Greybeard / momiji-node-mainnet
Commit 671a85fd, authored 11 months ago by John Doe
🟣 ⛵ 🏴‍☠️
parent aff1f6e0
Pipeline #49 failed with stages in 0 seconds
Changes: 335; Pipelines: 1
Showing 20 changed files with 3900 additions and 0 deletions (+3900 -0)
momiji-helpers/circuits/helpers/codegen/rollup_transaction.ts  +51 -0
momiji-helpers/circuits/helpers/codegen/tx_as_hash.ts  +30 -0
momiji-helpers/circuits/helpers/codegen/utxo_to_commitment.ts  +25 -0
momiji-helpers/circuits/helpers/src/hash.nr  +267 -0
momiji-helpers/circuits/helpers/src/lib.nr  +363 -0
momiji-helpers/circuits/helpers/src/structs.nr  +253 -0
momiji-helpers/circuits/publish/Nargo.toml  +8 -0
momiji-helpers/circuits/publish/Prover.toml  +0 -0
momiji-helpers/circuits/publish/Verifier.toml  +0 -0
momiji-helpers/circuits/publish/contract/publish/plonk_vk.sol  +2777 -0
momiji-helpers/circuits/publish/proofs/publish.proof  +1 -0
momiji-helpers/circuits/publish/src/main.nr  +67 -0
momiji-helpers/circuits/recursion/Nargo.toml  +8 -0
momiji-helpers/circuits/recursion/Prover.toml  +0 -0
momiji-helpers/circuits/recursion/Verifier.toml  +0 -0
momiji-helpers/circuits/recursion/proofs/proof  +0 -0
momiji-helpers/circuits/recursion/src/main.nr  +49 -0
momiji-helpers/circuits/recursion/target/acir.gz  +0 -0
momiji-helpers/circuits/recursion/target/vk  +0 -0
momiji-helpers/circuits/recursion/target/vk_fields.json  +1 -0
momiji-helpers/circuits/helpers/codegen/rollup_transaction.ts
0 → 100644
/* Autogenerated file, do not edit! */
/* eslint-disable */
import
{
Noir
,
InputMap
,
CompiledCircuit
,
ForeignCallHandler
}
from
"
@noir-lang/noir_js
"
export
type
{
ForeignCallHandler
}
from
"
@noir-lang/noir_js
"
export
type
Field
=
string
;
export
type
VerifierTx
=
{
key_hash
:
Field
;
verification_key
:
Field
[];
proof
:
Field
[];
};
export
type
Verifier
=
{
key_hash
:
Field
;
verification_key
:
Field
[];
proof
:
Field
[];
aggregation_object
:
Field
[];
};
export
type
PublicInputs
=
{
current_root
:
Field
;
utxo_root
:
Field
;
deposit_amount
:
Field
;
withdrawals
:
Field
;
commitment_in
:
Field
[];
commitment_out
:
Field
[];
nullifier_hashes
:
Field
[];
contract_only_inputs
:
Field
;
};
export
type
RecursionInputs
=
{
accumulator
:
Field
;
tx_verifier
:
VerifierTx
;
recursion_verifier
:
Verifier
;
previous_accumulator
:
Field
;
tx
:
PublicInputs
;
};
export
const
rollup_transaction_circuit
:
CompiledCircuit
=
{
"
abi
"
:{
"
parameters
"
:[{
"
name
"
:
"
tx_verifier
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::VerifierTx
"
,
"
fields
"
:[{
"
name
"
:
"
key_hash
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
verification_key
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
114
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
proof
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
93
,
"
type
"
:{
"
kind
"
:
"
field
"
}}}]},
"
visibility
"
:
"
private
"
},{
"
name
"
:
"
recursion_verifier
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::Verifier
"
,
"
fields
"
:[{
"
name
"
:
"
key_hash
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
verification_key
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
114
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
proof
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
109
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
aggregation_object
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}}]},
"
visibility
"
:
"
private
"
},{
"
name
"
:
"
previous_accumulator
"
,
"
type
"
:{
"
kind
"
:
"
field
"
},
"
visibility
"
:
"
private
"
},{
"
name
"
:
"
tx
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::PublicInputs
"
,
"
fields
"
:[{
"
name
"
:
"
current_root
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
utxo_root
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
deposit_amount
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
withdrawals
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
commitment_in
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
commitment_out
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
nullifier_hashes
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
contract_only_inputs
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}}]},
"
visibility
"
:
"
private
"
}],
"
param_witnesses
"
:{
"
previous_accumulator
"
:[{
"
start
"
:
448
,
"
end
"
:
449
}],
"
recursion_verifier
"
:[{
"
start
"
:
208
,
"
end
"
:
448
}],
"
tx
"
:[{
"
start
"
:
449
,
"
end
"
:
502
}],
"
tx_verifier
"
:[{
"
start
"
:
0
,
"
end
"
:
208
}]},
"
return_type
"
:{
"
abi_type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::RecursionInputs
"
,
"
fields
"
:[{
"
name
"
:
"
accumulator
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
tx_verifier
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::VerifierTx
"
,
"
fields
"
:[{
"
name
"
:
"
key_hash
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
verification_key
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
114
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
proof
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
93
,
"
type
"
:{
"
kind
"
:
"
field
"
}}}]}},{
"
name
"
:
"
recursion_verifier
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::Verifier
"
,
"
fields
"
:[{
"
name
"
:
"
key_hash
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
verification_key
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
114
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
proof
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
109
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
aggregation_object
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}}]}},{
"
name
"
:
"
previous_accumulator
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
tx
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::PublicInputs
"
,
"
fields
"
:[{
"
name
"
:
"
current_root
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
utxo_root
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
deposit_amount
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
withdrawals
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
commitment_in
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
commitment_out
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
nullifier_hashes
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
contract_only_inputs
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}}]}}]},
"
visibility
"
:
"
public
"
},
"
return_witnesses
"
:[
6360
,
0
,
1
,
2
,
3
,
4
,
5
,
6
,
7
,
8
,
9
,
10
,
11
,
12
,
13
,
14
,
15
,
16
,
17
,
18
,
19
,
20
,
21
,
22
,
23
,
24
,
25
,
26
,
27
,
28
,
29
,
30
,
31
,
32
,
33
,
34
,
35
,
36
,
37
,
38
,
39
,
40
,
41
,
42
,
43
,
44
,
45
,
46
,
47
,
48
,
49
,
50
,
51
,
52
,
53
,
54
,
55
,
56
,
57
,
58
,
59
,
60
,
61
,
62
,
63
,
64
,
65
,
66
,
67
,
68
,
69
,
70
,
71
,
72
,
73
,
74
,
75
,
76
,
77
,
78
,
79
,
80
,
81
,
82
,
83
,
84
,
85
,
86
,
87
,
88
,
89
,
90
,
91
,
92
,
93
,
94
,
95
,
96
,
97
,
98
,
99
,
100
,
101
,
102
,
103
,
104
,
105
,
106
,
107
,
108
,
109
,
110
,
111
,
112
,
113
,
114
,
115
,
116
,
117
,
118
,
119
,
120
,
121
,
122
,
123
,
124
,
125
,
126
,
127
,
128
,
129
,
130
,
131
,
132
,
133
,
134
,
135
,
136
,
137
,
138
,
139
,
140
,
141
,
142
,
143
,
144
,
145
,
146
,
147
,
148
,
149
,
150
,
151
,
152
,
153
,
154
,
155
,
156
,
157
,
158
,
159
,
160
,
161
,
162
,
163
,
164
,
165
,
166
,
167
,
168
,
169
,
170
,
171
,
172
,
173
,
174
,
175
,
176
,
177
,
178
,
179
,
180
,
181
,
182
,
183
,
184
,
185
,
186
,
187
,
188
,
189
,
190
,
191
,
192
,
193
,
194
,
195
,
196
,
197
,
198
,
199
,
200
,
201
,
202
,
203
,
204
,
205
,
206
,
207
,
208
,
209
,
210
,
211
,
212
,
213
,
214
,
215
,
216
,
217
,
218
,
219
,
220
,
221
,
222
,
223
,
224
,
225
,
226
,
227
,
228
,
229
,
230
,
231
,
232
,
233
,
234
,
235
,
236
,
237
,
238
,
239
,
240
,
241
,
242
,
243
,
244
,
245
,
246
,
247
,
248
,
249
,
250
,
251
,
252
,
253
,
254
,
255
,
256
,
257
,
258
,
259
,
260
,
261
,
262
,
263
,
264
,
265
,
266
,
267
,
268
,
269
,
270
,
271
,
272
,
273
,
274
,
275
,
276
,
277
,
278
,
279
,
280
,
281
,
282
,
283
,
284
,
285
,
286
,
287
,
288
,
289
,
290
,
291
,
292
,
293
,
294
,
295
,
296
,
297
,
298
,
299
,
300
,
301
,
302
,
303
,
304
,
305
,
306
,
307
,
308
,
309
,
310
,
311
,
312
,
313
,
314
,
315
,
316
,
317
,
318
,
319
,
320
,
321
,
322
,
323
,
324
,
325
,
326
,
327
,
328
,
329
,
330
,
331
,
332
,
333
,
334
,
335
,
336
,
337
,
338
,
339
,
340
,
341
,
342
,
343
,
344
,
345
,
346
,
347
,
348
,
349
,
350
,
351
,
352
,
353
,
354
,
355
,
356
,
357
,
358
,
359
,
360
,
361
,
362
,
363
,
364
,
365
,
366
,
367
,
368
,
369
,
370
,
371
,
372
,
373
,
374
,
375
,
376
,
377
,
378
,
379
,
380
,
381
,
382
,
383
,
384
,
385
,
386
,
387
,
388
,
389
,
390
,
391
,
392
,
393
,
394
,
395
,
396
,
397
,
398
,
399
,
400
,
401
,
402
,
403
,
404
,
405
,
406
,
407
,
408
,
409
,
410
,
411
,
412
,
413
,
414
,
415
,
416
,
417
,
418
,
419
,
420
,
421
,
422
,
423
,
424
,
425
,
426
,
427
,
428
,
429
,
430
,
431
,
432
,
433
,
434
,
435
,
436
,
437
,
438
,
439
,
440
,
441
,
442
,
443
,
444
,
445
,
446
,
447
,
448
,
449
,
450
,
451
,
452
,
453
,
454
,
455
,
456
,
457
,
458
,
459
,
460
,
461
,
462
,
463
,
464
,
465
,
466
,
467
,
468
,
469
,
470
,
471
,
472
,
473
,
474
,
475
,
476
,
477
,
478
,
479
,
480
,
481
,
482
,
483
,
484
,
485
,
486
,
487
,
488
,
489
,
490
,
491
,
492
,
493
,
494
,
495
,
496
,
497
,
498
,
499
,
500
,
501
]},
"
bytecode
"
:
"

"
};
export
async
function
rollup_transaction
(
tx_verifier
:
VerifierTx
,
recursion_verifier
:
Verifier
,
previous_accumulator
:
Field
,
tx
:
PublicInputs
,
foreignCallHandler
?:
ForeignCallHandler
):
Promise
<
RecursionInputs
>
{
const
program
=
new
Noir
(
rollup_transaction_circuit
);
const
args
:
InputMap
=
{
tx_verifier
,
recursion_verifier
,
previous_accumulator
,
tx
};
const
{
returnValue
}
=
await
program
.
execute
(
args
,
foreignCallHandler
);
return
returnValue
as
RecursionInputs
;
}
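Review bot: `rollup_transaction_circuit.bytecode` is the empty string (the `"bytecode": ""` entry immediately before the `rollup_transaction()` wrapper), so `new Noir(rollup_transaction_circuit).execute(args, foreignCallHandler)` has nothing to run and every call of `rollup_transaction()` will fail at runtime, while the two sibling generated files in this commit (`tx_as_hash.ts`, `utxo_to_commitment.ts`) do carry a base64 gzip bytecode string in the same slot. Regenerate this file from a compiled recursion circuit before committing it, or leave it out until that circuit compiles; a file marked "Autogenerated file, do not edit!" with no bytecode is worse than no file, because TypeScript callers type-check cleanly against it and only discover the problem when they execute. One more thing for consumers of this ABI: `tx_verifier.proof` is 93 fields whereas `recursion_verifier.proof` is 109 fields plus a 16-field `aggregation_object`, so the two verifier structs are not interchangeable even though both expose `key_hash` and a 114-field `verification_key`; a comment on the `VerifierTx`/`Verifier` types saying which circuit each one belongs to would save the next reader a trip into the ABI.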
momiji-helpers/circuits/helpers/codegen/tx_as_hash.ts
0 → 100644
/* Autogenerated file, do not edit! */
/* eslint-disable */
import
{
Noir
,
InputMap
,
CompiledCircuit
,
ForeignCallHandler
}
from
"
@noir-lang/noir_js
"
export
type
{
ForeignCallHandler
}
from
"
@noir-lang/noir_js
"
export
type
Field
=
string
;
export
type
PublicInputs
=
{
current_root
:
Field
;
utxo_root
:
Field
;
deposit_amount
:
Field
;
withdrawals
:
Field
;
commitment_in
:
Field
[];
commitment_out
:
Field
[];
nullifier_hashes
:
Field
[];
contract_only_inputs
:
Field
;
};
export
const
tx_as_hash_circuit
:
CompiledCircuit
=
{
"
abi
"
:{
"
parameters
"
:[{
"
name
"
:
"
tx
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::PublicInputs
"
,
"
fields
"
:[{
"
name
"
:
"
current_root
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
utxo_root
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
deposit_amount
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
withdrawals
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
commitment_in
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
commitment_out
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
nullifier_hashes
"
,
"
type
"
:{
"
kind
"
:
"
array
"
,
"
length
"
:
16
,
"
type
"
:{
"
kind
"
:
"
field
"
}}},{
"
name
"
:
"
contract_only_inputs
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}}]},
"
visibility
"
:
"
private
"
}],
"
param_witnesses
"
:{
"
tx
"
:[{
"
start
"
:
0
,
"
end
"
:
53
}]},
"
return_type
"
:{
"
abi_type
"
:{
"
kind
"
:
"
field
"
},
"
visibility
"
:
"
private
"
},
"
return_witnesses
"
:[
53
]},
"
bytecode
"
:
"
H4sIAAAAAAAA/13R1QpCURRFUdtrd3d36///mag4FPGADLlve65w6P1uz1/Y/5eBb5939/1lhFHGGGeCSQZMMc0Ms8wxzwKLLLHMCqussc4Gm2yxzQ677LHPAYccccwJp5xxzgWXXHHNDbfccc8DjzzxzAuv/Oz4a8huEXvF7JSwT2CXtD2ydsjrX9S9rHdV57q+TV3benZ17Os31G2s11SnuT5LXdZ6bHXYu//o7rN7r393/d/6fQ/p5LXj2QIAAA==
"
};
export
async
function
tx_as_hash
(
tx
:
PublicInputs
,
foreignCallHandler
?:
ForeignCallHandler
):
Promise
<
Field
>
{
const
program
=
new
Noir
(
tx_as_hash_circuit
);
const
args
:
InputMap
=
{
tx
};
const
{
returnValue
}
=
await
program
.
execute
(
args
,
foreignCallHandler
);
return
returnValue
as
Field
;
}
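Review bot: this file re-declares `Field`, `PublicInputs` and the `ForeignCallHandler` re-export that `rollup_transaction.ts` in the same commit already exports, so a caller that builds a `PublicInputs` against one module and passes it to a function typed against the other is relying on the two declarations staying structurally identical (today both are four scalar fields, three 16-element arrays and `contract_only_inputs`); the moment either file is regenerated from a changed `structs::PublicInputs` and the other is not, the types diverge silently. Have the codegen step emit the shared types once (a single module both wrappers import, or one wrapper re-exporting from the other) and add a codegen-and-diff check to CI so the committed `.ts` output cannot drift from `hash.nr`/`lib.nr`.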
momiji-helpers/circuits/helpers/codegen/utxo_to_commitment.ts
0 → 100644
/* Autogenerated file, do not edit! */
/* eslint-disable */
import
{
Noir
,
InputMap
,
CompiledCircuit
,
ForeignCallHandler
}
from
"
@noir-lang/noir_js
"
export
type
{
ForeignCallHandler
}
from
"
@noir-lang/noir_js
"
export
type
Field
=
string
;
export
type
UTXO_New
=
{
secret
:
Field
;
amount
:
Field
;
asset_type
:
Field
;
};
export
const
utxo_to_commitment_circuit
:
CompiledCircuit
=
{
"
abi
"
:{
"
parameters
"
:[{
"
name
"
:
"
utxo
"
,
"
type
"
:{
"
kind
"
:
"
struct
"
,
"
path
"
:
"
structs::UTXO_New
"
,
"
fields
"
:[{
"
name
"
:
"
secret
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
amount
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}},{
"
name
"
:
"
asset_type
"
,
"
type
"
:{
"
kind
"
:
"
field
"
}}]},
"
visibility
"
:
"
private
"
}],
"
param_witnesses
"
:{
"
utxo
"
:[{
"
start
"
:
0
,
"
end
"
:
3
}]},
"
return_type
"
:{
"
abi_type
"
:{
"
kind
"
:
"
field
"
},
"
visibility
"
:
"
private
"
},
"
return_witnesses
"
:[
4
]},
"
bytecode
"
:
"
H4sIAAAAAAAA/11MWwoAMAjqsY/d/8CyYAaWIJaKbh+nGLy9eKkNUFPyFA/0wR3Irkm392P92h14YkM2CqEAAAA=
"
};
export
async
function
utxo_to_commitment
(
utxo
:
UTXO_New
,
foreignCallHandler
?:
ForeignCallHandler
):
Promise
<
Field
>
{
const
program
=
new
Noir
(
utxo_to_commitment_circuit
);
const
args
:
InputMap
=
{
utxo
};
const
{
returnValue
}
=
await
program
.
execute
(
args
,
foreignCallHandler
);
return
returnValue
as
Field
;
}
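Review bot: `utxo_to_commitment()` accepts any `UTXO_New`, including `secret: "0"`, but in `lib.nr` of this same commit a new UTXO with `secret == 0` is treated as an empty slot (`if (utxo_new[i].secret != 0)` in `create_transaction` and the two `keccak_tx_*` helpers), so a commitment computed here for a zero secret will never appear in `commitment_out` and a client that stores it will be tracking a note the batch logic ignores. The wrapper is generated and should not be hand-edited, so put the guard in the caller (reject a zero secret before calling this helper) and document the sentinel next to the `UTXO_New` definition in `structs.nr`, which the ABI path `structs::UTXO_New` points at.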
momiji-helpers/circuits/helpers/src/hash.nr
0 → 100644
use dep::std;
use crate::structs;
fn field_to_u8(_value: Field) -> [u8; 32] {
let _array = _value.to_be_bytes(32);
let mut array: [u8; 32] = [0; 32];
for i in 0 .. 32 {
array[i] = _array[i];
}
array
}
fn hash<N>(data: [Field; N]) -> Field {
std::hash::pedersen_hash(data)
}
#[export]
fn utxo_to_commitment(utxo: structs::UTXO_New) -> Field {
utxo.to_commitment()
}
#[export]
fn pedersen_left_right(left: Field, right: Field) -> Field {
std::hash::pedersen_hash([left, right])
}
#[export]
fn keccak_tx(tx: structs::PublicInputs) -> Field {
let mut hash_array: [Field; 53] = [0; 53];
hash_array[0] = tx.current_root;
hash_array[1] = tx.utxo_root;
hash_array[2] = tx.deposit_amount;
hash_array[3] = tx.contract_only_inputs;
hash_array[4] = tx.withdrawals;
for i in 0..16 {
hash_array[5 + i] = tx.commitment_in[i];
hash_array[21 + i] = tx.commitment_out[i];
hash_array[37 + i] = tx.nullifier_hashes[i];
}
let u8_array = tx_to_u8(hash_array);
hash_to_field(std::hash::keccak256(u8_array, u8_array.len() as u32))
}
fn bytes_tx_without_deposit(tx: structs::PublicInputs) -> [u8; 1696] {
let mut hash_array: [Field; 53] = [0; 53];
hash_array[0] = tx.current_root;
hash_array[1] = tx.utxo_root;
hash_array[2] = tx.deposit_amount;
hash_array[3] = tx.contract_only_inputs;
hash_array[4] = tx.withdrawals;
for i in 0..16 {
hash_array[5 + i] = tx.commitment_in[i];
hash_array[21 + i] = tx.commitment_out[i];
hash_array[37 + i] = tx.nullifier_hashes[i];
}
tx_to_u8(hash_array)
}
#[export]
fn keccak_contract_only_inputs(contract_only_inputs: structs::ContractOnlyInputs) -> Field {
let mut hash_array: [Field; 100] = [0; 100];
hash_array[0] = contract_only_inputs.timestamp;
hash_array[1] = contract_only_inputs.deadline;
hash_array[2] = contract_only_inputs.signature_hash;
hash_array[3] = contract_only_inputs.price_limit;
for i in 0..16 {
hash_array[4 + i] = contract_only_inputs.recipients[i];
hash_array[20 + i] = contract_only_inputs.swap_amounts[i];
hash_array[36 + i] = contract_only_inputs.uids[i];
hash_array[52 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].secret;
hash_array[53 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].amount;
hash_array[54 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].data;
}
let u8_array = contract_only_to_u8(hash_array);
hash_to_field(std::hash::keccak256(u8_array, u8_array.len() as u32))
}
#[export]
fn keccak_contract_only_inputs_without_deposit(contract_only_inputs: structs::ContractOnlyInputs) -> Field {
let mut hash_array: [Field; 99] = [0; 99];
hash_array[0] = contract_only_inputs.timestamp;
hash_array[1] = contract_only_inputs.deadline;
hash_array[2] = contract_only_inputs.price_limit;
for i in 0..16 {
hash_array[3 + i] = contract_only_inputs.recipients[i];
hash_array[19 + i] = contract_only_inputs.swap_amounts[i];
hash_array[35 + i] = contract_only_inputs.uids[i];
hash_array[51 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].secret;
hash_array[52 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].amount;
hash_array[53 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].data;
}
let u8_array = contract_only_without_deposit_to_u8(hash_array);
hash_to_field(std::hash::keccak256(u8_array, u8_array.len() as u32))
}
fn bytes_contract_only_inputs_without_deposit(contract_only_inputs: structs::ContractOnlyInputs) -> [u8; 3168] {
let mut hash_array: [Field; 99] = [0; 99];
hash_array[0] = contract_only_inputs.timestamp;
hash_array[1] = contract_only_inputs.deadline;
hash_array[2] = contract_only_inputs.price_limit;
for i in 0..16 {
hash_array[3 + i] = contract_only_inputs.recipients[i];
hash_array[19 + i] = contract_only_inputs.swap_amounts[i];
hash_array[35 + i] = contract_only_inputs.uids[i];
hash_array[51 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].secret;
hash_array[52 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].amount;
hash_array[53 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].data;
}
contract_only_without_deposit_to_u8(hash_array)
}
#[export]
fn contract_only_inputs_with_signature_hash(contract_only_inputs: structs::ContractOnlyInputs) -> structs::ContractOnlyInputs {
let mut hash_array: [Field; 99] = [0; 99];
hash_array[0] = contract_only_inputs.timestamp;
hash_array[1] = contract_only_inputs.deadline;
hash_array[2] = contract_only_inputs.price_limit;
for i in 0..16 {
hash_array[3 + i] = contract_only_inputs.recipients[i];
hash_array[19 + i] = contract_only_inputs.swap_amounts[i];
hash_array[35 + i] = contract_only_inputs.uids[i];
hash_array[51 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].secret;
hash_array[52 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].amount;
hash_array[53 + (i * 3)] = contract_only_inputs.encrypted_utxo[i].data;
}
let u8_array = contract_only_without_deposit_to_u8(hash_array);
let contract_only_inputs_with_hash = structs::ContractOnlyInputs {
timestamp: contract_only_inputs.timestamp,
deadline: contract_only_inputs.deadline,
signature_hash: hash_to_field(std::hash::keccak256(u8_array, u8_array.len() as u32)),
price_limit: contract_only_inputs.price_limit,
recipients: contract_only_inputs.recipients,
swap_amounts: contract_only_inputs.swap_amounts,
uids: contract_only_inputs.uids,
encrypted_utxo: contract_only_inputs.encrypted_utxo
};
contract_only_inputs_with_hash
}
fn hash_tx(tx: structs::PublicInputs) -> Field {
let mut hash_array: [Field; 53] = [0; 53];
hash_array[0] = tx.current_root;
hash_array[1] = tx.utxo_root;
hash_array[2] = tx.deposit_amount;
hash_array[3] = tx.withdrawals;
for i in 0..16 {
hash_array[4 + i] = tx.commitment_in[i];
hash_array[20 + i] = tx.commitment_out[i];
hash_array[36 + i] = tx.nullifier_hashes[i];
}
hash_array[52] = tx.contract_only_inputs;
hash(hash_array)
}
fn hash_to_field(hash: [u8; 32]) -> Field {
let mut keccak_field: Field = 0;
for p in 0..32 {
let bytes_field: Field = hash[31 - p] as Field;
keccak_field += bytes_field * 256.pow_32(p as Field);
}
keccak_field
}
fn tx_to_u8(pi_fields: [Field; 53]) -> [u8; 1696] {
let mut keccak_array: [u8; 1696] = [0; 1696];
for i in 0..pi_fields.len() {
let mut byte_slice = pi_fields[i].to_be_bytes(32);
for j in 0..32 {
keccak_array[32*i + j] = byte_slice[j];
}
}
keccak_array
}
fn contract_only_to_u8(pi_fields: [Field; 100]) -> [u8; 3200] {
let mut keccak_array: [u8; 3200] = [0; 3200];
for i in 0..pi_fields.len() {
let mut byte_slice = pi_fields[i].to_be_bytes(32);
for j in 0..32 {
keccak_array[32*i + j] = byte_slice[j];
}
}
keccak_array
}
fn contract_only_without_deposit_to_u8(pi_fields: [Field; 99]) -> [u8; 3168] {
let mut keccak_array: [u8; 3168] = [0; 3168];
for i in 0..pi_fields.len() {
let mut byte_slice = pi_fields[i].to_be_bytes(32);
for j in 0..32 {
keccak_array[32*i + j] = byte_slice[j];
}
}
keccak_array
}
fn batch_to_u8(pi_fields: [Field; 19]) -> [u8; 608] {
let mut keccak_array: [u8; 608] = [0; 608];
for i in 0..pi_fields.len() {
let mut byte_slice = pi_fields[i].to_be_bytes(32);
for j in 0..32 {
keccak_array[32*i + j] = byte_slice[j];
}
}
keccak_array
}
fn hash_tree_four(leaves: [Field; 16]) -> Field {
let mut tx_tree: [Field; 16] = leaves;
for l in 0..8 { tx_tree[l] = hash([tx_tree[2*l], tx_tree[2*l + 1]]); }
for l in 0..4 { tx_tree[l] = hash([tx_tree[2*l], tx_tree[2*l + 1]]); }
for l in 0..2 { tx_tree[l] = hash([tx_tree[2*l], tx_tree[2*l + 1]]); }
hash([tx_tree[0], tx_tree[1]])
}
fn compute_merkle_root<N>(leaf: Field, index: Field, hash_path: [Field; N]) -> Field {
let n = hash_path.len();
let index_bits = index.to_le_bits(n as u32);
let mut current = leaf;
for i in 0..n {
let path_bit = index_bits[i] as bool;
let (hash_left, hash_right) = if path_bit {
(hash_path[i], current)
} else {
(current, hash_path[i])
};
current = hash([hash_left, hash_right]);
}
current
}
fn compute_sibling_path<N>(sibling_path: [Field; N], new_leaf: Field, insertion_index: Field) -> [Field; N] {
let index_bits: [u1] = insertion_index.to_le_bits(N as u32);
let mut new_sibling_path: [Field; N] = [0; N];
let mut current_hash: Field = new_leaf;
let mut zero_found: bool = false;
for i in 0..N {
let path_bit = index_bits[i] as bool;
if (!zero_found) {
if (!path_bit) {
zero_found = true;
new_sibling_path[i] = current_hash;
} else {
new_sibling_path[i] = structs::zero_hashes[i];
}
} else {
new_sibling_path[i] = sibling_path[i];
}
if (path_bit) {
current_hash = hash([sibling_path[i], current_hash]);
} else {
current_hash = hash([current_hash, sibling_path[i]]);
}
}
new_sibling_path
}
\ No newline at end of file
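Review bot: `keccak_tx` and `hash_tx` serialise the same `PublicInputs` struct in two different orders: `keccak_tx` puts `contract_only_inputs` at index 3 and `withdrawals` at index 4 with the commitment arrays from 5, while `hash_tx` puts `withdrawals` at 3, the arrays from 4 and `contract_only_inputs` last at 52. If that is deliberate (the keccak layout must match the order the Solidity verifier hashes, the Pedersen layout only has to be self-consistent) both functions need a comment saying so, because a later "fix" that aligns one order with the other will silently break verification against the on-chain hash. The 53-field layout is then rebuilt by hand in `bytes_tx_without_deposit`, and the 99-field `ContractOnlyInputs` layout three times over (`keccak_contract_only_inputs_without_deposit`, `bytes_contract_only_inputs_without_deposit`, `contract_only_inputs_with_signature_hash`); one `fn tx_fields(tx) -> [Field; 53]` and one `fn contract_only_fields(...) -> [Field; 99]` would remove the copies and leave a single place to keep in sync with the contract. Separately, `hash_to_field` folds all 32 bytes of the keccak digest into a `Field` via `bytes_field * 256.pow_32(p)`, so the result is the 256-bit digest reduced modulo the field; the contract side has to apply the identical reduction (or both sides should drop the same top byte) or `tx_as_keccak` in `rollup_transaction` will not equal what the verifier is handed.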
momiji-helpers/circuits/helpers/src/lib.nr
0 → 100644
use dep::std;
mod structs;
mod hash;
global utxo_depth = 4;
global batch_depth = 4;
global state_depth = 20;
global ZERO_VALUE = 0x016a430aa58685aba1311244a973a3bc358859da86784be51094368e8fb6f720;
// Levels of an empty pedersen Merkle tree with zero_leaf = sha256("Momiji") % Field Modulus
global zero_hashes: [Field; 20] = [
0x016a430aa58685aba1311244a973a3bc358859da86784be51094368e8fb6f720,
0x018d39625c19fa2cfbebdb940a66d7040bb0ef1b59ff6afd92a13a6b9b2d9865,
0x096c00ebc0c52478316b6b9fd16d0cd94c5f45bbe45bbfa8c606197c6119d41f,
0x2eaefd3bdd1bfbddd8fc5d972ded58617f752b3e88bd17b791e85e7b8eaacb47,
0x11d25ff6aa8a431fbce8e8d9a87a2d7986adf38e724fbe47f15752d0931f14d8,
0x01e8677aa02546bd7105a7a9fd31c4ef16b69d1bde90f36e97585d7cc31d50e4,
0x2520a755a532994c78f35b89938fbc864ec31ec4fc00363f83f9b12f04980c6a,
0x21a666842842d5323e51fdda10300c763d6b07e1b797ef3b0bd3690d667445bc,
0x1ce681d6f42b70668c369e7f786166e421dc840f0529bbd065d6b02d14ae0fe8,
0x1819b90a43ee28f652735708b2ef01428e21b84872bb3c7576de6e35d107c8ed,
0x063d7001431110a5949f5946a501fd28f64159f36ab4b80601ca305ac107b3db,
0x09aeef7a06f7daf368d797c2e686c7e9884f000de0bd9d8e73392378b0b1be38,
0x137121fd5d795eeecc61ec6a6de66abc589d241540139178cd5408b6ccb32a6e,
0x01a93f70a1b7482e0b32e76ce49a1e3c1fc2b5cd4789b6af749d78c42791c21a,
0x217bf2cc1f1b505a29b162a7889866af2728f5c6708560c9cc5e987b194c9c81,
0x1461dae57d7df7e580279637e5d94e0d734b908dc22aec5c52ed00187050a030,
0x295933dd65294cbf4b2c64d8a0daa6983d35d1f64d5adc2c44bd9d370086d7dc,
0x24650084f0db0fa4e8234fb251ad046b3ddcb7d6f59160b35cc4086e9e196b80,
0x15086d0394bd68847e3e36241cc7b3966f96efdd30a37e9e1e85027a6dacbed2,
0x1f87a17564f06581c1e1b2d716120990f898893ecc0e076363c56c5e3b56ef7b
];
global zero_root: Field = 0x06f93f503e77fcdcacfe622e66adc639b63e8c0083f5cab5d71d461aa4562c92;
#[export]
fn keccak_tx_with_deposit(
current_root: Field,
deposit_amount: Field,
withdrawals: [Field; 16],
utxo_spendable: [structs::UTXO_Spendable; 16],
utxo_new: [structs::UTXO_New; 16],
contract_only_inputs: structs::ContractOnlyInputs
) -> Field {
let withdrawal_amount: Field = withdrawals.reduce(|a,b| a + b);
let mut commitment_in: [Field; 16] = [ZERO_VALUE; 16];
let mut commitment_out: [Field; 16] = [ZERO_VALUE; 16];
let mut utxo_root: Field = 0;
let empty_utxo = structs::UTXO {owner: 0, amount: ZERO_VALUE, asset_type: 0};
let mut utxo_out: [structs::UTXO; 16] = [empty_utxo; 16];
let mut secrets: [Field; 16] = [0; 16];
let mut oracle: [Field; 16] = [ZERO_VALUE; 16];
let mut old_root_proof: [Field; 16] = [0; 16];
let mut utxo_in: [structs::UTXO; 16] = [empty_utxo; 16];
let mut nullifier_hashes: [Field; 16] = [ZERO_VALUE; 16];
let empty_merkle_proofs = structs::MerkleProof {
path_utxo: [0; utxo_depth],
path_tx: [0; batch_depth],
path_historic: [0; state_depth],
index_utxo: 0,
index_tx: 0,
index_historic: 0
};
let mut merkle_proofs: [structs::MerkleProof; 16] = [empty_merkle_proofs; 16];
for i in 0..16 {
if (utxo_spendable[i].amount != ZERO_VALUE) {
utxo_in[i] = structs::UTXO {owner: utxo_spendable[i].owner(), amount: utxo_spendable[i].amount, asset_type: utxo_spendable[i].asset_type};
secrets[i] = utxo_spendable[i].secret;
nullifier_hashes[i] = utxo_spendable[i].nullifier_hash();
commitment_in[i] = utxo_spendable[i].to_commitment();
if (utxo_spendable[i].spend_in_same_batch == false) {
commitment_in[i] = ZERO_VALUE;
old_root_proof[i] = utxo_spendable[i].old_root_proof;
merkle_proofs[i] = utxo_spendable[i].merkle_proof;
}
}
if (utxo_new[i].secret != 0) {
commitment_out[i] = utxo_new[i].to_commitment();
utxo_out[i] = structs::UTXO { owner: utxo_new[i].owner(), amount: utxo_new[i].amount, asset_type: utxo_new[i].asset_type };
}
}
utxo_root = hash::hash_tree_four(commitment_out);
let public_inputs = structs::PublicInputs {
current_root: current_root,
utxo_root: utxo_root,
deposit_amount: deposit_amount,
withdrawals: withdrawal_amount,
commitment_in: commitment_in,
commitment_out: commitment_out,
nullifier_hashes: nullifier_hashes,
contract_only_inputs: contract_only_inputs.as_keccak()
};
public_inputs.as_keccak()
}
#[export]
fn keccak_tx_no_deposit(
current_root: Field,
deposit_amount: Field,
withdrawals: [Field; 16],
utxo_spendable: [structs::UTXO_Spendable; 16],
utxo_new: [structs::UTXO_New; 16],
contract_only_inputs: structs::ContractOnlyInputs
) -> Field {
let withdrawal_amount: Field = withdrawals.reduce(|a,b| a + b);
let mut commitment_in: [Field; 16] = [ZERO_VALUE; 16];
let mut commitment_out: [Field; 16] = [ZERO_VALUE; 16];
let mut utxo_root: Field = 0;
let empty_utxo = structs::UTXO {owner: 0, amount: ZERO_VALUE, asset_type: 0};
let mut utxo_out: [structs::UTXO; 16] = [empty_utxo; 16];
let mut secrets: [Field; 16] = [0; 16];
let mut oracle: [Field; 16] = [ZERO_VALUE; 16];
let mut old_root_proof: [Field; 16] = [0; 16];
let mut utxo_in: [structs::UTXO; 16] = [empty_utxo; 16];
let mut nullifier_hashes: [Field; 16] = [ZERO_VALUE; 16];
let empty_merkle_proofs = structs::MerkleProof {
path_utxo: [0; utxo_depth],
path_tx: [0; batch_depth],
path_historic: [0; state_depth],
index_utxo: 0,
index_tx: 0,
index_historic: 0
};
let mut merkle_proofs: [structs::MerkleProof; 16] = [empty_merkle_proofs; 16];
for i in 0..16 {
if (utxo_spendable[i].amount != ZERO_VALUE) {
utxo_in[i] = structs::UTXO {owner: utxo_spendable[i].owner(), amount: utxo_spendable[i].amount, asset_type: utxo_spendable[i].asset_type};
secrets[i] = utxo_spendable[i].secret;
nullifier_hashes[i] = utxo_spendable[i].nullifier_hash();
commitment_in[i] = utxo_spendable[i].to_commitment();
if (utxo_spendable[i].spend_in_same_batch == false) {
commitment_in[i] = ZERO_VALUE;
old_root_proof[i] = utxo_spendable[i].old_root_proof;
merkle_proofs[i] = utxo_spendable[i].merkle_proof;
}
}
if (utxo_new[i].secret != 0) {
commitment_out[i] = utxo_new[i].to_commitment();
utxo_out[i] = structs::UTXO { owner: utxo_new[i].owner(), amount: utxo_new[i].amount, asset_type: utxo_new[i].asset_type };
}
}
utxo_root = hash::hash_tree_four(commitment_out);
let public_inputs = structs::PublicInputs {
current_root: current_root,
utxo_root: utxo_root,
deposit_amount: deposit_amount,
withdrawals: withdrawal_amount,
commitment_in: commitment_in,
commitment_out: commitment_out,
nullifier_hashes: nullifier_hashes,
contract_only_inputs: contract_only_inputs.as_keccak_without_deposit()
};
public_inputs.as_keccak()
}
#[export]
fn create_transaction(
current_root: Field,
deposit_amount: Field,
withdrawals: [Field; 16],
utxo_spendable: [structs::UTXO_Spendable; 16],
utxo_new: [structs::UTXO_New; 16],
contract_only_inputs: structs::ContractOnlyInputs
) -> pub structs::TransactionInputs {
let withdrawal_amount: Field = withdrawals.reduce(|a,b| a + b);
let mut commitment_in: [Field; 16] = [ZERO_VALUE; 16];
let mut commitment_out: [Field; 16] = [ZERO_VALUE; 16];
let mut utxo_root: Field = 0;
let empty_utxo = structs::UTXO {owner: 0, amount: ZERO_VALUE, asset_type: 0};
let mut utxo_out: [structs::UTXO; 16] = [empty_utxo; 16];
let mut secrets: [Field; 16] = [0; 16];
let mut oracle: [Field; 16] = [ZERO_VALUE; 16];
let mut old_root_proof: [Field; 16] = [0; 16];
let mut utxo_in: [structs::UTXO; 16] = [empty_utxo; 16];
let mut nullifier_hashes: [Field; 16] = [ZERO_VALUE; 16];
let empty_merkle_proofs = structs::MerkleProof {
path_utxo: [0; utxo_depth],
path_tx: [0; batch_depth],
path_historic: [0; state_depth],
index_utxo: 0,
index_tx: 0,
index_historic: 0
};
let mut merkle_proofs: [structs::MerkleProof; 16] = [empty_merkle_proofs; 16];
for i in 0..16 {
if (utxo_spendable[i].amount != ZERO_VALUE) {
utxo_in[i] = structs::UTXO {owner: utxo_spendable[i].owner(), amount: utxo_spendable[i].amount, asset_type: utxo_spendable[i].asset_type};
secrets[i] = utxo_spendable[i].secret;
nullifier_hashes[i] = utxo_spendable[i].nullifier_hash();
commitment_in[i] = utxo_spendable[i].to_commitment();
if (utxo_spendable[i].spend_in_same_batch == false) {
commitment_in[i] = ZERO_VALUE;
old_root_proof[i] = utxo_spendable[i].old_root_proof;
merkle_proofs[i] = utxo_spendable[i].merkle_proof;
}
}
if (utxo_new[i].secret != 0) {
commitment_out[i] = utxo_new[i].to_commitment();
utxo_out[i] = structs::UTXO { owner: utxo_new[i].owner(), amount: utxo_new[i].amount, asset_type: utxo_new[i].asset_type };
}
}
utxo_root = hash::hash_tree_four(commitment_out);
let public_inputs = structs::PublicInputs {
current_root: current_root,
utxo_root: utxo_root,
deposit_amount: deposit_amount,
withdrawals: withdrawal_amount,
commitment_in: commitment_in,
commitment_out: commitment_out,
nullifier_hashes: nullifier_hashes,
contract_only_inputs: contract_only_inputs.as_keccak()
};
let private_inputs = structs::PrivateInputs {
oracle: oracle,
old_root_proof: old_root_proof,
secrets: secrets,
utxo_in: utxo_in,
merkle_proofs: merkle_proofs,
utxo_out: utxo_out
};
let public_inputs_hash: Field = hash::hash_tx(public_inputs);
let transaction_inputs = structs::TransactionInputs {
public_inputs_hash: public_inputs_hash,
public_inputs: public_inputs,
private_inputs: private_inputs
};
transaction_inputs
}
#[export]
fn tx_as_hash(
tx: structs::PublicInputs
) -> Field {
tx.as_hash()
}
#[export]
fn rollup_transaction(
tx_verifier: structs::VerifierTx,
recursion_verifier: structs::Verifier,
previous_accumulator: Field,
tx: structs::PublicInputs
) -> pub structs::RecursionInputs {
let tx_as_keccak: Field = tx.as_keccak();
let mut accumulator_preimage: [u8; 128] = [0; 128];
for i in 0..32 {
accumulator_preimage[i] = hash::field_to_u8(previous_accumulator)[i];
accumulator_preimage[i + 32] = hash::field_to_u8(tx_as_keccak)[i];
accumulator_preimage[i + 64] = hash::field_to_u8(tx_verifier.key_hash)[i];
accumulator_preimage[i + 96] = hash::field_to_u8(recursion_verifier.key_hash)[i];
}
let accumulator: Field = hash::hash_to_field(std::hash::keccak256(accumulator_preimage, accumulator_preimage.len() as u32));
let recursion_inputs = structs::RecursionInputs {
accumulator: accumulator,
tx_verifier: tx_verifier,
recursion_verifier: recursion_verifier,
previous_accumulator: previous_accumulator,
tx: tx
};
recursion_inputs
}
#[export]
fn publish_batch(
accumulator: Field,
hist_tree_input: structs::HistoricTreeInput,
tx_verifier: structs::VerifierTx,
recursion_verifier: structs::Verifier
) -> pub structs::PublishInputs {
let old_state_root: Field = hist_tree_input.leaf;
let tx_root: Field = hash::hash_tree_four(hist_tree_input.utxo_roots);
let batch_oracle: Field = ZERO_VALUE;
let batch_root: Field = hash::hash([tx_root, batch_oracle]);
let new_state_root: Field = hash::hash([batch_root, old_state_root]);
let new_historic_path: [Field; state_depth] = hash::compute_sibling_path(
hist_tree_input.path,
hist_tree_input.leaf,
hist_tree_input.index
);
let new_historic_root: Field = hash::compute_merkle_root(
new_state_root,
hist_tree_input.index + 1,
new_historic_path
);
let hist_tree = structs::HistoricTree {
root: hist_tree_input.root,
new_root: new_historic_root,
leaf: hist_tree_input.leaf,
index: hist_tree_input.index,
old_path: hist_tree_input.path,
new_path: new_historic_path
};
let batch = structs::Batch {
hist_tree: hist_tree,
old_state_root: old_state_root,
new_state_root: new_state_root,
batch_oracle: batch_oracle,
utxo_roots: hist_tree_input.utxo_roots
};
let mut hash_validation: [u8; 832] = [0; 832];
for i in 0..32 {
hash_validation[i] = hash::field_to_u8(batch.new_state_root)[i];
hash_validation[i + 32] = hash::field_to_u8(batch.hist_tree.root)[i];
hash_validation[i + 64] = hash::field_to_u8(batch.hist_tree.new_root)[i];
hash_validation[i + 96] = hash::field_to_u8(accumulator)[i];
hash_validation[i + 128] = hash::field_to_u8(tx_verifier.key_hash)[i];
hash_validation[i + 160] = hash::field_to_u8(recursion_verifier.key_hash)[i];
for j in 0..20 {
hash_validation[i + 192 + (32 * j)] = hash::field_to_u8(batch.hist_tree.new_path[j])[i];
}
}
let pi_contract_hash: Field = hash::hash_to_field(std::hash::keccak256(hash_validation, hash_validation.len() as u32));
let publish_inputs = structs::PublishInputs {
pi_contract_hash: pi_contract_hash,
accumulator: accumulator,
batch: batch,
tx_verifier: tx_verifier,
recursion_verifier: recursion_verifier
};
publish_inputs
}
\ No newline at end of file
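Review bot: in `create_transaction`, `oracle` is initialised to `[ZERO_VALUE; 16]` and never assigned inside the `for i in 0..16` loop, so `PrivateInputs.oracle` always carries ZERO_VALUE even though `UTXO_Spendable` exposes an `oracle` field; either copy it next to `secrets[i]` and `old_root_proof[i]` (`oracle[i] = utxo_spendable[i].oracle;`) or drop the field so the intent is explicit. Two smaller points: in `rollup_transaction` and `publish_batch` the `hash::field_to_u8(...)` conversions are recomputed on every iteration of the byte-copy loops (in `publish_batch` the `new_path[j]` conversion runs 32 x 20 times), so hoist each conversion into a local `[u8; 32]` before the loop; and `if (utxo_spendable[i].spend_in_same_batch == false)` reads more naturally as `if !utxo_spendable[i].spend_in_same_batch`.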
momiji-helpers/circuits/helpers/src/structs.nr
0 → 100644
use crate::hash;
global utxo_depth = 4;
global batch_depth = 4;
global state_depth = 20;
global ZERO_VALUE = 0x016a430aa58685aba1311244a973a3bc358859da86784be51094368e8fb6f720;
// Levels of an empty pedersen Merkle tree with zero_leaf = sha256("Momiji") % Field Modulus
global zero_hashes: [Field; 20] = [
0x016a430aa58685aba1311244a973a3bc358859da86784be51094368e8fb6f720,
0x018d39625c19fa2cfbebdb940a66d7040bb0ef1b59ff6afd92a13a6b9b2d9865,
0x096c00ebc0c52478316b6b9fd16d0cd94c5f45bbe45bbfa8c606197c6119d41f,
0x2eaefd3bdd1bfbddd8fc5d972ded58617f752b3e88bd17b791e85e7b8eaacb47,
0x11d25ff6aa8a431fbce8e8d9a87a2d7986adf38e724fbe47f15752d0931f14d8,
0x01e8677aa02546bd7105a7a9fd31c4ef16b69d1bde90f36e97585d7cc31d50e4,
0x2520a755a532994c78f35b89938fbc864ec31ec4fc00363f83f9b12f04980c6a,
0x21a666842842d5323e51fdda10300c763d6b07e1b797ef3b0bd3690d667445bc,
0x1ce681d6f42b70668c369e7f786166e421dc840f0529bbd065d6b02d14ae0fe8,
0x1819b90a43ee28f652735708b2ef01428e21b84872bb3c7576de6e35d107c8ed,
0x063d7001431110a5949f5946a501fd28f64159f36ab4b80601ca305ac107b3db,
0x09aeef7a06f7daf368d797c2e686c7e9884f000de0bd9d8e73392378b0b1be38,
0x137121fd5d795eeecc61ec6a6de66abc589d241540139178cd5408b6ccb32a6e,
0x01a93f70a1b7482e0b32e76ce49a1e3c1fc2b5cd4789b6af749d78c42791c21a,
0x217bf2cc1f1b505a29b162a7889866af2728f5c6708560c9cc5e987b194c9c81,
0x1461dae57d7df7e580279637e5d94e0d734b908dc22aec5c52ed00187050a030,
0x295933dd65294cbf4b2c64d8a0daa6983d35d1f64d5adc2c44bd9d370086d7dc,
0x24650084f0db0fa4e8234fb251ad046b3ddcb7d6f59160b35cc4086e9e196b80,
0x15086d0394bd68847e3e36241cc7b3966f96efdd30a37e9e1e85027a6dacbed2,
0x1f87a17564f06581c1e1b2d716120990f898893ecc0e076363c56c5e3b56ef7b
];
// sha256("Momiji") % Field Modulus
global zero_root: Field = 0x06f93f503e77fcdcacfe622e66adc639b63e8c0083f5cab5d71d461aa4562c92;
struct Verifier {
key_hash: Field,
verification_key: [Field; 114],
proof: [Field; 109],
aggregation_object: [Field; 16]
}
struct VerifierTx {
key_hash: Field,
verification_key: [Field; 114],
proof: [Field; 93]
}
impl Verifier {
fn as_fields(self) -> [Field; 208] {
let mut verifier_as_fields: [Field; 208] = [0; 208];
verifier_as_fields[0] = self.key_hash;
for i in 0..114 {
verifier_as_fields[i + 1] = self.verification_key[i];
}
for j in 0..93 {
verifier_as_fields[j + 115] = self.proof[j];
}
verifier_as_fields
}
fn concatenate(self) -> [Field; 109] {
let mut proof_with_agg: [Field; 109] = [0; 109];
for i in 0..16 {
proof_with_agg[i] = self.aggregation_object[i];
}
for j in 0..93 {
proof_with_agg[j + 16] = self.proof[j];
}
proof_with_agg
}
}
struct UTXO {
owner: Field,
amount: Field,
asset_type: Field
}
struct UTXO_New {
secret: Field,
amount: Field,
asset_type: Field
}
impl UTXO_New {
fn owner(self) -> Field {
hash::hash([self.secret])
}
fn nullifier_hash(self) -> Field {
hash::hash([self.secret, self.secret])
}
fn to_commitment(self) -> Field {
hash::hash([self.owner(), self.amount, self.asset_type])
}
}
struct UTXO_Spendable {
secret: Field,
amount: Field,
asset_type: Field,
oracle: Field,
old_root_proof: Field,
merkle_proof: MerkleProof,
spend_in_same_batch: bool
}
impl UTXO_Spendable {
fn owner(self) -> Field {
hash::hash([self.secret])
}
fn nullifier_hash(self) -> Field {
hash::hash([self.secret, self.secret])
}
fn to_commitment(self) -> Field {
hash::hash([self.owner(), self.amount, self.asset_type])
}
}
struct PublicInputs {
current_root: Field,
utxo_root: Field,
deposit_amount: Field,
withdrawals: Field,
commitment_in: [Field; 16],
commitment_out: [Field; 16],
nullifier_hashes: [Field; 16],
contract_only_inputs: Field
}
impl PublicInputs {
fn as_fields(self) -> [Field; 53] {
let mut public_fields: [Field; 53] = [0; 53];
public_fields[0] = self.current_root;
public_fields[1] = self.utxo_root;
public_fields[2] = self.deposit_amount;
public_fields[3] = self.withdrawals;
for i in 0..16 {
public_fields[4 + i] = self.commitment_in[i];
public_fields[20 + i] = self.commitment_out[i];
public_fields[36 + i] = self.nullifier_hashes[i];
}
public_fields[50] = self.contract_only_inputs;
public_fields
}
fn as_hash(self) -> Field {
hash::hash_tx(self)
}
fn as_keccak(self) -> Field {
hash::keccak_tx(self)
}
fn as_u8(self) -> [u8; 1696] {
hash::tx_to_u8(self.as_fields())
}
}
struct PrivateInputs {
oracle: [Field; 16],
old_root_proof: [Field; 16],
secrets: [Field; 16],
utxo_in: [UTXO; 16],
merkle_proofs: [MerkleProof; 16],
utxo_out: [UTXO; 16],
}
struct TransactionInputs {
public_inputs_hash: Field,
public_inputs: PublicInputs,
private_inputs: PrivateInputs
}
struct RecursionInputs {
accumulator: Field,
tx_verifier: VerifierTx,
recursion_verifier: Verifier,
previous_accumulator: Field,
tx: PublicInputs
}
struct PublishInputs {
pi_contract_hash: Field,
accumulator: Field,
batch: Batch,
tx_verifier: VerifierTx,
recursion_verifier: Verifier
}
struct Batch {
hist_tree: HistoricTree,
old_state_root: Field,
new_state_root: Field,
batch_oracle: Field,
utxo_roots: [Field; 16]
}
struct EncryptedUTXO {
secret: Field,
amount: Field,
data: Field
}
struct ContractOnlyInputs {
timestamp: Field,
deadline: Field,
signature_hash: Field,
price_limit: Field,
recipients: [Field; 16],
swap_amounts: [Field; 16],
uids: [Field; 16],
encrypted_utxo: [EncryptedUTXO; 16]
}
impl ContractOnlyInputs {
fn as_keccak_without_deposit(self) -> Field {
hash::keccak_contract_only_inputs_without_deposit(self)
}
fn as_keccak(self) -> Field {
hash::keccak_contract_only_inputs(self)
}
}
struct MerkleProof {
path_utxo: [Field; utxo_depth],
path_tx: [Field; batch_depth],
path_historic: [Field; state_depth],
index_utxo: Field,
index_tx: Field,
index_historic: Field
}
struct HistoricTree {
root: Field,
new_root: Field,
leaf: Field,
index: Field,
old_path: [Field; state_depth],
new_path: [Field; state_depth],
}
struct HistoricTreeInput {
root: Field,
leaf: Field,
index: Field,
path: [Field; state_depth],
utxo_roots: [Field; 16],
}
\ No newline at end of file
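Review bot: `PublicInputs::as_fields` writes `contract_only_inputs` to `public_fields[50]`, but the nullifier loop fills indices 36 through 51 (`36 + i` for `i in 0..16`), so `nullifier_hashes[14]` is overwritten and slot 52 of the 53-element array is never written; because `as_u8` (and so the keccak of the public inputs) is built from this array, the fix should be `public_fields[52] = self.contract_only_inputs;` plus a test that round-trips all 16 nullifiers. Also, `Verifier.proof` is declared as `[Field; 109]`, yet both `as_fields` and `concatenate` copy only `self.proof[0..93]`, silently dropping the last 16 proof elements; either the field should be `[Field; 93]` (matching `VerifierTx.proof`) or the loops should cover all 109. Finally, `nullifier_hash` is `hash([secret, secret])` and depends on the secret alone rather than on the commitment, so two UTXOs created with the same secret share a nullifier; document that secrets must be unique per UTXO or include the commitment in the preimage.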
momiji-helpers/circuits/publish/Nargo.toml
0 → 100644
[package]
name
=
"publish"
type
=
"bin"
authors
=
[""]
compiler_version
=
">=0.19.2"
[dependencies]
helpers
=
{
path
=
"../helpers"
}
\ No newline at end of file
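Review bot: `compiler_version = ">=0.19.2"` is an open-ended range, but this package commits a generated verifier (`contract/publish/plonk_vk.sol`, with a fixed Verification Key Hash in its header) and a proof; a newer nargo can compile the same source to a different circuit and therefore a different verification key than the one in the committed contract. Pin the compiler version, or at least record the exact version used to generate the artifacts, so the VK hash can be reproduced. `authors = [""]` is an empty entry and can be dropped.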
momiji-helpers/circuits/publish/Prover.toml
0 → 100644
momiji-helpers/circuits/publish/Verifier.toml
0 → 100644
momiji-helpers/circuits/publish/contract/publish/plonk_vk.sol
0 → 100644
// Verification Key Hash: 066e0b06b13ec4c45dbeb0b625dbfab874ecdc411cdb43bae4346e880b09e16c
// SPDX-License-Identifier: Apache-2.0
// Copyright 2022 Aztec
pragma
solidity
>=
0.8
.
4
;
library
UltraVerificationKey
{
function
verificationKeyHash
()
internal
pure
returns
(
bytes32
)
{
return
0x066e0b06b13ec4c45dbeb0b625dbfab874ecdc411cdb43bae4346e880b09e16c
;
}
function
loadVerificationKey
(
uint256
_vk
,
uint256
_omegaInverseLoc
)
internal
pure
{
assembly
{
mstore
(
add
(
_vk
,
0x00
),
0x0000000000000000000000000000000000000000000000000000000000080000
)
// vk.circuit_size
mstore
(
add
(
_vk
,
0x20
),
0x0000000000000000000000000000000000000000000000000000000000000011
)
// vk.num_inputs
mstore
(
add
(
_vk
,
0x40
),
0x2260e724844bca5251829353968e4915305258418357473a5c1d597f613f6cbd
)
// vk.work_root
mstore
(
add
(
_vk
,
0x60
),
0x3064486657634403844b0eac78ca882cfd284341fcb0615a15cfcd17b14d8201
)
// vk.domain_inverse
mstore
(
add
(
_vk
,
0x80
),
0x174c5c19a31444028bb6368ff05acd095502e7d022af18c746a364dab4c7346e
)
// vk.Q1.x
mstore
(
add
(
_vk
,
0xa0
),
0x2e6d6b74f09bdcf37e2be6f0a05552f34840f8693d1c73edce05639d0698ea36
)
// vk.Q1.y
mstore
(
add
(
_vk
,
0xc0
),
0x243678b1fa4062f90887453567ef78c256421a5907513427b5c52aa3cb1e6a17
)
// vk.Q2.x
mstore
(
add
(
_vk
,
0xe0
),
0x10425e273dc8dd43dbb983a295f7f990b9475fca570f56f1d7f972166e5bf0d8
)
// vk.Q2.y
mstore
(
add
(
_vk
,
0x100
),
0x23b6836088c547e90ddfdb8146a5f7b3608aad75f4d0d5a050f119e6eea92c22
)
// vk.Q3.x
mstore
(
add
(
_vk
,
0x120
),
0x0cafbde5fed53b2d75343797c5718363f54c3b391730f7b49a8ae09cd79b8b20
)
// vk.Q3.y
mstore
(
add
(
_vk
,
0x140
),
0x06acf52ef347e83eae253c24631c08d66d76669d97c0cce87b0320363e0188bd
)
// vk.Q4.x
mstore
(
add
(
_vk
,
0x160
),
0x1f8257e9bfac704d9b0171c74f4f35ec94c608ae5ff55962db5bc4fd9e1aba89
)
// vk.Q4.y
mstore
(
add
(
_vk
,
0x180
),
0x11931c54c38fba5131f7a317e782a12a8e3e3726dc2eaa490049ce2ca8ca1cbb
)
// vk.Q_M.x
mstore
(
add
(
_vk
,
0x1a0
),
0x0565f2552174d90b7b0e9645969affd0015d483dffec9d93ede1b63be6dc3c16
)
// vk.Q_M.y
mstore
(
add
(
_vk
,
0x1c0
),
0x0bca92d0bac2e3d19be0265337ec7f4574f8195e313af04d651f342bb3159fb8
)
// vk.Q_C.x
mstore
(
add
(
_vk
,
0x1e0
),
0x1ecb4bbed3bfe4b4e91afe37b7871694eda583ff1d1111be20aa9eb8edf50a77
)
// vk.Q_C.y
mstore
(
add
(
_vk
,
0x200
),
0x0c1be01afc0073d9a1f1e23184a1d005a89d087265ea3a85f523ecd062212260
)
// vk.Q_ARITHMETIC.x
mstore
(
add
(
_vk
,
0x220
),
0x25a9e732ab54e2ebe8d031c166997a26a5d5dc143dc246b4b046b170406da4f1
)
// vk.Q_ARITHMETIC.y
mstore
(
add
(
_vk
,
0x240
),
0x2498b2e14394f700cac156f42ef63ba194ed99764e03f2e433cb0be94d0fc89f
)
// vk.QSORT.x
mstore
(
add
(
_vk
,
0x260
),
0x206103c2ff58564c9a4746efd3fff7637a46052eb129af96844c2d850d11d8f3
)
// vk.QSORT.y
mstore
(
add
(
_vk
,
0x280
),
0x212dfe13df5b9cfb846570ecf8269ed3648c24827e7dceafdeca6235e1dd5e38
)
// vk.Q_ELLIPTIC.x
mstore
(
add
(
_vk
,
0x2a0
),
0x284d15304c372e9c33d76628c66bd6c48ef526d08146e9b401dc7d1e373ccd3a
)
// vk.Q_ELLIPTIC.y
mstore
(
add
(
_vk
,
0x2c0
),
0x126a3a8e4c678d476c3c864cde50f9776d880443976f62a438b9db897b433ffa
)
// vk.Q_AUX.x
mstore
(
add
(
_vk
,
0x2e0
),
0x2866186a79faf6dde910250342628d6a7a1c6d32f88b1991b276852874bd73dc
)
// vk.Q_AUX.y
mstore
(
add
(
_vk
,
0x300
),
0x2bd3d50520f90ab39921a0f2ce6c8f5d5cc8a989720e939dbb4a8951d878f579
)
// vk.SIGMA1.x
mstore
(
add
(
_vk
,
0x320
),
0x0b5652d8de0be47d4a6496260931f15984d6cc0eb21e61c15991554eee8bfe91
)
// vk.SIGMA1.y
mstore
(
add
(
_vk
,
0x340
),
0x135cdf64147af6820b82eff62e1e62efb848f20c81dffc2ed36cc4d3ef9d6ee3
)
// vk.SIGMA2.x
mstore
(
add
(
_vk
,
0x360
),
0x16ce92a14e25ca8f353781ad6bf4c105139a2029c682b0e62606b721e9d8c848
)
// vk.SIGMA2.y
mstore
(
add
(
_vk
,
0x380
),
0x0c9177240c1a64d39bbdc9113347b71c8ad5899a9a617b70450e43ca0f08c0b9
)
// vk.SIGMA3.x
mstore
(
add
(
_vk
,
0x3a0
),
0x26486bfd9b1989300948793829dda7ebd3c783b85ef797363b15bdf9932d624f
)
// vk.SIGMA3.y
mstore
(
add
(
_vk
,
0x3c0
),
0x0933b476f487753e6b6a6c07579f099b3bd03e1d4fad080cdf864233e378e6f7
)
// vk.SIGMA4.x
mstore
(
add
(
_vk
,
0x3e0
),
0x19fa964521f482600ad8f48f2d74204aa35665cefec49c73255bcd7bb9cf1d2e
)
// vk.SIGMA4.y
mstore
(
add
(
_vk
,
0x400
),
0x1cadeb85ec1d913dbbebd04a2e9c216fffb782a908252de688cb3f87a9960239
)
// vk.TABLE1.x
mstore
(
add
(
_vk
,
0x420
),
0x140ce35846522600428e89cedfc30ef4f906e759e4b262f982f41b11e232bef0
)
// vk.TABLE1.y
mstore
(
add
(
_vk
,
0x440
),
0x186c47255bd1cac8572abe17f302a4a778dc042d05b5ad10ec72ccf87db72cbd
)
// vk.TABLE2.x
mstore
(
add
(
_vk
,
0x460
),
0x2696b8ea9abe2e21817826ff8ffdd70455306100f722aee5047d7b61d23be470
)
// vk.TABLE2.y
mstore
(
add
(
_vk
,
0x480
),
0x203c78601f28e6739d2031447af9f5015f00e4a92298c8e0af4906929ce4aa23
)
// vk.TABLE3.x
mstore
(
add
(
_vk
,
0x4a0
),
0x0b82d8af3657b8dacf80c03e267415e27c1b22c5b110041433f5f7a0077d6163
)
// vk.TABLE3.y
mstore
(
add
(
_vk
,
0x4c0
),
0x1ca5d2fc76408b3d82cd070612b1f00b2910e92b606943f0a66d4064ac05d6f3
)
// vk.TABLE4.x
mstore
(
add
(
_vk
,
0x4e0
),
0x12889680e44151655a6fb88176f0eb0e09e60039ec5cbc978bcb081ca4d41c1e
)
// vk.TABLE4.y
mstore
(
add
(
_vk
,
0x500
),
0x269c3c1e6be15df4cd6e18678103fb6a22fc4e79890d0e7d18259353640bf580
)
// vk.TABLE_TYPE.x
mstore
(
add
(
_vk
,
0x520
),
0x073ef16b8836c3c34ac6e02937c25aaf47728e8aaa50eea7a2a7e2d87b2a051c
)
// vk.TABLE_TYPE.y
mstore
(
add
(
_vk
,
0x540
),
0x0642a0979a2c84f7f2c1ae9c5285e8b54bc1a57e51ec50588ec003e5ccaa1ef0
)
// vk.ID1.x
mstore
(
add
(
_vk
,
0x560
),
0x10759f71ebeb64070c9bde2e55126711646725544ef4273f9a391b9b9b0af13d
)
// vk.ID1.y
mstore
(
add
(
_vk
,
0x580
),
0x05107532383658086d131205993b32158da27ddcf4a41708cf50e4e6ca986205
)
// vk.ID2.x
mstore
(
add
(
_vk
,
0x5a0
),
0x1c67ba6b417eddf6928c56e1fece6ba9c73c4579c446ff0bd86e794121b4957c
)
// vk.ID2.y
mstore
(
add
(
_vk
,
0x5c0
),
0x030c58a082fe2a8a256a3c7596ca585a024396e2377db7e854bf7f14514759b8
)
// vk.ID3.x
mstore
(
add
(
_vk
,
0x5e0
),
0x1606bd0cae6fbb354de28025f6deb12a003c43b7dafa272c94b35c752ceaa696
)
// vk.ID3.y
mstore
(
add
(
_vk
,
0x600
),
0x1e1a0bd62a0746fb76e5d6727d5db536662c58d163cf29375fff76b669856e5f
)
// vk.ID4.x
mstore
(
add
(
_vk
,
0x620
),
0x0f786242d4fd388fd0e83bc4074cef1a36162d3403af146af654e72acb72e4c6
)
// vk.ID4.y
mstore
(
add
(
_vk
,
0x640
),
0x01
)
// vk.contains_recursive_proof
mstore
(
add
(
_vk
,
0x660
),
1
)
// vk.recursive_proof_public_input_indices
mstore
(
add
(
_vk
,
0x680
),
0x260e01b251f6f1c7e7ff4e580791dee8ea51d87a358e038b4efe30fac09383c1
)
// vk.g2_x.X.c1
mstore
(
add
(
_vk
,
0x6a0
),
0x0118c4d5b837bcc2bc89b5b398b5974e9f5944073b32078b7e231fec938883b0
)
// vk.g2_x.X.c0
mstore
(
add
(
_vk
,
0x6c0
),
0x04fc6369f7110fe3d25156c1bb9a72859cf2a04641f99ba4ee413c80da6a5fe4
)
// vk.g2_x.Y.c1
mstore
(
add
(
_vk
,
0x6e0
),
0x22febda3c0c0632a56475b4214e5615e11e6dd3f96e6cea2854a87d4dacc5e55
)
// vk.g2_x.Y.c0
mstore
(
_omegaInverseLoc
,
0x06e402c0a314fb67a15cf806664ae1b722dbc0efe66e6c81d98f9924ca535321
)
// vk.work_root_inverse
}
}
}
/**
* @title Ultra Plonk proof verification contract
* @dev Top level Plonk proof verification contract, which allows Plonk proof to be verified
*/
abstract
contract
BaseUltraVerifier
{
// VERIFICATION KEY MEMORY LOCATIONS
uint256
internal
constant
N_LOC
=
0x380
;
uint256
internal
constant
NUM_INPUTS_LOC
=
0x3a0
;
uint256
internal
constant
OMEGA_LOC
=
0x3c0
;
uint256
internal
constant
DOMAIN_INVERSE_LOC
=
0x3e0
;
uint256
internal
constant
Q1_X_LOC
=
0x400
;
uint256
internal
constant
Q1_Y_LOC
=
0x420
;
uint256
internal
constant
Q2_X_LOC
=
0x440
;
uint256
internal
constant
Q2_Y_LOC
=
0x460
;
uint256
internal
constant
Q3_X_LOC
=
0x480
;
uint256
internal
constant
Q3_Y_LOC
=
0x4a0
;
uint256
internal
constant
Q4_X_LOC
=
0x4c0
;
uint256
internal
constant
Q4_Y_LOC
=
0x4e0
;
uint256
internal
constant
QM_X_LOC
=
0x500
;
uint256
internal
constant
QM_Y_LOC
=
0x520
;
uint256
internal
constant
QC_X_LOC
=
0x540
;
uint256
internal
constant
QC_Y_LOC
=
0x560
;
uint256
internal
constant
QARITH_X_LOC
=
0x580
;
uint256
internal
constant
QARITH_Y_LOC
=
0x5a0
;
uint256
internal
constant
QSORT_X_LOC
=
0x5c0
;
uint256
internal
constant
QSORT_Y_LOC
=
0x5e0
;
uint256
internal
constant
QELLIPTIC_X_LOC
=
0x600
;
uint256
internal
constant
QELLIPTIC_Y_LOC
=
0x620
;
uint256
internal
constant
QAUX_X_LOC
=
0x640
;
uint256
internal
constant
QAUX_Y_LOC
=
0x660
;
uint256
internal
constant
SIGMA1_X_LOC
=
0x680
;
uint256
internal
constant
SIGMA1_Y_LOC
=
0x6a0
;
uint256
internal
constant
SIGMA2_X_LOC
=
0x6c0
;
uint256
internal
constant
SIGMA2_Y_LOC
=
0x6e0
;
uint256
internal
constant
SIGMA3_X_LOC
=
0x700
;
uint256
internal
constant
SIGMA3_Y_LOC
=
0x720
;
uint256
internal
constant
SIGMA4_X_LOC
=
0x740
;
uint256
internal
constant
SIGMA4_Y_LOC
=
0x760
;
uint256
internal
constant
TABLE1_X_LOC
=
0x780
;
uint256
internal
constant
TABLE1_Y_LOC
=
0x7a0
;
uint256
internal
constant
TABLE2_X_LOC
=
0x7c0
;
uint256
internal
constant
TABLE2_Y_LOC
=
0x7e0
;
uint256
internal
constant
TABLE3_X_LOC
=
0x800
;
uint256
internal
constant
TABLE3_Y_LOC
=
0x820
;
uint256
internal
constant
TABLE4_X_LOC
=
0x840
;
uint256
internal
constant
TABLE4_Y_LOC
=
0x860
;
uint256
internal
constant
TABLE_TYPE_X_LOC
=
0x880
;
uint256
internal
constant
TABLE_TYPE_Y_LOC
=
0x8a0
;
uint256
internal
constant
ID1_X_LOC
=
0x8c0
;
uint256
internal
constant
ID1_Y_LOC
=
0x8e0
;
uint256
internal
constant
ID2_X_LOC
=
0x900
;
uint256
internal
constant
ID2_Y_LOC
=
0x920
;
uint256
internal
constant
ID3_X_LOC
=
0x940
;
uint256
internal
constant
ID3_Y_LOC
=
0x960
;
uint256
internal
constant
ID4_X_LOC
=
0x980
;
uint256
internal
constant
ID4_Y_LOC
=
0x9a0
;
uint256
internal
constant
CONTAINS_RECURSIVE_PROOF_LOC
=
0x9c0
;
uint256
internal
constant
RECURSIVE_PROOF_PUBLIC_INPUT_INDICES_LOC
=
0x9e0
;
uint256
internal
constant
G2X_X0_LOC
=
0xa00
;
uint256
internal
constant
G2X_X1_LOC
=
0xa20
;
uint256
internal
constant
G2X_Y0_LOC
=
0xa40
;
uint256
internal
constant
G2X_Y1_LOC
=
0xa60
;
// ### PROOF DATA MEMORY LOCATIONS
uint256
internal
constant
W1_X_LOC
=
0x1200
;
uint256
internal
constant
W1_Y_LOC
=
0x1220
;
uint256
internal
constant
W2_X_LOC
=
0x1240
;
uint256
internal
constant
W2_Y_LOC
=
0x1260
;
uint256
internal
constant
W3_X_LOC
=
0x1280
;
uint256
internal
constant
W3_Y_LOC
=
0x12a0
;
uint256
internal
constant
W4_X_LOC
=
0x12c0
;
uint256
internal
constant
W4_Y_LOC
=
0x12e0
;
uint256
internal
constant
S_X_LOC
=
0x1300
;
uint256
internal
constant
S_Y_LOC
=
0x1320
;
uint256
internal
constant
Z_X_LOC
=
0x1340
;
uint256
internal
constant
Z_Y_LOC
=
0x1360
;
uint256
internal
constant
Z_LOOKUP_X_LOC
=
0x1380
;
uint256
internal
constant
Z_LOOKUP_Y_LOC
=
0x13a0
;
uint256
internal
constant
T1_X_LOC
=
0x13c0
;
uint256
internal
constant
T1_Y_LOC
=
0x13e0
;
uint256
internal
constant
T2_X_LOC
=
0x1400
;
uint256
internal
constant
T2_Y_LOC
=
0x1420
;
uint256
internal
constant
T3_X_LOC
=
0x1440
;
uint256
internal
constant
T3_Y_LOC
=
0x1460
;
uint256
internal
constant
T4_X_LOC
=
0x1480
;
uint256
internal
constant
T4_Y_LOC
=
0x14a0
;
uint256
internal
constant
W1_EVAL_LOC
=
0x1600
;
uint256
internal
constant
W2_EVAL_LOC
=
0x1620
;
uint256
internal
constant
W3_EVAL_LOC
=
0x1640
;
uint256
internal
constant
W4_EVAL_LOC
=
0x1660
;
uint256
internal
constant
S_EVAL_LOC
=
0x1680
;
uint256
internal
constant
Z_EVAL_LOC
=
0x16a0
;
uint256
internal
constant
Z_LOOKUP_EVAL_LOC
=
0x16c0
;
uint256
internal
constant
Q1_EVAL_LOC
=
0x16e0
;
uint256
internal
constant
Q2_EVAL_LOC
=
0x1700
;
uint256
internal
constant
Q3_EVAL_LOC
=
0x1720
;
uint256
internal
constant
Q4_EVAL_LOC
=
0x1740
;
uint256
internal
constant
QM_EVAL_LOC
=
0x1760
;
uint256
internal
constant
QC_EVAL_LOC
=
0x1780
;
uint256
internal
constant
QARITH_EVAL_LOC
=
0x17a0
;
uint256
internal
constant
QSORT_EVAL_LOC
=
0x17c0
;
uint256
internal
constant
QELLIPTIC_EVAL_LOC
=
0x17e0
;
uint256
internal
constant
QAUX_EVAL_LOC
=
0x1800
;
uint256
internal
constant
TABLE1_EVAL_LOC
=
0x1840
;
uint256
internal
constant
TABLE2_EVAL_LOC
=
0x1860
;
uint256
internal
constant
TABLE3_EVAL_LOC
=
0x1880
;
uint256
internal
constant
TABLE4_EVAL_LOC
=
0x18a0
;
uint256
internal
constant
TABLE_TYPE_EVAL_LOC
=
0x18c0
;
uint256
internal
constant
ID1_EVAL_LOC
=
0x18e0
;
uint256
internal
constant
ID2_EVAL_LOC
=
0x1900
;
uint256
internal
constant
ID3_EVAL_LOC
=
0x1920
;
uint256
internal
constant
ID4_EVAL_LOC
=
0x1940
;
uint256
internal
constant
SIGMA1_EVAL_LOC
=
0x1960
;
uint256
internal
constant
SIGMA2_EVAL_LOC
=
0x1980
;
uint256
internal
constant
SIGMA3_EVAL_LOC
=
0x19a0
;
uint256
internal
constant
SIGMA4_EVAL_LOC
=
0x19c0
;
uint256
internal
constant
W1_OMEGA_EVAL_LOC
=
0x19e0
;
uint256
internal
constant
W2_OMEGA_EVAL_LOC
=
0x2000
;
uint256
internal
constant
W3_OMEGA_EVAL_LOC
=
0x2020
;
uint256
internal
constant
W4_OMEGA_EVAL_LOC
=
0x2040
;
uint256
internal
constant
S_OMEGA_EVAL_LOC
=
0x2060
;
uint256
internal
constant
Z_OMEGA_EVAL_LOC
=
0x2080
;
uint256
internal
constant
Z_LOOKUP_OMEGA_EVAL_LOC
=
0x20a0
;
uint256
internal
constant
TABLE1_OMEGA_EVAL_LOC
=
0x20c0
;
uint256
internal
constant
TABLE2_OMEGA_EVAL_LOC
=
0x20e0
;
uint256
internal
constant
TABLE3_OMEGA_EVAL_LOC
=
0x2100
;
uint256
internal
constant
TABLE4_OMEGA_EVAL_LOC
=
0x2120
;
uint256
internal
constant
PI_Z_X_LOC
=
0x2300
;
uint256
internal
constant
PI_Z_Y_LOC
=
0x2320
;
uint256
internal
constant
PI_Z_OMEGA_X_LOC
=
0x2340
;
uint256
internal
constant
PI_Z_OMEGA_Y_LOC
=
0x2360
;
// Used for elliptic widget. These are alias names for wire + shifted wire evaluations
uint256
internal
constant
X1_EVAL_LOC
=
W2_EVAL_LOC
;
uint256
internal
constant
X2_EVAL_LOC
=
W1_OMEGA_EVAL_LOC
;
uint256
internal
constant
X3_EVAL_LOC
=
W2_OMEGA_EVAL_LOC
;
uint256
internal
constant
Y1_EVAL_LOC
=
W3_EVAL_LOC
;
uint256
internal
constant
Y2_EVAL_LOC
=
W4_OMEGA_EVAL_LOC
;
uint256
internal
constant
Y3_EVAL_LOC
=
W3_OMEGA_EVAL_LOC
;
uint256
internal
constant
QBETA_LOC
=
Q3_EVAL_LOC
;
uint256
internal
constant
QBETA_SQR_LOC
=
Q4_EVAL_LOC
;
uint256
internal
constant
QSIGN_LOC
=
Q1_EVAL_LOC
;
// ### CHALLENGES MEMORY OFFSETS
uint256
internal
constant
C_BETA_LOC
=
0x2600
;
uint256
internal
constant
C_GAMMA_LOC
=
0x2620
;
uint256
internal
constant
C_ALPHA_LOC
=
0x2640
;
uint256
internal
constant
C_ETA_LOC
=
0x2660
;
uint256
internal
constant
C_ETA_SQR_LOC
=
0x2680
;
uint256
internal
constant
C_ETA_CUBE_LOC
=
0x26a0
;
uint256
internal
constant
C_ZETA_LOC
=
0x26c0
;
uint256
internal
constant
C_CURRENT_LOC
=
0x26e0
;
uint256
internal
constant
C_V0_LOC
=
0x2700
;
uint256
internal
constant
C_V1_LOC
=
0x2720
;
uint256
internal
constant
C_V2_LOC
=
0x2740
;
uint256
internal
constant
C_V3_LOC
=
0x2760
;
uint256
internal
constant
C_V4_LOC
=
0x2780
;
uint256
internal
constant
C_V5_LOC
=
0x27a0
;
uint256
internal
constant
C_V6_LOC
=
0x27c0
;
uint256
internal
constant
C_V7_LOC
=
0x27e0
;
uint256
internal
constant
C_V8_LOC
=
0x2800
;
uint256
internal
constant
C_V9_LOC
=
0x2820
;
uint256
internal
constant
C_V10_LOC
=
0x2840
;
uint256
internal
constant
C_V11_LOC
=
0x2860
;
uint256
internal
constant
C_V12_LOC
=
0x2880
;
uint256
internal
constant
C_V13_LOC
=
0x28a0
;
uint256
internal
constant
C_V14_LOC
=
0x28c0
;
uint256
internal
constant
C_V15_LOC
=
0x28e0
;
uint256
internal
constant
C_V16_LOC
=
0x2900
;
uint256
internal
constant
C_V17_LOC
=
0x2920
;
uint256
internal
constant
C_V18_LOC
=
0x2940
;
uint256
internal
constant
C_V19_LOC
=
0x2960
;
uint256
internal
constant
C_V20_LOC
=
0x2980
;
uint256
internal
constant
C_V21_LOC
=
0x29a0
;
uint256
internal
constant
C_V22_LOC
=
0x29c0
;
uint256
internal
constant
C_V23_LOC
=
0x29e0
;
uint256
internal
constant
C_V24_LOC
=
0x2a00
;
uint256
internal
constant
C_V25_LOC
=
0x2a20
;
uint256
internal
constant
C_V26_LOC
=
0x2a40
;
uint256
internal
constant
C_V27_LOC
=
0x2a60
;
uint256
internal
constant
C_V28_LOC
=
0x2a80
;
uint256
internal
constant
C_V29_LOC
=
0x2aa0
;
uint256
internal
constant
C_V30_LOC
=
0x2ac0
;
uint256
internal
constant
C_U_LOC
=
0x2b00
;
// ### LOCAL VARIABLES MEMORY OFFSETS
uint256
internal
constant
DELTA_NUMERATOR_LOC
=
0x3000
;
uint256
internal
constant
DELTA_DENOMINATOR_LOC
=
0x3020
;
uint256
internal
constant
ZETA_POW_N_LOC
=
0x3040
;
uint256
internal
constant
PUBLIC_INPUT_DELTA_LOC
=
0x3060
;
uint256
internal
constant
ZERO_POLY_LOC
=
0x3080
;
uint256
internal
constant
L_START_LOC
=
0x30a0
;
uint256
internal
constant
L_END_LOC
=
0x30c0
;
uint256
internal
constant
R_ZERO_EVAL_LOC
=
0x30e0
;
uint256
internal
constant
PLOOKUP_DELTA_NUMERATOR_LOC
=
0x3100
;
uint256
internal
constant
PLOOKUP_DELTA_DENOMINATOR_LOC
=
0x3120
;
uint256
internal
constant
PLOOKUP_DELTA_LOC
=
0x3140
;
uint256
internal
constant
ACCUMULATOR_X_LOC
=
0x3160
;
uint256
internal
constant
ACCUMULATOR_Y_LOC
=
0x3180
;
uint256
internal
constant
ACCUMULATOR2_X_LOC
=
0x31a0
;
uint256
internal
constant
ACCUMULATOR2_Y_LOC
=
0x31c0
;
uint256
internal
constant
PAIRING_LHS_X_LOC
=
0x31e0
;
uint256
internal
constant
PAIRING_LHS_Y_LOC
=
0x3200
;
uint256
internal
constant
PAIRING_RHS_X_LOC
=
0x3220
;
uint256
internal
constant
PAIRING_RHS_Y_LOC
=
0x3240
;
// misc stuff
uint256
internal
constant
OMEGA_INVERSE_LOC
=
0x3300
;
uint256
internal
constant
C_ALPHA_SQR_LOC
=
0x3320
;
uint256
internal
constant
C_ALPHA_CUBE_LOC
=
0x3340
;
uint256
internal
constant
C_ALPHA_QUAD_LOC
=
0x3360
;
uint256
internal
constant
C_ALPHA_BASE_LOC
=
0x3380
;
// ### RECURSION VARIABLE MEMORY LOCATIONS
uint256
internal
constant
RECURSIVE_P1_X_LOC
=
0x3400
;
uint256
internal
constant
RECURSIVE_P1_Y_LOC
=
0x3420
;
uint256
internal
constant
RECURSIVE_P2_X_LOC
=
0x3440
;
uint256
internal
constant
RECURSIVE_P2_Y_LOC
=
0x3460
;
uint256
internal
constant
PUBLIC_INPUTS_HASH_LOCATION
=
0x3480
;
// sub-identity storage
uint256
internal
constant
PERMUTATION_IDENTITY
=
0x3500
;
uint256
internal
constant
PLOOKUP_IDENTITY
=
0x3520
;
uint256
internal
constant
ARITHMETIC_IDENTITY
=
0x3540
;
uint256
internal
constant
SORT_IDENTITY
=
0x3560
;
uint256
internal
constant
ELLIPTIC_IDENTITY
=
0x3580
;
uint256
internal
constant
AUX_IDENTITY
=
0x35a0
;
uint256
internal
constant
AUX_NON_NATIVE_FIELD_EVALUATION
=
0x35c0
;
uint256
internal
constant
AUX_LIMB_ACCUMULATOR_EVALUATION
=
0x35e0
;
uint256
internal
constant
AUX_RAM_CONSISTENCY_EVALUATION
=
0x3600
;
uint256
internal
constant
AUX_ROM_CONSISTENCY_EVALUATION
=
0x3620
;
uint256
internal
constant
AUX_MEMORY_EVALUATION
=
0x3640
;
uint256
internal
constant
QUOTIENT_EVAL_LOC
=
0x3660
;
uint256
internal
constant
ZERO_POLY_INVERSE_LOC
=
0x3680
;
// when hashing public inputs we use memory at NU_CHALLENGE_INPUT_LOC_A, as the hash input size is unknown at compile time
uint256
internal
constant
NU_CHALLENGE_INPUT_LOC_A
=
0x36a0
;
uint256
internal
constant
NU_CHALLENGE_INPUT_LOC_B
=
0x36c0
;
uint256
internal
constant
NU_CHALLENGE_INPUT_LOC_C
=
0x36e0
;
bytes4
internal
constant
INVALID_VERIFICATION_KEY_SELECTOR
=
0x7e5769bf
;
bytes4
internal
constant
POINT_NOT_ON_CURVE_SELECTOR
=
0xa3dad654
;
bytes4
internal
constant
PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR
=
0xeba9f4a6
;
bytes4
internal
constant
PUBLIC_INPUT_GE_P_SELECTOR
=
0x374a972f
;
bytes4
internal
constant
MOD_EXP_FAILURE_SELECTOR
=
0xf894a7bc
;
bytes4
internal
constant
PAIRING_PREAMBLE_FAILED_SELECTOR
=
0x01882d81
;
bytes4
internal
constant
OPENING_COMMITMENT_FAILED_SELECTOR
=
0x4e719763
;
bytes4
internal
constant
PAIRING_FAILED_SELECTOR
=
0xd71fd263
;
uint256
internal
constant
ETA_INPUT_LENGTH
=
0xc0
;
// W1, W2, W3 = 6 * 0x20 bytes
// We need to hash 41 field elements when generating the NU challenge
// w1, w2, w3, w4, s, z, z_lookup, q1, q2, q3, q4, qm, qc, qarith (14)
// qsort, qelliptic, qaux, sigma1, sigma2, sigma, sigma4, (7)
// table1, table2, table3, table4, tabletype, id1, id2, id3, id4, (9)
// w1_omega, w2_omega, w3_omega, w4_omega, s_omega, z_omega, z_lookup_omega, (7)
// table1_omega, table2_omega, table3_omega, table4_omega (4)
uint256
internal
constant
NU_INPUT_LENGTH
=
0x520
;
// 0x520 = 41 * 0x20
// There are ELEVEN G1 group elements added into the transcript in the `beta` round, that we need to skip over
// W1, W2, W3, W4, S, Z, Z_LOOKUP, T1, T2, T3, T4
uint256
internal
constant
NU_CALLDATA_SKIP_LENGTH
=
0x2c0
;
// 11 * 0x40 = 0x2c0
uint256
internal
constant
NEGATIVE_INVERSE_OF_2_MODULO_P
=
0x183227397098d014dc2822db40c0ac2e9419f4243cdcb848a1f0fac9f8000000
;
uint256
internal
constant
LIMB_SIZE
=
0x100000000000000000
;
// 2<<68
uint256
internal
constant
SUBLIMB_SHIFT
=
0x4000
;
// 2<<14
// y^2 = x^3 + ax + b
// for Grumpkin, a = 0 and b = -17. We use b in a custom gate relation that evaluates elliptic curve arithmetic
uint256
internal
constant
GRUMPKIN_CURVE_B_PARAMETER_NEGATED
=
17
;
error
INVALID_VERIFICATION_KEY
();
error
POINT_NOT_ON_CURVE
();
error
PUBLIC_INPUT_COUNT_INVALID
(
uint256
expected
,
uint256
actual
);
error
PUBLIC_INPUT_INVALID_BN128_G1_POINT
();
error
PUBLIC_INPUT_GE_P
();
error
MOD_EXP_FAILURE
();
error
PAIRING_PREAMBLE_FAILED
();
error
OPENING_COMMITMENT_FAILED
();
error
PAIRING_FAILED
();
function
getVerificationKeyHash
()
public
pure
virtual
returns
(
bytes32
);
/**
* @dev We assume that the verification key loaded by this function is constant as we only verify it on deployment
*/
function
loadVerificationKey
(
uint256
_vk
,
uint256
_omegaInverseLoc
)
internal
pure
virtual
;
constructor
()
{
loadVerificationKey
(
N_LOC
,
OMEGA_INVERSE_LOC
);
// We verify that all of the EC points in the verification key lie on the bn128 curve.
assembly
{
let
q
:=
21888242871839275222246405745257275088696311157297823662689037894645226208583
// EC group order
let
success
:=
1
// VALIDATE Q1
{
let
x
:=
mload
(
Q1_X_LOC
)
let
y
:=
mload
(
Q1_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE Q2
{
let
x
:=
mload
(
Q2_X_LOC
)
let
y
:=
mload
(
Q2_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE Q3
{
let
x
:=
mload
(
Q3_X_LOC
)
let
y
:=
mload
(
Q3_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE Q4
{
let
x
:=
mload
(
Q4_X_LOC
)
let
y
:=
mload
(
Q4_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
mstore
(
0x00
,
x
)
mstore
(
0x20
,
y
)
}
// VALIDATE QM
{
let
x
:=
mload
(
QM_X_LOC
)
let
y
:=
mload
(
QM_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE QC
{
let
x
:=
mload
(
QC_X_LOC
)
let
y
:=
mload
(
QC_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE QARITH
{
let
x
:=
mload
(
QARITH_X_LOC
)
let
y
:=
mload
(
QARITH_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE QSORT
{
let
x
:=
mload
(
QSORT_X_LOC
)
let
y
:=
mload
(
QSORT_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE QELLIPTIC
{
let
x
:=
mload
(
QELLIPTIC_X_LOC
)
let
y
:=
mload
(
QELLIPTIC_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE QAUX
{
let
x
:=
mload
(
QAUX_X_LOC
)
let
y
:=
mload
(
QAUX_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE SIGMA1
{
let
x
:=
mload
(
SIGMA1_X_LOC
)
let
y
:=
mload
(
SIGMA1_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE SIGMA2
{
let
x
:=
mload
(
SIGMA2_X_LOC
)
let
y
:=
mload
(
SIGMA2_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE SIGMA3
{
let
x
:=
mload
(
SIGMA3_X_LOC
)
let
y
:=
mload
(
SIGMA3_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE SIGMA4
{
let
x
:=
mload
(
SIGMA4_X_LOC
)
let
y
:=
mload
(
SIGMA4_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE TABLE1
{
let
x
:=
mload
(
TABLE1_X_LOC
)
let
y
:=
mload
(
TABLE1_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE TABLE2
{
let
x
:=
mload
(
TABLE2_X_LOC
)
let
y
:=
mload
(
TABLE2_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE TABLE3
{
let
x
:=
mload
(
TABLE3_X_LOC
)
let
y
:=
mload
(
TABLE3_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE TABLE4
{
let
x
:=
mload
(
TABLE4_X_LOC
)
let
y
:=
mload
(
TABLE4_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE TABLE_TYPE
{
let
x
:=
mload
(
TABLE_TYPE_X_LOC
)
let
y
:=
mload
(
TABLE_TYPE_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE ID1
{
let
x
:=
mload
(
ID1_X_LOC
)
let
y
:=
mload
(
ID1_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE ID2
{
let
x
:=
mload
(
ID2_X_LOC
)
let
y
:=
mload
(
ID2_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE ID3
{
let
x
:=
mload
(
ID3_X_LOC
)
let
y
:=
mload
(
ID3_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
// VALIDATE ID4
{
let
x
:=
mload
(
ID4_X_LOC
)
let
y
:=
mload
(
ID4_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
success
:=
and
(
success
,
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
}
if
iszero
(
success
)
{
mstore
(
0x0
,
INVALID_VERIFICATION_KEY_SELECTOR
)
revert
(
0x00
,
0x04
)
}
}
}
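Review bot: the `// EC group order` comment on `q` in the constructor is wrong: 21888242871839275222246405745257275088696311157297823662689037894645226208583 is the BN254 base-field modulus over which the coordinate arithmetic (`mulmod(x, x, q)`, `y^2 = x^3 + 3 mod q`) is done, while the G1 group order is the other constant, the one labelled `// Prime field order` in `verify`. Swapping or rewording both labels ("base field modulus" / "scalar field modulus, G1 group order") avoids a reviewer reading the curve check as being done over the wrong field. Two smaller points in the same block: the on-curve check only tests `eq(mulmod(y,y,q), addmod(mulmod(x,xx,q), 3, q))` on the raw coordinates, so a coordinate >= q is reduced by `mulmod` and passes; since `loadVerificationKey` is `virtual`, a derived contract could supply non-canonical coordinates that are only rejected later by the precompiles, so consider folding `lt(x, q)` and `lt(y, q)` into `success`. And the `mstore(0x00, x)` / `mstore(0x20, y)` pair inside the Q4 block is a dead store (nothing reads 0x00/0x20 before the next block shadows `x` and `y`); it should be removed.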
/**
* @notice Verify a Ultra Plonk proof
* @param _proof - The serialized proof
* @param _publicInputs - An array of the public inputs
* @return True if proof is valid, reverts otherwise
*/
function
verify
(
bytes
calldata
_proof
,
bytes32
[]
calldata
_publicInputs
)
external
view
returns
(
bool
)
{
loadVerificationKey
(
N_LOC
,
OMEGA_INVERSE_LOC
);
uint256
requiredPublicInputCount
;
assembly
{
requiredPublicInputCount
:=
mload
(
NUM_INPUTS_LOC
)
}
if
(
requiredPublicInputCount
!=
_publicInputs
.
length
)
{
revert
PUBLIC_INPUT_COUNT_INVALID
(
requiredPublicInputCount
,
_publicInputs
.
length
);
}
assembly
{
let
q
:=
21888242871839275222246405745257275088696311157297823662689037894645226208583
// EC group order
let
p
:=
21888242871839275222246405745257275088548364400416034343698204186575808495617
// Prime field order
/**
* LOAD PROOF FROM CALLDATA
*/
{
let
data_ptr
:=
add
(
calldataload
(
0x04
),
0x24
)
mstore
(
W1_Y_LOC
,
mod
(
calldataload
(
data_ptr
),
q
))
mstore
(
W1_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x20
)),
q
))
mstore
(
W2_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x40
)),
q
))
mstore
(
W2_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x60
)),
q
))
mstore
(
W3_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x80
)),
q
))
mstore
(
W3_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0xa0
)),
q
))
mstore
(
W4_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0xc0
)),
q
))
mstore
(
W4_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0xe0
)),
q
))
mstore
(
S_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x100
)),
q
))
mstore
(
S_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x120
)),
q
))
mstore
(
Z_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x140
)),
q
))
mstore
(
Z_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x160
)),
q
))
mstore
(
Z_LOOKUP_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x180
)),
q
))
mstore
(
Z_LOOKUP_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x1a0
)),
q
))
mstore
(
T1_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x1c0
)),
q
))
mstore
(
T1_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x1e0
)),
q
))
mstore
(
T2_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x200
)),
q
))
mstore
(
T2_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x220
)),
q
))
mstore
(
T3_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x240
)),
q
))
mstore
(
T3_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x260
)),
q
))
mstore
(
T4_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x280
)),
q
))
mstore
(
T4_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x2a0
)),
q
))
mstore
(
W1_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x2c0
)),
p
))
mstore
(
W2_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x2e0
)),
p
))
mstore
(
W3_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x300
)),
p
))
mstore
(
W4_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x320
)),
p
))
mstore
(
S_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x340
)),
p
))
mstore
(
Z_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x360
)),
p
))
mstore
(
Z_LOOKUP_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x380
)),
p
))
mstore
(
Q1_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x3a0
)),
p
))
mstore
(
Q2_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x3c0
)),
p
))
mstore
(
Q3_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x3e0
)),
p
))
mstore
(
Q4_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x400
)),
p
))
mstore
(
QM_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x420
)),
p
))
mstore
(
QC_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x440
)),
p
))
mstore
(
QARITH_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x460
)),
p
))
mstore
(
QSORT_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x480
)),
p
))
mstore
(
QELLIPTIC_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x4a0
)),
p
))
mstore
(
QAUX_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x4c0
)),
p
))
mstore
(
SIGMA1_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x4e0
)),
p
))
mstore
(
SIGMA2_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x500
)),
p
))
mstore
(
SIGMA3_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x520
)),
p
))
mstore
(
SIGMA4_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x540
)),
p
))
mstore
(
TABLE1_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x560
)),
p
))
mstore
(
TABLE2_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x580
)),
p
))
mstore
(
TABLE3_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x5a0
)),
p
))
mstore
(
TABLE4_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x5c0
)),
p
))
mstore
(
TABLE_TYPE_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x5e0
)),
p
))
mstore
(
ID1_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x600
)),
p
))
mstore
(
ID2_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x620
)),
p
))
mstore
(
ID3_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x640
)),
p
))
mstore
(
ID4_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x660
)),
p
))
mstore
(
W1_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x680
)),
p
))
mstore
(
W2_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x6a0
)),
p
))
mstore
(
W3_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x6c0
)),
p
))
mstore
(
W4_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x6e0
)),
p
))
mstore
(
S_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x700
)),
p
))
mstore
(
Z_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x720
)),
p
))
mstore
(
Z_LOOKUP_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x740
)),
p
))
mstore
(
TABLE1_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x760
)),
p
))
mstore
(
TABLE2_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x780
)),
p
))
mstore
(
TABLE3_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x7a0
)),
p
))
mstore
(
TABLE4_OMEGA_EVAL_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x7c0
)),
p
))
mstore
(
PI_Z_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x7e0
)),
q
))
mstore
(
PI_Z_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x800
)),
q
))
mstore
(
PI_Z_OMEGA_Y_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x820
)),
q
))
mstore
(
PI_Z_OMEGA_X_LOC
,
mod
(
calldataload
(
add
(
data_ptr
,
0x840
)),
q
))
}
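Review bot: every proof word is loaded as `mod(calldataload(...), q)` or `mod(calldataload(...), p)`, so out-of-range words are silently reduced instead of rejected; the proof encoding is therefore non-canonical and the same proof verifies under many distinct byte strings, which matters if proof bytes are ever used as a key or deduplicated upstream. If strict encoding is intended, replace the `mod` with an `lt` check accumulated into a flag and revert with a dedicated selector, as the public-input loop already does for `input < p`. Separately, nothing checks the length of `_proof`: the last read is at `data_ptr + 0x840`, so the verifier expects exactly 0x860 bytes (22 coordinate words, 41 evaluations, 4 opening-proof words), but a shorter `_proof` is just zero-padded by `calldataload`. A single check of the length word at `add(calldataload(0x04), 0x04)` against 0x860 with a revert would make malformed inputs fail loudly rather than through an opaque pairing failure.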
/**
* LOAD RECURSIVE PROOF INTO MEMORY
*/
{
if
mload
(
CONTAINS_RECURSIVE_PROOF_LOC
)
{
let
public_inputs_ptr
:=
add
(
calldataload
(
0x24
),
0x24
)
let
index_counter
:=
add
(
shl
(
5
,
mload
(
RECURSIVE_PROOF_PUBLIC_INPUT_INDICES_LOC
)),
public_inputs_ptr
)
let
x0
:=
calldataload
(
index_counter
)
x0
:=
add
(
x0
,
shl
(
68
,
calldataload
(
add
(
index_counter
,
0x20
))))
x0
:=
add
(
x0
,
shl
(
136
,
calldataload
(
add
(
index_counter
,
0x40
))))
x0
:=
add
(
x0
,
shl
(
204
,
calldataload
(
add
(
index_counter
,
0x60
))))
let
y0
:=
calldataload
(
add
(
index_counter
,
0x80
))
y0
:=
add
(
y0
,
shl
(
68
,
calldataload
(
add
(
index_counter
,
0xa0
))))
y0
:=
add
(
y0
,
shl
(
136
,
calldataload
(
add
(
index_counter
,
0xc0
))))
y0
:=
add
(
y0
,
shl
(
204
,
calldataload
(
add
(
index_counter
,
0xe0
))))
let
x1
:=
calldataload
(
add
(
index_counter
,
0x100
))
x1
:=
add
(
x1
,
shl
(
68
,
calldataload
(
add
(
index_counter
,
0x120
))))
x1
:=
add
(
x1
,
shl
(
136
,
calldataload
(
add
(
index_counter
,
0x140
))))
x1
:=
add
(
x1
,
shl
(
204
,
calldataload
(
add
(
index_counter
,
0x160
))))
let
y1
:=
calldataload
(
add
(
index_counter
,
0x180
))
y1
:=
add
(
y1
,
shl
(
68
,
calldataload
(
add
(
index_counter
,
0x1a0
))))
y1
:=
add
(
y1
,
shl
(
136
,
calldataload
(
add
(
index_counter
,
0x1c0
))))
y1
:=
add
(
y1
,
shl
(
204
,
calldataload
(
add
(
index_counter
,
0x1e0
))))
mstore
(
RECURSIVE_P1_X_LOC
,
x0
)
mstore
(
RECURSIVE_P1_Y_LOC
,
y0
)
mstore
(
RECURSIVE_P2_X_LOC
,
x1
)
mstore
(
RECURSIVE_P2_Y_LOC
,
y1
)
// validate these are valid bn128 G1 points
if
iszero
(
and
(
and
(
lt
(
x0
,
q
),
lt
(
x1
,
q
)),
and
(
lt
(
y0
,
q
),
lt
(
y1
,
q
))))
{
mstore
(
0x00
,
PUBLIC_INPUT_INVALID_BN128_G1_POINT_SELECTOR
)
revert
(
0x00
,
0x04
)
}
}
}
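Review bot: the recursive-proof limbs are recombined with `shl(68, ...)`, `shl(136, ...)` and `shl(204, ...)` over plain `add`, but no limb is range-checked to 68 bits first, so the decomposition is non-canonical: `add` wraps modulo 2^256 and the only checks afterwards are `lt(x0, q)` etc. on the recombined values and, later in the public-input loop, `lt(input, p)` on each limb, which is far weaker than `< 2^68`. `LIMB_SIZE` (2^68) is already defined in this file, so an `and(success, lt(limb, LIMB_SIZE))` per limb is cheap; if the canonical decomposition is instead enforced inside the recursive circuit, please say so in the comment at the top of this block so the omission is visibly deliberate. Note also that, unlike the verification-key points in the constructor, these four coordinates are only range-checked and never checked to lie on the curve; if the intent is to rely on the pairing precompile rejecting off-curve points, a comment to that effect would help the next reader.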
{
/**
* Generate initial challenge
*/
mstore
(
0x00
,
shl
(
224
,
mload
(
N_LOC
)))
mstore
(
0x04
,
shl
(
224
,
mload
(
NUM_INPUTS_LOC
)))
let
challenge
:=
keccak256
(
0x00
,
0x08
)
/**
* Generate eta challenge
*/
mstore
(
PUBLIC_INPUTS_HASH_LOCATION
,
challenge
)
// The public input location is stored at 0x24, we then add 0x24 to skip selector and the length of public inputs
let
public_inputs_start
:=
add
(
calldataload
(
0x24
),
0x24
)
// copy the public inputs over
let
public_input_size
:=
mul
(
mload
(
NUM_INPUTS_LOC
),
0x20
)
calldatacopy
(
add
(
PUBLIC_INPUTS_HASH_LOCATION
,
0x20
),
public_inputs_start
,
public_input_size
)
// copy W1, W2, W3 into challenge. Each point is 0x40 bytes, so load 0xc0 = 3 * 0x40 bytes (ETA input length)
let
w_start
:=
add
(
calldataload
(
0x04
),
0x24
)
calldatacopy
(
add
(
add
(
PUBLIC_INPUTS_HASH_LOCATION
,
0x20
),
public_input_size
),
w_start
,
ETA_INPUT_LENGTH
)
// Challenge is the old challenge + public inputs + W1, W2, W3 (0x20 + public_input_size + 0xc0)
let
challenge_bytes_size
:=
add
(
0x20
,
add
(
public_input_size
,
ETA_INPUT_LENGTH
))
challenge
:=
keccak256
(
PUBLIC_INPUTS_HASH_LOCATION
,
challenge_bytes_size
)
{
let
eta
:=
mod
(
challenge
,
p
)
mstore
(
C_ETA_LOC
,
eta
)
mstore
(
C_ETA_SQR_LOC
,
mulmod
(
eta
,
eta
,
p
))
mstore
(
C_ETA_CUBE_LOC
,
mulmod
(
mload
(
C_ETA_SQR_LOC
),
eta
,
p
))
}
/**
* Generate beta challenge
*/
mstore
(
0x00
,
challenge
)
mstore
(
0x20
,
mload
(
W4_Y_LOC
))
mstore
(
0x40
,
mload
(
W4_X_LOC
))
mstore
(
0x60
,
mload
(
S_Y_LOC
))
mstore
(
0x80
,
mload
(
S_X_LOC
))
challenge
:=
keccak256
(
0x00
,
0xa0
)
mstore
(
C_BETA_LOC
,
mod
(
challenge
,
p
))
/**
* Generate gamma challenge
*/
mstore
(
0x00
,
challenge
)
mstore8
(
0x20
,
0x01
)
challenge
:=
keccak256
(
0x00
,
0x21
)
mstore
(
C_GAMMA_LOC
,
mod
(
challenge
,
p
))
/**
* Generate alpha challenge
*/
mstore
(
0x00
,
challenge
)
mstore
(
0x20
,
mload
(
Z_Y_LOC
))
mstore
(
0x40
,
mload
(
Z_X_LOC
))
mstore
(
0x60
,
mload
(
Z_LOOKUP_Y_LOC
))
mstore
(
0x80
,
mload
(
Z_LOOKUP_X_LOC
))
challenge
:=
keccak256
(
0x00
,
0xa0
)
mstore
(
C_ALPHA_LOC
,
mod
(
challenge
,
p
))
/**
* Compute and store some powers of alpha for future computations
*/
let
alpha
:=
mload
(
C_ALPHA_LOC
)
mstore
(
C_ALPHA_SQR_LOC
,
mulmod
(
alpha
,
alpha
,
p
))
mstore
(
C_ALPHA_CUBE_LOC
,
mulmod
(
mload
(
C_ALPHA_SQR_LOC
),
alpha
,
p
))
mstore
(
C_ALPHA_QUAD_LOC
,
mulmod
(
mload
(
C_ALPHA_CUBE_LOC
),
alpha
,
p
))
mstore
(
C_ALPHA_BASE_LOC
,
alpha
)
/**
* Generate zeta challenge
*/
mstore
(
0x00
,
challenge
)
mstore
(
0x20
,
mload
(
T1_Y_LOC
))
mstore
(
0x40
,
mload
(
T1_X_LOC
))
mstore
(
0x60
,
mload
(
T2_Y_LOC
))
mstore
(
0x80
,
mload
(
T2_X_LOC
))
mstore
(
0xa0
,
mload
(
T3_Y_LOC
))
mstore
(
0xc0
,
mload
(
T3_X_LOC
))
mstore
(
0xe0
,
mload
(
T4_Y_LOC
))
mstore
(
0x100
,
mload
(
T4_X_LOC
))
challenge
:=
keccak256
(
0x00
,
0x120
)
mstore
(
C_ZETA_LOC
,
mod
(
challenge
,
p
))
mstore
(
C_CURRENT_LOC
,
challenge
)
}
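Review bot: the Fiat-Shamir transcript in this block commits to `N` and `NUM_INPUTS`, the public inputs, and the prover's commitments, but never absorbs the verification key (the Q*, SIGMA*, TABLE* and ID* commitments) even though `getVerificationKeyHash()` is declared above; if VK binding is intended to come only from the pairing check, state that in the "Generate initial challenge" comment, otherwise the VK hash should be folded into the first `keccak256`. Also, `calldatacopy` writes `public_input_size` (= NUM_INPUTS * 0x20) bytes at `PUBLIC_INPUTS_HASH_LOCATION + 0x20` and then a further `ETA_INPUT_LENGTH` bytes after that; nothing in this block bounds that region against the other `*_LOC` memory slots, so the maximum `NUM_INPUTS` the memory layout tolerates should be documented or asserted where the `*_LOC` constants are defined.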
/**
* EVALUATE FIELD OPERATIONS
*/
/**
* COMPUTE PUBLIC INPUT DELTA
* ΔPI = ∏ᵢ∈ℓ(wᵢ + β σ(i) + γ) / ∏ᵢ∈ℓ(wᵢ + β σ'(i) + γ)
*/
{
let
beta
:=
mload
(
C_BETA_LOC
)
// β
let
gamma
:=
mload
(
C_GAMMA_LOC
)
// γ
let
work_root
:=
mload
(
OMEGA_LOC
)
// ω
let
numerator_value
:=
1
let
denominator_value
:=
1
let
p_clone
:=
p
// move p to the front of the stack
let
valid_inputs
:=
true
// Load the starting point of the public inputs (jump over the selector and the length of public inputs [0x24])
let
public_inputs_ptr
:=
add
(
calldataload
(
0x24
),
0x24
)
// endpoint_ptr = public_inputs_ptr + num_inputs * 0x20. // every public input is 0x20 bytes
let
endpoint_ptr
:=
add
(
public_inputs_ptr
,
mul
(
mload
(
NUM_INPUTS_LOC
),
0x20
))
// root_1 = β * 0x05
let
root_1
:=
mulmod
(
beta
,
0x05
,
p_clone
)
// k1.β
// root_2 = β * 0x0c
let
root_2
:=
mulmod
(
beta
,
0x0c
,
p_clone
)
// @note 0x05 + 0x07 == 0x0c == external coset generator
for
{}
lt
(
public_inputs_ptr
,
endpoint_ptr
)
{
public_inputs_ptr
:=
add
(
public_inputs_ptr
,
0x20
)
}
{
/**
* input = public_input[i]
* valid_inputs &= input < p
* temp = input + gamma
* numerator_value *= (β.σ(i) + wᵢ + γ) // σ(i) = 0x05.ωⁱ
* denominator_value *= (β.σ'(i) + wᵢ + γ) // σ'(i) = 0x0c.ωⁱ
* root_1 *= ω
* root_2 *= ω
*/
let
input
:=
calldataload
(
public_inputs_ptr
)
valid_inputs
:=
and
(
valid_inputs
,
lt
(
input
,
p_clone
))
let
temp
:=
addmod
(
input
,
gamma
,
p_clone
)
numerator_value
:=
mulmod
(
numerator_value
,
add
(
root_1
,
temp
),
p_clone
)
denominator_value
:=
mulmod
(
denominator_value
,
add
(
root_2
,
temp
),
p_clone
)
root_1
:=
mulmod
(
root_1
,
work_root
,
p_clone
)
root_2
:=
mulmod
(
root_2
,
work_root
,
p_clone
)
}
// Revert if not all public inputs are field elements (i.e. < p)
if
iszero
(
valid_inputs
)
{
mstore
(
0x00
,
PUBLIC_INPUT_GE_P_SELECTOR
)
revert
(
0x00
,
0x04
)
}
mstore
(
DELTA_NUMERATOR_LOC
,
numerator_value
)
mstore
(
DELTA_DENOMINATOR_LOC
,
denominator_value
)
}
/**
* Compute Plookup delta factor [γ(1 + β)]^{n-k}
* k = num roots cut out of Z_H = 4
*/
{
let
delta_base
:=
mulmod
(
mload
(
C_GAMMA_LOC
),
addmod
(
mload
(
C_BETA_LOC
),
1
,
p
),
p
)
let
delta_numerator
:=
delta_base
{
let
exponent
:=
mload
(
N_LOC
)
let
count
:=
1
for
{}
lt
(
count
,
exponent
)
{
count
:=
add
(
count
,
count
)
}
{
delta_numerator
:=
mulmod
(
delta_numerator
,
delta_numerator
,
p
)
}
}
mstore
(
PLOOKUP_DELTA_NUMERATOR_LOC
,
delta_numerator
)
let
delta_denominator
:=
mulmod
(
delta_base
,
delta_base
,
p
)
delta_denominator
:=
mulmod
(
delta_denominator
,
delta_denominator
,
p
)
mstore
(
PLOOKUP_DELTA_DENOMINATOR_LOC
,
delta_denominator
)
}
/**
* Compute lagrange poly and vanishing poly fractions
*/
{
/**
* vanishing_numerator = zeta
* ZETA_POW_N = zeta^n
* vanishing_numerator -= 1
* accumulating_root = omega_inverse
* work_root = p - accumulating_root
* domain_inverse = domain_inverse
* vanishing_denominator = zeta + work_root
* work_root *= accumulating_root
* vanishing_denominator *= (zeta + work_root)
* work_root *= accumulating_root
* vanishing_denominator *= (zeta + work_root)
* vanishing_denominator *= (zeta + (zeta + accumulating_root))
* work_root = omega
* lagrange_numerator = vanishing_numerator * domain_inverse
* l_start_denominator = zeta - 1
* accumulating_root = work_root^2
* l_end_denominator = accumulating_root^2 * work_root * zeta - 1
* Note: l_end_denominator term contains a term \omega^5 to cut out 5 roots of unity from vanishing poly
*/
let
zeta
:=
mload
(
C_ZETA_LOC
)
// compute zeta^n, where n is a power of 2
let
vanishing_numerator
:=
zeta
{
// pow_small
let
exponent
:=
mload
(
N_LOC
)
let
count
:=
1
for
{}
lt
(
count
,
exponent
)
{
count
:=
add
(
count
,
count
)
}
{
vanishing_numerator
:=
mulmod
(
vanishing_numerator
,
vanishing_numerator
,
p
)
}
}
mstore
(
ZETA_POW_N_LOC
,
vanishing_numerator
)
vanishing_numerator
:=
addmod
(
vanishing_numerator
,
sub
(
p
,
1
),
p
)
let
accumulating_root
:=
mload
(
OMEGA_INVERSE_LOC
)
let
work_root
:=
sub
(
p
,
accumulating_root
)
let
domain_inverse
:=
mload
(
DOMAIN_INVERSE_LOC
)
let
vanishing_denominator
:=
addmod
(
zeta
,
work_root
,
p
)
work_root
:=
mulmod
(
work_root
,
accumulating_root
,
p
)
vanishing_denominator
:=
mulmod
(
vanishing_denominator
,
addmod
(
zeta
,
work_root
,
p
),
p
)
work_root
:=
mulmod
(
work_root
,
accumulating_root
,
p
)
vanishing_denominator
:=
mulmod
(
vanishing_denominator
,
addmod
(
zeta
,
work_root
,
p
),
p
)
vanishing_denominator
:=
mulmod
(
vanishing_denominator
,
addmod
(
zeta
,
mulmod
(
work_root
,
accumulating_root
,
p
),
p
),
p
)
work_root
:=
mload
(
OMEGA_LOC
)
let
lagrange_numerator
:=
mulmod
(
vanishing_numerator
,
domain_inverse
,
p
)
let
l_start_denominator
:=
addmod
(
zeta
,
sub
(
p
,
1
),
p
)
accumulating_root
:=
mulmod
(
work_root
,
work_root
,
p
)
let
l_end_denominator
:=
addmod
(
mulmod
(
mulmod
(
mulmod
(
accumulating_root
,
accumulating_root
,
p
),
work_root
,
p
),
zeta
,
p
),
sub
(
p
,
1
),
p
)
/**
* Compute inversions using Montgomery's batch inversion trick
*/
let
accumulator
:=
mload
(
DELTA_DENOMINATOR_LOC
)
let
t0
:=
accumulator
accumulator
:=
mulmod
(
accumulator
,
vanishing_denominator
,
p
)
let
t1
:=
accumulator
accumulator
:=
mulmod
(
accumulator
,
vanishing_numerator
,
p
)
let
t2
:=
accumulator
accumulator
:=
mulmod
(
accumulator
,
l_start_denominator
,
p
)
let
t3
:=
accumulator
accumulator
:=
mulmod
(
accumulator
,
mload
(
PLOOKUP_DELTA_DENOMINATOR_LOC
),
p
)
let
t4
:=
accumulator
{
mstore
(
0
,
0x20
)
mstore
(
0x20
,
0x20
)
mstore
(
0x40
,
0x20
)
mstore
(
0x60
,
mulmod
(
accumulator
,
l_end_denominator
,
p
))
mstore
(
0x80
,
sub
(
p
,
2
))
mstore
(
0xa0
,
p
)
if
iszero
(
staticcall
(
gas
(),
0x05
,
0x00
,
0xc0
,
0x00
,
0x20
))
{
mstore
(
0x0
,
MOD_EXP_FAILURE_SELECTOR
)
revert
(
0x00
,
0x04
)
}
accumulator
:=
mload
(
0x00
)
}
t4
:=
mulmod
(
accumulator
,
t4
,
p
)
accumulator
:=
mulmod
(
accumulator
,
l_end_denominator
,
p
)
t3
:=
mulmod
(
accumulator
,
t3
,
p
)
accumulator
:=
mulmod
(
accumulator
,
mload
(
PLOOKUP_DELTA_DENOMINATOR_LOC
),
p
)
t2
:=
mulmod
(
accumulator
,
t2
,
p
)
accumulator
:=
mulmod
(
accumulator
,
l_start_denominator
,
p
)
t1
:=
mulmod
(
accumulator
,
t1
,
p
)
accumulator
:=
mulmod
(
accumulator
,
vanishing_numerator
,
p
)
t0
:=
mulmod
(
accumulator
,
t0
,
p
)
accumulator
:=
mulmod
(
accumulator
,
vanishing_denominator
,
p
)
accumulator
:=
mulmod
(
mulmod
(
accumulator
,
accumulator
,
p
),
mload
(
DELTA_DENOMINATOR_LOC
),
p
)
mstore
(
PUBLIC_INPUT_DELTA_LOC
,
mulmod
(
mload
(
DELTA_NUMERATOR_LOC
),
accumulator
,
p
))
mstore
(
ZERO_POLY_LOC
,
mulmod
(
vanishing_numerator
,
t0
,
p
))
mstore
(
ZERO_POLY_INVERSE_LOC
,
mulmod
(
vanishing_denominator
,
t1
,
p
))
mstore
(
L_START_LOC
,
mulmod
(
lagrange_numerator
,
t2
,
p
))
mstore
(
PLOOKUP_DELTA_LOC
,
mulmod
(
mload
(
PLOOKUP_DELTA_NUMERATOR_LOC
),
t3
,
p
))
mstore
(
L_END_LOC
,
mulmod
(
lagrange_numerator
,
t4
,
p
))
}
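Review bot: the batch inversion does not handle a zero accumulator. If the product written to 0x60 (`accumulator * l_end_denominator`) is zero, the modexp precompile returns 0^(p-2) = 0, the `staticcall` still succeeds, and every derived value (`ZERO_POLY_INVERSE_LOC`, `L_START_LOC`, `L_END_LOC`, `PLOOKUP_DELTA_LOC`, `PUBLIC_INPUT_DELTA_LOC`) silently becomes 0 instead of the verifier reverting. For a keccak-derived ζ this is negligible in practice, but an `iszero` check on the modexp output with a revert would make the failure explicit and costs almost nothing. On the comments: the block header says the `l_end_denominator` term uses `\omega^5` "to cut out 5 roots of unity", while the plookup section above says `k = num roots cut out of Z_H = 4` and the vanishing denominator here multiplies exactly four `(zeta + work_root)` factors; please reconcile the two (e.g. state that `ω^5 ζ - 1` selects L_{n-5}, the last row before the four cut rows, if that is the intent).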
/**
* UltraPlonk Widget Ordering:
*
* 1. Permutation widget
* 2. Plookup widget
* 3. Arithmetic widget
* 4. Fixed base widget (?)
* 5. GenPermSort widget
* 6. Elliptic widget
* 7. Auxiliary widget
*/
/**
* COMPUTE PERMUTATION WIDGET EVALUATION
*/
{
let
alpha
:=
mload
(
C_ALPHA_LOC
)
let
beta
:=
mload
(
C_BETA_LOC
)
let
gamma
:=
mload
(
C_GAMMA_LOC
)
/**
* t1 = (W1 + gamma + beta * ID1) * (W2 + gamma + beta * ID2)
* t2 = (W3 + gamma + beta * ID3) * (W4 + gamma + beta * ID4)
* result = alpha_base * z_eval * t1 * t2
* t1 = (W1 + gamma + beta * sigma_1_eval) * (W2 + gamma + beta * sigma_2_eval)
* t2 = (W2 + gamma + beta * sigma_3_eval) * (W3 + gamma + beta * sigma_4_eval)
* result -= (alpha_base * z_omega_eval * t1 * t2)
*/
let
t1
:=
mulmod
(
add
(
add
(
mload
(
W1_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
ID1_EVAL_LOC
),
p
)),
add
(
add
(
mload
(
W2_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
ID2_EVAL_LOC
),
p
)),
p
)
let
t2
:=
mulmod
(
add
(
add
(
mload
(
W3_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
ID3_EVAL_LOC
),
p
)),
add
(
add
(
mload
(
W4_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
ID4_EVAL_LOC
),
p
)),
p
)
let
result
:=
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mulmod
(
mload
(
Z_EVAL_LOC
),
mulmod
(
t1
,
t2
,
p
),
p
),
p
)
t1
:=
mulmod
(
add
(
add
(
mload
(
W1_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
SIGMA1_EVAL_LOC
),
p
)),
add
(
add
(
mload
(
W2_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
SIGMA2_EVAL_LOC
),
p
)),
p
)
t2
:=
mulmod
(
add
(
add
(
mload
(
W3_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
SIGMA3_EVAL_LOC
),
p
)),
add
(
add
(
mload
(
W4_EVAL_LOC
),
gamma
),
mulmod
(
beta
,
mload
(
SIGMA4_EVAL_LOC
),
p
)),
p
)
result
:=
addmod
(
result
,
sub
(
p
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mulmod
(
mload
(
Z_OMEGA_EVAL_LOC
),
mulmod
(
t1
,
t2
,
p
),
p
),
p
)),
p
)
/**
* alpha_base *= alpha
* result += alpha_base . (L_{n-k}(ʓ) . (z(ʓ.ω) - ∆_{PI}))
* alpha_base *= alpha
* result += alpha_base . (L_1(ʓ)(Z(ʓ) - 1))
* alpha_Base *= alpha
*/
mstore
(
C_ALPHA_BASE_LOC
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mload
(
C_ALPHA_LOC
),
p
))
result
:=
addmod
(
result
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mulmod
(
mload
(
L_END_LOC
),
addmod
(
mload
(
Z_OMEGA_EVAL_LOC
),
sub
(
p
,
mload
(
PUBLIC_INPUT_DELTA_LOC
)),
p
),
p
),
p
),
p
)
mstore
(
C_ALPHA_BASE_LOC
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mload
(
C_ALPHA_LOC
),
p
))
mstore
(
PERMUTATION_IDENTITY
,
addmod
(
result
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mulmod
(
mload
(
L_START_LOC
),
addmod
(
mload
(
Z_EVAL_LOC
),
sub
(
p
,
1
),
p
),
p
),
p
),
p
)
)
mstore
(
C_ALPHA_BASE_LOC
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mload
(
C_ALPHA_LOC
),
p
))
}
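Review bot: the comment for the second `t2` in the permutation widget reads `t2 = (W2 + gamma + beta * sigma_3_eval) * (W3 + gamma + beta * sigma_4_eval)`, but the code multiplies `W3_EVAL_LOC` with `SIGMA3_EVAL_LOC` and `W4_EVAL_LOC` with `SIGMA4_EVAL_LOC`, which is the correct pairing; fix the comment to `(W3 + ...) * (W4 + ...)` so it does not suggest a wire mismatch. Minor: `alpha_Base *= alpha` in the trailing comment should be `alpha_base`.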
/**
* COMPUTE PLOOKUP WIDGET EVALUATION
*/
{
/**
* Goal: f = (w1(z) + q2.w1(zω)) + η(w2(z) + qm.w2(zω)) + η²(w3(z) + qc.w_3(zω)) + q3(z).η³
* f = η.q3(z)
* f += (w3(z) + qc.w_3(zω))
* f *= η
* f += (w2(z) + qm.w2(zω))
* f *= η
* f += (w1(z) + q2.w1(zω))
*/
let
f
:=
mulmod
(
mload
(
C_ETA_LOC
),
mload
(
Q3_EVAL_LOC
),
p
)
f
:=
addmod
(
f
,
addmod
(
mload
(
W3_EVAL_LOC
),
mulmod
(
mload
(
QC_EVAL_LOC
),
mload
(
W3_OMEGA_EVAL_LOC
),
p
),
p
),
p
)
f
:=
mulmod
(
f
,
mload
(
C_ETA_LOC
),
p
)
f
:=
addmod
(
f
,
addmod
(
mload
(
W2_EVAL_LOC
),
mulmod
(
mload
(
QM_EVAL_LOC
),
mload
(
W2_OMEGA_EVAL_LOC
),
p
),
p
),
p
)
f
:=
mulmod
(
f
,
mload
(
C_ETA_LOC
),
p
)
f
:=
addmod
(
f
,
addmod
(
mload
(
W1_EVAL_LOC
),
mulmod
(
mload
(
Q2_EVAL_LOC
),
mload
(
W1_OMEGA_EVAL_LOC
),
p
),
p
),
p
)
// t(z) = table4(z).η³ + table3(z).η² + table2(z).η + table1(z)
let
t
:=
addmod
(
addmod
(
addmod
(
mulmod
(
mload
(
TABLE4_EVAL_LOC
),
mload
(
C_ETA_CUBE_LOC
),
p
),
mulmod
(
mload
(
TABLE3_EVAL_LOC
),
mload
(
C_ETA_SQR_LOC
),
p
),
p
),
mulmod
(
mload
(
TABLE2_EVAL_LOC
),
mload
(
C_ETA_LOC
),
p
),
p
),
mload
(
TABLE1_EVAL_LOC
),
p
)
// t(zw) = table4(zw).η³ + table3(zw).η² + table2(zw).η + table1(zw)
let
t_omega
:=
addmod
(
addmod
(
addmod
(
mulmod
(
mload
(
TABLE4_OMEGA_EVAL_LOC
),
mload
(
C_ETA_CUBE_LOC
),
p
),
mulmod
(
mload
(
TABLE3_OMEGA_EVAL_LOC
),
mload
(
C_ETA_SQR_LOC
),
p
),
p
),
mulmod
(
mload
(
TABLE2_OMEGA_EVAL_LOC
),
mload
(
C_ETA_LOC
),
p
),
p
),
mload
(
TABLE1_OMEGA_EVAL_LOC
),
p
)
/**
* Goal: numerator = (TABLE_TYPE_EVAL * f(z) + γ) * (t(z) + βt(zω) + γ(β + 1)) * (β + 1)
* gamma_beta_constant = γ(β + 1)
* numerator = f * TABLE_TYPE_EVAL + gamma
* temp0 = t(z) + t(zω) * β + gamma_beta_constant
* numerator *= temp0
* numerator *= (β + 1)
* temp0 = alpha * l_1
* numerator += temp0
* numerator *= z_lookup(z)
* numerator -= temp0
*/
let
gamma_beta_constant
:=
mulmod
(
mload
(
C_GAMMA_LOC
),
addmod
(
mload
(
C_BETA_LOC
),
1
,
p
),
p
)
let
numerator
:=
addmod
(
mulmod
(
f
,
mload
(
TABLE_TYPE_EVAL_LOC
),
p
),
mload
(
C_GAMMA_LOC
),
p
)
let
temp0
:=
addmod
(
addmod
(
t
,
mulmod
(
t_omega
,
mload
(
C_BETA_LOC
),
p
),
p
),
gamma_beta_constant
,
p
)
numerator
:=
mulmod
(
numerator
,
temp0
,
p
)
numerator
:=
mulmod
(
numerator
,
addmod
(
mload
(
C_BETA_LOC
),
1
,
p
),
p
)
temp0
:=
mulmod
(
mload
(
C_ALPHA_LOC
),
mload
(
L_START_LOC
),
p
)
numerator
:=
addmod
(
numerator
,
temp0
,
p
)
numerator
:=
mulmod
(
numerator
,
mload
(
Z_LOOKUP_EVAL_LOC
),
p
)
numerator
:=
addmod
(
numerator
,
sub
(
p
,
temp0
),
p
)
/**
* Goal: denominator = z_lookup(zω)*[s(z) + βs(zω) + γ(1 + β)] - [z_lookup(zω) - [γ(1 + β)]^{n-k}]*α²L_end(z)
* note: delta_factor = [γ(1 + β)]^{n-k}
* denominator = s(z) + βs(zω) + γ(β + 1)
* temp1 = α²L_end(z)
* denominator -= temp1
* denominator *= z_lookup(zω)
* denominator += temp1 * delta_factor
* PLOOKUP_IDENTITY = (numerator - denominator).alpha_base
* alpha_base *= alpha^3
*/
let
denominator
:=
addmod
(
addmod
(
mload
(
S_EVAL_LOC
),
mulmod
(
mload
(
S_OMEGA_EVAL_LOC
),
mload
(
C_BETA_LOC
),
p
),
p
),
gamma_beta_constant
,
p
)
let
temp1
:=
mulmod
(
mload
(
C_ALPHA_SQR_LOC
),
mload
(
L_END_LOC
),
p
)
denominator
:=
addmod
(
denominator
,
sub
(
p
,
temp1
),
p
)
denominator
:=
mulmod
(
denominator
,
mload
(
Z_LOOKUP_OMEGA_EVAL_LOC
),
p
)
denominator
:=
addmod
(
denominator
,
mulmod
(
temp1
,
mload
(
PLOOKUP_DELTA_LOC
),
p
),
p
)
mstore
(
PLOOKUP_IDENTITY
,
mulmod
(
addmod
(
numerator
,
sub
(
p
,
denominator
),
p
),
mload
(
C_ALPHA_BASE_LOC
),
p
))
// update alpha
mstore
(
C_ALPHA_BASE_LOC
,
mulmod
(
mload
(
C_ALPHA_BASE_LOC
),
mload
(
C_ALPHA_CUBE_LOC
),
p
))
}
/**
* COMPUTE ARITHMETIC WIDGET EVALUATION
*/
{
/**
* The basic arithmetic gate identity in standard plonk is as follows.
* (w_1 . w_2 . q_m) + (w_1 . q_1) + (w_2 . q_2) + (w_3 . q_3) + (w_4 . q_4) + q_c = 0
* However, for Ultraplonk, we extend this to support "passing" wires between rows (shown without alpha scaling below):
* q_arith * ( ( (-1/2) * (q_arith - 3) * q_m * w_1 * w_2 + q_1 * w_1 + q_2 * w_2 + q_3 * w_3 + q_4 * w_4 + q_c ) +
* (q_arith - 1)*( α * (q_arith - 2) * (w_1 + w_4 - w_1_omega + q_m) + w_4_omega) ) = 0
*
* This formula results in several cases depending on q_arith:
* 1. q_arith == 0: Arithmetic gate is completely disabled
*
* 2. q_arith == 1: Everything in the minigate on the right is disabled. The equation is just a standard plonk equation
* with extra wires: q_m * w_1 * w_2 + q_1 * w_1 + q_2 * w_2 + q_3 * w_3 + q_4 * w_4 + q_c = 0
*
* 3. q_arith == 2: The (w_1 + w_4 - ...) term is disabled. THe equation is:
* (1/2) * q_m * w_1 * w_2 + q_1 * w_1 + q_2 * w_2 + q_3 * w_3 + q_4 * w_4 + q_c + w_4_omega = 0
* It allows defining w_4 at next index (w_4_omega) in terms of current wire values
*
* 4. q_arith == 3: The product of w_1 and w_2 is disabled, but a mini addition gate is enabled. α allows us to split
* the equation into two:
*
* q_1 * w_1 + q_2 * w_2 + q_3 * w_3 + q_4 * w_4 + q_c + 2 * w_4_omega = 0
* and
* w_1 + w_4 - w_1_omega + q_m = 0 (we are reusing q_m here)
*
* 5. q_arith > 3: The product of w_1 and w_2 is scaled by (q_arith - 3), while the w_4_omega term is scaled by (q_arith - 1).
* The equation can be split into two:
*
* (q_arith - 3)* q_m * w_1 * w_ 2 + q_1 * w_1 + q_2 * w_2 + q_3 * w_3 + q_4 * w_4 + q_c + (q_arith - 1) * w_4_omega = 0
* and
* w_1 + w_4 - w_1_omega + q_m = 0
*
* The problem that q_m is used both in both equations can be dealt with by appropriately changing selector values at
* the next gate. Then we can treat (q_arith - 1) as a simulated q_6 selector and scale q_m to handle (q_arith - 3) at
* product.
*/
            let w1q1 := mulmod(mload(W1_EVAL_LOC), mload(Q1_EVAL_LOC), p)
            let w2q2 := mulmod(mload(W2_EVAL_LOC), mload(Q2_EVAL_LOC), p)
            let w3q3 := mulmod(mload(W3_EVAL_LOC), mload(Q3_EVAL_LOC), p)
            let w4q3 := mulmod(mload(W4_EVAL_LOC), mload(Q4_EVAL_LOC), p)

            // @todo - Add a explicit test that hits QARITH == 3
            // w1w2qm := (w_1 . w_2 . q_m . (QARITH_EVAL_LOC - 3)) / -2   (NEGATIVE_INVERSE_OF_2_MODULO_P is -1/2 mod p)
            let w1w2qm := mulmod(
                mulmod(
                    mulmod(mulmod(mload(W1_EVAL_LOC), mload(W2_EVAL_LOC), p), mload(QM_EVAL_LOC), p),
                    addmod(mload(QARITH_EVAL_LOC), sub(p, 3), p),
                    p
                ),
                NEGATIVE_INVERSE_OF_2_MODULO_P,
                p
            )

            // (w_1 . w_2 . q_m . (q_arith - 3)) / -2) + (w_1 . q_1) + (w_2 . q_2) + (w_3 . q_3) + (w_4 . q_4) + q_c
            let identity := addmod(
                mload(QC_EVAL_LOC),
                addmod(w4q3, addmod(w3q3, addmod(w2q2, addmod(w1q1, w1w2qm, p), p), p), p),
                p
            )

            // if q_arith == 3 we evaluate an additional mini addition gate (on top of the regular one), where:
            // w_1 + w_4 - w_1_omega + q_m = 0
            // we use this gate to save an addition gate when adding or subtracting non-native field elements
            // α * (q_arith - 2) * (w_1 + w_4 - w_1_omega + q_m)
            let extra_small_addition_gate_identity := mulmod(
                mload(C_ALPHA_LOC),
                mulmod(
                    addmod(mload(QARITH_EVAL_LOC), sub(p, 2), p),
                    addmod(
                        mload(QM_EVAL_LOC),
                        addmod(sub(p, mload(W1_OMEGA_EVAL_LOC)), addmod(mload(W1_EVAL_LOC), mload(W4_EVAL_LOC), p), p),
                        p
                    ),
                    p
                ),
                p
            )

            // if q_arith == 2 OR q_arith == 3 we add the 4th wire of the NEXT gate into the arithmetic identity
            // N.B. if q_arith > 2, this wire value will be scaled by (q_arith - 1) relative to the other gate wires!
            // alpha_base * q_arith * (identity + (q_arith - 1) * (w_4_omega + extra_small_addition_gate_identity))
            mstore(
                ARITHMETIC_IDENTITY,
                mulmod(
                    mload(C_ALPHA_BASE_LOC),
                    mulmod(
                        mload(QARITH_EVAL_LOC),
                        addmod(
                            identity,
                            mulmod(
                                addmod(mload(QARITH_EVAL_LOC), sub(p, 1), p),
                                addmod(mload(W4_OMEGA_EVAL_LOC), extra_small_addition_gate_identity, p),
                                p
                            ),
                            p
                        ),
                        p
                    ),
                    p
                )
            )

            // update alpha
            mstore(C_ALPHA_BASE_LOC, mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_SQR_LOC), p))
}
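The case analysis in the comment above (q_arith selecting a plain gate, a "define w4 of the next gate" gate, or the mini addition gate) can be checked by evaluating the gate polynomial directly. The Python below is an added example, not code from plonk_vk.sol or barretenberg: it mirrors the Yul above over the BN254 scalar field and shows, with constructed wire values and selectors, which witness each value of q_arith accepts. The alpha and alpha_base values are stand-ins chosen for the example; in the verifier they are Fiat-Shamir challenges.

```python
# Added example (not part of plonk_vk.sol): the Ultra arithmetic gate identity, evaluated as the widget does.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # BN254 scalar field
NEG_INV_2 = (-pow(2, -1, P)) % P  # NEGATIVE_INVERSE_OF_2_MODULO_P


def arithmetic_identity(w, w_omega, q, q_arith, alpha, alpha_base):
    """alpha_base * q_arith * (identity + (q_arith - 1) * (w4_omega + mini_gate)), reduced mod p.

    w       = (w1, w2, w3, w4) wire evaluations at the current gate
    w_omega = (w1_omega, w4_omega) wire evaluations at the next gate
    q       = selectors qm, q1, q2, q3, q4, qc (already reduced mod p)
    """
    w1, w2, w3, w4 = w
    w1_omega, w4_omega = w_omega
    # (w1 . w2 . qm . (q_arith - 3)) / -2  : full product at q_arith == 1, half at 2, gone at 3
    w1w2qm = w1 * w2 * q["qm"] * (q_arith - 3) * NEG_INV_2
    identity = (w1w2qm + q["q1"] * w1 + q["q2"] * w2 + q["q3"] * w3 + q["q4"] * w4 + q["qc"]) % P
    # alpha * (q_arith - 2) * (w1 + w4 - w1_omega + qm) : the mini addition gate, live only at q_arith == 3
    mini_gate = alpha * (q_arith - 2) * (w1 + w4 - w1_omega + q["qm"])
    return (alpha_base * q_arith * (identity + (q_arith - 1) * (w4_omega + mini_gate))) % P


def gate_examples():
    """Constructed witnesses for each q_arith mode; a zero result means the gate is satisfied."""
    alpha, alpha_base = 7, 11  # constructed stand-ins for the challenges
    neg = lambda k: (-k) % P
    cases = {}
    # q_arith == 1: plain Plonk gate "w3 = w1 * w2" (qm = 1, q3 = -1)
    q = dict(qm=1, q1=0, q2=0, q3=neg(1), q4=0, qc=0)
    cases["mul_ok"] = arithmetic_identity((3, 5, 15, 0), (0, 0), q, 1, alpha, alpha_base)
    cases["mul_bad"] = arithmetic_identity((3, 5, 16, 0), (0, 0), q, 1, alpha, alpha_base)
    # q_arith == 2: product halved and w4 of the NEXT gate added; with qm = 2, q3 = -1 it enforces
    # w4_omega = w3 - w1 * w2
    q = dict(qm=2, q1=0, q2=0, q3=neg(1), q4=0, qc=0)
    cases["next_w4_ok"] = arithmetic_identity((3, 5, 20, 0), (0, 5), q, 2, alpha, alpha_base)
    cases["next_w4_bad"] = arithmetic_identity((3, 5, 20, 0), (0, 6), q, 2, alpha, alpha_base)
    # q_arith == 3: product disabled, w4_omega counted twice (2 * w4_omega = 2 * w1 + 2 * w2 here)
    # plus the mini gate w1_omega = w1 + w4 + qm
    q = dict(qm=0, q1=neg(2), q2=neg(2), q3=0, q4=0, qc=0)
    cases["mini_ok"] = arithmetic_identity((3, 5, 0, 4), (7, 8), q, 3, alpha, alpha_base)
    cases["mini_bad"] = arithmetic_identity((3, 5, 0, 4), (6, 8), q, 3, alpha, alpha_base)
    # q_arith == 0: gate disabled, any wires pass
    cases["disabled"] = arithmetic_identity((1, 2, 3, 4), (5, 6), q, 0, alpha, alpha_base)
    return cases


if __name__ == "__main__":
    for name, value in gate_examples().items():
        print(f"{name:12s} {'satisfied' if value == 0 else 'violated'} ({value})")
```

The non-zero values returned for the violated cases are exactly the residuals the quotient check would have to absorb, which is why a prover cannot satisfy one mode's constraint with another mode's witness.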
        /**
         * COMPUTE GENPERMSORT WIDGET EVALUATION
         */
        {
            /**
             * D1 = (w2 - w1)
             * D2 = (w3 - w2)
             * D3 = (w4 - w3)
             * D4 = (w1_omega - w4)
             *
             * α_a = alpha_base
             * α_b = alpha_base * α
             * α_c = alpha_base * α^2
             * α_d = alpha_base * α^3
             *
             * range_accumulator = (
             *   D1(D1 - 1)(D1 - 2)(D1 - 3).α_a +
             *   D2(D2 - 1)(D2 - 2)(D2 - 3).α_b +
             *   D3(D3 - 1)(D3 - 2)(D3 - 3).α_c +
             *   D4(D4 - 1)(D4 - 2)(D4 - 3).α_d
             * ) . q_sort
             */
            let minus_two := sub(p, 2)
            let minus_three := sub(p, 3)
            let d1 := addmod(mload(W2_EVAL_LOC), sub(p, mload(W1_EVAL_LOC)), p)
            let d2 := addmod(mload(W3_EVAL_LOC), sub(p, mload(W2_EVAL_LOC)), p)
            let d3 := addmod(mload(W4_EVAL_LOC), sub(p, mload(W3_EVAL_LOC)), p)
            let d4 := addmod(mload(W1_OMEGA_EVAL_LOC), sub(p, mload(W4_EVAL_LOC)), p)

            // D1(D1 - 1)(D1 - 2)(D1 - 3) . alpha_base
            let range_accumulator := mulmod(
                mulmod(
                    mulmod(addmod(mulmod(d1, d1, p), sub(p, d1), p), addmod(d1, minus_two, p), p),
                    addmod(d1, minus_three, p),
                    p
                ),
                mload(C_ALPHA_BASE_LOC),
                p
            )
            // + D2(D2 - 1)(D2 - 2)(D2 - 3) . alpha_base . alpha
            range_accumulator := addmod(
                range_accumulator,
                mulmod(
                    mulmod(
                        mulmod(addmod(mulmod(d2, d2, p), sub(p, d2), p), addmod(d2, minus_two, p), p),
                        addmod(d2, minus_three, p),
                        p
                    ),
                    mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_LOC), p),
                    p
                ),
                p
            )
            // + D3(D3 - 1)(D3 - 2)(D3 - 3) . alpha_base . alpha^2
            range_accumulator := addmod(
                range_accumulator,
                mulmod(
                    mulmod(
                        mulmod(addmod(mulmod(d3, d3, p), sub(p, d3), p), addmod(d3, minus_two, p), p),
                        addmod(d3, minus_three, p),
                        p
                    ),
                    mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_SQR_LOC), p),
                    p
                ),
                p
            )
            // + D4(D4 - 1)(D4 - 2)(D4 - 3) . alpha_base . alpha^3
            range_accumulator := addmod(
                range_accumulator,
                mulmod(
                    mulmod(
                        mulmod(addmod(mulmod(d4, d4, p), sub(p, d4), p), addmod(d4, minus_two, p), p),
                        addmod(d4, minus_three, p),
                        p
                    ),
                    mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_CUBE_LOC), p),
                    p
                ),
                p
            )
            range_accumulator := mulmod(range_accumulator, mload(QSORT_EVAL_LOC), p)
            mstore(SORT_IDENTITY, range_accumulator)

            // update alpha
            mstore(C_ALPHA_BASE_LOC, mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_QUAD_LOC), p))
        }
        /**
         * COMPUTE ELLIPTIC WIDGET EVALUATION
         */
        {
            /**
             * endo_term = (-x_2) * x_1 * (x_3 * 2 + x_1) * q_beta
             * endo_sqr_term = x_2^2
             * endo_sqr_term *= (x_3 - x_1)
             * endo_sqr_term *= q_beta^2
             * leftovers = x_2^2
             * leftovers *= x_2
             * leftovers += x_1^2 * (x_3 + x_1) @follow-up Invalid comment in BB widget
             * leftovers -= (y_2^2 + y_1^2)
             * sign_term = y_2 * y_1
             * sign_term += sign_term
             * sign_term *= q_sign
             */
            // q_elliptic * ((x3 + x2 + x1)(x2 - x1)^2 - y2^2 - y1^2 + 2 * q_sign * y1 * y2) = 0
            let x_diff := addmod(mload(X2_EVAL_LOC), sub(p, mload(X1_EVAL_LOC)), p)
            let y2_sqr := mulmod(mload(Y2_EVAL_LOC), mload(Y2_EVAL_LOC), p)
            let y1_sqr := mulmod(mload(Y1_EVAL_LOC), mload(Y1_EVAL_LOC), p)
            let y1y2 := mulmod(mulmod(mload(Y1_EVAL_LOC), mload(Y2_EVAL_LOC), p), mload(QSIGN_LOC), p)

            let x_add_identity := addmod(
                mulmod(
                    addmod(mload(X3_EVAL_LOC), addmod(mload(X2_EVAL_LOC), mload(X1_EVAL_LOC), p), p),
                    mulmod(x_diff, x_diff, p),
                    p
                ),
                addmod(sub(p, addmod(y2_sqr, y1_sqr, p)), addmod(y1y2, y1y2, p), p),
                p
            )
            // scaled by (1 - q_m): the doubling identities below are scaled by q_m instead, so q_m selects add vs double
            x_add_identity := mulmod(
                mulmod(x_add_identity, addmod(1, sub(p, mload(QM_EVAL_LOC)), p), p),
                mload(C_ALPHA_BASE_LOC),
                p
            )

            // q_elliptic * ((y1 + y3)(x2 - x1) + (x3 - x1)(q_sign * y2 - y1)) = 0
            let y1_plus_y3 := addmod(mload(Y1_EVAL_LOC), mload(Y3_EVAL_LOC), p)
            let y_diff := addmod(mulmod(mload(Y2_EVAL_LOC), mload(QSIGN_LOC), p), sub(p, mload(Y1_EVAL_LOC)), p)
            let y_add_identity := addmod(
                mulmod(y1_plus_y3, x_diff, p),
                mulmod(addmod(mload(X3_EVAL_LOC), sub(p, mload(X1_EVAL_LOC)), p), y_diff, p),
                p
            )
            y_add_identity := mulmod(
                mulmod(y_add_identity, addmod(1, sub(p, mload(QM_EVAL_LOC)), p), p),
                mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_LOC), p),
                p
            )

            // ELLIPTIC_IDENTITY = (x_identity + y_identity) * Q_ELLIPTIC_EVAL
            mstore(
                ELLIPTIC_IDENTITY,
                mulmod(addmod(x_add_identity, y_add_identity, p), mload(QELLIPTIC_EVAL_LOC), p)
            )
        }
        {
            /**
             * x_pow_4 = (y_1_sqr - curve_b) * x_1;
             * y_1_sqr_mul_4 = y_1_sqr + y_1_sqr;
             * y_1_sqr_mul_4 += y_1_sqr_mul_4;
             * x_1_pow_4_mul_9 = x_pow_4;
             * x_1_pow_4_mul_9 += x_1_pow_4_mul_9;
             * x_1_pow_4_mul_9 += x_1_pow_4_mul_9;
             * x_1_pow_4_mul_9 += x_1_pow_4_mul_9;
             * x_1_pow_4_mul_9 += x_pow_4;
             * x_1_sqr_mul_3 = x_1_sqr + x_1_sqr + x_1_sqr;
             * x_double_identity = (x_3 + x_1 + x_1) * y_1_sqr_mul_4 - x_1_pow_4_mul_9;
             * y_double_identity = x_1_sqr_mul_3 * (x_1 - x_3) - (y_1 + y_1) * (y_1 + y_3);
             */
            // (x3 + x1 + x1) (4y1*y1) - 9 * x1 * x1 * x1 * x1 = 0
            let x1_sqr := mulmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p)
            let y1_sqr := mulmod(mload(Y1_EVAL_LOC), mload(Y1_EVAL_LOC), p)
            // on the curve y^2 = x^3 + b we have (y1^2 - b) * x1 = x1^4, which is what x_pow_4 holds
            let x_pow_4 := mulmod(addmod(y1_sqr, GRUMPKIN_CURVE_B_PARAMETER_NEGATED, p), mload(X1_EVAL_LOC), p)
            let y1_sqr_mul_4 := mulmod(y1_sqr, 4, p)
            let x1_pow_4_mul_9 := mulmod(x_pow_4, 9, p)
            let x1_sqr_mul_3 := mulmod(x1_sqr, 3, p)
            let x_double_identity := addmod(
                mulmod(
                    addmod(mload(X3_EVAL_LOC), addmod(mload(X1_EVAL_LOC), mload(X1_EVAL_LOC), p), p),
                    y1_sqr_mul_4,
                    p
                ),
                sub(p, x1_pow_4_mul_9),
                p
            )
            // (3 * x1 * x1)(x1 - x3) - (2y1)(y1 + y3) = 0
            let y_double_identity := addmod(
                mulmod(x1_sqr_mul_3, addmod(mload(X1_EVAL_LOC), sub(p, mload(X3_EVAL_LOC)), p), p),
                sub(
                    p,
                    mulmod(
                        addmod(mload(Y1_EVAL_LOC), mload(Y1_EVAL_LOC), p),
                        addmod(mload(Y1_EVAL_LOC), mload(Y3_EVAL_LOC), p),
                        p
                    )
                ),
                p
            )
            x_double_identity := mulmod(x_double_identity, mload(C_ALPHA_BASE_LOC), p)
            y_double_identity := mulmod(y_double_identity, mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_LOC), p), p)
            // the doubling identities are only active when q_m == 1
            x_double_identity := mulmod(x_double_identity, mload(QM_EVAL_LOC), p)
            y_double_identity := mulmod(y_double_identity, mload(QM_EVAL_LOC), p)

            // ELLIPTIC_IDENTITY += (x_double_identity + y_double_identity) * Q_ELLIPTIC_EVAL
            mstore(
                ELLIPTIC_IDENTITY,
                addmod(
                    mload(ELLIPTIC_IDENTITY),
                    mulmod(addmod(x_double_identity, y_double_identity, p), mload(QELLIPTIC_EVAL_LOC), p),
                    p
                )
            )

            // update alpha
            mstore(C_ALPHA_BASE_LOC, mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_QUAD_LOC), p))
        }
        /**
         * COMPUTE AUXILIARY WIDGET EVALUATION
         */
        {
            {
                /**
                 * Non native field arithmetic gate 2
                 *
                 * q_2 . q_4 . ( (w_1 . w_2_omega) + (w_1_omega . w_2) + (w_1 . w_4 + w_2 . w_3 - w_3_omega) . limb_size - w_4_omega )
                 *
                 * limb_subproduct = w_1 . w_2_omega + w_1_omega . w_2
                 * non_native_field_gate_2 = w_1 * w_4 + w_2 * w_3 - w_3_omega
                 * non_native_field_gate_2 = non_native_field_gate_2 * limb_size
                 * non_native_field_gate_2 -= w_4_omega
                 * non_native_field_gate_2 += limb_subproduct
                 * non_native_field_gate_2 *= q_4
                 * limb_subproduct *= limb_size
                 * limb_subproduct += w_1_omega * w_2_omega
                 * non_native_field_gate_1 = (limb_subproduct - (w_3 + w_4)) * q_3
                 * non_native_field_gate_3 = (limb_subproduct + w_4 - (w_3_omega + w_4_omega)) * q_m
                 * non_native_field_identity = (non_native_field_gate_1 + non_native_field_gate_2 + non_native_field_gate_3) * q_2
                 */
                let limb_subproduct := addmod(
                    mulmod(mload(W1_EVAL_LOC), mload(W2_OMEGA_EVAL_LOC), p),
                    mulmod(mload(W1_OMEGA_EVAL_LOC), mload(W2_EVAL_LOC), p),
                    p
                )

                let non_native_field_gate_2 := addmod(
                    addmod(
                        mulmod(mload(W1_EVAL_LOC), mload(W4_EVAL_LOC), p),
                        mulmod(mload(W2_EVAL_LOC), mload(W3_EVAL_LOC), p),
                        p
                    ),
                    sub(p, mload(W3_OMEGA_EVAL_LOC)),
                    p
                )
                non_native_field_gate_2 := mulmod(non_native_field_gate_2, LIMB_SIZE, p)
                non_native_field_gate_2 := addmod(non_native_field_gate_2, sub(p, mload(W4_OMEGA_EVAL_LOC)), p)
                non_native_field_gate_2 := addmod(non_native_field_gate_2, limb_subproduct, p)
                non_native_field_gate_2 := mulmod(non_native_field_gate_2, mload(Q4_EVAL_LOC), p)

                limb_subproduct := mulmod(limb_subproduct, LIMB_SIZE, p)
                limb_subproduct := addmod(
                    limb_subproduct,
                    mulmod(mload(W1_OMEGA_EVAL_LOC), mload(W2_OMEGA_EVAL_LOC), p),
                    p
                )
                let non_native_field_gate_1 := mulmod(
                    addmod(limb_subproduct, sub(p, addmod(mload(W3_EVAL_LOC), mload(W4_EVAL_LOC), p)), p),
                    mload(Q3_EVAL_LOC),
                    p
                )
                let non_native_field_gate_3 := mulmod(
                    addmod(
                        addmod(limb_subproduct, mload(W4_EVAL_LOC), p),
                        sub(p, addmod(mload(W3_OMEGA_EVAL_LOC), mload(W4_OMEGA_EVAL_LOC), p)),
                        p
                    ),
                    mload(QM_EVAL_LOC),
                    p
                )
                let non_native_field_identity := mulmod(
                    addmod(addmod(non_native_field_gate_1, non_native_field_gate_2, p), non_native_field_gate_3, p),
                    mload(Q2_EVAL_LOC),
                    p
                )
                mstore(AUX_NON_NATIVE_FIELD_EVALUATION, non_native_field_identity)
            }
            {
                /**
                 * limb_accumulator_1 = w_2_omega;
                 * limb_accumulator_1 *= SUBLIMB_SHIFT;
                 * limb_accumulator_1 += w_1_omega;
                 * limb_accumulator_1 *= SUBLIMB_SHIFT;
                 * limb_accumulator_1 += w_3;
                 * limb_accumulator_1 *= SUBLIMB_SHIFT;
                 * limb_accumulator_1 += w_2;
                 * limb_accumulator_1 *= SUBLIMB_SHIFT;
                 * limb_accumulator_1 += w_1;
                 * limb_accumulator_1 -= w_4;
                 * limb_accumulator_1 *= q_4;
                 */
                let limb_accumulator_1 := mulmod(mload(W2_OMEGA_EVAL_LOC), SUBLIMB_SHIFT, p)
                limb_accumulator_1 := addmod(limb_accumulator_1, mload(W1_OMEGA_EVAL_LOC), p)
                limb_accumulator_1 := mulmod(limb_accumulator_1, SUBLIMB_SHIFT, p)
                limb_accumulator_1 := addmod(limb_accumulator_1, mload(W3_EVAL_LOC), p)
                limb_accumulator_1 := mulmod(limb_accumulator_1, SUBLIMB_SHIFT, p)
                limb_accumulator_1 := addmod(limb_accumulator_1, mload(W2_EVAL_LOC), p)
                limb_accumulator_1 := mulmod(limb_accumulator_1, SUBLIMB_SHIFT, p)
                limb_accumulator_1 := addmod(limb_accumulator_1, mload(W1_EVAL_LOC), p)
                limb_accumulator_1 := addmod(limb_accumulator_1, sub(p, mload(W4_EVAL_LOC)), p)
                limb_accumulator_1 := mulmod(limb_accumulator_1, mload(Q4_EVAL_LOC), p)

                /**
                 * limb_accumulator_2 = w_3_omega;
                 * limb_accumulator_2 *= SUBLIMB_SHIFT;
                 * limb_accumulator_2 += w_2_omega;
                 * limb_accumulator_2 *= SUBLIMB_SHIFT;
                 * limb_accumulator_2 += w_1_omega;
                 * limb_accumulator_2 *= SUBLIMB_SHIFT;
                 * limb_accumulator_2 += w_4;
                 * limb_accumulator_2 *= SUBLIMB_SHIFT;
                 * limb_accumulator_2 += w_3;
                 * limb_accumulator_2 -= w_4_omega;
                 * limb_accumulator_2 *= q_m;
                 */
                let limb_accumulator_2 := mulmod(mload(W3_OMEGA_EVAL_LOC), SUBLIMB_SHIFT, p)
                limb_accumulator_2 := addmod(limb_accumulator_2, mload(W2_OMEGA_EVAL_LOC), p)
                limb_accumulator_2 := mulmod(limb_accumulator_2, SUBLIMB_SHIFT, p)
                limb_accumulator_2 := addmod(limb_accumulator_2, mload(W1_OMEGA_EVAL_LOC), p)
                limb_accumulator_2 := mulmod(limb_accumulator_2, SUBLIMB_SHIFT, p)
                limb_accumulator_2 := addmod(limb_accumulator_2, mload(W4_EVAL_LOC), p)
                limb_accumulator_2 := mulmod(limb_accumulator_2, SUBLIMB_SHIFT, p)
                limb_accumulator_2 := addmod(limb_accumulator_2, mload(W3_EVAL_LOC), p)
                limb_accumulator_2 := addmod(limb_accumulator_2, sub(p, mload(W4_OMEGA_EVAL_LOC)), p)
                limb_accumulator_2 := mulmod(limb_accumulator_2, mload(QM_EVAL_LOC), p)

                mstore(
                    AUX_LIMB_ACCUMULATOR_EVALUATION,
                    mulmod(addmod(limb_accumulator_1, limb_accumulator_2, p), mload(Q3_EVAL_LOC), p)
                )
            }
            {
                /**
                 * memory_record_check = w_3;
                 * memory_record_check *= eta;
                 * memory_record_check += w_2;
                 * memory_record_check *= eta;
                 * memory_record_check += w_1;
                 * memory_record_check *= eta;
                 * memory_record_check += q_c;
                 *
                 * partial_record_check = memory_record_check;
                 *
                 * memory_record_check -= w_4;
                 */
                let memory_record_check := mulmod(mload(W3_EVAL_LOC), mload(C_ETA_LOC), p)
                memory_record_check := addmod(memory_record_check, mload(W2_EVAL_LOC), p)
                memory_record_check := mulmod(memory_record_check, mload(C_ETA_LOC), p)
                memory_record_check := addmod(memory_record_check, mload(W1_EVAL_LOC), p)
                memory_record_check := mulmod(memory_record_check, mload(C_ETA_LOC), p)
                memory_record_check := addmod(memory_record_check, mload(QC_EVAL_LOC), p)

                let partial_record_check := memory_record_check
                memory_record_check := addmod(memory_record_check, sub(p, mload(W4_EVAL_LOC)), p)
                mstore(AUX_MEMORY_EVALUATION, memory_record_check)

                // index_delta = w_1_omega - w_1
                let index_delta := addmod(mload(W1_OMEGA_EVAL_LOC), sub(p, mload(W1_EVAL_LOC)), p)
                // record_delta = w_4_omega - w_4
                let record_delta := addmod(mload(W4_OMEGA_EVAL_LOC), sub(p, mload(W4_EVAL_LOC)), p)
                // index_is_monotonically_increasing = index_delta * (index_delta - 1)
                let index_is_monotonically_increasing := mulmod(index_delta, addmod(index_delta, sub(p, 1), p), p)
                // adjacent_values_match_if_adjacent_indices_match = record_delta * (1 - index_delta)
                let adjacent_values_match_if_adjacent_indices_match := mulmod(record_delta, addmod(1, sub(p, index_delta), p), p)

                // AUX_ROM_CONSISTENCY_EVALUATION = ((adjacent_values_match_if_adjacent_indices_match * alpha) + index_is_monotonically_increasing) * alpha + memory_record_check
                mstore(
                    AUX_ROM_CONSISTENCY_EVALUATION,
                    addmod(
                        mulmod(
                            addmod(
                                mulmod(adjacent_values_match_if_adjacent_indices_match, mload(C_ALPHA_LOC), p),
                                index_is_monotonically_increasing,
                                p
                            ),
                            mload(C_ALPHA_LOC),
                            p
                        ),
                        memory_record_check,
                        p
                    )
                )

                {
                    /**
                     * next_gate_access_type = w_3_omega;
                     * next_gate_access_type *= eta;
                     * next_gate_access_type += w_2_omega;
                     * next_gate_access_type *= eta;
                     * next_gate_access_type += w_1_omega;
                     * next_gate_access_type *= eta;
                     * next_gate_access_type = w_4_omega - next_gate_access_type;
                     */
                    let next_gate_access_type := mulmod(mload(W3_OMEGA_EVAL_LOC), mload(C_ETA_LOC), p)
                    next_gate_access_type := addmod(next_gate_access_type, mload(W2_OMEGA_EVAL_LOC), p)
                    next_gate_access_type := mulmod(next_gate_access_type, mload(C_ETA_LOC), p)
                    next_gate_access_type := addmod(next_gate_access_type, mload(W1_OMEGA_EVAL_LOC), p)
                    next_gate_access_type := mulmod(next_gate_access_type, mload(C_ETA_LOC), p)
                    next_gate_access_type := addmod(mload(W4_OMEGA_EVAL_LOC), sub(p, next_gate_access_type), p)

                    // value_delta = w_3_omega - w_3
                    let value_delta := addmod(mload(W3_OMEGA_EVAL_LOC), sub(p, mload(W3_EVAL_LOC)), p)
                    // adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation = (1 - index_delta) * value_delta * (1 - next_gate_access_type);
                    let adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation := mulmod(
                        addmod(1, sub(p, index_delta), p),
                        mulmod(value_delta, addmod(1, sub(p, next_gate_access_type), p), p),
                        p
                    )

                    // AUX_RAM_CONSISTENCY_EVALUATION
                    /**
                     * access_type = w_4 - partial_record_check
                     * access_check = access_type^2 - access_type
                     * next_gate_access_type_is_boolean = next_gate_access_type^2 - next_gate_access_type
                     * RAM_consistency_check_identity = adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation;
                     * RAM_consistency_check_identity *= alpha;
                     * RAM_consistency_check_identity += index_is_monotonically_increasing;
                     * RAM_consistency_check_identity *= alpha;
                     * RAM_consistency_check_identity += next_gate_access_type_is_boolean;
                     * RAM_consistency_check_identity *= alpha;
                     * RAM_consistency_check_identity += access_check;
                     */
                    let access_type := addmod(mload(W4_EVAL_LOC), sub(p, partial_record_check), p)
                    let access_check := mulmod(access_type, addmod(access_type, sub(p, 1), p), p)
                    let next_gate_access_type_is_boolean := mulmod(next_gate_access_type, addmod(next_gate_access_type, sub(p, 1), p), p)
                    let RAM_cci := mulmod(
                        adjacent_values_match_if_adjacent_indices_match_and_next_access_is_a_read_operation,
                        mload(C_ALPHA_LOC),
                        p
                    )
                    RAM_cci := addmod(RAM_cci, index_is_monotonically_increasing, p)
                    RAM_cci := mulmod(RAM_cci, mload(C_ALPHA_LOC), p)
                    RAM_cci := addmod(RAM_cci, next_gate_access_type_is_boolean, p)
                    RAM_cci := mulmod(RAM_cci, mload(C_ALPHA_LOC), p)
                    RAM_cci := addmod(RAM_cci, access_check, p)

                    mstore(AUX_RAM_CONSISTENCY_EVALUATION, RAM_cci)
                }
                {
                    // timestamp_delta = w_2_omega - w_2
                    let timestamp_delta := addmod(mload(W2_OMEGA_EVAL_LOC), sub(p, mload(W2_EVAL_LOC)), p)
                    // RAM_timestamp_check_identity = (1 - index_delta) * timestamp_delta - w_3
                    let RAM_timestamp_check_identity := addmod(
                        mulmod(timestamp_delta, addmod(1, sub(p, index_delta), p), p),
                        sub(p, mload(W3_EVAL_LOC)),
                        p
                    )

                    /**
                     * memory_identity = ROM_consistency_check_identity * q_2;
                     * memory_identity += RAM_timestamp_check_identity * q_4;
                     * memory_identity += memory_record_check * q_m;
                     * memory_identity *= q_1;
                     * memory_identity += (RAM_consistency_check_identity * q_arith);
                     *
                     * auxiliary_identity = memory_identity + non_native_field_identity + limb_accumulator_identity;
                     * auxiliary_identity *= q_aux;
                     * auxiliary_identity *= alpha_base;
                     */
                    let memory_identity := mulmod(mload(AUX_ROM_CONSISTENCY_EVALUATION), mload(Q2_EVAL_LOC), p)
                    memory_identity := addmod(memory_identity, mulmod(RAM_timestamp_check_identity, mload(Q4_EVAL_LOC), p), p)
                    memory_identity := addmod(memory_identity, mulmod(mload(AUX_MEMORY_EVALUATION), mload(QM_EVAL_LOC), p), p)
                    memory_identity := mulmod(memory_identity, mload(Q1_EVAL_LOC), p)
                    memory_identity := addmod(memory_identity, mulmod(mload(AUX_RAM_CONSISTENCY_EVALUATION), mload(QARITH_EVAL_LOC), p), p)

                    let auxiliary_identity := addmod(memory_identity, mload(AUX_NON_NATIVE_FIELD_EVALUATION), p)
                    auxiliary_identity := addmod(auxiliary_identity, mload(AUX_LIMB_ACCUMULATOR_EVALUATION), p)
                    auxiliary_identity := mulmod(auxiliary_identity, mload(QAUX_EVAL_LOC), p)
                    auxiliary_identity := mulmod(auxiliary_identity, mload(C_ALPHA_BASE_LOC), p)

                    mstore(AUX_IDENTITY, auxiliary_identity)

                    // update alpha
                    mstore(C_ALPHA_BASE_LOC, mulmod(mload(C_ALPHA_BASE_LOC), mload(C_ALPHA_CUBE_LOC), p))
                }
}
}
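The ROM/RAM consistency identities in the auxiliary widget above are easier to read against a concrete trace. The Python below is an added example, not the verifier's own code: it evaluates AUX_ROM_CONSISTENCY_EVALUATION and AUX_RAM_CONSISTENCY_EVALUATION on adjacent rows of a constructed memory trace sorted by (index, timestamp), and shows a read that returns a stale value being caught. The wire layout for the sorted rows (w1 = index, w2 = timestamp, w3 = value, w4 = record hash plus access type, q_c = 0 on these rows) and the eta and alpha values are assumptions of the example; only the identities themselves are taken from the widget.

```python
# Added example (not part of plonk_vk.sol): ROM/RAM consistency identities over a constructed sorted trace.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
ETA = 0x1F3D5B7A9C  # constructed stand-in for the eta challenge at C_ETA_LOC
ALPHA = 5           # constructed stand-in for alpha


def record(index, w2, w3, eta=ETA):
    """((w3 * eta + w2) * eta + w1) * eta: the hash the widget recomputes from a row's first three wires."""
    return ((w3 * eta + w2) * eta + index) * eta % P


def rom_consistency(row, nxt, alpha=ALPHA):
    """AUX_ROM_CONSISTENCY_EVALUATION for a sorted ROM row and its successor (w4 = record, q_c = 0)."""
    w1, w2, w3, w4 = row
    memory_record_check = (record(w1, w2, w3) - w4) % P
    index_delta = (nxt[0] - w1) % P
    record_delta = (nxt[3] - w4) % P
    index_monotonic = index_delta * (index_delta - 1) % P             # index_delta in {0, 1}
    same_index_same_record = record_delta * (1 - index_delta) % P     # equal indices => equal records
    return ((same_index_same_record * alpha + index_monotonic) * alpha + memory_record_check) % P


def ram_consistency(row, nxt, alpha=ALPHA):
    """AUX_RAM_CONSISTENCY_EVALUATION for a sorted RAM row and its successor (w4 = record + access_type)."""
    w1, w2, w3, w4 = row
    w1o, w2o, w3o, w4o = nxt
    access_type = (w4 - record(w1, w2, w3)) % P                       # partial_record_check with q_c = 0
    access_check = access_type * (access_type - 1) % P
    next_access_type = (w4o - record(w1o, w2o, w3o)) % P
    next_is_boolean = next_access_type * (next_access_type - 1) % P
    index_delta = (w1o - w1) % P
    index_monotonic = index_delta * (index_delta - 1) % P
    value_delta = (w3o - w3) % P
    # a read (access type 0) at the same index must see the previous row's value
    read_matches = (1 - index_delta) * value_delta * (1 - next_access_type) % P
    ident = read_matches * alpha
    ident = (ident + index_monotonic) * alpha
    ident = (ident + next_is_boolean) * alpha
    return (ident + access_check) % P


def ram_rows(accesses):
    """(index, timestamp, value, is_write) in execution order -> wire rows sorted by (index, timestamp)."""
    return [(i, t, v, (record(i, t, v) + int(w)) % P)
            for i, t, v, w in sorted(accesses, key=lambda a: (a[0], a[1]))]


def rom_rows(reads):
    """(index, value1, value2) ROM reads -> sorted wire rows with w4 = record."""
    return [(i, a, b, record(i, a, b)) for i, a, b in sorted(reads)]


def check(rows, identity):
    """Evaluate the identity on every adjacent pair; all zeros means the sorted trace is consistent."""
    return [identity(rows[k], rows[k + 1]) for k in range(len(rows) - 1)]


# Constructed traces: a consistent RAM history, and one whose final read returns a stale value.
RAM_OK = [(0, 0, 7, True), (1, 1, 9, True), (0, 2, 7, False),
          (0, 3, 8, True), (1, 4, 9, False), (0, 5, 8, False)]
RAM_BAD = RAM_OK[:-1] + [(0, 5, 9, False)]
ROM_OK = [(1, 20, 21), (0, 10, 11), (0, 10, 11)]
ROM_BAD = [(1, 20, 21), (0, 10, 11), (0, 10, 12)]

if __name__ == "__main__":
    print("RAM ok :", check(ram_rows(RAM_OK), ram_consistency))
    print("RAM bad:", check(ram_rows(RAM_BAD), ram_consistency))   # non-zero at the stale read
    print("ROM ok :", check(rom_rows(ROM_OK), rom_consistency))
    print("ROM bad:", check(rom_rows(ROM_BAD), rom_consistency))
```

The stale read shows up as alpha^3 in the pair where the write of 8 is followed by a read of 9 at the same index: every other term is zero, so the residual is exactly read_matches scaled by the three alpha multiplications. In the contract this residual lands in AUX_IDENTITY and from there in the quotient, where it makes the final pairing check fail.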
        {
            /**
             * quotient = ARITHMETIC_IDENTITY
             * quotient += PERMUTATION_IDENTITY
             * quotient += PLOOKUP_IDENTITY
             * quotient += SORT_IDENTITY
             * quotient += ELLIPTIC_IDENTITY
             * quotient += AUX_IDENTITY
             * quotient *= ZERO_POLY_INVERSE
             */
            mstore(
                QUOTIENT_EVAL_LOC,
                mulmod(
                    addmod(
                        addmod(
                            addmod(
                                addmod(
                                    addmod(mload(PERMUTATION_IDENTITY), mload(PLOOKUP_IDENTITY), p),
                                    mload(ARITHMETIC_IDENTITY),
                                    p
                                ),
                                mload(SORT_IDENTITY),
                                p
                            ),
                            mload(ELLIPTIC_IDENTITY),
                            p
                        ),
                        mload(AUX_IDENTITY),
                        p
                    ),
                    mload(ZERO_POLY_INVERSE_LOC),
                    p
                )
            )
        }
        /**
         * GENERATE NU AND SEPARATOR CHALLENGES
         */
        {
            let current_challenge := mload(C_CURRENT_LOC)
            // get a calldata pointer that points to the start of the data we want to copy
            let calldata_ptr := add(calldataload(0x04), 0x24)

            calldata_ptr := add(calldata_ptr, NU_CALLDATA_SKIP_LENGTH)

            mstore(NU_CHALLENGE_INPUT_LOC_A, current_challenge)
            mstore(NU_CHALLENGE_INPUT_LOC_B, mload(QUOTIENT_EVAL_LOC))
            calldatacopy(NU_CHALLENGE_INPUT_LOC_C, calldata_ptr, NU_INPUT_LENGTH)

            // hash length = 0x40 + NU_INPUT_LENGTH: the previous challenge and the quotient evaluation are included in the hash
            let challenge := keccak256(NU_CHALLENGE_INPUT_LOC_A, add(NU_INPUT_LENGTH, 0x40))

            mstore(C_V0_LOC, mod(challenge, p))
            // We need THIRTY-ONE independent nu challenges!
            // v_k = keccak256(challenge || byte(k)) mod p for k = 1..29
            mstore(0x00, challenge)
            mstore8(0x20, 0x01)
            mstore(C_V1_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x02)
            mstore(C_V2_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x03)
            mstore(C_V3_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x04)
            mstore(C_V4_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x05)
            mstore(C_V5_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x06)
            mstore(C_V6_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x07)
            mstore(C_V7_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x08)
            mstore(C_V8_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x09)
            mstore(C_V9_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x0a)
            mstore(C_V10_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x0b)
            mstore(C_V11_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x0c)
            mstore(C_V12_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x0d)
            mstore(C_V13_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x0e)
            mstore(C_V14_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x0f)
            mstore(C_V15_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x10)
            mstore(C_V16_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x11)
            mstore(C_V17_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x12)
            mstore(C_V18_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x13)
            mstore(C_V19_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x14)
            mstore(C_V20_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x15)
            mstore(C_V21_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x16)
            mstore(C_V22_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x17)
            mstore(C_V23_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x18)
            mstore(C_V24_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x19)
            mstore(C_V25_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x1a)
            mstore(C_V26_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x1b)
            mstore(C_V27_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x1c)
            mstore(C_V28_LOC, mod(keccak256(0x00, 0x21), p))
            mstore8(0x20, 0x1d)
            mstore(C_V29_LOC, mod(keccak256(0x00, 0x21), p))

            // @follow-up - Why are both v29 and v30 using appending 0x1d to the prior challenge and hashing, should it not change?
            // (memory at 0x00 still holds the same challenge, so C_V30_LOC receives the same value as C_V29_LOC)
            mstore8(0x20, 0x1d)
            challenge := keccak256(0x00, 0x21)
            mstore(C_V30_LOC, mod(challenge, p))

            // separator
            mstore(0x00, challenge)
            mstore(0x20, mload(PI_Z_Y_LOC))
            mstore(0x40, mload(PI_Z_X_LOC))
            mstore(0x60, mload(PI_Z_OMEGA_Y_LOC))
            mstore(0x80, mload(PI_Z_OMEGA_X_LOC))

            mstore(C_U_LOC, mod(keccak256(0x00, 0xa0), p))
}
        let success := 0
        // VALIDATE T1
        {
            let x := mload(T1_X_LOC)
            let y := mload(T1_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(ACCUMULATOR_X_LOC, x)
            mstore(add(ACCUMULATOR_X_LOC, 0x20), y)
        }
        // VALIDATE T2
        {
            let x := mload(T2_X_LOC) // 0x1400
            let y := mload(T2_Y_LOC) // 0x1420
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mload(ZETA_POW_N_LOC))
        // accumulator_2 = [T2].zeta^n
        success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)
        // accumulator = [T1] + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE T3
        {
            let x := mload(T3_X_LOC)
            let y := mload(T3_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(mload(ZETA_POW_N_LOC), mload(ZETA_POW_N_LOC), p))
        // accumulator_2 = [T3].zeta^{2n}
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE T4
        {
            let x := mload(T4_X_LOC)
            let y := mload(T4_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(mulmod(mload(ZETA_POW_N_LOC), mload(ZETA_POW_N_LOC), p), mload(ZETA_POW_N_LOC), p))
        // accumulator_2 = [T4].zeta^{3n}
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE W1
        {
            let x := mload(W1_X_LOC)
            let y := mload(W1_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V0_LOC), p))
        // accumulator_2 = v0.(u + 1).[W1]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE W2
        {
            let x := mload(W2_X_LOC)
            let y := mload(W2_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V1_LOC), p))
        // accumulator_2 = v1.(u + 1).[W2]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE W3
        {
            let x := mload(W3_X_LOC)
            let y := mload(W3_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V2_LOC), p))
        // accumulator_2 = v2.(u + 1).[W3]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE W4
        {
            let x := mload(W4_X_LOC)
            let y := mload(W4_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V3_LOC), p))
        // accumulator_2 = v3.(u + 1).[W4]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE S
        {
            let x := mload(S_X_LOC)
            let y := mload(S_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V4_LOC), p))
        // accumulator_2 = v4.(u + 1).[S]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE Z
        {
            let x := mload(Z_X_LOC)
            let y := mload(Z_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V5_LOC), p))
        // accumulator_2 = v5.(u + 1).[Z]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // VALIDATE Z_LOOKUP
        {
            let x := mload(Z_LOOKUP_X_LOC)
            let y := mload(Z_LOOKUP_Y_LOC)
            let xx := mulmod(x, x, q)
            // validate on curve
            if iszero(eq(mulmod(y, y, q), addmod(mulmod(x, xx, q), 3, q))) {
                mstore(0x0, POINT_NOT_ON_CURVE_SELECTOR)
                revert(0x00, 0x04)
            }
            mstore(0x00, x)
            mstore(0x20, y)
        }
        mstore(0x40, mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V6_LOC), p))
        // accumulator_2 = v6.(u + 1).[Z_LOOKUP]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // ACCUMULATE Q1
        // Verification key fields verified to be on curve at contract deployment
        mstore(0x00, mload(Q1_X_LOC))
        mstore(0x20, mload(Q1_Y_LOC))
        mstore(0x40, mload(C_V7_LOC))
        // accumulator_2 = v7.[Q1]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // ACCUMULATE Q2
        // Verification key fields verified to be on curve at contract deployment
        mstore(0x00, mload(Q2_X_LOC))
        mstore(0x20, mload(Q2_Y_LOC))
        mstore(0x40, mload(C_V8_LOC))
        // accumulator_2 = v8.[Q2]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // ACCUMULATE Q3
        // Verification key fields verified to be on curve at contract deployment
        mstore(0x00, mload(Q3_X_LOC))
        mstore(0x20, mload(Q3_Y_LOC))
        mstore(0x40, mload(C_V9_LOC))
        // accumulator_2 = v9.[Q3]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // ACCUMULATE Q4
        // Verification key fields verified to be on curve at contract deployment
        mstore(0x00, mload(Q4_X_LOC))
        mstore(0x20, mload(Q4_Y_LOC))
        mstore(0x40, mload(C_V10_LOC))
        // accumulator_2 = v10.[Q4]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // ACCUMULATE QM
        // Verification key fields verified to be on curve at contract deployment
        mstore(0x00, mload(QM_X_LOC))
        mstore(0x20, mload(QM_Y_LOC))
        mstore(0x40, mload(C_V11_LOC))
        // accumulator_2 = v11.[QM]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))

        // ACCUMULATE QC
        // Verification key fields verified to be on curve at contract deployment
        mstore(0x00, mload(QC_X_LOC))
        mstore(0x20, mload(QC_Y_LOC))
        mstore(0x40, mload(C_V12_LOC))
        // accumulator_2 = v12.[QC]
        success := and(success, staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40))
        // accumulator = accumulator + accumulator_2
        success := and(success, staticcall(gas(), 6, ACCUMULATOR_X_LOC, 0x80, ACCUMULATOR_X_LOC, 0x40))
// ACCUMULATE QARITH
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
QARITH_X_LOC
))
mstore
(
0x20
,
mload
(
QARITH_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V13_LOC
))
// accumulator_2 = v13.[QARITH]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE QSORT
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
QSORT_X_LOC
))
mstore
(
0x20
,
mload
(
QSORT_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V14_LOC
))
// accumulator_2 = v14.[QSORT]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE QELLIPTIC
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
QELLIPTIC_X_LOC
))
mstore
(
0x20
,
mload
(
QELLIPTIC_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V15_LOC
))
// accumulator_2 = v15.[QELLIPTIC]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE QAUX
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
QAUX_X_LOC
))
mstore
(
0x20
,
mload
(
QAUX_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V16_LOC
))
// accumulator_2 = v15.[Q_AUX]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE SIGMA1
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
SIGMA1_X_LOC
))
mstore
(
0x20
,
mload
(
SIGMA1_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V17_LOC
))
// accumulator_2 = v17.[sigma1]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE SIGMA2
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
SIGMA2_X_LOC
))
mstore
(
0x20
,
mload
(
SIGMA2_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V18_LOC
))
// accumulator_2 = v18.[sigma2]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE SIGMA3
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
SIGMA3_X_LOC
))
mstore
(
0x20
,
mload
(
SIGMA3_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V19_LOC
))
// accumulator_2 = v19.[sigma3]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE SIGMA4
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
SIGMA4_X_LOC
))
mstore
(
0x20
,
mload
(
SIGMA4_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V20_LOC
))
// accumulator_2 = v20.[sigma4]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE TABLE1
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
TABLE1_X_LOC
))
mstore
(
0x20
,
mload
(
TABLE1_Y_LOC
))
mstore
(
0x40
,
mulmod
(
addmod
(
mload
(
C_U_LOC
),
0x1
,
p
),
mload
(
C_V21_LOC
),
p
))
// accumulator_2 = u.[table1]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE TABLE2
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
TABLE2_X_LOC
))
mstore
(
0x20
,
mload
(
TABLE2_Y_LOC
))
mstore
(
0x40
,
mulmod
(
addmod
(
mload
(
C_U_LOC
),
0x1
,
p
),
mload
(
C_V22_LOC
),
p
))
// accumulator_2 = u.[table2]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE TABLE3
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
TABLE3_X_LOC
))
mstore
(
0x20
,
mload
(
TABLE3_Y_LOC
))
mstore
(
0x40
,
mulmod
(
addmod
(
mload
(
C_U_LOC
),
0x1
,
p
),
mload
(
C_V23_LOC
),
p
))
// accumulator_2 = u.[table3]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE TABLE4
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
TABLE4_X_LOC
))
mstore
(
0x20
,
mload
(
TABLE4_Y_LOC
))
mstore
(
0x40
,
mulmod
(
addmod
(
mload
(
C_U_LOC
),
0x1
,
p
),
mload
(
C_V24_LOC
),
p
))
// accumulator_2 = u.[table4]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE TABLE_TYPE
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
TABLE_TYPE_X_LOC
))
mstore
(
0x20
,
mload
(
TABLE_TYPE_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V25_LOC
))
// accumulator_2 = v25.[TableType]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE ID1
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
ID1_X_LOC
))
mstore
(
0x20
,
mload
(
ID1_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V26_LOC
))
// accumulator_2 = v26.[ID1]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE ID2
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
ID2_X_LOC
))
mstore
(
0x20
,
mload
(
ID2_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V27_LOC
))
// accumulator_2 = v27.[ID2]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE ID3
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
ID3_X_LOC
))
mstore
(
0x20
,
mload
(
ID3_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V28_LOC
))
// accumulator_2 = v28.[ID3]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// ACCUMULATE ID4
// Verification key fields verified to be on curve at contract deployment
mstore
(
0x00
,
mload
(
ID4_X_LOC
))
mstore
(
0x20
,
mload
(
ID4_Y_LOC
))
mstore
(
0x40
,
mload
(
C_V29_LOC
))
// accumulator_2 = v29.[ID4]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
/**
* COMPUTE BATCH EVALUATION SCALAR MULTIPLIER
*/
{
/**
* batch_evaluation = v0 * (w_1_omega * u + w_1_eval)
* batch_evaluation += v1 * (w_2_omega * u + w_2_eval)
* batch_evaluation += v2 * (w_3_omega * u + w_3_eval)
* batch_evaluation += v3 * (w_4_omega * u + w_4_eval)
* batch_evaluation += v4 * (s_omega_eval * u + s_eval)
* batch_evaluation += v5 * (z_omega_eval * u + z_eval)
* batch_evaluation += v6 * (z_lookup_omega_eval * u + z_lookup_eval)
*/
let
batch_evaluation
:=
mulmod
(
mload
(
C_V0_LOC
),
addmod
(
mulmod
(
mload
(
W1_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
W1_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V1_LOC
),
addmod
(
mulmod
(
mload
(
W2_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
W2_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V2_LOC
),
addmod
(
mulmod
(
mload
(
W3_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
W3_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V3_LOC
),
addmod
(
mulmod
(
mload
(
W4_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
W4_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V4_LOC
),
addmod
(
mulmod
(
mload
(
S_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
S_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V5_LOC
),
addmod
(
mulmod
(
mload
(
Z_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
Z_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V6_LOC
),
addmod
(
mulmod
(
mload
(
Z_LOOKUP_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
Z_LOOKUP_EVAL_LOC
),
p
),
p
),
p
)
/**
* batch_evaluation += v7 * Q1_EVAL
* batch_evaluation += v8 * Q2_EVAL
* batch_evaluation += v9 * Q3_EVAL
* batch_evaluation += v10 * Q4_EVAL
* batch_evaluation += v11 * QM_EVAL
* batch_evaluation += v12 * QC_EVAL
* batch_evaluation += v13 * QARITH_EVAL
* batch_evaluation += v14 * QSORT_EVAL_LOC
* batch_evaluation += v15 * QELLIPTIC_EVAL_LOC
* batch_evaluation += v16 * QAUX_EVAL_LOC
* batch_evaluation += v17 * SIGMA1_EVAL_LOC
* batch_evaluation += v18 * SIGMA2_EVAL_LOC
* batch_evaluation += v19 * SIGMA3_EVAL_LOC
* batch_evaluation += v20 * SIGMA4_EVAL_LOC
*/
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V7_LOC
),
mload
(
Q1_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V8_LOC
),
mload
(
Q2_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V9_LOC
),
mload
(
Q3_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V10_LOC
),
mload
(
Q4_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V11_LOC
),
mload
(
QM_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V12_LOC
),
mload
(
QC_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V13_LOC
),
mload
(
QARITH_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V14_LOC
),
mload
(
QSORT_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V15_LOC
),
mload
(
QELLIPTIC_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V16_LOC
),
mload
(
QAUX_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V17_LOC
),
mload
(
SIGMA1_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V18_LOC
),
mload
(
SIGMA2_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V19_LOC
),
mload
(
SIGMA3_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V20_LOC
),
mload
(
SIGMA4_EVAL_LOC
),
p
),
p
)
/**
* batch_evaluation += v21 * (table1(zw) * u + table1(z))
* batch_evaluation += v22 * (table2(zw) * u + table2(z))
* batch_evaluation += v23 * (table3(zw) * u + table3(z))
* batch_evaluation += v24 * (table4(zw) * u + table4(z))
* batch_evaluation += v25 * table_type_eval
* batch_evaluation += v26 * id1_eval
* batch_evaluation += v27 * id2_eval
* batch_evaluation += v28 * id3_eval
* batch_evaluation += v29 * id4_eval
* batch_evaluation += quotient_eval
*/
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V21_LOC
),
addmod
(
mulmod
(
mload
(
TABLE1_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
TABLE1_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V22_LOC
),
addmod
(
mulmod
(
mload
(
TABLE2_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
TABLE2_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V23_LOC
),
addmod
(
mulmod
(
mload
(
TABLE3_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
TABLE3_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V24_LOC
),
addmod
(
mulmod
(
mload
(
TABLE4_OMEGA_EVAL_LOC
),
mload
(
C_U_LOC
),
p
),
mload
(
TABLE4_EVAL_LOC
),
p
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V25_LOC
),
mload
(
TABLE_TYPE_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V26_LOC
),
mload
(
ID1_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V27_LOC
),
mload
(
ID2_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V28_LOC
),
mload
(
ID3_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mulmod
(
mload
(
C_V29_LOC
),
mload
(
ID4_EVAL_LOC
),
p
),
p
)
batch_evaluation
:=
addmod
(
batch_evaluation
,
mload
(
QUOTIENT_EVAL_LOC
),
p
)
mstore
(
0x00
,
0x01
)
// [1].x
mstore
(
0x20
,
0x02
)
// [1].y
mstore
(
0x40
,
sub
(
p
,
batch_evaluation
))
// accumulator_2 = -[1].(batch_evaluation)
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
if
iszero
(
success
)
{
mstore
(
0x0
,
OPENING_COMMITMENT_FAILED_SELECTOR
)
revert
(
0x00
,
0x04
)
}
}
/**
* PERFORM PAIRING PREAMBLE
*/
{
let
u
:=
mload
(
C_U_LOC
)
let
zeta
:=
mload
(
C_ZETA_LOC
)
// VALIDATE PI_Z
{
let
x
:=
mload
(
PI_Z_X_LOC
)
let
y
:=
mload
(
PI_Z_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
if
iszero
(
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
{
mstore
(
0x0
,
POINT_NOT_ON_CURVE_SELECTOR
)
revert
(
0x00
,
0x04
)
}
mstore
(
0x00
,
x
)
mstore
(
0x20
,
y
)
}
// compute zeta.[PI_Z] and add into accumulator
mstore
(
0x40
,
zeta
)
success
:=
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
)
// accumulator = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
ACCUMULATOR_X_LOC
,
0x40
))
// VALIDATE PI_Z_OMEGA
{
let
x
:=
mload
(
PI_Z_OMEGA_X_LOC
)
let
y
:=
mload
(
PI_Z_OMEGA_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
if
iszero
(
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
{
mstore
(
0x0
,
POINT_NOT_ON_CURVE_SELECTOR
)
revert
(
0x00
,
0x04
)
}
mstore
(
0x00
,
x
)
mstore
(
0x20
,
y
)
}
mstore
(
0x40
,
mulmod
(
mulmod
(
u
,
zeta
,
p
),
mload
(
OMEGA_LOC
),
p
))
// accumulator_2 = u.zeta.omega.[PI_Z_OMEGA]
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
ACCUMULATOR2_X_LOC
,
0x40
))
// PAIRING_RHS = accumulator + accumulator_2
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
ACCUMULATOR_X_LOC
,
0x80
,
PAIRING_RHS_X_LOC
,
0x40
))
mstore
(
0x00
,
mload
(
PI_Z_X_LOC
))
mstore
(
0x20
,
mload
(
PI_Z_Y_LOC
))
mstore
(
0x40
,
mload
(
PI_Z_OMEGA_X_LOC
))
mstore
(
0x60
,
mload
(
PI_Z_OMEGA_Y_LOC
))
mstore
(
0x80
,
u
)
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x40
,
0x60
,
0x40
,
0x40
))
// PAIRING_LHS = [PI_Z] + [PI_Z_OMEGA] * u
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
0x00
,
0x80
,
PAIRING_LHS_X_LOC
,
0x40
))
// negate lhs y-coordinate
mstore
(
PAIRING_LHS_Y_LOC
,
sub
(
q
,
mload
(
PAIRING_LHS_Y_LOC
)))
if
mload
(
CONTAINS_RECURSIVE_PROOF_LOC
)
{
// VALIDATE RECURSIVE P1
{
let
x
:=
mload
(
RECURSIVE_P1_X_LOC
)
let
y
:=
mload
(
RECURSIVE_P1_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
if
iszero
(
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
{
mstore
(
0x0
,
POINT_NOT_ON_CURVE_SELECTOR
)
revert
(
0x00
,
0x04
)
}
mstore
(
0x00
,
x
)
mstore
(
0x20
,
y
)
}
// compute u.u.[recursive_p1] and write into 0x60
mstore
(
0x40
,
mulmod
(
u
,
u
,
p
))
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
0x60
,
0x40
))
// VALIDATE RECURSIVE P2
{
let
x
:=
mload
(
RECURSIVE_P2_X_LOC
)
let
y
:=
mload
(
RECURSIVE_P2_Y_LOC
)
let
xx
:=
mulmod
(
x
,
x
,
q
)
// validate on curve
if
iszero
(
eq
(
mulmod
(
y
,
y
,
q
),
addmod
(
mulmod
(
x
,
xx
,
q
),
3
,
q
)))
{
mstore
(
0x0
,
POINT_NOT_ON_CURVE_SELECTOR
)
revert
(
0x00
,
0x04
)
}
mstore
(
0x00
,
x
)
mstore
(
0x20
,
y
)
}
// compute u.u.[recursive_p2] and write into 0x00
// 0x40 still contains u*u
success
:=
and
(
success
,
staticcall
(
gas
(),
7
,
0x00
,
0x60
,
0x00
,
0x40
))
// compute u.u.[recursiveP1] + rhs and write into rhs
mstore
(
0xa0
,
mload
(
PAIRING_RHS_X_LOC
))
mstore
(
0xc0
,
mload
(
PAIRING_RHS_Y_LOC
))
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
0x60
,
0x80
,
PAIRING_RHS_X_LOC
,
0x40
))
// compute u.u.[recursiveP2] + lhs and write into lhs
mstore
(
0x40
,
mload
(
PAIRING_LHS_X_LOC
))
mstore
(
0x60
,
mload
(
PAIRING_LHS_Y_LOC
))
success
:=
and
(
success
,
staticcall
(
gas
(),
6
,
0x00
,
0x80
,
PAIRING_LHS_X_LOC
,
0x40
))
}
if
iszero
(
success
)
{
mstore
(
0x0
,
PAIRING_PREAMBLE_FAILED_SELECTOR
)
revert
(
0x00
,
0x04
)
}
}
/**
* PERFORM PAIRING
*/
{
// rhs paired with [1]_2
// lhs paired with [x]_2
mstore
(
0x00
,
mload
(
PAIRING_RHS_X_LOC
))
mstore
(
0x20
,
mload
(
PAIRING_RHS_Y_LOC
))
mstore
(
0x40
,
0x198e9393920d483a7260bfb731fb5d25f1aa493335a9e71297e485b7aef312c2
)
// this is [1]_2
mstore
(
0x60
,
0x1800deef121f1e76426a00665e5c4479674322d4f75edadd46debd5cd992f6ed
)
mstore
(
0x80
,
0x090689d0585ff075ec9e99ad690c3395bc4b313370b38ef355acdadcd122975b
)
mstore
(
0xa0
,
0x12c85ea5db8c6deb4aab71808dcb408fe3d1e7690c43d37b4ce6cc0166fa7daa
)
mstore
(
0xc0
,
mload
(
PAIRING_LHS_X_LOC
))
mstore
(
0xe0
,
mload
(
PAIRING_LHS_Y_LOC
))
mstore
(
0x100
,
mload
(
G2X_X0_LOC
))
mstore
(
0x120
,
mload
(
G2X_X1_LOC
))
mstore
(
0x140
,
mload
(
G2X_Y0_LOC
))
mstore
(
0x160
,
mload
(
G2X_Y1_LOC
))
success
:=
staticcall
(
gas
(),
8
,
0x00
,
0x180
,
0x00
,
0x20
)
if
iszero
(
and
(
success
,
mload
(
0x00
)))
{
mstore
(
0x0
,
PAIRING_FAILED_SELECTOR
)
revert
(
0x00
,
0x04
)
}
}
{
mstore
(
0x00
,
0x01
)
return
(
0x00
,
0x20
)
// Proof succeeded!
}
}
}
}
contract
UltraVerifier
is
BaseUltraVerifier
{
function
getVerificationKeyHash
()
public
pure
override
(
BaseUltraVerifier
)
returns
(
bytes32
)
{
return
UltraVerificationKey
.
verificationKeyHash
();
}
function
loadVerificationKey
(
uint256
vk
,
uint256
_omegaInverseLoc
)
internal
pure
virtual
override
(
BaseUltraVerifier
)
{
UltraVerificationKey
.
loadVerificationKey
(
vk
,
_omegaInverseLoc
);
}
}
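Review bot: several inline comments in the MSM accumulation block disagree with the scalar the code actually loads, which matters because auditors read these comments as the spec of the verifier: the QM step stores `mload(C_V11_LOC)` but is annotated `// accumulator_2 = v11.[Q;]`, the QAUX step loads `C_V16_LOC` but is annotated `// accumulator_2 = v15.[Q_AUX]`, and the TABLE1..TABLE4 steps store `mulmod(addmod(mload(C_U_LOC), 0x1, p), mload(C_V21_LOC), p)` yet are annotated `// accumulator_2 = u.[table1]` rather than `v21.(u + 1).[table1]`, the form used for `[Z]` and `[Z_LOOKUP]` above and matched by the `v21 * (table1(zw) * u + table1(z))` term in the batch evaluation. Since this reads as the standard generated UltraVerifier (BaseUltraVerifier / UltraVerificationKey) rather than hand-written code, do not patch it by hand; record in the commit message the toolchain version that emitted it so the file can be regenerated, and send the comment corrections upstream. One ordering dependency to document: in the pairing preamble `success := staticcall(gas(), 7, 0x00, 0x60, ACCUMULATOR2_X_LOC, 0x40)` overwrites `success` instead of AND-ing it, which is only safe because the block immediately before reverts with `OPENING_COMMITMENT_FAILED_SELECTOR` whenever `success` is zero; any reordering of these two blocks would silently drop earlier precompile failures.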
momiji-helpers/circuits/publish/proofs/publish.proof
0 → 100644
0x
\ No newline at end of file
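Review bot: `publish.proof` is committed with the content `0x`, i.e. an empty proof, and the same commit adds other build outputs (`recursion/proofs/proof`, `recursion/target/acir.gz`, `recursion/target/vk`, `recursion/target/vk_fields.json`). Proofs and everything under `target/` are rewritten by every `nargo compile` / `nargo prove` run and will churn on each commit while carrying no reviewable information; remove them from the tree and add `circuits/*/proofs/` and `circuits/*/target/` to `.gitignore`. If the verification key must be reproducible (the pinned key hash in `recursion/src/main.nr` depends on it), record the exact nargo and backend version that produced it rather than checking in the artifact.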
momiji-helpers/circuits/publish/src/main.nr
0 → 100644
use dep::std;
use dep::helpers;
use dep::helpers::hash;
use dep::helpers::structs;
fn main(
pi_contract_hash: pub Field,
accumulator: Field,
batch: structs::Batch,
tx_verifier: structs::VerifierTx,
recursion_verifier: structs::Verifier
) {
let tx_root_calc: Field = hash::hash_tree_four(batch.utxo_roots);
assert(batch.batch_oracle == helpers::ZERO_VALUE);
let batch_root_calc: Field = hash::hash([tx_root_calc, batch.batch_oracle]);
let new_root_calc: Field = hash::hash([batch_root_calc, batch.old_state_root]);
let new_path_calc: [Field; 20] = hash::compute_sibling_path(
batch.hist_tree.old_path,
batch.hist_tree.leaf,
batch.hist_tree.index
);
assert(batch.new_state_root == new_root_calc);
let calc_hist_root = hash::compute_merkle_root(
batch.hist_tree.leaf,
batch.hist_tree.index,
batch.hist_tree.old_path
);
assert(calc_hist_root == batch.hist_tree.root);
let hist_root_calc = hash::compute_merkle_root(
new_root_calc,
batch.hist_tree.index + 1,
new_path_calc
);
assert(hist_root_calc == batch.hist_tree.new_root);
let mut hash_validation: [u8; 832] = [0; 832];
for i in 0..32 {
hash_validation[i] = hash::field_to_u8(batch.new_state_root)[i];
hash_validation[i + 32] = hash::field_to_u8(batch.hist_tree.root)[i];
hash_validation[i + 64] = hash::field_to_u8(batch.hist_tree.new_root)[i];
hash_validation[i + 96] = hash::field_to_u8(accumulator)[i];
hash_validation[i + 128] = hash::field_to_u8(tx_verifier.key_hash)[i];
hash_validation[i + 160] = hash::field_to_u8(recursion_verifier.key_hash)[i];
for j in 0..20 {
hash_validation[i + 192 + (32 * j)] = hash::field_to_u8(new_path_calc[j])[i];
}
}
let hash_generated: Field = hash::hash_to_field(std::hash::keccak256(hash_validation, hash_validation.len() as u32));
assert(pi_contract_hash == hash_generated);
std::verify_proof(
recursion_verifier.verification_key.as_slice(),
recursion_verifier.proof.as_slice(),
[accumulator].as_slice(),
recursion_verifier.key_hash
)
}
\ No newline at end of file
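Review bot: nothing in `main` ties `batch.hist_tree.leaf` to `batch.old_state_root`: the old history root is checked with `compute_merkle_root(batch.hist_tree.leaf, batch.hist_tree.index, batch.hist_tree.old_path)`, but `leaf` is a free witness, so if the leaf at `index` is meant to be the previous state root add `assert(batch.hist_tree.leaf == batch.old_state_root);` (or document why the two may legitimately differ). Two further points on what this circuit does and does not bind: `tx_verifier` is used only for `tx_verifier.key_hash` inside the `pi_contract_hash` preimage, so no transaction proof is verified here, and `recursion_verifier.key_hash` is passed straight to `std::verify_proof` without being pinned to a constant; both key hashes are therefore bound only through `pi_contract_hash`, which the on-chain consumer must recompute with the expected constants, and that assumption belongs in a comment above the `hash_validation` loop. Minor: `hash::field_to_u8(...)` is re-evaluated on every iteration of `for i in 0..32` (32 calls per field, 640 across the `new_path_calc` inner loop); convert each field once into a local `[u8; 32]` before the loop.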
momiji-helpers/circuits/recursion/Nargo.toml
0 → 100644
[package]
name
=
"recursion"
type
=
"bin"
authors
=
[""]
compiler_version
=
">=0.19.2"
[dependencies]
helpers
=
{
path
=
"../helpers"
}
momiji-helpers/circuits/recursion/Prover.toml
0 → 100644
momiji-helpers/circuits/recursion/Verifier.toml
0 → 100644
momiji-helpers/circuits/recursion/proofs/proof
0 → 100644
momiji-helpers/circuits/recursion/src/main.nr
0 → 100644
use dep::std;
use dep::helpers;
use dep::helpers::structs;
use dep::helpers::hash;
#[recursive]
fn main(
accumulator: pub Field,
tx_verifier: structs::VerifierTx,
recursion_verifier: structs::Verifier,
previous_accumulator: Field,
tx: structs::PublicInputs
) {
let tx_as_keccak = tx.as_keccak();
let mut generated_accumulator_preimage: [u8; 128] = [0; 128];
for i in 0..32 {
generated_accumulator_preimage[i] = hash::field_to_u8(previous_accumulator)[i];
generated_accumulator_preimage[i + 32] = hash::field_to_u8(tx_as_keccak)[i];
generated_accumulator_preimage[i + 64] = hash::field_to_u8(tx_verifier.key_hash)[i];
generated_accumulator_preimage[i + 96] = hash::field_to_u8(recursion_verifier.key_hash)[i];
}
let generated_accumulator = hash::hash_to_field(std::hash::keccak256(generated_accumulator_preimage, generated_accumulator_preimage.len() as u32));
assert(accumulator == generated_accumulator);
let mut recursion_pi: Field = previous_accumulator;
let mut recursive_proof: [Field] = recursion_verifier.proof.as_slice();
if (previous_accumulator == helpers::ZERO_VALUE) {
assert(recursion_verifier.key_hash == 0x083764da4a71646a7c2d27cf8f17adc4f9e4f3d2c5a574b643f79864c280b4ce);
recursion_pi = tx.as_hash();
}
std::verify_proof(
recursion_verifier.verification_key.as_slice(),
recursive_proof,
[recursion_pi].as_slice(),
recursion_verifier.key_hash
);
std::verify_proof(
tx_verifier.verification_key.as_slice(),
tx_verifier.proof.as_slice(),
[tx.as_hash()].as_slice(),
tx_verifier.key_hash
);
}
\ No newline at end of file
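Review bot: only the base case pins `recursion_verifier.key_hash` (to the literal `0x083764da...280b4ce`); in the recursive branch the proof is verified against whatever `verification_key` / `key_hash` the prover supplies, and `tx_verifier.key_hash` is never pinned at all, so in-circuit the chain of proofs is bound only by folding both hashes into `accumulator`. That is sound only if the consumer of the final accumulator recomputes it with the expected key hashes; state that contract in a comment next to the constant. The constant itself is the hash of a compiled circuit and changes on every recompilation, while `recursion/Nargo.toml` allows `compiler_version = ">=0.19.2"`; pin the exact toolchain (or derive the hash in the build) so the literal cannot go stale without a failing test. Minor: `recursive_proof` is declared `mut` but never reassigned, the parentheses in `if (previous_accumulator == helpers::ZERO_VALUE)` are not idiomatic Noir, and `hash::field_to_u8(...)` is recomputed on each of the 32 loop iterations and can be hoisted as in `publish/src/main.nr`.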
momiji-helpers/circuits/recursion/target/acir.gz
0 → 100644
File added
momiji-helpers/circuits/recursion/target/vk
0 → 100644
File added
momiji-helpers/circuits/recursion/target/vk_fields.json
0 → 100644
[
"0x1727d9cce8edf8b1d7228edf940be5ab221dc023f0e21785e634f5dcf9718007"
,
"0x26125da10a0ed06327508aba06d1e303ac616632dbed349f53422da953337857"
,
"0x0000000000000000000000000000000000000000000000000000000000100000"
,
"0x0000000000000000000000000000000000000000000000000000000000000005"
,
"0x0000000000000000000000000000000000000000000000000000000000100000"
,
"0x0000000000000000000000000000000000000000000000000000000000000011"
,
"0x0000000000000000000000000000000000000000000000000000000000000001"
,
"0x0000000000000000000000000000000000000000000000000000000000000001"
,
"0x0000000000000000000000000000000000000000000000000000000000000002"
,
"0x0000000000000000000000000000000000000000000000000000000000000003"
,
"0x0000000000000000000000000000000000000000000000000000000000000004"
,
"0x0000000000000000000000000000000000000000000000000000000000000005"
,
"0x0000000000000000000000000000000000000000000000000000000000000006"
,
"0x0000000000000000000000000000000000000000000000000000000000000007"
,
"0x0000000000000000000000000000000000000000000000000000000000000008"
,
"0x0000000000000000000000000000000000000000000000000000000000000009"
,
"0x000000000000000000000000000000000000000000000000000000000000000a"
,
"0x000000000000000000000000000000000000000000000000000000000000000b"
,
"0x000000000000000000000000000000000000000000000000000000000000000c"
,
"0x000000000000000000000000000000000000000000000000000000000000000d"
,
"0x000000000000000000000000000000000000000000000000000000000000000e"
,
"0x000000000000000000000000000000000000000000000000000000000000000f"
,
"0x0000000000000000000000000000000000000000000000000000000000000010"
,
"0x0000000000000000000000000000001ed8a02482426d263a4ecb0ef896ce89aa"
,
"0x00000000000000000000000000000000002dd82b96a445a3d48db46e78fd1fe5"
,
"0x0000000000000000000000000000001a810690ec0eb9e6cb49dd68aed57b9a2c"
,
"0x00000000000000000000000000000000002979d0f3b9cbc56e6a5eed0176979c"
,
"0x000000000000000000000000000000ece4843dd3e3cb41a29ffcc72d49376ac5"
,
"0x000000000000000000000000000000000013f586937d9e92ad01910eaf7267fe"
,
"0x000000000000000000000000000000832de083f2aea887e5b0b3e07195bf3369"
,
"0x0000000000000000000000000000000000020d7d6640cc6909b63450357223cd"
,
"0x0000000000000000000000000000001a1e30f8051c1e84c165acf80086e8dfca"
,
"0x00000000000000000000000000000000002c77a04e17e8644f9b7053b4bb08fa"
,
"0x000000000000000000000000000000accbe6a903bb7bfaf1909074da32f28e74"
,
"0x000000000000000000000000000000000010ef1c64b5aa796d3218d20cfdb0a4"
,
"0x000000000000000000000000000000cbc1cc027a33d219526471449d9049146a"
,
"0x00000000000000000000000000000000000735dd552cfe8a4cf17f17049626d0"
,
"0x000000000000000000000000000000f3576e636ff3ebaff43f0d1c8294b67a8c"
,
"0x00000000000000000000000000000000001bb99e027a879809200c2f3e9992da"
,
"0x00000000000000000000000000000004f1b4950d8b0919092c8b596a63e9396e"
,
"0x00000000000000000000000000000000001e031462c21a2937998d8ab726051a"
,
"0x000000000000000000000000000000618474ad492a93435a82a433a1ae1b5c04"
,
"0x00000000000000000000000000000000001beb3c3937fc9ff20499d59cc4665e"
,
"0x000000000000000000000000000000053a4799f326db1157b41ba75481ac65ce"
,
"0x00000000000000000000000000000000002a6cafad02233a289b5ee0dac52d24"
,
"0x00000000000000000000000000000029b0e33ec90e9b6e7c0c774b2a394f5c90"
,
"0x00000000000000000000000000000000000ff63c1bf54473c34651e117d63bbb"
,
"0x000000000000000000000000000000a0098ac613ba3629b0421d7894f0bc65d8"
,
"0x00000000000000000000000000000000001f58e2dbf833ed8c21a5ac822a390e"
,
"0x000000000000000000000000000000ad30140ddc344a8ac7a49d29b0b600d888"
,
"0x000000000000000000000000000000000000b0088164d522367583c90f73bcd7"
,
"0x0000000000000000000000000000004a05d497f585103d826b8a133761cc79ef"
,
"0x000000000000000000000000000000000011888c79e6b006e1a7d293898b9842"
,
"0x00000000000000000000000000000039b41a3dfe9e948d33fd4a759e9e8a7b30"
,
"0x00000000000000000000000000000000000427be5203eb43e160d9635925f64a"
,
"0x000000000000000000000000000000c0b125470d496d55ec3d8678b1efcc0b14"
,
"0x00000000000000000000000000000000000a346d061bfa2ad56a322a81a8be06"
,
"0x000000000000000000000000000000e36f8d9132dccbddbcbc4eca6bdb70583a"
,
"0x000000000000000000000000000000000006e53484e1a4f26129c00c5afdf4d4"
,
"0x000000000000000000000000000000d56ff07f6c8d054cf78d713a5f4399313b"
,
"0x000000000000000000000000000000000009fa75fa397a889177953777b32ad7"
,
"0x000000000000000000000000000000a9eba193f17a0cbcfd5cd786e8fc93e044"
,
"0x0000000000000000000000000000000000231e1180c41ca9fcad8207beb4aeb2"
,
"0x000000000000000000000000000000439f7eb6e39f8ef36735fde1563efc018c"
,
"0x0000000000000000000000000000000000131bb8b31246156eac5a9632b1c44c"
,
"0x000000000000000000000000000000ff14d910386a5d634a00deb8432bd230bd"
,
"0x0000000000000000000000000000000000032cf0e4f77b2c32b39804b2e836a1"
,
"0x00000000000000000000000000000059d45db08da921eb51ee629b37eaac3804"
,
"0x00000000000000000000000000000000001351c4d6ee97e5a13968cd8b575376"
,
"0x000000000000000000000000000000a1fef20a9e9baae03c66b387855786961c"
,
"0x00000000000000000000000000000000000087e919ca347c14bae58f2a007979"
,
"0x00000000000000000000000000000068c2dee24bf49f48ca91a9b31cf489100a"
,
"0x00000000000000000000000000000000002ebbec213fd5e638e763bf574db1dd"
,
"0x000000000000000000000000000000405686bb9661ab548fc6490de8273991c1"
,
"0x00000000000000000000000000000000000f55573e8cc6debc7e4ad36f55f0a3"
,
"0x00000000000000000000000000000016c8911d3abcc99956cfafd2469e57d352"
,
"0x000000000000000000000000000000000023987c17049de9e6e90534922b068d"
,
"0x000000000000000000000000000000310a00459798915e70bb5f6c0d93950c61"
,
"0x0000000000000000000000000000000000190404b6761da87bbb58c68adf9c07"
,
"0x0000000000000000000000000000007003780317cc6fecafa2529793ea4d856a"
,
"0x00000000000000000000000000000000000c49e1acc2e2a5ed2523a68e13bcc7"
,
"0x0000000000000000000000000000004564d9adecd904030f441c500bea3a54e8"
,
"0x0000000000000000000000000000000000118e887dc7827a303ae4efd884289f"
,
"0x00000000000000000000000000000055bcb8484f4bfca2d81c1a7a08f92dcc1e"
,
"0x0000000000000000000000000000000000192d66138ef5fb5cbd60d25910fa8b"
,
"0x0000000000000000000000000000006ce36390303806bf1667cac7fd3a0a911f"
,
"0x000000000000000000000000000000000025719fd7b4f27bd77387d4580c46ef"
,
"0x000000000000000000000000000000e15e5e8edb26147b877fd483a9be1ee557"
,
"0x00000000000000000000000000000000000d4744317ff703c20132134b9af145"
,
"0x00000000000000000000000000000097931bbb683b832edaedfb84ae020a3e6c"
,
"0x000000000000000000000000000000000024e913db937478f592ff958369c33b"
,
"0x000000000000000000000000000000aad0edb65a7896339ad92cb7bdda5bc0cb"
,
"0x00000000000000000000000000000000001f13f1759e514b1f053da73837b9bf"
,
"0x000000000000000000000000000000b5928facba6909a6cb9d3f99b451dbb0da"
,
"0x0000000000000000000000000000000000140e3a61cbd87e23e9f59c0c8a5f92"
,
"0x0000000000000000000000000000000c542c4e643211a206a43e3c82940ce012"
,
"0x0000000000000000000000000000000000073ab903217225282916b264ffbd6f"
,
"0x000000000000000000000000000000362a93230a711f6dff86b1a347c978b220"
,
"0x00000000000000000000000000000000001a14bd51e9dc0b4b973e46910d2b6f"
,
"0x000000000000000000000000000000e13a606550f2c61830bf9da814621581ee"
,
"0x00000000000000000000000000000000001297f1e111cc1ea7a2221affb5eecd"
,
"0x00000000000000000000000000000000aa60b3f6dc00be97871878c40d04a293"
,
"0x000000000000000000000000000000000007f762063f0123fba74c4cd66e7559"
,
"0x000000000000000000000000000000541c1db7e3c80a294ea50b24011999fe4e"
,
"0x00000000000000000000000000000000002e238e496f9533c8fe3a9342fcf1f6"
,
"0x000000000000000000000000000000f65f2ad1025c0ec713b29b2db4c57e83d6"
,
"0x000000000000000000000000000000000013ff20a10295d07fd0b16253a6775a"
,
"0x00000000000000000000000000000026d344ed7a87caa6087967171876052349"
,
"0x00000000000000000000000000000000002626bea2de7026dd6dd4e1df614a65"
,
"0x000000000000000000000000000000b264d3a3a6bb7a41d57f96e6877e5bb37d"
,
"0x0000000000000000000000000000000000275f1c996d71439acf76f03932c52c"
,
"0x000000000000000000000000000000c8b2af388b1f0b0832ca8f2a0154be54ce"
,
"0x00000000000000000000000000000000003020cfd271da8c447e2ccff6908c3a"
,
"0x00000000000000000000000000000008e8f770eef342595ebce4b42811af4966"
,
"0x000000000000000000000000000000000002ae8005a2c1cc97d4cdc896b54e70"
]
\ No newline at end of file
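Review bot: the file ends without a trailing newline (the `\ No newline at end of file` marker follows the closing `]`); add one so the last line diffs cleanly in later changes. The array is a long run of opaque 32-byte hex constants that no reviewer can check by eye, so the commit should record which tool, circuit and inputs produced them, letting a reviewer regenerate the file and compare it rather than trusting the pasted values.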