zkevm-rom 0.0.1-security → 6.0.1

package/main/pairings/BN254/ecAdd.zkasm

@@ -0,0 +1,312 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The resulting coordinates are in the range [0,BN254_P) because if falls back to FP arithmetic
+;;
+;; ecAdd:
+;;             in: P1 = (P1.x, P1.y), P2 = (P2.x, P2.y) ∈ E(Fp)
+;;             out: P1 + P2 = (P3.x, P3.y) ∈ E(Fp)
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Since the curve is E/Fp: y² = x³ + 3, there is no issue in representing the point at infinity as (0, 0).
+
+VAR GLOBAL ecAdd_P1_x
+VAR GLOBAL ecAdd_P1_y
+VAR GLOBAL ecAdd_P1_y_inv
+VAR GLOBAL ecAdd_P2_x
+VAR GLOBAL ecAdd_P2_y
+VAR GLOBAL ecAdd_P3_x
+VAR GLOBAL ecAdd_P3_y
+VAR GLOBAL ecAdd_lambda
+
+VAR GLOBAL ecAdd_RR
+
+; ERROR CODES (B)
+; 0 - no error
+; 1 - P1_x is too big
+; 2 - P1_y is too big
+; 3 - P2_x is too big
+; 4 - P2_y is too big
+; 5 - P1 is not in E(Fp)
+; 6 - P2 is not in E(Fp)
+
+ecAdd:
+        RR      :MSTORE(ecAdd_RR)
+
+        %BN254_P_MINUS_ONE => A
+        $ => B      :MLOAD(ecAdd_P1_x)
+        $           :LT, JMPC(ecAdd_P1x_too_big)
+        $ => B      :MLOAD(ecAdd_P1_y)
+        $           :LT, JMPC(ecAdd_P1y_too_big)
+        $ => B      :MLOAD(ecAdd_P2_x)
+        $           :LT, JMPC(ecAdd_P2x_too_big)
+        $ => B      :MLOAD(ecAdd_P2_y)
+        $           :LT, JMPC(ecAdd_P2y_too_big)
+
+        ; Is P1 = O?
+        0n => B
+        $ => A  :MLOAD(ecAdd_P1_x)
+        $       :EQ, JMPNC(__ecAdd_P1_continue)
+        $ => A  :MLOAD(ecAdd_P1_y)
+        $       :EQ, JMPC(ecAdd_P1_is_zero)
+                __ecAdd_P1_continue:
+
+        ; Is P2 = O?
+        0n => B
+        $ => A  :MLOAD(ecAdd_P2_x)
+        $       :EQ, JMPNC(__ecAdd_P2_continue1)
+        $ => A  :MLOAD(ecAdd_P2_y)
+        $       :EQ, JMPC(ecAdd_P2_is_zero)
+                __ecAdd_P2_continue1:
+
+        ; 1] Check if P1 is in E(Fp)
+        ; P1 in E iff (P1.y)² == (P1.x)³ + 3 (mod p)
+        ; 1.1] Compute LHS and RHS
+        $ => A    :MLOAD(ecAdd_P1_x), CALL(squareFpBN254)
+        ; B = (P1.x)²
+
+        $ => A      :MLOAD(ecAdd_P1_x), CALL(mulFpBN254)
+        ; C = (P1.x)³
+
+        %BN254_E_B => A     :CALL(addFpBN254)
+        ; C = (P1.x)³ + 3
+        C           :MSTORE(ecAdd_P3_x)
+
+        $ => A    :MLOAD(ecAdd_P1_y), CALL(squareFpBN254)
+        ; B = (Py)²
+
+        ; 1.2] Check if LHS == RHS
+        B => A
+        $ => B      :MLOAD(ecAdd_P3_x)
+        $           :EQ, JMPNC(ecAdd_P1_is_not_in_E)
+
+        ; 2] check if P2 is in E(Fp)
+        ; P2 in E iff (P2.y)² == (P2.x)³ + 3 (mod p)
+        ; 2.1] Compute LHS and RHS
+        $ => A    :MLOAD(ecAdd_P2_x), CALL(squareFpBN254)
+        ; B = (P2.x)²
+
+        $ => A      :MLOAD(ecAdd_P2_x), CALL(mulFpBN254)
+        ; C = (P2.x)³
+
+        %BN254_E_B => A     :CALL(addFpBN254)
+        ; C = (P2.x)³ + 3
+        C           :MSTORE(ecAdd_P3_x)
+
+        $ => A    :MLOAD(ecAdd_P2_y), CALL(squareFpBN254)
+        ; B = (Py)²
+
+        ; 2.2] Check if LHS == RHS
+        B => A
+        $ => B      :MLOAD(ecAdd_P3_x)
+        $           :EQ, JMPNC(ecAdd_P2_is_not_in_E)
+
+        ; P1 and P2 are not 0, let's check whether they are different points, the same point or inverses of each other
+        $ => A          :MLOAD(ecAdd_P1_x)
+        $ => B          :MLOAD(ecAdd_P2_x)
+
+        ; Is P1.x == P2.x?
+        $               :EQ, JMPNC(ecAdd_different)
+
+        $ => A          :MLOAD(ecAdd_P1_y)
+        $ => B          :MLOAD(ecAdd_P2_y)
+
+        ; Is P1.y == P2.y?
+        $               :EQ, JMPNC(ecAdd_P1_and_P2_are_inverted)
+
+        ; P1 == P2
+                        :JMP(ecAdd_same)
+
+ecAdd_P1_is_zero:
+        ; Is P2 = 0?
+        0n => B
+        $ => A  :MLOAD(ecAdd_P2_x)
+        $       :EQ, JMPNC(__ecAdd_P2_continue2)
+        $ => A  :MLOAD(ecAdd_P2_y)
+        $       :EQ, JMPC(ecAdd_P1_and_P2_are_zero)
+                __ecAdd_P2_continue2:
+
+        ; P2 in E iff (P2.y)² == (P2.x)³ + 3 (mod p)
+        ; 1] Compute LHS and RHS
+        $ => A    :MLOAD(ecAdd_P2_x), CALL(squareFpBN254)
+        ; B = (P2.x)²
+
+        $ => A      :MLOAD(ecAdd_P2_x), CALL(mulFpBN254)
+        ; C = (P2.x)³
+
+        %BN254_E_B => A     :CALL(addFpBN254)
+        ; C = (P2.x)³ + 3
+        C           :MSTORE(ecAdd_P3_x)
+
+        $ => A    :MLOAD(ecAdd_P2_y), CALL(squareFpBN254)
+        ; B = (Py)²
+
+        ; 2] Check if LHS == RHS
+        B => A
+        $ => B      :MLOAD(ecAdd_P3_x)
+        $           :EQ, JMPNC(ecAdd_P2_is_not_in_E)
+
+        ; P3 = P2
+        $ => A  :MLOAD(ecAdd_P2_x)
+        $ => B  :MLOAD(ecAdd_P2_y)
+        A       :MSTORE(ecAdd_P3_x)
+        B       :MSTORE(ecAdd_P3_y)
+
+                :JMP(ecAdd_correct)
+
+ecAdd_P2_is_zero:
+        ; P1 in E iff (P1.y)² == (P1.x)³ + 3 (mod p)
+        ; 1] Compute LHS and RHS
+        $ => A    :MLOAD(ecAdd_P1_x), CALL(squareFpBN254)
+        ; B = (P1.x)²
+
+        $ => A      :MLOAD(ecAdd_P1_x), CALL(mulFpBN254)
+        ; C = (P1.x)³
+
+        %BN254_E_B => A     :CALL(addFpBN254)
+        ; C = (P1.x)³ + 3
+        C           :MSTORE(ecAdd_P3_x)
+
+        $ => A    :MLOAD(ecAdd_P1_y), CALL(squareFpBN254)
+        ; B = (Py)²
+
+        ; 2] Check if LHS == RHS
+        B => A
+        $ => B      :MLOAD(ecAdd_P3_x)
+        $           :EQ, JMPNC(ecAdd_P1_is_not_in_E)
+
+        ; P3 = P1
+        $ => A  :MLOAD(ecAdd_P1_x)
+        $ => B  :MLOAD(ecAdd_P1_y)
+        A       :MSTORE(ecAdd_P3_x)
+        B       :MSTORE(ecAdd_P3_y)
+
+                :JMP(ecAdd_correct)
+
+ecAdd_P1_and_P2_are_zero:
+        ; P3 = 0
+        0n      :MSTORE(ecAdd_P3_x)
+        0n      :MSTORE(ecAdd_P3_y)
+
+                :JMP(ecAdd_correct)
+
+ecAdd_P1_and_P2_are_inverted:
+        ; P3 = 0
+        0n              :MSTORE(ecAdd_P3_x)
+        0n              :MSTORE(ecAdd_P3_y)
+
+                        :JMP(ecAdd_correct)
+
+ecAdd_same:
+        $ => A  :MLOAD(ecAdd_P1_y)
+        $ => C  :MLOAD(ecAdd_P1_y), CALL(addFpBN254)
+        ; C = 2y
+
+        C => A  :CALL(invFpBN254)
+        ; B = 1 / 2y
+        B       :MSTORE(ecAdd_P1_y_inv)
+
+        B => A,C :CALL(addFpBN254)
+        C => A
+        $ => C  :MLOAD(ecAdd_P1_y_inv), CALL(addFpBN254)
+        ; C = 3/2y
+
+        C => A
+        $ => B  :MLOAD(ecAdd_P1_x), CALL(mulFpBN254)
+        ; C = 3x/2y
+
+        C => A
+        $ => B  :MLOAD(ecAdd_P1_x), CALL(mulFpBN254)
+        ; C = lambda = 3x²/2y
+
+        C       :MSTORE(ecAdd_lambda)
+        ; C = lambda
+
+        C => A  :CALL(squareFpBN254)
+        ; B = lambda²
+
+        B => A
+        $ => C  :MLOAD(ecAdd_P1_x), CALL(subFpBN254)
+        ; C = lambda² - x
+
+        C => A
+        $ => C  :MLOAD(ecAdd_P1_x), CALL(subFpBN254)
+        ; C = lambda² - x - x
+
+                :JMP(ecAdd_common_calculate)
+
+ecAdd_different:
+        $ => A  :MLOAD(ecAdd_P2_x)
+        $ => C  :MLOAD(ecAdd_P1_x), CALL(subFpBN254)
+        ; C = P2.x - P1.x
+
+        C => A  :CALL(invFpBN254)
+        ; B = 1 / (P2.x - P1.x)
+        B       :MSTORE(ecAdd_lambda)
+
+        $ => A  :MLOAD(ecAdd_P2_y)
+        $ => C  :MLOAD(ecAdd_P1_y), CALL(subFpBN254)
+        ; C = P2.y - P1.y
+
+        C => A
+        $ => B  :MLOAD(ecAdd_lambda), CALL(mulFpBN254)
+        ; C = lambda = (P2.y - P1.y) / (P2.x - P1.x)
+        C       :MSTORE(ecAdd_lambda)
+
+        C => A  :CALL(squareFpBN254)
+        ; B = lambda²
+
+        B => A
+        $ => C  :MLOAD(ecAdd_P1_x), CALL(subFpBN254)
+        ; C = lambda² - P1.x
+
+        C => A
+        $ => C  :MLOAD(ecAdd_P2_x), CALL(subFpBN254)
+        ; C = lambda² - P1.x - P2.x
+
+ecAdd_common_calculate:
+        C           :MSTORE(ecAdd_P3_x)
+        ; P3.x = lambda² - P1.x - P2.x
+
+        $ => A  :MLOAD(ecAdd_P1_x), CALL(subFpBN254)
+        ; C = P1.x - P3.x
+
+        $ => A  :MLOAD(ecAdd_lambda)
+        C => B  :CALL(mulFpBN254)
+        ; C = lambda·(P1.x - P3.x)
+
+        C => A
+        $ => C  :MLOAD(ecAdd_P1_y), CALL(subFpBN254)
+        ; C = lambda·(P1.x - P3.x) - P1.y
+
+        C           :MSTORE(ecAdd_P3_y)
+
+                :JMP(ecAdd_correct)
+
+; ERRORS
+ecAdd_P1x_too_big:
+        1 => B      :JMP(ecAdd_error)
+
+ecAdd_P1y_too_big:
+        2 => B      :JMP(ecAdd_error)
+
+ecAdd_P2x_too_big:
+        3 => B      :JMP(ecAdd_error)
+
+ecAdd_P2y_too_big:
+        4 => B      :JMP(ecAdd_error)
+
+ecAdd_P1_is_not_in_E:
+        5 => B      :JMP(ecAdd_error)
+
+ecAdd_P2_is_not_in_E:
+        6 => B      :JMP(ecAdd_error)
+
+ecAdd_correct:
+        0 => B      :JMP(ecAdd_end)
+
+ecAdd_error:
+        0 => A
+
+ecAdd_end:
+        $ => RR         :MLOAD(ecAdd_RR)
+                        :RETURN

package/main/pairings/BN254/ecMul.zkasm

@@ -0,0 +1,159 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The resulting coordinates are in the range [0,BN254_P) because if falls back to FP arithmetic
+;;
+;; ecMul:
+;;             in: k, P = (P.x, P.y) ∈ E(Fp), where k ∈ [0,r-1]
+;;             out: k·P = (Q.x, Q.y) ∈ E(Fp)
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Since the curve is E/Fp: y² = x³ + 3, there is no issue in representing the point at infinity as (0, 0).
+
+VAR GLOBAL ecMul_k
+VAR GLOBAL ecMul_P_x
+VAR GLOBAL ecMul_P_y
+VAR GLOBAL ecMul_Q_x
+VAR GLOBAL ecMul_Q_y
+
+VAR GLOBAL ecMul_RR
+
+; ERROR CODES (B)
+; 0 - no error
+; 1 - P_x is too big
+; 2 - P_y is too big
+; 3 - P is not in E(Fp)
+
+ecMul:
+        RR      :MSTORE(ecMul_RR)
+
+        %BN254_P_MINUS_ONE => A
+        $ => B      :MLOAD(ecMul_P_x)
+        $           :LT, JMPC(ecMul_Px_too_big)
+        $ => B      :MLOAD(ecMul_P_y)
+        $           :LT, JMPC(ecMul_Py_too_big)
+
+        ; Is P = O?
+        0n => B
+        $ => A  :MLOAD(ecMul_P_x)
+        $       :EQ, JMPNC(__ecMul_P_continue)
+        $ => A  :MLOAD(ecMul_P_y)
+        $       :EQ, JMPC(ecMul_P_is_zero)
+                __ecMul_P_continue:
+
+        ; 1] Check if P is in E(Fp)
+        ; P in E iff (P.y)² == (P.x)³ + 3 (mod p)
+        ; 1.1] Compute LHS and RHS
+        $ => A    :MLOAD(ecMul_P_x), CALL(squareFpBN254)
+        ; B = (P.x)²
+
+        $ => A      :MLOAD(ecMul_P_x), CALL(mulFpBN254)
+        ; C = (P.x)³
+
+        %BN254_E_B => A     :CALL(addFpBN254)
+        ; C = (P.x)³ + 3
+        C           :MSTORE(ecMul_Q_x)
+
+        $ => A    :MLOAD(ecMul_P_y), CALL(squareFpBN254)
+        ; B = (Py)²
+
+        ; 1.2] Check if LHS == RHS
+        B => A
+        $ => B      :MLOAD(ecMul_Q_x)
+        $           :EQ, JMPNC(ecMul_P_is_not_in_E)
+
+        ; Is k ∈ [1,r-1]?
+        $ => B      :MLOAD(ecMul_k), CALL(reduceFrBN254)
+        A           :MSTORE(ecMul_k)
+        0n => B
+        $           :EQ, JMPC(ecMul_k_is_zero)
+
+        257 => RCX
+
+        $ => A  :MLOAD(ecMul_P_x)
+        $ => C  :MLOAD(ecMul_P_y)
+        A       :MSTORE(ecMul_Q_x)
+        C       :MSTORE(ecMul_Q_y)
+
+                :JMP(ecMul_find_MSB_k)
+
+ecMul_P_is_zero:
+        ; Q = O
+        0n      :MSTORE(ecMul_Q_x)
+        0n      :MSTORE(ecMul_Q_y)
+
+                :JMP(ecMul_correct)
+
+ecMul_k_is_zero:
+        ; Q = O
+        0n      :MSTORE(ecMul_Q_x)
+        0n      :MSTORE(ecMul_Q_y)
+
+                :JMP(ecMul_correct)
+
+ecMul_find_MSB_k:
+        RCX - 1 => RCX
+        $ => A,B        :MLOAD(ecMul_k)
+        ; E = 2A
+        $ => E          :ADD,MSTORE(ecMul_k), JMPNC(ecMul_find_MSB_k)
+
+
+ecMul_loop:
+        RCX - 1 => RCX    :JMPZ(ecMul_correct)
+
+        ; We always double
+        $ => A  :MLOAD(ecMul_Q_x)
+        $ => B  :MLOAD(ecMul_Q_y)
+        A       :MSTORE(ecAdd_P1_x)
+        B       :MSTORE(ecAdd_P1_y)
+        A       :MSTORE(ecAdd_P2_x)
+        B       :MSTORE(ecAdd_P2_y), CALL(ecAdd)
+        ; Q = Q + Q
+
+        $ => A  :MLOAD(ecAdd_P3_x)
+        $ => B  :MLOAD(ecAdd_P3_y)
+        A       :MSTORE(ecMul_Q_x)
+        B       :MSTORE(ecMul_Q_y)
+
+        ; We check if the MSB b of k is either 1 or 0. If b==1, we should add P to Q.
+        ; Then, update the value of k.
+        $ => A,B        :MLOAD(ecMul_k)
+        ; E = 2A
+        $ => E          :ADD, MSTORE(ecMul_k), JMPNC(ecMul_loop)
+
+ecMul_add:
+        ; We add
+        $ => A  :MLOAD(ecMul_Q_x)
+        $ => B  :MLOAD(ecMul_Q_y)
+        $ => C  :MLOAD(ecMul_P_x)
+        $ => D  :MLOAD(ecMul_P_y)
+        A       :MSTORE(ecAdd_P1_x)
+        B       :MSTORE(ecAdd_P1_y)
+        C       :MSTORE(ecAdd_P2_x)
+        D       :MSTORE(ecAdd_P2_y), CALL(ecAdd)
+        ; Q = Q + P
+
+        $ => A  :MLOAD(ecAdd_P3_x)
+        $ => B  :MLOAD(ecAdd_P3_y)
+        A       :MSTORE(ecMul_Q_x)
+        B       :MSTORE(ecMul_Q_y), JMP(ecMul_loop)
+
+
+; ERRORS
+ecMul_Px_too_big:
+        1 => B      :JMP(ecMul_error)
+
+ecMul_Py_too_big:
+        2 => B      :JMP(ecMul_error)
+
+ecMul_P_is_not_in_E:
+        3 => B      :JMP(ecMul_error)
+
+ecMul_correct:
+        0 => B      :JMP(ecMul_end)
+
+ecMul_error:
+        0 => A
+
+ecMul_end:
+        $ => RR         :MLOAD(ecMul_RR)
+                        :RETURN

package/main/pairings/BN254/escalarMulBN254.zkasm

@@ -0,0 +1,155 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; PRE: P ∈ E'(Fp2)
+;; POST: The resulting coordinates are in the range [0,BN254_P) because if falls back to addPointBN254
+;;
+;;
+;; escalarMulBN254:
+;;             in: k, P = (P.x1 + P.x2·u, P.y1 + P.y2·u) ∈ E'(Fp2), where k ∈ [0,r-1]
+;;             out: k·P = (Q.x1 + Q.x2·u, Q.y1 + Q.y2·u) ∈ E'(Fp2)
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; escalarMulBN254 assumes P belong to E'(Fp2), since it is checked in the pairing.
+; However, it must be implemented if escalarMulBN254 wants to be used independently.
+
+; Since the curve is E'/Fp2: y² = x³ + 3/(9+u), there is no issue in representing the point at infinity as (0, 0).
+
+VAR GLOBAL escalarMulBN254_k
+VAR GLOBAL escalarMulBN254_P_x1
+VAR GLOBAL escalarMulBN254_P_x2
+VAR GLOBAL escalarMulBN254_P_y1
+VAR GLOBAL escalarMulBN254_P_y2
+VAR GLOBAL escalarMulBN254_Q_x1
+VAR GLOBAL escalarMulBN254_Q_x2
+VAR GLOBAL escalarMulBN254_Q_y1
+VAR GLOBAL escalarMulBN254_Q_y2
+
+VAR GLOBAL escalarMulBN254_RR
+
+
+escalarMulBN254:
+        RR      :MSTORE(escalarMulBN254_RR)
+
+        ; Is P = O?
+        0n => B
+        $ => A  :MLOAD(escalarMulBN254_P_x1)
+        $       :EQ, JMPNC(__escalarMulBN254_P_continue)
+        $ => A  :MLOAD(escalarMulBN254_P_x2)
+        $       :EQ, JMPNC(__escalarMulBN254_P_continue)
+        $ => A  :MLOAD(escalarMulBN254_P_y1)
+        $       :EQ, JMPNC(__escalarMulBN254_P_continue)
+        $ => A  :MLOAD(escalarMulBN254_P_y2)
+        $       :EQ, JMPC(escalarMulBN254_P_is_zero)
+                __escalarMulBN254_P_continue:
+
+        ; Is k = 0?
+        $ => B      :MLOAD(escalarMulBN254_k), CALL(reduceFrBN254)
+        A           :MSTORE(escalarMulBN254_k)
+        0n => B
+        $           :EQ, JMPC(escalarMulBN254_k_is_zero)
+
+        257 => RCX
+
+        $ => A  :MLOAD(escalarMulBN254_P_x1)
+        $ => B  :MLOAD(escalarMulBN254_P_x2)
+        $ => C  :MLOAD(escalarMulBN254_P_y1)
+        $ => D  :MLOAD(escalarMulBN254_P_y2)
+        A       :MSTORE(escalarMulBN254_Q_x1)
+        B       :MSTORE(escalarMulBN254_Q_x2)
+        C       :MSTORE(escalarMulBN254_Q_y1)
+        D       :MSTORE(escalarMulBN254_Q_y2)
+
+                :JMP(escalarMulBN254_find_MSB_k)
+
+escalarMulBN254_P_is_zero:
+        ; Q = O
+        0n      :MSTORE(escalarMulBN254_Q_x1)
+        0n      :MSTORE(escalarMulBN254_Q_x2)
+        0n      :MSTORE(escalarMulBN254_Q_y1)
+        0n      :MSTORE(escalarMulBN254_Q_y2)
+
+                :JMP(escalarMulBN254_end)
+
+escalarMulBN254_k_is_zero:
+        ; Q = O
+        0n      :MSTORE(escalarMulBN254_Q_x1)
+        0n      :MSTORE(escalarMulBN254_Q_x2)
+        0n      :MSTORE(escalarMulBN254_Q_y1)
+        0n      :MSTORE(escalarMulBN254_Q_y2)
+
+                :JMP(escalarMulBN254_end)
+
+escalarMulBN254_find_MSB_k:
+        RCX - 1 => RCX
+        $ => A,B        :MLOAD(escalarMulBN254_k)
+        ; E = 2A
+        $ => E          :ADD,MSTORE(escalarMulBN254_k), JMPNC(escalarMulBN254_find_MSB_k)
+
+
+escalarMulBN254_loop:
+        RCX - 1 => RCX    :JMPZ(escalarMulBN254_end)
+
+        ; We always double
+        $ => A  :MLOAD(escalarMulBN254_Q_x1)
+        $ => B  :MLOAD(escalarMulBN254_Q_x2)
+        $ => C  :MLOAD(escalarMulBN254_Q_y1)
+        $ => D  :MLOAD(escalarMulBN254_Q_y2)
+        A       :MSTORE(addPointBN254_P1_x1)
+        B       :MSTORE(addPointBN254_P1_x2)
+        C       :MSTORE(addPointBN254_P1_y1)
+        D       :MSTORE(addPointBN254_P1_y2)
+        A       :MSTORE(addPointBN254_P2_x1)
+        B       :MSTORE(addPointBN254_P2_x2)
+        C       :MSTORE(addPointBN254_P2_y1)
+        D       :MSTORE(addPointBN254_P2_y2), CALL(addPointBN254)
+        ; Q = Q + Q
+
+        $ => A  :MLOAD(addPointBN254_P3_x1)
+        $ => B  :MLOAD(addPointBN254_P3_x2)
+        $ => C  :MLOAD(addPointBN254_P3_y1)
+        $ => D  :MLOAD(addPointBN254_P3_y2)
+        A       :MSTORE(escalarMulBN254_Q_x1)
+        B       :MSTORE(escalarMulBN254_Q_x2)
+        C       :MSTORE(escalarMulBN254_Q_y1)
+        D       :MSTORE(escalarMulBN254_Q_y2)
+
+        ; We check if the MSB b of k is either 1 or 0. If b==1, we should add P to Q.
+        ; Then, update the value of k.
+        $ => A,B        :MLOAD(escalarMulBN254_k)
+        ; E = 2A
+        $ => E          :ADD,MSTORE(escalarMulBN254_k), JMPNC(escalarMulBN254_loop)
+
+escalarMulBN254_add:
+        ; We add
+        $ => A  :MLOAD(escalarMulBN254_Q_x1)
+        $ => B  :MLOAD(escalarMulBN254_Q_x2)
+        $ => C  :MLOAD(escalarMulBN254_Q_y1)
+        $ => D  :MLOAD(escalarMulBN254_Q_y2)
+        A       :MSTORE(addPointBN254_P1_x1)
+        B       :MSTORE(addPointBN254_P1_x2)
+        C       :MSTORE(addPointBN254_P1_y1)
+        D       :MSTORE(addPointBN254_P1_y2)
+
+        $ => A  :MLOAD(escalarMulBN254_P_x1)
+        $ => B  :MLOAD(escalarMulBN254_P_x2)
+        $ => C  :MLOAD(escalarMulBN254_P_y1)
+        $ => D  :MLOAD(escalarMulBN254_P_y2)
+        A       :MSTORE(addPointBN254_P2_x1)
+        B       :MSTORE(addPointBN254_P2_x2)
+        C       :MSTORE(addPointBN254_P2_y1)
+        D       :MSTORE(addPointBN254_P2_y2), CALL(addPointBN254)
+        ; Q = Q + P
+
+        $ => A  :MLOAD(addPointBN254_P3_x1)
+        $ => B  :MLOAD(addPointBN254_P3_x2)
+        $ => C  :MLOAD(addPointBN254_P3_y1)
+        $ => D  :MLOAD(addPointBN254_P3_y2)
+        A       :MSTORE(escalarMulBN254_Q_x1)
+        B       :MSTORE(escalarMulBN254_Q_x2)
+        C       :MSTORE(escalarMulBN254_Q_y1)
+        D       :MSTORE(escalarMulBN254_Q_y2), JMP(escalarMulBN254_loop)
+
+
+escalarMulBN254_end:
+        $ => RR :MLOAD(escalarMulBN254_RR)
+                :RETURN

package/main/pairings/BN254/lineDiffPointsBN254.zkasm

@@ -0,0 +1,83 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; PRE: P1,P2 ∈ E'(Fp2) with P1 != P2,-P2 and Q ∈ E(Fp)
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; lineDiffPointsBN254:
+;;              in: P1 = (P1.x1 + P1.x2·u, P1.y1 + P1.y2·u), P2 = (P2.x1 + P2.x2·u, P2.y1 + P2.y2·u) ∈ E'(Fp2)
+;;                  and Q = (Q.x,Q.y) ∈ E(Fp)
+;;             out: line_{twist(P1), twist(P2)}(Q) = (P2.x - P1.x)·Q.y·w² + (P1.y - P2.y)·Q.x·w³ + (P1.x·P2.y - P2.x·P1.y)·w⁵ ∈ Fp12
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; The precondition is ensured by the pairing.
+; However, it must be implemented if lineDiffPointsBN254 wants to be used independently.
+
+VAR GLOBAL lineDiffPointsBN254_P1_x1
+VAR GLOBAL lineDiffPointsBN254_P1_x2
+VAR GLOBAL lineDiffPointsBN254_P1_y1
+VAR GLOBAL lineDiffPointsBN254_P1_y2
+VAR GLOBAL lineDiffPointsBN254_P2_x1
+VAR GLOBAL lineDiffPointsBN254_P2_x2
+VAR GLOBAL lineDiffPointsBN254_P2_y1
+VAR GLOBAL lineDiffPointsBN254_P2_y2
+VAR GLOBAL lineDiffPointsBN254_Q_x
+VAR GLOBAL lineDiffPointsBN254_Q_y
+
+VAR GLOBAL lineDiffPointsBN254_P2x_P1y_x
+VAR GLOBAL lineDiffPointsBN254_P2x_P1y_y
+
+VAR GLOBAL lineDiffPointsBN254_l12_x
+VAR GLOBAL lineDiffPointsBN254_l12_y
+VAR GLOBAL lineDiffPointsBN254_l22_x
+VAR GLOBAL lineDiffPointsBN254_l22_y
+VAR GLOBAL lineDiffPointsBN254_l23_x
+VAR GLOBAL lineDiffPointsBN254_l23_y
+
+VAR GLOBAL lineDiffPointsBN254_RR
+
+lineDiffPointsBN254:
+        RR              :MSTORE(lineDiffPointsBN254_RR)
+
+        ; 1] (P2.x - P1.x)·Q.y
+        $ => A          :MLOAD(lineDiffPointsBN254_P2_x1)
+        $ => B          :MLOAD(lineDiffPointsBN254_P2_x2)
+        $ => C          :MLOAD(lineDiffPointsBN254_P1_x1)
+        $ => D          :MLOAD(lineDiffPointsBN254_P1_x2), CALL(subFp2BN254)
+        $ => A          :MLOAD(lineDiffPointsBN254_Q_y)
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E               :MSTORE(lineDiffPointsBN254_l12_x)
+        C               :MSTORE(lineDiffPointsBN254_l12_y)
+
+        ; 2] (P1.y - P2.y)·Q.x
+        $ => A          :MLOAD(lineDiffPointsBN254_P1_y1)
+        $ => B          :MLOAD(lineDiffPointsBN254_P1_y2)
+        $ => C          :MLOAD(lineDiffPointsBN254_P2_y1)
+        $ => D          :MLOAD(lineDiffPointsBN254_P2_y2), CALL(subFp2BN254)
+        $ => A          :MLOAD(lineDiffPointsBN254_Q_x)
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E               :MSTORE(lineDiffPointsBN254_l22_x)
+        C               :MSTORE(lineDiffPointsBN254_l22_y)
+
+        ; 3] (P1.x·P2.y - P2.x·P1.y)
+        $ => A          :MLOAD(lineDiffPointsBN254_P2_x1)
+        $ => B          :MLOAD(lineDiffPointsBN254_P2_x2)
+        $ => C          :MLOAD(lineDiffPointsBN254_P1_y1)
+        $ => D          :MLOAD(lineDiffPointsBN254_P1_y2), CALL(mulFp2BN254)
+        E               :MSTORE(lineDiffPointsBN254_P2x_P1y_x)
+        C               :MSTORE(lineDiffPointsBN254_P2x_P1y_y)
+
+        $ => A          :MLOAD(lineDiffPointsBN254_P1_x1)
+        $ => B          :MLOAD(lineDiffPointsBN254_P1_x2)
+        $ => C          :MLOAD(lineDiffPointsBN254_P2_y1)
+        $ => D          :MLOAD(lineDiffPointsBN254_P2_y2), CALL(mulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(lineDiffPointsBN254_P2x_P1y_x)
+        $ => D          :MLOAD(lineDiffPointsBN254_P2x_P1y_y), CALL(subFp2BN254)
+        E               :MSTORE(lineDiffPointsBN254_l23_x)
+        C               :MSTORE(lineDiffPointsBN254_l23_y)
+
+        $ => RR         :MLOAD(lineDiffPointsBN254_RR)
+                        :RETURN