From 655a92949506218068a1a4fa1d1bc10e52088dca Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 18 Jul 2025 10:43:31 +0200 Subject: [PATCH 01/23] feat: offsets ok --- backend/plonk/bls12-381/solidity.go | 1447 +++++++++++++++++++++++++++ backend/plonk/bls12-381/verify.go | 67 +- go.mod | 79 +- go.sum | 193 ++++ 4 files changed, 1779 insertions(+), 7 deletions(-) create mode 100644 backend/plonk/bls12-381/solidity.go diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go new file mode 100644 index 0000000000..a5cdd3acf2 --- /dev/null +++ b/backend/plonk/bls12-381/solidity.go @@ -0,0 +1,1447 @@ +package plonk + +const tmplSolidityVerifier = `// SPDX-License-Identifier: Apache-2.0 + +// Copyright 2023 Consensys Software Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by gnark DO NOT EDIT + +pragma solidity {{ .Cfg.PragmaVersion }}; + +contract PlonkVerifier { + + uint256 private constant R_MOD = 52435875175126190479447740508185965837690552500527637822603658699938581184513; + uint256 private constant R_MOD_MINUS_ONE = 52435875175126190479447740508185965837690552500527637822603658699938581184512; + {{ range $index, $element := .Vk.Kzg.G2 }} + uint256 private constant G2_SRS_{{ $index }}_X_0_lo = {{ (fpstr_lo $element.X.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_X_0_hi = {{ (fpstr_hi $element.X.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_X_1_lo = {{ (fpstr_lo $element.X.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_X_1_hi = {{ (fpstr_hi $element.X.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_0_lo = {{ (fpstr_lo $element.Y.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_0_hi = {{ (fpstr_hi $element.Y.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_1_lo = {{ (fpstr_lo $element.Y.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_1_hi = {{ (fpstr_hi $element.Y.A0) }}; + {{ end }} + uint256 private constant G1_SRS_X_lo = {{ fpstr_lo .Vk.Kzg.G1.X }}; + uint256 private constant G1_SRS_X_hi = {{ fpstr_hi .Vk.Kzg.G1.X }}; + uint256 private constant G1_SRS_Y_lo = {{ fpstr_lo .Vk.Kzg.G1.Y }}; + uint256 private constant G1_SRS_Y_hi = {{ fpstr_hi .Vk.Kzg.G1.Y }}; + + // ----------------------- vk --------------------- + uint256 private constant VK_NB_PUBLIC_INPUTS = {{ .Vk.NbPublicVariables }}; + uint256 private constant VK_DOMAIN_SIZE = {{ .Vk.Size }}; + uint256 private constant VK_INV_DOMAIN_SIZE = {{ (frstr .Vk.SizeInv) }}; + uint256 private constant VK_OMEGA = {{ (frstr .Vk.Generator) }}; + uint256 private constant VK_QL_COM_X_lo = {{ (fpstr_lo .Vk.Ql.X) }}; + uint256 private constant VK_QL_COM_X_hi = {{ (fpstr_hi .Vk.Ql.X) }}; + uint256 private constant VK_QL_COM_Y_lo = {{ (fpstr_lo .Vk.Ql.Y) }}; + uint256 private constant VK_QL_COM_Y_hi = {{ (fpstr_hi .Vk.Ql.Y) }}; + uint256 private constant VK_QR_COM_X_lo = {{ (fpstr_lo .Vk.Qr.X) }}; + uint256 private constant VK_QR_COM_X_hi = {{ (fpstr_hi .Vk.Qr.X) }}; + uint256 private constant VK_QR_COM_Y_lo = {{ (fpstr_lo .Vk.Qr.Y) }}; + uint256 private constant VK_QR_COM_Y_hi = {{ (fpstr_hi .Vk.Qr.Y) }}; + uint256 private constant VK_QM_COM_X_lo = {{ (fpstr_lo .Vk.Qm.X) }}; + uint256 private constant VK_QM_COM_X_hi = {{ (fpstr_hi .Vk.Qm.X) }}; + uint256 private constant VK_QM_COM_Y_lo = {{ (fpstr_lo .Vk.Qm.Y) }}; + uint256 private constant VK_QM_COM_Y_hi = {{ (fpstr_hi .Vk.Qm.Y) }}; + uint256 private constant VK_QO_COM_X_lo = {{ (fpstr_lo .Vk.Qo.X) }}; + uint256 private constant VK_QO_COM_X_hi = {{ (fpstr_hi .Vk.Qo.X) }}; + uint256 private constant VK_QO_COM_Y_lo = {{ (fpstr_lo .Vk.Qo.Y) }}; + uint256 private constant VK_QO_COM_Y_hi = {{ (fpstr_hi .Vk.Qo.Y) }}; + uint256 private constant VK_QK_COM_X_lo = {{ (fpstr_lo .Vk.Qk.X) }}; + uint256 private constant VK_QK_COM_X_hi = {{ (fpstr_hi .Vk.Qk.X) }}; + uint256 private constant VK_QK_COM_Y_lo = {{ (fpstr_lo .Vk.Qk.Y) }}; + uint256 private constant VK_QK_COM_Y_hi = {{ (fpstr_hi .Vk.Qk.Y) }}; + {{ range $index, $element := .Vk.S }} + uint256 private constant VK_S{{ inc $index }}_COM_X_lo = {{ (fpstr_lo $element.X) }}; + uint256 private constant VK_S{{ inc $index }}_COM_X_hi = {{ (fpstr_hi $element.X) }}; + uint256 private constant VK_S{{ inc $index }}_COM_Y_lo = {{ (fpstr_lo $element.Y) }}; + uint256 private constant VK_S{{ inc $index }}_COM_Y_hi = {{ (fpstr_hi $element.Y) }}; + {{ end }} + uint256 private constant VK_COSET_SHIFT = {{ frstr .Vk.CosetShift }}; + + {{ range $index, $element := .Vk.Qcp}} + uint256 private constant VK_QCP_{{ $index }}_X_lo = {{ (fpstr_lo $element.X) }}; + uint256 private constant VK_QCP_{{ $index }}_X_hi = {{ (fpstr_hi $element.X) }}; + uint256 private constant VK_QCP_{{ $index }}_Y_lo = {{ (fpstr_lo $element.Y) }}; + uint256 private constant VK_QCP_{{ $index }}_Y_hi = {{ (fpstr_hi $element.Y) }}; + {{ end }} + + {{ range $index, $element := .Vk.CommitmentConstraintIndexes -}} + uint256 private constant VK_INDEX_COMMIT_API_{{ $index }} = {{ $element }}; + {{ end -}} + uint256 private constant VK_NB_CUSTOM_GATES = {{ len .Vk.CommitmentConstraintIndexes }}; + + // ------------------------------------------------ + + // size of the proof without call custom gate + uint256 private constant FIXED_PROOF_SIZE = 0x300; + + // offset proof + {{ $offset := 0 }} + uint256 private constant PROOF_L_COM_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_L_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_R_COM_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_R_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_O_COM_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_O_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + + // h = h_0 + x^{n+2}h_1 + x^{2(n+2)}h_2 + uint256 private constant PROOF_H_0_COM_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_H_0_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_H_1_COM_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_H_1_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_H_2_COM_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_H_2_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + + // "evaluations of wire polynomials at zeta + uint256 private constant PROOF_L_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_R_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_O_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x30}} + + // S1(zeta),S2(zeta) + uint256 private constant PROOF_S1_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} // Sσ1(zeta) + uint256 private constant PROOF_S2_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} // Sσ2(zeta) + + // [Z] + uint256 private constant PROOF_GRAND_PRODUCT_COMMITMENT_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_GRAND_PRODUCT_COMMITMENT_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + + uint256 private constant PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA = {{ hex $offset }};{{ $offset = add $offset 0x20}} // z(w*zeta) + + // Folded proof for the opening of linearised poly, l, r, o, s_1, s_2, qcp + uint256 private constant PROOF_BATCH_OPENING_AT_ZETA_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_BATCH_OPENING_AT_ZETA_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + + uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + + uint256 private constant PROOF_OPENING_QCP_AT_ZETA = {{ hex $offset }}; + uint256 private constant PROOF_BSB_COMMITMENTS = {{ hex (add $offset (mul (len .Vk.CommitmentConstraintIndexes) 32 ) )}}; + + // -------- offset state + + // challenges to check the claimed quotient + {{ $offset = 0 }} + uint256 private constant STATE_ALPHA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_BETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_GAMMA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_ALPHA_SQUARE_LAGRANGE_0 = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_FOLDED_H_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_FOLDED_H_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_LINEARISED_POLYNOMIAL_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_LINEARISED_POLYNOMIAL_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_FOLDED_CLAIMED_VALUES = {{ hex $offset }};{{ $offset = add $offset 0x20}} // Folded proof for the opening of H, linearised poly, l, r, o, s_1, s_2, qcp + uint256 private constant STATE_FOLDED_DIGESTS_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} // linearised poly, l, r, o, s_1, s_2, qcp + uint256 private constant STATE_FOLDED_DIGESTS_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_PI = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_ZETA_POWER_N_MINUS_ONE = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_GAMMA_KZG = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_SUCCESS = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_CHECK_VAR = {{ hex $offset }};{{ $offset = add $offset 0x20}} // /!\ this slot is used for debugging only + uint256 private constant STATE_LAST_MEM = {{ hex $offset }};{{ $offset = add $offset 0x20}} + + // -------- utils (for Fiat Shamir) + uint256 private constant FS_ALPHA = 0x616C706861; // "alpha" + uint256 private constant FS_BETA = 0x62657461; // "beta" + uint256 private constant FS_GAMMA = 0x67616d6d61; // "gamma" + uint256 private constant FS_ZETA = 0x7a657461; // "zeta" + uint256 private constant FS_GAMMA_KZG = 0x67616d6d61; // "gamma" + + // -------- errors + uint256 private constant ERROR_STRING_ID = 0x08c379a000000000000000000000000000000000000000000000000000000000; // selector for function Error(string) + + {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // -------- utils (for hash_fr) + uint256 private constant HASH_FR_BB = 340282366920938463463374607431768211456; // 2**128 + uint256 private constant HASH_FR_ZERO_UINT256 = 0; + uint8 private constant HASH_FR_LEN_IN_BYTES = 48; + uint8 private constant HASH_FR_SIZE_DOMAIN = 11; + uint8 private constant HASH_FR_ONE = 1; + uint8 private constant HASH_FR_TWO = 2; + {{ end }} + + // -------- precompiles + uint8 private constant SHA2 = 0x2; + uint8 private constant MOD_EXP = 0x5; + uint8 private constant EC_ADD = 0x6; + uint8 private constant EC_MUL = 0x7; + uint8 private constant EC_PAIR = 0x8; + + /// Verify a Plonk proof. + /// Reverts if the proof or the public inputs are malformed. + /// @param proof serialised plonk proof (using gnark's MarshalSolidity) + /// @param public_inputs (must be reduced) + /// @return success true if the proof passes false otherwise + function Verify(bytes calldata proof, uint256[] calldata public_inputs) + public view returns(bool success) { + + // assembly { + + // let mem := mload(0x40) + // let freeMem := add(mem, STATE_LAST_MEM) + + // // sanity checks + // check_number_of_public_inputs(public_inputs.length) + // check_inputs_size(public_inputs.length, public_inputs.offset) + // check_proof_size(proof.length) + // check_proof_openings_size(proof.offset) + + // // compute the challenges + // let prev_challenge_non_reduced + // prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) + // prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) + // prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) + // derive_zeta(proof.offset, prev_challenge_non_reduced) + + // // evaluation of Z=Xⁿ-1 at ζ, we save this value + // let zeta := mload(add(mem, STATE_ZETA)) + // let zeta_power_n_minus_one := addmod(pow(zeta, VK_DOMAIN_SIZE, freeMem), sub(R_MOD, 1), R_MOD) + // mstore(add(mem, STATE_ZETA_POWER_N_MINUS_ONE), zeta_power_n_minus_one) + + // // public inputs contribution + // let l_pi := sum_pi_wo_api_commit(public_inputs.offset, public_inputs.length, freeMem) + // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) -}} + // let l_pi_commit := sum_pi_commit(proof.offset, public_inputs.length, freeMem) + // l_pi := addmod(l_pi_commit, l_pi, R_MOD) + // {{ end -}} + // mstore(add(mem, STATE_PI), l_pi) + + // compute_alpha_square_lagrange_0() + // compute_opening_linearised_polynomial(proof.offset) + // fold_h(proof.offset) + // compute_commitment_linearised_polynomial(proof.offset) + // compute_gamma_kzg(proof.offset) + // fold_state(proof.offset) + // batch_verify_multi_points(proof.offset) + + // success := mload(add(mem, STATE_SUCCESS)) + + // // Beginning errors ------------------------------------------------- + + // function error_nb_public_inputs() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0x1d) + // mstore(add(ptError, 0x44), "wrong number of public inputs") + // revert(ptError, 0x64) + // } + + // /// Called when an exponentiation mod r fails + // function error_mod_exp() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0xc) + // mstore(add(ptError, 0x44), "error mod exp") + // revert(ptError, 0x64) + // } + + // /// Called when an operation on Bn254 fails + // /// @dev for instance when calling EcMul on a point not on Bn254. + // function error_ec_op() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0x12) + // mstore(add(ptError, 0x44), "error ec operation") + // revert(ptError, 0x64) + // } + + // /// Called when one of the public inputs is not reduced. + // function error_inputs_size() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0x18) + // mstore(add(ptError, 0x44), "inputs are bigger than r") + // revert(ptError, 0x64) + // } + + // /// Called when the size proof is not as expected + // /// @dev to avoid overflow attack for instance + // function error_proof_size() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0x10) + // mstore(add(ptError, 0x44), "wrong proof size") + // revert(ptError, 0x64) + // } + + // /// Called when one the openings is bigger than r + // /// The openings are the claimed evalutions of a polynomial + // /// in a Kzg proof. + // function error_proof_openings_size() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0x16) + // mstore(add(ptError, 0x44), "openings bigger than r") + // revert(ptError, 0x64) + // } + + // function error_pairing() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0xd) + // mstore(add(ptError, 0x44), "error pairing") + // revert(ptError, 0x64) + // } + + // function error_verify() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0xc) + // mstore(add(ptError, 0x44), "error verify") + // revert(ptError, 0x64) + // } + + // function error_random_generation() { + // let ptError := mload(0x40) + // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + // mstore(add(ptError, 0x4), 0x20) + // mstore(add(ptError, 0x24), 0x14) + // mstore(add(ptError, 0x44), "error random gen kzg") + // revert(ptError, 0x64) + // } + // // end errors ------------------------------------------------- + + // // Beginning checks ------------------------------------------------- + + // /// @param s actual number of public inputs + // function check_number_of_public_inputs(s) { + // if iszero(eq(s, VK_NB_PUBLIC_INPUTS)) { + // error_nb_public_inputs() + // } + // } + + // /// Checks that the public inputs are < R_MOD. + // /// @param s number of public inputs + // /// @param p pointer to the public inputs array + // function check_inputs_size(s, p) { + // for {let i} lt(i, s) {i:=add(i,1)} + // { + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_inputs_size() + // } + // p := add(p, 0x20) + // } + // } + + // /// Checks if the proof is of the correct size + // /// @param actual_proof_size size of the proof (not the expected size) + // function check_proof_size(actual_proof_size) { + // let expected_proof_size := add(FIXED_PROOF_SIZE, mul(VK_NB_CUSTOM_GATES,0x60)) + // if iszero(eq(actual_proof_size, expected_proof_size)) { + // error_proof_size() + // } + // } + + // /// Checks if the multiple openings of the polynomials are < R_MOD. + // /// @param aproof pointer to the beginning of the proof + // /// @dev the 'a' prepending proof is to have a local name + // function check_proof_openings_size(aproof) { + + // // PROOF_L_AT_ZETA + // let p := add(aproof, PROOF_L_AT_ZETA) + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + + // // PROOF_R_AT_ZETA + // p := add(aproof, PROOF_R_AT_ZETA) + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + + // // PROOF_O_AT_ZETA + // p := add(aproof, PROOF_O_AT_ZETA) + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + + // // PROOF_S1_AT_ZETA + // p := add(aproof, PROOF_S1_AT_ZETA) + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + + // // PROOF_S2_AT_ZETA + // p := add(aproof, PROOF_S2_AT_ZETA) + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + + // // PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA + // p := add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA) + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + + // // PROOF_OPENING_QCP_AT_ZETA + + // p := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // for {let i:=0} lt(i, VK_NB_CUSTOM_GATES) {i:=add(i,1)} + // { + // if gt(calldataload(p), R_MOD_MINUS_ONE) { + // error_proof_openings_size() + // } + // p := add(p, 0x20) + // } + + // } + // // end checks ------------------------------------------------- + + // // Beginning challenges ------------------------------------------------- + + // /// Derive gamma as Sha256() + // /// @param aproof pointer to the proof + // /// @param nb_pi number of public inputs + // /// @param pi pointer to the array of public inputs + // /// @return the challenge gamma, not reduced + // /// @notice The transcript is the concatenation (in this order) of: + // /// * the word "gamma" in ascii, equal to [0x67,0x61,0x6d, 0x6d, 0x61] and encoded as a uint256. + // /// * the commitments to the permutation polynomials S1, S2, S3, where we concatenate the coordinates of those points + // /// * the commitments of Ql, Qr, Qm, Qo, Qk + // /// * the public inputs + // /// * the commitments of the wires related to the custom gates (commitments_wires_commit_api) + // /// * commitments to L, R, O (proof__com_) + // /// The data described above is written starting at mPtr. "gamma" lies on 5 bytes, + // /// and is encoded as a uint256 number n. In basis b = 256, the number looks like this + // /// [0 0 0 .. 0x67 0x61 0x6d, 0x6d, 0x61]. The first non zero entry is at position 27=0x1b + // /// Gamma reduced (the actual challenge) is stored at add(state, state_gamma) + // function derive_gamma(aproof, nb_pi, pi)->gamma_not_reduced { + + // let state := mload(0x40) + // let mPtr := add(state, STATE_LAST_MEM) + + // mstore(mPtr, FS_GAMMA) // "gamma" + + // {{ $offset = 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y) {{ $offset = add $offset 0x20}} + // {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X) {{ $offset = add $offset 0x20}} + // mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y) {{ $offset = add $offset 0x20}} + // {{ end }} + // // public inputs + // let _mPtr := add(mPtr, {{ hex (add (mul (len .Vk.CommitmentConstraintIndexes) 64) 544) }}) + // let size_pi_in_bytes := mul(nb_pi, 0x20) + // calldatacopy(_mPtr, pi, size_pi_in_bytes) + // _mPtr := add(_mPtr, size_pi_in_bytes) + + // // commitments to l, r, o + // let size_commitments_lro_in_bytes := 0xc0 + // calldatacopy(_mPtr, aproof, size_commitments_lro_in_bytes) + // _mPtr := add(_mPtr, size_commitments_lro_in_bytes) + + // // total size is : + // // sizegamma(=0x5) + 11*64(=0x2c0) + // // + nb_public_inputs*0x20 + // // + nb_custom gates*0x40 + // let size := add(0x2c5, size_pi_in_bytes) + // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // size := add(size, mul(VK_NB_CUSTOM_GATES, 0x40)) + // {{ end -}} + // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), size, mPtr, 0x20) //0x1b -> 000.."gamma" + // if iszero(l_success) { + // error_verify() + // } + // gamma_not_reduced := mload(mPtr) + // mstore(add(state, STATE_GAMMA), mod(gamma_not_reduced, R_MOD)) + // } + + // /// derive beta as Sha256 + // /// @param gamma_not_reduced the previous challenge (gamma) not reduced + // /// @return beta_not_reduced the next challenge, beta, not reduced + // /// @notice the transcript consists of the previous challenge only. + // /// The reduced version of beta is stored at add(state, state_beta) + // function derive_beta(gamma_not_reduced)->beta_not_reduced{ + + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + + // // beta + // mstore(mPtr, FS_BETA) // "beta" + // mstore(add(mPtr, 0x20), gamma_not_reduced) + // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1c), 0x24, mPtr, 0x20) //0x1b -> 000.."gamma" + // if iszero(l_success) { + // error_verify() + // } + // beta_not_reduced := mload(mPtr) + // mstore(add(state, STATE_BETA), mod(beta_not_reduced, R_MOD)) + // } + + // /// derive alpha as sha256 + // /// @param aproof pointer to the proof object + // /// @param beta_not_reduced the previous challenge (beta) not reduced + // /// @return alpha_not_reduced the next challenge, alpha, not reduced + // /// @notice the transcript consists of the previous challenge (beta) + // /// not reduced, the commitments to the wires associated to the QCP_i, + // /// and the commitment to the grand product polynomial + // function derive_alpha(aproof, beta_not_reduced)->alpha_not_reduced { + + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + // let full_size := 0x65 // size("alpha") + 0x20 (previous challenge) + + // // alpha + // mstore(mPtr, FS_ALPHA) // "alpha" + // let _mPtr := add(mPtr, 0x20) + // mstore(_mPtr, beta_not_reduced) + // _mPtr := add(_mPtr, 0x20) + // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // // Bsb22Commitments + // let proof_bsb_commitments := add(aproof, PROOF_BSB_COMMITMENTS) + // let size_bsb_commitments := mul(0x40, VK_NB_CUSTOM_GATES) + // calldatacopy(_mPtr, proof_bsb_commitments, size_bsb_commitments) + // _mPtr := add(_mPtr, size_bsb_commitments) + // full_size := add(full_size, size_bsb_commitments) + // {{ end }} + // // [Z], the commitment to the grand product polynomial + // calldatacopy(_mPtr, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), 0x40) + // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), full_size, mPtr, 0x20) + // if iszero(l_success) { + // error_verify() + // } + + // alpha_not_reduced := mload(mPtr) + // mstore(add(state, STATE_ALPHA), mod(alpha_not_reduced, R_MOD)) + // } + + // /// derive zeta as sha256 + // /// @param aproof pointer to the proof object + // /// @param alpha_not_reduced the previous challenge (alpha) not reduced + // /// The transcript consists of the previous challenge and the commitment to + // /// the quotient polynomial h. + // function derive_zeta(aproof, alpha_not_reduced) { + + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + + // // zeta + // mstore(mPtr, FS_ZETA) // "zeta" + // mstore(add(mPtr, 0x20), alpha_not_reduced) + // calldatacopy(add(mPtr, 0x40), add(aproof, PROOF_H_0_COM_X), 0xc0) + // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1c), 0xe4, mPtr, 0x20) + // if iszero(l_success) { + // error_verify() + // } + // let zeta_not_reduced := mload(mPtr) + // mstore(add(state, STATE_ZETA), mod(zeta_not_reduced, R_MOD)) + // } + // // END challenges ------------------------------------------------- + + // // BEGINNING compute_pi ------------------------------------------------- + + // /// sum_pi_wo_api_commit computes the public inputs contributions, + // /// except for the public inputs coming from the custom gate + // /// @param ins pointer to the public inputs + // /// @param n number of public inputs + // /// @param mPtr free memory + // /// @return pi_wo_commit public inputs contribution (except the public inputs coming from the custom gate) + // function sum_pi_wo_api_commit(ins, n, mPtr)->pi_wo_commit { + + // let state := mload(0x40) + // let z := mload(add(state, STATE_ZETA)) + // let zpnmo := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + + // let li := mPtr + // batch_compute_lagranges_at_z(z, zpnmo, n, li) + + // let tmp := 0 + // for {let i:=0} lt(i,n) {i:=add(i,1)} + // { + // tmp := mulmod(mload(li), calldataload(ins), R_MOD) + // pi_wo_commit := addmod(pi_wo_commit, tmp, R_MOD) + // li := add(li, 0x20) + // ins := add(ins, 0x20) + // } + + // } + + // /// batch_compute_lagranges_at_z computes [L_0(z), .., L_{n-1}(z)] + // /// @param z point at which the Lagranges are evaluated + // /// @param zpnmo ζⁿ-1 + // /// @param n_pub number of public inputs (number of Lagranges to compute) + // /// @param mPtr pointer to which the results are stored + // function batch_compute_lagranges_at_z(z, zpnmo, n_pub, mPtr) { + + // let zn := mulmod(zpnmo, VK_INV_DOMAIN_SIZE, R_MOD) // 1/n * (ζⁿ - 1) + + // let _w := 1 + // let _mPtr := mPtr + // for {let i:=0} lt(i,n_pub) {i:=add(i,1)} + // { + // mstore(_mPtr, addmod(z,sub(R_MOD, _w), R_MOD)) + // _w := mulmod(_w, VK_OMEGA, R_MOD) + // _mPtr := add(_mPtr, 0x20) + // } + // batch_invert(mPtr, n_pub, _mPtr) + // _mPtr := mPtr + // _w := 1 + // for {let i:=0} lt(i,n_pub) {i:=add(i,1)} + // { + // mstore(_mPtr, mulmod(mulmod(mload(_mPtr), zn , R_MOD), _w, R_MOD)) + // _mPtr := add(_mPtr, 0x20) + // _w := mulmod(_w, VK_OMEGA, R_MOD) + // } + // } + + // /// @notice Montgomery trick for batch inversion mod R_MOD + // /// @param ins pointer to the data to batch invert + // /// @param number of elements to batch invert + // /// @param mPtr free memory + // function batch_invert(ins, nb_ins, mPtr) { + // mstore(mPtr, 1) + // let offset := 0 + // for {let i:=0} lt(i, nb_ins) {i:=add(i,1)} + // { + // let prev := mload(add(mPtr, offset)) + // let cur := mload(add(ins, offset)) + // cur := mulmod(prev, cur, R_MOD) + // offset := add(offset, 0x20) + // mstore(add(mPtr, offset), cur) + // } + // ins := add(ins, sub(offset, 0x20)) + // mPtr := add(mPtr, offset) + // let inv := pow(mload(mPtr), sub(R_MOD,2), add(mPtr, 0x20)) + // for {let i:=0} lt(i, nb_ins) {i:=add(i,1)} + // { + // mPtr := sub(mPtr, 0x20) + // let tmp := mload(ins) + // let cur := mulmod(inv, mload(mPtr), R_MOD) + // mstore(ins, cur) + // inv := mulmod(inv, tmp, R_MOD) + // ins := sub(ins, 0x20) + // } + // } + + // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // /// Public inputs (the ones coming from the custom gate) contribution + // /// @param aproof pointer to the proof + // /// @param nb_public_inputs number of public inputs + // /// @param mPtr pointer to free memory + // /// @return pi_commit custom gate public inputs contribution + // function sum_pi_commit(aproof, nb_public_inputs, mPtr)->pi_commit { + + // let state := mload(0x40) + // let z := mload(add(state, STATE_ZETA)) + // let zpnmo := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + + // let p := add(aproof, PROOF_BSB_COMMITMENTS) + + // let h_fr, ith_lagrange + + // {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} + // h_fr := hash_fr(calldataload(p), calldataload(add(p, 0x20)), mPtr) + // ith_lagrange := compute_ith_lagrange_at_z(z, zpnmo, add(nb_public_inputs, VK_INDEX_COMMIT_API_{{ $index }}), mPtr) + // pi_commit := addmod(pi_commit, mulmod(h_fr, ith_lagrange, R_MOD), R_MOD) + // {{ if (lt (inc $index) (len $.Vk.CommitmentConstraintIndexes) )}} + // p := add(p, 0x40) + // {{ end }} + // {{ end }} + + // } + + // /// Computes L_i(zeta) = ωⁱ/n * (ζⁿ-1)/(ζ-ωⁱ) where: + // /// @param z zeta + // /// @param zpmno ζⁿ-1 + // /// @param i i-th lagrange + // /// @param mPtr free memory + // /// @return res = ωⁱ/n * (ζⁿ-1)/(ζ-ωⁱ) + // function compute_ith_lagrange_at_z(z, zpnmo, i, mPtr)->res { + + // let w := pow(VK_OMEGA, i, mPtr) // w**i + // i := addmod(z, sub(R_MOD, w), R_MOD) // z-w**i + // w := mulmod(w, VK_INV_DOMAIN_SIZE, R_MOD) // w**i/n + // i := pow(i, sub(R_MOD,2), mPtr) // (z-w**i)**-1 + // w := mulmod(w, i, R_MOD) // w**i/n*(z-w)**-1 + // res := mulmod(w, zpnmo, R_MOD) + + // } + + // /// @dev https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-5.2 + // /// @param x x coordinate of a point on Bn254(𝔽_p) + // /// @param y y coordinate of a point on Bn254(𝔽_p) + // /// @param mPtr free memory + // /// @return res an element mod R_MOD + // function hash_fr(x, y, mPtr)->res { + + // // [0x00, .. , 0x00 || x, y, || 0, 48, 0, dst, HASH_FR_SIZE_DOMAIN] + // // <- 64 bytes -> <-64b -> <- 1 bytes each -> + + // // [0x00, .., 0x00] 64 bytes of zero + // mstore(mPtr, HASH_FR_ZERO_UINT256) + // mstore(add(mPtr, 0x20), HASH_FR_ZERO_UINT256) + + // // msg = x || y , both on 32 bytes + // mstore(add(mPtr, 0x40), x) + // mstore(add(mPtr, 0x60), y) + + // // 0 || 48 || 0 all on 1 byte + // mstore8(add(mPtr, 0x80), 0) + // mstore8(add(mPtr, 0x81), HASH_FR_LEN_IN_BYTES) + // mstore8(add(mPtr, 0x82), 0) + + // // "BSB22-Plonk" = [42, 53, 42, 32, 32, 2d, 50, 6c, 6f, 6e, 6b,] + // mstore8(add(mPtr, 0x83), 0x42) + // mstore8(add(mPtr, 0x84), 0x53) + // mstore8(add(mPtr, 0x85), 0x42) + // mstore8(add(mPtr, 0x86), 0x32) + // mstore8(add(mPtr, 0x87), 0x32) + // mstore8(add(mPtr, 0x88), 0x2d) + // mstore8(add(mPtr, 0x89), 0x50) + // mstore8(add(mPtr, 0x8a), 0x6c) + // mstore8(add(mPtr, 0x8b), 0x6f) + // mstore8(add(mPtr, 0x8c), 0x6e) + // mstore8(add(mPtr, 0x8d), 0x6b) + + // // size domain + // mstore8(add(mPtr, 0x8e), HASH_FR_SIZE_DOMAIN) + + // let l_success := staticcall(gas(), SHA2, mPtr, 0x8f, mPtr, 0x20) + // if iszero(l_success) { + // error_verify() + // } + + // let b0 := mload(mPtr) + + // // [b0 || one || dst || HASH_FR_SIZE_DOMAIN] + // // <-64bytes -> <- 1 byte each -> + // mstore8(add(mPtr, 0x20), HASH_FR_ONE) // 1 + + // mstore8(add(mPtr, 0x21), 0x42) // dst + // mstore8(add(mPtr, 0x22), 0x53) + // mstore8(add(mPtr, 0x23), 0x42) + // mstore8(add(mPtr, 0x24), 0x32) + // mstore8(add(mPtr, 0x25), 0x32) + // mstore8(add(mPtr, 0x26), 0x2d) + // mstore8(add(mPtr, 0x27), 0x50) + // mstore8(add(mPtr, 0x28), 0x6c) + // mstore8(add(mPtr, 0x29), 0x6f) + // mstore8(add(mPtr, 0x2a), 0x6e) + // mstore8(add(mPtr, 0x2b), 0x6b) + + // mstore8(add(mPtr, 0x2c), HASH_FR_SIZE_DOMAIN) // size domain + // l_success := staticcall(gas(), SHA2, mPtr, 0x2d, mPtr, 0x20) + // if iszero(l_success) { + // error_verify() + // } + + // // b1 is located at mPtr. We store b2 at add(mPtr, 0x20) + + // // [b0^b1 || two || dst || HASH_FR_SIZE_DOMAIN] + // // <-64bytes -> <- 1 byte each -> + // mstore(add(mPtr, 0x20), xor(mload(mPtr), b0)) + // mstore8(add(mPtr, 0x40), HASH_FR_TWO) + + // mstore8(add(mPtr, 0x41), 0x42) // dst + // mstore8(add(mPtr, 0x42), 0x53) + // mstore8(add(mPtr, 0x43), 0x42) + // mstore8(add(mPtr, 0x44), 0x32) + // mstore8(add(mPtr, 0x45), 0x32) + // mstore8(add(mPtr, 0x46), 0x2d) + // mstore8(add(mPtr, 0x47), 0x50) + // mstore8(add(mPtr, 0x48), 0x6c) + // mstore8(add(mPtr, 0x49), 0x6f) + // mstore8(add(mPtr, 0x4a), 0x6e) + // mstore8(add(mPtr, 0x4b), 0x6b) + + // mstore8(add(mPtr, 0x4c), HASH_FR_SIZE_DOMAIN) // size domain + + // let offset := add(mPtr, 0x20) + // l_success := staticcall(gas(), SHA2, offset, 0x2d, offset, 0x20) + // if iszero(l_success) { + // error_verify() + // } + + // // at this point we have mPtr = [ b1 || b2] where b1 is on 32byes and b2 in 16bytes. + // // we interpret it as a big integer mod r in big endian (similar to regular decimal notation) + // // the result is then 2**(8*16)*mPtr[:32] + mPtr[32:48] + // res := mulmod(mload(mPtr), HASH_FR_BB, R_MOD) // <- res = 2**128 * mPtr[:32] + // let b1 := shr(128, mload(add(mPtr, 0x20))) // b1 <- [0, 0, .., 0 || b2[:16] ] + // res := addmod(res, b1, R_MOD) + + // } + // {{ end }} + // // END compute_pi ------------------------------------------------- + + // /// @notice compute α² * 1/n * (ζ{n}-1)/(ζ - 1) where + // /// * α = challenge derived in derive_gamma_beta_alpha_zeta + // /// * n = vk_domain_size + // /// * ω = vk_omega (generator of the multiplicative cyclic group of order n in (ℤ/rℤ)*) + // /// * ζ = zeta (challenge derived with Fiat Shamir) + // function compute_alpha_square_lagrange_0() { + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + + // let res := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + // let den := addmod(mload(add(state, STATE_ZETA)), sub(R_MOD, 1), R_MOD) + // den := pow(den, sub(R_MOD, 2), mPtr) + // den := mulmod(den, VK_INV_DOMAIN_SIZE, R_MOD) + // res := mulmod(den, res, R_MOD) + + // let l_alpha := mload(add(state, STATE_ALPHA)) + // res := mulmod(res, l_alpha, R_MOD) + // res := mulmod(res, l_alpha, R_MOD) + // mstore(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0), res) + // } + + // /// @notice follows alg. p.13 of https://eprint.iacr.org/2019/953.pdf + // /// with t₁ = t₂ = 1, and the proofs are ([digest] + [quotient] +purported evaluation): + // /// * [state_folded_state_digests], [proof_batch_opening_at_zeta_x], state_folded_evals + // /// * [proof_grand_product_commitment], [proof_opening_at_zeta_omega_x], [proof_grand_product_at_zeta_omega] + // /// @param aproof pointer to the proof + // function batch_verify_multi_points(aproof) { + // let state := mload(0x40) + // let mPtr := add(state, STATE_LAST_MEM) + + // // derive a random number. As there is no random generator, we + // // do an FS like challenge derivation, depending on both digests and + // // ζ to ensure that the prover cannot control the random number. + // // Note: adding the other point ζω is not needed, as ω is known beforehand. + // mstore(mPtr, mload(add(state, STATE_FOLDED_DIGESTS_X))) + // mstore(add(mPtr, 0x20), mload(add(state, STATE_FOLDED_DIGESTS_Y))) + // mstore(add(mPtr, 0x40), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) + // mstore(add(mPtr, 0x60), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) + // mstore(add(mPtr, 0x80), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X))) + // mstore(add(mPtr, 0xa0), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_Y))) + // mstore(add(mPtr, 0xc0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X))) + // mstore(add(mPtr, 0xe0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_Y))) + // mstore(add(mPtr, 0x100), mload(add(state, STATE_ZETA))) + // mstore(add(mPtr, 0x120), mload(add(state, STATE_GAMMA_KZG))) + // let random := staticcall(gas(), SHA2, mPtr, 0x140, mPtr, 0x20) + // if iszero(random){ + // error_random_generation() + // } + // random := mod(mload(mPtr), R_MOD) // use the same variable as we are one variable away from getting stack-too-deep error... + + // let folded_quotients := mPtr + // mPtr := add(folded_quotients, 0x40) + // mstore(folded_quotients, calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) + // mstore(add(folded_quotients, 0x20), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) + // point_acc_mul_calldata(folded_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr) + + // let folded_digests := add(state, STATE_FOLDED_DIGESTS_X) + // point_acc_mul_calldata(folded_digests, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), random, mPtr) + + // let folded_evals := add(state, STATE_FOLDED_CLAIMED_VALUES) + // fr_acc_mul_calldata(folded_evals, add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA), random) + + // let folded_evals_commit := mPtr + // mPtr := add(folded_evals_commit, 0x40) + // mstore(folded_evals_commit, G1_SRS_X) + // mstore(add(folded_evals_commit, 0x20), G1_SRS_Y) + // mstore(add(folded_evals_commit, 0x40), mload(folded_evals)) + // let check_staticcall := staticcall(gas(), 7, folded_evals_commit, 0x60, folded_evals_commit, 0x40) + // if iszero(check_staticcall) { + // error_verify() + // } + + // let folded_evals_commit_y := add(folded_evals_commit, 0x20) + // mstore(folded_evals_commit_y, sub(P_MOD, mload(folded_evals_commit_y))) + // point_add(folded_digests, folded_digests, folded_evals_commit, mPtr) + + // let folded_points_quotients := mPtr + // mPtr := add(mPtr, 0x40) + // point_mul_calldata( + // folded_points_quotients, + // add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X), + // mload(add(state, STATE_ZETA)), + // mPtr + // ) + // let zeta_omega := mulmod(mload(add(state, STATE_ZETA)), VK_OMEGA, R_MOD) + // random := mulmod(random, zeta_omega, R_MOD) + // point_acc_mul_calldata(folded_points_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr) + + // point_add(folded_digests, folded_digests, folded_points_quotients, mPtr) + + // let folded_quotients_y := add(folded_quotients, 0x20) + // mstore(folded_quotients_y, sub(P_MOD, mload(folded_quotients_y))) + + // mstore(mPtr, mload(folded_digests)) + // {{ $offset = 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), mload(add(folded_digests, 0x20))) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_X_0) {{ $offset = add $offset 0x20 }} // the 4 lines are the canonical G2 point on BN254 + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_X_1) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_Y_0) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_Y_1) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), mload(folded_quotients)) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), mload(add(folded_quotients, 0x20))) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_X_0) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_X_1) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_Y_0) {{ $offset = add $offset 0x20 }} + // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_Y_1) {{ $offset = add $offset 0x20 }} + // check_pairing_kzg(mPtr) + // } + + // /// @notice check_pairing_kzg checks the result of the final pairing product of the batched + // /// kzg verification. The purpose of this function is to avoid exhausting the stack + // /// in the function batch_verify_multi_points. + // /// @param mPtr pointer storing the tuple of pairs + // function check_pairing_kzg(mPtr) { + // let state := mload(0x40) + + // let l_success := staticcall(gas(), 8, mPtr, 0x180, 0x00, 0x20) + // if iszero(l_success) { + // error_pairing() + // } + // let res_pairing := mload(0x00) + // mstore(add(state, STATE_SUCCESS), res_pairing) + // } + + // /// @notice Fold the opening proofs at ζ: + // /// * at state+state_folded_digest we store: [Linearised_polynomial]+γ[L] + γ²[R] + γ³[O] + γ⁴[S₁] +γ⁵[S₂] + ∑ᵢγ⁵⁺ⁱ[Pi_{i}] + // /// * at state+state_folded_claimed_values we store: Linearised_polynomial(ζ)+γL(ζ) + γ²R(ζ)+ γ³O(ζ) + γ⁴S₁(ζ) +γ⁵S₂(ζ) + ∑ᵢγ⁵⁺ⁱPi_{i}(ζ) + // /// @param aproof pointer to the proof + // /// acc_gamma stores the γⁱ + // function fold_state(aproof) { + + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + // let mPtr20 := add(mPtr, 0x20) + // let mPtr40 := add(mPtr, 0x40) + + // let l_gamma_kzg := mload(add(state, STATE_GAMMA_KZG)) + // let acc_gamma := l_gamma_kzg + // let state_folded_digests := add(state, STATE_FOLDED_DIGESTS_X) + + // mstore(state_folded_digests, mload(add(state, STATE_LINEARISED_POLYNOMIAL_X))) + // mstore(add(state, STATE_FOLDED_DIGESTS_Y), mload(add(state, STATE_LINEARISED_POLYNOMIAL_Y))) + // mstore(add(state, STATE_FOLDED_CLAIMED_VALUES), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) + + // point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_L_COM_X), acc_gamma, mPtr) + // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma) + + // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + // point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_R_COM_X), acc_gamma, mPtr) + // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma) + + // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + // point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_O_COM_X), acc_gamma, mPtr) + // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma) + + // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + // mstore(mPtr, VK_S1_COM_X) + // mstore(mPtr20, VK_S1_COM_Y) + // point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) + // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S1_AT_ZETA), acc_gamma) + + // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + // mstore(mPtr, VK_S2_COM_X) + // mstore(mPtr20, VK_S2_COM_Y) + // point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) + // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) + + // {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) }} + // let poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // {{ range $index, $element := .Vk.CommitmentConstraintIndexes }} + // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + // mstore(mPtr, VK_QCP_{{ $index }}_X) + // mstore(mPtr20, VK_QCP_{{ $index }}_Y) + // point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) + // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), poqaz, acc_gamma) + // poqaz := add(poqaz, 0x20) + // {{ end }} + // {{ end -}} + // } + + // /// @notice generate the challenge (using Fiat Shamir) to fold the opening proofs + // /// at ζ. + // /// The process for deriving γ is the same as in derive_gamma but this time the inputs are + // /// in this order (the [] means it's a commitment): + // /// * ζ + // /// * [Linearised polynomial] + // /// * [L], [R], [O] + // /// * [S₁] [S₂] + // /// * [Pi_{i}] (wires associated to custom gates) + // /// Then there are the purported evaluations of the previous committed polynomials: + // /// * Linearised_polynomial(ζ) + // /// * L(ζ), R(ζ), O(ζ), S₁(ζ), S₂(ζ) + // /// * Pi_{i}(ζ) + // /// * Z(ζω) + // /// @param aproof pointer to the proof + // function compute_gamma_kzg(aproof) { + + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + // mstore(mPtr, FS_GAMMA_KZG) // "gamma" + // mstore(add(mPtr, 0x20), mload(add(state, STATE_ZETA))) + // mstore(add(mPtr,0x40), mload(add(state, STATE_LINEARISED_POLYNOMIAL_X))) + // mstore(add(mPtr,0x60), mload(add(state, STATE_LINEARISED_POLYNOMIAL_Y))) + // calldatacopy(add(mPtr, 0x80), add(aproof, PROOF_L_COM_X), 0xc0) + // mstore(add(mPtr,0x140), VK_S1_COM_X) + // mstore(add(mPtr,0x160), VK_S1_COM_Y) + // mstore(add(mPtr,0x180), VK_S2_COM_X) + // mstore(add(mPtr,0x1a0), VK_S2_COM_Y) + + // let offset := 0x1c0 + + // {{ range $index, $element := .Vk.CommitmentConstraintIndexes -}} + // mstore(add(mPtr,offset), VK_QCP_{{ $index }}_X) + // mstore(add(mPtr,add(offset, 0x20)), VK_QCP_{{ $index }}_Y) + // offset := add(offset, 0x40) + // {{ end -}} + + // mstore(add(mPtr, offset), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) + // mstore(add(mPtr, add(offset, 0x20)), calldataload(add(aproof, PROOF_L_AT_ZETA))) + // mstore(add(mPtr, add(offset, 0x40)), calldataload(add(aproof, PROOF_R_AT_ZETA))) + // mstore(add(mPtr, add(offset, 0x60)), calldataload(add(aproof, PROOF_O_AT_ZETA))) + // mstore(add(mPtr, add(offset, 0x80)), calldataload(add(aproof, PROOF_S1_AT_ZETA))) + // mstore(add(mPtr, add(offset, 0xa0)), calldataload(add(aproof, PROOF_S2_AT_ZETA))) + + // let _mPtr := add(mPtr, add(offset, 0xc0)) + + // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // let _poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // calldatacopy(_mPtr, _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) + // _mPtr := add(_mPtr, mul(VK_NB_CUSTOM_GATES, 0x20)) + // {{ end }} + + // mstore(_mPtr, calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA))) + + // let start_input := 0x1b // 00.."gamma" + // let size_input := add(0x14, mul(VK_NB_CUSTOM_GATES,3)) // number of 32bytes elmts = 0x14 (zeta+3*6 for the digests+openings) + 3*VK_NB_CUSTOM_GATES (for the commitments of the selectors) + 1 (opening of Z at ζω) + // size_input := add(0x5, mul(size_input, 0x20)) // size in bytes: 15*32 bytes + 5 bytes for gamma + // let check_staticcall := staticcall(gas(), SHA2, add(mPtr,start_input), size_input, add(state, STATE_GAMMA_KZG), 0x20) + // if iszero(check_staticcall) { + // error_verify() + // } + // mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) + // } + + // function compute_commitment_linearised_polynomial_ec(aproof, s1, s2) { + + // let state := mload(0x40) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + + // mstore(mPtr, VK_QL_COM_X) + // mstore(add(mPtr, 0x20), VK_QL_COM_Y) + // point_mul( + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // mPtr, + // calldataload(add(aproof, PROOF_L_AT_ZETA)), + // add(mPtr, 0x40) + // ) + + // mstore(mPtr, VK_QR_COM_X) + // mstore(add(mPtr, 0x20), VK_QR_COM_Y) + // point_acc_mul( + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // mPtr, + // calldataload(add(aproof, PROOF_R_AT_ZETA)), + // add(mPtr, 0x40) + // ) + + // let rl := mulmod(calldataload(add(aproof, PROOF_L_AT_ZETA)), calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + // mstore(mPtr, VK_QM_COM_X) + // mstore(add(mPtr, 0x20), VK_QM_COM_Y) + // point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, rl, add(mPtr, 0x40)) + + // mstore(mPtr, VK_QO_COM_X) + // mstore(add(mPtr, 0x20), VK_QO_COM_Y) + // point_acc_mul( + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // mPtr, + // calldataload(add(aproof, PROOF_O_AT_ZETA)), + // add(mPtr, 0x40) + // ) + + // mstore(mPtr, VK_QK_COM_X) + // mstore(add(mPtr, 0x20), VK_QK_COM_Y) + // point_add( + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // mPtr, + // add(mPtr, 0x40) + // ) + + // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // let qcp_opening_at_zeta := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // let bsb_commitments := add(aproof, PROOF_BSB_COMMITMENTS) + // for { + // let i := 0 + // } lt(i, VK_NB_CUSTOM_GATES) { + // i := add(i, 1) + // } { + // mstore(mPtr, calldataload(bsb_commitments)) + // mstore(add(mPtr, 0x20), calldataload(add(bsb_commitments, 0x20))) + // point_acc_mul( + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // mPtr, + // calldataload(qcp_opening_at_zeta), + // add(mPtr, 0x40) + // ) + // qcp_opening_at_zeta := add(qcp_opening_at_zeta, 0x20) + // bsb_commitments := add(bsb_commitments, 0x40) + // } + // {{ end }} + + // mstore(mPtr, VK_S3_COM_X) + // mstore(add(mPtr, 0x20), VK_S3_COM_Y) + // point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, s1, add(mPtr, 0x40)) + + // mstore(mPtr, calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X))) + // mstore(add(mPtr, 0x20), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_Y))) + // point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, s2, add(mPtr, 0x40)) + + // point_add( + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // add(state, STATE_LINEARISED_POLYNOMIAL_X), + // add(state, STATE_FOLDED_H_X), + // mPtr) + // } + + // /// @notice Compute the commitment to the linearized polynomial equal to + // /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + + // /// α*( Z(μζ)(L(ζ)+β*S₁(ζ)+γ)*(R(ζ)+β*S₂(ζ)+γ)[S₃]-[Z](L(ζ)+β*id_{1}(ζ)+γ)*(R(ζ)+β*id_{2}(ζ)+γ)*(O(ζ)+β*id_{3}(ζ)+γ) ) + + // /// α²*L₁(ζ)[Z] - Z_{H}(ζ)*(([H₀] + ζᵐ⁺²*[H₁] + ζ²⁽ᵐ⁺²⁾*[H₂]) + // /// where + // /// * id_1 = id, id_2 = vk_coset_shift*id, id_3 = vk_coset_shift^{2}*id + // /// * the [] means that it's a commitment (i.e. a point on Bn254(F_p)) + // /// * Z_{H}(ζ) = ζ^n-1 + // /// @param aproof pointer to the proof + // function compute_commitment_linearised_polynomial(aproof) { + // let state := mload(0x40) + // let l_beta := mload(add(state, STATE_BETA)) + // let l_gamma := mload(add(state, STATE_GAMMA)) + // let l_zeta := mload(add(state, STATE_ZETA)) + // let l_alpha := mload(add(state, STATE_ALPHA)) + + // let u := mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) + // let v := mulmod(l_beta, calldataload(add(aproof, PROOF_S1_AT_ZETA)), R_MOD) + // v := addmod(v, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + // v := addmod(v, l_gamma, R_MOD) + + // let w := mulmod(l_beta, calldataload(add(aproof, PROOF_S2_AT_ZETA)), R_MOD) + // w := addmod(w, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + // w := addmod(w, l_gamma, R_MOD) + + // let s1 := mulmod(u, v, R_MOD) + // s1 := mulmod(s1, w, R_MOD) + // s1 := mulmod(s1, l_alpha, R_MOD) + + // let coset_square := mulmod(VK_COSET_SHIFT, VK_COSET_SHIFT, R_MOD) + // let betazeta := mulmod(l_beta, l_zeta, R_MOD) + // u := addmod(betazeta, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + // u := addmod(u, l_gamma, R_MOD) + + // v := mulmod(betazeta, VK_COSET_SHIFT, R_MOD) + // v := addmod(v, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + // v := addmod(v, l_gamma, R_MOD) + + // w := mulmod(betazeta, coset_square, R_MOD) + // w := addmod(w, calldataload(add(aproof, PROOF_O_AT_ZETA)), R_MOD) + // w := addmod(w, l_gamma, R_MOD) + + // let s2 := mulmod(u, v, R_MOD) + // s2 := mulmod(s2, w, R_MOD) + // s2 := sub(R_MOD, s2) + // s2 := mulmod(s2, l_alpha, R_MOD) + // s2 := addmod(s2, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) + + // // at this stage: + // // * s₁ = α*Z(μζ)(l(ζ)+β*s₁(ζ)+γ)*(r(ζ)+β*s₂(ζ)+γ)*β + // // * s₂ = -α*(l(ζ)+β*ζ+γ)*(r(ζ)+β*u*ζ+γ)*(o(ζ)+β*u²*ζ+γ) + α²*L₁(ζ) + + // compute_commitment_linearised_polynomial_ec(aproof, s1, s2) + // } + + // /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at + // /// state + state_folded_h + // /// @param aproof pointer to the proof + // function fold_h(aproof) { + // let state := mload(0x40) + // let n_plus_two := add(VK_DOMAIN_SIZE, 2) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + // let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + // point_mul_calldata(add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_2_COM_X), zeta_power_n_plus_two, mPtr) + // point_add_calldata(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_1_COM_X), mPtr) + // point_mul(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), zeta_power_n_plus_two, mPtr) + // point_add_calldata(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_0_COM_X), mPtr) + // point_mul(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)), mPtr) + // let folded_h_y := mload(add(state, STATE_FOLDED_H_Y)) + // folded_h_y := sub(P_MOD, folded_h_y) + // mstore(add(state, STATE_FOLDED_H_Y), folded_h_y) + // } + + // /// @notice check that the opening of the linearised polynomial at zeta is equal to + // /// - [ PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) ] + // /// @param aproof pointer to the proof + // function compute_opening_linearised_polynomial(aproof) { + + // let state := mload(0x40) + + // // (l(ζ)+β*s1(ζ)+γ) + // let s1 + // s1 := mulmod(calldataload(add(aproof, PROOF_S1_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD) + // s1 := addmod(s1, mload(add(state, STATE_GAMMA)), R_MOD) + // s1 := addmod(s1, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + + // // (r(ζ)+β*s2(ζ)+γ) + // let s2 + // s2 := mulmod(calldataload(add(aproof, PROOF_S2_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD) + // s2 := addmod(s2, mload(add(state, STATE_GAMMA)), R_MOD) + // s2 := addmod(s2, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + + // // (o(ζ)+γ) + // let o + // o := addmod(calldataload(add(aproof, PROOF_O_AT_ZETA)), mload(add(state, STATE_GAMMA)), R_MOD) + + // // α*Z(μζ)*(l(ζ)+β*s1(ζ)+γ)*(r(ζ)+β*s2(ζ)+γ)*(o(ζ)+γ) + // s1 := mulmod(s1, s2, R_MOD) + // s1 := mulmod(s1, o, R_MOD) + // s1 := mulmod(s1, mload(add(state, STATE_ALPHA)), R_MOD) + // s1 := mulmod(s1, calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), R_MOD) + + // // PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) + // s1 := addmod(s1, mload(add(state, STATE_PI)), R_MOD) + // s2 := mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)) + // s2 := sub(R_MOD, s2) + // s1 := addmod(s1, s2, R_MOD) + // s1 := sub(R_MOD, s1) + + // mstore(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA), s1) + // } + + // // BEGINNING utils math functions ------------------------------------------------- + + // /// @param dst pointer storing the result + // /// @param p pointer to the first point + // /// @param q pointer to the second point + // /// @param mPtr pointer to free memory + // function point_add(dst, p, q, mPtr) { + // mstore(mPtr, mload(p)) + // mstore(add(mPtr, 0x20), mload(add(p, 0x20))) + // mstore(add(mPtr, 0x40), mload(q)) + // mstore(add(mPtr, 0x60), mload(add(q, 0x20))) + // let l_success := staticcall(gas(),EC_ADD,mPtr,0x80,dst,0x40) + // if iszero(l_success) { + // error_ec_op() + // } + // } + + // /// @param dst pointer storing the result + // /// @param p pointer to the first point (calldata) + // /// @param q pointer to the second point (calladata) + // /// @param mPtr pointer to free memory + // function point_add_calldata(dst, p, q, mPtr) { + // mstore(mPtr, mload(p)) + // mstore(add(mPtr, 0x20), mload(add(p, 0x20))) + // mstore(add(mPtr, 0x40), calldataload(q)) + // mstore(add(mPtr, 0x60), calldataload(add(q, 0x20))) + // let l_success := staticcall(gas(), EC_ADD, mPtr, 0x80, dst, 0x40) + // if iszero(l_success) { + // error_ec_op() + // } + // } + + // /// @parma dst pointer storing the result + // /// @param src pointer to a point on Bn254(𝔽_p) + // /// @param s scalar + // /// @param mPtr free memory + // function point_mul(dst,src,s, mPtr) { + // mstore(mPtr,mload(src)) + // mstore(add(mPtr,0x20),mload(add(src,0x20))) + // mstore(add(mPtr,0x40),s) + // let l_success := staticcall(gas(),EC_MUL,mPtr,0x60,dst,0x40) + // if iszero(l_success) { + // error_ec_op() + // } + // } + + // /// @parma dst pointer storing the result + // /// @param src pointer to a point on Bn254(𝔽_p) on calldata + // /// @param s scalar + // /// @param mPtr free memory + // function point_mul_calldata(dst, src, s, mPtr) { + // mstore(mPtr, calldataload(src)) + // mstore(add(mPtr, 0x20), calldataload(add(src, 0x20))) + // mstore(add(mPtr, 0x40), s) + // let l_success := staticcall(gas(), EC_MUL, mPtr, 0x60, dst, 0x40) + // if iszero(l_success) { + // error_ec_op() + // } + // } + + // /// @notice dst <- dst + [s]src (Elliptic curve) + // /// @param dst pointer accumulator point storing the result + // /// @param src pointer to the point to multiply and add + // /// @param s scalar + // /// @param mPtr free memory + // function point_acc_mul(dst,src,s, mPtr) { + // mstore(mPtr,mload(src)) + // mstore(add(mPtr,0x20),mload(add(src,0x20))) + // mstore(add(mPtr,0x40),s) + // let l_success := staticcall(gas(),7,mPtr,0x60,mPtr,0x40) + // mstore(add(mPtr,0x40),mload(dst)) + // mstore(add(mPtr,0x60),mload(add(dst,0x20))) + // l_success := and(l_success, staticcall(gas(),EC_ADD,mPtr,0x80,dst, 0x40)) + // if iszero(l_success) { + // error_ec_op() + // } + // } + + // /// @notice dst <- dst + [s]src (Elliptic curve) + // /// @param dst pointer accumulator point storing the result + // /// @param src pointer to the point to multiply and add (on calldata) + // /// @param s scalar + // /// @mPtr free memory + // function point_acc_mul_calldata(dst, src, s, mPtr) { + // mstore(mPtr, calldataload(src)) + // mstore(add(mPtr, 0x20), calldataload(add(src, 0x20))) + // mstore(add(mPtr, 0x40), s) + // let l_success := staticcall(gas(), 7, mPtr, 0x60, mPtr, 0x40) + // mstore(add(mPtr, 0x40), mload(dst)) + // mstore(add(mPtr, 0x60), mload(add(dst, 0x20))) + // l_success := and(l_success, staticcall(gas(), EC_ADD, mPtr, 0x80, dst, 0x40)) + // if iszero(l_success) { + // error_ec_op() + // } + // } + + // /// @notice dst <- dst + src*s (Fr) dst,src are addresses, s is a value + // /// @param dst pointer storing the result + // /// @param src pointer to the scalar to multiply and add (on calldata) + // /// @param s scalar + // function fr_acc_mul_calldata(dst, src, s) { + // let tmp := mulmod(calldataload(src), s, R_MOD) + // mstore(dst, addmod(mload(dst), tmp, R_MOD)) + // } + + // /// @param x element to exponentiate + // /// @param e exponent + // /// @param mPtr free memory + // /// @return res x ** e mod r + // function pow(x, e, mPtr)->res { + // mstore(mPtr, 0x20) + // mstore(add(mPtr, 0x20), 0x20) + // mstore(add(mPtr, 0x40), 0x20) + // mstore(add(mPtr, 0x60), x) + // mstore(add(mPtr, 0x80), e) + // mstore(add(mPtr, 0xa0), R_MOD) + // let check_staticcall := staticcall(gas(),MOD_EXP,mPtr,0xc0,mPtr,0x20) + // if eq(check_staticcall, 0) { + // error_mod_exp() + // } + // res := mload(mPtr) + // } + // } + return true; + } +} +` + +// MarshalSolidity converts a proof to a byte array that can be used in a +// Solidity contract. +// The marshalling of the Fp points follows https://eips.ethereum.org/EIPS/eip-2537#fine-points-and-encoding-of-base-elements +// That is a Fp point is encoded as +// [ uint256 || uint256 ] +// [ lo || hi ] , where lo, hi are in big endian. hi is on 16 bytes. +func (proof *Proof) MarshalSolidity() []byte { + + res := make([]byte, 0, 1024) + + // uint256 l_com_x; + // uint256 l_com_y; + // uint256 r_com_x; + // uint256 r_com_y; + // uint256 o_com_x; + // uint256 o_com_y; + var tmp96 [96]byte + for i := 0; i < 3; i++ { + tmp96 = proof.LRO[i].RawBytes() + res = append(res, tmp96[:]...) + } + + // uint256 h_0_x; + // uint256 h_0_y; + // uint256 h_1_x; + // uint256 h_1_y; + // uint256 h_2_x; + // uint256 h_2_y; + for i := 0; i < 3; i++ { + tmp96 = proof.H[i].RawBytes() + res = append(res, tmp96[:]...) + } + var tmp32 [32]byte + + // uint256 l_at_zeta; + // uint256 r_at_zeta; + // uint256 o_at_zeta; + // uint256 s1_at_zeta; + // uint256 s2_at_zeta; + for i := 1; i < 6; i++ { + tmp32 = proof.BatchedProof.ClaimedValues[i].Bytes() + res = append(res, tmp32[:]...) + } + + // uint256 grand_product_commitment_x; + // uint256 grand_product_commitment_y; + tmp96 = proof.Z.RawBytes() + res = append(res, tmp96[:]...) + + // uint256 grand_product_at_zeta_omega; + tmp32 = proof.ZShiftedOpening.ClaimedValue.Bytes() + res = append(res, tmp32[:]...) + + // we skip the claimed value of the linearised polynomial at zeta because it + // is recomputed by the verifier and plugged in the batch opening proof directly + + // uint256 opening_at_zeta_proof_x; + // uint256 opening_at_zeta_proof_y; + tmp96 = proof.BatchedProof.H.RawBytes() + res = append(res, tmp96[:]...) + + // uint256 opening_at_zeta_omega_proof_x; + // uint256 opening_at_zeta_omega_proof_y; + tmp96 = proof.ZShiftedOpening.H.RawBytes() + res = append(res, tmp96[:]...) + + // uint256[] selector_commit_api_at_zeta; + // uint256[] wire_committed_commitments; + for i := 0; i < len(proof.Bsb22Commitments); i++ { + tmp32 = proof.BatchedProof.ClaimedValues[6+i].Bytes() + res = append(res, tmp32[:]...) + } + + for _, bc := range proof.Bsb22Commitments { + tmp96 = bc.RawBytes() + res = append(res, tmp96[:]...) + } + + return res +} diff --git a/backend/plonk/bls12-381/verify.go b/backend/plonk/bls12-381/verify.go index edbbfa8679..3dc9ab1009 100644 --- a/backend/plonk/bls12-381/verify.go +++ b/backend/plonk/bls12-381/verify.go @@ -1,8 +1,6 @@ // Copyright 2020-2025 Consensys Software Inc. // Licensed under the Apache License, Version 2.0. See the LICENSE file for details. -// Code generated by gnark DO NOT EDIT - package plonk import ( @@ -10,6 +8,7 @@ import ( "fmt" "io" "math/big" + "text/template" "time" @@ -19,6 +18,7 @@ import ( curve "github.com/consensys/gnark-crypto/ecc/bls12-381" + "github.com/consensys/gnark-crypto/ecc/bls12-381/fp" "github.com/consensys/gnark-crypto/ecc/bls12-381/fr" "github.com/consensys/gnark-crypto/ecc/bls12-381/fr/hash_to_field" @@ -382,7 +382,66 @@ func deriveRandomness(fs *fiatshamir.Transcript, challenge string, points ...*cu return r, nil } -// ExportSolidity not implemented for BLS12-381 +// ExportSolidity exports the verifying key to a solidity smart contract. +// +// See https://github.com/Consensys/gnark-tests for example usage. +// +// Code has not been audited and is provided as-is, we make no guarantees or warranties to its safety and reliability. func (vk *VerifyingKey) ExportSolidity(w io.Writer, exportOpts ...solidity.ExportOption) error { - return errors.New("not implemented") + funcMap := template.FuncMap{ + "hex": func(i int) string { + return fmt.Sprintf("0x%x", i) + }, + "mul": func(a, b int) int { + return a * b + }, + "inc": func(i int) int { + return i + 1 + }, + "frstr": func(x fr.Element) string { + // we use big.Int to always get a positive string. + // not the most efficient hack, but it works better for .sol generation. + bv := new(big.Int) + x.BigInt(bv) + return bv.String() + }, + "fpstr_lo": func(x fp.Element) string { + bv := new(big.Int) + twoTo256 := new(big.Int) + twoTo256.SetString("115792089237316195423570985008687907853269984665640564039457584007913129639936", 10) + x.BigInt(bv) + bv.Mod(bv, twoTo256) + return bv.String() + }, + "fpstr_hi": func(x fp.Element) string { + bv := new(big.Int) + x.BigInt(bv) + bv.Rsh(bv, 256) + return bv.String() + }, + "add": func(i, j int) int { + return i + j + }, + } + + t, err := template.New("t").Funcs(funcMap).Parse(tmplSolidityVerifier) + if err != nil { + return err + } + + cfg, err := solidity.NewExportConfig(exportOpts...) + if err != nil { + return err + } + if cfg.HashToFieldFn != nil { + return fmt.Errorf("setting hash to field function is not supported for PLONK Solidity export. Hash function is hardcoded to RFC9380") + } + + return t.Execute(w, struct { + Cfg solidity.ExportConfig + Vk VerifyingKey + }{ + Cfg: cfg, + Vk: *vk, + }) } diff --git a/go.mod b/go.mod index 0cdda984c5..d52cd31e1d 100644 --- a/go.mod +++ b/go.mod @@ -19,19 +19,92 @@ require ( github.com/ronanh/intcomp v1.1.1 github.com/rs/zerolog v1.34.0 github.com/stretchr/testify v1.10.0 - golang.org/x/crypto v0.39.0 + golang.org/x/crypto v0.40.0 golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 - golang.org/x/sync v0.15.0 + golang.org/x/sync v0.16.0 ) require ( + github.com/DataDog/zstd v1.4.5 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/StackExchange/wmi v1.2.1 // indirect + github.com/VictoriaMetrics/fastcache v1.12.2 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/cockroachdb/errors v1.11.3 // indirect + github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce // indirect + github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect + github.com/cockroachdb/pebble v1.1.5 // indirect + github.com/cockroachdb/redact v1.1.5 // indirect + github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect + github.com/crate-crypto/go-eth-kzg v1.3.0 // indirect + github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a // indirect github.com/davecgh/go-spew v1.1.1 // indirect + github.com/deckarep/golang-set/v2 v2.6.0 // indirect + github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect + github.com/ethereum/c-kzg-4844/v2 v2.1.1 // indirect + github.com/ethereum/go-ethereum v1.16.1 // indirect + github.com/ethereum/go-verkle v0.2.2 // indirect + github.com/ferranbt/fastssz v0.1.2 // indirect + github.com/fsnotify/fsnotify v1.6.0 // indirect + github.com/getsentry/sentry-go v0.27.0 // indirect + github.com/go-ole/go-ole v1.3.0 // indirect + github.com/gofrs/flock v0.12.1 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang-jwt/jwt/v4 v4.5.1 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb // indirect + github.com/google/uuid v1.3.0 // indirect + github.com/gorilla/websocket v1.4.2 // indirect + github.com/hashicorp/go-bexpr v0.1.10 // indirect + github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4 // indirect + github.com/holiman/bloomfilter/v2 v2.0.3 // indirect + github.com/holiman/uint256 v1.3.2 // indirect + github.com/huin/goupnp v1.3.0 // indirect + github.com/jackpal/go-nat-pmp v1.0.2 // indirect + github.com/klauspost/compress v1.16.0 // indirect + github.com/klauspost/cpuid/v2 v2.0.9 // indirect + github.com/kr/pretty v0.3.1 // indirect + github.com/kr/text v0.2.0 // indirect github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mattn/go-runewidth v0.0.13 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/minio/sha256-simd v1.0.0 // indirect + github.com/mitchellh/mapstructure v1.4.1 // indirect + github.com/mitchellh/pointerstructure v1.2.0 // indirect github.com/mmcloughlin/addchain v0.4.0 // indirect + github.com/olekukonko/tablewriter v0.0.5 // indirect + github.com/pion/dtls/v2 v2.2.7 // indirect + github.com/pion/logging v0.2.2 // indirect + github.com/pion/stun/v2 v2.0.0 // indirect + github.com/pion/transport/v2 v2.2.1 // indirect + github.com/pion/transport/v3 v3.0.1 // indirect + github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/prometheus/client_golang v1.15.0 // indirect + github.com/prometheus/client_model v0.3.0 // indirect + github.com/prometheus/common v0.42.0 // indirect + github.com/prometheus/procfs v0.9.0 // indirect + github.com/rivo/uniseg v0.2.0 // indirect + github.com/rogpeppe/go-internal v1.12.0 // indirect + github.com/rs/cors v1.7.0 // indirect + github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible // indirect + github.com/supranational/blst v0.3.15 // indirect + github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect + github.com/tklauser/go-sysconf v0.3.12 // indirect + github.com/tklauser/numcpus v0.6.1 // indirect + github.com/urfave/cli/v2 v2.27.5 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/sys v0.33.0 // indirect + github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect + golang.org/x/sys v0.34.0 // indirect + golang.org/x/text v0.27.0 // indirect + golang.org/x/time v0.9.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect rsc.io/tmplfunc v0.0.3 // indirect ) diff --git a/go.sum b/go.sum index 61591bf151..cb69aef6c2 100644 --- a/go.sum +++ b/go.sum @@ -39,10 +39,21 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ= +github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA= +github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= +github.com/VictoriaMetrics/fastcache v1.12.2 h1:N0y9ASrJ0F6h0QaC3o6uJb3NIZ9VKLjCM7NQbSmF7WI= +github.com/VictoriaMetrics/fastcache v1.12.2/go.mod h1:AmC+Nzz1+3G2eCPapF6UcsnkThDcMsQicp4xDukwJYI= +github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4= github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= @@ -50,6 +61,9 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqO github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= @@ -57,6 +71,18 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cockroachdb/errors v1.11.3 h1:5bA+k2Y6r+oz/6Z/RFlNeVCesGARKuC6YymtcDrbC/I= +github.com/cockroachdb/errors v1.11.3/go.mod h1:m4UIW4CDjx+R5cybPsNrRbreomiFqt8o1h1wUVazSd8= +github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce h1:giXvy4KSc/6g/esnpM7Geqxka4WSqI1SZc7sMJFd3y4= +github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce/go.mod h1:9/y3cnZ5GKakj/H4y9r9GTjCvAFta7KLgSHPJJYc52M= +github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b h1:r6VH0faHjZeQy818SGhaone5OnYfxFR/+AzdY3sf5aE= +github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b/go.mod h1:Vz9DsVWQQhf3vs21MhPMZpMGSht7O/2vFW2xusFUVOs= +github.com/cockroachdb/pebble v1.1.5 h1:5AAWCBWbat0uE0blr8qzufZP5tBjkRyy/jWe1QWLnvw= +github.com/cockroachdb/pebble v1.1.5/go.mod h1:17wO9el1YEigxkP/YtV8NtCivQDgoCyBg5c4VR/eOWo= +github.com/cockroachdb/redact v1.1.5 h1:u1PMllDkdFfPWaNGMyLD1+so+aq3uUItthCFqzwPJ30= +github.com/cockroachdb/redact v1.1.5/go.mod h1:BVNblN9mBWFyMyqK1k3AAiSxhvhfK2oOZZ2lK+dpvRg= +github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 h1:zuQyyAKVxetITBuuhv3BI9cMrmStnpT18zmgmTxunpo= +github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06/go.mod h1:7nc4anLGjupUW/PeY5qiNYsdNXj7zopG+eqsS7To5IQ= github.com/consensys/bavard v0.1.31-0.20250406004941-2db259e4b582 h1:dTlIwEdFQmldzFf5F6bbTcYWhvnAgZai2g8eq3Wwxqg= github.com/consensys/bavard v0.1.31-0.20250406004941-2db259e4b582/go.mod h1:k/zVjHHC4B+PQy1Pg7fgvG3ALicQw540Crag8qx+dZs= github.com/consensys/compress v0.2.5 h1:gJr1hKzbOD36JFsF1AN8lfXz1yevnJi1YolffY19Ntk= @@ -67,9 +93,20 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/crate-crypto/go-eth-kzg v1.3.0 h1:05GrhASN9kDAidaFJOda6A4BEvgvuXbazXg/0E3OOdI= +github.com/crate-crypto/go-eth-kzg v1.3.0/go.mod h1:J9/u5sWfznSObptgfa92Jq8rTswn6ahQWEuiLHOjCUI= +github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a h1:W8mUrRp6NOVl3J+MYp5kPMoUZPp7aOYHtaua31lwRHg= +github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a/go.mod h1:sTwzHBvIzm2RfVCGNEBZgRyjwK40bVoun3ZnGOCafNM= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/deckarep/golang-set/v2 v2.6.0 h1:XfcQbWM1LlMB8BsJ8N9vW5ehnnPVIw0je80NsVHagjM= +github.com/deckarep/golang-set/v2 v2.6.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc= +github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -77,16 +114,37 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/ethereum/c-kzg-4844/v2 v2.1.1 h1:KhzBVjmURsfr1+S3k/VE35T02+AW2qU9t9gr4R6YpSo= +github.com/ethereum/c-kzg-4844/v2 v2.1.1/go.mod h1:TC48kOKjJKPbN7C++qIgt0TJzZ70QznYR7Ob+WXl57E= +github.com/ethereum/go-ethereum v1.16.1 h1:7684NfKCb1+IChudzdKyZJ12l1Tq4ybPZOITiCDXqCk= +github.com/ethereum/go-ethereum v1.16.1/go.mod h1:ngYIvmMAYdo4sGW9cGzLvSsPGhDOOzL0jK5S5iXpj0g= +github.com/ethereum/go-verkle v0.2.2 h1:I2W0WjnrFUIzzVPwm8ykY+7pL2d4VhlsePn4j7cnFk8= +github.com/ethereum/go-verkle v0.2.2/go.mod h1:M3b90YRnzqKyyzBEWJGqj8Qff4IDeXnzFw0P9bFw3uk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/ferranbt/fastssz v0.1.2 h1:Dky6dXlngF6Qjc+EfDipAkE83N5I5DE68bY6O0VLNPk= +github.com/ferranbt/fastssz v0.1.2/go.mod h1:X5UPrE2u1UJjxHA8X54u04SBwdAQjG2sFtWs39YxyWs= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/getsentry/sentry-go v0.27.0 h1:Pv98CIbtB3LkMWmXi4Joa5OOcwbmnX88sF5qbK3r3Ps= +github.com/getsentry/sentry-go v0.27.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE= +github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= +github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo= +github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -116,6 +174,11 @@ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb h1:PBC98N2aIaM3XXiurYmW7fx4GZkL8feAMVq7nEjURHk= +github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -152,14 +215,20 @@ github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxV github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= +github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-bexpr v0.1.10 h1:9kuI5PFotCboP3dkDYFr/wi0gg0QVbSNz5oFRpxn4uE= +github.com/hashicorp/go-bexpr v0.1.10/go.mod h1:oxlubA2vC/gFVfX1A6JGp7ls7uCDlfJn732ehYYg+g0= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= @@ -177,6 +246,15 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4 h1:X4egAf/gcS1zATw6wn4Ej8vjuVGxeHdan+bRb2ebyv4= +github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4/go.mod h1:5GuXa7vkL8u9FkFuWdVvfR5ix8hRB7DbOAaYULamFpc= +github.com/holiman/bloomfilter/v2 v2.0.3 h1:73e0e/V0tCydx14a0SCYS/EWCxgwLZ18CZcZKVu0fao= +github.com/holiman/bloomfilter/v2 v2.0.3/go.mod h1:zpoh+gs7qcpqrHr3dB55AMiJwo0iURXE7ZOP9L9hSkA= +github.com/holiman/uint256 v1.3.2 h1:a9EgMPSC1AAaj1SZL5zIQD3WbwTuHrMGOerLjGmM/TA= +github.com/holiman/uint256 v1.3.2/go.mod h1:EOMSn4q6Nyt9P6efbI3bueV4e1b3dGlUCXeiRV4ng7E= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc= +github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/icza/bitio v1.1.0 h1:ysX4vtldjdi3Ygai5m1cWy4oLkhWTAi+SyO6HC8L9T0= @@ -186,12 +264,19 @@ github.com/icza/mighty v0.0.0-20180919140131-cfd07d671de6/go.mod h1:xQig96I1VNBD github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/ingonyama-zk/icicle-gnark/v3 v3.2.2 h1:B+aWVgAx+GlFLhtYjIaF0uGjU3rzpl99Wf9wZWt+Mq8= github.com/ingonyama-zk/icicle-gnark/v3 v3.2.2/go.mod h1:CH/cwcr21pPWH+9GtK/PFaa4OGTv4CtfkCKro6GpbRE= +github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7BdWus= +github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= +github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= +github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4= +github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -212,7 +297,14 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= +github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= +github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g= +github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= @@ -220,7 +312,10 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/pointerstructure v1.2.0 h1:O+i9nHnXS3l/9Wu7r4NrEdwA2VFTicjUEN1uBnDo34A= +github.com/mitchellh/pointerstructure v1.2.0/go.mod h1:BRAsLI5zgXmw97Lf6s25bs8ohIXc3tViBH44KcwB2g4= github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY= github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU= github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU= @@ -229,27 +324,64 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo= github.com/neelance/sourcemap v0.0.0-20200213170602-2833bce08e4c/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= +github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= +github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8= +github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s= +github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY= +github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms= +github.com/pion/stun/v2 v2.0.0 h1:A5+wXKLAypxQri59+tmQKVs7+l6mMM+3d+eER9ifRU0= +github.com/pion/stun/v2 v2.0.0/go.mod h1:22qRSh08fSEttYUmJZGlriq9+03jtVmXNODgLccj8GQ= +github.com/pion/transport/v2 v2.2.1 h1:7qYnCBlpgSJNYMbLCKuSY9KbQdBFoETvPNETv0y4N7c= +github.com/pion/transport/v2 v2.2.1/go.mod h1:cXXWavvCnFF6McHTft3DWS9iic2Mftcz1Aq29pGcU5g= +github.com/pion/transport/v3 v3.0.1 h1:gDTlPJwROfSfz6QfSi0ZmeCSkFcnWWiiR9ES0ouANiM= +github.com/pion/transport/v3 v3.0.1/go.mod h1:UY7kiITrlMv7/IKgd5eTUcaahZx5oUN3l9SzK5f5xE0= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM= +github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= +github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= +github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= +github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= +github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= +github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/ronanh/intcomp v1.1.1 h1:+1bGV/wEBiHI0FvzS7RHgzqOpfbBJzLIxkqMJ9e6yxY= github.com/ronanh/intcomp v1.1.1/go.mod h1:7FOLy3P3Zj3er/kVrU/pl+Ql7JFZj7bwliMGketo0IU= +github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik= +github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0= github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY= github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible h1:Bn1aCHHRnjv4Bl16T8rcaFjYSrGrIZvpiGO6P3Q4GpU= +github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shurcooL/go v0.0.0-20200502201357-93f07166e636/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= @@ -266,17 +398,35 @@ github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/supranational/blst v0.3.15 h1:rd9viN6tfARE5wv3KZJ9H8e1cg0jXW8syFCcsbHa76o= +github.com/supranational/blst v0.3.15/go.mod h1:jZJtfjgudtNl4en1tzwPIV3KjUnQUvG3/j+w+fVonLw= +github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 h1:epCh84lMvA70Z7CTTCmYQn2CKbY8j86K7/FAIr141uY= +github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc= +github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= +github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= +github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk= +github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= +github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w= +github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= +github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -305,8 +455,12 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= +golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= +golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -349,6 +503,7 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -371,9 +526,11 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -386,6 +543,9 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -413,8 +573,11 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= +golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -424,9 +587,12 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -440,8 +606,10 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -460,15 +628,26 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= +golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -479,9 +658,15 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= +golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= +golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -643,15 +828,23 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From c8201bbf251c36600398dc021a8966c5d503aa63 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Sun, 20 Jul 2025 19:30:59 +0200 Subject: [PATCH 02/23] feat: compute gamma wip --- backend/plonk/bls12-381/solidity.go | 167 ++++++++++++++++------------ 1 file changed, 94 insertions(+), 73 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index a5cdd3acf2..352b0f74d4 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -181,6 +181,8 @@ contract PlonkVerifier { uint8 private constant EC_ADD = 0x6; uint8 private constant EC_MUL = 0x7; uint8 private constant EC_PAIR = 0x8; + + event PrintUint256(uint256 x); /// Verify a Plonk proof. /// Reverts if the proof or the public inputs are malformed. @@ -188,9 +190,10 @@ contract PlonkVerifier { /// @param public_inputs (must be reduced) /// @return success true if the proof passes false otherwise function Verify(bytes calldata proof, uint256[] calldata public_inputs) - public view returns(bool success) { + public returns(bool success) { - // assembly { + uint256 check; + assembly { // let mem := mload(0x40) // let freeMem := add(mem, STATE_LAST_MEM) @@ -412,76 +415,94 @@ contract PlonkVerifier { // // Beginning challenges ------------------------------------------------- - // /// Derive gamma as Sha256() - // /// @param aproof pointer to the proof - // /// @param nb_pi number of public inputs - // /// @param pi pointer to the array of public inputs - // /// @return the challenge gamma, not reduced - // /// @notice The transcript is the concatenation (in this order) of: - // /// * the word "gamma" in ascii, equal to [0x67,0x61,0x6d, 0x6d, 0x61] and encoded as a uint256. - // /// * the commitments to the permutation polynomials S1, S2, S3, where we concatenate the coordinates of those points - // /// * the commitments of Ql, Qr, Qm, Qo, Qk - // /// * the public inputs - // /// * the commitments of the wires related to the custom gates (commitments_wires_commit_api) - // /// * commitments to L, R, O (proof__com_) - // /// The data described above is written starting at mPtr. "gamma" lies on 5 bytes, - // /// and is encoded as a uint256 number n. In basis b = 256, the number looks like this - // /// [0 0 0 .. 0x67 0x61 0x6d, 0x6d, 0x61]. The first non zero entry is at position 27=0x1b - // /// Gamma reduced (the actual challenge) is stored at add(state, state_gamma) - // function derive_gamma(aproof, nb_pi, pi)->gamma_not_reduced { + /// Derive gamma as Sha256() + /// @param aproof pointer to the proof + /// @param nb_pi number of public inputs + /// @param pi pointer to the array of public inputs + /// @return the challenge gamma, not reduced + /// @notice The transcript is the concatenation (in this order) of: + /// * the word "gamma" in ascii, equal to [0x67,0x61,0x6d, 0x6d, 0x61] and encoded as a uint256. + /// * the commitments to the permutation polynomials S1, S2, S3, where we concatenate the coordinates of those points + /// * the commitments of Ql, Qr, Qm, Qo, Qk + /// * the public inputs + /// * the commitments of the wires related to the custom gates (commitments_wires_commit_api) + /// * commitments to L, R, O (proof__com_) + /// The data described above is written starting at mPtr. "gamma" lies on 5 bytes, + /// and is encoded as a uint256 number n. In basis b = 256, the number looks like this + /// [0 0 0 .. 0x67 0x61 0x6d, 0x6d, 0x61]. The first non zero entry is at position 27=0x1b + /// Gamma reduced (the actual challenge) is stored at add(state, state_gamma) + function derive_gamma(aproof, nb_pi, pi)->gamma_not_reduced { - // let state := mload(0x40) - // let mPtr := add(state, STATE_LAST_MEM) - - // mstore(mPtr, FS_GAMMA) // "gamma" - - // {{ $offset = 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y) {{ $offset = add $offset 0x20}} - // {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X) {{ $offset = add $offset 0x20}} - // mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y) {{ $offset = add $offset 0x20}} - // {{ end }} - // // public inputs - // let _mPtr := add(mPtr, {{ hex (add (mul (len .Vk.CommitmentConstraintIndexes) 64) 544) }}) - // let size_pi_in_bytes := mul(nb_pi, 0x20) - // calldatacopy(_mPtr, pi, size_pi_in_bytes) - // _mPtr := add(_mPtr, size_pi_in_bytes) - - // // commitments to l, r, o - // let size_commitments_lro_in_bytes := 0xc0 - // calldatacopy(_mPtr, aproof, size_commitments_lro_in_bytes) - // _mPtr := add(_mPtr, size_commitments_lro_in_bytes) - - // // total size is : - // // sizegamma(=0x5) + 11*64(=0x2c0) - // // + nb_public_inputs*0x20 - // // + nb_custom gates*0x40 - // let size := add(0x2c5, size_pi_in_bytes) - // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // size := add(size, mul(VK_NB_CUSTOM_GATES, 0x40)) - // {{ end -}} - // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), size, mPtr, 0x20) //0x1b -> 000.."gamma" - // if iszero(l_success) { - // error_verify() - // } - // gamma_not_reduced := mload(mPtr) - // mstore(add(state, STATE_GAMMA), mod(gamma_not_reduced, R_MOD)) - // } + let state := mload(0x40) + let mPtr := add(state, STATE_LAST_MEM) + + mstore(mPtr, FS_GAMMA) // "gamma" + + {{ $offset = 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y_hi) {{ $offset = add $offset 0x10}} + {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_lo) {{ $offset = add $offset 0x20}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_hi) {{ $offset = add $offset 0x10}} + {{ end }} + // public inputs + let _mPtr := add(mPtr, {{ hex (add (mul (len .Vk.CommitmentConstraintIndexes) 64) 544) }}) + let size_pi_in_bytes := mul(nb_pi, 0x20) + calldatacopy(_mPtr, pi, size_pi_in_bytes) + _mPtr := add(_mPtr, size_pi_in_bytes) + + // commitments to l, r, o + let size_commitments_lro_in_bytes := {{ hex (mul 0x30 3)}} + calldatacopy(_mPtr, aproof, size_commitments_lro_in_bytes) + _mPtr := add(_mPtr, size_commitments_lro_in_bytes) + + // total size is : + // sizegamma(=0x5) + 11*64(=0x2c0) + // + nb_public_inputs*0x20 + // + nb_custom gates*0x40 + let size := add(0x2c5, size_pi_in_bytes) + {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + size := add(size, mul(VK_NB_CUSTOM_GATES, 0x40)) + {{ end -}} + let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), size, mPtr, 0x20) //0x1b -> 000.."gamma" + if iszero(l_success) { + error_verify() + } + gamma_not_reduced := mload(mPtr) + mstore(add(state, STATE_GAMMA), mod(gamma_not_reduced, R_MOD)) + } // /// derive beta as Sha256 // /// @param gamma_not_reduced the previous challenge (gamma) not reduced @@ -1359,10 +1380,10 @@ contract PlonkVerifier { // } // res := mload(mPtr) // } - // } + } + emit PrintUint256(check); return true; } -} ` // MarshalSolidity converts a proof to a byte array that can be used in a From db251cfbc760186c5ebcb90eabd7609456f9cfa1 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Mon, 21 Jul 2025 10:56:09 +0200 Subject: [PATCH 03/23] feat: addition of sub function --- backend/plonk/bls12-381/verify.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/backend/plonk/bls12-381/verify.go b/backend/plonk/bls12-381/verify.go index 3dc9ab1009..6f218eb6fe 100644 --- a/backend/plonk/bls12-381/verify.go +++ b/backend/plonk/bls12-381/verify.go @@ -422,6 +422,9 @@ func (vk *VerifyingKey) ExportSolidity(w io.Writer, exportOpts ...solidity.Expor "add": func(i, j int) int { return i + j }, + "sub": func(i, j int) int { + return i - j + }, } t, err := template.New("t").Funcs(funcMap).Parse(tmplSolidityVerifier) From 9d1fc83cb0a4305368a514ece82d549a3bf5a2de Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Mon, 21 Jul 2025 12:22:50 +0200 Subject: [PATCH 04/23] fix: derive gamma ok --- backend/plonk/bls12-381/solidity.go | 115 ++++++++++++++-------------- 1 file changed, 59 insertions(+), 56 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 352b0f74d4..aa96d2ee8d 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -195,8 +195,8 @@ contract PlonkVerifier { uint256 check; assembly { - // let mem := mload(0x40) - // let freeMem := add(mem, STATE_LAST_MEM) + let mem := mload(0x40) + let freeMem := add(mem, STATE_LAST_MEM) // // sanity checks // check_number_of_public_inputs(public_inputs.length) @@ -205,8 +205,8 @@ contract PlonkVerifier { // check_proof_openings_size(proof.offset) // // compute the challenges - // let prev_challenge_non_reduced - // prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) + let prev_challenge_non_reduced + prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) // prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) // prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) // derive_zeta(proof.offset, prev_challenge_non_reduced) @@ -308,14 +308,14 @@ contract PlonkVerifier { // revert(ptError, 0x64) // } - // function error_verify() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0xc) - // mstore(add(ptError, 0x44), "error verify") - // revert(ptError, 0x64) - // } + function error_verify() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0xc) + mstore(add(ptError, 0x44), "error verify") + revert(ptError, 0x64) + } // function error_random_generation() { // let ptError := mload(0x40) @@ -436,65 +436,67 @@ contract PlonkVerifier { let state := mload(0x40) let mPtr := add(state, STATE_LAST_MEM) + {{ $offset = 0x10 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y_hi) {{ $offset = add $offset 0x30}} + {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_hi) {{ $offset = add $offset 0x30}} + {{ end }} mstore(mPtr, FS_GAMMA) // "gamma" - - {{ $offset = 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y_hi) {{ $offset = add $offset 0x10}} + {{ $offset = 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_S3_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QL_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QR_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QM_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QO_COM_Y_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QK_COM_Y_lo) {{ $offset = add $offset 0x30}} {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi) {{ $offset = add $offset 0x10}} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_lo) {{ $offset = add $offset 0x20}} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_hi) {{ $offset = add $offset 0x10}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_lo) {{ $offset = add $offset 0x30}} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_lo) {{ $offset = add $offset 0x30}} {{ end }} // public inputs - let _mPtr := add(mPtr, {{ hex (add (mul (len .Vk.CommitmentConstraintIndexes) 64) 544) }}) + let _mPtr := add(mPtr, {{ hex ( sub $offset 0x10 ) }} ) let size_pi_in_bytes := mul(nb_pi, 0x20) calldatacopy(_mPtr, pi, size_pi_in_bytes) _mPtr := add(_mPtr, size_pi_in_bytes) // commitments to l, r, o - let size_commitments_lro_in_bytes := {{ hex (mul 0x30 3)}} + let size_commitments_lro_in_bytes := {{ hex (mul 0x60 3)}} calldatacopy(_mPtr, aproof, size_commitments_lro_in_bytes) _mPtr := add(_mPtr, size_commitments_lro_in_bytes) // total size is : - // sizegamma(=0x5) + 11*64(=0x2c0) + // sizegamma(=0x5) + 11*96(=0x420) // + nb_public_inputs*0x20 - // + nb_custom gates*0x40 - let size := add(0x2c5, size_pi_in_bytes) + // + nb_custom gates*0x60 + let size := add({{ hex ( add 5 ( mul 11 96 ))}}, size_pi_in_bytes) {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - size := add(size, mul(VK_NB_CUSTOM_GATES, 0x40)) + size := add(size, mul(VK_NB_CUSTOM_GATES, 0x60)) {{ end -}} let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), size, mPtr, 0x20) //0x1b -> 000.."gamma" if iszero(l_success) { @@ -1384,6 +1386,7 @@ contract PlonkVerifier { emit PrintUint256(check); return true; } +} ` // MarshalSolidity converts a proof to a byte array that can be used in a From c0fb88aa4a4fd3999470d0039ddbc8ffbd53dc52 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Mon, 21 Jul 2025 22:31:19 +0200 Subject: [PATCH 05/23] feat: derive_alpha ok --- backend/plonk/bls12-381/solidity.go | 114 ++++++++++++++-------------- 1 file changed, 57 insertions(+), 57 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index aa96d2ee8d..ec8fde59b0 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -107,9 +107,9 @@ contract PlonkVerifier { uint256 private constant PROOF_H_2_COM_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} // "evaluations of wire polynomials at zeta - uint256 private constant PROOF_L_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant PROOF_R_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant PROOF_O_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant PROOF_L_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant PROOF_R_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant PROOF_O_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} // S1(zeta),S2(zeta) uint256 private constant PROOF_S1_AT_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} // Sσ1(zeta) @@ -207,8 +207,8 @@ contract PlonkVerifier { // // compute the challenges let prev_challenge_non_reduced prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) - // prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) - // prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) + prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) + prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) // derive_zeta(proof.offset, prev_challenge_non_reduced) // // evaluation of Z=Xⁿ-1 at ζ, we save this value @@ -506,63 +506,63 @@ contract PlonkVerifier { mstore(add(state, STATE_GAMMA), mod(gamma_not_reduced, R_MOD)) } - // /// derive beta as Sha256 - // /// @param gamma_not_reduced the previous challenge (gamma) not reduced - // /// @return beta_not_reduced the next challenge, beta, not reduced - // /// @notice the transcript consists of the previous challenge only. - // /// The reduced version of beta is stored at add(state, state_beta) - // function derive_beta(gamma_not_reduced)->beta_not_reduced{ + /// derive beta as Sha256 + /// @param gamma_not_reduced the previous challenge (gamma) not reduced + /// @return beta_not_reduced the next challenge, beta, not reduced + /// @notice the transcript consists of the previous challenge only. + /// The reduced version of beta is stored at add(state, state_beta) + function derive_beta(gamma_not_reduced)->beta_not_reduced{ - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) - // // beta - // mstore(mPtr, FS_BETA) // "beta" - // mstore(add(mPtr, 0x20), gamma_not_reduced) - // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1c), 0x24, mPtr, 0x20) //0x1b -> 000.."gamma" - // if iszero(l_success) { - // error_verify() - // } - // beta_not_reduced := mload(mPtr) - // mstore(add(state, STATE_BETA), mod(beta_not_reduced, R_MOD)) - // } + // beta + mstore(mPtr, FS_BETA) // "beta" + mstore(add(mPtr, 0x20), gamma_not_reduced) + let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1c), 0x24, mPtr, 0x20) //0x1b -> 000.."gamma" + if iszero(l_success) { + error_verify() + } + beta_not_reduced := mload(mPtr) + mstore(add(state, STATE_BETA), mod(beta_not_reduced, R_MOD)) + } - // /// derive alpha as sha256 - // /// @param aproof pointer to the proof object - // /// @param beta_not_reduced the previous challenge (beta) not reduced - // /// @return alpha_not_reduced the next challenge, alpha, not reduced - // /// @notice the transcript consists of the previous challenge (beta) - // /// not reduced, the commitments to the wires associated to the QCP_i, - // /// and the commitment to the grand product polynomial - // function derive_alpha(aproof, beta_not_reduced)->alpha_not_reduced { + /// derive alpha as sha256 + /// @param aproof pointer to the proof object + /// @param beta_not_reduced the previous challenge (beta) not reduced + /// @return alpha_not_reduced the next challenge, alpha, not reduced + /// @notice the transcript consists of the previous challenge (beta) + /// not reduced, the commitments to the wires associated to the QCP_i, + /// and the commitment to the grand product polynomial + function derive_alpha(aproof, beta_not_reduced)->alpha_not_reduced { - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) - // let full_size := 0x65 // size("alpha") + 0x20 (previous challenge) - - // // alpha - // mstore(mPtr, FS_ALPHA) // "alpha" - // let _mPtr := add(mPtr, 0x20) - // mstore(_mPtr, beta_not_reduced) - // _mPtr := add(_mPtr, 0x20) - // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // // Bsb22Commitments - // let proof_bsb_commitments := add(aproof, PROOF_BSB_COMMITMENTS) - // let size_bsb_commitments := mul(0x40, VK_NB_CUSTOM_GATES) - // calldatacopy(_mPtr, proof_bsb_commitments, size_bsb_commitments) - // _mPtr := add(_mPtr, size_bsb_commitments) - // full_size := add(full_size, size_bsb_commitments) - // {{ end }} - // // [Z], the commitment to the grand product polynomial - // calldatacopy(_mPtr, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), 0x40) - // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), full_size, mPtr, 0x20) - // if iszero(l_success) { - // error_verify() - // } + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) + let full_size := 0x85 // "alpha" || previous challenge || grand product commitment + + // alpha + mstore(mPtr, FS_ALPHA) // "alpha" + let _mPtr := add(mPtr, 0x20) + mstore(_mPtr, beta_not_reduced) + _mPtr := add(_mPtr, 0x20) + {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + // Bsb22Commitments + let proof_bsb_commitments := add(aproof, PROOF_BSB_COMMITMENTS) + let size_bsb_commitments := mul(0x60, VK_NB_CUSTOM_GATES) + calldatacopy(_mPtr, proof_bsb_commitments, size_bsb_commitments) + _mPtr := add(_mPtr, size_bsb_commitments) + full_size := add(full_size, size_bsb_commitments) + {{ end }} + // [Z], the commitment to the grand product polynomial + calldatacopy(_mPtr, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), 0x60) + let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1b), full_size, mPtr, 0x20) + if iszero(l_success) { + error_verify() + } - // alpha_not_reduced := mload(mPtr) - // mstore(add(state, STATE_ALPHA), mod(alpha_not_reduced, R_MOD)) - // } + alpha_not_reduced := mload(mPtr) + mstore(add(state, STATE_ALPHA), mod(alpha_not_reduced, R_MOD)) + } // /// derive zeta as sha256 // /// @param aproof pointer to the proof object From 9b8110d887af0fa0f1c18d7d4a58d0da02d8cf63 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Tue, 22 Jul 2025 10:45:32 +0200 Subject: [PATCH 06/23] feat: derive zeta ok --- backend/plonk/bls12-381/solidity.go | 42 ++++++++++++++--------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index ec8fde59b0..972b0d275a 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -209,7 +209,7 @@ contract PlonkVerifier { prev_challenge_non_reduced := derive_gamma(proof.offset, public_inputs.length, public_inputs.offset) prev_challenge_non_reduced := derive_beta(prev_challenge_non_reduced) prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) - // derive_zeta(proof.offset, prev_challenge_non_reduced) + derive_zeta(proof.offset, prev_challenge_non_reduced) // // evaluation of Z=Xⁿ-1 at ζ, we save this value // let zeta := mload(add(mem, STATE_ZETA)) @@ -564,28 +564,28 @@ contract PlonkVerifier { mstore(add(state, STATE_ALPHA), mod(alpha_not_reduced, R_MOD)) } - // /// derive zeta as sha256 - // /// @param aproof pointer to the proof object - // /// @param alpha_not_reduced the previous challenge (alpha) not reduced - // /// The transcript consists of the previous challenge and the commitment to - // /// the quotient polynomial h. - // function derive_zeta(aproof, alpha_not_reduced) { + /// derive zeta as sha256 + /// @param aproof pointer to the proof object + /// @param alpha_not_reduced the previous challenge (alpha) not reduced + /// The transcript consists of the previous challenge and the commitment to + /// the quotient polynomial h. + function derive_zeta(aproof, alpha_not_reduced) { - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) - // // zeta - // mstore(mPtr, FS_ZETA) // "zeta" - // mstore(add(mPtr, 0x20), alpha_not_reduced) - // calldatacopy(add(mPtr, 0x40), add(aproof, PROOF_H_0_COM_X), 0xc0) - // let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1c), 0xe4, mPtr, 0x20) - // if iszero(l_success) { - // error_verify() - // } - // let zeta_not_reduced := mload(mPtr) - // mstore(add(state, STATE_ZETA), mod(zeta_not_reduced, R_MOD)) - // } - // // END challenges ------------------------------------------------- + // zeta + mstore(mPtr, FS_ZETA) // "zeta" + mstore(add(mPtr, 0x20), alpha_not_reduced) + calldatacopy(add(mPtr, 0x40), add(aproof, PROOF_H_0_COM_X), 0x120) + let l_success := staticcall(gas(), SHA2, add(mPtr, 0x1c), 0x144, mPtr, 0x20) + if iszero(l_success) { + error_verify() + } + let zeta_not_reduced := mload(mPtr) + mstore(add(state, STATE_ZETA), mod(zeta_not_reduced, R_MOD)) + } + // END challenges ------------------------------------------------- // // BEGINNING compute_pi ------------------------------------------------- From 0131021e757e4986ac2cc79a09a5eb9aece90f4f Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Tue, 22 Jul 2025 22:27:57 +0200 Subject: [PATCH 07/23] feat: compute public inputs ok --- backend/plonk/bls12-381/solidity.go | 504 ++++++++++++++-------------- 1 file changed, 251 insertions(+), 253 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 972b0d275a..0effd55753 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -128,8 +128,8 @@ contract PlonkVerifier { uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant PROOF_OPENING_QCP_AT_ZETA = {{ hex $offset }}; - uint256 private constant PROOF_BSB_COMMITMENTS = {{ hex (add $offset (mul (len .Vk.CommitmentConstraintIndexes) 32 ) )}}; + uint256 private constant PROOF_QCP_AT_ZETA = {{ hex $offset }}; + uint256 private constant PROOF_BSB_COMMITMENTS = {{ hex (add $offset (mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) )}}; // -------- offset state @@ -211,18 +211,18 @@ contract PlonkVerifier { prev_challenge_non_reduced := derive_alpha(proof.offset, prev_challenge_non_reduced) derive_zeta(proof.offset, prev_challenge_non_reduced) - // // evaluation of Z=Xⁿ-1 at ζ, we save this value - // let zeta := mload(add(mem, STATE_ZETA)) - // let zeta_power_n_minus_one := addmod(pow(zeta, VK_DOMAIN_SIZE, freeMem), sub(R_MOD, 1), R_MOD) - // mstore(add(mem, STATE_ZETA_POWER_N_MINUS_ONE), zeta_power_n_minus_one) + // evaluation of Z=Xⁿ-1 at ζ, we save this value + let zeta := mload(add(mem, STATE_ZETA)) + let zeta_power_n_minus_one := addmod(pow(zeta, VK_DOMAIN_SIZE, freeMem), sub(R_MOD, 1), R_MOD) + mstore(add(mem, STATE_ZETA_POWER_N_MINUS_ONE), zeta_power_n_minus_one) - // // public inputs contribution - // let l_pi := sum_pi_wo_api_commit(public_inputs.offset, public_inputs.length, freeMem) - // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) -}} - // let l_pi_commit := sum_pi_commit(proof.offset, public_inputs.length, freeMem) - // l_pi := addmod(l_pi_commit, l_pi, R_MOD) - // {{ end -}} - // mstore(add(mem, STATE_PI), l_pi) + // public inputs contribution + let l_pi := sum_pi_wo_api_commit(public_inputs.offset, public_inputs.length, freeMem) + {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) -}} + let l_pi_commit := sum_pi_commit(proof.offset, public_inputs.length, freeMem) + l_pi := addmod(l_pi_commit, l_pi, R_MOD) + {{ end -}} + mstore(add(mem, STATE_PI), l_pi) // compute_alpha_square_lagrange_0() // compute_opening_linearised_polynomial(proof.offset) @@ -245,15 +245,15 @@ contract PlonkVerifier { // revert(ptError, 0x64) // } - // /// Called when an exponentiation mod r fails - // function error_mod_exp() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0xc) - // mstore(add(ptError, 0x44), "error mod exp") - // revert(ptError, 0x64) - // } + /// Called when an exponentiation mod r fails + function error_mod_exp() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0xc) + mstore(add(ptError, 0x44), "error mod exp") + revert(ptError, 0x64) + } // /// Called when an operation on Bn254 fails // /// @dev for instance when calling EcMul on a point not on Bn254. @@ -399,9 +399,9 @@ contract PlonkVerifier { // error_proof_openings_size() // } - // // PROOF_OPENING_QCP_AT_ZETA + // // PROOF_QCP_AT_ZETA - // p := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // p := add(aproof, PROOF_QCP_AT_ZETA) // for {let i:=0} lt(i, VK_NB_CUSTOM_GATES) {i:=add(i,1)} // { // if gt(calldataload(p), R_MOD_MINUS_ONE) { @@ -589,238 +589,236 @@ contract PlonkVerifier { // // BEGINNING compute_pi ------------------------------------------------- - // /// sum_pi_wo_api_commit computes the public inputs contributions, - // /// except for the public inputs coming from the custom gate - // /// @param ins pointer to the public inputs - // /// @param n number of public inputs - // /// @param mPtr free memory - // /// @return pi_wo_commit public inputs contribution (except the public inputs coming from the custom gate) - // function sum_pi_wo_api_commit(ins, n, mPtr)->pi_wo_commit { + /// sum_pi_wo_api_commit computes the public inputs contributions, + /// except for the public inputs coming from the custom gate + /// @param ins pointer to the public inputs + /// @param n number of public inputs + /// @param mPtr free memory + /// @return pi_wo_commit public inputs contribution (except the public inputs coming from the custom gate) + function sum_pi_wo_api_commit(ins, n, mPtr)->pi_wo_commit { - // let state := mload(0x40) - // let z := mload(add(state, STATE_ZETA)) - // let zpnmo := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) - - // let li := mPtr - // batch_compute_lagranges_at_z(z, zpnmo, n, li) - - // let tmp := 0 - // for {let i:=0} lt(i,n) {i:=add(i,1)} - // { - // tmp := mulmod(mload(li), calldataload(ins), R_MOD) - // pi_wo_commit := addmod(pi_wo_commit, tmp, R_MOD) - // li := add(li, 0x20) - // ins := add(ins, 0x20) - // } + let state := mload(0x40) + let z := mload(add(state, STATE_ZETA)) + let zpnmo := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + + let li := mPtr + batch_compute_lagranges_at_z(z, zpnmo, n, li) + + let tmp := 0 + for {let i:=0} lt(i,n) {i:=add(i,1)} + { + tmp := mulmod(mload(li), calldataload(ins), R_MOD) + pi_wo_commit := addmod(pi_wo_commit, tmp, R_MOD) + li := add(li, 0x20) + ins := add(ins, 0x20) + } - // } + } - // /// batch_compute_lagranges_at_z computes [L_0(z), .., L_{n-1}(z)] - // /// @param z point at which the Lagranges are evaluated - // /// @param zpnmo ζⁿ-1 - // /// @param n_pub number of public inputs (number of Lagranges to compute) - // /// @param mPtr pointer to which the results are stored - // function batch_compute_lagranges_at_z(z, zpnmo, n_pub, mPtr) { + /// batch_compute_lagranges_at_z computes [L_0(z), .., L_{n-1}(z)] + /// @param z point at which the Lagranges are evaluated + /// @param zpnmo ζⁿ-1 + /// @param n_pub number of public inputs (number of Lagranges to compute) + /// @param mPtr pointer to which the results are stored + function batch_compute_lagranges_at_z(z, zpnmo, n_pub, mPtr) { - // let zn := mulmod(zpnmo, VK_INV_DOMAIN_SIZE, R_MOD) // 1/n * (ζⁿ - 1) + let zn := mulmod(zpnmo, VK_INV_DOMAIN_SIZE, R_MOD) // 1/n * (ζⁿ - 1) - // let _w := 1 - // let _mPtr := mPtr - // for {let i:=0} lt(i,n_pub) {i:=add(i,1)} - // { - // mstore(_mPtr, addmod(z,sub(R_MOD, _w), R_MOD)) - // _w := mulmod(_w, VK_OMEGA, R_MOD) - // _mPtr := add(_mPtr, 0x20) - // } - // batch_invert(mPtr, n_pub, _mPtr) - // _mPtr := mPtr - // _w := 1 - // for {let i:=0} lt(i,n_pub) {i:=add(i,1)} - // { - // mstore(_mPtr, mulmod(mulmod(mload(_mPtr), zn , R_MOD), _w, R_MOD)) - // _mPtr := add(_mPtr, 0x20) - // _w := mulmod(_w, VK_OMEGA, R_MOD) - // } - // } - - // /// @notice Montgomery trick for batch inversion mod R_MOD - // /// @param ins pointer to the data to batch invert - // /// @param number of elements to batch invert - // /// @param mPtr free memory - // function batch_invert(ins, nb_ins, mPtr) { - // mstore(mPtr, 1) - // let offset := 0 - // for {let i:=0} lt(i, nb_ins) {i:=add(i,1)} - // { - // let prev := mload(add(mPtr, offset)) - // let cur := mload(add(ins, offset)) - // cur := mulmod(prev, cur, R_MOD) - // offset := add(offset, 0x20) - // mstore(add(mPtr, offset), cur) - // } - // ins := add(ins, sub(offset, 0x20)) - // mPtr := add(mPtr, offset) - // let inv := pow(mload(mPtr), sub(R_MOD,2), add(mPtr, 0x20)) - // for {let i:=0} lt(i, nb_ins) {i:=add(i,1)} - // { - // mPtr := sub(mPtr, 0x20) - // let tmp := mload(ins) - // let cur := mulmod(inv, mload(mPtr), R_MOD) - // mstore(ins, cur) - // inv := mulmod(inv, tmp, R_MOD) - // ins := sub(ins, 0x20) - // } - // } + let _w := 1 + let _mPtr := mPtr + for {let i:=0} lt(i,n_pub) {i:=add(i,1)} + { + mstore(_mPtr, addmod(z,sub(R_MOD, _w), R_MOD)) + _w := mulmod(_w, VK_OMEGA, R_MOD) + _mPtr := add(_mPtr, 0x20) + } + batch_invert(mPtr, n_pub, _mPtr) + _mPtr := mPtr + _w := 1 + for {let i:=0} lt(i,n_pub) {i:=add(i,1)} + { + mstore(_mPtr, mulmod(mulmod(mload(_mPtr), zn , R_MOD), _w, R_MOD)) + _mPtr := add(_mPtr, 0x20) + _w := mulmod(_w, VK_OMEGA, R_MOD) + } + } + + /// @notice Montgomery trick for batch inversion mod R_MOD + /// @param ins pointer to the data to batch invert + /// @param number of elements to batch invert + /// @param mPtr free memory + function batch_invert(ins, nb_ins, mPtr) { + mstore(mPtr, 1) + let offset := 0 + for {let i:=0} lt(i, nb_ins) {i:=add(i,1)} + { + let prev := mload(add(mPtr, offset)) + let cur := mload(add(ins, offset)) + cur := mulmod(prev, cur, R_MOD) + offset := add(offset, 0x20) + mstore(add(mPtr, offset), cur) + } + ins := add(ins, sub(offset, 0x20)) + mPtr := add(mPtr, offset) + let inv := pow(mload(mPtr), sub(R_MOD,2), add(mPtr, 0x20)) + for {let i:=0} lt(i, nb_ins) {i:=add(i,1)} + { + mPtr := sub(mPtr, 0x20) + let tmp := mload(ins) + let cur := mulmod(inv, mload(mPtr), R_MOD) + mstore(ins, cur) + inv := mulmod(inv, tmp, R_MOD) + ins := sub(ins, 0x20) + } + } - // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // /// Public inputs (the ones coming from the custom gate) contribution - // /// @param aproof pointer to the proof - // /// @param nb_public_inputs number of public inputs - // /// @param mPtr pointer to free memory - // /// @return pi_commit custom gate public inputs contribution - // function sum_pi_commit(aproof, nb_public_inputs, mPtr)->pi_commit { + {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + /// Public inputs (the ones coming from the custom gate) contribution + /// @param aproof pointer to the proof + /// @param nb_public_inputs number of public inputs + /// @param mPtr pointer to free memory + /// @return pi_commit custom gate public inputs contribution + function sum_pi_commit(aproof, nb_public_inputs, mPtr)->pi_commit { - // let state := mload(0x40) - // let z := mload(add(state, STATE_ZETA)) - // let zpnmo := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + let state := mload(0x40) + let z := mload(add(state, STATE_ZETA)) + let zpnmo := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) - // let p := add(aproof, PROOF_BSB_COMMITMENTS) + let p := add(aproof, PROOF_BSB_COMMITMENTS) - // let h_fr, ith_lagrange + let h_fr, ith_lagrange - // {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} - // h_fr := hash_fr(calldataload(p), calldataload(add(p, 0x20)), mPtr) - // ith_lagrange := compute_ith_lagrange_at_z(z, zpnmo, add(nb_public_inputs, VK_INDEX_COMMIT_API_{{ $index }}), mPtr) - // pi_commit := addmod(pi_commit, mulmod(h_fr, ith_lagrange, R_MOD), R_MOD) - // {{ if (lt (inc $index) (len $.Vk.CommitmentConstraintIndexes) )}} - // p := add(p, 0x40) - // {{ end }} - // {{ end }} + {{ range $index, $element := .Vk.CommitmentConstraintIndexes}} + h_fr := hash_fr(p, mPtr) + ith_lagrange := compute_ith_lagrange_at_z(z, zpnmo, add(nb_public_inputs, VK_INDEX_COMMIT_API_{{ $index }}), mPtr) + pi_commit := addmod(pi_commit, mulmod(h_fr, ith_lagrange, R_MOD), R_MOD) + {{ if (lt (inc $index) (len $.Vk.CommitmentConstraintIndexes) )}} + p := add(p, 0x60) + {{- end }} + {{- end }} - // } + } - // /// Computes L_i(zeta) = ωⁱ/n * (ζⁿ-1)/(ζ-ωⁱ) where: - // /// @param z zeta - // /// @param zpmno ζⁿ-1 - // /// @param i i-th lagrange - // /// @param mPtr free memory - // /// @return res = ωⁱ/n * (ζⁿ-1)/(ζ-ωⁱ) - // function compute_ith_lagrange_at_z(z, zpnmo, i, mPtr)->res { - - // let w := pow(VK_OMEGA, i, mPtr) // w**i - // i := addmod(z, sub(R_MOD, w), R_MOD) // z-w**i - // w := mulmod(w, VK_INV_DOMAIN_SIZE, R_MOD) // w**i/n - // i := pow(i, sub(R_MOD,2), mPtr) // (z-w**i)**-1 - // w := mulmod(w, i, R_MOD) // w**i/n*(z-w)**-1 - // res := mulmod(w, zpnmo, R_MOD) + /// Computes L_i(zeta) = ωⁱ/n * (ζⁿ-1)/(ζ-ωⁱ) where: + /// @param z zeta + /// @param zpmno ζⁿ-1 + /// @param i i-th lagrange + /// @param mPtr free memory + /// @return res = ωⁱ/n * (ζⁿ-1)/(ζ-ωⁱ) + function compute_ith_lagrange_at_z(z, zpnmo, i, mPtr)->res { + + let w := pow(VK_OMEGA, i, mPtr) // w**i + i := addmod(z, sub(R_MOD, w), R_MOD) // z-w**i + w := mulmod(w, VK_INV_DOMAIN_SIZE, R_MOD) // w**i/n + i := pow(i, sub(R_MOD,2), mPtr) // (z-w**i)**-1 + w := mulmod(w, i, R_MOD) // w**i/n*(z-w)**-1 + res := mulmod(w, zpnmo, R_MOD) - // } + } - // /// @dev https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-5.2 - // /// @param x x coordinate of a point on Bn254(𝔽_p) - // /// @param y y coordinate of a point on Bn254(𝔽_p) - // /// @param mPtr free memory - // /// @return res an element mod R_MOD - // function hash_fr(x, y, mPtr)->res { + /// @dev https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-06#section-5.2 + /// @param p pointer to a marshalled point on BLS12-381(𝔽_p) + /// @param mPtr free memory + /// @return res an element mod R_MOD + function hash_fr(p, mPtr)->res { - // // [0x00, .. , 0x00 || x, y, || 0, 48, 0, dst, HASH_FR_SIZE_DOMAIN] - // // <- 64 bytes -> <-64b -> <- 1 bytes each -> + // [0x00, .. , 0x00 || x, y, || 0, 48, 0, dst, HASH_FR_SIZE_DOMAIN] + // <- 64 bytes -> <-64b -> <- 1 bytes each -> - // // [0x00, .., 0x00] 64 bytes of zero - // mstore(mPtr, HASH_FR_ZERO_UINT256) - // mstore(add(mPtr, 0x20), HASH_FR_ZERO_UINT256) + // [0x00, .., 0x00] 64 bytes of zero + mstore(mPtr, HASH_FR_ZERO_UINT256) + mstore(add(mPtr, 0x20), HASH_FR_ZERO_UINT256) - // // msg = x || y , both on 32 bytes - // mstore(add(mPtr, 0x40), x) - // mstore(add(mPtr, 0x60), y) - - // // 0 || 48 || 0 all on 1 byte - // mstore8(add(mPtr, 0x80), 0) - // mstore8(add(mPtr, 0x81), HASH_FR_LEN_IN_BYTES) - // mstore8(add(mPtr, 0x82), 0) - - // // "BSB22-Plonk" = [42, 53, 42, 32, 32, 2d, 50, 6c, 6f, 6e, 6b,] - // mstore8(add(mPtr, 0x83), 0x42) - // mstore8(add(mPtr, 0x84), 0x53) - // mstore8(add(mPtr, 0x85), 0x42) - // mstore8(add(mPtr, 0x86), 0x32) - // mstore8(add(mPtr, 0x87), 0x32) - // mstore8(add(mPtr, 0x88), 0x2d) - // mstore8(add(mPtr, 0x89), 0x50) - // mstore8(add(mPtr, 0x8a), 0x6c) - // mstore8(add(mPtr, 0x8b), 0x6f) - // mstore8(add(mPtr, 0x8c), 0x6e) - // mstore8(add(mPtr, 0x8d), 0x6b) - - // // size domain - // mstore8(add(mPtr, 0x8e), HASH_FR_SIZE_DOMAIN) - - // let l_success := staticcall(gas(), SHA2, mPtr, 0x8f, mPtr, 0x20) - // if iszero(l_success) { - // error_verify() - // } + // msg = p , both on 96 bytes + calldatacopy(add(mPtr, 0x40), p, 0x60) + + // 0 || 48 || 0 all on 1 byte + mstore8(add(mPtr, 0xa0), 0) + mstore8(add(mPtr, 0xa1), HASH_FR_LEN_IN_BYTES) + mstore8(add(mPtr, 0xa2), 0) + + // "BSB22-Plonk" = [42, 53, 42, 32, 32, 2d, 50, 6c, 6f, 6e, 6b,] + mstore8(add(mPtr, 0xa3), 0x42) + mstore8(add(mPtr, 0xa4), 0x53) + mstore8(add(mPtr, 0xa5), 0x42) + mstore8(add(mPtr, 0xa6), 0x32) + mstore8(add(mPtr, 0xa7), 0x32) + mstore8(add(mPtr, 0xa8), 0x2d) + mstore8(add(mPtr, 0xa9), 0x50) + mstore8(add(mPtr, 0xaa), 0x6c) + mstore8(add(mPtr, 0xab), 0x6f) + mstore8(add(mPtr, 0xac), 0x6e) + mstore8(add(mPtr, 0xad), 0x6b) + + // size domain + mstore8(add(mPtr, 0xae), HASH_FR_SIZE_DOMAIN) + + let l_success := staticcall(gas(), SHA2, mPtr, 0xaf, mPtr, 0x20) + if iszero(l_success) { + error_verify() + } - // let b0 := mload(mPtr) + let b0 := mload(mPtr) - // // [b0 || one || dst || HASH_FR_SIZE_DOMAIN] - // // <-64bytes -> <- 1 byte each -> - // mstore8(add(mPtr, 0x20), HASH_FR_ONE) // 1 + // [b0 || one || dst || HASH_FR_SIZE_DOMAIN] + // <-64bytes -> <- 1 byte each -> + mstore8(add(mPtr, 0x20), HASH_FR_ONE) // 1 - // mstore8(add(mPtr, 0x21), 0x42) // dst - // mstore8(add(mPtr, 0x22), 0x53) - // mstore8(add(mPtr, 0x23), 0x42) - // mstore8(add(mPtr, 0x24), 0x32) - // mstore8(add(mPtr, 0x25), 0x32) - // mstore8(add(mPtr, 0x26), 0x2d) - // mstore8(add(mPtr, 0x27), 0x50) - // mstore8(add(mPtr, 0x28), 0x6c) - // mstore8(add(mPtr, 0x29), 0x6f) - // mstore8(add(mPtr, 0x2a), 0x6e) - // mstore8(add(mPtr, 0x2b), 0x6b) - - // mstore8(add(mPtr, 0x2c), HASH_FR_SIZE_DOMAIN) // size domain - // l_success := staticcall(gas(), SHA2, mPtr, 0x2d, mPtr, 0x20) - // if iszero(l_success) { - // error_verify() - // } + mstore8(add(mPtr, 0x21), 0x42) // dst + mstore8(add(mPtr, 0x22), 0x53) + mstore8(add(mPtr, 0x23), 0x42) + mstore8(add(mPtr, 0x24), 0x32) + mstore8(add(mPtr, 0x25), 0x32) + mstore8(add(mPtr, 0x26), 0x2d) + mstore8(add(mPtr, 0x27), 0x50) + mstore8(add(mPtr, 0x28), 0x6c) + mstore8(add(mPtr, 0x29), 0x6f) + mstore8(add(mPtr, 0x2a), 0x6e) + mstore8(add(mPtr, 0x2b), 0x6b) + + mstore8(add(mPtr, 0x2c), HASH_FR_SIZE_DOMAIN) // size domain + l_success := staticcall(gas(), SHA2, mPtr, 0x2d, mPtr, 0x20) + if iszero(l_success) { + error_verify() + } - // // b1 is located at mPtr. We store b2 at add(mPtr, 0x20) - - // // [b0^b1 || two || dst || HASH_FR_SIZE_DOMAIN] - // // <-64bytes -> <- 1 byte each -> - // mstore(add(mPtr, 0x20), xor(mload(mPtr), b0)) - // mstore8(add(mPtr, 0x40), HASH_FR_TWO) - - // mstore8(add(mPtr, 0x41), 0x42) // dst - // mstore8(add(mPtr, 0x42), 0x53) - // mstore8(add(mPtr, 0x43), 0x42) - // mstore8(add(mPtr, 0x44), 0x32) - // mstore8(add(mPtr, 0x45), 0x32) - // mstore8(add(mPtr, 0x46), 0x2d) - // mstore8(add(mPtr, 0x47), 0x50) - // mstore8(add(mPtr, 0x48), 0x6c) - // mstore8(add(mPtr, 0x49), 0x6f) - // mstore8(add(mPtr, 0x4a), 0x6e) - // mstore8(add(mPtr, 0x4b), 0x6b) - - // mstore8(add(mPtr, 0x4c), HASH_FR_SIZE_DOMAIN) // size domain - - // let offset := add(mPtr, 0x20) - // l_success := staticcall(gas(), SHA2, offset, 0x2d, offset, 0x20) - // if iszero(l_success) { - // error_verify() - // } + // b1 is located at mPtr. We store b2 at add(mPtr, 0x20) + + // [b0^b1 || two || dst || HASH_FR_SIZE_DOMAIN] + // <-64bytes -> <- 1 byte each -> + mstore(add(mPtr, 0x20), xor(mload(mPtr), b0)) + mstore8(add(mPtr, 0x40), HASH_FR_TWO) + + mstore8(add(mPtr, 0x41), 0x42) // dst + mstore8(add(mPtr, 0x42), 0x53) + mstore8(add(mPtr, 0x43), 0x42) + mstore8(add(mPtr, 0x44), 0x32) + mstore8(add(mPtr, 0x45), 0x32) + mstore8(add(mPtr, 0x46), 0x2d) + mstore8(add(mPtr, 0x47), 0x50) + mstore8(add(mPtr, 0x48), 0x6c) + mstore8(add(mPtr, 0x49), 0x6f) + mstore8(add(mPtr, 0x4a), 0x6e) + mstore8(add(mPtr, 0x4b), 0x6b) + + mstore8(add(mPtr, 0x4c), HASH_FR_SIZE_DOMAIN) // size domain + + let offset := add(mPtr, 0x20) + l_success := staticcall(gas(), SHA2, offset, 0x2d, offset, 0x20) + if iszero(l_success) { + error_verify() + } - // // at this point we have mPtr = [ b1 || b2] where b1 is on 32byes and b2 in 16bytes. - // // we interpret it as a big integer mod r in big endian (similar to regular decimal notation) - // // the result is then 2**(8*16)*mPtr[:32] + mPtr[32:48] - // res := mulmod(mload(mPtr), HASH_FR_BB, R_MOD) // <- res = 2**128 * mPtr[:32] - // let b1 := shr(128, mload(add(mPtr, 0x20))) // b1 <- [0, 0, .., 0 || b2[:16] ] - // res := addmod(res, b1, R_MOD) + // at this point we have mPtr = [ b1 || b2] where b1 is on 32byes and b2 in 16bytes. + // we interpret it as a big integer mod r in big endian (similar to regular decimal notation) + // the result is then 2**(8*16)*mPtr[:32] + mPtr[32:48] + res := mulmod(mload(mPtr), HASH_FR_BB, R_MOD) // <- res = 2**128 * mPtr[:32] + let b1 := shr(128, mload(add(mPtr, 0x20))) // b1 <- [0, 0, .., 0 || b2[:16] ] + res := addmod(res, b1, R_MOD) - // } - // {{ end }} - // // END compute_pi ------------------------------------------------- + } + {{ end }} + // END compute_pi ------------------------------------------------- // /// @notice compute α² * 1/n * (ζ{n}-1)/(ζ - 1) where // /// * α = challenge derived in derive_gamma_beta_alpha_zeta @@ -990,7 +988,7 @@ contract PlonkVerifier { // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) // {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) }} - // let poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // let poqaz := add(aproof, PROOF_QCP_AT_ZETA) // {{ range $index, $element := .Vk.CommitmentConstraintIndexes }} // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) // mstore(mPtr, VK_QCP_{{ $index }}_X) @@ -1049,7 +1047,7 @@ contract PlonkVerifier { // let _mPtr := add(mPtr, add(offset, 0xc0)) // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // let _poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // let _poqaz := add(aproof, PROOF_QCP_AT_ZETA) // calldatacopy(_mPtr, _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) // _mPtr := add(_mPtr, mul(VK_NB_CUSTOM_GATES, 0x20)) // {{ end }} @@ -1113,7 +1111,7 @@ contract PlonkVerifier { // ) // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // let qcp_opening_at_zeta := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // let qcp_opening_at_zeta := add(aproof, PROOF_QCP_AT_ZETA) // let bsb_commitments := add(aproof, PROOF_BSB_COMMITMENTS) // for { // let i := 0 @@ -1365,23 +1363,23 @@ contract PlonkVerifier { // mstore(dst, addmod(mload(dst), tmp, R_MOD)) // } - // /// @param x element to exponentiate - // /// @param e exponent - // /// @param mPtr free memory - // /// @return res x ** e mod r - // function pow(x, e, mPtr)->res { - // mstore(mPtr, 0x20) - // mstore(add(mPtr, 0x20), 0x20) - // mstore(add(mPtr, 0x40), 0x20) - // mstore(add(mPtr, 0x60), x) - // mstore(add(mPtr, 0x80), e) - // mstore(add(mPtr, 0xa0), R_MOD) - // let check_staticcall := staticcall(gas(),MOD_EXP,mPtr,0xc0,mPtr,0x20) - // if eq(check_staticcall, 0) { - // error_mod_exp() - // } - // res := mload(mPtr) - // } + /// @param x element to exponentiate + /// @param e exponent + /// @param mPtr free memory + /// @return res x ** e mod r + function pow(x, e, mPtr)->res { + mstore(mPtr, 0x20) + mstore(add(mPtr, 0x20), 0x20) + mstore(add(mPtr, 0x40), 0x20) + mstore(add(mPtr, 0x60), x) + mstore(add(mPtr, 0x80), e) + mstore(add(mPtr, 0xa0), R_MOD) + let check_staticcall := staticcall(gas(),MOD_EXP,mPtr,0xc0,mPtr,0x20) + if eq(check_staticcall, 0) { + error_mod_exp() + } + res := mload(mPtr) + } } emit PrintUint256(check); return true; From 7bde756fa6f61d2faa8ff826396c5c270ecccc0a Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Tue, 22 Jul 2025 22:38:15 +0200 Subject: [PATCH 08/23] feat: compute_alpha_square_lagrange_0 ok --- backend/plonk/bls12-381/solidity.go | 38 ++++++++++++++--------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 0effd55753..f1513a6442 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -224,7 +224,7 @@ contract PlonkVerifier { {{ end -}} mstore(add(mem, STATE_PI), l_pi) - // compute_alpha_square_lagrange_0() + compute_alpha_square_lagrange_0() // compute_opening_linearised_polynomial(proof.offset) // fold_h(proof.offset) // compute_commitment_linearised_polynomial(proof.offset) @@ -820,26 +820,26 @@ contract PlonkVerifier { {{ end }} // END compute_pi ------------------------------------------------- - // /// @notice compute α² * 1/n * (ζ{n}-1)/(ζ - 1) where - // /// * α = challenge derived in derive_gamma_beta_alpha_zeta - // /// * n = vk_domain_size - // /// * ω = vk_omega (generator of the multiplicative cyclic group of order n in (ℤ/rℤ)*) - // /// * ζ = zeta (challenge derived with Fiat Shamir) - // function compute_alpha_square_lagrange_0() { - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) + /// @notice compute α² * 1/n * (ζ{n}-1)/(ζ - 1) where + /// * α = challenge derived in derive_gamma_beta_alpha_zeta + /// * n = vk_domain_size + /// * ω = vk_omega (generator of the multiplicative cyclic group of order n in (ℤ/rℤ)*) + /// * ζ = zeta (challenge derived with Fiat Shamir) + function compute_alpha_square_lagrange_0() { + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) - // let res := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) - // let den := addmod(mload(add(state, STATE_ZETA)), sub(R_MOD, 1), R_MOD) - // den := pow(den, sub(R_MOD, 2), mPtr) - // den := mulmod(den, VK_INV_DOMAIN_SIZE, R_MOD) - // res := mulmod(den, res, R_MOD) + let res := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + let den := addmod(mload(add(state, STATE_ZETA)), sub(R_MOD, 1), R_MOD) + den := pow(den, sub(R_MOD, 2), mPtr) + den := mulmod(den, VK_INV_DOMAIN_SIZE, R_MOD) + res := mulmod(den, res, R_MOD) - // let l_alpha := mload(add(state, STATE_ALPHA)) - // res := mulmod(res, l_alpha, R_MOD) - // res := mulmod(res, l_alpha, R_MOD) - // mstore(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0), res) - // } + let l_alpha := mload(add(state, STATE_ALPHA)) + res := mulmod(res, l_alpha, R_MOD) + res := mulmod(res, l_alpha, R_MOD) + mstore(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0), res) + } // /// @notice follows alg. p.13 of https://eprint.iacr.org/2019/953.pdf // /// with t₁ = t₂ = 1, and the proofs are ([digest] + [quotient] +purported evaluation): From de5f11a6b9bf8cc16c2838ac6102040d4fcec3e2 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Wed, 23 Jul 2025 18:50:37 +0200 Subject: [PATCH 09/23] feat: fold_h ok --- backend/plonk/bls12-381/solidity.go | 156 +++++++++++++++------------- 1 file changed, 84 insertions(+), 72 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index f1513a6442..cb09407d4a 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -140,14 +140,11 @@ contract PlonkVerifier { uint256 private constant STATE_GAMMA = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_ALPHA_SQUARE_LAGRANGE_0 = {{ hex $offset }};{{ $offset = add $offset 0x20}} - uint256 private constant STATE_FOLDED_H_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant STATE_FOLDED_H_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant STATE_LINEARISED_POLYNOMIAL_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant STATE_LINEARISED_POLYNOMIAL_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_FOLDED_H = {{ hex $offset }}; // each coord is on 0x40 bytes, the top 0x10 bytes equal to 0{{ $offset = add $offset 0x80}} + uint256 private constant STATE_LINEARISED_POLYNOMIAL = {{ hex $offset }};{{ $offset = add $offset 0x80}} uint256 private constant STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_FOLDED_CLAIMED_VALUES = {{ hex $offset }};{{ $offset = add $offset 0x20}} // Folded proof for the opening of H, linearised poly, l, r, o, s_1, s_2, qcp - uint256 private constant STATE_FOLDED_DIGESTS_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} // linearised poly, l, r, o, s_1, s_2, qcp - uint256 private constant STATE_FOLDED_DIGESTS_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} + uint256 private constant STATE_FOLDED_DIGESTS = {{ hex $offset }};{{ $offset = add $offset 0x80}} // linearised poly, l, r, o, s_1, s_2, qcp uint256 private constant STATE_PI = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_ZETA_POWER_N_MINUS_ONE = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_GAMMA_KZG = {{ hex $offset }};{{ $offset = add $offset 0x20}} @@ -179,8 +176,7 @@ contract PlonkVerifier { uint8 private constant SHA2 = 0x2; uint8 private constant MOD_EXP = 0x5; uint8 private constant EC_ADD = 0x6; - uint8 private constant EC_MUL = 0x7; - uint8 private constant EC_PAIR = 0x8; + uint8 private constant BLS12_MSM_G1 = 0x0c; event PrintUint256(uint256 x); @@ -225,7 +221,7 @@ contract PlonkVerifier { mstore(add(mem, STATE_PI), l_pi) compute_alpha_square_lagrange_0() - // compute_opening_linearised_polynomial(proof.offset) + compute_opening_linearised_polynomial(proof.offset) // fold_h(proof.offset) // compute_commitment_linearised_polynomial(proof.offset) // compute_gamma_kzg(proof.offset) @@ -255,16 +251,16 @@ contract PlonkVerifier { revert(ptError, 0x64) } - // /// Called when an operation on Bn254 fails - // /// @dev for instance when calling EcMul on a point not on Bn254. - // function error_ec_op() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0x12) - // mstore(add(ptError, 0x44), "error ec operation") - // revert(ptError, 0x64) - // } + /// Called when an operation on Bn254 fails + /// @dev for instance when calling EcMul on a point not on Bn254. + function error_ec_op() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0x12) + mstore(add(ptError, 0x44), "error ec operation") + revert(ptError, 0x64) + } // /// Called when one of the public inputs is not reduced. // function error_inputs_size() { @@ -1201,62 +1197,78 @@ contract PlonkVerifier { // compute_commitment_linearised_polynomial_ec(aproof, s1, s2) // } - // /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at - // /// state + state_folded_h - // /// @param aproof pointer to the proof - // function fold_h(aproof) { - // let state := mload(0x40) - // let n_plus_two := add(VK_DOMAIN_SIZE, 2) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) - // let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - // point_mul_calldata(add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_2_COM_X), zeta_power_n_plus_two, mPtr) - // point_add_calldata(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_1_COM_X), mPtr) - // point_mul(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), zeta_power_n_plus_two, mPtr) - // point_add_calldata(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), add(aproof, PROOF_H_0_COM_X), mPtr) - // point_mul(add(state, STATE_FOLDED_H_X), add(state, STATE_FOLDED_H_X), mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)), mPtr) - // let folded_h_y := mload(add(state, STATE_FOLDED_H_Y)) - // folded_h_y := sub(P_MOD, folded_h_y) - // mstore(add(state, STATE_FOLDED_H_Y), folded_h_y) - // } + /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at + /// state + state_folded_h + /// @param aproof pointer to the proof + function fold_h(aproof) { + let state := mload(0x40) + let n_plus_two := add(VK_DOMAIN_SIZE, 2) + let mPtr := add(mload(0x40), STATE_LAST_MEM) + let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + let zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two, zeta_power_n_plus_two, R_MOD) + let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + h_zeta := sub(R_MOD, h_zeta) + zeta_power_n_plus_two := mulmod(zeta_power_n_plus_two, h_zeta, R_MOD) + zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two_square, h_zeta, R_MOD) + mstore(mPtr, 0x00) + calldatacopy(add(mPtr, 0x10), add(aproof, PROOF_H_0_COM_X), 0x30) + mstore(add(mPtr, 0x40), 0x00) + calldatacopy(add(mPtr, 0x50), add(aproof, PROOF_H_0_COM_Y), 0x30) + mstore(add(mPtr, 0x80), h_zeta) + mstore(add(mPtr, 0xa0), 0x00) + calldatacopy(add(mPtr, 0xb0), add(aproof, PROOF_H_1_COM_X), 0x30) + mstore(add(mPtr, 0xe0), 0x00) + calldatacopy(add(mPtr, 0xf0), add(aproof, PROOF_H_1_COM_Y), 0x30) + mstore(add(mPtr, 0x120), zeta_power_n_plus_two) + mstore(add(mPtr, 0x140), 0x00) + calldatacopy(add(mPtr, 0x150), add(aproof, PROOF_H_2_COM_X), 0x30) + mstore(add(mPtr, 0x180), 0x00) + calldatacopy(add(mPtr, 0x190), add(aproof, PROOF_H_2_COM_Y), 0x30) + mstore(add(mPtr, 0x1c0), zeta_power_n_plus_two_square) + let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, 0x1e0, add(state, STATE_FOLDED_H), 0x80) + if iszero(l_success){ + error_ec_op() + } + } - // /// @notice check that the opening of the linearised polynomial at zeta is equal to - // /// - [ PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) ] - // /// @param aproof pointer to the proof - // function compute_opening_linearised_polynomial(aproof) { + /// @notice check that the opening of the linearised polynomial at zeta is equal to + /// - [ PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) ] + /// @param aproof pointer to the proof + function compute_opening_linearised_polynomial(aproof) { - // let state := mload(0x40) - - // // (l(ζ)+β*s1(ζ)+γ) - // let s1 - // s1 := mulmod(calldataload(add(aproof, PROOF_S1_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD) - // s1 := addmod(s1, mload(add(state, STATE_GAMMA)), R_MOD) - // s1 := addmod(s1, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) - - // // (r(ζ)+β*s2(ζ)+γ) - // let s2 - // s2 := mulmod(calldataload(add(aproof, PROOF_S2_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD) - // s2 := addmod(s2, mload(add(state, STATE_GAMMA)), R_MOD) - // s2 := addmod(s2, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) - - // // (o(ζ)+γ) - // let o - // o := addmod(calldataload(add(aproof, PROOF_O_AT_ZETA)), mload(add(state, STATE_GAMMA)), R_MOD) - - // // α*Z(μζ)*(l(ζ)+β*s1(ζ)+γ)*(r(ζ)+β*s2(ζ)+γ)*(o(ζ)+γ) - // s1 := mulmod(s1, s2, R_MOD) - // s1 := mulmod(s1, o, R_MOD) - // s1 := mulmod(s1, mload(add(state, STATE_ALPHA)), R_MOD) - // s1 := mulmod(s1, calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), R_MOD) - - // // PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) - // s1 := addmod(s1, mload(add(state, STATE_PI)), R_MOD) - // s2 := mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)) - // s2 := sub(R_MOD, s2) - // s1 := addmod(s1, s2, R_MOD) - // s1 := sub(R_MOD, s1) + let state := mload(0x40) - // mstore(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA), s1) - // } + // (l(ζ)+β*s1(ζ)+γ) + let s1 + s1 := mulmod(calldataload(add(aproof, PROOF_S1_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD) + s1 := addmod(s1, mload(add(state, STATE_GAMMA)), R_MOD) + s1 := addmod(s1, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + + // (r(ζ)+β*s2(ζ)+γ) + let s2 + s2 := mulmod(calldataload(add(aproof, PROOF_S2_AT_ZETA)), mload(add(state, STATE_BETA)), R_MOD) + s2 := addmod(s2, mload(add(state, STATE_GAMMA)), R_MOD) + s2 := addmod(s2, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + + // (o(ζ)+γ) + let o + o := addmod(calldataload(add(aproof, PROOF_O_AT_ZETA)), mload(add(state, STATE_GAMMA)), R_MOD) + + // α*Z(μζ)*(l(ζ)+β*s1(ζ)+γ)*(r(ζ)+β*s2(ζ)+γ)*(o(ζ)+γ) + s1 := mulmod(s1, s2, R_MOD) + s1 := mulmod(s1, o, R_MOD) + s1 := mulmod(s1, mload(add(state, STATE_ALPHA)), R_MOD) + s1 := mulmod(s1, calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), R_MOD) + + // PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) + s1 := addmod(s1, mload(add(state, STATE_PI)), R_MOD) + s2 := mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)) + s2 := sub(R_MOD, s2) + s1 := addmod(s1, s2, R_MOD) + s1 := sub(R_MOD, s1) + + mstore(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA), s1) + } // // BEGINNING utils math functions ------------------------------------------------- From 604aaa48248d2cd9142ed66b60b5dca5d9ec631e Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Wed, 23 Jul 2025 19:08:08 +0200 Subject: [PATCH 10/23] refactor: store point calldata --- backend/plonk/bls12-381/solidity.go | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index cb09407d4a..36e2115b0c 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -1197,6 +1197,18 @@ contract PlonkVerifier { // compute_commitment_linearised_polynomial_ec(aproof, s1, s2) // } + /// @notice stores a point at dst, from src. The point in src is stored + /// as [x || y] where x and y are on 0x30 bytes, and in dst the point is stored + /// as [x || y] where x and y are on 0x40 bytes, the top 0x10 bytes being 0. + /// @param dst destination pointer storing the new point + /// @param src source pointer (calldata) + function store_point_calldata(dst, src) { + mstore(dst, 0x00) + calldatacopy(add(dst, 0x10), src, 0x30) + mstore(add(dst, 0x40), 0x00) + calldatacopy(add(dst, 0x50), add(src, 0x30), 0x30) + } + /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at /// state + state_folded_h /// @param aproof pointer to the proof @@ -1210,20 +1222,11 @@ contract PlonkVerifier { h_zeta := sub(R_MOD, h_zeta) zeta_power_n_plus_two := mulmod(zeta_power_n_plus_two, h_zeta, R_MOD) zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two_square, h_zeta, R_MOD) - mstore(mPtr, 0x00) - calldatacopy(add(mPtr, 0x10), add(aproof, PROOF_H_0_COM_X), 0x30) - mstore(add(mPtr, 0x40), 0x00) - calldatacopy(add(mPtr, 0x50), add(aproof, PROOF_H_0_COM_Y), 0x30) + store_point_calldata(mPtr, add(aproof, PROOF_H_0_COM_X)) + store_point_calldata(add(mPtr, 0xa0), add(aproof, PROOF_H_1_COM_X)) + store_point_calldata(add(mPtr, 0x140), add(aproof, PROOF_H_2_COM_X)) mstore(add(mPtr, 0x80), h_zeta) - mstore(add(mPtr, 0xa0), 0x00) - calldatacopy(add(mPtr, 0xb0), add(aproof, PROOF_H_1_COM_X), 0x30) - mstore(add(mPtr, 0xe0), 0x00) - calldatacopy(add(mPtr, 0xf0), add(aproof, PROOF_H_1_COM_Y), 0x30) mstore(add(mPtr, 0x120), zeta_power_n_plus_two) - mstore(add(mPtr, 0x140), 0x00) - calldatacopy(add(mPtr, 0x150), add(aproof, PROOF_H_2_COM_X), 0x30) - mstore(add(mPtr, 0x180), 0x00) - calldatacopy(add(mPtr, 0x190), add(aproof, PROOF_H_2_COM_Y), 0x30) mstore(add(mPtr, 0x1c0), zeta_power_n_plus_two_square) let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, 0x1e0, add(state, STATE_FOLDED_H), 0x80) if iszero(l_success){ From fd4dfb9305632a4aaa05f79765ea4d92f1f8cbfa Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Wed, 23 Jul 2025 23:20:11 +0200 Subject: [PATCH 11/23] feat: wip linearised polynomial --- backend/plonk/bls12-381/solidity.go | 164 ++++++++++++++-------------- 1 file changed, 79 insertions(+), 85 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 36e2115b0c..4386431393 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -128,7 +128,7 @@ contract PlonkVerifier { uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant PROOF_QCP_AT_ZETA = {{ hex $offset }}; + uint256 private constant PROOF_OPENING_QCP_AT_ZETA = {{ hex $offset }}; uint256 private constant PROOF_BSB_COMMITMENTS = {{ hex (add $offset (mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) )}}; // -------- offset state @@ -147,6 +147,8 @@ contract PlonkVerifier { uint256 private constant STATE_FOLDED_DIGESTS = {{ hex $offset }};{{ $offset = add $offset 0x80}} // linearised poly, l, r, o, s_1, s_2, qcp uint256 private constant STATE_PI = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_ZETA_POWER_N_MINUS_ONE = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant ZETA_POWER_N_PLUS_TWO = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant ZETA_POWER_N_PLUS_TWO_SQUARE = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_GAMMA_KZG = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_SUCCESS = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_CHECK_VAR = {{ hex $offset }};{{ $offset = add $offset 0x20}} // /!\ this slot is used for debugging only @@ -395,9 +397,9 @@ contract PlonkVerifier { // error_proof_openings_size() // } - // // PROOF_QCP_AT_ZETA + // // PROOF_OPENING_QCP_AT_ZETA - // p := add(aproof, PROOF_QCP_AT_ZETA) + // p := add(aproof, PROOF_OPENING_QCP_AT_ZETA) // for {let i:=0} lt(i, VK_NB_CUSTOM_GATES) {i:=add(i,1)} // { // if gt(calldataload(p), R_MOD_MINUS_ONE) { @@ -984,7 +986,7 @@ contract PlonkVerifier { // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) // {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) }} - // let poqaz := add(aproof, PROOF_QCP_AT_ZETA) + // let poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) // {{ range $index, $element := .Vk.CommitmentConstraintIndexes }} // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) // mstore(mPtr, VK_QCP_{{ $index }}_X) @@ -1043,7 +1045,7 @@ contract PlonkVerifier { // let _mPtr := add(mPtr, add(offset, 0xc0)) // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // let _poqaz := add(aproof, PROOF_QCP_AT_ZETA) + // let _poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) // calldatacopy(_mPtr, _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) // _mPtr := add(_mPtr, mul(VK_NB_CUSTOM_GATES, 0x20)) // {{ end }} @@ -1060,87 +1062,52 @@ contract PlonkVerifier { // mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) // } - // function compute_commitment_linearised_polynomial_ec(aproof, s1, s2) { + function compute_commitment_linearised_polynomial_ec(aproof, s1, s2) { - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) - - // mstore(mPtr, VK_QL_COM_X) - // mstore(add(mPtr, 0x20), VK_QL_COM_Y) - // point_mul( - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // mPtr, - // calldataload(add(aproof, PROOF_L_AT_ZETA)), - // add(mPtr, 0x40) - // ) - - // mstore(mPtr, VK_QR_COM_X) - // mstore(add(mPtr, 0x20), VK_QR_COM_Y) - // point_acc_mul( - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // mPtr, - // calldataload(add(aproof, PROOF_R_AT_ZETA)), - // add(mPtr, 0x40) - // ) - - // let rl := mulmod(calldataload(add(aproof, PROOF_L_AT_ZETA)), calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) - // mstore(mPtr, VK_QM_COM_X) - // mstore(add(mPtr, 0x20), VK_QM_COM_Y) - // point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, rl, add(mPtr, 0x40)) - - // mstore(mPtr, VK_QO_COM_X) - // mstore(add(mPtr, 0x20), VK_QO_COM_Y) - // point_acc_mul( - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // mPtr, - // calldataload(add(aproof, PROOF_O_AT_ZETA)), - // add(mPtr, 0x40) - // ) - - // mstore(mPtr, VK_QK_COM_X) - // mstore(add(mPtr, 0x20), VK_QK_COM_Y) - // point_add( - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // mPtr, - // add(mPtr, 0x40) - // ) - - // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // let qcp_opening_at_zeta := add(aproof, PROOF_QCP_AT_ZETA) - // let bsb_commitments := add(aproof, PROOF_BSB_COMMITMENTS) - // for { - // let i := 0 - // } lt(i, VK_NB_CUSTOM_GATES) { - // i := add(i, 1) - // } { - // mstore(mPtr, calldataload(bsb_commitments)) - // mstore(add(mPtr, 0x20), calldataload(add(bsb_commitments, 0x20))) - // point_acc_mul( - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // mPtr, - // calldataload(qcp_opening_at_zeta), - // add(mPtr, 0x40) - // ) - // qcp_opening_at_zeta := add(qcp_opening_at_zeta, 0x20) - // bsb_commitments := add(bsb_commitments, 0x40) - // } - // {{ end }} - - // mstore(mPtr, VK_S3_COM_X) - // mstore(add(mPtr, 0x20), VK_S3_COM_Y) - // point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, s1, add(mPtr, 0x40)) - - // mstore(mPtr, calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X))) - // mstore(add(mPtr, 0x20), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_Y))) - // point_acc_mul(add(state, STATE_LINEARISED_POLYNOMIAL_X), mPtr, s2, add(mPtr, 0x40)) - - // point_add( - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // add(state, STATE_LINEARISED_POLYNOMIAL_X), - // add(state, STATE_FOLDED_H_X), - // mPtr) - // } + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) + {{ $offset = 0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_hi, VK_QL_COM_X_lo, VK_QL_COM_Y_hi, VK_QL_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_hi, VK_QR_COM_X_lo, VK_QR_COM_Y_hi, VK_QR_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_hi, VK_QM_COM_X_lo, VK_QM_COM_Y_hi, VK_QM_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_hi, VK_QO_COM_X_lo, VK_QO_COM_Y_hi, VK_QO_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_hi, VK_QK_COM_X_lo, VK_QK_COM_Y_hi, VK_QK_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_hi, VK_S3_COM_X_lo, VK_S3_COM_Y_hi, VK_S3_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X)){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_0_COM_X)){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_1_COM_X)){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_2_COM_X)){{ $offset = add $offset 0xa0 }} + {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + {{ $tmp := 0 }} + for {let i := 0} lt(i, VK_NB_CUSTOM_GATES) {i := add(i, 1)} { + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_BSB_COMMITMENTS, {{ $tmp }}))){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x60 }} + } + {{- end }} + let coeffz := addmod(s2, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) + let l := calldataload(add(aproof, PROOF_L_AT_ZETA)) + let r := calldataload(add(aproof, PROOF_R_AT_ZETA)) + let rl := mulmod(l, r, R_MOD) + let o := calldataload(add(aproof, PROOF_O_AT_ZETA)) + let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + h_zeta := sub(R_MOD, h_zeta) + {{ $offset = 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), l){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), r){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), rl){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), o){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), s1){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), coeffz){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), h_zeta){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, ZETA_POWER_N_PLUS_TWO))){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, ZETA_POWER_N_PLUS_TWO_SQUARE))){{ $offset = add $offset 0xa0 }} + {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + {{ $tmp := 0 }} + for {let i := 0} lt(i, VK_NB_CUSTOM_GATES) {i := add(i, 1)} { + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_OPENING_QCP_AT_ZETA, {{ $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} + } + {{- end }} + } // /// @notice Compute the commitment to the linearized polynomial equal to // /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + @@ -1208,6 +1175,33 @@ contract PlonkVerifier { mstore(add(dst, 0x40), 0x00) calldatacopy(add(dst, 0x50), add(src, 0x30), 0x30) } + + /// @param dst destination pointer storing the new point + /// @param x_hi MSB of x + /// @param x_lo LSB of x + /// @param y_hi MSB of y + /// @param y_hi LSB of y + function store_point(dst, x_hi, x_lo, y_hi, y_lo) { + mstore(dst, x_hi) + mstore(add(dst, 0x20), x_lo) + mstore(add(dst, 0x40), y_hi) + mstore(add(dst, 0x60), y_lo) + } + + /// @notice computes ζⁿ⁺² and ζ²⁽ⁿ⁺²⁾ + function compute_zeta_powers() { + let state := mload(0x40) + let n_plus_two := add(VK_DOMAIN_SIZE, 2) + let mPtr := add(mload(0x40), STATE_LAST_MEM) + let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + let zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two, zeta_power_n_plus_two, R_MOD) + let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + h_zeta := sub(R_MOD, h_zeta) + zeta_power_n_plus_two := mulmod(zeta_power_n_plus_two, h_zeta, R_MOD) + zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two_square, h_zeta, R_MOD) + mstore(add(state, ZETA_POWER_N_PLUS_TWO), zeta_power_n_plus_two) + mstore(add(state, ZETA_POWER_N_PLUS_TWO_SQUARE), zeta_power_n_plus_two_square) + } /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at /// state + state_folded_h From 6da402a766327508354b6d99eb07289ff47e11ff Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Wed, 23 Jul 2025 23:24:49 +0200 Subject: [PATCH 12/23] clean: renaming --- backend/plonk/bls12-381/solidity.go | 32 ++++++++++++++--------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 4386431393..5dfe87b8bc 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -147,8 +147,8 @@ contract PlonkVerifier { uint256 private constant STATE_FOLDED_DIGESTS = {{ hex $offset }};{{ $offset = add $offset 0x80}} // linearised poly, l, r, o, s_1, s_2, qcp uint256 private constant STATE_PI = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_ZETA_POWER_N_MINUS_ONE = {{ hex $offset }};{{ $offset = add $offset 0x20}} - uint256 private constant ZETA_POWER_N_PLUS_TWO = {{ hex $offset }};{{ $offset = add $offset 0x20}} - uint256 private constant ZETA_POWER_N_PLUS_TWO_SQUARE = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_ZETA_POWER_N_PLUS_TWO = {{ hex $offset }};{{ $offset = add $offset 0x20}} + uint256 private constant STATE_ZETA_POWER_N_PLUS_TWO_SQUARE = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_GAMMA_KZG = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_SUCCESS = {{ hex $offset }};{{ $offset = add $offset 0x20}} uint256 private constant STATE_CHECK_VAR = {{ hex $offset }};{{ $offset = add $offset 0x20}} // /!\ this slot is used for debugging only @@ -1099,8 +1099,8 @@ contract PlonkVerifier { mstore(add(mPtr, {{ hex $offset }}), s1){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), coeffz){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), h_zeta){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), mload(add(state, ZETA_POWER_N_PLUS_TWO))){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), mload(add(state, ZETA_POWER_N_PLUS_TWO_SQUARE))){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO))){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE))){{ $offset = add $offset 0xa0 }} {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} {{ $tmp := 0 }} for {let i := 0} lt(i, VK_NB_CUSTOM_GATES) {i := add(i, 1)} { @@ -1193,14 +1193,14 @@ contract PlonkVerifier { let state := mload(0x40) let n_plus_two := add(VK_DOMAIN_SIZE, 2) let mPtr := add(mload(0x40), STATE_LAST_MEM) - let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - let zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two, zeta_power_n_plus_two, R_MOD) + let STATE_ZETA_POWER_N_PLUS_TWO := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + let STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, STATE_ZETA_POWER_N_PLUS_TWO, R_MOD) let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) h_zeta := sub(R_MOD, h_zeta) - zeta_power_n_plus_two := mulmod(zeta_power_n_plus_two, h_zeta, R_MOD) - zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two_square, h_zeta, R_MOD) - mstore(add(state, ZETA_POWER_N_PLUS_TWO), zeta_power_n_plus_two) - mstore(add(state, ZETA_POWER_N_PLUS_TWO_SQUARE), zeta_power_n_plus_two_square) + STATE_ZETA_POWER_N_PLUS_TWO := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, h_zeta, R_MOD) + STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO_square, h_zeta, R_MOD) + mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO), STATE_ZETA_POWER_N_PLUS_TWO) + mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE), STATE_ZETA_POWER_N_PLUS_TWO_square) } /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at @@ -1210,18 +1210,18 @@ contract PlonkVerifier { let state := mload(0x40) let n_plus_two := add(VK_DOMAIN_SIZE, 2) let mPtr := add(mload(0x40), STATE_LAST_MEM) - let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - let zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two, zeta_power_n_plus_two, R_MOD) + let STATE_ZETA_POWER_N_PLUS_TWO := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + let STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, STATE_ZETA_POWER_N_PLUS_TWO, R_MOD) let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) h_zeta := sub(R_MOD, h_zeta) - zeta_power_n_plus_two := mulmod(zeta_power_n_plus_two, h_zeta, R_MOD) - zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two_square, h_zeta, R_MOD) + STATE_ZETA_POWER_N_PLUS_TWO := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, h_zeta, R_MOD) + STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO_square, h_zeta, R_MOD) store_point_calldata(mPtr, add(aproof, PROOF_H_0_COM_X)) store_point_calldata(add(mPtr, 0xa0), add(aproof, PROOF_H_1_COM_X)) store_point_calldata(add(mPtr, 0x140), add(aproof, PROOF_H_2_COM_X)) mstore(add(mPtr, 0x80), h_zeta) - mstore(add(mPtr, 0x120), zeta_power_n_plus_two) - mstore(add(mPtr, 0x1c0), zeta_power_n_plus_two_square) + mstore(add(mPtr, 0x120), STATE_ZETA_POWER_N_PLUS_TWO) + mstore(add(mPtr, 0x1c0), STATE_ZETA_POWER_N_PLUS_TWO_square) let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, 0x1e0, add(state, STATE_FOLDED_H), 0x80) if iszero(l_success){ error_ec_op() From 7e1060f8f7cba850c134c8780f1eb1d741cfdc26 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Thu, 24 Jul 2025 15:57:35 +0200 Subject: [PATCH 13/23] fix: compute_commitment_linearised_polynomial ok --- backend/plonk/bls12-381/solidity.go | 200 +++++++++++++++------------- 1 file changed, 104 insertions(+), 96 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 5dfe87b8bc..38603f4bac 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -223,9 +223,9 @@ contract PlonkVerifier { mstore(add(mem, STATE_PI), l_pi) compute_alpha_square_lagrange_0() + compute_zeta_powers_n_plus_two() + compute_commitment_linearised_polynomial(proof.offset) compute_opening_linearised_polynomial(proof.offset) - // fold_h(proof.offset) - // compute_commitment_linearised_polynomial(proof.offset) // compute_gamma_kzg(proof.offset) // fold_state(proof.offset) // batch_verify_multi_points(proof.offset) @@ -1062,7 +1062,64 @@ contract PlonkVerifier { // mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) // } - function compute_commitment_linearised_polynomial_ec(aproof, s1, s2) { + /// @notice Compute the commitment to the linearized polynomial equal to + /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + + /// α*( Z(μζ)(L(ζ)+β*S₁(ζ)+γ)*(R(ζ)+β*S₂(ζ)+γ)[S₃]-[Z](L(ζ)+β*id_{1}(ζ)+γ)*(R(ζ)+β*id_{2}(ζ)+γ)*(O(ζ)+β*id_{3}(ζ)+γ) ) + + /// α²*L₁(ζ)[Z] - Z_{H}(ζ)*(([H₀] + ζᵐ⁺²*[H₁] + ζ²⁽ᵐ⁺²⁾*[H₂]) + /// where + /// * id_1 = id, id_2 = vk_coset_shift*id, id_3 = vk_coset_shift^{2}*id + /// * the [] means that it's a commitment (i.e. a point on Bn254(F_p)) + /// * Z_{H}(ζ) = ζ^n-1 + /// @param aproof pointer to the proof + function compute_commitment_linearised_polynomial(aproof) { + + let state := mload(0x40) + let l_beta := mload(add(state, STATE_BETA)) + let l_gamma := mload(add(state, STATE_GAMMA)) + let l_zeta := mload(add(state, STATE_ZETA)) + let l_alpha := mload(add(state, STATE_ALPHA)) + + let u := mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) + let v := mulmod(l_beta, calldataload(add(aproof, PROOF_S1_AT_ZETA)), R_MOD) + v := addmod(v, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + v := addmod(v, l_gamma, R_MOD) + + let w := mulmod(l_beta, calldataload(add(aproof, PROOF_S2_AT_ZETA)), R_MOD) + w := addmod(w, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + w := addmod(w, l_gamma, R_MOD) + + let s1 := mulmod(u, v, R_MOD) + s1 := mulmod(s1, w, R_MOD) + s1 := mulmod(s1, l_alpha, R_MOD) + + let coset_square := mulmod(VK_COSET_SHIFT, VK_COSET_SHIFT, R_MOD) + let betazeta := mulmod(l_beta, l_zeta, R_MOD) + u := addmod(betazeta, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + u := addmod(u, l_gamma, R_MOD) + + v := mulmod(betazeta, VK_COSET_SHIFT, R_MOD) + v := addmod(v, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + v := addmod(v, l_gamma, R_MOD) + + w := mulmod(betazeta, coset_square, R_MOD) + w := addmod(w, calldataload(add(aproof, PROOF_O_AT_ZETA)), R_MOD) + w := addmod(w, l_gamma, R_MOD) + + let coeff_z := mulmod(u, v, R_MOD) + coeff_z := mulmod(coeff_z, w, R_MOD) + coeff_z := sub(R_MOD, coeff_z) + coeff_z := mulmod(coeff_z, l_alpha, R_MOD) + mstore(add(state, STATE_CHECK_VAR), coeff_z) + coeff_z := addmod(coeff_z, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) + + // at this stage: + // * s₁ = α*Z(μζ)(l(ζ)+β*s₁(ζ)+γ)*(r(ζ)+β*s₂(ζ)+γ)*β + // * s₂ = -α*(l(ζ)+β*ζ+γ)*(r(ζ)+β*u*ζ+γ)*(o(ζ)+β*u²*ζ+γ) + α²*L₁(ζ) + + compute_commitment_linearised_polynomial_ec(aproof, s1, coeff_z) + } + + function compute_commitment_linearised_polynomial_ec(aproof, s1, coeff_z) { let state := mload(0x40) let mPtr := add(mload(0x40), STATE_LAST_MEM) @@ -1078,12 +1135,12 @@ contract PlonkVerifier { store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_1_COM_X)){{ $offset = add $offset 0xa0 }} store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_2_COM_X)){{ $offset = add $offset 0xa0 }} {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - {{ $tmp := 0 }} - for {let i := 0} lt(i, VK_NB_CUSTOM_GATES) {i := add(i, 1)} { - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_BSB_COMMITMENTS, {{ $tmp }}))){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x60 }} - } + {{- $tmp := 0 }} + {{- range .Vk.Qcp}} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_BSB_COMMITMENTS, {{ hex $tmp }}))){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x60 }} + {{- end }} {{- end }} - let coeffz := addmod(s2, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) + let l := calldataload(add(aproof, PROOF_L_AT_ZETA)) let r := calldataload(add(aproof, PROOF_R_AT_ZETA)) let rl := mulmod(l, r, R_MOD) @@ -1097,72 +1154,23 @@ contract PlonkVerifier { mstore(add(mPtr, {{ hex $offset }}), o){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), s1){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), coeffz){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), coeff_z){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), h_zeta){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO))){{ $offset = add $offset 0xa0 }} mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE))){{ $offset = add $offset 0xa0 }} {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - {{ $tmp := 0 }} - for {let i := 0} lt(i, VK_NB_CUSTOM_GATES) {i := add(i, 1)} { - calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_OPENING_QCP_AT_ZETA, {{ $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} - } + {{- $tmp := 0 }} + {{- range .Vk.Qcp}} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_OPENING_QCP_AT_ZETA, {{ hex $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} {{- end }} - } + {{- end }} + {{ $offset = sub $offset 0x80 }} + let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, {{ hex $offset }}, add(state, STATE_LINEARISED_POLYNOMIAL), 0x80) + if iszero(l_success){ + error_ec_op() + } - // /// @notice Compute the commitment to the linearized polynomial equal to - // /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + - // /// α*( Z(μζ)(L(ζ)+β*S₁(ζ)+γ)*(R(ζ)+β*S₂(ζ)+γ)[S₃]-[Z](L(ζ)+β*id_{1}(ζ)+γ)*(R(ζ)+β*id_{2}(ζ)+γ)*(O(ζ)+β*id_{3}(ζ)+γ) ) + - // /// α²*L₁(ζ)[Z] - Z_{H}(ζ)*(([H₀] + ζᵐ⁺²*[H₁] + ζ²⁽ᵐ⁺²⁾*[H₂]) - // /// where - // /// * id_1 = id, id_2 = vk_coset_shift*id, id_3 = vk_coset_shift^{2}*id - // /// * the [] means that it's a commitment (i.e. a point on Bn254(F_p)) - // /// * Z_{H}(ζ) = ζ^n-1 - // /// @param aproof pointer to the proof - // function compute_commitment_linearised_polynomial(aproof) { - // let state := mload(0x40) - // let l_beta := mload(add(state, STATE_BETA)) - // let l_gamma := mload(add(state, STATE_GAMMA)) - // let l_zeta := mload(add(state, STATE_ZETA)) - // let l_alpha := mload(add(state, STATE_ALPHA)) - - // let u := mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) - // let v := mulmod(l_beta, calldataload(add(aproof, PROOF_S1_AT_ZETA)), R_MOD) - // v := addmod(v, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) - // v := addmod(v, l_gamma, R_MOD) - - // let w := mulmod(l_beta, calldataload(add(aproof, PROOF_S2_AT_ZETA)), R_MOD) - // w := addmod(w, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) - // w := addmod(w, l_gamma, R_MOD) - - // let s1 := mulmod(u, v, R_MOD) - // s1 := mulmod(s1, w, R_MOD) - // s1 := mulmod(s1, l_alpha, R_MOD) - - // let coset_square := mulmod(VK_COSET_SHIFT, VK_COSET_SHIFT, R_MOD) - // let betazeta := mulmod(l_beta, l_zeta, R_MOD) - // u := addmod(betazeta, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) - // u := addmod(u, l_gamma, R_MOD) - - // v := mulmod(betazeta, VK_COSET_SHIFT, R_MOD) - // v := addmod(v, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) - // v := addmod(v, l_gamma, R_MOD) - - // w := mulmod(betazeta, coset_square, R_MOD) - // w := addmod(w, calldataload(add(aproof, PROOF_O_AT_ZETA)), R_MOD) - // w := addmod(w, l_gamma, R_MOD) - - // let s2 := mulmod(u, v, R_MOD) - // s2 := mulmod(s2, w, R_MOD) - // s2 := sub(R_MOD, s2) - // s2 := mulmod(s2, l_alpha, R_MOD) - // s2 := addmod(s2, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) - - // // at this stage: - // // * s₁ = α*Z(μζ)(l(ζ)+β*s₁(ζ)+γ)*(r(ζ)+β*s₂(ζ)+γ)*β - // // * s₂ = -α*(l(ζ)+β*ζ+γ)*(r(ζ)+β*u*ζ+γ)*(o(ζ)+β*u²*ζ+γ) + α²*L₁(ζ) - - // compute_commitment_linearised_polynomial_ec(aproof, s1, s2) - // } + } /// @notice stores a point at dst, from src. The point in src is stored /// as [x || y] where x and y are on 0x30 bytes, and in dst the point is stored @@ -1189,44 +1197,44 @@ contract PlonkVerifier { } /// @notice computes ζⁿ⁺² and ζ²⁽ⁿ⁺²⁾ - function compute_zeta_powers() { + function compute_zeta_powers_n_plus_two() { let state := mload(0x40) let n_plus_two := add(VK_DOMAIN_SIZE, 2) let mPtr := add(mload(0x40), STATE_LAST_MEM) - let STATE_ZETA_POWER_N_PLUS_TWO := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - let STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, STATE_ZETA_POWER_N_PLUS_TWO, R_MOD) + let zeta_power_n_plus_two := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + let zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two, zeta_power_n_plus_two, R_MOD) let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) h_zeta := sub(R_MOD, h_zeta) - STATE_ZETA_POWER_N_PLUS_TWO := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, h_zeta, R_MOD) - STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO_square, h_zeta, R_MOD) - mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO), STATE_ZETA_POWER_N_PLUS_TWO) - mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE), STATE_ZETA_POWER_N_PLUS_TWO_square) + zeta_power_n_plus_two := mulmod(zeta_power_n_plus_two, h_zeta, R_MOD) + zeta_power_n_plus_two_square := mulmod(zeta_power_n_plus_two_square, h_zeta, R_MOD) + mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO), zeta_power_n_plus_two) + mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE), zeta_power_n_plus_two_square) } /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at /// state + state_folded_h /// @param aproof pointer to the proof - function fold_h(aproof) { - let state := mload(0x40) - let n_plus_two := add(VK_DOMAIN_SIZE, 2) - let mPtr := add(mload(0x40), STATE_LAST_MEM) - let STATE_ZETA_POWER_N_PLUS_TWO := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - let STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, STATE_ZETA_POWER_N_PLUS_TWO, R_MOD) - let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) - h_zeta := sub(R_MOD, h_zeta) - STATE_ZETA_POWER_N_PLUS_TWO := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, h_zeta, R_MOD) - STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO_square, h_zeta, R_MOD) - store_point_calldata(mPtr, add(aproof, PROOF_H_0_COM_X)) - store_point_calldata(add(mPtr, 0xa0), add(aproof, PROOF_H_1_COM_X)) - store_point_calldata(add(mPtr, 0x140), add(aproof, PROOF_H_2_COM_X)) - mstore(add(mPtr, 0x80), h_zeta) - mstore(add(mPtr, 0x120), STATE_ZETA_POWER_N_PLUS_TWO) - mstore(add(mPtr, 0x1c0), STATE_ZETA_POWER_N_PLUS_TWO_square) - let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, 0x1e0, add(state, STATE_FOLDED_H), 0x80) - if iszero(l_success){ - error_ec_op() - } - } + // function fold_h(aproof) { + // let state := mload(0x40) + // let n_plus_two := add(VK_DOMAIN_SIZE, 2) + // let mPtr := add(mload(0x40), STATE_LAST_MEM) + // let STATE_ZETA_POWER_N_PLUS_TWO := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) + // let STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, STATE_ZETA_POWER_N_PLUS_TWO, R_MOD) + // let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + // h_zeta := sub(R_MOD, h_zeta) + // STATE_ZETA_POWER_N_PLUS_TWO := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, h_zeta, R_MOD) + // STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO_square, h_zeta, R_MOD) + // store_point_calldata(mPtr, add(aproof, PROOF_H_0_COM_X)) + // store_point_calldata(add(mPtr, 0xa0), add(aproof, PROOF_H_1_COM_X)) + // store_point_calldata(add(mPtr, 0x140), add(aproof, PROOF_H_2_COM_X)) + // mstore(add(mPtr, 0x80), h_zeta) + // mstore(add(mPtr, 0x120), STATE_ZETA_POWER_N_PLUS_TWO) + // mstore(add(mPtr, 0x1c0), STATE_ZETA_POWER_N_PLUS_TWO_square) + // let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, 0x1e0, add(state, STATE_FOLDED_H), 0x80) + // if iszero(l_success){ + // error_ec_op() + // } + // } /// @notice check that the opening of the linearised polynomial at zeta is equal to /// - [ PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) ] From ceebfbd72c48956ecc0a847b45e9a8a1a4d2fc9a Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Thu, 24 Jul 2025 19:24:54 +0200 Subject: [PATCH 14/23] feat: compute_gamma_kzg ok --- backend/plonk/bls12-381/solidity.go | 159 +++++++++++++--------------- 1 file changed, 71 insertions(+), 88 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 38603f4bac..e54401f3aa 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -226,7 +226,7 @@ contract PlonkVerifier { compute_zeta_powers_n_plus_two() compute_commitment_linearised_polynomial(proof.offset) compute_opening_linearised_polynomial(proof.offset) - // compute_gamma_kzg(proof.offset) + compute_gamma_kzg(proof.offset) // fold_state(proof.offset) // batch_verify_multi_points(proof.offset) @@ -998,69 +998,77 @@ contract PlonkVerifier { // {{ end -}} // } - // /// @notice generate the challenge (using Fiat Shamir) to fold the opening proofs - // /// at ζ. - // /// The process for deriving γ is the same as in derive_gamma but this time the inputs are - // /// in this order (the [] means it's a commitment): - // /// * ζ - // /// * [Linearised polynomial] - // /// * [L], [R], [O] - // /// * [S₁] [S₂] - // /// * [Pi_{i}] (wires associated to custom gates) - // /// Then there are the purported evaluations of the previous committed polynomials: - // /// * Linearised_polynomial(ζ) - // /// * L(ζ), R(ζ), O(ζ), S₁(ζ), S₂(ζ) - // /// * Pi_{i}(ζ) - // /// * Z(ζω) - // /// @param aproof pointer to the proof - // function compute_gamma_kzg(aproof) { + /// @notice generate the challenge (using Fiat Shamir) to fold the opening proofs + /// at ζ. + /// The process for deriving γ is the same as in derive_gamma but this time the inputs are + /// in this order (the [] means it's a commitment): + /// * ζ + /// * [Linearised polynomial] + /// * [L], [R], [O] + /// * [S₁] [S₂] + /// * [Pi_{i}] (wires associated to custom gates) + /// Then there are the purported evaluations of the previous committed polynomials: + /// * Linearised_polynomial(ζ) + /// * L(ζ), R(ζ), O(ζ), S₁(ζ), S₂(ζ) + /// * Pi_{i}(ζ) + /// * Z(ζω) + /// @param aproof pointer to the proof + function compute_gamma_kzg(aproof) { - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) - // mstore(mPtr, FS_GAMMA_KZG) // "gamma" - // mstore(add(mPtr, 0x20), mload(add(state, STATE_ZETA))) - // mstore(add(mPtr,0x40), mload(add(state, STATE_LINEARISED_POLYNOMIAL_X))) - // mstore(add(mPtr,0x60), mload(add(state, STATE_LINEARISED_POLYNOMIAL_Y))) - // calldatacopy(add(mPtr, 0x80), add(aproof, PROOF_L_COM_X), 0xc0) - // mstore(add(mPtr,0x140), VK_S1_COM_X) - // mstore(add(mPtr,0x160), VK_S1_COM_Y) - // mstore(add(mPtr,0x180), VK_S2_COM_X) - // mstore(add(mPtr,0x1a0), VK_S2_COM_Y) - - // let offset := 0x1c0 - - // {{ range $index, $element := .Vk.CommitmentConstraintIndexes -}} - // mstore(add(mPtr,offset), VK_QCP_{{ $index }}_X) - // mstore(add(mPtr,add(offset, 0x20)), VK_QCP_{{ $index }}_Y) - // offset := add(offset, 0x40) - // {{ end -}} - - // mstore(add(mPtr, offset), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) - // mstore(add(mPtr, add(offset, 0x20)), calldataload(add(aproof, PROOF_L_AT_ZETA))) - // mstore(add(mPtr, add(offset, 0x40)), calldataload(add(aproof, PROOF_R_AT_ZETA))) - // mstore(add(mPtr, add(offset, 0x60)), calldataload(add(aproof, PROOF_O_AT_ZETA))) - // mstore(add(mPtr, add(offset, 0x80)), calldataload(add(aproof, PROOF_S1_AT_ZETA))) - // mstore(add(mPtr, add(offset, 0xa0)), calldataload(add(aproof, PROOF_S2_AT_ZETA))) - - // let _mPtr := add(mPtr, add(offset, 0xc0)) - - // {{ if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - // let _poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) - // calldatacopy(_mPtr, _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) - // _mPtr := add(_mPtr, mul(VK_NB_CUSTOM_GATES, 0x20)) - // {{ end }} + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) - // mstore(_mPtr, calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA))) + {{ $offset = 0x1b0 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_hi){{ $offset = add $offset 0x30 }} + {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_hi){{ $offset = add $offset 0x30 }} + {{ end -}} + {{ $offset = 0x1d0 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_lo){{ $offset = add $offset 0x30 }} + {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x30 }} + {{ end -}} + {{ $tmp := sub $offset 0x10 }} - // let start_input := 0x1b // 00.."gamma" - // let size_input := add(0x14, mul(VK_NB_CUSTOM_GATES,3)) // number of 32bytes elmts = 0x14 (zeta+3*6 for the digests+openings) + 3*VK_NB_CUSTOM_GATES (for the commitments of the selectors) + 1 (opening of Z at ζω) - // size_input := add(0x5, mul(size_input, 0x20)) // size in bytes: 15*32 bytes + 5 bytes for gamma - // let check_staticcall := staticcall(gas(), SHA2, add(mPtr,start_input), size_input, add(state, STATE_GAMMA_KZG), 0x20) - // if iszero(check_staticcall) { - // error_verify() - // } - // mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) - // } + {{ $offset = 0 }} + mstore(mPtr, FS_GAMMA_KZG) // "gamma" {{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA))){{ $offset = add $offset 0x20 }} + mcopy(add(mPtr, {{ hex $offset }}), add(state, add(STATE_LINEARISED_POLYNOMIAL, 0x10)), 0x30){{ $offset = add $offset 0x30 }} + mcopy(add(mPtr, {{ hex $offset }}), add(state, add(STATE_LINEARISED_POLYNOMIAL, 0x50)), 0x30){{ $offset = add $offset 0x30 }} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_L_COM_X), 0x120) + + {{ $offset = $tmp }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) {{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_L_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_R_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_O_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S1_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S2_AT_ZETA))){{ $offset = add $offset 0x20 }} + + {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + let _poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + calldatacopy(add(mPtr, {{ hex $offset }}), _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) + {{ $offset = add $offset ( mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) }} + {{ end -}} + + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA))){{ $offset = add $offset 0x20 }} + + let start_input := 0x1b // 00.."gamma" + {{ $offset = add (sub $offset 0x20 ) 0x5 }} + let check_staticcall := staticcall(gas(), SHA2, add(mPtr,start_input), {{ hex $offset }}, add(state, STATE_GAMMA_KZG), 0x20) + if iszero(check_staticcall) { + error_verify() + } + mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) + } /// @notice Compute the commitment to the linearized polynomial equal to /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + @@ -1135,12 +1143,12 @@ contract PlonkVerifier { store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_1_COM_X)){{ $offset = add $offset 0xa0 }} store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_2_COM_X)){{ $offset = add $offset 0xa0 }} {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - {{- $tmp := 0 }} + {{- $tmp = 0 }} {{- range .Vk.Qcp}} store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_BSB_COMMITMENTS, {{ hex $tmp }}))){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x60 }} {{- end }} {{- end }} - + let l := calldataload(add(aproof, PROOF_L_AT_ZETA)) let r := calldataload(add(aproof, PROOF_R_AT_ZETA)) let rl := mulmod(l, r, R_MOD) @@ -1211,31 +1219,6 @@ contract PlonkVerifier { mstore(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE), zeta_power_n_plus_two_square) } - /// @notice compute -z_h(ζ)*([H₁] + ζⁿ⁺²[H₂] + ζ²⁽ⁿ⁺²⁾[H₃]) and store the result at - /// state + state_folded_h - /// @param aproof pointer to the proof - // function fold_h(aproof) { - // let state := mload(0x40) - // let n_plus_two := add(VK_DOMAIN_SIZE, 2) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) - // let STATE_ZETA_POWER_N_PLUS_TWO := pow(mload(add(state, STATE_ZETA)), n_plus_two, mPtr) - // let STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, STATE_ZETA_POWER_N_PLUS_TWO, R_MOD) - // let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) - // h_zeta := sub(R_MOD, h_zeta) - // STATE_ZETA_POWER_N_PLUS_TWO := mulmod(STATE_ZETA_POWER_N_PLUS_TWO, h_zeta, R_MOD) - // STATE_ZETA_POWER_N_PLUS_TWO_square := mulmod(STATE_ZETA_POWER_N_PLUS_TWO_square, h_zeta, R_MOD) - // store_point_calldata(mPtr, add(aproof, PROOF_H_0_COM_X)) - // store_point_calldata(add(mPtr, 0xa0), add(aproof, PROOF_H_1_COM_X)) - // store_point_calldata(add(mPtr, 0x140), add(aproof, PROOF_H_2_COM_X)) - // mstore(add(mPtr, 0x80), h_zeta) - // mstore(add(mPtr, 0x120), STATE_ZETA_POWER_N_PLUS_TWO) - // mstore(add(mPtr, 0x1c0), STATE_ZETA_POWER_N_PLUS_TWO_square) - // let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, 0x1e0, add(state, STATE_FOLDED_H), 0x80) - // if iszero(l_success){ - // error_ec_op() - // } - // } - /// @notice check that the opening of the linearised polynomial at zeta is equal to /// - [ PI(ζ) - α²*L₁(ζ) + α(l(ζ)+β*s1(ζ)+γ)(r(ζ)+β*s2(ζ)+γ)(o(ζ)+γ)*z(ωζ) ] /// @param aproof pointer to the proof From a2c7fa2961a36af8f772996c3a27fe26e1a01024 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Thu, 24 Jul 2025 23:24:02 +0200 Subject: [PATCH 15/23] feat: fold_state ok --- backend/plonk/bls12-381/solidity.go | 130 ++++++++++++++-------------- 1 file changed, 67 insertions(+), 63 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index e54401f3aa..7363a80117 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -227,7 +227,7 @@ contract PlonkVerifier { compute_commitment_linearised_polynomial(proof.offset) compute_opening_linearised_polynomial(proof.offset) compute_gamma_kzg(proof.offset) - // fold_state(proof.offset) + fold_state(proof.offset) // batch_verify_multi_points(proof.offset) // success := mload(add(mem, STATE_SUCCESS)) @@ -942,61 +942,65 @@ contract PlonkVerifier { // mstore(add(state, STATE_SUCCESS), res_pairing) // } - // /// @notice Fold the opening proofs at ζ: - // /// * at state+state_folded_digest we store: [Linearised_polynomial]+γ[L] + γ²[R] + γ³[O] + γ⁴[S₁] +γ⁵[S₂] + ∑ᵢγ⁵⁺ⁱ[Pi_{i}] - // /// * at state+state_folded_claimed_values we store: Linearised_polynomial(ζ)+γL(ζ) + γ²R(ζ)+ γ³O(ζ) + γ⁴S₁(ζ) +γ⁵S₂(ζ) + ∑ᵢγ⁵⁺ⁱPi_{i}(ζ) - // /// @param aproof pointer to the proof - // /// acc_gamma stores the γⁱ - // function fold_state(aproof) { + /// @notice Fold the opening proofs at ζ: + /// * at state+STATE_FOLDED_DIGEST we store: [Linearised_polynomial]+γ[L] + γ²[R] + γ³[O] + γ⁴[S₁] +γ⁵[S₂] + ∑ᵢγ⁵⁺ⁱ[Pi_{i}] + /// * at state+STATE_FOLDED_CLAIMED_VALUE we store: Linearised_polynomial(ζ)+γL(ζ) + γ²R(ζ)+ γ³O(ζ) + γ⁴S₁(ζ) +γ⁵S₂(ζ) + ∑ᵢγ⁵⁺ⁱPi_{i}(ζ) + /// @param aproof pointer to the proof + /// acc_gamma stores the γⁱ + function fold_state(aproof) { - // let state := mload(0x40) - // let mPtr := add(mload(0x40), STATE_LAST_MEM) - // let mPtr20 := add(mPtr, 0x20) - // let mPtr40 := add(mPtr, 0x40) - - // let l_gamma_kzg := mload(add(state, STATE_GAMMA_KZG)) - // let acc_gamma := l_gamma_kzg - // let state_folded_digests := add(state, STATE_FOLDED_DIGESTS_X) - - // mstore(state_folded_digests, mload(add(state, STATE_LINEARISED_POLYNOMIAL_X))) - // mstore(add(state, STATE_FOLDED_DIGESTS_Y), mload(add(state, STATE_LINEARISED_POLYNOMIAL_Y))) - // mstore(add(state, STATE_FOLDED_CLAIMED_VALUES), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) - - // point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_L_COM_X), acc_gamma, mPtr) - // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma) - - // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - // point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_R_COM_X), acc_gamma, mPtr) - // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma) - - // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - // point_acc_mul_calldata(state_folded_digests, add(aproof, PROOF_O_COM_X), acc_gamma, mPtr) - // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma) - - // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - // mstore(mPtr, VK_S1_COM_X) - // mstore(mPtr20, VK_S1_COM_Y) - // point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) - // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S1_AT_ZETA), acc_gamma) - - // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - // mstore(mPtr, VK_S2_COM_X) - // mstore(mPtr20, VK_S2_COM_Y) - // point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) - // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) - - // {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 ) }} - // let poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) - // {{ range $index, $element := .Vk.CommitmentConstraintIndexes }} - // acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - // mstore(mPtr, VK_QCP_{{ $index }}_X) - // mstore(mPtr20, VK_QCP_{{ $index }}_Y) - // point_acc_mul(state_folded_digests, mPtr, acc_gamma, mPtr40) - // fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), poqaz, acc_gamma) - // poqaz := add(poqaz, 0x20) - // {{ end }} - // {{ end -}} - // } + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) + + let l_gamma_kzg := mload(add(state, STATE_GAMMA_KZG)) + let acc_gamma := l_gamma_kzg + + {{ $offset = 0x00 }} + mstore(add(state, STATE_FOLDED_CLAIMED_VALUES), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) + mcopy(mPtr, add(state, STATE_LINEARISED_POLYNOMIAL), 0x80){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0x20 }} + + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma) + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_L_COM_X)){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma) + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_R_COM_X)){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma) + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_O_COM_X)){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S1_AT_ZETA), acc_gamma) + store_point(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi, VK_S1_COM_X_lo, VK_S1_COM_Y_hi, VK_S1_COM_Y_lo){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) + store_point(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi, VK_S2_COM_X_lo, VK_S2_COM_Y_hi, VK_S2_COM_Y_lo){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + {{ if (gt (len .Vk.CommitmentConstraintIndexes ) 1 ) }} + {{- $offsetValues := 0x00 }} + {{- $offsetComs := 0x00 }} + {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, add(PROOF_OPENING_QCP_AT_ZETA, {{ hex $offsetValues }})), acc_gamma){{ $offsetValues = add $offsetValues 0x20 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi, VK_QCP_{{ $index }}_X_lo, VK_QCP_{{ $index }}_Y_hi, VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + {{ end -}} + {{ end }} + + let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, {{ hex $offset }}, add(state, STATE_FOLDED_DIGESTS), 0x80) + if iszero(l_success){ + error_ec_op() + } + + } /// @notice generate the challenge (using Fiat Shamir) to fold the opening proofs /// at ζ. @@ -1354,14 +1358,14 @@ contract PlonkVerifier { // } // } - // /// @notice dst <- dst + src*s (Fr) dst,src are addresses, s is a value - // /// @param dst pointer storing the result - // /// @param src pointer to the scalar to multiply and add (on calldata) - // /// @param s scalar - // function fr_acc_mul_calldata(dst, src, s) { - // let tmp := mulmod(calldataload(src), s, R_MOD) - // mstore(dst, addmod(mload(dst), tmp, R_MOD)) - // } + /// @notice dst <- dst + src*s (Fr) dst,src are addresses, s is a value + /// @param dst pointer storing the result + /// @param src pointer to the scalar to multiply and add (on calldata) + /// @param s scalar + function fr_acc_mul_calldata(dst, src, s) { + let tmp := mulmod(calldataload(src), s, R_MOD) + mstore(dst, addmod(mload(dst), tmp, R_MOD)) + } /// @param x element to exponentiate /// @param e exponent From df1001c0cbcd94311eb7aaf9d37972e5568868ee Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Thu, 24 Jul 2025 23:31:42 +0200 Subject: [PATCH 16/23] clean: renaming --- backend/plonk/bls12-381/solidity.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 7363a80117..7e2b9d1c7a 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -128,7 +128,7 @@ contract PlonkVerifier { uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_X = {{ hex $offset }};{{ $offset = add $offset 0x30}} uint256 private constant PROOF_OPENING_AT_ZETA_OMEGA_Y = {{ hex $offset }};{{ $offset = add $offset 0x30}} - uint256 private constant PROOF_OPENING_QCP_AT_ZETA = {{ hex $offset }}; + uint256 private constant PROOF_QCP_AT_ZETA = {{ hex $offset }}; uint256 private constant PROOF_BSB_COMMITMENTS = {{ hex (add $offset (mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) )}}; // -------- offset state @@ -397,9 +397,9 @@ contract PlonkVerifier { // error_proof_openings_size() // } - // // PROOF_OPENING_QCP_AT_ZETA + // // PROOF_QCP_AT_ZETA - // p := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + // p := add(aproof, PROOF_QCP_AT_ZETA) // for {let i:=0} lt(i, VK_NB_CUSTOM_GATES) {i:=add(i,1)} // { // if gt(calldataload(p), R_MOD_MINUS_ONE) { @@ -989,7 +989,7 @@ contract PlonkVerifier { {{- $offsetComs := 0x00 }} {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, add(PROOF_OPENING_QCP_AT_ZETA, {{ hex $offsetValues }})), acc_gamma){{ $offsetValues = add $offsetValues 0x20 }} + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, add(PROOF_QCP_AT_ZETA, {{ hex $offsetValues }})), acc_gamma){{ $offsetValues = add $offsetValues 0x20 }} store_point(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi, VK_QCP_{{ $index }}_X_lo, VK_QCP_{{ $index }}_Y_hi, VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x80 }} mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} {{ end -}} @@ -1058,7 +1058,7 @@ contract PlonkVerifier { mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S2_AT_ZETA))){{ $offset = add $offset 0x20 }} {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - let _poqaz := add(aproof, PROOF_OPENING_QCP_AT_ZETA) + let _poqaz := add(aproof, PROOF_QCP_AT_ZETA) calldatacopy(add(mPtr, {{ hex $offset }}), _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) {{ $offset = add $offset ( mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) }} {{ end -}} @@ -1173,7 +1173,7 @@ contract PlonkVerifier { {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} {{- $tmp := 0 }} {{- range .Vk.Qcp}} - calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_OPENING_QCP_AT_ZETA, {{ hex $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_QCP_AT_ZETA, {{ hex $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} {{- end }} {{- end }} {{ $offset = sub $offset 0x80 }} From 6d05d6a763b2cfae8f5ba8ccd737f119104abb94 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 25 Jul 2025 17:24:38 +0200 Subject: [PATCH 17/23] feat: pairing ok --- backend/plonk/bls12-381/solidity.go | 767 ++++++++++++---------------- 1 file changed, 319 insertions(+), 448 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 7e2b9d1c7a..256581cf85 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -25,14 +25,14 @@ contract PlonkVerifier { uint256 private constant R_MOD = 52435875175126190479447740508185965837690552500527637822603658699938581184513; uint256 private constant R_MOD_MINUS_ONE = 52435875175126190479447740508185965837690552500527637822603658699938581184512; {{ range $index, $element := .Vk.Kzg.G2 }} - uint256 private constant G2_SRS_{{ $index }}_X_0_lo = {{ (fpstr_lo $element.X.A1) }}; - uint256 private constant G2_SRS_{{ $index }}_X_0_hi = {{ (fpstr_hi $element.X.A1) }}; - uint256 private constant G2_SRS_{{ $index }}_X_1_lo = {{ (fpstr_lo $element.X.A0) }}; - uint256 private constant G2_SRS_{{ $index }}_X_1_hi = {{ (fpstr_hi $element.X.A0) }}; - uint256 private constant G2_SRS_{{ $index }}_Y_0_lo = {{ (fpstr_lo $element.Y.A1) }}; - uint256 private constant G2_SRS_{{ $index }}_Y_0_hi = {{ (fpstr_hi $element.Y.A1) }}; - uint256 private constant G2_SRS_{{ $index }}_Y_1_lo = {{ (fpstr_lo $element.Y.A0) }}; - uint256 private constant G2_SRS_{{ $index }}_Y_1_hi = {{ (fpstr_hi $element.Y.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_X_0_lo = {{ (fpstr_lo $element.X.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_X_0_hi = {{ (fpstr_hi $element.X.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_X_1_lo = {{ (fpstr_lo $element.X.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_X_1_hi = {{ (fpstr_hi $element.X.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_0_lo = {{ (fpstr_lo $element.Y.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_0_hi = {{ (fpstr_hi $element.Y.A0) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_1_lo = {{ (fpstr_lo $element.Y.A1) }}; + uint256 private constant G2_SRS_{{ $index }}_Y_1_hi = {{ (fpstr_hi $element.Y.A1) }}; {{ end }} uint256 private constant G1_SRS_X_lo = {{ fpstr_lo .Vk.Kzg.G1.X }}; uint256 private constant G1_SRS_X_hi = {{ fpstr_hi .Vk.Kzg.G1.X }}; @@ -179,8 +179,7 @@ contract PlonkVerifier { uint8 private constant MOD_EXP = 0x5; uint8 private constant EC_ADD = 0x6; uint8 private constant BLS12_MSM_G1 = 0x0c; - - event PrintUint256(uint256 x); + uint8 private constant BLS12_PAIR = 0x0f; /// Verify a Plonk proof. /// Reverts if the proof or the public inputs are malformed. @@ -188,9 +187,8 @@ contract PlonkVerifier { /// @param public_inputs (must be reduced) /// @return success true if the proof passes false otherwise function Verify(bytes calldata proof, uint256[] calldata public_inputs) - public returns(bool success) { + public view returns(bool success) { - uint256 check; assembly { let mem := mload(0x40) @@ -228,9 +226,8 @@ contract PlonkVerifier { compute_opening_linearised_polynomial(proof.offset) compute_gamma_kzg(proof.offset) fold_state(proof.offset) - // batch_verify_multi_points(proof.offset) - - // success := mload(add(mem, STATE_SUCCESS)) + batch_verify_multi_points(proof.offset) + success := mload(add(mem, STATE_SUCCESS)) // // Beginning errors ------------------------------------------------- @@ -297,14 +294,14 @@ contract PlonkVerifier { // revert(ptError, 0x64) // } - // function error_pairing() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0xd) - // mstore(add(ptError, 0x44), "error pairing") - // revert(ptError, 0x64) - // } + function error_pairing() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0xd) + mstore(add(ptError, 0x44), "error pairing") + revert(ptError, 0x64) + } function error_verify() { let ptError := mload(0x40) @@ -839,350 +836,319 @@ contract PlonkVerifier { mstore(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0), res) } - // /// @notice follows alg. p.13 of https://eprint.iacr.org/2019/953.pdf - // /// with t₁ = t₂ = 1, and the proofs are ([digest] + [quotient] +purported evaluation): - // /// * [state_folded_state_digests], [proof_batch_opening_at_zeta_x], state_folded_evals - // /// * [proof_grand_product_commitment], [proof_opening_at_zeta_omega_x], [proof_grand_product_at_zeta_omega] - // /// @param aproof pointer to the proof - // function batch_verify_multi_points(aproof) { - // let state := mload(0x40) - // let mPtr := add(state, STATE_LAST_MEM) - - // // derive a random number. As there is no random generator, we - // // do an FS like challenge derivation, depending on both digests and - // // ζ to ensure that the prover cannot control the random number. - // // Note: adding the other point ζω is not needed, as ω is known beforehand. - // mstore(mPtr, mload(add(state, STATE_FOLDED_DIGESTS_X))) - // mstore(add(mPtr, 0x20), mload(add(state, STATE_FOLDED_DIGESTS_Y))) - // mstore(add(mPtr, 0x40), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) - // mstore(add(mPtr, 0x60), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) - // mstore(add(mPtr, 0x80), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X))) - // mstore(add(mPtr, 0xa0), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_Y))) - // mstore(add(mPtr, 0xc0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X))) - // mstore(add(mPtr, 0xe0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_Y))) - // mstore(add(mPtr, 0x100), mload(add(state, STATE_ZETA))) - // mstore(add(mPtr, 0x120), mload(add(state, STATE_GAMMA_KZG))) - // let random := staticcall(gas(), SHA2, mPtr, 0x140, mPtr, 0x20) - // if iszero(random){ - // error_random_generation() - // } - // random := mod(mload(mPtr), R_MOD) // use the same variable as we are one variable away from getting stack-too-deep error... - - // let folded_quotients := mPtr - // mPtr := add(folded_quotients, 0x40) - // mstore(folded_quotients, calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) - // mstore(add(folded_quotients, 0x20), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) - // point_acc_mul_calldata(folded_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr) - - // let folded_digests := add(state, STATE_FOLDED_DIGESTS_X) - // point_acc_mul_calldata(folded_digests, add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), random, mPtr) - - // let folded_evals := add(state, STATE_FOLDED_CLAIMED_VALUES) - // fr_acc_mul_calldata(folded_evals, add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA), random) - - // let folded_evals_commit := mPtr - // mPtr := add(folded_evals_commit, 0x40) - // mstore(folded_evals_commit, G1_SRS_X) - // mstore(add(folded_evals_commit, 0x20), G1_SRS_Y) - // mstore(add(folded_evals_commit, 0x40), mload(folded_evals)) - // let check_staticcall := staticcall(gas(), 7, folded_evals_commit, 0x60, folded_evals_commit, 0x40) - // if iszero(check_staticcall) { - // error_verify() - // } - - // let folded_evals_commit_y := add(folded_evals_commit, 0x20) - // mstore(folded_evals_commit_y, sub(P_MOD, mload(folded_evals_commit_y))) - // point_add(folded_digests, folded_digests, folded_evals_commit, mPtr) - - // let folded_points_quotients := mPtr - // mPtr := add(mPtr, 0x40) - // point_mul_calldata( - // folded_points_quotients, - // add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X), - // mload(add(state, STATE_ZETA)), - // mPtr - // ) - // let zeta_omega := mulmod(mload(add(state, STATE_ZETA)), VK_OMEGA, R_MOD) - // random := mulmod(random, zeta_omega, R_MOD) - // point_acc_mul_calldata(folded_points_quotients, add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), random, mPtr) - - // point_add(folded_digests, folded_digests, folded_points_quotients, mPtr) - - // let folded_quotients_y := add(folded_quotients, 0x20) - // mstore(folded_quotients_y, sub(P_MOD, mload(folded_quotients_y))) - - // mstore(mPtr, mload(folded_digests)) - // {{ $offset = 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), mload(add(folded_digests, 0x20))) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_X_0) {{ $offset = add $offset 0x20 }} // the 4 lines are the canonical G2 point on BN254 - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_X_1) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_Y_0) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_0_Y_1) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), mload(folded_quotients)) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), mload(add(folded_quotients, 0x20))) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_X_0) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_X_1) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_Y_0) {{ $offset = add $offset 0x20 }} - // mstore(add(mPtr, {{ hex $offset }}), G2_SRS_1_Y_1) {{ $offset = add $offset 0x20 }} - // check_pairing_kzg(mPtr) - // } + /// @notice follows alg. p.13 of https://eprint.iacr.org/2019/953.pdf + /// with t₁ = t₂ = 1, and the proofs are ([digest] + [quotient] +purported evaluation): + /// * [state_folded_state_digests], [proof_batch_opening_at_zeta_x], state_folded_evals + /// * [proof_grand_product_commitment], [proof_opening_at_zeta_omega_x], [proof_grand_product_at_zeta_omega] + /// @param aproof pointer to the proof + function batch_verify_multi_points(aproof) { + + let state := mload(0x40) + let mPtr := add(state, STATE_LAST_MEM) - // /// @notice check_pairing_kzg checks the result of the final pairing product of the batched - // /// kzg verification. The purpose of this function is to avoid exhausting the stack - // /// in the function batch_verify_multi_points. - // /// @param mPtr pointer storing the tuple of pairs - // function check_pairing_kzg(mPtr) { - // let state := mload(0x40) + // derive a random number. As there is no random generator, we + // do an FS like challenge derivation, depending on both digests and + // ζ to ensure that the prover cannot control the random number. + // Note: adding the other point ζω is not needed, as ω is known beforehand. + // mstore(mPtr, mload(add(state, STATE_FOLDED_DIGESTS_X))) + // mstore(add(mPtr, 0x20), mload(add(state, STATE_FOLDED_DIGESTS_Y))) + // mstore(add(mPtr, 0x40), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) + // mstore(add(mPtr, 0x60), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) + // mstore(add(mPtr, 0x80), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X))) + // mstore(add(mPtr, 0xa0), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_Y))) + // mstore(add(mPtr, 0xc0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X))) + // mstore(add(mPtr, 0xe0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_Y))) + // mstore(add(mPtr, 0x100), mload(add(state, STATE_ZETA))) + // mstore(add(mPtr, 0x120), mload(add(state, STATE_GAMMA_KZG))) + // let random := staticcall(gas(), SHA2, mPtr, 0x140, mPtr, 0x20) + // if iszero(random){ + // error_random_generation() + // } + // random := mod(mload(mPtr), R_MOD) // use the same variable as we are one variable away from getting stack-too-deep error... + let random := 5 + + let folded_evals := add(state, STATE_FOLDED_CLAIMED_VALUES) + fr_acc_mul_calldata(folded_evals, add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA), random) + + let folded_digests := mPtr + mcopy(folded_digests, add(state, STATE_FOLDED_DIGESTS), 0x80) + mstore(add(folded_digests, 0x80), 1) + store_point_calldata(add(folded_digests, 0xa0), add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X)) + mstore(add(folded_digests, 0x120), random) + store_point(add(folded_digests, 0x140), G1_SRS_X_hi, G1_SRS_X_lo, G1_SRS_Y_hi, G1_SRS_Y_lo) + mstore(add(folded_digests, 0x1c0), sub(R_MOD, mload(folded_evals))) + store_point_calldata(add(folded_digests, 0x1e0), add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X)) + mstore(add(folded_digests, 0x260), mload(add(state, STATE_ZETA))) + store_point_calldata(add(folded_digests, 0x280), add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X)) + let zeta_omega := mulmod(mload(add(state, STATE_ZETA)), VK_OMEGA, R_MOD) + mstore(add(folded_digests, 0x300), mulmod(random, zeta_omega, R_MOD)) + let l_success := staticcall(gas(), BLS12_MSM_G1, folded_digests, 0x320, folded_digests, 0x80) + if iszero(l_success){ + error_ec_op() + } - // let l_success := staticcall(gas(), 8, mPtr, 0x180, 0x00, 0x20) - // if iszero(l_success) { - // error_pairing() - // } - // let res_pairing := mload(0x00) - // mstore(add(state, STATE_SUCCESS), res_pairing) - // } + let folded_quotients := add(mPtr, 0x180) + store_point_calldata(folded_quotients, add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X)) + mstore(add(folded_quotients, 0x80), sub(R_MOD, 1)) + store_point_calldata(add(folded_quotients, 0xa0), add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X)) + mstore(add(folded_quotients, 0x120), sub(R_MOD, random)) + l_success := staticcall(gas(), BLS12_MSM_G1, folded_quotients, 0x140, folded_quotients, 0x80) + if iszero(l_success){ + error_ec_op() + } + + store_point(add(mPtr, 0x80), G2_SRS_0_X_0_hi, G2_SRS_0_X_0_lo, G2_SRS_0_X_1_hi, G2_SRS_0_X_1_lo) + store_point(add(mPtr, 0x100), G2_SRS_0_Y_0_hi, G2_SRS_0_Y_0_lo, G2_SRS_0_Y_1_hi, G2_SRS_0_Y_1_lo) + store_point(add(mPtr, 0x200), G2_SRS_1_X_0_hi, G2_SRS_1_X_0_lo, G2_SRS_1_X_1_hi, G2_SRS_1_X_1_lo) + store_point(add(mPtr, 0x280), G2_SRS_1_Y_0_hi, G2_SRS_1_Y_0_lo, G2_SRS_1_Y_1_hi, G2_SRS_1_Y_1_lo) + l_success := staticcall(gas(), BLS12_PAIR, mPtr, 0x300, mPtr, 0x20) + if iszero(l_success) { + error_pairing() + } + mstore(add(state, STATE_SUCCESS), mload(mPtr)) + } - /// @notice Fold the opening proofs at ζ: - /// * at state+STATE_FOLDED_DIGEST we store: [Linearised_polynomial]+γ[L] + γ²[R] + γ³[O] + γ⁴[S₁] +γ⁵[S₂] + ∑ᵢγ⁵⁺ⁱ[Pi_{i}] - /// * at state+STATE_FOLDED_CLAIMED_VALUE we store: Linearised_polynomial(ζ)+γL(ζ) + γ²R(ζ)+ γ³O(ζ) + γ⁴S₁(ζ) +γ⁵S₂(ζ) + ∑ᵢγ⁵⁺ⁱPi_{i}(ζ) - /// @param aproof pointer to the proof - /// acc_gamma stores the γⁱ - function fold_state(aproof) { + /// @notice Fold the opening proofs at ζ: + /// * at state+STATE_FOLDED_DIGEST we store: [Linearised_polynomial]+γ[L] + γ²[R] + γ³[O] + γ⁴[S₁] +γ⁵[S₂] + ∑ᵢγ⁵⁺ⁱ[Pi_{i}] + /// * at state+STATE_FOLDED_CLAIMED_VALUE we store: Linearised_polynomial(ζ)+γL(ζ) + γ²R(ζ)+ γ³O(ζ) + γ⁴S₁(ζ) +γ⁵S₂(ζ) + ∑ᵢγ⁵⁺ⁱPi_{i}(ζ) + /// @param aproof pointer to the proof + /// acc_gamma stores the γⁱ + function fold_state(aproof) { - let state := mload(0x40) - let mPtr := add(mload(0x40), STATE_LAST_MEM) + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) - let l_gamma_kzg := mload(add(state, STATE_GAMMA_KZG)) - let acc_gamma := l_gamma_kzg + let l_gamma_kzg := mload(add(state, STATE_GAMMA_KZG)) + let acc_gamma := l_gamma_kzg - {{ $offset = 0x00 }} - mstore(add(state, STATE_FOLDED_CLAIMED_VALUES), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) - mcopy(mPtr, add(state, STATE_LINEARISED_POLYNOMIAL), 0x80){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0x20 }} + {{ $offset = 0x00 }} + mstore(add(state, STATE_FOLDED_CLAIMED_VALUES), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) + mcopy(mPtr, add(state, STATE_LINEARISED_POLYNOMIAL), 0x80){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0x20 }} - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma) - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_L_COM_X)){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} - - acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma) - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_R_COM_X)){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} - - acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma) - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_O_COM_X)){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} - - acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S1_AT_ZETA), acc_gamma) - store_point(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi, VK_S1_COM_X_lo, VK_S1_COM_Y_hi, VK_S1_COM_Y_lo){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} - - acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) - store_point(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi, VK_S2_COM_X_lo, VK_S2_COM_Y_hi, VK_S2_COM_Y_lo){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} - - {{ if (gt (len .Vk.CommitmentConstraintIndexes ) 1 ) }} - {{- $offsetValues := 0x00 }} - {{- $offsetComs := 0x00 }} - {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} - acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) - fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, add(PROOF_QCP_AT_ZETA, {{ hex $offsetValues }})), acc_gamma){{ $offsetValues = add $offsetValues 0x20 }} - store_point(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi, VK_QCP_{{ $index }}_X_lo, VK_QCP_{{ $index }}_Y_hi, VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} - {{ end -}} - {{ end }} - - let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, {{ hex $offset }}, add(state, STATE_FOLDED_DIGESTS), 0x80) - if iszero(l_success){ - error_ec_op() + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_L_AT_ZETA), acc_gamma) + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_L_COM_X)){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_R_AT_ZETA), acc_gamma) + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_R_COM_X)){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_O_AT_ZETA), acc_gamma) + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_O_COM_X)){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S1_AT_ZETA), acc_gamma) + store_point(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi, VK_S1_COM_X_lo, VK_S1_COM_Y_hi, VK_S1_COM_Y_lo){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, PROOF_S2_AT_ZETA), acc_gamma) + store_point(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi, VK_S2_COM_X_lo, VK_S2_COM_Y_hi, VK_S2_COM_Y_lo){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + + {{ if (gt (len .Vk.CommitmentConstraintIndexes ) 1 ) }} + {{- $offsetValues := 0x00 }} + {{- $offsetComs := 0x00 }} + {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} + acc_gamma := mulmod(acc_gamma, l_gamma_kzg, R_MOD) + fr_acc_mul_calldata(add(state, STATE_FOLDED_CLAIMED_VALUES), add(aproof, add(PROOF_QCP_AT_ZETA, {{ hex $offsetValues }})), acc_gamma){{ $offsetValues = add $offsetValues 0x20 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi, VK_QCP_{{ $index }}_X_lo, VK_QCP_{{ $index }}_Y_hi, VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), acc_gamma){{ $offset = add $offset 0x20 }} + {{ end -}} + {{ end }} + + let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, {{ hex $offset }}, add(state, STATE_FOLDED_DIGESTS), 0x80) + if iszero(l_success){ + error_ec_op() + } + } - - } - /// @notice generate the challenge (using Fiat Shamir) to fold the opening proofs - /// at ζ. - /// The process for deriving γ is the same as in derive_gamma but this time the inputs are - /// in this order (the [] means it's a commitment): - /// * ζ - /// * [Linearised polynomial] - /// * [L], [R], [O] - /// * [S₁] [S₂] - /// * [Pi_{i}] (wires associated to custom gates) - /// Then there are the purported evaluations of the previous committed polynomials: - /// * Linearised_polynomial(ζ) - /// * L(ζ), R(ζ), O(ζ), S₁(ζ), S₂(ζ) - /// * Pi_{i}(ζ) - /// * Z(ζω) - /// @param aproof pointer to the proof - function compute_gamma_kzg(aproof) { - - let state := mload(0x40) - let mPtr := add(mload(0x40), STATE_LAST_MEM) - - {{ $offset = 0x1b0 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_hi){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_hi){{ $offset = add $offset 0x30 }} - {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_hi){{ $offset = add $offset 0x30 }} - {{ end -}} - {{ $offset = 0x1d0 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_lo){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_lo){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_lo){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_lo){{ $offset = add $offset 0x30 }} - {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_lo){{ $offset = add $offset 0x30 }} - mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x30 }} - {{ end -}} - {{ $tmp := sub $offset 0x10 }} - - {{ $offset = 0 }} - mstore(mPtr, FS_GAMMA_KZG) // "gamma" {{ $offset = add $offset 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA))){{ $offset = add $offset 0x20 }} - mcopy(add(mPtr, {{ hex $offset }}), add(state, add(STATE_LINEARISED_POLYNOMIAL, 0x10)), 0x30){{ $offset = add $offset 0x30 }} - mcopy(add(mPtr, {{ hex $offset }}), add(state, add(STATE_LINEARISED_POLYNOMIAL, 0x50)), 0x30){{ $offset = add $offset 0x30 }} - calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_L_COM_X), 0x120) - - {{ $offset = $tmp }} - mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) {{ $offset = add $offset 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_L_AT_ZETA))){{ $offset = add $offset 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_R_AT_ZETA))){{ $offset = add $offset 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_O_AT_ZETA))){{ $offset = add $offset 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S1_AT_ZETA))){{ $offset = add $offset 0x20 }} - mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S2_AT_ZETA))){{ $offset = add $offset 0x20 }} - - {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - let _poqaz := add(aproof, PROOF_QCP_AT_ZETA) - calldatacopy(add(mPtr, {{ hex $offset }}), _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) - {{ $offset = add $offset ( mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) }} - {{ end -}} + /// @notice generate the challenge (using Fiat Shamir) to fold the opening proofs + /// at ζ. + /// The process for deriving γ is the same as in derive_gamma but this time the inputs are + /// in this order (the [] means it's a commitment): + /// * ζ + /// * [Linearised polynomial] + /// * [L], [R], [O] + /// * [S₁] [S₂] + /// * [Pi_{i}] (wires associated to custom gates) + /// Then there are the purported evaluations of the previous committed polynomials: + /// * Linearised_polynomial(ζ) + /// * L(ζ), R(ζ), O(ζ), S₁(ζ), S₂(ζ) + /// * Pi_{i}(ζ) + /// * Z(ζω) + /// @param aproof pointer to the proof + function compute_gamma_kzg(aproof) { - mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA))){{ $offset = add $offset 0x20 }} + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) - let start_input := 0x1b // 00.."gamma" - {{ $offset = add (sub $offset 0x20 ) 0x5 }} - let check_staticcall := staticcall(gas(), SHA2, add(mPtr,start_input), {{ hex $offset }}, add(state, STATE_GAMMA_KZG), 0x20) - if iszero(check_staticcall) { - error_verify() - } - mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) - } + {{ $offset = 0x1b0 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_hi){{ $offset = add $offset 0x30 }} + {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_hi){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_hi){{ $offset = add $offset 0x30 }} + {{ end -}} + {{ $offset = 0x1d0 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_X_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S1_COM_Y_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_X_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_S2_COM_Y_lo){{ $offset = add $offset 0x30 }} + {{- range $index, $element := .Vk.CommitmentConstraintIndexes }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_X_lo){{ $offset = add $offset 0x30 }} + mstore(add(mPtr, {{ hex $offset }}), VK_QCP_{{ $index }}_Y_lo){{ $offset = add $offset 0x30 }} + {{ end -}} + {{ $tmp := sub $offset 0x10 }} + + {{ $offset = 0 }} + mstore(mPtr, FS_GAMMA_KZG) // "gamma" {{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA))){{ $offset = add $offset 0x20 }} + mcopy(add(mPtr, {{ hex $offset }}), add(state, add(STATE_LINEARISED_POLYNOMIAL, 0x10)), 0x30){{ $offset = add $offset 0x30 }} + mcopy(add(mPtr, {{ hex $offset }}), add(state, add(STATE_LINEARISED_POLYNOMIAL, 0x50)), 0x30){{ $offset = add $offset 0x30 }} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_L_COM_X), 0x120) + + {{ $offset = $tmp }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA))) {{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_L_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_R_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_O_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S1_AT_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_S2_AT_ZETA))){{ $offset = add $offset 0x20 }} + + {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + let _poqaz := add(aproof, PROOF_QCP_AT_ZETA) + calldatacopy(add(mPtr, {{ hex $offset }}), _poqaz, mul(VK_NB_CUSTOM_GATES, 0x20)) + {{ $offset = add $offset ( mul (len .Vk.CommitmentConstraintIndexes) 0x20 ) }} + {{ end -}} - /// @notice Compute the commitment to the linearized polynomial equal to - /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + - /// α*( Z(μζ)(L(ζ)+β*S₁(ζ)+γ)*(R(ζ)+β*S₂(ζ)+γ)[S₃]-[Z](L(ζ)+β*id_{1}(ζ)+γ)*(R(ζ)+β*id_{2}(ζ)+γ)*(O(ζ)+β*id_{3}(ζ)+γ) ) + - /// α²*L₁(ζ)[Z] - Z_{H}(ζ)*(([H₀] + ζᵐ⁺²*[H₁] + ζ²⁽ᵐ⁺²⁾*[H₂]) - /// where - /// * id_1 = id, id_2 = vk_coset_shift*id, id_3 = vk_coset_shift^{2}*id - /// * the [] means that it's a commitment (i.e. a point on Bn254(F_p)) - /// * Z_{H}(ζ) = ζ^n-1 - /// @param aproof pointer to the proof - function compute_commitment_linearised_polynomial(aproof) { - - let state := mload(0x40) - let l_beta := mload(add(state, STATE_BETA)) - let l_gamma := mload(add(state, STATE_GAMMA)) - let l_zeta := mload(add(state, STATE_ZETA)) - let l_alpha := mload(add(state, STATE_ALPHA)) - - let u := mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) - let v := mulmod(l_beta, calldataload(add(aproof, PROOF_S1_AT_ZETA)), R_MOD) - v := addmod(v, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) - v := addmod(v, l_gamma, R_MOD) - - let w := mulmod(l_beta, calldataload(add(aproof, PROOF_S2_AT_ZETA)), R_MOD) - w := addmod(w, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) - w := addmod(w, l_gamma, R_MOD) - - let s1 := mulmod(u, v, R_MOD) - s1 := mulmod(s1, w, R_MOD) - s1 := mulmod(s1, l_alpha, R_MOD) - - let coset_square := mulmod(VK_COSET_SHIFT, VK_COSET_SHIFT, R_MOD) - let betazeta := mulmod(l_beta, l_zeta, R_MOD) - u := addmod(betazeta, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) - u := addmod(u, l_gamma, R_MOD) - - v := mulmod(betazeta, VK_COSET_SHIFT, R_MOD) - v := addmod(v, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) - v := addmod(v, l_gamma, R_MOD) - - w := mulmod(betazeta, coset_square, R_MOD) - w := addmod(w, calldataload(add(aproof, PROOF_O_AT_ZETA)), R_MOD) - w := addmod(w, l_gamma, R_MOD) - - let coeff_z := mulmod(u, v, R_MOD) - coeff_z := mulmod(coeff_z, w, R_MOD) - coeff_z := sub(R_MOD, coeff_z) - coeff_z := mulmod(coeff_z, l_alpha, R_MOD) - mstore(add(state, STATE_CHECK_VAR), coeff_z) - coeff_z := addmod(coeff_z, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) - - // at this stage: - // * s₁ = α*Z(μζ)(l(ζ)+β*s₁(ζ)+γ)*(r(ζ)+β*s₂(ζ)+γ)*β - // * s₂ = -α*(l(ζ)+β*ζ+γ)*(r(ζ)+β*u*ζ+γ)*(o(ζ)+β*u²*ζ+γ) + α²*L₁(ζ) - - compute_commitment_linearised_polynomial_ec(aproof, s1, coeff_z) - } + mstore(add(mPtr, {{ hex $offset }}), calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA))){{ $offset = add $offset 0x20 }} - function compute_commitment_linearised_polynomial_ec(aproof, s1, coeff_z) { + let start_input := 0x1b // 00.."gamma" + {{ $offset = add (sub $offset 0x20 ) 0x5 }} + let check_staticcall := staticcall(gas(), SHA2, add(mPtr,start_input), {{ hex $offset }}, add(state, STATE_GAMMA_KZG), 0x20) + if iszero(check_staticcall) { + error_verify() + } + mstore(add(state, STATE_GAMMA_KZG), mod(mload(add(state, STATE_GAMMA_KZG)), R_MOD)) + } + + /// @notice Compute the commitment to the linearized polynomial equal to + /// L(ζ)[Qₗ]+r(ζ)[Qᵣ]+R(ζ)L(ζ)[Qₘ]+O(ζ)[Qₒ]+[Qₖ]+Σᵢqc'ᵢ(ζ)[BsbCommitmentᵢ] + + /// α*( Z(μζ)(L(ζ)+β*S₁(ζ)+γ)*(R(ζ)+β*S₂(ζ)+γ)[S₃]-[Z](L(ζ)+β*id_{1}(ζ)+γ)*(R(ζ)+β*id_{2}(ζ)+γ)*(O(ζ)+β*id_{3}(ζ)+γ) ) + + /// α²*L₁(ζ)[Z] - Z_{H}(ζ)*(([H₀] + ζᵐ⁺²*[H₁] + ζ²⁽ᵐ⁺²⁾*[H₂]) + /// where + /// * id_1 = id, id_2 = vk_coset_shift*id, id_3 = vk_coset_shift^{2}*id + /// * the [] means that it's a commitment (i.e. a point on Bn254(F_p)) + /// * Z_{H}(ζ) = ζ^n-1 + /// @param aproof pointer to the proof + function compute_commitment_linearised_polynomial(aproof) { - let state := mload(0x40) - let mPtr := add(mload(0x40), STATE_LAST_MEM) - {{ $offset = 0 }} - store_point(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_hi, VK_QL_COM_X_lo, VK_QL_COM_Y_hi, VK_QL_COM_Y_lo){{ $offset = add $offset 0xa0 }} - store_point(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_hi, VK_QR_COM_X_lo, VK_QR_COM_Y_hi, VK_QR_COM_Y_lo){{ $offset = add $offset 0xa0 }} - store_point(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_hi, VK_QM_COM_X_lo, VK_QM_COM_Y_hi, VK_QM_COM_Y_lo){{ $offset = add $offset 0xa0 }} - store_point(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_hi, VK_QO_COM_X_lo, VK_QO_COM_Y_hi, VK_QO_COM_Y_lo){{ $offset = add $offset 0xa0 }} - store_point(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_hi, VK_QK_COM_X_lo, VK_QK_COM_Y_hi, VK_QK_COM_Y_lo){{ $offset = add $offset 0xa0 }} - store_point(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_hi, VK_S3_COM_X_lo, VK_S3_COM_Y_hi, VK_S3_COM_Y_lo){{ $offset = add $offset 0xa0 }} - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X)){{ $offset = add $offset 0xa0 }} - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_0_COM_X)){{ $offset = add $offset 0xa0 }} - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_1_COM_X)){{ $offset = add $offset 0xa0 }} - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_2_COM_X)){{ $offset = add $offset 0xa0 }} - {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - {{- $tmp = 0 }} - {{- range .Vk.Qcp}} - store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_BSB_COMMITMENTS, {{ hex $tmp }}))){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x60 }} - {{- end }} - {{- end }} - - let l := calldataload(add(aproof, PROOF_L_AT_ZETA)) - let r := calldataload(add(aproof, PROOF_R_AT_ZETA)) - let rl := mulmod(l, r, R_MOD) - let o := calldataload(add(aproof, PROOF_O_AT_ZETA)) - let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) - h_zeta := sub(R_MOD, h_zeta) - {{ $offset = 0x80 }} - mstore(add(mPtr, {{ hex $offset }}), l){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), r){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), rl){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), o){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), s1){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), coeff_z){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), h_zeta){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO))){{ $offset = add $offset 0xa0 }} - mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE))){{ $offset = add $offset 0xa0 }} - {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} - {{- $tmp := 0 }} - {{- range .Vk.Qcp}} - calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_QCP_AT_ZETA, {{ hex $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} - {{- end }} - {{- end }} - {{ $offset = sub $offset 0x80 }} - let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, {{ hex $offset }}, add(state, STATE_LINEARISED_POLYNOMIAL), 0x80) - if iszero(l_success){ - error_ec_op() + let state := mload(0x40) + let l_beta := mload(add(state, STATE_BETA)) + let l_gamma := mload(add(state, STATE_GAMMA)) + let l_zeta := mload(add(state, STATE_ZETA)) + let l_alpha := mload(add(state, STATE_ALPHA)) + + let u := mulmod(calldataload(add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA)), l_beta, R_MOD) + let v := mulmod(l_beta, calldataload(add(aproof, PROOF_S1_AT_ZETA)), R_MOD) + v := addmod(v, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + v := addmod(v, l_gamma, R_MOD) + + let w := mulmod(l_beta, calldataload(add(aproof, PROOF_S2_AT_ZETA)), R_MOD) + w := addmod(w, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + w := addmod(w, l_gamma, R_MOD) + + let s1 := mulmod(u, v, R_MOD) + s1 := mulmod(s1, w, R_MOD) + s1 := mulmod(s1, l_alpha, R_MOD) + + let coset_square := mulmod(VK_COSET_SHIFT, VK_COSET_SHIFT, R_MOD) + let betazeta := mulmod(l_beta, l_zeta, R_MOD) + u := addmod(betazeta, calldataload(add(aproof, PROOF_L_AT_ZETA)), R_MOD) + u := addmod(u, l_gamma, R_MOD) + + v := mulmod(betazeta, VK_COSET_SHIFT, R_MOD) + v := addmod(v, calldataload(add(aproof, PROOF_R_AT_ZETA)), R_MOD) + v := addmod(v, l_gamma, R_MOD) + + w := mulmod(betazeta, coset_square, R_MOD) + w := addmod(w, calldataload(add(aproof, PROOF_O_AT_ZETA)), R_MOD) + w := addmod(w, l_gamma, R_MOD) + + let coeff_z := mulmod(u, v, R_MOD) + coeff_z := mulmod(coeff_z, w, R_MOD) + coeff_z := sub(R_MOD, coeff_z) + coeff_z := mulmod(coeff_z, l_alpha, R_MOD) + mstore(add(state, STATE_CHECK_VAR), coeff_z) + coeff_z := addmod(coeff_z, mload(add(state, STATE_ALPHA_SQUARE_LAGRANGE_0)), R_MOD) + + // at this stage: + // * s₁ = α*Z(μζ)(l(ζ)+β*s₁(ζ)+γ)*(r(ζ)+β*s₂(ζ)+γ)*β + // * s₂ = -α*(l(ζ)+β*ζ+γ)*(r(ζ)+β*u*ζ+γ)*(o(ζ)+β*u²*ζ+γ) + α²*L₁(ζ) + + compute_commitment_linearised_polynomial_ec(aproof, s1, coeff_z) } - } + function compute_commitment_linearised_polynomial_ec(aproof, s1, coeff_z) { + + let state := mload(0x40) + let mPtr := add(mload(0x40), STATE_LAST_MEM) + {{ $offset = 0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QL_COM_X_hi, VK_QL_COM_X_lo, VK_QL_COM_Y_hi, VK_QL_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QR_COM_X_hi, VK_QR_COM_X_lo, VK_QR_COM_Y_hi, VK_QR_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QM_COM_X_hi, VK_QM_COM_X_lo, VK_QM_COM_Y_hi, VK_QM_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QO_COM_X_hi, VK_QO_COM_X_lo, VK_QO_COM_Y_hi, VK_QO_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_QK_COM_X_hi, VK_QK_COM_X_lo, VK_QK_COM_Y_hi, VK_QK_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point(add(mPtr, {{ hex $offset }}), VK_S3_COM_X_hi, VK_S3_COM_X_lo, VK_S3_COM_Y_hi, VK_S3_COM_Y_lo){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X)){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_0_COM_X)){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_1_COM_X)){{ $offset = add $offset 0xa0 }} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_H_2_COM_X)){{ $offset = add $offset 0xa0 }} + {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + {{- $tmp = 0 }} + {{- range .Vk.Qcp}} + store_point_calldata(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_BSB_COMMITMENTS, {{ hex $tmp }}))){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x60 }} + {{- end }} + {{- end }} + + let l := calldataload(add(aproof, PROOF_L_AT_ZETA)) + let r := calldataload(add(aproof, PROOF_R_AT_ZETA)) + let rl := mulmod(l, r, R_MOD) + let o := calldataload(add(aproof, PROOF_O_AT_ZETA)) + let h_zeta := mload(add(state, STATE_ZETA_POWER_N_MINUS_ONE)) + h_zeta := sub(R_MOD, h_zeta) + {{ $offset = 0x80 }} + mstore(add(mPtr, {{ hex $offset }}), l){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), r){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), rl){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), o){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), 1){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), s1){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), coeff_z){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), h_zeta){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO))){{ $offset = add $offset 0xa0 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA_POWER_N_PLUS_TWO_SQUARE))){{ $offset = add $offset 0xa0 }} + {{- if (gt (len .Vk.CommitmentConstraintIndexes) 0 )}} + {{- $tmp := 0 }} + {{- range .Vk.Qcp}} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, add(PROOF_QCP_AT_ZETA, {{ hex $tmp }})), 0x20){{ $offset = add $offset 0xa0 }}{{ $tmp = add $tmp 0x20 }} + {{- end }} + {{- end }} + {{ $offset = sub $offset 0x80 }} + let l_success := staticcall(gas(), BLS12_MSM_G1, mPtr, {{ hex $offset }}, add(state, STATE_LINEARISED_POLYNOMIAL), 0x80) + if iszero(l_success){ + error_ec_op() + } + + } /// @notice stores a point at dst, from src. The point in src is stored /// as [x || y] where x and y are on 0x30 bytes, and in dst the point is stored @@ -1262,101 +1228,7 @@ contract PlonkVerifier { mstore(add(state, STATE_OPENING_LINEARISED_POLYNOMIAL_ZETA), s1) } - // // BEGINNING utils math functions ------------------------------------------------- - - // /// @param dst pointer storing the result - // /// @param p pointer to the first point - // /// @param q pointer to the second point - // /// @param mPtr pointer to free memory - // function point_add(dst, p, q, mPtr) { - // mstore(mPtr, mload(p)) - // mstore(add(mPtr, 0x20), mload(add(p, 0x20))) - // mstore(add(mPtr, 0x40), mload(q)) - // mstore(add(mPtr, 0x60), mload(add(q, 0x20))) - // let l_success := staticcall(gas(),EC_ADD,mPtr,0x80,dst,0x40) - // if iszero(l_success) { - // error_ec_op() - // } - // } - - // /// @param dst pointer storing the result - // /// @param p pointer to the first point (calldata) - // /// @param q pointer to the second point (calladata) - // /// @param mPtr pointer to free memory - // function point_add_calldata(dst, p, q, mPtr) { - // mstore(mPtr, mload(p)) - // mstore(add(mPtr, 0x20), mload(add(p, 0x20))) - // mstore(add(mPtr, 0x40), calldataload(q)) - // mstore(add(mPtr, 0x60), calldataload(add(q, 0x20))) - // let l_success := staticcall(gas(), EC_ADD, mPtr, 0x80, dst, 0x40) - // if iszero(l_success) { - // error_ec_op() - // } - // } - - // /// @parma dst pointer storing the result - // /// @param src pointer to a point on Bn254(𝔽_p) - // /// @param s scalar - // /// @param mPtr free memory - // function point_mul(dst,src,s, mPtr) { - // mstore(mPtr,mload(src)) - // mstore(add(mPtr,0x20),mload(add(src,0x20))) - // mstore(add(mPtr,0x40),s) - // let l_success := staticcall(gas(),EC_MUL,mPtr,0x60,dst,0x40) - // if iszero(l_success) { - // error_ec_op() - // } - // } - - // /// @parma dst pointer storing the result - // /// @param src pointer to a point on Bn254(𝔽_p) on calldata - // /// @param s scalar - // /// @param mPtr free memory - // function point_mul_calldata(dst, src, s, mPtr) { - // mstore(mPtr, calldataload(src)) - // mstore(add(mPtr, 0x20), calldataload(add(src, 0x20))) - // mstore(add(mPtr, 0x40), s) - // let l_success := staticcall(gas(), EC_MUL, mPtr, 0x60, dst, 0x40) - // if iszero(l_success) { - // error_ec_op() - // } - // } - - // /// @notice dst <- dst + [s]src (Elliptic curve) - // /// @param dst pointer accumulator point storing the result - // /// @param src pointer to the point to multiply and add - // /// @param s scalar - // /// @param mPtr free memory - // function point_acc_mul(dst,src,s, mPtr) { - // mstore(mPtr,mload(src)) - // mstore(add(mPtr,0x20),mload(add(src,0x20))) - // mstore(add(mPtr,0x40),s) - // let l_success := staticcall(gas(),7,mPtr,0x60,mPtr,0x40) - // mstore(add(mPtr,0x40),mload(dst)) - // mstore(add(mPtr,0x60),mload(add(dst,0x20))) - // l_success := and(l_success, staticcall(gas(),EC_ADD,mPtr,0x80,dst, 0x40)) - // if iszero(l_success) { - // error_ec_op() - // } - // } - - // /// @notice dst <- dst + [s]src (Elliptic curve) - // /// @param dst pointer accumulator point storing the result - // /// @param src pointer to the point to multiply and add (on calldata) - // /// @param s scalar - // /// @mPtr free memory - // function point_acc_mul_calldata(dst, src, s, mPtr) { - // mstore(mPtr, calldataload(src)) - // mstore(add(mPtr, 0x20), calldataload(add(src, 0x20))) - // mstore(add(mPtr, 0x40), s) - // let l_success := staticcall(gas(), 7, mPtr, 0x60, mPtr, 0x40) - // mstore(add(mPtr, 0x40), mload(dst)) - // mstore(add(mPtr, 0x60), mload(add(dst, 0x20))) - // l_success := and(l_success, staticcall(gas(), EC_ADD, mPtr, 0x80, dst, 0x40)) - // if iszero(l_success) { - // error_ec_op() - // } - // } + // BEGINNING utils math functions ------------------------------------------------- /// @notice dst <- dst + src*s (Fr) dst,src are addresses, s is a value /// @param dst pointer storing the result @@ -1385,8 +1257,7 @@ contract PlonkVerifier { res := mload(mPtr) } } - emit PrintUint256(check); - return true; + return success; } } ` From 0f41262c36ccfdbe6248dba1353c243be676a00f Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 25 Jul 2025 18:29:29 +0200 Subject: [PATCH 18/23] feat: sanity checks --- backend/plonk/bls12-381/solidity.go | 76 ++++++++++++++--------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 256581cf85..14338945ff 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -194,9 +194,9 @@ contract PlonkVerifier { let mem := mload(0x40) let freeMem := add(mem, STATE_LAST_MEM) - // // sanity checks - // check_number_of_public_inputs(public_inputs.length) - // check_inputs_size(public_inputs.length, public_inputs.offset) + // sanity checks + check_number_of_public_inputs(public_inputs.length) + check_inputs_size(public_inputs.length, public_inputs.offset) // check_proof_size(proof.length) // check_proof_openings_size(proof.offset) @@ -231,14 +231,14 @@ contract PlonkVerifier { // // Beginning errors ------------------------------------------------- - // function error_nb_public_inputs() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0x1d) - // mstore(add(ptError, 0x44), "wrong number of public inputs") - // revert(ptError, 0x64) - // } + function error_nb_public_inputs() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0x1d) + mstore(add(ptError, 0x44), "wrong number of public inputs") + revert(ptError, 0x64) + } /// Called when an exponentiation mod r fails function error_mod_exp() { @@ -261,15 +261,15 @@ contract PlonkVerifier { revert(ptError, 0x64) } - // /// Called when one of the public inputs is not reduced. - // function error_inputs_size() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0x18) - // mstore(add(ptError, 0x44), "inputs are bigger than r") - // revert(ptError, 0x64) - // } + /// Called when one of the public inputs is not reduced. + function error_inputs_size() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0x18) + mstore(add(ptError, 0x44), "inputs are bigger than r") + revert(ptError, 0x64) + } // /// Called when the size proof is not as expected // /// @dev to avoid overflow attack for instance @@ -324,25 +324,25 @@ contract PlonkVerifier { // // Beginning checks ------------------------------------------------- - // /// @param s actual number of public inputs - // function check_number_of_public_inputs(s) { - // if iszero(eq(s, VK_NB_PUBLIC_INPUTS)) { - // error_nb_public_inputs() - // } - // } + /// @param s actual number of public inputs + function check_number_of_public_inputs(s) { + if iszero(eq(s, VK_NB_PUBLIC_INPUTS)) { + error_nb_public_inputs() + } + } - // /// Checks that the public inputs are < R_MOD. - // /// @param s number of public inputs - // /// @param p pointer to the public inputs array - // function check_inputs_size(s, p) { - // for {let i} lt(i, s) {i:=add(i,1)} - // { - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_inputs_size() - // } - // p := add(p, 0x20) - // } - // } + /// Checks that the public inputs are < R_MOD. + /// @param s number of public inputs + /// @param p pointer to the public inputs array + function check_inputs_size(s, p) { + for {let i} lt(i, s) {i:=add(i,1)} + { + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_inputs_size() + } + p := add(p, 0x20) + } + } // /// Checks if the proof is of the correct size // /// @param actual_proof_size size of the proof (not the expected size) From 6a3ad946b49aaae9f23f9389990032b0a46cf566 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 25 Jul 2025 18:39:01 +0200 Subject: [PATCH 19/23] feat: sanity checks ok --- backend/plonk/bls12-381/solidity.go | 166 ++++++++++++++-------------- 1 file changed, 83 insertions(+), 83 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index 14338945ff..ac0cd1b1d8 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -87,7 +87,7 @@ contract PlonkVerifier { // ------------------------------------------------ // size of the proof without call custom gate - uint256 private constant FIXED_PROOF_SIZE = 0x300; + uint256 private constant FIXED_PROOF_SIZE = 0x420; // offset proof {{ $offset := 0 }} @@ -197,8 +197,8 @@ contract PlonkVerifier { // sanity checks check_number_of_public_inputs(public_inputs.length) check_inputs_size(public_inputs.length, public_inputs.offset) - // check_proof_size(proof.length) - // check_proof_openings_size(proof.offset) + check_proof_size(proof.length) + check_proof_openings_size(proof.offset) // // compute the challenges let prev_challenge_non_reduced @@ -271,28 +271,28 @@ contract PlonkVerifier { revert(ptError, 0x64) } - // /// Called when the size proof is not as expected - // /// @dev to avoid overflow attack for instance - // function error_proof_size() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0x10) - // mstore(add(ptError, 0x44), "wrong proof size") - // revert(ptError, 0x64) - // } + /// Called when the size proof is not as expected + /// @dev to avoid overflow attack for instance + function error_proof_size() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0x10) + mstore(add(ptError, 0x44), "wrong proof size") + revert(ptError, 0x64) + } - // /// Called when one the openings is bigger than r - // /// The openings are the claimed evalutions of a polynomial - // /// in a Kzg proof. - // function error_proof_openings_size() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0x16) - // mstore(add(ptError, 0x44), "openings bigger than r") - // revert(ptError, 0x64) - // } + /// Called when one the openings is bigger than r + /// The openings are the claimed evalutions of a polynomial + /// in a Kzg proof. + function error_proof_openings_size() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0x16) + mstore(add(ptError, 0x44), "openings bigger than r") + revert(ptError, 0x64) + } function error_pairing() { let ptError := mload(0x40) @@ -322,7 +322,7 @@ contract PlonkVerifier { // } // // end errors ------------------------------------------------- - // // Beginning checks ------------------------------------------------- + // Beginning checks ------------------------------------------------- /// @param s actual number of public inputs function check_number_of_public_inputs(s) { @@ -344,69 +344,69 @@ contract PlonkVerifier { } } - // /// Checks if the proof is of the correct size - // /// @param actual_proof_size size of the proof (not the expected size) - // function check_proof_size(actual_proof_size) { - // let expected_proof_size := add(FIXED_PROOF_SIZE, mul(VK_NB_CUSTOM_GATES,0x60)) - // if iszero(eq(actual_proof_size, expected_proof_size)) { - // error_proof_size() - // } - // } + /// Checks if the proof is of the correct size + /// @param actual_proof_size size of the proof (not the expected size) + function check_proof_size(actual_proof_size) { + let expected_proof_size := add(FIXED_PROOF_SIZE, mul(VK_NB_CUSTOM_GATES,0x80)) + if iszero(eq(actual_proof_size, expected_proof_size)) { + error_proof_size() + } + } - // /// Checks if the multiple openings of the polynomials are < R_MOD. - // /// @param aproof pointer to the beginning of the proof - // /// @dev the 'a' prepending proof is to have a local name - // function check_proof_openings_size(aproof) { + /// Checks if the multiple openings of the polynomials are < R_MOD. + /// @param aproof pointer to the beginning of the proof + /// @dev the 'a' prepending proof is to have a local name + function check_proof_openings_size(aproof) { - // // PROOF_L_AT_ZETA - // let p := add(aproof, PROOF_L_AT_ZETA) - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } - - // // PROOF_R_AT_ZETA - // p := add(aproof, PROOF_R_AT_ZETA) - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } - - // // PROOF_O_AT_ZETA - // p := add(aproof, PROOF_O_AT_ZETA) - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } - - // // PROOF_S1_AT_ZETA - // p := add(aproof, PROOF_S1_AT_ZETA) - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } + // PROOF_L_AT_ZETA + let p := add(aproof, PROOF_L_AT_ZETA) + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } + + // PROOF_R_AT_ZETA + p := add(aproof, PROOF_R_AT_ZETA) + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } + + // PROOF_O_AT_ZETA + p := add(aproof, PROOF_O_AT_ZETA) + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } + + // PROOF_S1_AT_ZETA + p := add(aproof, PROOF_S1_AT_ZETA) + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } - // // PROOF_S2_AT_ZETA - // p := add(aproof, PROOF_S2_AT_ZETA) - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } - - // // PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA - // p := add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA) - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } - - // // PROOF_QCP_AT_ZETA + // PROOF_S2_AT_ZETA + p := add(aproof, PROOF_S2_AT_ZETA) + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } + + // PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA + p := add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA) + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } + + // PROOF_QCP_AT_ZETA - // p := add(aproof, PROOF_QCP_AT_ZETA) - // for {let i:=0} lt(i, VK_NB_CUSTOM_GATES) {i:=add(i,1)} - // { - // if gt(calldataload(p), R_MOD_MINUS_ONE) { - // error_proof_openings_size() - // } - // p := add(p, 0x20) - // } + p := add(aproof, PROOF_QCP_AT_ZETA) + for {let i:=0} lt(i, VK_NB_CUSTOM_GATES) {i:=add(i,1)} + { + if gt(calldataload(p), R_MOD_MINUS_ONE) { + error_proof_openings_size() + } + p := add(p, 0x20) + } - // } - // // end checks ------------------------------------------------- + } + // end checks ------------------------------------------------- // // Beginning challenges ------------------------------------------------- From e38ea2301c78c690df62105dc06474ce60c5127a Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 25 Jul 2025 19:36:01 +0200 Subject: [PATCH 20/23] feat: gamma kzg ok --- backend/plonk/bls12-381/solidity.go | 46 +++++++++++++---------------- 1 file changed, 21 insertions(+), 25 deletions(-) diff --git a/backend/plonk/bls12-381/solidity.go b/backend/plonk/bls12-381/solidity.go index ac0cd1b1d8..96d7b11739 100644 --- a/backend/plonk/bls12-381/solidity.go +++ b/backend/plonk/bls12-381/solidity.go @@ -312,15 +312,15 @@ contract PlonkVerifier { revert(ptError, 0x64) } - // function error_random_generation() { - // let ptError := mload(0x40) - // mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) - // mstore(add(ptError, 0x4), 0x20) - // mstore(add(ptError, 0x24), 0x14) - // mstore(add(ptError, 0x44), "error random gen kzg") - // revert(ptError, 0x64) - // } - // // end errors ------------------------------------------------- + function error_random_generation() { + let ptError := mload(0x40) + mstore(ptError, ERROR_STRING_ID) // selector for function Error(string) + mstore(add(ptError, 0x4), 0x20) + mstore(add(ptError, 0x24), 0x14) + mstore(add(ptError, 0x44), "error random gen kzg") + revert(ptError, 0x64) + } + // end errors ------------------------------------------------- // Beginning checks ------------------------------------------------- @@ -850,22 +850,18 @@ contract PlonkVerifier { // do an FS like challenge derivation, depending on both digests and // ζ to ensure that the prover cannot control the random number. // Note: adding the other point ζω is not needed, as ω is known beforehand. - // mstore(mPtr, mload(add(state, STATE_FOLDED_DIGESTS_X))) - // mstore(add(mPtr, 0x20), mload(add(state, STATE_FOLDED_DIGESTS_Y))) - // mstore(add(mPtr, 0x40), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X))) - // mstore(add(mPtr, 0x60), calldataload(add(aproof, PROOF_BATCH_OPENING_AT_ZETA_Y))) - // mstore(add(mPtr, 0x80), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X))) - // mstore(add(mPtr, 0xa0), calldataload(add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_Y))) - // mstore(add(mPtr, 0xc0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X))) - // mstore(add(mPtr, 0xe0), calldataload(add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_Y))) - // mstore(add(mPtr, 0x100), mload(add(state, STATE_ZETA))) - // mstore(add(mPtr, 0x120), mload(add(state, STATE_GAMMA_KZG))) - // let random := staticcall(gas(), SHA2, mPtr, 0x140, mPtr, 0x20) - // if iszero(random){ - // error_random_generation() - // } - // random := mod(mload(mPtr), R_MOD) // use the same variable as we are one variable away from getting stack-too-deep error... - let random := 5 + {{ $offset = 0 }} + mcopy(mPtr, add(state, STATE_FOLDED_DIGESTS), 0x80){{ $offset = add $offset 0x60 }} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_BATCH_OPENING_AT_ZETA_X), 0x60){{ $offset = add $offset 0x60 }} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_GRAND_PRODUCT_COMMITMENT_X), 0x60){{ $offset = add $offset 0x60 }} + calldatacopy(add(mPtr, {{ hex $offset }}), add(aproof, PROOF_OPENING_AT_ZETA_OMEGA_X), 0x60){{ $offset = add $offset 0x60 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_ZETA))){{ $offset = add $offset 0x20 }} + mstore(add(mPtr, {{ hex $offset }}), mload(add(state, STATE_GAMMA_KZG))){{ $offset = add $offset 0x20 }} + let random := staticcall(gas(), SHA2, mPtr, {{ $offset }}, mPtr, 0x20){{ $offset = add $offset 0x20 }} + if iszero(random){ + error_random_generation() + } + random := mod(mload(mPtr), R_MOD) let folded_evals := add(state, STATE_FOLDED_CLAIMED_VALUES) fr_acc_mul_calldata(folded_evals, add(aproof, PROOF_GRAND_PRODUCT_AT_ZETA_OMEGA), random) From 4ff8a9e141701f72d009f5949873242eb6f2fd23 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 25 Jul 2025 19:42:26 +0200 Subject: [PATCH 21/23] feat: checkout go.sum, go.mod --- go.mod | 81 ++---------------------- go.sum | 195 +-------------------------------------------------------- 2 files changed, 5 insertions(+), 271 deletions(-) diff --git a/go.mod b/go.mod index d52cd31e1d..ef8d9460e4 100644 --- a/go.mod +++ b/go.mod @@ -19,92 +19,19 @@ require ( github.com/ronanh/intcomp v1.1.1 github.com/rs/zerolog v1.34.0 github.com/stretchr/testify v1.10.0 - golang.org/x/crypto v0.40.0 + golang.org/x/crypto v0.39.0 golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 - golang.org/x/sync v0.16.0 + golang.org/x/sync v0.15.0 ) require ( - github.com/DataDog/zstd v1.4.5 // indirect - github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/StackExchange/wmi v1.2.1 // indirect - github.com/VictoriaMetrics/fastcache v1.12.2 // indirect - github.com/beorn7/perks v1.0.1 // indirect - github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/cockroachdb/errors v1.11.3 // indirect - github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce // indirect - github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect - github.com/cockroachdb/pebble v1.1.5 // indirect - github.com/cockroachdb/redact v1.1.5 // indirect - github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect - github.com/crate-crypto/go-eth-kzg v1.3.0 // indirect - github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/deckarep/golang-set/v2 v2.6.0 // indirect - github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect - github.com/ethereum/c-kzg-4844/v2 v2.1.1 // indirect - github.com/ethereum/go-ethereum v1.16.1 // indirect - github.com/ethereum/go-verkle v0.2.2 // indirect - github.com/ferranbt/fastssz v0.1.2 // indirect - github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/getsentry/sentry-go v0.27.0 // indirect - github.com/go-ole/go-ole v1.3.0 // indirect - github.com/gofrs/flock v0.12.1 // indirect - github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.1 // indirect - github.com/golang/protobuf v1.5.4 // indirect - github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb // indirect - github.com/google/uuid v1.3.0 // indirect - github.com/gorilla/websocket v1.4.2 // indirect - github.com/hashicorp/go-bexpr v0.1.10 // indirect - github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4 // indirect - github.com/holiman/bloomfilter/v2 v2.0.3 // indirect - github.com/holiman/uint256 v1.3.2 // indirect - github.com/huin/goupnp v1.3.0 // indirect - github.com/jackpal/go-nat-pmp v1.0.2 // indirect - github.com/klauspost/compress v1.16.0 // indirect - github.com/klauspost/cpuid/v2 v2.0.9 // indirect - github.com/kr/pretty v0.3.1 // indirect - github.com/kr/text v0.2.0 // indirect github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect - github.com/mattn/go-runewidth v0.0.13 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect - github.com/minio/sha256-simd v1.0.0 // indirect - github.com/mitchellh/mapstructure v1.4.1 // indirect - github.com/mitchellh/pointerstructure v1.2.0 // indirect github.com/mmcloughlin/addchain v0.4.0 // indirect - github.com/olekukonko/tablewriter v0.0.5 // indirect - github.com/pion/dtls/v2 v2.2.7 // indirect - github.com/pion/logging v0.2.2 // indirect - github.com/pion/stun/v2 v2.0.0 // indirect - github.com/pion/transport/v2 v2.2.1 // indirect - github.com/pion/transport/v3 v3.0.1 // indirect - github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/prometheus/client_golang v1.15.0 // indirect - github.com/prometheus/client_model v0.3.0 // indirect - github.com/prometheus/common v0.42.0 // indirect - github.com/prometheus/procfs v0.9.0 // indirect - github.com/rivo/uniseg v0.2.0 // indirect - github.com/rogpeppe/go-internal v1.12.0 // indirect - github.com/rs/cors v1.7.0 // indirect - github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible // indirect - github.com/supranational/blst v0.3.15 // indirect - github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect - github.com/tklauser/go-sysconf v0.3.12 // indirect - github.com/tklauser/numcpus v0.6.1 // indirect - github.com/urfave/cli/v2 v2.27.5 // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect - golang.org/x/sys v0.34.0 // indirect - golang.org/x/text v0.27.0 // indirect - golang.org/x/time v0.9.0 // indirect - google.golang.org/protobuf v1.34.2 // indirect - gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect + golang.org/x/sys v0.33.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect rsc.io/tmplfunc v0.0.3 // indirect -) +) \ No newline at end of file diff --git a/go.sum b/go.sum index cb69aef6c2..aca790bda2 100644 --- a/go.sum +++ b/go.sum @@ -39,21 +39,10 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ= -github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= -github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= -github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA= -github.com/StackExchange/wmi v1.2.1/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8= -github.com/VictoriaMetrics/fastcache v1.12.2 h1:N0y9ASrJ0F6h0QaC3o6uJb3NIZ9VKLjCM7NQbSmF7WI= -github.com/VictoriaMetrics/fastcache v1.12.2/go.mod h1:AmC+Nzz1+3G2eCPapF6UcsnkThDcMsQicp4xDukwJYI= -github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/bits-and-blooms/bitset v1.22.0 h1:Tquv9S8+SGaS3EhyA+up3FXzmkhxPGjQQCkcs2uw7w4= github.com/bits-and-blooms/bitset v1.22.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= @@ -61,9 +50,6 @@ github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqO github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= -github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= @@ -71,18 +57,6 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cockroachdb/errors v1.11.3 h1:5bA+k2Y6r+oz/6Z/RFlNeVCesGARKuC6YymtcDrbC/I= -github.com/cockroachdb/errors v1.11.3/go.mod h1:m4UIW4CDjx+R5cybPsNrRbreomiFqt8o1h1wUVazSd8= -github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce h1:giXvy4KSc/6g/esnpM7Geqxka4WSqI1SZc7sMJFd3y4= -github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce/go.mod h1:9/y3cnZ5GKakj/H4y9r9GTjCvAFta7KLgSHPJJYc52M= -github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b h1:r6VH0faHjZeQy818SGhaone5OnYfxFR/+AzdY3sf5aE= -github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b/go.mod h1:Vz9DsVWQQhf3vs21MhPMZpMGSht7O/2vFW2xusFUVOs= -github.com/cockroachdb/pebble v1.1.5 h1:5AAWCBWbat0uE0blr8qzufZP5tBjkRyy/jWe1QWLnvw= -github.com/cockroachdb/pebble v1.1.5/go.mod h1:17wO9el1YEigxkP/YtV8NtCivQDgoCyBg5c4VR/eOWo= -github.com/cockroachdb/redact v1.1.5 h1:u1PMllDkdFfPWaNGMyLD1+so+aq3uUItthCFqzwPJ30= -github.com/cockroachdb/redact v1.1.5/go.mod h1:BVNblN9mBWFyMyqK1k3AAiSxhvhfK2oOZZ2lK+dpvRg= -github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 h1:zuQyyAKVxetITBuuhv3BI9cMrmStnpT18zmgmTxunpo= -github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06/go.mod h1:7nc4anLGjupUW/PeY5qiNYsdNXj7zopG+eqsS7To5IQ= github.com/consensys/bavard v0.1.31-0.20250406004941-2db259e4b582 h1:dTlIwEdFQmldzFf5F6bbTcYWhvnAgZai2g8eq3Wwxqg= github.com/consensys/bavard v0.1.31-0.20250406004941-2db259e4b582/go.mod h1:k/zVjHHC4B+PQy1Pg7fgvG3ALicQw540Crag8qx+dZs= github.com/consensys/compress v0.2.5 h1:gJr1hKzbOD36JFsF1AN8lfXz1yevnJi1YolffY19Ntk= @@ -93,20 +67,9 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= -github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/crate-crypto/go-eth-kzg v1.3.0 h1:05GrhASN9kDAidaFJOda6A4BEvgvuXbazXg/0E3OOdI= -github.com/crate-crypto/go-eth-kzg v1.3.0/go.mod h1:J9/u5sWfznSObptgfa92Jq8rTswn6ahQWEuiLHOjCUI= -github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a h1:W8mUrRp6NOVl3J+MYp5kPMoUZPp7aOYHtaua31lwRHg= -github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a/go.mod h1:sTwzHBvIzm2RfVCGNEBZgRyjwK40bVoun3ZnGOCafNM= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckarep/golang-set/v2 v2.6.0 h1:XfcQbWM1LlMB8BsJ8N9vW5ehnnPVIw0je80NsVHagjM= -github.com/deckarep/golang-set/v2 v2.6.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -114,37 +77,16 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/ethereum/c-kzg-4844/v2 v2.1.1 h1:KhzBVjmURsfr1+S3k/VE35T02+AW2qU9t9gr4R6YpSo= -github.com/ethereum/c-kzg-4844/v2 v2.1.1/go.mod h1:TC48kOKjJKPbN7C++qIgt0TJzZ70QznYR7Ob+WXl57E= -github.com/ethereum/go-ethereum v1.16.1 h1:7684NfKCb1+IChudzdKyZJ12l1Tq4ybPZOITiCDXqCk= -github.com/ethereum/go-ethereum v1.16.1/go.mod h1:ngYIvmMAYdo4sGW9cGzLvSsPGhDOOzL0jK5S5iXpj0g= -github.com/ethereum/go-verkle v0.2.2 h1:I2W0WjnrFUIzzVPwm8ykY+7pL2d4VhlsePn4j7cnFk8= -github.com/ethereum/go-verkle v0.2.2/go.mod h1:M3b90YRnzqKyyzBEWJGqj8Qff4IDeXnzFw0P9bFw3uk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/ferranbt/fastssz v0.1.2 h1:Dky6dXlngF6Qjc+EfDipAkE83N5I5DE68bY6O0VLNPk= -github.com/ferranbt/fastssz v0.1.2/go.mod h1:X5UPrE2u1UJjxHA8X54u04SBwdAQjG2sFtWs39YxyWs= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/getsentry/sentry-go v0.27.0 h1:Pv98CIbtB3LkMWmXi4Joa5OOcwbmnX88sF5qbK3r3Ps= -github.com/getsentry/sentry-go v0.27.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= -github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE= -github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= -github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo= -github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -174,11 +116,6 @@ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= -github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb h1:PBC98N2aIaM3XXiurYmW7fx4GZkL8feAMVq7nEjURHk= -github.com/golang/snappy v0.0.5-0.20220116011046-fa5810519dcb/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -215,20 +152,14 @@ github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxV github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= -github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-bexpr v0.1.10 h1:9kuI5PFotCboP3dkDYFr/wi0gg0QVbSNz5oFRpxn4uE= -github.com/hashicorp/go-bexpr v0.1.10/go.mod h1:oxlubA2vC/gFVfX1A6JGp7ls7uCDlfJn732ehYYg+g0= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= @@ -246,15 +177,6 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4 h1:X4egAf/gcS1zATw6wn4Ej8vjuVGxeHdan+bRb2ebyv4= -github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4/go.mod h1:5GuXa7vkL8u9FkFuWdVvfR5ix8hRB7DbOAaYULamFpc= -github.com/holiman/bloomfilter/v2 v2.0.3 h1:73e0e/V0tCydx14a0SCYS/EWCxgwLZ18CZcZKVu0fao= -github.com/holiman/bloomfilter/v2 v2.0.3/go.mod h1:zpoh+gs7qcpqrHr3dB55AMiJwo0iURXE7ZOP9L9hSkA= -github.com/holiman/uint256 v1.3.2 h1:a9EgMPSC1AAaj1SZL5zIQD3WbwTuHrMGOerLjGmM/TA= -github.com/holiman/uint256 v1.3.2/go.mod h1:EOMSn4q6Nyt9P6efbI3bueV4e1b3dGlUCXeiRV4ng7E= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/huin/goupnp v1.3.0 h1:UvLUlWDNpoUdYzb2TCn+MuTWtcjXKSza2n6CBdQ0xXc= -github.com/huin/goupnp v1.3.0/go.mod h1:gnGPsThkYa7bFi/KWmEysQRf48l2dvR5bxr2OFckNX8= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/icza/bitio v1.1.0 h1:ysX4vtldjdi3Ygai5m1cWy4oLkhWTAi+SyO6HC8L9T0= @@ -264,19 +186,12 @@ github.com/icza/mighty v0.0.0-20180919140131-cfd07d671de6/go.mod h1:xQig96I1VNBD github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/ingonyama-zk/icicle-gnark/v3 v3.2.2 h1:B+aWVgAx+GlFLhtYjIaF0uGjU3rzpl99Wf9wZWt+Mq8= github.com/ingonyama-zk/icicle-gnark/v3 v3.2.2/go.mod h1:CH/cwcr21pPWH+9GtK/PFaa4OGTv4CtfkCKro6GpbRE= -github.com/jackpal/go-nat-pmp v1.0.2 h1:KzKSgb7qkJvOUTqYl9/Hg/me3pWgBmERKrTGD7BdWus= -github.com/jackpal/go-nat-pmp v1.0.2/go.mod h1:QPH045xvCAeXUZOxsnwmrtiCoxIr9eob+4orBN1SBKc= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= -github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= -github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= -github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4= -github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -297,14 +212,7 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= -github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= -github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/minio/sha256-simd v1.0.0 h1:v1ta+49hkWZyvaKwrQB8elexRqm6Y0aMLjCNsrYxo6g= -github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= @@ -312,10 +220,7 @@ github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS4 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/pointerstructure v1.2.0 h1:O+i9nHnXS3l/9Wu7r4NrEdwA2VFTicjUEN1uBnDo34A= -github.com/mitchellh/pointerstructure v1.2.0/go.mod h1:BRAsLI5zgXmw97Lf6s25bs8ohIXc3tViBH44KcwB2g4= github.com/mmcloughlin/addchain v0.4.0 h1:SobOdjm2xLj1KkXN5/n0xTIWyZA2+s99UCY1iPfkHRY= github.com/mmcloughlin/addchain v0.4.0/go.mod h1:A86O+tHqZLMNO4w6ZZ4FlVQEadcoqkyU72HC5wJ4RlU= github.com/mmcloughlin/profile v0.1.1/go.mod h1:IhHD7q1ooxgwTgjxQYkACGA77oFTDdFVejUS1/tS/qU= @@ -324,64 +229,27 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo= github.com/neelance/sourcemap v0.0.0-20200213170602-2833bce08e4c/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= -github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8= -github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s= -github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY= -github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms= -github.com/pion/stun/v2 v2.0.0 h1:A5+wXKLAypxQri59+tmQKVs7+l6mMM+3d+eER9ifRU0= -github.com/pion/stun/v2 v2.0.0/go.mod h1:22qRSh08fSEttYUmJZGlriq9+03jtVmXNODgLccj8GQ= -github.com/pion/transport/v2 v2.2.1 h1:7qYnCBlpgSJNYMbLCKuSY9KbQdBFoETvPNETv0y4N7c= -github.com/pion/transport/v2 v2.2.1/go.mod h1:cXXWavvCnFF6McHTft3DWS9iic2Mftcz1Aq29pGcU5g= -github.com/pion/transport/v3 v3.0.1 h1:gDTlPJwROfSfz6QfSi0ZmeCSkFcnWWiiR9ES0ouANiM= -github.com/pion/transport/v3 v3.0.1/go.mod h1:UY7kiITrlMv7/IKgd5eTUcaahZx5oUN3l9SzK5f5xE0= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM= -github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= -github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= -github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= -github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= -github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= -github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= -github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= -github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/ronanh/intcomp v1.1.1 h1:+1bGV/wEBiHI0FvzS7RHgzqOpfbBJzLIxkqMJ9e6yxY= github.com/ronanh/intcomp v1.1.1/go.mod h1:7FOLy3P3Zj3er/kVrU/pl+Ql7JFZj7bwliMGketo0IU= -github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik= -github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0= github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY= github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= -github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible h1:Bn1aCHHRnjv4Bl16T8rcaFjYSrGrIZvpiGO6P3Q4GpU= -github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/shurcooL/go v0.0.0-20200502201357-93f07166e636/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= @@ -398,35 +266,17 @@ github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= -github.com/supranational/blst v0.3.15 h1:rd9viN6tfARE5wv3KZJ9H8e1cg0jXW8syFCcsbHa76o= -github.com/supranational/blst v0.3.15/go.mod h1:jZJtfjgudtNl4en1tzwPIV3KjUnQUvG3/j+w+fVonLw= -github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 h1:epCh84lMvA70Z7CTTCmYQn2CKbY8j86K7/FAIr141uY= -github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7/go.mod h1:q4W45IWZaF22tdD+VEXcAWRA037jwmWEB5VWYORlTpc= -github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= -github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= -github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk= -github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= -github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w= -github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= -github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -455,12 +305,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE= -golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= -golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM= -golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -503,7 +349,6 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -526,11 +371,9 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -543,9 +386,6 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -573,11 +413,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= -golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= -golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -587,12 +424,9 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -606,10 +440,8 @@ golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -628,26 +460,15 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= -golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -658,15 +479,9 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= -golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= -golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= -golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -828,23 +643,15 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= -gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= @@ -862,4 +669,4 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= rsc.io/tmplfunc v0.0.3 h1:53XFQh69AfOa8Tw0Jm7t+GV7KZhOi6jzsCzTtKbMvzU= -rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA= +rsc.io/tmplfunc v0.0.3/go.mod h1:AG3sTPzElb1Io3Yg4voV9AGZJuleGAwaVRxL9M49PhA= \ No newline at end of file From 10e98f8ecf75859f635b6810032eb6313c1f4ea7 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Fri, 25 Jul 2025 19:45:45 +0200 Subject: [PATCH 22/23] feat: solidity checker for bls12-381 --- test/assert_checkcircuit.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/assert_checkcircuit.go b/test/assert_checkcircuit.go index ba44ab6bc3..813a8be543 100644 --- a/test/assert_checkcircuit.go +++ b/test/assert_checkcircuit.go @@ -122,7 +122,7 @@ func (assert *Assert) CheckCircuit(circuit frontend.Circuit, opts ...TestingOpti for _, w := range validWitnesses { w := w assert.Run(func(assert *Assert) { - checkSolidity := opt.checkSolidity && curve == ecc.BN254 + checkSolidity := opt.checkSolidity && (curve == ecc.BN254 || curve == ecc.BLS12_381) proverOpts := opt.proverOpts verifierOpts := opt.verifierOpts if b == backend.GROTH16 { From d496e91e44cd4e1539f80b2e85088b4380a0eae8 Mon Sep 17 00:00:00 2001 From: Thomas Piellard Date: Tue, 29 Jul 2025 16:33:23 +0200 Subject: [PATCH 23/23] feat: add export vk in the templates --- .../zkpschemes/plonk/plonk.verify.go.tmpl | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl b/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl index 8cae28969e..43ebf3e3a1 100644 --- a/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl +++ b/internal/generator/backend/template/zkpschemes/plonk/plonk.verify.go.tmpl @@ -432,6 +432,73 @@ func (vk *VerifyingKey) ExportSolidity(w io.Writer, exportOpts ...solidity.Expor }) } +{{else if eq .Curve "BLS12-381"}} + +// ExportSolidity exports the verifying key to a solidity smart contract. +// +// Code has not been audited and is provided as-is, we make no guarantees or warranties to its safety and reliability. +func (vk *VerifyingKey) ExportSolidity(w io.Writer, exportOpts ...solidity.ExportOption) error { + funcMap := template.FuncMap{ + "hex": func(i int) string { + return fmt.Sprintf("0x%x", i) + }, + "mul": func(a, b int) int { + return a * b + }, + "inc": func(i int) int { + return i + 1 + }, + "frstr": func(x fr.Element) string { + // we use big.Int to always get a positive string. + // not the most efficient hack, but it works better for .sol generation. + bv := new(big.Int) + x.BigInt(bv) + return bv.String() + }, + "fpstr_lo": func(x fp.Element) string { + bv := new(big.Int) + twoTo256 := new(big.Int) + twoTo256.SetString("115792089237316195423570985008687907853269984665640564039457584007913129639936", 10) + x.BigInt(bv) + bv.Mod(bv, twoTo256) + return bv.String() + }, + "fpstr_hi": func(x fp.Element) string { + bv := new(big.Int) + x.BigInt(bv) + bv.Rsh(bv, 256) + return bv.String() + }, + "add": func(i, j int) int { + return i + j + }, + "sub": func(i, j int) int { + return i - j + }, + } + + t, err := template.New("t").Funcs(funcMap).Parse(tmplSolidityVerifier) + if err != nil { + return err + } + + cfg, err := solidity.NewExportConfig(exportOpts...) + if err != nil { + return err + } + if cfg.HashToFieldFn != nil { + return fmt.Errorf("setting hash to field function is not supported for PLONK Solidity export. Hash function is hardcoded to RFC9380") + } + + return t.Execute(w, struct { + Cfg solidity.ExportConfig + Vk VerifyingKey + }{ + Cfg: cfg, + Vk: *vk, + }) +} + {{else}} // ExportSolidity not implemented for {{.Curve}} func (vk *VerifyingKey) ExportSolidity(w io.Writer, exportOpts ...solidity.ExportOption) error {