_bls12381.algo.ts:389
+    // assert(signals.length === vk.nPublic, "Invalid number of public inputs");
+    dig 3
+    intc_2 // 0
+    extract_uint16
+    dup
+    bury 13
+    swap
+    intc 17 // 776
+    extract_uint64
+    dup
+    bury 8
+    ==
+    assert // Invalid number of public inputs
+    intc_2 // 0
+    bury 1
+main_for_header@12:
+    // contracts/plonk_bls12381.algo.ts:391
+    // for (const signal of signals) {
+    dup
+    dig 11
+    <
+    bz main_after_for@14
+    dig 2
+    extract 2 0
+    dig 1
+    dup
+    cover 2
+    intc_1 // 32
+    *
+    intc_1 // 32
+    extract3 // on error: index access is out of bounds
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:392
+    // assert(inField(signal), "public signal not in Fr");
+    assert // public signal not in Fr
+    intc_3 // 1
+    +
+    bury 1
+    b main_for_header@12
+main_after_for@14:
+    // contracts/plonk_bls12381.algo.ts:534
     // let td = op.concat(vk.Qm, vk.Ql);
+    dig 15
     dup
     extract 0 96
     dig 1
     extract 96 96
     concat
-    // contracts/plonk_bls12381.algo.ts:441
+    // contracts/plonk_bls12381.algo.ts:535
     // td = op.concat(td, vk.Qr);
     dig 1
     extract 192 96
     concat
-    // contracts/plonk_bls12381.algo.ts:442
+    // contracts/plonk_bls12381.algo.ts:536
     // td = op.concat(td, vk.Qo);
     dig 1
     intc 6 // 288
@@ -1547,60 +1906,54 @@ main_after_for@4:
     extract3
     concat
     dup
-    bury 22
-    // contracts/plonk_bls12381.algo.ts:443
+    bury 31
+    // contracts/plonk_bls12381.algo.ts:537
     // td = op.concat(td, vk.Qc);
     dig 1
     intc 4 // 384
     intc_0 // 96
     extract3
     dup
-    bury 27
+    bury 49
     concat
-    // contracts/plonk_bls12381.algo.ts:444
+    // contracts/plonk_bls12381.algo.ts:538
     // td = op.concat(td, vk.S1);
     dig 1
     intc 7 // 480
     intc_0 // 96
     extract3
     dup
-    bury 45
+    bury 48
     concat
-    // contracts/plonk_bls12381.algo.ts:445
+    // contracts/plonk_bls12381.algo.ts:539
     // td = op.concat(td, vk.S2);
     dig 1
     intc 8 // 576
     intc_0 // 96
     extract3
     dup
-    bury 44
+    bury 47
     concat
-    // contracts/plonk_bls12381.algo.ts:446
+    // contracts/plonk_bls12381.algo.ts:540
     // td = op.concat(td, vk.S3);
     swap
     intc 9 // 672
     intc_0 // 96
     extract3
     dup
-    bury 28
+    bury 45
     concat
-    bury 18
-    // contracts/plonk_bls12381.algo.ts:448
-    // for (const signal of signals) {
-    dig 2
-    intc_2 // 0
-    extract_uint16
-    bury 11
+    bury 27
     intc_2 // 0
     bury 1
-main_for_header@8:
-    // contracts/plonk_bls12381.algo.ts:448
+main_for_header@15:
+    // contracts/plonk_bls12381.algo.ts:542
     // for (const signal of signals) {
     dup
     dig 11
     <
-    bz main_after_for@10
+    bz main_after_for@17
     dig 2
     extract 2 0
     dig 1
@@ -1614,178 +1967,117 @@ main_for_header@8:
     // return a % BLS12_381_SCALAR_MODULUS;
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:449
+    // contracts/plonk_bls12381.algo.ts:543
     // td = op.concat(td, b32(frScalar(signal.native)));
     callsub b32
-    dig 19
+    dig 28
     swap
     concat
-    bury 19
+    bury 28
     intc_3 // 1
     +
     bury 1
-    b main_for_header@8
+    b main_for_header@15
-main_after_for@10:
-    // contracts/plonk_bls12381.algo.ts:453
+main_after_for@17:
+    // contracts/plonk_bls12381.algo.ts:547
     // td = op.concat(td, proof.A);
-    dig 4
-    dup
-    extract 0 96
-    dup
-    bury 42
-    dig 19
-    swap
+    dig 26
+    dig 36
     concat
-    // contracts/plonk_bls12381.algo.ts:454
+    // contracts/plonk_bls12381.algo.ts:548
     // td = op.concat(td, proof.B);
-    dig 1
-    extract 96 96
-    dup
-    bury 42
+    dig 35
     concat
-    // contracts/plonk_bls12381.algo.ts:455
+    // contracts/plonk_bls12381.algo.ts:549
     // td = op.concat(td, proof.C);
-    dig 1
-    extract 192 96
-    dup
-    bury 49
+    dig 34
     concat
-    // contracts/plonk_bls12381.algo.ts:457
+    // contracts/plonk_bls12381.algo.ts:551
     // const beta = getChallenge(td);
     callsub getChallenge
-    // contracts/plonk_bls12381.algo.ts:462
+    // contracts/plonk_bls12381.algo.ts:556
     // const gamma = getChallenge(td);
     dup
     callsub getChallenge
-    // contracts/plonk_bls12381.algo.ts:469
+    // contracts/plonk_bls12381.algo.ts:563
     // td = op.concat(td, gamma.bytes);
     concat
     dup
-    bury 20
-    // contracts/plonk_bls12381.algo.ts:470
+    bury 28
+    // contracts/plonk_bls12381.algo.ts:564
     // td = op.concat(td, proof.Z);
-    dig 1
-    intc 6 // 288
-    intc_0 // 96
-    extract3
-    dup
-    bury 30
+    dig 33
     concat
-    // contracts/plonk_bls12381.algo.ts:471
+    // contracts/plonk_bls12381.algo.ts:565
     // const alpha = getChallenge(td);
     callsub getChallenge
     dup
-    bury 40
-    // contracts/plonk_bls12381.algo.ts:478
+    bury 42
+    // contracts/plonk_bls12381.algo.ts:572
     // td = op.concat(td, proof.T1);
-    dig 1
-    intc 4 // 384
-    intc_0 // 96
-    extract3
-    dup
-    bury 48
+    dig 32
     concat
-    // contracts/plonk_bls12381.algo.ts:479
+    // contracts/plonk_bls12381.algo.ts:573
     // td = op.concat(td, proof.T2);
-    dig 1
-    intc 7 // 480
-    intc_0 // 96
-    extract3
-    dup
-    bury 47
+    dig 31
     concat
-    // contracts/plonk_bls12381.algo.ts:480
+    // contracts/plonk_bls12381.algo.ts:574
     // td = op.concat(td, proof.T3);
-    dig 1
-    intc 8 // 576
-    intc_0 // 96
-    extract3
-    dup
-    bury 46
+    dig 38
     concat
-    // contracts/plonk_bls12381.algo.ts:481
+    // contracts/plonk_bls12381.algo.ts:575
     // const xi = getChallenge(td);
     callsub getChallenge
     dup
-    bury 15
-    // contracts/plonk_bls12381.algo.ts:488
+    bury 16
+    // contracts/plonk_bls12381.algo.ts:582
     // td = op.concat(td, proof.eval_a.bytes);
-    dig 1
-    intc 12 // 864
-    intc_1 // 32
-    extract3
-    dup
-    bury 34
+    dig 22
     concat
-    // contracts/plonk_bls12381.algo.ts:489
+    // contracts/plonk_bls12381.algo.ts:583
     // td = op.concat(td, proof.eval_b.bytes);
-    dig 1
-    intc 13 // 896
-    intc_1 // 32
-    extract3
-    dup
-    bury 33
+    dig 21
     concat
-    // contracts/plonk_bls12381.algo.ts:490
+    // contracts/plonk_bls12381.algo.ts:584
     // td = op.concat(td, proof.eval_c.bytes);
-    dig 1
-    intc 14 // 928
-    intc_1 // 32
-    extract3
-    dup
-    bury 32
+    dig 20
     concat
-    // contracts/plonk_bls12381.algo.ts:491
+    // contracts/plonk_bls12381.algo.ts:585
     // td = op.concat(td, proof.eval_s1.bytes);
-    dig 1
-    intc 15 // 960
-    intc_1 // 32
-    extract3
-    dup
-    bury 37
+    dig 19
     concat
-    // contracts/plonk_bls12381.algo.ts:492
+    // contracts/plonk_bls12381.algo.ts:586
     // td = op.concat(td, proof.eval_s2.bytes);
-    dig 1
-    intc 11 // 992
-    intc_1 // 32
-    extract3
-    dup
-    bury 39
+    dig 18
     concat
-    // contracts/plonk_bls12381.algo.ts:493
+    // contracts/plonk_bls12381.algo.ts:587
     // td = op.concat(td, proof.eval_zw.bytes);
-    swap
-    intc 16 // 1024
-    intc_1 // 32
-    extract3
-    dup
-    bury 37
+    dig 17
     concat
-    // contracts/plonk_bls12381.algo.ts:495
+    // contracts/plonk_bls12381.algo.ts:589
     // const v = new FixedArray<Uint256, 6>();
     intc 5 // 192
     bzero
-    // contracts/plonk_bls12381.algo.ts:496
+    // contracts/plonk_bls12381.algo.ts:590
     // v[1] = getChallenge(td); // v1
     swap
     callsub getChallenge
     replace2 32 // on error: index access is out of bounds
-    bury 16
-    // contracts/plonk_bls12381.algo.ts:497
+    bury 25
+    // contracts/plonk_bls12381.algo.ts:591
     // for (let i: uint64 = 2; i < 6; i++) {
     pushint 2 // 2
     bury 9
-main_while_top@11:
-    // contracts/plonk_bls12381.algo.ts:497
+main_while_top@18:
+    // contracts/plonk_bls12381.algo.ts:591
     // for (let i: uint64 = 2; i < 6; i++) {
     dig 8
     pushint 6 // 6
     <
-    bz main_after_while@13
-    // contracts/plonk_bls12381.algo.ts:498
+    bz main_after_while@20
+    // contracts/plonk_bls12381.algo.ts:592
     // v[i] = new Uint256(frMul((v[i - 1] as Uint256).native, v[1].native)); // v[i] = v1^i
     dig 8
     dup
@@ -1793,7 +2085,7 @@ main_while_top@11:
     -
     intc_1 // 32
     *
-    dig 17
+    dig 26
     dup
     uncover 2
     intc_1 // 32
@@ -1805,7 +2097,7 @@ main_while_top@11:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:498
+    // contracts/plonk_bls12381.algo.ts:592
     // v[i] = new Uint256(frMul((v[i - 1] as Uint256).native, v[1].native)); // v[i] = v1^i
     dup
     len
@@ -1820,39 +2112,26 @@ main_while_top@11:
     *
     swap
     replace3 // on error: index access is out of bounds
-    bury 17
-    // contracts/plonk_bls12381.algo.ts:497
+    bury 26
+    // contracts/plonk_bls12381.algo.ts:591
     // for (let i: uint64 = 2; i < 6; i++) {
     intc_3 // 1
     +
     bury 9
-    b main_while_top@11
+    b main_while_top@18
-main_after_while@13:
-    // contracts/plonk_bls12381.algo.ts:505
-    // td = op.concat(td, proof.Wxi);
-    dig 4
-    dup
-    intc 9 // 672
-    intc_0 // 96
-    extract3
-    dup
-    cover 2
-    bury 21
-    // contracts/plonk_bls12381.algo.ts:506
+main_after_while@20:
+    // contracts/plonk_bls12381.algo.ts:600
     // td = op.concat(td, proof.Wxiw);
-    intc 10 // 768
-    intc_0 // 96
-    extract3
-    dup
-    bury 27
+    dig 25
+    dig 37
     concat
     dup
-    bury 18
-    // contracts/plonk_bls12381.algo.ts:507
+    bury 29
+    // contracts/plonk_bls12381.algo.ts:601
     // const u = getChallenge(td);
     callsub getChallenge
-    // contracts/plonk_bls12381.algo.ts:509-518
+    // contracts/plonk_bls12381.algo.ts:603-612
     // return {
     //   beta,
     //   gamma,
@@ -1863,67 +2142,146 @@ main_after_while@13:
     //   xin: new Uint256(),
     //   zh: new Uint256(),
     // };
-    dig 18
-    dig 39
+    dig 27
+    dig 42
     concat
-    dig 14
+    dig 16
     concat
-    dig 17
+    dig 26
     concat
     swap
     concat
     pushbytes 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
     concat
+    bury 40
+    // contracts/plonk_bls12381.algo.ts:352
+    // assert(inField(lw.xin), "lw.xin not in Fr");
+    dig 38
     dup
-    bury 34
-    // contracts/plonk_bls12381.algo.ts:529
+    extract 2 32
+    dup
+    bury 26
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:352
+    // assert(inField(lw.xin), "lw.xin not in Fr");
+    assert // lw.xin not in Fr
+    // contracts/plonk_bls12381.algo.ts:353
+    // assert(inField(lw.zh), "lw.zh not in Fr");
+    extract 34 32
+    dup
+    bury 24
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:353
+    // assert(inField(lw.zh), "lw.zh not in Fr");
+    assert // lw.zh not in Fr
+    // contracts/plonk_bls12381.algo.ts:354
+    // for (let i: uint64 = 0; i < lw.L.length; i++) {
+    intc_2 // 0
+    bury 9
+main_while_top@21:
+    // contracts/plonk_bls12381.algo.ts:354
+    // for (let i: uint64 = 0; i < lw.L.length; i++) {
+    dig 38
+    dup
+    intc_2 // 0
+    extract_uint16
+    dig 1
+    len
+    substring3
+    dup
+    bury 49
+    intc_2 // 0
+    extract_uint16
+    dup
+    bury 11
+    dig 9
+    >
+    bz main_after_while@23
+    // contracts/plonk_bls12381.algo.ts:354-355
+    // for (let i: uint64 = 0; i < lw.L.length; i++) {
+    //   assert(inField(lw.L[i] as Uint256), "lw.L not in Fr");
+    dig 47
+    extract 2 0
+    dig 9
+    dup
+    cover 2
+    intc_1 // 32
+    *
+    intc_1 // 32
+    extract3 // on error: index access is out of bounds
+    // contracts/plonk_bls12381.algo.ts:348
+    // return value.native < BLS12_381_SCALAR_MODULUS;
+    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
+    b<
+    // contracts/plonk_bls12381.algo.ts:355
+    // assert(inField(lw.L[i] as Uint256), "lw.L not in Fr");
+    assert // lw.L not in Fr
+    // contracts/plonk_bls12381.algo.ts:354
+    // for (let i: uint64 = 0; i < lw.L.length; i++) {
+    intc_3 // 1
+    +
+    bury 9
+    b main_while_top@21
+main_after_while@23:
+    // contracts/plonk_bls12381.algo.ts:367
+    // let nPow: uint64 = 1;
+    intc_3 // 1
+    bury 7
+    // contracts/plonk_bls12381.algo.ts:368
     // let xin = challenges.xi.native;
+    dig 39
     extract 96 32
-    bury 12
-    // contracts/plonk_bls12381.algo.ts:532
-    // let domainSize: uint64 = 1;
-    intc_3 // 1
-    bury 10
-    // contracts/plonk_bls12381.algo.ts:533
+    dup
+    bury 15
+    // contracts/plonk_bls12381.algo.ts:369
     // for (let i: uint64 = 0; i < vk.power; i++) {
     intc_2 // 0
-    bury 9
+    bury 10
+    bury 13
-main_while_top@14:
-    // contracts/plonk_bls12381.algo.ts:533
+main_while_top@24:
+    // contracts/plonk_bls12381.algo.ts:369
     // for (let i: uint64 = 0; i < vk.power; i++) {
-    dig 14
+    dig 15
     intc 10 // 768
     extract_uint64
     dig 9
     >
-    bz main_after_while@16
+    bz main_after_while@26
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dig 11
+    dig 12
     dup
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    bury 12
-    // contracts/plonk_bls12381.algo.ts:535
-    // domainSize *= 2;
-    dig 9
+    bury 13
+    // contracts/plonk_bls12381.algo.ts:371
+    // nPow *= 2;
+    dig 6
     pushint 2 // 2
     *
-    bury 10
-    // contracts/plonk_bls12381.algo.ts:533
+    bury 7
+    // contracts/plonk_bls12381.algo.ts:369
     // for (let i: uint64 = 0; i < vk.power; i++) {
     dig 8
     intc_3 // 1
     +
     bury 9
-    b main_while_top@14
+    b main_while_top@24
-main_after_while@16:
-    // contracts/plonk_bls12381.algo.ts:538
-    // challenges.xin = new Uint256(xin);
-    dig 11
+main_after_while@26:
+    // contracts/plonk_bls12381.algo.ts:373
+    // const xinExpected = new Uint256(xin);
+    dig 12
     dup
     len
     intc_1 // 32
@@ -1932,16 +2290,18 @@ main_after_while@16:
     intc_1 // 32
     bzero
     dup
-    bury 50
-    dup2
+    bury 49
+    swap
+    dig 1
     b|
-    dig 35
-    pushint 352 // 352
-    uncover 2
-    replace3
-    // contracts/plonk_bls12381.algo.ts:539
-    // challenges.zh = new Uint256(frSub(xin, BigUint(1))); // Vanishing polynomial Z_H(\u03BE) = \u03BE^n - 1
-    uncover 2
+    // contracts/plonk_bls12381.algo.ts:374
+    // assert(lw.xin.native === xinExpected.native, "lw.xin != xi^n");
+    dig 25
+    dig 1
+    b==
+    assert // lw.xin != xi^n
+    // contracts/plonk_bls12381.algo.ts:377
+    // const zhExpected = new Uint256(frSub(xinExpected.native, BigUint(1)));
     bytec_2 // 0x01
     callsub frSub
     dup
@@ -1949,264 +2309,61 @@ main_after_while@16:
     intc_1 // 32
     <=
     assert // overflow
-    uncover 2
     b|
-    intc 4 // 384
-    swap
-    replace3
-    bury 33
-    // contracts/plonk_bls12381.algo.ts:541
-    // const n = frScalar(BigUint(domainSize));
-    dig 9
-    itob
-    // contracts/plonk_bls12381.algo.ts:158
-    // return a % BLS12_381_SCALAR_MODULUS;
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    bury 28
-    // contracts/plonk_bls12381.algo.ts:547
-    // let w = BigUint(1);
-    bytec_2 // 0x01
-    bury 14
-    // contracts/plonk_bls12381.algo.ts:556
-    // const L: Uint256[] = [new Uint256()];
-    pushbytes 0x00010000000000000000000000000000000000000000000000000000000000000000
-    bury 50
-    // contracts/plonk_bls12381.algo.ts:559
-    // const iterations: uint64 = vk.nPublic === 0 ? 1 : vk.nPublic;
-    dig 14
-    intc 17 // 776
-    extract_uint64
-    dup
-    bury 7
-    bnz main_ternary_false@18
+    // contracts/plonk_bls12381.algo.ts:378
+    // assert(lw.zh.native === zhExpected.native, "lw.zh != xi^n - 1");
+    dig 23
+    b==
+    assert // lw.zh != xi^n - 1
+    // contracts/plonk_bls12381.algo.ts:381
+    // const required: uint64 = vk.nPublic === 0 ? 1 : vk.nPublic;
+    dig 5
+    bnz main_ternary_false@28
     intc_3 // 1
-    bury 8
-main_ternary_merge@19:
-    // contracts/plonk_bls12381.algo.ts:560
-    // for (let i: uint64 = 1; i <= iterations; i++) {
+main_ternary_merge@29:
+    // contracts/plonk_bls12381.algo.ts:382
+    // assert(lw.L.length >= required + 1, "lw.L length too short"); // L[0] unused; start at index 1
     intc_3 // 1
-    bury 7
-main_while_top@20:
-    // contracts/plonk_bls12381.algo.ts:560
-    // for (let i: uint64 = 1; i <= iterations; i++) {
-    dig 6
-    dig 8
+    +
+    dig 10
     <=
-    bz main_after_while@22
-    // contracts/plonk_bls12381.algo.ts:564
-    // frMul(w, challenges.zh.native),
-    dig 32
-    dup
-    intc 4 // 384
-    intc_1 // 32
-    extract3
-    // contracts/plonk_bls12381.algo.ts:64
-    // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dig 15
-    dup
-    uncover 2
-    b*
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    // contracts/plonk_bls12381.algo.ts:565
-    // frMul(n, frSub(challenges.xi.native, w)),
-    uncover 2
-    extract 96 32
-    uncover 2
-    callsub frSub
-    // contracts/plonk_bls12381.algo.ts:64
-    // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dig 29
-    b*
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    // contracts/plonk_bls12381.algo.ts:158
-    // return a % BLS12_381_SCALAR_MODULUS;
-    swap
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    bury 50
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    // contracts/plonk_bls12381.algo.ts:111
-    // assert(x !== (0n as biguint), "Fr inverse of zero");
-    dup
-    bytec_1 // 0x
-    b!=
-    assert // Fr inverse of zero
-    // contracts/plonk_bls12381.algo.ts:112
-    // const inv = modPow(x, BLS12_381_R_MINUS_2, r);
-    pushbytes 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfefffffffeffffffff
-    // contracts/plonk_bls12381.algo.ts:90
-    // let result = 1n as biguint;
-    bytec_2 // 0x01
-    bury 24
-    // contracts/plonk_bls12381.algo.ts:91
-    // let b: biguint = base % mod;
-    swap
-    // contracts/plonk_bls12381.algo.ts:112
-    // const inv = modPow(x, BLS12_381_R_MINUS_2, r);
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    // contracts/plonk_bls12381.algo.ts:91
-    // let b: biguint = base % mod;
-    b%
-    bury 38
-    bury 32
-main_while_top@27:
-    // contracts/plonk_bls12381.algo.ts:93
-    // while (e > (0n as biguint)) {
-    dig 31
-    bytec_1 // 0x
-    b>
-    // contracts/plonk_bls12381.algo.ts:93-99
-    // while (e > (0n as biguint)) {
-    //   if ((e & (1n as biguint)) !== (0n as biguint)) {
-    //     result = (result * b) % mod;
-    //   }
-    //   b = (b * b) % mod;
-    //   e = e / BigUint(2);
-    // }
-    bz main_after_while@31
-    // contracts/plonk_bls12381.algo.ts:94
-    // if ((e & (1n as biguint)) !== (0n as biguint)) {
-    dig 31
+    assert // lw.L length too short
+    // contracts/plonk_bls12381.algo.ts:385
+    // assert(challenges.xi.native !== BigUint(1), "invalid xi (equals 1)");
+    dig 13
     bytec_2 // 0x01
-    b&
-    bytec_1 // 0x
     b!=
-    dig 22
-    bury 22
-    bz main_after_if_else@30
-    // contracts/plonk_bls12381.algo.ts:95
-    // result = (result * b) % mod;
-    dig 21
-    dig 37
-    b*
-    // contracts/plonk_bls12381.algo.ts:112
-    // const inv = modPow(x, BLS12_381_R_MINUS_2, r);
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    // contracts/plonk_bls12381.algo.ts:95
-    // result = (result * b) % mod;
-    b%
-    bury 21
-main_after_if_else@30:
-    dig 20
-    bury 22
-    // contracts/plonk_bls12381.algo.ts:97
-    // b = (b * b) % mod;
-    dig 36
-    dup
-    b*
-    // contracts/plonk_bls12381.algo.ts:112
-    // const inv = modPow(x, BLS12_381_R_MINUS_2, r);
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    // contracts/plonk_bls12381.algo.ts:97
-    // b = (b * b) % mod;
-    b%
-    bury 37
-    // contracts/plonk_bls12381.algo.ts:98
-    // e = e / BigUint(2);
-    dig 31
-    pushbytes 0x02
-    b/
-    bury 32
-    b main_while_top@27
-main_after_while@31:
-    // contracts/plonk_bls12381.algo.ts:125
-    // return (aN * bInv) % r;
-    dig 48
-    dig 22
-    b*
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    // contracts/plonk_bls12381.algo.ts:562-567
-    // new Uint256(
-    //   frDiv(
-    //     frMul(w, challenges.zh.native),
-    //     frMul(n, frSub(challenges.xi.native, w)),
-    //   ),
-    // ),
-    dup
-    len
-    intc_1 // 32
-    <=
-    assert // overflow
-    dig 48
-    b|
-    // contracts/plonk_bls12381.algo.ts:561-568
-    // L.push(
-    //   new Uint256(
-    //     frDiv(
-    //       frMul(w, challenges.zh.native),
-    //       frMul(n, frSub(challenges.xi.native, w)),
-    //     ),
-    //   ),
-    // );
-    dig 50
-    dup
-    uncover 2
-    concat // on error: max array length exceeded
-    swap
-    intc_2 // 0
-    extract_uint16
-    intc_3 // 1
-    +
-    itob
-    extract 6 2
-    replace2 0
-    bury 50
-    // contracts/plonk_bls12381.algo.ts:64
-    // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dig 13
-    // contracts/plonk_bls12381.algo.ts:569
-    // w = frMul(w, ROOT_OF_UNITY); // Next root of unity step (\u03C9^i)
-    bytec_3 // TMPL_ROOT_OF_UNITY
-    // contracts/plonk_bls12381.algo.ts:64
-    // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    b*
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    bury 14
-    // contracts/plonk_bls12381.algo.ts:560
-    // for (let i: uint64 = 1; i <= iterations; i++) {
-    dig 6
-    intc_3 // 1
-    +
-    bury 7
-    b main_while_top@20
-main_after_while@22:
-    // contracts/plonk_bls12381.algo.ts:571
-    // return { L, challenges };
-    pushbytes 0x01a2
-    dig 33
-    concat
-    dig 50
-    concat
-    bury 47
-    // contracts/plonk_bls12381.algo.ts:581
+    assert // invalid xi (equals 1)
+    // contracts/plonk_bls12381.algo.ts:443
+    // challenges.xin = lw.xin;
+    dig 39
+    pushint 352 // 352
+    dig 25
+    replace3
+    // contracts/plonk_bls12381.algo.ts:444
+    // challenges.zh = lw.zh;
+    intc 4 // 384
+    dig 24
+    replace3
+    bury 40
+    // contracts/plonk_bls12381.algo.ts:675
     // let pi = BigUint(0);
     bytec_1 // 0x
-    bury 23
-    // contracts/plonk_bls12381.algo.ts:582
+    bury 30
+    // contracts/plonk_bls12381.algo.ts:676
     // for (let i: uint64 = 0; i < publicSignals.length; i++) {
     intc_2 // 0
     bury 9
-main_while_top@23:
-    // contracts/plonk_bls12381.algo.ts:582
+main_while_top@30:
+    // contracts/plonk_bls12381.algo.ts:676
     // for (let i: uint64 = 0; i < publicSignals.length; i++) {
     dig 8
     dig 11
     <
-    bz main_after_while@25
-    // contracts/plonk_bls12381.algo.ts:583
+    bz main_after_while@32
+    // contracts/plonk_bls12381.algo.ts:677
     // const w = frScalar((publicSignals[i] as Uint256).native);
     dig 2
     extract 2 0
@@ -2221,20 +2378,14 @@ main_while_top@23:
     // return a % BLS12_381_SCALAR_MODULUS;
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:584
+    // contracts/plonk_bls12381.algo.ts:678
     // pi = frSub(pi, frMul(w, (L[i + 1] as Uint256).native));
     swap
     intc_3 // 1
     +
     dup
     bury 11
-    dig 48
-    dup
-    intc_2 // 0
-    extract_uint16
-    dig 1
-    len
-    substring3
+    dig 49
     extract 2 0
     swap
     intc_1 // 32
@@ -2246,45 +2397,36 @@ main_while_top@23:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:584
+    // contracts/plonk_bls12381.algo.ts:678
     // pi = frSub(pi, frMul(w, (L[i + 1] as Uint256).native));
-    dig 23
+    dig 30
     swap
     callsub frSub
-    bury 23
-    b main_while_top@23
+    bury 30
+    b main_while_top@30
-main_after_while@25:
-    // contracts/plonk_bls12381.algo.ts:586
+main_after_while@32:
+    // contracts/plonk_bls12381.algo.ts:680
     // return new Uint256(pi);
-    dig 22
+    dig 29
     dup
     len
     intc_1 // 32
     <=
     assert // overflow
-    dig 48
+    dig 47
     dup
     cover 2
     b|
-    // contracts/plonk_bls12381.algo.ts:356
-    // const r0 = calculateR0(proof, challenges, pi, L[1] as Uint256);
-    dig 48
-    dup
-    intc_2 // 0
-    extract_uint16
-    dig 1
-    len
-    dig 2
-    cover 2
-    substring3
+    // contracts/plonk_bls12381.algo.ts:450
+    // const r0 = calculateR0(proof, challenges, pi, lw.L[1] as Uint256);
+    dig 49
     extract 34 32
-    // contracts/plonk_bls12381.algo.ts:607
+    // contracts/plonk_bls12381.algo.ts:701
     // frMul(challenges.alpha.native, challenges.alpha.native),
-    swap
-    pushints 2 416 // 2, 416
-    extract3
+    dig 42
     dup
+    cover 2
     extract 64 32
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
@@ -2293,18 +2435,18 @@ main_after_while@25:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    uncover 3
+    uncover 2
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:614
+    // contracts/plonk_bls12381.algo.ts:708
     // frMul(challenges.beta.native, proof.eval_s1.native),
     dig 2
     extract 0 32
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
     dup
-    dig 40
+    dig 25
     dup
     cover 8
     b*
@@ -2312,9 +2454,9 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:147
     // const aN: biguint = a % r;
-    dig 38
+    dig 29
     dup
-    cover 6
+    cover 7
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
     // contracts/plonk_bls12381.algo.ts:148
@@ -2328,7 +2470,7 @@ main_after_while@25:
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:616
+    // contracts/plonk_bls12381.algo.ts:710
     // e3a = frAdd(e3a, challenges.gamma.native);
     dig 5
     extract 32 32
@@ -2352,7 +2494,7 @@ main_after_while@25:
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
     dig 3
-    dig 47
+    dig 29
     dup
     cover 12
     b*
@@ -2360,7 +2502,7 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:147
     // const aN: biguint = a % r;
-    dig 42
+    dig 33
     dup
     cover 4
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
@@ -2388,9 +2530,9 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:147
     // const aN: biguint = a % r;
-    dig 43
+    dig 34
     dup
-    cover 9
+    cover 14
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
     // contracts/plonk_bls12381.algo.ts:149
@@ -2412,76 +2554,68 @@ main_after_while@25:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    dig 51
+    dig 33
     dup
-    cover 15
+    cover 14
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    dig 10
+    dig 9
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:631
+    // contracts/plonk_bls12381.algo.ts:725
     // const r0 = frSub(frSub(e1, e2), e3);
-    uncover 13
+    uncover 11
     dig 9
     callsub frSub
     swap
     callsub frSub
-    // contracts/plonk_bls12381.algo.ts:632
+    // contracts/plonk_bls12381.algo.ts:726
     // return new Uint256(r0);
     dup
     len
     intc_1 // 32
     <=
     assert // overflow
-    uncover 14
+    uncover 13
     b|
-    // contracts/plonk_bls12381.algo.ts:658
-    // dPoints = op.concat(dPoints, proof.T1);
-    dig 35
-    dig 61
+    // contracts/plonk_bls12381.algo.ts:754
+    // points = op.concat(points, proof.T1);
+    dig 44
+    dig 48
     concat
-    // contracts/plonk_bls12381.algo.ts:659
-    // dPoints = op.concat(dPoints, proof.T2);
-    dig 60
+    // contracts/plonk_bls12381.algo.ts:755
+    // points = op.concat(points, proof.T2);
+    dig 47
+    concat
+    // contracts/plonk_bls12381.algo.ts:756
+    // points = op.concat(points, proof.T3);
+    dig 54
     concat
-    // contracts/plonk_bls12381.algo.ts:660
-    // dPoints = op.concat(dPoints, proof.T3);
-    dig 59
+    // contracts/plonk_bls12381.algo.ts:757
+    // points = op.concat(points, vk.Qc);
+    dig 62
     concat
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dig 13
+    dig 12
     dig 7
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:671
-    // frMul(BigUint(1), challenges.zh.native),
-    dig 13
+    // contracts/plonk_bls12381.algo.ts:766
+    // const quotientScalar1 = frSub(BigUint(0), challenges.zh.native); // \u2212zh (applies to T1)
+    dig 12
     intc 4 // 384
     intc_1 // 32
     extract3
-    // contracts/plonk_bls12381.algo.ts:64
-    // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dup
-    bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
-    b%
-    // contracts/plonk_bls12381.algo.ts:670
-    // BigUint(0),
     bytec_1 // 0x
-    // contracts/plonk_bls12381.algo.ts:669-672
-    // const quotientScalar1 = frSub(
-    //   BigUint(0),
-    //   frMul(BigUint(1), challenges.zh.native),
-    // ); // -T1*zh
-    swap
+    dig 1
     callsub frSub
-    // contracts/plonk_bls12381.algo.ts:675
+    // contracts/plonk_bls12381.algo.ts:769
     // frMul(challenges.xin.native, challenges.zh.native),
-    dig 15
+    dig 14
     pushint 352 // 352
     intc_1 // 32
     extract3
@@ -2492,14 +2626,14 @@ main_after_while@25:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:674
+    // contracts/plonk_bls12381.algo.ts:768
     // BigUint(0),
     bytec_1 // 0x
-    // contracts/plonk_bls12381.algo.ts:673-676
+    // contracts/plonk_bls12381.algo.ts:767-770
     // const quotientScalar2 = frSub(
     //   BigUint(0),
     //   frMul(challenges.xin.native, challenges.zh.native),
-    // ); // -T2*xin*zh
+    // ); // \u2212xin\xB7zh (applies to T2)
     swap
     callsub frSub
     // contracts/plonk_bls12381.algo.ts:64
@@ -2513,85 +2647,26 @@ main_after_while@25:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:678
+    // contracts/plonk_bls12381.algo.ts:772
     // BigUint(0),
     bytec_1 // 0x
-    // contracts/plonk_bls12381.algo.ts:677-683
+    // contracts/plonk_bls12381.algo.ts:771-777
     // const quotientScalar3 = frSub(
     //   BigUint(0),
     //   frMul(
     //     frMul(challenges.xin.native, challenges.xin.native),
     //     challenges.zh.native,
     //   ),
-    // ); // -T3*xin\xB2*zh
+    // ); // \u2212xin\xB2\xB7zh (applies to T3)
     swap
     callsub frSub
-    // contracts/plonk_bls12381.algo.ts:686
-    // let dScalars = op.concat(b32(gateScalar1), b32(gateScalar2));
-    uncover 3
-    callsub b32
-    dig 17
-    callsub b32
-    concat
-    // contracts/plonk_bls12381.algo.ts:687
-    // dScalars = op.concat(dScalars, b32(gateScalar3));
-    dig 10
-    callsub b32
-    concat
-    // contracts/plonk_bls12381.algo.ts:688
-    // dScalars = op.concat(dScalars, b32(gateScalar4));
-    dig 14
-    callsub b32
-    concat
-    // contracts/plonk_bls12381.algo.ts:689
-    // dScalars = op.concat(dScalars, b32(quotientScalar1));
-    uncover 3
-    callsub b32
-    concat
-    // contracts/plonk_bls12381.algo.ts:690
-    // dScalars = op.concat(dScalars, b32(quotientScalar2));
-    uncover 2
-    callsub b32
-    concat
-    // contracts/plonk_bls12381.algo.ts:691
-    // dScalars = op.concat(dScalars, b32(quotientScalar3));
-    swap
-    callsub b32
-    concat
-    // contracts/plonk_bls12381.algo.ts:694-698
-    // const dBatched = op.EllipticCurve.scalarMulMulti(
-    //   op.Ec.BLS12_381g1,
-    //   dPoints,
-    //   dScalars,
-    // );
-    ec_multi_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:699
-    // let D = g1Add(dBatched.toFixed({ length: 96 }), vk.Qc); // Add Qc constant term
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:234
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    dig 40
-    ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    //   length: 96,
-    // });
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:702
+    // contracts/plonk_bls12381.algo.ts:780
     // const betaxi = frMul(challenges.beta.native, challenges.xi.native);
-    dig 12
+    dig 15
     extract 96 32
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    dig 9
+    dig 13
     dig 1
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
@@ -2603,7 +2678,7 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:149
     // return (aN + bN) % r;
-    uncover 10
+    uncover 14
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
@@ -2613,13 +2688,13 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:149
     // return (aN + bN) % r;
-    dig 8
+    dig 12
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:708
+    // contracts/plonk_bls12381.algo.ts:786
     // frAdd(proof.eval_b.native, frMul(betaxi, BigUint(vk.k1))),
-    dig 33
+    dig 38
     dup
     cover 3
     intc 18 // 784
@@ -2637,7 +2712,7 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:149
     // return (aN + bN) % r;
-    uncover 9
+    uncover 13
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
@@ -2647,11 +2722,11 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:149
     // return (aN + bN) % r;
-    dig 9
+    dig 13
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:712
+    // contracts/plonk_bls12381.algo.ts:790
     // frAdd(proof.eval_c.native, frMul(betaxi, BigUint(vk.k2))),
     dig 3
     intc 19 // 792
@@ -2669,7 +2744,7 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:149
     // return (aN + bN) % r;
-    uncover 8
+    uncover 12
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
@@ -2679,7 +2754,7 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:149
     // return (aN + bN) % r;
-    uncover 8
+    uncover 12
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
@@ -2692,7 +2767,7 @@ main_after_while@25:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    dig 10
+    dig 13
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
@@ -2702,7 +2777,7 @@ main_after_while@25:
     b%
     // contracts/plonk_bls12381.algo.ts:148
     // const bN: biguint = b % r;
-    uncover 8
+    uncover 12
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
     // contracts/plonk_bls12381.algo.ts:149
@@ -2710,9 +2785,9 @@ main_after_while@25:
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:720
+    // contracts/plonk_bls12381.algo.ts:798
     // const zScalar = frAdd(frAdd(d2a, d2b), challenges.u.native);
-    dig 10
+    dig 13
     pushint 320 // 320
     intc_1 // 32
     extract3
@@ -2731,180 +2806,161 @@ main_after_while@25:
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:223
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    dig 42
-    swap
-    ec_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:223-225
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    //   length: 96,
-    // });
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:234
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    uncover 4
-    swap
-    ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    //   length: 96,
-    // });
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
-    uncover 9
-    uncover 8
+    uncover 13
+    uncover 13
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    dig 11
+    dig 15
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    uncover 6
+    uncover 11
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:223
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    dig 38
-    swap
-    ec_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:223-225
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    //   length: 96,
-    // });
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:254
-    // return g1Add(p, g1Neg(q));
-    callsub g1Neg
-    // contracts/plonk_bls12381.algo.ts:234
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    //   length: 96,
-    // });
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:749
-    // let fPoints = op.concat(proof.A, proof.B);
-    dig 51
+    // contracts/plonk_bls12381.algo.ts:822
+    // points = op.concat(points, proof.Z);
+    uncover 9
+    dig 50
+    concat
+    // contracts/plonk_bls12381.algo.ts:823
+    // points = op.concat(points, vk.S3);
+    dig 60
+    concat
+    // contracts/plonk_bls12381.algo.ts:824
+    // points = op.concat(points, proof.A);
+    dig 53
+    concat
+    // contracts/plonk_bls12381.algo.ts:825
+    // points = op.concat(points, proof.B);
+    dig 52
+    concat
+    // contracts/plonk_bls12381.algo.ts:826
+    // points = op.concat(points, proof.C);
     dig 51
     concat
-    // contracts/plonk_bls12381.algo.ts:750
-    // fPoints = op.concat(fPoints, proof.C);
-    dig 58
+    // contracts/plonk_bls12381.algo.ts:827
+    // points = op.concat(points, vk.S1);
+    dig 62
     concat
-    // contracts/plonk_bls12381.algo.ts:751
-    // fPoints = op.concat(fPoints, vk.S1);
-    dig 54
+    // contracts/plonk_bls12381.algo.ts:828
+    // points = op.concat(points, vk.S2);
+    dig 61
     concat
-    // contracts/plonk_bls12381.algo.ts:752
-    // fPoints = op.concat(fPoints, vk.S2);
-    dig 53
+    // contracts/plonk_bls12381.algo.ts:831
+    // let scalars = op.concat(b32(gateScalar1), b32(gateScalar2));
+    uncover 9
+    callsub b32
+    dig 13
+    callsub b32
     concat
-    // contracts/plonk_bls12381.algo.ts:756
-    // (challenges.v[1] as Uint256).bytes,
+    // contracts/plonk_bls12381.algo.ts:832
+    // scalars = op.concat(scalars, b32(gateScalar3));
+    dig 11
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:833
+    // scalars = op.concat(scalars, b32(gateScalar4));
+    dig 15
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:834
+    // scalars = op.concat(scalars, b32(quotientScalar1));
+    uncover 9
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:835
+    // scalars = op.concat(scalars, b32(quotientScalar2));
     uncover 8
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:836
+    // scalars = op.concat(scalars, b32(quotientScalar3));
+    uncover 7
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:837
+    // scalars = op.concat(scalars, b32(BigUint(1))); // Qc with scalar 1
+    bytec_2 // 0x01
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:838
+    // scalars = op.concat(scalars, b32(zScalar)); // Z with zScalar
+    uncover 3
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:839
+    // scalars = op.concat(scalars, b32(frSub(BigUint(0), s3Scalar))); // S3 with -s3Scalar
+    bytec_1 // 0x
+    uncover 3
+    callsub frSub
+    callsub b32
+    concat
+    // contracts/plonk_bls12381.algo.ts:840
+    // scalars = op.concat(scalars, (challenges.v[1] as Uint256).bytes);
+    uncover 7
     extract 128 192
     dup
     extract 32 32 // on error: index access is out of bounds
-    // contracts/plonk_bls12381.algo.ts:756-757
-    // (challenges.v[1] as Uint256).bytes,
-    // (challenges.v[2] as Uint256).bytes,
+    uncover 2
     dig 1
+    concat
+    // contracts/plonk_bls12381.algo.ts:840-841
+    // scalars = op.concat(scalars, (challenges.v[1] as Uint256).bytes);
+    // scalars = op.concat(scalars, (challenges.v[2] as Uint256).bytes);
+    dig 2
     extract 64 32 // on error: index access is out of bounds
-    // contracts/plonk_bls12381.algo.ts:755-758
-    // let fScalars = op.concat(
-    //   (challenges.v[1] as Uint256).bytes,
-    //   (challenges.v[2] as Uint256).bytes,
-    // );
-    dup2
+    // contracts/plonk_bls12381.algo.ts:841
+    // scalars = op.concat(scalars, (challenges.v[2] as Uint256).bytes);
+    swap
+    dig 1
     concat
-    // contracts/plonk_bls12381.algo.ts:759
-    // fScalars = op.concat(fScalars, (challenges.v[3] as Uint256).bytes);
+    // contracts/plonk_bls12381.algo.ts:842
+    // scalars = op.concat(scalars, (challenges.v[3] as Uint256).bytes);
     dig 3
     extract 96 32 // on error: index access is out of bounds
     swap
     dig 1
     concat
-    // contracts/plonk_bls12381.algo.ts:760
-    // fScalars = op.concat(fScalars, (challenges.v[4] as Uint256).bytes);
+    // contracts/plonk_bls12381.algo.ts:843
+    // scalars = op.concat(scalars, (challenges.v[4] as Uint256).bytes);
     dig 4
     extract 128 32 // on error: index access is out of bounds
     swap
     dig 1
     concat
-    // contracts/plonk_bls12381.algo.ts:761
-    // fScalars = op.concat(fScalars, (challenges.v[5] as Uint256).bytes);
+    // contracts/plonk_bls12381.algo.ts:844
+    // scalars = op.concat(scalars, (challenges.v[5] as Uint256).bytes);
     uncover 5
     extract 160 32 // on error: index access is out of bounds
     swap
     dig 1
     concat
-    // contracts/plonk_bls12381.algo.ts:763-767
-    // const fBatched = op.EllipticCurve.scalarMulMulti(
+    // contracts/plonk_bls12381.algo.ts:847-851
+    // const F = op.EllipticCurve.scalarMulMulti(
     //   op.Ec.BLS12_381g1,
-    //   fPoints,
-    //   fScalars,
-    // );
+    //   points,
+    //   scalars,
+    // ).toFixed({ length: 96 });
     uncover 6
     swap
     ec_multi_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:768
-    // const F = g1Add(D, fBatched.toFixed({ length: 96 }));
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:234
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    dig 6
-    swap
-    ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
-    // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    //   length: 96,
-    // });
     dup
     len
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:770
-    // return { D, F };
-    uncover 6
-    swap
-    concat
-    // contracts/plonk_bls12381.algo.ts:359
-    // const { D: d, F: f } = calculateDF(proof, challenges, vk, L[1] as Uint256);
-    extract 96 96
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
     uncover 5
-    uncover 12
+    uncover 11
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:784-787
+    // contracts/plonk_bls12381.algo.ts:867-870
     // let e = frSub(
     //   frMul((challenges.v[1] as Uint256).native, proof.eval_a.native),
     //   r0.native,
@@ -2936,7 +2992,7 @@ main_after_while@25:
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
     uncover 4
-    uncover 8
+    uncover 9
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
@@ -3021,14 +3077,14 @@ main_after_while@25:
     b+
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:800
+    // contracts/plonk_bls12381.algo.ts:883
     // const res = g1TimesFr(G1_ONE.toFixed({ length: 96 }), e);
     pushbytes 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1
-    // contracts/plonk_bls12381.algo.ts:223
+    // contracts/plonk_bls12381.algo.ts:230
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     swap
     ec_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:223-225
+    // contracts/plonk_bls12381.algo.ts:230-232
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     //   length: 96,
     // });
@@ -3037,12 +3093,12 @@ main_after_while@25:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:223
+    // contracts/plonk_bls12381.algo.ts:230
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    dig 29
+    dig 41
     dig 3
     ec_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:223-225
+    // contracts/plonk_bls12381.algo.ts:230-232
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     //   length: 96,
     // });
@@ -3051,12 +3107,12 @@ main_after_while@25:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:234
+    // contracts/plonk_bls12381.algo.ts:241
     // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
-    dig 24
+    dig 31
     swap
     ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
+    // contracts/plonk_bls12381.algo.ts:241-243
     // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
     //   length: 96,
     // });
@@ -3072,27 +3128,27 @@ main_after_while@25:
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:832
+    // contracts/plonk_bls12381.algo.ts:915
     // ROOT_OF_UNITY,
-    bytec_3 // TMPL_ROOT_OF_UNITY
+    bytec 6 // TMPL_ROOT_OF_UNITY
     // contracts/plonk_bls12381.algo.ts:64
     // return (a * b) % BLS12_381_SCALAR_MODULUS;
     b*
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:834
+    // contracts/plonk_bls12381.algo.ts:917
     // const pairingScalars = op.concat(challenges.xi.bytes, b32(s));
     callsub b32
     uncover 5
     swap
     concat
-    // contracts/plonk_bls12381.algo.ts:836-840
+    // contracts/plonk_bls12381.algo.ts:919-923
     // let B1 = op.EllipticCurve.scalarMulMulti(
     //   op.Ec.BLS12_381g1,
     //   pairingPoints,
     //   pairingScalars,
     // ).toFixed({ length: 96 });
-    dig 21
+    dig 32
     swap
     ec_multi_scalar_mul BLS12_381g1
     dup
@@ -3100,11 +3156,11 @@ main_after_while@25:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:234
+    // contracts/plonk_bls12381.algo.ts:241
     // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
     uncover 3
     ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
+    // contracts/plonk_bls12381.algo.ts:241-243
     // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
     //   length: 96,
     // });
@@ -3113,14 +3169,28 @@ main_after_while@25:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:254
-    // return g1Add(p, g1Neg(q));
+    // contracts/plonk_bls12381.algo.ts:230
+    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     uncover 2
-    callsub g1Neg
-    // contracts/plonk_bls12381.algo.ts:234
+    // contracts/plonk_bls12381.algo.ts:252
+    // return g1TimesFr(p, R_MINUS_1);
+    bytec 4 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000
+    // contracts/plonk_bls12381.algo.ts:230
+    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
+    ec_scalar_mul BLS12_381g1
+    // contracts/plonk_bls12381.algo.ts:230-232
+    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
+    //   length: 96,
+    // });
+    dup
+    len
+    intc_0 // 96
+    ==
+    assert // Length must be 96
+    // contracts/plonk_bls12381.algo.ts:241
     // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
     ec_add BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:234-236
+    // contracts/plonk_bls12381.algo.ts:241-243
     // return op.EllipticCurve.add(op.Ec.BLS12_381g1, p1, p2).toFixed({
     //   length: 96,
     // });
@@ -3129,16 +3199,16 @@ main_after_while@25:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:223
+    // contracts/plonk_bls12381.algo.ts:230
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     swap
-    // contracts/plonk_bls12381.algo.ts:245
+    // contracts/plonk_bls12381.algo.ts:252
     // return g1TimesFr(p, R_MINUS_1);
     bytec 4 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000
-    // contracts/plonk_bls12381.algo.ts:223
+    // contracts/plonk_bls12381.algo.ts:230
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     ec_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:223-225
+    // contracts/plonk_bls12381.algo.ts:230-232
     // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
     //   length: 96,
     // });
@@ -3147,11 +3217,11 @@ main_after_while@25:
     intc_0 // 96
     ==
     assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:847
+    // contracts/plonk_bls12381.algo.ts:930
     // op.concat(g1Neg(A1), B1), // G1 points
     swap
     concat
-    // contracts/plonk_bls12381.algo.ts:848
+    // contracts/plonk_bls12381.algo.ts:931
     // op.concat(vk.X_2, G2_ONE), // G2 points
     swap
     intc 20 // 800
@@ -3159,25 +3229,24 @@ main_after_while@25:
     extract3
     pushbytes 0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb813e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b828010606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be
     concat
-    // contracts/plonk_bls12381.algo.ts:845-849
+    // contracts/plonk_bls12381.algo.ts:928-932
     // const res = op.EllipticCurve.pairingCheck(
     //   op.Ec.BLS12_381g1,
     //   op.concat(g1Neg(A1), B1), // G1 points
     //   op.concat(vk.X_2, G2_ONE), // G2 points
     // );
     ec_pairing_check BLS12_381g1
-    // contracts/verifier.algo.ts:95
-    // assert(verifyFromTemplate(signals, proof), "Verification failed");
+    // contracts/verifier.algo.ts:120
+    // assert(verifyFromTemplate(signals, proof, lw), "Verification failed");
     assert // Verification failed
-    // contracts/verifier.algo.ts:97
+    // contracts/verifier.algo.ts:122
     // return true;
     intc_3 // 1
     return
-main_ternary_false@18:
+main_ternary_false@28:
     dig 5
-    bury 8
-    b main_ternary_merge@19
+    b main_ternary_merge@29
 // contracts/plonk_bls12381.algo.ts::frSub(a: bytes, b: bytes) -> bytes:
@@ -3231,40 +3300,12 @@ b32:
     retsub
-// contracts/plonk_bls12381.algo.ts::g1Neg(p: bytes) -> bytes:
-g1Neg:
-    // contracts/plonk_bls12381.algo.ts:244
-    // function g1Neg(p: bytes<96>): bytes<96> {
-    proto 1 1
-    // contracts/plonk_bls12381.algo.ts:223
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    frame_dig -1
-    // contracts/plonk_bls12381.algo.ts:245
-    // return g1TimesFr(p, R_MINUS_1);
-    bytec 4 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000
-    // contracts/plonk_bls12381.algo.ts:223
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    ec_scalar_mul BLS12_381g1
-    // contracts/plonk_bls12381.algo.ts:223-225
-    // return op.EllipticCurve.scalarMul(op.Ec.BLS12_381g1, p, Bytes(s)).toFixed({
-    //   length: 96,
-    // });
-    dup
-    len
-    intc_0 // 96
-    ==
-    assert // Length must be 96
-    // contracts/plonk_bls12381.algo.ts:245
-    // return g1TimesFr(p, R_MINUS_1);
-    retsub
 // contracts/plonk_bls12381.algo.ts::getChallenge(td: bytes) -> bytes:
 getChallenge:
-    // contracts/plonk_bls12381.algo.ts:423
+    // contracts/plonk_bls12381.algo.ts:517
     // export function getChallenge(td: bytes): Uint256 {
     proto 1 1
-    // contracts/plonk_bls12381.algo.ts:424
+    // contracts/plonk_bls12381.algo.ts:518
     // let hash = op.keccak256(td);
     frame_dig -1
     keccak256
@@ -3272,7 +3313,7 @@ getChallenge:
     // return a % BLS12_381_SCALAR_MODULUS;
     bytec_0 // 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001
     b%
-    // contracts/plonk_bls12381.algo.ts:425
+    // contracts/plonk_bls12381.algo.ts:519
     // return new Uint256(frScalar(BigUint(hash)));
     dup
     len
@@ -4589,7 +4630,7 @@ async function getLagrangeWitness(proof, signals, algorand, vkBytes, rootOfUnity
     onComplete: import_algosdk5.OnApplicationComplete.DeleteApplicationOC
   });
   const simResult = await algorand.newGroup().addTransaction(calcTxn.transactions[0]).simulate({
-    extraOpcodeBudget: 700 * 255,
+    extraOpcodeBudget: 2e4 * 16,
     skipSignatures: true
   });
   const log = simResult.confirmations[0].logs.at(-1);