zkevm-rom 0.0.1-security → 6.0.1

package/main/opcodes/storage-memory.zkasm

@@ -0,0 +1,313 @@
+/**
+ * @link [https://www.evm.codes/#51?fork=berlin]
+ * @zk-counters
+ *  - 100 steps
+ * @process-opcode
+ *  - stack input: [offset]
+ *  - stack output: [value]
+ */
+opMLOAD:
+    ; checks zk-counters
+    %MAX_CNT_STEPS - STEP - 100 :JMPN(outOfCountersStep)
+
+    ; check stack underflow
+    SP - 1 => SP    :JMPN(stackUnderflow)
+
+    ; check out-of-gas
+    GAS - %GAS_FASTEST_STEP => GAS  :JMPN(outOfGas)
+
+    $ => E          :MLOAD(SP); [offset => E]
+    ; store lastMemOffset for memory expansion gas cost
+    E               :MSTORE(lastMemOffset)
+    ; store lastMemLength for memory expansion gas cost
+    ; compute memory expansion gas cost
+    32              :MSTORE(lastMemLength), CALL(saveMem); in: [lastMemOffset, lastMemLength]
+    ; read and store stack output
+                    :CALL(MLOAD32); in: [E: offset] out: [A: value, E: new offset]
+    A               :MSTORE(SP++), JMP(readCode); [value(A) => SP]
+
+/**
+ * @link [https://www.evm.codes/#52?fork=berlin]
+ * @zk-counters
+ *  - 100 steps
+ * @process-opcode
+ *  - stack input: [offset, value]
+ *  - stack output: none
+ */
+ VAR GLOBAL mstoreAux
+ opMSTORE:
+    ; checks zk-counters
+    %MAX_CNT_STEPS - STEP - 100 :JMPN(outOfCountersStep)
+    %MAX_CNT_MEM_ALIGN - CNT_MEM_ALIGN - 1   :JMPN(outOfCountersMemalign)
+
+    ; check stack underflow
+    SP - 2 => SP          :JMPN(stackUnderflow)
+
+    ; check out-of-gas
+    GAS - %GAS_FASTEST_STEP => GAS  :JMPN(outOfGas)
+
+    $ => E          :MLOAD(SP+1); [offset => E]
+    $ => B          :MLOAD(SP); [value => B]
+
+    ; store lastMemOffset for memory expansion gas cost
+    E               :MSTORE(lastMemOffset)
+    ; store lastMemLength for memory expansion gas cost
+    32              :MSTORE(lastMemLength), CALL(saveMem); in: [lastMemOffset, lastMemLength]
+    ; store bytesToStore for memalign execution
+    B               :MSTORE(bytesToStore)
+    E => A          :CALL(offsetUtil); in: [A: offset] out: [E: offset/32, C: offset%32]
+
+    E               :MSTORE(mstoreAux)
+    $ => A          :MLOAD(MEM:E)
+    $ => B          :MLOAD(MEM:E+1)
+    ${memAlignWR_W0(A,mem.bytesToStore,C)} => D                    ; no trust calculate W0
+    ${memAlignWR_W1(B,mem.bytesToStore,C)} => E                    ; no trust calculate W1
+    $               :MEM_ALIGN_WR,MLOAD(bytesToStore)
+    E => A
+    $ => E          :MLOAD(mstoreAux)
+    D               :MSTORE(MEM:E)          ; write W0
+    A               :MSTORE(MEM:E+1)        ; write W1
+                    :JMP(readCode)
+
+/**
+ * @link [https://www.evm.codes/#53?fork=berlin]
+ * @zk-counters
+ *  - 100 steps
+ *  - 1 mem align
+ * @process-opcode
+ *  - stack input: [offset, value]
+ *  - stack output: none
+ */
+opMSTORE8:
+    ; checks zk-counters
+    %MAX_CNT_STEPS - STEP - 100 :JMPN(outOfCountersStep)
+    %MAX_CNT_MEM_ALIGN - CNT_MEM_ALIGN  - 1 :JMPN(outOfCountersMemalign)
+
+    ; check stack underflow
+    SP - 2 => SP          :JMPN(stackUnderflow)
+
+    ; check out-of-gas
+    GAS - %GAS_FASTEST_STEP => GAS  :JMPN(outOfGas)
+
+    $ => B          :MLOAD(SP+1); [offset => B]
+    ; store lastMemOffset for memory expansion gas cost
+    B               :MSTORE(lastMemOffset)
+    ; store lastMemLength for memory expansion gas cost. In case of MSTORE8, always 1 byte
+    1               :MSTORE(lastMemLength), CALL(saveMem); in: [lastMemOffset, lastMemLength]
+    B => A          :CALL(offsetUtil); in: [A: offset] out: [E: offset/32, C: offset%32]
+    $ => B          :MLOAD(SP); [value => B]
+    ; read from memory position E
+    $ => A          :MLOAD(MEM:E)
+    ${memAlignWR8_W0(A,B,C)} => D  ; no trust calculate W0
+    B               :MEM_ALIGN_WR8 ; only use LSB of B, rest of bytes could be non zero.
+    ; write at memory position E
+    D               :MSTORE(MEM:E), JMP(readCode)
+
+/**
+ * @link [https://www.evm.codes/#59?fork=berlin]
+ * @zk-counters
+ *  - 100 steps
+ * @process-opcode
+ *  - stack input: none
+ *  - stack output: [size]
+ */
+opMSIZE:
+    ; checks zk-counters
+    %MAX_CNT_STEPS - STEP - 100 :JMPN(outOfCountersStep)
+
+    ; check out-of-gas
+    GAS - %GAS_QUICK_STEP => GAS      :JMPN(outOfGas)
+
+    ; load current memory length
+    $ => E              :MLOAD(memLength)
+    ; MSIZE should be multiple of a word (32 bytes)
+    ; Div operation with Arith
+    E               :MSTORE(arithA)
+    32              :MSTORE(arithB)
+                    :CALL(divARITH); in: [arithA, arithB] out: [arithRes1: arithA/arithB, arithRes2: arithA%arithB]
+    $ => C          :MLOAD(arithRes1)
+    $ => B          :MLOAD(arithRes2)
+    ; check arithRes2 is 0, no need to round in this case
+    0 => A
+    %MAX_CNT_BINARY - CNT_BINARY - 1 :JMPN(outOfCountersBinary)
+    $               :EQ, JMPC(MSIZEend)
+    ; Round size to 32bytes multiple
+    C + 1 => C
+    C * 32 => E
+
+MSIZEend:
+    E               :MSTORE(SP++); [size(E) => SP]
+    ; check stack overflow
+    %MAX_STACK_SIZE - SP       :JMPN(stackOverflow, readCode)
+/**
+ * @link [https://www.evm.codes/#54?fork=berlin]
+ * @zk-counters
+ *  - 100 steps
+ *  - %MAX_CNT_POSEIDON_SLOAD_SSTORE poseidon
+ * @process-opcode
+ *  - stack input: [key]
+ *  - stack output: [value]
+ */
+opSLOAD:
+    ; checks zk-counters
+    %MAX_CNT_STEPS - STEP - 100 :JMPN(outOfCountersStep)
+    %MAX_CNT_POSEIDON_G - CNT_POSEIDON_G - %MAX_CNT_POSEIDON_SLOAD_SSTORE :JMPN(outOfCountersPoseidon)
+
+    ; check stack underflow
+    SP - 1 => SP    :JMPN(stackUnderflow)
+
+    $ => C          :MLOAD(SP); [key => C]
+    ; get current storage address
+    $ => A          :MLOAD(storageAddr)
+    ; set key for smt storage query
+    %SMT_KEY_SC_STORAGE => B
+    $ => E          :SLOAD
+    $${eventLog(onUpdateStorage(C, E))}
+    ; set key(C) as warmed storage for address(A)
+    E               :MSTORE(SP++), CALL(isColdSlot); [value(E) => SP]
+    ; check out-of-gas
+    GAS - %SLOAD_GAS - A * %COLD_SLOAD_COST_REDUCED => GAS    :JMPN(outOfGas, readCode)
+
+VAR GLOBAL tmpVarCsstore
+/**
+ * @link [https://www.evm.codes/#55?fork=berlin]
+ * @zk-counters
+ *  - 400 steps
+ *  - 10 binary
+ *  - %MAX_CNT_POSEIDON_SLOAD_SSTORE*3 poseidon
+ * @process-opcode
+ *  - stack input: [key, value]
+ *  - stack output: none
+ */
+opSSTORE:
+    ; checks zk-counters
+    %MAX_CNT_STEPS - STEP - 400 :JMPN(outOfCountersStep)
+    %MAX_CNT_BINARY - CNT_BINARY - 10 :JMPN(outOfCountersBinary)
+    %MAX_CNT_POSEIDON_G - CNT_POSEIDON_G - %MAX_CNT_POSEIDON_SLOAD_SSTORE*3 :JMPN(outOfCountersPoseidon)
+
+    ; check stack underflow
+    SP - 2  => SP        :JMPN(stackUnderflow)
+
+    $ => C          :MLOAD(SP+1) ; [key => C]
+    C               :MSTORE(tmpVarCsstore)
+    $ => D          :MLOAD(SP) ; [value => D]
+
+    $${eventLog(onUpdateStorage(C, D))}
+
+    ; check out-of-gas
+    GAS - %SSTORE_ENTRY_EIP_2200_GAS - 1  :JMPN(outOfGas)
+    ; check is static call
+    $ => A          :MLOAD(isStaticCall), JMPNZ(invalidStaticTx)
+    ; check if is a create call
+    $ => A          :MLOAD(isCreateContract), JMPNZ(deploymentSSTORE)
+    ; load current storage address
+    $ => A          :MLOAD(storageAddr), JMP(opSSTOREinit)
+
+deploymentSSTORE:
+    ; in case of create, the storage address is the create contract address
+    $ => A          :MLOAD(createContractAddress)
+
+opSSTOREinit:
+    ; set key for smt storage query
+    %SMT_KEY_SC_STORAGE => B
+    $ => E          :SLOAD
+    ; change context to check storage original value
+    SR              :MSTORE(auxSR)
+    $ => SR         :MLOAD(originSR)
+    $ => B          :SLOAD ; origin value
+    ; set key(C) as warmed storage for address(A)
+    $ => SR         :MLOAD(auxSR), CALL(isColdSlot)
+    B => C           ; origin value
+    ; check out-of-gas
+    GAS - A*%COLD_SLOAD_COST => GAS    :JMPN(outOfGas)
+    E => A
+    D => B
+    $ => A          :EQ, JMPNC(opSSTOREdif)
+    ; if new_val == current_val
+    ; check out-of-gas
+    GAS - %SSTORE_DYNAMIC_GAS => GAS:JMPN(outOfGas, opSSTOREend)
+
+opSSTOREdif:
+    ; if new_val != current_val
+    C => A
+    E => B
+    $ => A          :EQ, JMPNC(opSSTOREdifA)
+    ; if current_val == orig_val
+    0 => A
+    C => B
+    $ => A          :EQ, JMPNC(opSSTOREdifB)
+    ; if origin_val == 0
+    ; check out-of-gas
+    GAS - %SSTORE_SET_GAS => GAS    :JMPN(outOfGas, opSSTOREend)
+
+opSSTOREdifA:
+    ; if current_val != orig_val
+    GAS - %SSTORE_DYNAMIC_GAS => GAS:JMPN(outOfGas)
+    0 => A
+    C => B
+    $ => A          :EQ, JMPNC(opSSTOREdifA1)
+    ; if origin_value == 0
+
+opSSTOREdifAB:
+    ; if origin_value == 0
+    D => A
+    C => B
+    $ => A          :EQ, JMPNC(opSSTOREend)
+    ; if new_val == orig_val
+    0 => A
+    $ => A          :EQ, JMPNC(opSSTOREdifA2)
+    ; if orig_val == 0
+    $ => A          :MLOAD(gasRefund)
+    A + %SSTORE_SET_GAS_REDUCED => A  :MSTORE(gasRefund), JMP(opSSTOREend)
+
+opSSTOREdifA1:
+    ; if orig_val != 0
+    0 => A
+    E => B
+    $ => A          :EQ, JMPNC(opSSTOREdifA12)
+    ; if current_val == 0
+    ; compute gas refund
+    $ => A          :MLOAD(gasRefund)
+    A - %SSTORE_CLEARS_SCHEDULE => A  :MSTORE(gasRefund), JMP(opSSTOREdifAB)
+opSSTOREdifA12:
+    ;if current_val != 0
+    0 => A
+    D => B
+    $ => A          :EQ, JMPNC(opSSTOREdifAB)
+    ; if new_val == 0
+    ; compute gas refund
+    $ => A          :MLOAD(gasRefund)
+    A + %SSTORE_CLEARS_SCHEDULE => A  :MSTORE(gasRefund), JMP(opSSTOREdifAB)
+
+opSSTOREdifA2:
+    ; if orig_val != 0
+    ; compute gas refund
+    $ => A          :MLOAD(gasRefund)
+    A + %SSTORE_RESET_GAS_REDUCED => A   :MSTORE(gasRefund), JMP(opSSTOREend)
+
+opSSTOREdifB:
+    ; if orig_val != 0
+    ; check out-of-gas
+    GAS - %SSTORE_RESET_GAS => GAS    :JMPN(outOfGas)
+    0 => A
+    D => B
+    $ => A          :EQ, JMPNC(opSSTOREend)
+    ; if new_val == 0
+    ; compute gas refund
+    $ => A          :MLOAD(gasRefund)
+    A + %SSTORE_CLEARS_SCHEDULE => A  :MSTORE(gasRefund)
+                    :JMP(opSSTOREend)
+
+opSSTOREend:
+    $ => A          :MLOAD(isCreateContract), JMPNZ(mloadContract)
+    $ => A          :MLOAD(storageAddr), JMP(opSSTOREsr)
+
+mloadContract:
+    ; if is a create, use create contract address storage
+    $ => A          :MLOAD(createContractAddress)
+
+opSSTOREsr:
+    ; set key for smt storage query
+    %SMT_KEY_SC_STORAGE => B
+    $ => C          :MLOAD(tmpVarCsstore); key => C
+    $ => SR         :SSTORE, JMP(readCode)

package/main/pairings/BN254/addPointBN254.zkasm

@@ -0,0 +1,245 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; PRE: P1,P2 ∈ E'(Fp2)
+;; POST: The resulting coordinates are in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; addPointBN254:
+;;             in: P1 = (P1.x1 + P1.x2·u, P1.y1 + P1.y2·u), P2 = (P2.x1 + P2.x2·u, P2.y1 + P2.y2·u) ∈ E'(Fp2)
+;;             out: P1 + P2 = (P3.x1 + P3.x2·u, P3.y1 + P3.y2·u) ∈ E'(Fp2)
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; addPointBN254 assumes both P1 and P2 belong to E'(Fp2), since it is checked in the pairing.
+; However, it must be implemented if addPointBN254 wants to be used independently.
+
+; Since the curve is E'/Fp2: y² = x³ + 3/(9+u), there is no issue in representing the point at infinity as (0, 0).
+
+VAR GLOBAL addPointBN254_P1_x1
+VAR GLOBAL addPointBN254_P1_x2
+VAR GLOBAL addPointBN254_P1_y1
+VAR GLOBAL addPointBN254_P1_y2
+VAR GLOBAL addPointBN254_P2_x1
+VAR GLOBAL addPointBN254_P2_x2
+VAR GLOBAL addPointBN254_P2_y1
+VAR GLOBAL addPointBN254_P2_y2
+VAR GLOBAL addPointBN254_P3_x1
+VAR GLOBAL addPointBN254_P3_x2
+VAR GLOBAL addPointBN254_P3_y1
+VAR GLOBAL addPointBN254_P3_y2
+VAR GLOBAL addPointBN254_lambda_x
+VAR GLOBAL addPointBN254_lambda_y
+VAR GLOBAL addPointBN254_RR
+
+addPointBN254:
+        RR      :MSTORE(addPointBN254_RR)
+
+        ; Is P1 = O?
+        0n => B
+        $ => A  :MLOAD(addPointBN254_P1_x1)
+        $       :EQ, JMPNC(__addPointBN254_P1_continue)
+        $ => A  :MLOAD(addPointBN254_P1_x2)
+        $       :EQ, JMPNC(__addPointBN254_P1_continue)
+        $ => A  :MLOAD(addPointBN254_P1_y1)
+        $       :EQ, JMPNC(__addPointBN254_P1_continue)
+        $ => A  :MLOAD(addPointBN254_P1_y2)
+        $       :EQ, JMPC(addPointBN254_P1_is_zero)
+                __addPointBN254_P1_continue:
+
+        ; Is P2 = 0?
+        0n => B
+        $ => A  :MLOAD(addPointBN254_P2_x1)
+        $       :EQ, JMPNC(__addPointBN254_P2_continue)
+        $ => A  :MLOAD(addPointBN254_P2_x2)
+        $       :EQ, JMPNC(__addPointBN254_P2_continue)
+        $ => A  :MLOAD(addPointBN254_P2_y1)
+        $       :EQ, JMPNC(__addPointBN254_P2_continue)
+        $ => A  :MLOAD(addPointBN254_P2_y2)
+        $       :EQ, JMPC(addPointBN254_P2_is_zero)
+                __addPointBN254_P2_continue:
+
+        ; P1 and P2 are not 0, let's check whether they are different points, the same point or inverses of each other
+        ; Is P1.x == P2.x?
+        $ => A  :MLOAD(addPointBN254_P1_x1)
+        $ => B  :MLOAD(addPointBN254_P2_x1)
+        $       :EQ, JMPNC(addPointBN254_different)
+        $ => A  :MLOAD(addPointBN254_P1_x2)
+        $ => B  :MLOAD(addPointBN254_P2_x2)
+        $       :EQ, JMPNC(addPointBN254_different)
+
+        ; Is P1.y == P2.y?
+        $ => A  :MLOAD(addPointBN254_P1_y1)
+        $ => B  :MLOAD(addPointBN254_P2_y1)
+        $       :EQ, JMPNC(addPointBN254_P1_and_P2_are_inverted)
+        $ => A  :MLOAD(addPointBN254_P1_y2)
+        $ => B  :MLOAD(addPointBN254_P2_y2)
+        $       :EQ, JMPNC(addPointBN254_P1_and_P2_are_inverted)
+
+        ; P1 == P2
+                                    :JMP(addPointBN254_same)
+
+addPointBN254_P1_is_zero:
+        ; P3 = P2
+        $ => A  :MLOAD(addPointBN254_P2_x1)
+        $ => B  :MLOAD(addPointBN254_P2_x2)
+        $ => C  :MLOAD(addPointBN254_P2_y1)
+        $ => D  :MLOAD(addPointBN254_P2_y2)
+        A       :MSTORE(addPointBN254_P3_x1)
+        B       :MSTORE(addPointBN254_P3_x2)
+        C       :MSTORE(addPointBN254_P3_y1)
+        D       :MSTORE(addPointBN254_P3_y2)
+
+                :JMP(addPointBN254_end)
+
+addPointBN254_P2_is_zero:
+        ; P3 = P1
+        $ => A  :MLOAD(addPointBN254_P1_x1)
+        $ => B  :MLOAD(addPointBN254_P1_x2)
+        $ => C  :MLOAD(addPointBN254_P1_y1)
+        $ => D  :MLOAD(addPointBN254_P1_y2)
+        A       :MSTORE(addPointBN254_P3_x1)
+        B       :MSTORE(addPointBN254_P3_x2)
+        C       :MSTORE(addPointBN254_P3_y1)
+        D       :MSTORE(addPointBN254_P3_y2)
+
+                :JMP(addPointBN254_end)
+
+addPointBN254_P1_and_P2_are_inverted:
+        ; Check -P1.y == P2.y
+        %BN254_P => A
+        $ => B          :MLOAD(addPointBN254_P1_y1)
+        $ => C          :SUB
+        $ => B          :MLOAD(addPointBN254_P1_y2)
+        $ => D          :SUB
+
+        $ => A          :MLOAD(addPointBN254_P2_y1)
+        C               :ASSERT
+        $ => A          :MLOAD(addPointBN254_P2_y2)
+        D               :ASSERT
+
+        ; P3 = O
+        0n      :MSTORE(addPointBN254_P3_x1)
+        0n      :MSTORE(addPointBN254_P3_x2)
+        0n      :MSTORE(addPointBN254_P3_y1)
+        0n      :MSTORE(addPointBN254_P3_y2)
+
+                :JMP(addPointBN254_end)
+
+addPointBN254_same:
+        $ => A  :MLOAD(addPointBN254_P1_y1)
+        $ => B  :MLOAD(addPointBN254_P1_y2)
+        $ => C  :MLOAD(addPointBN254_P1_y1)
+        $ => D  :MLOAD(addPointBN254_P1_y2), CALL(addFp2BN254)
+        ; E + C·u = 2y
+
+        E => A
+        C => B  :CALL(invFp2BN254)
+        ; C + D·u = 1 / 2y
+
+        3n => A :CALL(escalarMulFp2BN254)
+        ; E + C·u = 3/2y
+
+        $ => A  :MLOAD(addPointBN254_P1_x1)
+        $ => B  :MLOAD(addPointBN254_P1_x2)
+        C => D
+        E => C  :CALL(mulFp2BN254)
+        ; E + C·u = 3x/2y
+
+        $ => A  :MLOAD(addPointBN254_P1_x1)
+        $ => B  :MLOAD(addPointBN254_P1_x2)
+        C => D
+        E => C  :CALL(mulFp2BN254)
+        ; E + C·u = lambda = 3x²/2y
+
+        E       :MSTORE(addPointBN254_lambda_x)
+        C       :MSTORE(addPointBN254_lambda_y)
+        ; E + C·u = lambda
+
+        E => A
+        C => B  :CALL(squareFp2BN254)
+        ; E + C·u = lambda²
+
+        E => A
+        C => B
+        $ => C  :MLOAD(addPointBN254_P1_x1)
+        $ => D  :MLOAD(addPointBN254_P1_x2), CALL(subFp2BN254)
+        ; E + C·u = lambda² - x
+
+        E => A
+        C => B
+        $ => C  :MLOAD(addPointBN254_P1_x1)
+        $ => D  :MLOAD(addPointBN254_P1_x2), CALL(subFp2BN254)
+        ; E + C·u = lambda² - x - x
+
+                :JMP(addPointBN254_common_calculate)
+
+addPointBN254_different:
+        $ => A  :MLOAD(addPointBN254_P2_x1)
+        $ => B  :MLOAD(addPointBN254_P2_x2)
+        $ => C  :MLOAD(addPointBN254_P1_x1)
+        $ => D  :MLOAD(addPointBN254_P1_x2), CALL(subFp2BN254)
+        ; E + C·u = P2.x - P1.x
+
+        E => A
+        C => B  :CALL(invFp2BN254)
+        ; C + D·u = 1 / (P2_x - P1_x)
+        C       :MSTORE(addPointBN254_lambda_x)
+        D       :MSTORE(addPointBN254_lambda_y)
+
+        $ => A  :MLOAD(addPointBN254_P2_y1)
+        $ => B  :MLOAD(addPointBN254_P2_y2)
+        $ => C  :MLOAD(addPointBN254_P1_y1)
+        $ => D  :MLOAD(addPointBN254_P1_y2), CALL(subFp2BN254)
+        ; E + C·u = P2.y - P1.y
+
+        $ => A  :MLOAD(addPointBN254_lambda_x)
+        $ => B  :MLOAD(addPointBN254_lambda_y)
+        C => D
+        E => C  :CALL(mulFp2BN254)
+        ; E + C·u = lambda = (P2_y - P1_y) / (P2_x - P1_x)
+        E       :MSTORE(addPointBN254_lambda_x)
+        C       :MSTORE(addPointBN254_lambda_y)
+
+        E => A
+        C => B  :CALL(squareFp2BN254)
+        ; E + C·u = lambda²
+
+        E => A
+        C => B
+        $ => C  :MLOAD(addPointBN254_P1_x1)
+        $ => D  :MLOAD(addPointBN254_P1_x2), CALL(subFp2BN254)
+        ; E + C·u = lambda² - P1.x
+
+        E => A
+        C => B
+        $ => C  :MLOAD(addPointBN254_P2_x1)
+        $ => D  :MLOAD(addPointBN254_P2_x2), CALL(subFp2BN254)
+        ; E + C·u = lambda² - P1.x - P2.x
+
+addPointBN254_common_calculate:
+        E           :MSTORE(addPointBN254_P3_x1)
+        C           :MSTORE(addPointBN254_P3_x2)
+        ; P3.x = lambda² - P1.x - P2.x
+
+        $ => A  :MLOAD(addPointBN254_P1_x1)
+        $ => B  :MLOAD(addPointBN254_P1_x2)
+        C => D
+        E => C  :CALL(subFp2BN254)
+        ; E + C·u = P1.x - P3.x
+
+        $ => A  :MLOAD(addPointBN254_lambda_x)
+        $ => B  :MLOAD(addPointBN254_lambda_y)
+        C => D
+        E => C  :CALL(mulFp2BN254)
+        ; E + C·u = lambda·(P1.x - P3.x)
+
+        E => A
+        C => B
+        $ => C  :MLOAD(addPointBN254_P1_y1)
+        $ => D  :MLOAD(addPointBN254_P1_y2), CALL(subFp2BN254)
+        ; E + C·u = lambda·(P1.x - P3.x) - P1.y
+
+        E           :MSTORE(addPointBN254_P3_y1)
+        C           :MSTORE(addPointBN254_P3_y2)
+
+addPointBN254_end:
+        $ => RR         :MLOAD(addPointBN254_RR)
+                        :RETURN