zkevm-rom 0.0.1-security → 6.0.1

package/main/pairings/FP6BN254/sparseMulCFp6BN254.zkasm

@@ -0,0 +1,128 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; sparseMulCFp6BN254:
+;;             in: (a1 + a2·v + a3·v²),(b1 + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
+;;             out: (c1 + c2·v + c3·v²) ∈ Fp6, where:
+;;                  - c1 = a1·b1 + a2·b3·(9+u)
+;;                  - c2 = a2·b1 + a3·b3·(9+u)
+;;                  - c3 = (a1 + a3)·(b1 + b3) - a1·b1 - a3·b3
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL sparseMulCFp6BN254_a1_x
+VAR GLOBAL sparseMulCFp6BN254_a1_y
+VAR GLOBAL sparseMulCFp6BN254_a2_x
+VAR GLOBAL sparseMulCFp6BN254_a2_y
+VAR GLOBAL sparseMulCFp6BN254_a3_x
+VAR GLOBAL sparseMulCFp6BN254_a3_y
+
+VAR GLOBAL sparseMulCFp6BN254_b1_x
+VAR GLOBAL sparseMulCFp6BN254_b1_y
+VAR GLOBAL sparseMulCFp6BN254_b3_x
+VAR GLOBAL sparseMulCFp6BN254_b3_y
+
+VAR GLOBAL sparseMulCFp6BN254_c1_x
+VAR GLOBAL sparseMulCFp6BN254_c1_y
+VAR GLOBAL sparseMulCFp6BN254_c2_x
+VAR GLOBAL sparseMulCFp6BN254_c2_y
+VAR GLOBAL sparseMulCFp6BN254_c3_x
+VAR GLOBAL sparseMulCFp6BN254_c3_y
+
+VAR GLOBAL sparseMulCFp6BN254_a1b1_x
+VAR GLOBAL sparseMulCFp6BN254_a1b1_y
+VAR GLOBAL sparseMulCFp6BN254_a3b3_x
+VAR GLOBAL sparseMulCFp6BN254_a3b3_y
+VAR GLOBAL sparseMulCFp6BN254_a2b1_x
+VAR GLOBAL sparseMulCFp6BN254_a2b1_y
+VAR GLOBAL sparseMulCFp6BN254_a1a3sum_x
+VAR GLOBAL sparseMulCFp6BN254_a1a3sum_y
+
+VAR GLOBAL sparseMulCFp6BN254_RR
+
+sparseMulCFp6BN254:
+        RR              :MSTORE(sparseMulCFp6BN254_RR)
+
+        ; 1] a1·b1, a3·b3
+        $ => A          :MLOAD(sparseMulCFp6BN254_a1_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_a1_y)
+        $ => C          :MLOAD(sparseMulCFp6BN254_b1_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_b1_y), CALL(mulFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_a1b1_x)
+        C               :MSTORE(sparseMulCFp6BN254_a1b1_y)
+
+        $ => A          :MLOAD(sparseMulCFp6BN254_a3_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_a3_y)
+        $ => C          :MLOAD(sparseMulCFp6BN254_b3_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_b3_y), CALL(mulFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_a3b3_x)
+        C               :MSTORE(sparseMulCFp6BN254_a3b3_y)
+
+        ; 2] c1 = a1·b1 + a2·b3·(9+u)
+        $ => A          :MLOAD(sparseMulCFp6BN254_a2_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_a2_y)
+        $ => C          :MLOAD(sparseMulCFp6BN254_b3_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_b3_y), CALL(mulFp2BN254)
+        E => A
+        C => B
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(sparseMulCFp6BN254_a1b1_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_a1b1_y), CALL(addFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_c1_x)
+        C               :MSTORE(sparseMulCFp6BN254_c1_y)
+
+        ; 3] c2 = a2·b1 + a3·b3·(9+u)
+        $ => A          :MLOAD(sparseMulCFp6BN254_a2_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_a2_y)
+        $ => C          :MLOAD(sparseMulCFp6BN254_b1_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_b1_y), CALL(mulFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_a2b1_x)
+        C               :MSTORE(sparseMulCFp6BN254_a2b1_y)
+
+        $ => A          :MLOAD(sparseMulCFp6BN254_a3b3_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_a3b3_y)
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(sparseMulCFp6BN254_a2b1_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_a2b1_y), CALL(addFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_c2_x)
+        C               :MSTORE(sparseMulCFp6BN254_c2_y)
+
+
+        ; 4] c3 = (a1 + a3)·(b1 + b3) - a1·b1 - a3·b3
+        $ => A          :MLOAD(sparseMulCFp6BN254_a1_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_a1_y)
+        $ => C          :MLOAD(sparseMulCFp6BN254_a3_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_a3_y), CALL(addFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_a1a3sum_x)
+        C               :MSTORE(sparseMulCFp6BN254_a1a3sum_y)
+
+        $ => A          :MLOAD(sparseMulCFp6BN254_b1_x)
+        $ => B          :MLOAD(sparseMulCFp6BN254_b1_y)
+        $ => C          :MLOAD(sparseMulCFp6BN254_b3_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_b3_y), CALL(addFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(sparseMulCFp6BN254_a1a3sum_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_a1a3sum_y), CALL(mulFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(sparseMulCFp6BN254_a1b1_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_a1b1_y), CALL(subFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(sparseMulCFp6BN254_a3b3_x)
+        $ => D          :MLOAD(sparseMulCFp6BN254_a3b3_y), CALL(subFp2BN254)
+        E               :MSTORE(sparseMulCFp6BN254_c3_x)
+        C               :MSTORE(sparseMulCFp6BN254_c3_y)
+
+
+        $ => RR         :MLOAD(sparseMulCFp6BN254_RR)
+                        :RETURN

package/main/pairings/FP6BN254/squareFp6BN254.zkasm

@@ -0,0 +1,147 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; squareFp6BN254:
+;;             in: (a1 + a2·v + a3·v²) ∈ Fp6, where ai ∈ Fp2
+;;             out: (c1 + c2·v + c3·v²) ∈ Fp6, where:
+;;                  - c1 = 2·a2·a3·(9 + u) + a1²
+;;                  - c2 = a3²·(9 + u) + 2·a1·a2
+;;                  - c3 = 2·a1·a2 - a3² + (a1 - a2 + a3)² + 2·a2·a3 - a1²
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL squareFp6BN254_a1_x
+VAR GLOBAL squareFp6BN254_a1_y
+VAR GLOBAL squareFp6BN254_a2_x
+VAR GLOBAL squareFp6BN254_a2_y
+VAR GLOBAL squareFp6BN254_a3_x
+VAR GLOBAL squareFp6BN254_a3_y
+VAR GLOBAL squareFp6BN254_c1_x
+VAR GLOBAL squareFp6BN254_c1_y
+VAR GLOBAL squareFp6BN254_c2_x
+VAR GLOBAL squareFp6BN254_c2_y
+VAR GLOBAL squareFp6BN254_c3_x
+VAR GLOBAL squareFp6BN254_c3_y
+
+VAR GLOBAL squareFp6BN254_2a1a2mul_x
+VAR GLOBAL squareFp6BN254_2a1a2mul_y
+VAR GLOBAL squareFp6BN254_a3square_x
+VAR GLOBAL squareFp6BN254_a3square_y
+VAR GLOBAL squareFp6BN254_2a1a2a3sqsub_x
+VAR GLOBAL squareFp6BN254_2a1a2a3sqsub_y
+VAR GLOBAL squareFp6BN254_a1square_x
+VAR GLOBAL squareFp6BN254_a1square_y
+VAR GLOBAL squareFp6BN254_a1a2a3sub_x
+VAR GLOBAL squareFp6BN254_a1a2a3sub_y
+VAR GLOBAL squareFp6BN254_2a2a3mul_x
+VAR GLOBAL squareFp6BN254_2a2a3mul_y
+
+VAR GLOBAL squareFp6BN254_RR
+
+squareFp6BN254:
+        RR              :MSTORE(squareFp6BN254_RR)
+
+        ; 1] 2·a1·a2
+        $ => A          :MLOAD(squareFp6BN254_a1_x)
+        $ => B          :MLOAD(squareFp6BN254_a1_y)
+        $ => C          :MLOAD(squareFp6BN254_a2_x)
+        $ => D          :MLOAD(squareFp6BN254_a2_y), CALL(mulFp2BN254)
+        2n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+
+        E               :MSTORE(squareFp6BN254_2a1a2mul_x)
+        C               :MSTORE(squareFp6BN254_2a1a2mul_y)
+
+        ; 2] a3²
+        $ => A          :MLOAD(squareFp6BN254_a3_x)
+        $ => B          :MLOAD(squareFp6BN254_a3_y), CALL(squareFp2BN254)
+        E               :MSTORE(squareFp6BN254_a3square_x)
+        C               :MSTORE(squareFp6BN254_a3square_y)
+
+        ; 3] c2 = a3²·(9 + u) + 2·a1·a2
+        $ => A          :MLOAD(squareFp6BN254_a3square_x)
+        $ => B          :MLOAD(squareFp6BN254_a3square_y)
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+
+        $ => A          :MLOAD(squareFp6BN254_2a1a2mul_x)
+        $ => B          :MLOAD(squareFp6BN254_2a1a2mul_y)
+        C => D
+        E => C          :CALL(addFp2BN254)
+
+        E               :MSTORE(squareFp6BN254_c2_x)
+        C               :MSTORE(squareFp6BN254_c2_y)
+
+        ; 4] 2·a1·a2 - a3²
+        $ => A          :MLOAD(squareFp6BN254_2a1a2mul_x)
+        $ => B          :MLOAD(squareFp6BN254_2a1a2mul_y)
+        $ => C          :MLOAD(squareFp6BN254_a3square_x)
+        $ => D          :MLOAD(squareFp6BN254_a3square_y), CALL(subFp2BN254)
+        E               :MSTORE(squareFp6BN254_2a1a2a3sqsub_x)
+        C               :MSTORE(squareFp6BN254_2a1a2a3sqsub_y)
+
+        ; 5] a1²
+        $ => A          :MLOAD(squareFp6BN254_a1_x)
+        $ => B          :MLOAD(squareFp6BN254_a1_y), CALL(squareFp2BN254)
+        E               :MSTORE(squareFp6BN254_a1square_x)
+        C               :MSTORE(squareFp6BN254_a1square_y)
+
+        ; 6] (a1 - a2 + a3)²
+        $ => A          :MLOAD(squareFp6BN254_a1_x)
+        $ => B          :MLOAD(squareFp6BN254_a1_y)
+        $ => C          :MLOAD(squareFp6BN254_a2_x)
+        $ => D          :MLOAD(squareFp6BN254_a2_y), CALL(subFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareFp6BN254_a3_x)
+        $ => D          :MLOAD(squareFp6BN254_a3_y), CALL(addFp2BN254)
+        E => A
+        C => B          :CALL(squareFp2BN254)
+
+        E               :MSTORE(squareFp6BN254_a1a2a3sub_x)
+        C               :MSTORE(squareFp6BN254_a1a2a3sub_y)
+
+        ; 7] 2·a2·a3
+        $ => A          :MLOAD(squareFp6BN254_a2_x)
+        $ => B          :MLOAD(squareFp6BN254_a2_y)
+        $ => C          :MLOAD(squareFp6BN254_a3_x)
+        $ => D          :MLOAD(squareFp6BN254_a3_y), CALL(mulFp2BN254)
+        2n => A
+        C => D
+        E => C          :CALL(escalarMulFp2BN254)
+
+        E               :MSTORE(squareFp6BN254_2a2a3mul_x)
+        C               :MSTORE(squareFp6BN254_2a2a3mul_y)
+
+        ; 8] c1 = 2·a2·a3·(9 + u) + a1²
+        $ => A          :MLOAD(squareFp6BN254_2a2a3mul_x)
+        $ => B          :MLOAD(squareFp6BN254_2a2a3mul_y)
+        9n => C
+        1n => D         :CALL(mulFp2BN254)
+
+        E => A
+        C => B
+        $ => C          :MLOAD(squareFp6BN254_a1square_x)
+        $ => D          :MLOAD(squareFp6BN254_a1square_y), CALL(addFp2BN254)
+        E               :MSTORE(squareFp6BN254_c1_x)
+        C               :MSTORE(squareFp6BN254_c1_y)
+
+        ; 9] c3 = 2·a1·a2 - a3² + (a1 - a2 + a3)² + 2·a2·a3 - a1²
+        $ => A          :MLOAD(squareFp6BN254_2a1a2a3sqsub_x)
+        $ => B          :MLOAD(squareFp6BN254_2a1a2a3sqsub_y)
+        $ => C          :MLOAD(squareFp6BN254_a1a2a3sub_x)
+        $ => D          :MLOAD(squareFp6BN254_a1a2a3sub_y), CALL(addFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareFp6BN254_2a2a3mul_x)
+        $ => D          :MLOAD(squareFp6BN254_2a2a3mul_y), CALL(addFp2BN254)
+        E => A
+        C => B
+        $ => C          :MLOAD(squareFp6BN254_a1square_x)
+        $ => D          :MLOAD(squareFp6BN254_a1square_y), CALL(subFp2BN254)
+        E               :MSTORE(squareFp6BN254_c3_x)
+        C               :MSTORE(squareFp6BN254_c3_y)
+
+        $ => RR         :MLOAD(squareFp6BN254_RR)
+                        :RETURN

package/main/pairings/FP6BN254/subFp6BN254.zkasm

@@ -0,0 +1,59 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P) because if falls back to FP2 arithmetic
+;;
+;; subFp6BN254:
+;;             in: (a1 + a2·v + a3·v²),(b1 + b2·v + b3·v²) ∈ Fp6, where ai,bi ∈ Fp2
+;;             out: (c1 + c2·v + c3·v²) = (a1-b1) + (a2-b2)·v + (a3-b3)·v² ∈ Fp6
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL subFp6BN254_a1_x
+VAR GLOBAL subFp6BN254_a1_y
+VAR GLOBAL subFp6BN254_a2_x
+VAR GLOBAL subFp6BN254_a2_y
+VAR GLOBAL subFp6BN254_a3_x
+VAR GLOBAL subFp6BN254_a3_y
+VAR GLOBAL subFp6BN254_b1_x
+VAR GLOBAL subFp6BN254_b1_y
+VAR GLOBAL subFp6BN254_b2_x
+VAR GLOBAL subFp6BN254_b2_y
+VAR GLOBAL subFp6BN254_b3_x
+VAR GLOBAL subFp6BN254_b3_y
+VAR GLOBAL subFp6BN254_c1_x
+VAR GLOBAL subFp6BN254_c1_y
+VAR GLOBAL subFp6BN254_c2_x
+VAR GLOBAL subFp6BN254_c2_y
+VAR GLOBAL subFp6BN254_c3_x
+VAR GLOBAL subFp6BN254_c3_y
+
+VAR GLOBAL subFp6BN254_RR
+
+subFp6BN254:
+        RR              :MSTORE(subFp6BN254_RR)
+
+        ; 1] c1 = a1-b1
+        $ => A          :MLOAD(subFp6BN254_a1_x)
+        $ => B          :MLOAD(subFp6BN254_a1_y)
+        $ => C          :MLOAD(subFp6BN254_b1_x)
+        $ => D          :MLOAD(subFp6BN254_b1_y), CALL(subFp2BN254)
+        E               :MSTORE(subFp6BN254_c1_x)
+        C               :MSTORE(subFp6BN254_c1_y)
+
+        ; 2] c2 = a2-b2
+        $ => A          :MLOAD(subFp6BN254_a2_x)
+        $ => B          :MLOAD(subFp6BN254_a2_y)
+        $ => C          :MLOAD(subFp6BN254_b2_x)
+        $ => D          :MLOAD(subFp6BN254_b2_y), CALL(subFp2BN254)
+        E               :MSTORE(subFp6BN254_c2_x)
+        C               :MSTORE(subFp6BN254_c2_y)
+
+        ; 3] c3 = a3-b3
+        $ => A          :MLOAD(subFp6BN254_a3_x)
+        $ => B          :MLOAD(subFp6BN254_a3_y)
+        $ => C          :MLOAD(subFp6BN254_b3_x)
+        $ => D          :MLOAD(subFp6BN254_b3_y), CALL(subFp2BN254)
+        E               :MSTORE(subFp6BN254_c3_x)
+        C               :MSTORE(subFp6BN254_c3_y)
+
+        $ => RR         :MLOAD(subFp6BN254_RR)
+                        :RETURN

package/main/pairings/FPBN254/addFpBN254.zkasm

@@ -0,0 +1,29 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P)
+;;
+;; addFpBN254:
+;;             in: A,C ∈ Fp
+;;             out: C = A + C (mod BN254_P) ∈ Fp
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+addFpBN254:
+        ; 1] Compute and check the sum over Z
+        ; A·[1] + C = [D]·2²⁵⁶ + [E]
+        1 => B
+        $${var _addFpBN254_AC = A + C}
+        ${_addFpBN254_AC >> 256} => D
+        ${_addFpBN254_AC} => E :ARITH
+
+        ; 2] Check it over Fp, that is, it must be satisfied that:
+        ; [BN254_P]·[(A+C) / p] + [(A+C) % p] = D·2²⁵⁶ + E
+        ; where C < BN254_P
+        %BN254_P => A
+        ${_addFpBN254_AC / const.BN254_P} => B        ; quotient  (256 bits)
+        ${_addFpBN254_AC % const.BN254_P} => C        ; residue (256 bits)
+        E :ARITH
+
+        ; 3] Check that the result is lower than BN254_P
+        A => B
+        C => A
+        1       :LT, RETURN

package/main/pairings/FPBN254/invFpBN254.zkasm

@@ -0,0 +1,55 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P)
+;;
+;; invFpBN254:
+;;             in: A ∈ Fp
+;;             out: B = A⁻¹ (mod BN254_P) ∈ Fp
+;;
+;; NOTE: On input 0, it returns 0
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL invFpBN254_tmp
+VAR GLOBAL invFpBN254_RR
+
+invFpBN254:
+        RR              :MSTORE(invFpBN254_RR)
+
+        ; Normalization of A
+        %BN254_P => B
+        $       :LT, JMPC(invFpBN254_zero_check)
+                :CALL(reduceFpBN254)
+        ; From here, it is guaranteed that A ∈ [0,BN254_P)
+
+invFpBN254_zero_check:
+        ; Check if A = 0, and if so, return 0
+        0 => B
+        $       :EQ, JMPC(invFpBN254_A_is_zero)
+
+invFpBN254_normalized:
+        ; 1] Compute and check the inverse over Z
+        ; A·A⁻¹ + [0] = [D]·2²⁵⁶ + [E]
+        0 => C
+        ${var _invFpBN254_A = fpBN254inv(A)} => B :MSTORE(invFpBN254_tmp);
+        $${var _invFpBN254_AB = A * _invFpBN254_A}
+        ${_invFpBN254_AB >> 256} => D
+        ${_invFpBN254_AB} => E :ARITH
+
+        ; 2] Check it over Fp, that is, it must be satisfied that:
+        ; [BN254_P]·[(A·A⁻¹) / BN254_P] + [1] = D·2²⁵⁶ + E
+        %BN254_P => A
+        ${_invFpBN254_AB / const.BN254_P} => B        ; quotient  (256 bits)
+        1n => C                                       ; residue (1 bit)
+        E :ARITH
+
+        ; 3] Check that the result is lower than BN254_P
+        A => B
+        $ => A          :MLOAD(invFpBN254_tmp)
+        1               :LT
+        A => B          :JMP(invFpBN254_end)
+
+invFpBN254_A_is_zero:
+        0 => B
+
+invFpBN254_end:
+        $ => RR         :MLOAD(invFpBN254_RR)
+                        :RETURN

package/main/pairings/FPBN254/mulFpBN254.zkasm

@@ -0,0 +1,29 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P)
+;;
+;; mulFpBN254:
+;;             in: A,B ∈ Fp
+;;             out: C = A·B (mod BN254_P) ∈ Fp
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+mulFpBN254:
+        ; 1] Compute and check the sum over Z
+        ; A·B + [0] = [D]·2²⁵⁶ + [E]
+        0 => C
+        $${var _mulFpBN254_AB = A*B}
+        ${_mulFpBN254_AB >> 256} => D
+        ${_mulFpBN254_AB} => E :ARITH
+
+        ; 2] Check it over Fp, that is, it must be satisfied that:
+        ; [BN254_P]·[(A·B) / p] + [C / p] = D·2²⁵⁶ + E
+        ; where C < BN254_P
+        %BN254_P => A
+        ${_mulFpBN254_AB / const.BN254_P} => B        ; quotient  (256 bits)
+        ${_mulFpBN254_AB % const.BN254_P} => C        ; residue (256 bits)
+        E :ARITH
+
+        ; 3] Check that the result is lower than BN254_P
+        A => B
+        C => A
+        1       :LT, RETURN

package/main/pairings/FPBN254/reduceFpBN254.zkasm

@@ -0,0 +1,25 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P)
+;;
+;; reduceFpBN254:
+;;             in: A ∈ [0, 2²⁵⁶-1]
+;;             out: A (mod BN254_P) ∈ Fp
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL reduceFpBN254_tmp
+
+reduceFpBN254:
+        ; 1] It must be satisfied that:
+        ; [BN254_P]·[A / p] + [A % p] = [0]·2²⁵⁶ + A
+        A       :MSTORE(reduceFpBN254_tmp)
+        ${A / const.BN254_P} => B        ; quotient  (256 bits)
+        ${A % const.BN254_P} => C        ; residue (256 bits)
+        %BN254_P => A
+        0n => D
+        $       :MLOAD(reduceFpBN254_tmp), ARITH
+
+        ; 2] Check the the residue is less than p
+        A => B
+        C => A
+        1       :LT, RETURN

package/main/pairings/FPBN254/squareFpBN254.zkasm

@@ -0,0 +1,31 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P)
+;;
+;; squareFpBN254:
+;;             in: A ∈ Fp
+;;             out: B = A² (mod BN254_P) ∈ Fp
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+squareFpBN254:
+        ; 1] Compute and check the inverse over Z
+        ; A·A + [0] = [D]·2²⁵⁶ + [E]
+        A => B
+        0 => C
+        $${var _squareFpBN254_AA = A * A}
+        ${_squareFpBN254_AA >> 256} => D
+        ${_squareFpBN254_AA} => E :ARITH
+
+        ; 2] Check it over Fp, that is, it must be satisfied that:
+        ; [BN254_P]·[A² / p] + [A² % p] = D·2²⁵⁶ + E
+        ; where C < BN254_P
+        %BN254_P => A
+        ${_squareFpBN254_AA / const.BN254_P} => B        ; quotient  (256 bits)
+        ${_squareFpBN254_AA % const.BN254_P} => C        ; residue  (256 bits)
+        E :ARITH
+
+        ; 3] Check that the result is lower than BN254_P
+        A => B
+        C => A
+        1       :LT
+        A => B  :RETURN

package/main/pairings/FPBN254/subFpBN254.zkasm

@@ -0,0 +1,36 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,BN254_P)
+;;
+;; subFpBN254:
+;;             in: A,C ∈ Fp
+;;             out: C = A - C (mod BN254_P) ∈ Fp
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+subFpBN254:
+        ; 0] Negate C
+        A => D
+        %BN254_P => A
+        C => B
+        $ => C      :SUB
+        D => A
+
+        ; 1] Compute and check the sub over Z
+        ; A·[1] + [BN254_P-C] = [D]·2²⁵⁶ + [E]
+        1 => B
+        $${var _subFpBN254_AC = A + C}
+        ${_subFpBN254_AC >> 256} => D
+        ${_subFpBN254_AC} => E :ARITH
+
+        ; 2] Check it over Fp, that is, it must be satisfied that:
+        ; [BN254_P]·[(A - C) / p] + [(A - C) % p] = D·2²⁵⁶ + E
+        ; where C < BN254_P
+        %BN254_P => A
+        ${_subFpBN254_AC / const.BN254_P} => B        ; quotient  (256 bits)
+        ${_subFpBN254_AC % const.BN254_P} => C        ; residue (256 bits)
+        E :ARITH
+
+        ; 3] Check that the result is lower than BN254_P
+        A => B
+        C => A
+        1       :LT, RETURN

package/main/pairings/FRBN254/reduceFrBN254.zkasm

@@ -0,0 +1,25 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; POST: The result is in the range [0,r)
+;;
+;; reduceFrBN254:
+;;             in: B ∈ [0, 2²⁵⁶-1]
+;;             out: A = B (mod BN254_R) ∈ Fr
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+VAR GLOBAL reduceFrBN254_tmp
+
+reduceFrBN254:
+        ; 1] It must be satisfied that:
+        ; [BN254_R]·[B / r] + [B % r] = [0]·2²⁵⁶ + E
+        B       :MSTORE(reduceFrBN254_tmp)
+        ${B % const.BN254_R} => C        ; residue (256 bits)
+        ${B / const.BN254_R} => B        ; quotient  (256 bits)
+        %BN254_R => A
+        0n => D
+        $       :MLOAD(reduceFrBN254_tmp), ARITH
+
+        ; 2] Check the the residue is less than r
+        A => B
+        C => A
+        1       :LT, RETURN

package/main/pairings/constants.zkasm

@@ -0,0 +1,62 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;
+;;  Constants of the optimal Ate pairing over the BN254 curve
+;;                      e: G1 x G2 --> GT
+;;  where G1 = E(Fp)[r] = E(Fp), G2 = E'(Fp2)[r] and GT = mu_r (the r-th roots of unity over Fp12* over the curves:
+;;              E/Fp: y² = x³ + 3,    E'/Fp2: y² = x³ + 3/(9+u)
+;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; Basic constants: X = "BN family parameter", P = "base field order", R = "scalar field order"
+; CONSTL %BN254_X = 4965661367192848881n ; Unused, just for reference
+CONSTL %BN254_P = 21888242871839275222246405745257275088696311157297823662689037894645226208583n ; 36n * X ** 4n + 36n * X ** 3n + 24n * X ** 2n + 6n * X + 1n
+; NOTE: It is satisfied that 5·p < 2²⁵⁶ < 6·p
+CONSTL %BN254_P_MINUS_ONE = 21888242871839275222246405745257275088696311157297823662689037894645226208582n
+CONSTL %BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617n ; 36n * X ** 4n + 36n * X ** 3n + 18n * X ** 2n + 6n * X + 1n
+CONSTL %BN254_R_MINUS_ONE = 21888242871839275222246405745257275088548364400416034343698204186575808495616n
+
+; Precomputed values: 3/(9+u) and 6x²
+CONSTL %BN254_E_B = 3n
+CONSTL %BN254_ETWISTED_B_X = 19485874751759354771024239261021720505790618469301721065564631296452457478373n
+CONSTL %BN254_ETWISTED_B_Y = 266929791119991161246907387137283842545076965332900288569378510910307636690n
+CONSTL %BN254_SIX_TIMES_X_SQ = 147946756881789318990833708069417712966n
+
+; Coordinates of the generator of the group G1
+CONSTL %PAIRING_P1X = 1n
+CONSTL %PAIRING_P1Y = 2n
+
+; Coordinates of the generator of the group G2
+CONSTL %PAIRING_P2X1 = 10857046999023057135944570762232829481370756359578518086990519993285655852781n
+CONSTL %PAIRING_P2X2 = 11559732032986387107991004021392285783925812861821192530917403151452391805634n
+CONSTL %PAIRING_P2Y1 = 8495653923123431417604973247489272438418190587263600148770280649306958101930n
+CONSTL %PAIRING_P2Y2 = 4082367875863433681332203403145435568316851327593401208105741076214120093531n
+
+; Precomputed frobenius operator constants. These are used to compute f^p, f^p2 and f^p3 cheaply, where f ∈ Fp12
+; See: https://hackmd.io/kcEJAWISQ56eE6YpBnurgw#Frobenius-Operator
+CONSTL %FROBENIUS_GAMMA111 = 8376118865763821496583973867626364092589906065868298776909617916018768340080n
+CONSTL %FROBENIUS_GAMMA112 = 16469823323077808223889137241176536799009286646108169935659301613961712198316n
+CONSTL %FROBENIUS_GAMMA121 = 21575463638280843010398324269430826099269044274347216827212613867836435027261n
+CONSTL %FROBENIUS_GAMMA122 = 10307601595873709700152284273816112264069230130616436755625194854815875713954n
+CONSTL %FROBENIUS_GAMMA131 = 2821565182194536844548159561693502659359617185244120367078079554186484126554n
+CONSTL %FROBENIUS_GAMMA132 = 3505843767911556378687030309984248845540243509899259641013678093033130930403n
+CONSTL %FROBENIUS_GAMMA131_NEGATED = 19066677689644738377698246183563772429336693972053703295610958340458742082029n ;%BN254_P - %FROBENIUS_GAMMA131
+CONSTL %FROBENIUS_GAMMA132_NEGATED = 18382399103927718843559375435273026243156067647398564021675359801612095278180n ;%BN254_P - %FROBENIUS_GAMMA132
+CONSTL %FROBENIUS_GAMMA141 = 2581911344467009335267311115468803099551665605076196740867805258568234346338n
+CONSTL %FROBENIUS_GAMMA142 = 19937756971775647987995932169929341994314640652964949448313374472400716661030n
+CONSTL %FROBENIUS_GAMMA151 = 685108087231508774477564247770172212460312782337200605669322048753928464687n
+CONSTL %FROBENIUS_GAMMA152 = 8447204650696766136447902020341177575205426561248465145919723016860428151883n
+CONSTL %FROBENIUS_GAMMA21 = 21888242871839275220042445260109153167277707414472061641714758635765020556617n
+CONSTL %FROBENIUS_GAMMA22 = 21888242871839275220042445260109153167277707414472061641714758635765020556616n
+CONSTL %FROBENIUS_GAMMA23 = 21888242871839275222246405745257275088696311157297823662689037894645226208582n
+CONSTL %FROBENIUS_GAMMA24 = 2203960485148121921418603742825762020974279258880205651966n
+CONSTL %FROBENIUS_GAMMA25 = 2203960485148121921418603742825762020974279258880205651967n
+CONSTL %FROBENIUS_GAMMA311 = 11697423496358154304825782922584725312912383441159505038794027105778954184319n
+CONSTL %FROBENIUS_GAMMA312 = 303847389135065887422783454877609941456349188919719272345083954437860409601n
+CONSTL %FROBENIUS_GAMMA321 = 3772000881919853776433695186713858239009073593817195771773381919316419345261n
+CONSTL %FROBENIUS_GAMMA322 = 2236595495967245188281701248203181795121068902605861227855261137820944008926n
+CONSTL %FROBENIUS_GAMMA331 = 19066677689644738377698246183563772429336693972053703295610958340458742082029n
+CONSTL %FROBENIUS_GAMMA332 = 18382399103927718843559375435273026243156067647398564021675359801612095278180n
+CONSTL %FROBENIUS_GAMMA341 = 5324479202449903542726783395506214481928257762400643279780343368557297135718n
+CONSTL %FROBENIUS_GAMMA342 = 16208900380737693084919495127334387981393726419856888799917914180988844123039n
+CONSTL %FROBENIUS_GAMMA351 = 8941241848238582420466759817324047081148088512956452953208002715982955420483n
+CONSTL %FROBENIUS_GAMMA352 = 10338197737521362862238855242243140895517409139741313354160881284257516364953n