zkevm-rom 0.0.1-security → 6.0.1

package/main/pairings/FP12BN254/CYCLOFP12BN254/expByXCompCycloFp12BN254.zkasm

@@ -0,0 +1,444 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP12 arithmetic
+;;
+;; expByXCompCycloFp12BN254:
+;;             in: x, a = a0 + a2·w + a4·w² + a1·w³ + a3·w⁴ + a5·w⁵ ∈ GΦ6(p²), where x = 4965661367192848881 and ai ∈ Fp2
+;;             out: a^x = c0 + c2·w + c4·w² + c1·w³ + c3·w⁴ + c5·w⁵ ∈ ∈ GΦ6(p²)
+;;
+;; NOTE: The output is not guaranteed to be in GΦ6(p²), if the input isn't.
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL expByXCompCycloFp12BN254_a0_x
+VAR GLOBAL expByXCompCycloFp12BN254_a0_y
+VAR GLOBAL expByXCompCycloFp12BN254_a2_x
+VAR GLOBAL expByXCompCycloFp12BN254_a2_y
+VAR GLOBAL expByXCompCycloFp12BN254_a4_x
+VAR GLOBAL expByXCompCycloFp12BN254_a4_y
+VAR GLOBAL expByXCompCycloFp12BN254_a1_x
+VAR GLOBAL expByXCompCycloFp12BN254_a1_y
+VAR GLOBAL expByXCompCycloFp12BN254_a3_x
+VAR GLOBAL expByXCompCycloFp12BN254_a3_y
+VAR GLOBAL expByXCompCycloFp12BN254_a5_x
+VAR GLOBAL expByXCompCycloFp12BN254_a5_y
+VAR GLOBAL expByXCompCycloFp12BN254_c0_x
+VAR GLOBAL expByXCompCycloFp12BN254_c0_y
+VAR GLOBAL expByXCompCycloFp12BN254_c2_x
+VAR GLOBAL expByXCompCycloFp12BN254_c2_y
+VAR GLOBAL expByXCompCycloFp12BN254_c4_x
+VAR GLOBAL expByXCompCycloFp12BN254_c4_y
+VAR GLOBAL expByXCompCycloFp12BN254_c1_x
+VAR GLOBAL expByXCompCycloFp12BN254_c1_y
+VAR GLOBAL expByXCompCycloFp12BN254_c3_x
+VAR GLOBAL expByXCompCycloFp12BN254_c3_y
+VAR GLOBAL expByXCompCycloFp12BN254_c5_x
+VAR GLOBAL expByXCompCycloFp12BN254_c5_y
+
+VAR GLOBAL expByXCompCycloFp12BN254_RR
+
+expByXCompCycloFp12BN254:
+        RR              :MSTORE(expByXCompCycloFp12BN254_RR)
+
+        ; Is a = 0?
+        0n => B
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a0_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a0_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a2_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a2_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a4_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a4_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a1_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a1_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a3_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a3_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a5_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue1)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a5_y)
+        $       :EQ, JMPC(expByXCompCycloFp12BN254_a_is_zero)
+                __expByXCompCycloFp12BN254_a_continue1:
+
+        ; Is a = 1?
+        1n => B
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a0_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        0n => B
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a0_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a2_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a2_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a4_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a4_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a1_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a1_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a3_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a3_y)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a5_x)
+        $       :EQ, JMPNC(__expByXCompCycloFp12BN254_a_continue2)
+        $ => A  :MLOAD(expByXCompCycloFp12BN254_a5_y)
+        $       :EQ, JMPC(expByXCompCycloFp12BN254_a_is_one)
+                __expByXCompCycloFp12BN254_a_continue2:
+
+        59 => RCX
+
+        ; We manually compute the first iterations to avoid branching: 10001
+
+        ; 1] First bit is 1 and second bit is 0, so set c = a,
+        ;    compress the input and compute the compressed square C(a²)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_a0_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a0_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c0_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c0_y)
+        A               :MSTORE(compressFp12BN254_a0_x)
+        B               :MSTORE(compressFp12BN254_a0_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_a2_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a2_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c2_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c2_y)
+        A               :MSTORE(compressFp12BN254_a2_x)
+        B               :MSTORE(compressFp12BN254_a2_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_a4_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a4_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c4_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c4_y)
+        A               :MSTORE(compressFp12BN254_a4_x)
+        B               :MSTORE(compressFp12BN254_a4_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_a1_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a1_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c1_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c1_y)
+        A               :MSTORE(compressFp12BN254_a1_x)
+        B               :MSTORE(compressFp12BN254_a1_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_a3_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a3_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c3_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c3_y)
+        A               :MSTORE(compressFp12BN254_a3_x)
+        B               :MSTORE(compressFp12BN254_a3_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_a5_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a5_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c5_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c5_y)
+        A               :MSTORE(compressFp12BN254_a5_x)
+        B               :MSTORE(compressFp12BN254_a5_y), CALL(compressFp12BN254)
+
+        $ => A          :MLOAD(compressFp12BN254_Ca2_x)
+        $ => B          :MLOAD(compressFp12BN254_Ca2_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca2_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca2_y)
+        $ => A          :MLOAD(compressFp12BN254_Ca3_x)
+        $ => B          :MLOAD(compressFp12BN254_Ca3_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca3_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca3_y)
+        $ => A          :MLOAD(compressFp12BN254_Ca4_x)
+        $ => B          :MLOAD(compressFp12BN254_Ca4_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca4_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca4_y)
+        $ => A          :MLOAD(compressFp12BN254_Ca5_x)
+        $ => B          :MLOAD(compressFp12BN254_Ca5_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca5_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca5_y), CALL(squareCompCycloFp12BN254)
+
+        ; 2] Third bit is 0, so compute C(c⁴)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb2_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca2_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca2_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb3_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb3_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca3_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca3_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb4_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca4_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca4_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb5_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb5_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca5_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca5_y), CALL(squareCompCycloFp12BN254)
+
+        ; 3] Fourth bit is 0, so compute C(c⁸)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb2_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca2_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca2_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb3_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb3_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca3_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca3_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb4_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca4_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca4_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb5_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb5_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca5_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca5_y), CALL(squareCompCycloFp12BN254)
+
+        ; 4] Fifth bit is 1, so compute C(c¹⁶), decompress to obtain c¹⁶ and multiply by a
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb2_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca2_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca2_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb3_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb3_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca3_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca3_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb4_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca4_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca4_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb5_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb5_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca5_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca5_y), CALL(squareCompCycloFp12BN254)
+
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb2_y)
+        A               :MSTORE(decompressFp12BN254_Ca2_x)
+        B               :MSTORE(decompressFp12BN254_Ca2_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb3_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb3_y)
+        A               :MSTORE(decompressFp12BN254_Ca3_x)
+        B               :MSTORE(decompressFp12BN254_Ca3_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb4_y)
+        A               :MSTORE(decompressFp12BN254_Ca4_x)
+        B               :MSTORE(decompressFp12BN254_Ca4_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb5_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb5_y)
+        A               :MSTORE(decompressFp12BN254_Ca5_x)
+        B               :MSTORE(decompressFp12BN254_Ca5_y), CALL(decompressFp12BN254)
+
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_c0_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_c0_y)
+        A               :MSTORE(mulFp12BN254_a11_x)
+        B               :MSTORE(mulFp12BN254_a11_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_c2_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_c2_y)
+        A               :MSTORE(mulFp12BN254_a21_x)
+        B               :MSTORE(mulFp12BN254_a21_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_c4_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_c4_y)
+        A               :MSTORE(mulFp12BN254_a12_x)
+        B               :MSTORE(mulFp12BN254_a12_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_c1_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_c1_y)
+        A               :MSTORE(mulFp12BN254_a22_x)
+        B               :MSTORE(mulFp12BN254_a22_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_c3_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_a3_y)
+        A               :MSTORE(mulFp12BN254_a13_x)
+        B               :MSTORE(mulFp12BN254_a13_y)
+        $ => A          :MLOAD(expByXCompCycloFp12BN254_c5_x)
+        $ => B          :MLOAD(expByXCompCycloFp12BN254_c5_y)
+        A               :MSTORE(mulFp12BN254_a23_x)
+        B               :MSTORE(mulFp12BN254_a23_y)
+        $ => A          :MLOAD(decompressFp12BN254_a0_x)
+        $ => B          :MLOAD(decompressFp12BN254_a0_y)
+        A               :MSTORE(mulFp12BN254_b11_x)
+        B               :MSTORE(mulFp12BN254_b11_y)
+        $ => A          :MLOAD(decompressFp12BN254_a2_x)
+        $ => B          :MLOAD(decompressFp12BN254_a2_y)
+        A               :MSTORE(mulFp12BN254_b21_x)
+        B               :MSTORE(mulFp12BN254_b21_y)
+        $ => A          :MLOAD(decompressFp12BN254_a4_x)
+        $ => B          :MLOAD(decompressFp12BN254_a4_y)
+        A               :MSTORE(mulFp12BN254_b12_x)
+        B               :MSTORE(mulFp12BN254_b12_y)
+        $ => A          :MLOAD(decompressFp12BN254_a1_x)
+        $ => B          :MLOAD(decompressFp12BN254_a1_y)
+        A               :MSTORE(mulFp12BN254_b22_x)
+        B               :MSTORE(mulFp12BN254_b22_y)
+        $ => A          :MLOAD(decompressFp12BN254_a3_x)
+        $ => B          :MLOAD(decompressFp12BN254_a3_y)
+        A               :MSTORE(mulFp12BN254_b13_x)
+        B               :MSTORE(mulFp12BN254_b13_y)
+        $ => A          :MLOAD(decompressFp12BN254_a5_x)
+        $ => B          :MLOAD(decompressFp12BN254_a5_y)
+        A               :MSTORE(mulFp12BN254_b23_x)
+        B               :MSTORE(mulFp12BN254_b23_y), CALL(mulFp12BN254)
+
+                        :JMP(expByXCompCycloFp12BN254_loop)
+
+expByXCompCycloFp12BN254_a_is_zero:
+        ; c = 0
+        0n              :MSTORE(expByXCompCycloFp12BN254_c0_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c0_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c2_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c2_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c4_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c4_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c1_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c1_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c3_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c3_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c5_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c5_y)
+
+                        :JMP(expByXCompCycloFp12BN254_end)
+
+expByXCompCycloFp12BN254_a_is_one:
+        ; c = 1
+        1n              :MSTORE(expByXCompCycloFp12BN254_c0_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c0_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c2_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c2_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c4_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c4_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c1_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c1_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c3_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c3_y)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c5_x)
+        0n              :MSTORE(expByXCompCycloFp12BN254_c5_y)
+
+                        :JMP(expByXCompCycloFp12BN254_end)
+
+expByXCompCycloFp12BN254_loop:
+        RCX - 1 => RCX         :JMPZ(expByXCompCycloFp12BN254_last)
+
+        ; We always square (in compressed form): C(c²)
+        ; We square C(c²) and store the result
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb2_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca2_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca2_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb3_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb3_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca3_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca3_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb4_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca4_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca4_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb5_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb5_y)
+        A               :MSTORE(squareCompCycloFp12BN254_Ca5_x)
+        B               :MSTORE(squareCompCycloFp12BN254_Ca5_y), CALL(squareCompCycloFp12BN254)
+
+        ; We check if the MSB b of x is either 1 or 0
+        RCX-1 => RR
+                        :CALL(@xBinDecompBN254 + RR)
+
+        ; if bit = 0, then repeat
+        B               :JMPZ(expByXCompCycloFp12BN254_loop)
+
+        ; else, multiply by the last result
+
+expByXCompCycloFp12BN254_multiply:
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb2_y)
+        A               :MSTORE(decompressFp12BN254_Ca2_x)
+        B               :MSTORE(decompressFp12BN254_Ca2_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb3_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb3_y)
+        A               :MSTORE(decompressFp12BN254_Ca3_x)
+        B               :MSTORE(decompressFp12BN254_Ca3_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb4_y)
+        A               :MSTORE(decompressFp12BN254_Ca4_x)
+        B               :MSTORE(decompressFp12BN254_Ca4_y)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Cb5_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Cb5_y)
+        A               :MSTORE(decompressFp12BN254_Ca5_x)
+        B               :MSTORE(decompressFp12BN254_Ca5_y), CALL(decompressFp12BN254)
+
+        $ => A          :MLOAD(mulFp12BN254_c11_x)
+        $ => B          :MLOAD(mulFp12BN254_c11_y)
+        A               :MSTORE(mulFp12BN254_a11_x)
+        B               :MSTORE(mulFp12BN254_a11_y)
+        $ => A          :MLOAD(mulFp12BN254_c12_x)
+        $ => B          :MLOAD(mulFp12BN254_c12_y)
+        A               :MSTORE(mulFp12BN254_a12_x)
+        B               :MSTORE(mulFp12BN254_a12_y)
+        $ => A          :MLOAD(mulFp12BN254_c13_x)
+        $ => B          :MLOAD(mulFp12BN254_c13_y)
+        A               :MSTORE(mulFp12BN254_a13_x)
+        B               :MSTORE(mulFp12BN254_a13_y)
+        $ => A          :MLOAD(mulFp12BN254_c21_x)
+        $ => B          :MLOAD(mulFp12BN254_c21_y)
+        A               :MSTORE(mulFp12BN254_a21_x)
+        B               :MSTORE(mulFp12BN254_a21_y)
+        $ => A          :MLOAD(mulFp12BN254_c22_x)
+        $ => B          :MLOAD(mulFp12BN254_c22_y)
+        A               :MSTORE(mulFp12BN254_a22_x)
+        B               :MSTORE(mulFp12BN254_a22_y)
+        $ => A          :MLOAD(mulFp12BN254_c23_x)
+        $ => B          :MLOAD(mulFp12BN254_c23_y)
+        A               :MSTORE(mulFp12BN254_a23_x)
+        B               :MSTORE(mulFp12BN254_a23_y)
+        $ => A          :MLOAD(decompressFp12BN254_a0_x)
+        $ => B          :MLOAD(decompressFp12BN254_a0_y)
+        A               :MSTORE(mulFp12BN254_b11_x)
+        B               :MSTORE(mulFp12BN254_b11_y)
+        $ => A          :MLOAD(decompressFp12BN254_a2_x)
+        $ => B          :MLOAD(decompressFp12BN254_a2_y)
+        A               :MSTORE(mulFp12BN254_b21_x)
+        B               :MSTORE(mulFp12BN254_b21_y)
+        $ => A          :MLOAD(decompressFp12BN254_a4_x)
+        $ => B          :MLOAD(decompressFp12BN254_a4_y)
+        A               :MSTORE(mulFp12BN254_b12_x)
+        B               :MSTORE(mulFp12BN254_b12_y)
+        $ => A          :MLOAD(decompressFp12BN254_a1_x)
+        $ => B          :MLOAD(decompressFp12BN254_a1_y)
+        A               :MSTORE(mulFp12BN254_b22_x)
+        B               :MSTORE(mulFp12BN254_b22_y)
+        $ => A          :MLOAD(decompressFp12BN254_a3_x)
+        $ => B          :MLOAD(decompressFp12BN254_a3_y)
+        A               :MSTORE(mulFp12BN254_b13_x)
+        B               :MSTORE(mulFp12BN254_b13_y)
+        $ => A          :MLOAD(decompressFp12BN254_a5_x)
+        $ => B          :MLOAD(decompressFp12BN254_a5_y)
+        A               :MSTORE(mulFp12BN254_b23_x)
+        B               :MSTORE(mulFp12BN254_b23_y), CALL(mulFp12BN254)
+
+                        :JMP(expByXCompCycloFp12BN254_loop)
+
+expByXCompCycloFp12BN254_last:
+        ; Last asignments
+        $ => A          :MLOAD(mulFp12BN254_c11_x)
+        $ => B          :MLOAD(mulFp12BN254_c11_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c0_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c0_y)
+        $ => A          :MLOAD(mulFp12BN254_c12_x)
+        $ => B          :MLOAD(mulFp12BN254_c12_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c4_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c4_y)
+        $ => A          :MLOAD(mulFp12BN254_c13_x)
+        $ => B          :MLOAD(mulFp12BN254_c13_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c3_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c3_y)
+        $ => A          :MLOAD(mulFp12BN254_c21_x)
+        $ => B          :MLOAD(mulFp12BN254_c21_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c2_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c2_y)
+        $ => A          :MLOAD(mulFp12BN254_c22_x)
+        $ => B          :MLOAD(mulFp12BN254_c22_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c1_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c1_y)
+        $ => A          :MLOAD(mulFp12BN254_c23_x)
+        $ => B          :MLOAD(mulFp12BN254_c23_y)
+        A               :MSTORE(expByXCompCycloFp12BN254_c5_x)
+        B               :MSTORE(expByXCompCycloFp12BN254_c5_y)
+
+expByXCompCycloFp12BN254_end:
+        $ => RR         :MLOAD(expByXCompCycloFp12BN254_RR)
+                        :RETURN
+

package/main/pairings/FP12BN254/CYCLOFP12BN254/squareCompCycloFp12BN254.zkasm

@@ -0,0 +1,212 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; squareCompCycloFp12BN254:
+;;             in: [a2,a3,a4,a5] ∈ Fp2⁴, where ai ∈ Fp2
+;;             out: C(a²) = [b2, b3, b4, b5] ∈ Fp2⁴, where:
+;;                  - b2 = 2(a2 + 3·(9+u)·B45)
+;;                  - b3 = 3·(A45 - (10+u)·B45) - 2·a3
+;;                  - b4 = 3·(A23 - (10+u)·B23) - 2·a4
+;;                  - b5 = 2·(a5 + 3·B23)
+;;                 - A23 = (a2 + a3)·(a2 + (9+u)·a3)
+;;                 - A45 = (a4 + a5)·(a4 + (9+u)·a5)
+;;                 - B23 = a2·a3
+;;                 - B45 = a4·a5
+;;
+;; NOTE: If the input is not of the form C(a), where a ∈ GΦ6(p²), then the compression-decompression
+;;       technique will not be well defined after the squaring. This means that D(C(a²)) != a².
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL squareCompCycloFp12BN254_Ca2_x
+VAR GLOBAL squareCompCycloFp12BN254_Ca2_y
+VAR GLOBAL squareCompCycloFp12BN254_Ca3_x
+VAR GLOBAL squareCompCycloFp12BN254_Ca3_y
+VAR GLOBAL squareCompCycloFp12BN254_Ca4_x
+VAR GLOBAL squareCompCycloFp12BN254_Ca4_y
+VAR GLOBAL squareCompCycloFp12BN254_Ca5_x
+VAR GLOBAL squareCompCycloFp12BN254_Ca5_y
+VAR GLOBAL squareCompCycloFp12BN254_Cb2_x
+VAR GLOBAL squareCompCycloFp12BN254_Cb2_y
+VAR GLOBAL squareCompCycloFp12BN254_Cb3_x
+VAR GLOBAL squareCompCycloFp12BN254_Cb3_y
+VAR GLOBAL squareCompCycloFp12BN254_Cb4_x
+VAR GLOBAL squareCompCycloFp12BN254_Cb4_y
+VAR GLOBAL squareCompCycloFp12BN254_Cb5_x
+VAR GLOBAL squareCompCycloFp12BN254_Cb5_y
+
+VAR GLOBAL squareCompCycloFp12BN254_B23_x
+VAR GLOBAL squareCompCycloFp12BN254_B23_y
+VAR GLOBAL squareCompCycloFp12BN254_B45_x
+VAR GLOBAL squareCompCycloFp12BN254_B45_y
+VAR GLOBAL squareCompCycloFp12BN254_A23_x
+VAR GLOBAL squareCompCycloFp12BN254_A23_y
+VAR GLOBAL squareCompCycloFp12BN254_A45_x
+VAR GLOBAL squareCompCycloFp12BN254_A45_y
+
+VAR GLOBAL squareCompCycloFp12BN254_A23right_x
+VAR GLOBAL squareCompCycloFp12BN254_A23right_y
+VAR GLOBAL squareCompCycloFp12BN254_A45right_x
+VAR GLOBAL squareCompCycloFp12BN254_A45right_y
+
+VAR GLOBAL squareCompCycloFp12BN254_twoCa3_x
+VAR GLOBAL squareCompCycloFp12BN254_twoCa3_y
+
+VAR GLOBAL squareCompCycloFp12BN254_twoCa4_x
+VAR GLOBAL squareCompCycloFp12BN254_twoCa4_y
+
+VAR GLOBAL squareCompCycloFp12BN254_RR
+
+squareCompCycloFp12BN254:
+        RR              :MSTORE(squareCompCycloFp12BN254_RR)
+
+        ; 1] B23 = a2·a3, B45 = a4·a5
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Ca2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Ca2_y)
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca3_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca3_y), CALL(mulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_B23_x)
+        C               :MSTORE(squareCompCycloFp12BN254_B23_y)
+
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Ca4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Ca4_y)
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca5_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca5_y), CALL(mulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_B45_x)
+        C               :MSTORE(squareCompCycloFp12BN254_B45_y)
+
+        ; 2] A23 = (a2 + a3)·(a2 + (9+u)·a3)
+        9n => A
+        1n => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca3_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca3_y), CALL(mulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca2_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca2_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_A23right_x)
+        C               :MSTORE(squareCompCycloFp12BN254_A23right_y)
+
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Ca2_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Ca2_y)
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca3_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca3_y), CALL(addFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_A23right_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_A23right_y), CALL(mulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_A23_x)
+        C               :MSTORE(squareCompCycloFp12BN254_A23_y)
+
+        ; 3] A45 = (a4 + a5)·(a4 + (9+u)·a5)
+        9n => A
+        1n => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca5_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca5_y), CALL(mulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca4_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca4_y), CALL(addFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_A45right_x)
+        C               :MSTORE(squareCompCycloFp12BN254_A45right_y)
+
+        $ => A          :MLOAD(squareCompCycloFp12BN254_Ca4_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_Ca4_y)
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca5_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca5_y), CALL(addFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_A45right_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_A45right_y), CALL(mulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_A45_x)
+        C               :MSTORE(squareCompCycloFp12BN254_A45_y)
+
+        ; 4] b2 = 2(a2 + 3·(9+u)·B45)
+        9n => A
+        1n => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_B45_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_B45_y), CALL(mulFp2BN254)
+        3n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca2_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca2_y), CALL(addFp2BN254)
+        2n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_Cb2_x)
+        C               :MSTORE(squareCompCycloFp12BN254_Cb2_y)
+
+        ; 5] b3 = 3·(A45 - (10+u)·B45) - 2·a3
+        2n => A
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca3_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca3_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_twoCa3_x)
+        C               :MSTORE(squareCompCycloFp12BN254_twoCa3_y)
+
+        10n => A
+        1n => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_B45_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_B45_y), CALL(mulFp2BN254)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_A45_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_A45_y)
+        C => D
+        E => C          :CALL(subFp2BN254)
+
+        3n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_twoCa3_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_twoCa3_y), CALL(subFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_Cb3_x)
+        C               :MSTORE(squareCompCycloFp12BN254_Cb3_y)
+
+        ; 6] b4 = 3·(A23 - (10+u)·B23) - 2·a4
+        2n => A
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca4_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca4_y), CALL(escalarMulFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_twoCa4_x)
+        C               :MSTORE(squareCompCycloFp12BN254_twoCa4_y)
+
+        10n => A
+        1n => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_B23_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_B23_y), CALL(mulFp2BN254)
+        $ => A          :MLOAD(squareCompCycloFp12BN254_A23_x)
+        $ => B          :MLOAD(squareCompCycloFp12BN254_A23_y)
+        C => D
+        E => C          :CALL(subFp2BN254)
+
+        3n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_twoCa4_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_twoCa4_y), CALL(subFp2BN254)
+        E               :MSTORE(squareCompCycloFp12BN254_Cb4_x)
+        C               :MSTORE(squareCompCycloFp12BN254_Cb4_y)
+
+        ; 7] b5 = 2·(a5 + 3·B23)
+        3n => A
+        $ => C          :MLOAD(squareCompCycloFp12BN254_B23_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_B23_y), CALL(escalarMulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareCompCycloFp12BN254_Ca5_x)
+        $ => D          :MLOAD(squareCompCycloFp12BN254_Ca5_y), CALL(addFp2BN254)
+        2n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+
+        E               :MSTORE(squareCompCycloFp12BN254_Cb5_x)
+        C               :MSTORE(squareCompCycloFp12BN254_Cb5_y)
+
+        $ => RR         :MLOAD(squareCompCycloFp12BN254_RR)
+                        :RETURN
+