diff --git a/.github/workflows/tutorial.yml b/.github/workflows/tutorial.yml
index 0ed59d3f..135afca8 100644
--- a/.github/workflows/tutorial.yml
+++ b/.github/workflows/tutorial.yml
@@ -97,6 +97,7 @@ jobs:
{"a": 3, "b": 11}
EOT
snarkjs wtns calculate circuit.wasm input.json witness.wtns
+ snarkjs wtns check circuit.r1cs witness.wtns
- name: 23. Debug the final witness calculation
run: snarkjs wtns debug circuit.wasm input.json witness.wtns circuit.sym --trigger --get --set
- name: 24. Create the proof
diff --git a/build/cli.cjs b/build/cli.cjs
index 58ae175a..064fa977 100755
--- a/build/cli.cjs
+++ b/build/cli.cjs
@@ -13,9 +13,9 @@ var crypto = require('crypto');
var path = require('path');
var binFileUtils = require('@iden3/binfileutils');
var ejs = require('ejs');
-var bfj = require('bfj');
-var jsSha3 = require('js-sha3');
var circom_runtime = require('circom_runtime');
+var jsSha3 = require('js-sha3');
+var bfj = require('bfj');
var Logger = require('logplease');
function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
@@ -47,8 +47,8 @@ var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
var binFileUtils__namespace = /*#__PURE__*/_interopNamespace(binFileUtils);
var ejs__default = /*#__PURE__*/_interopDefaultLegacy(ejs);
-var bfj__default = /*#__PURE__*/_interopDefaultLegacy(bfj);
var jsSha3__default = /*#__PURE__*/_interopDefaultLegacy(jsSha3);
+var bfj__default = /*#__PURE__*/_interopDefaultLegacy(bfj);
var Logger__default = /*#__PURE__*/_interopDefaultLegacy(Logger);
/*
@@ -5366,7 +5366,7 @@ async function bellmanContribute(curve, challengeFilename, responesFileName, ent
along with snarkJS. If not, see .
*/
-const {stringifyBigInts: stringifyBigInts$7} = ffjavascript.utils;
+const {stringifyBigInts: stringifyBigInts$5} = ffjavascript.utils;
async function zkeyExportVerificationKey(zkeyName, logger) {
if (logger) logger.info("EXPORT VERIFICATION KEY STARTED");
@@ -5426,7 +5426,7 @@ async function groth16Vk(zkey, fd, sections) {
}
await binFileUtils__namespace.endReadSection(fd);
- vKey = stringifyBigInts$7(vKey);
+ vKey = stringifyBigInts$5(vKey);
return vKey;
}
@@ -5458,7 +5458,7 @@ async function plonkVk(zkey) {
w: curve.Fr.toObject(curve.Fr.w[zkey.power])
};
- vKey = stringifyBigInts$7(vKey);
+ vKey = stringifyBigInts$5(vKey);
return vKey;
}
@@ -5487,4009 +5487,3842 @@ async function exportFFlonkVk(zkey, logger) {
C0: curve.G1.toObject(zkey.C0),
};
- return stringifyBigInts$7(vKey);
+ return stringifyBigInts$5(vKey);
}
/*
- Copyright 2022 iden3 association.
+ Copyright 2021 0KIMS association.
- This file is part of snarkjs.
+ This file is part of snarkJS.
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
*/
-// We export to zkey the signals and values of the a, b, c, ql, qr, qm, qo and qc
-
-// a, b and c are signals id (32-bit integers)
-// ql, qr, qm, qo and qc are field values
+const {unstringifyBigInts: unstringifyBigInts$b, stringifyBigInts: stringifyBigInts$4} = ffjavascript.utils;
-function getFFlonkConstantConstraint(signal1, Fr) {
- return [signal1, 0, 0, Fr.one, Fr.zero, Fr.zero, Fr.zero, Fr.zero];
-}
+async function fflonkExportSolidityVerifier(vk, templates, logger) {
+ if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER STARTED");
-function getFFlonkAdditionConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc) {
- return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
-}
+ const curve = await getCurveFromName(vk.curve);
-function getFFlonkMultiplicationConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc, Fr) {
- return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
-}
+ // Precompute w3_2, w4_2 and w4_3
+ let w3 = fromVkey(vk.w3);
+ vk.w3_2 = toVkey(curve.Fr.square(w3));
-/*
- Copyright 2022 iden3 association.
+ let w4 = fromVkey(vk.w4);
+ vk.w4_2 = toVkey(curve.Fr.square(w4));
+ vk.w4_3 = toVkey(curve.Fr.mul(curve.Fr.square(w4), w4));
- This file is part of snarkjs.
+ let w8 = fromVkey(vk.w8);
+ let acc = curve.Fr.one;
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ for (let i = 1; i < 8; i++) {
+ acc = curve.Fr.mul(acc, w8);
+ vk["w8_" + i] = toVkey(acc);
+ }
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ let template = templates[vk.protocol];
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER FINISHED");
-const LINEAR_COMBINATION_NULLABLE = 0;
-const LINEAR_COMBINATION_CONSTANT = 1;
-const LINEAR_COMBINATION_VARIABLE = 2;
+ return ejs__default["default"].render(template, vk);
-class r1csConstraintProcessor {
- constructor(Fr, fnGetConstantConstraint, fnGetAdditionConstraint, fnGetMultiplicationConstraint, logger) {
- this.Fr = Fr;
- this.logger = logger;
- this.fnGetAdditionConstraint = fnGetAdditionConstraint;
- this.fnGetMultiplicationConstraint = fnGetMultiplicationConstraint;
+ function fromVkey(str) {
+ const val = unstringifyBigInts$b(str);
+ return curve.Fr.fromObject(val);
}
- processR1csConstraint(settings, lcA, lcB, lcC) {
- this.normalizeLinearCombination(lcA);
- this.normalizeLinearCombination(lcB);
- this.normalizeLinearCombination(lcC);
-
- const lctA = this.getLinearCombinationType(lcA);
- const lctB = this.getLinearCombinationType(lcB);
-
- if ((lctA === LINEAR_COMBINATION_NULLABLE) || (lctB === LINEAR_COMBINATION_NULLABLE)) {
- return this.processR1csAdditionConstraint(settings, lcC);
- } else if (lctA === LINEAR_COMBINATION_CONSTANT) {
- const lcCC = this.joinLinearCombinations(lcB, lcC, lcA[0]);
- return this.processR1csAdditionConstraint(settings, lcCC);
- } else if (lctB === LINEAR_COMBINATION_CONSTANT) {
- const lcCC = this.joinLinearCombinations(lcA, lcC, lcB[0]);
- return this.processR1csAdditionConstraint(settings, lcCC);
- } else {
- return this.processR1csMultiplicationConstraint(settings, lcA, lcB, lcC);
- }
+ function toVkey(val) {
+ const str = curve.Fr.toObject(val);
+ return stringifyBigInts$4(str);
}
+}
- getLinearCombinationType(linCom) {
- // let k = this.Fr.zero;
- //
- // const signalIds = Object.keys(linCom);
- // for (let i = 0; i < signalIds.length; i++) {
- // if (signalIds[i] === "0") {
- // k = this.Fr.add(k, linCom[signalIds[i]]);
- // } else {
- // return LINEAR_COMBINATION_VARIABLE;
- // }
- // }
- //
- // if (!this.Fr.eq(k, this.Fr.zero)) return LINEAR_COMBINATION_CONSTANT;
- //
- // return LINEAR_COMBINATION_NULLABLE;
+// Not ready yet
+// module.exports.generateVerifier_kimleeoh = generateVerifier_kimleeoh;
- let k = this.Fr.zero;
- let n = 0;
- const ss = Object.keys(linCom);
- for (let i = 0; i < ss.length; i++) {
- if (linCom[ss[i]] == 0n) {
- delete linCom[ss[i]];
- } else if (ss[i] == 0) {
- k = this.Fr.add(k, linCom[ss[i]]);
- } else {
- n++;
- }
- }
- if (n > 0) return LINEAR_COMBINATION_VARIABLE;
- if (!this.Fr.isZero(k)) return LINEAR_COMBINATION_CONSTANT;
- return LINEAR_COMBINATION_NULLABLE;
- }
+async function exportSolidityVerifier(zKeyName, templates, logger) {
- normalizeLinearCombination(linCom) {
- const signalIds = Object.keys(linCom);
- for (let i = 0; i < signalIds.length; i++) {
- if (this.Fr.isZero(linCom[signalIds[i]])) delete linCom[signalIds[i]];
- }
+ const verificationKey = await zkeyExportVerificationKey(zKeyName, logger);
- return linCom;
+ if ("fflonk" === verificationKey.protocol) {
+ return fflonkExportSolidityVerifier(verificationKey, templates, logger);
}
- joinLinearCombinations(linCom1, linCom2, k) {
- const res = {};
+ let template = templates[verificationKey.protocol];
- // for (let s in linCom1) {
- // const val = this.Fr.mul(k, linCom1[s]);
- // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
- // }
- //
- // for (let s in linCom2) {
- // const val = this.Fr.mul(k, linCom2[s]);
- // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
- // }
+ return ejs__default["default"].render(template, verificationKey);
+}
- for (let s in linCom1) {
- if (typeof res[s] == "undefined") {
- res[s] = this.Fr.mul(k, linCom1[s]);
- } else {
- res[s] = this.Fr.add(res[s], this.Fr.mul(k, linCom1[s]));
- }
- }
+/*
+ Copyright 2018 0KIMS association.
- for (let s in linCom2) {
- if (typeof res[s] == "undefined") {
- res[s] = linCom2[s];
- } else {
- res[s] = this.Fr.add(res[s], linCom2[s]);
- }
- }
+ This file is part of snarkJS.
- return this.normalizeLinearCombination(res);
- }
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- reduceCoefs(settings, constraintsArr, additionsArr, linCom, maxC) {
- const res = {
- k: this.Fr.zero,
- signals: [],
- coefs: []
- };
- const cs = [];
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- for (let signalId in linCom) {
- if (signalId == 0) {
- res.k = this.Fr.add(res.k, linCom[signalId]);
- } else if (linCom[signalId] != 0n) {
- cs.push([Number(signalId), linCom[signalId]]);
- }
- }
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
- while (cs.length > maxC) {
- const c1 = cs.shift();
- const c2 = cs.shift();
- const so = settings.nVars++;
- const constraints = this.fnGetAdditionConstraint(
- c1[0], c2[0], so,
- this.Fr.neg(c1[1]), this.Fr.neg(c2[1]), this.Fr.zero, this.Fr.one, this.Fr.zero);
+async function write(fd, witness, prime) {
- constraintsArr.push(constraints);
- additionsArr.push([c1[0], c2[0], c1[1], c2[1]]);
+ await binFileUtils__namespace.startWriteSection(fd, 1);
+ const n8 = (Math.floor( (ffjavascript.Scalar.bitLength(prime) - 1) / 64) +1)*8;
+ await fd.writeULE32(n8);
+ await binFileUtils__namespace.writeBigInt(fd, prime, n8);
+ await fd.writeULE32(witness.length);
+ await binFileUtils__namespace.endWriteSection(fd);
- cs.push([so, this.Fr.one]);
- }
+ await binFileUtils__namespace.startWriteSection(fd, 2);
+ for (let i=0; i.
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
*/
+const {stringifyBigInts: stringifyBigInts$3} = ffjavascript.utils;
-class Polynomial {
- constructor(coefficients, curve, logger) {
- this.coef = coefficients;
- this.curve = curve;
- this.Fr = curve.Fr;
- this.G1 = curve.G1;
- this.logger = logger;
- }
+async function groth16Prove$1(zkeyFileName, witnessFileName, logger) {
+ const {fd: fdWtns, sections: sectionsWtns} = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1<<25, 1<<23);
- static async fromEvaluations(buffer, curve, logger) {
- let coefficients = await curve.Fr.ifft(buffer);
+ const wtns = await readHeader(fdWtns, sectionsWtns);
- return new Polynomial(coefficients, curve, logger);
- }
+ const {fd: fdZKey, sections: sectionsZKey} = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1<<25, 1<<23);
- static fromCoefficientsArray(array, curve, logger) {
- const Fr = curve.Fr;
- let buff = array.length > 2 << 14 ?
- new ffjavascript.BigBuffer(array.length * Fr.n8) : new Uint8Array(array.length * Fr.n8);
- for (let i = 0; i < array.length; i++) buff.set(array[i], i * Fr.n8);
+ const zkey = await readHeader$1(fdZKey, sectionsZKey);
- return new Polynomial(buff, curve, logger);
+ if (zkey.protocol != "groth16") {
+ throw new Error("zkey file is not groth16");
}
- static fromPolynomial(polynomial, curve, logger) {
- let length = polynomial.length();
- let Fr = curve.Fr;
-
- let buff = length > 2 << 14 ?
- new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
- buff.set(polynomial.coef.slice(), 0);
-
- return new Polynomial(buff, curve, logger);
+ if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
+ throw new Error("Curve of the witness does not match the curve of the proving key");
}
- isEqual(polynomial) {
- const degree = this.degree();
- if (degree !== polynomial.degree()) return false;
+ if (wtns.nWitness != zkey.nVars) {
+ throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}`);
+ }
- for (let i = 0; i < degree + 1; i++) {
- if (!this.Fr.eq(this.getCoef(i), polynomial.getCoef(i))) return false;
- }
+ const curve = zkey.curve;
+ const Fr = curve.Fr;
+ const G1 = curve.G1;
+ const G2 = curve.G2;
- return true;
- }
+ const power = log2(zkey.domainSize);
- blindCoefficients(blindingFactors) {
- blindingFactors = blindingFactors || [];
+ if (logger) logger.debug("Reading Wtns");
+ const buffWitness = await binFileUtils__namespace.readSection(fdWtns, sectionsWtns, 2);
+ if (logger) logger.debug("Reading Coeffs");
+ const buffCoeffs = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 4);
- const blindedCoefficients = (this.length() + blindingFactors.length) > 2 << 14 ?
- new ffjavascript.BigBuffer((this.length() + blindingFactors.length) * this.Fr.n8) :
- new Uint8Array((this.length() + blindingFactors.length) * this.Fr.n8);
+ if (logger) logger.debug("Building ABC");
+ const [buffA_T, buffB_T, buffC_T] = await buildABC1(curve, zkey, buffWitness, buffCoeffs, logger);
- blindedCoefficients.set(this.coef, 0);
- for (let i = 0; i < blindingFactors.length; i++) {
- blindedCoefficients.set(
- this.Fr.add(
- blindedCoefficients.slice((this.length() + i) * this.Fr.n8, (this.length() + i + 1) * this.Fr.n8),
- blindingFactors[i]
- ),
- (this.length() + i) * this.Fr.n8
- );
- blindedCoefficients.set(
- this.Fr.sub(
- blindedCoefficients.slice(i * this.Fr.n8, (i + 1) * this.Fr.n8),
- blindingFactors[i]
- ),
- i * this.Fr.n8
- );
- }
- this.coef = blindedCoefficients;
- }
+ const inc = power == Fr.s ? curve.Fr.shift : curve.Fr.w[power+1];
- getCoef(index) {
- const i_n8 = index * this.Fr.n8;
+ const buffA = await Fr.ifft(buffA_T, "", "", logger, "IFFT_A");
+ const buffAodd = await Fr.batchApplyKey(buffA, Fr.e(1), inc);
+ const buffAodd_T = await Fr.fft(buffAodd, "", "", logger, "FFT_A");
- if (i_n8 + this.Fr.n8 > this.coef.byteLength) return this.Fr.zero;
+ const buffB = await Fr.ifft(buffB_T, "", "", logger, "IFFT_B");
+ const buffBodd = await Fr.batchApplyKey(buffB, Fr.e(1), inc);
+ const buffBodd_T = await Fr.fft(buffBodd, "", "", logger, "FFT_B");
- return this.coef.slice(i_n8, i_n8 + this.Fr.n8);
- }
+ const buffC = await Fr.ifft(buffC_T, "", "", logger, "IFFT_C");
+ const buffCodd = await Fr.batchApplyKey(buffC, Fr.e(1), inc);
+ const buffCodd_T = await Fr.fft(buffCodd, "", "", logger, "FFT_C");
- setCoef(index, value) {
- if (index > (this.length() - 1)) {
- throw new Error("Coef index is not available");
- }
+ if (logger) logger.debug("Join ABC");
+ const buffPodd_T = await joinABC(curve, zkey, buffAodd_T, buffBodd_T, buffCodd_T, logger);
- this.coef.set(value, index * this.Fr.n8);
- }
+ let proof = {};
- static async to4T(buffer, domainSize, blindingFactors, Fr) {
- blindingFactors = blindingFactors || [];
- let a = await Fr.ifft(buffer);
+ if (logger) logger.debug("Reading A Points");
+ const buffBasesA = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 5);
+ proof.pi_a = await curve.G1.multiExpAffine(buffBasesA, buffWitness, logger, "multiexp A");
- const a4 = (domainSize * 4) > 2 << 14 ?
- new ffjavascript.BigBuffer(domainSize * 4 * Fr.n8) : new Uint8Array(domainSize * 4 * Fr.n8);
- a4.set(a, 0);
+ if (logger) logger.debug("Reading B1 Points");
+ const buffBasesB1 = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 6);
+ let pib1 = await curve.G1.multiExpAffine(buffBasesB1, buffWitness, logger, "multiexp B1");
- const A4 = await Fr.fft(a4);
+ if (logger) logger.debug("Reading B2 Points");
+ const buffBasesB2 = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 7);
+ proof.pi_b = await curve.G2.multiExpAffine(buffBasesB2, buffWitness, logger, "multiexp B2");
- if (blindingFactors.length === 0) {
- return [a, A4];
- }
+ if (logger) logger.debug("Reading C Points");
+ const buffBasesC = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 8);
+ proof.pi_c = await curve.G1.multiExpAffine(buffBasesC, buffWitness.slice((zkey.nPublic+1)*curve.Fr.n8), logger, "multiexp C");
- const a1 = domainSize + blindingFactors.length > 2 << 14 ?
- new ffjavascript.BigBuffer((domainSize + blindingFactors.length) * Fr.n8) :
- new Uint8Array((domainSize + blindingFactors.length) * Fr.n8);
+ if (logger) logger.debug("Reading H Points");
+ const buffBasesH = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 9);
+ const resH = await curve.G1.multiExpAffine(buffBasesH, buffPodd_T, logger, "multiexp H");
- a1.set(a, 0);
- for (let i = 0; i < blindingFactors.length; i++) {
- a1.set(
- Fr.add(
- a1.slice((domainSize + i) * Fr.n8, (domainSize + i + 1) * Fr.n8),
- blindingFactors[i]
- ),
- (domainSize + i) * Fr.n8
- );
- a1.set(
- Fr.sub(
- a1.slice(i * Fr.n8, (i + 1) * Fr.n8),
- blindingFactors[i]
- ),
- i * Fr.n8
- );
- }
+ const r = curve.Fr.random();
+ const s = curve.Fr.random();
- return [a1, A4];
- }
+ proof.pi_a = G1.add( proof.pi_a, zkey.vk_alpha_1 );
+ proof.pi_a = G1.add( proof.pi_a, G1.timesFr( zkey.vk_delta_1, r ));
- length() {
- let length = this.coef.byteLength / this.Fr.n8;
- if (length !== Math.floor(this.coef.byteLength / this.Fr.n8)) {
- throw new Error("Polynomial coefficients buffer has incorrect size");
- }
- if (0 === length) {
- if (this.logger) {
- this.logger.warn("Polynomial has length zero");
- }
- }
- return length;
- }
+ proof.pi_b = G2.add( proof.pi_b, zkey.vk_beta_2 );
+ proof.pi_b = G2.add( proof.pi_b, G2.timesFr( zkey.vk_delta_2, s ));
- degree() {
- for (let i = this.length() - 1; i > 0; i--) {
- const i_n8 = i * this.Fr.n8;
- if (!this.Fr.eq(this.Fr.zero, this.coef.slice(i_n8, i_n8 + this.Fr.n8))) {
- return i;
- }
- }
+ pib1 = G1.add( pib1, zkey.vk_beta_1 );
+ pib1 = G1.add( pib1, G1.timesFr( zkey.vk_delta_1, s ));
- return 0;
- }
+ proof.pi_c = G1.add(proof.pi_c, resH);
- evaluate(point) {
- let res = this.Fr.zero;
- for (let i = this.degree() + 1; i > 0; i--) {
- let i_n8 = i * this.Fr.n8;
- const currentCoefficient = this.coef.slice(i_n8 - this.Fr.n8, i_n8);
- res = this.Fr.add(currentCoefficient, this.Fr.mul(res, point));
- }
+ proof.pi_c = G1.add( proof.pi_c, G1.timesFr( proof.pi_a, s ));
+ proof.pi_c = G1.add( proof.pi_c, G1.timesFr( pib1, r ));
+ proof.pi_c = G1.add( proof.pi_c, G1.timesFr( zkey.vk_delta_1, Fr.neg(Fr.mul(r,s) )));
- return res;
+
+ let publicSignals = [];
+
+ for (let i=1; i<= zkey.nPublic; i++) {
+ const b = buffWitness.slice(i*Fr.n8, i*Fr.n8+Fr.n8);
+ publicSignals.push(ffjavascript.Scalar.fromRprLE(b));
}
- fastEvaluate(point) {
- const Fr = this.Fr;
- let nThreads = 3;
+ proof.pi_a = G1.toObject(G1.toAffine(proof.pi_a));
+ proof.pi_b = G2.toObject(G2.toAffine(proof.pi_b));
+ proof.pi_c = G1.toObject(G1.toAffine(proof.pi_c));
- let nCoefs = this.degree() + 1;
- let coefsThread = parseInt(nCoefs / nThreads);
- let residualCoefs = nCoefs - coefsThread * nThreads;
+ proof.protocol = "groth16";
+ proof.curve = curve.name;
- let res = [];
- let xN = [];
+ await fdZKey.close();
+ await fdWtns.close();
- xN[0] = Fr.one;
+ proof = stringifyBigInts$3(proof);
+ publicSignals = stringifyBigInts$3(publicSignals);
- for (let i = 0; i < nThreads; i++) {
- res[i] = Fr.zero;
+ return {proof, publicSignals};
+}
- let nCoefs = i === (nThreads - 1) ? coefsThread + residualCoefs : coefsThread;
- for (let j = nCoefs; j > 0; j--) {
- res[i] = Fr.add(this.getCoef((i * coefsThread) + j - 1), Fr.mul(res[i], point));
- if (i === 0) xN[0] = Fr.mul(xN[0], point);
- }
- }
+async function buildABC1(curve, zkey, witness, coeffs, logger) {
+ const n8 = curve.Fr.n8;
+ const sCoef = 4*3 + zkey.n8r;
+ const nCoef = (coeffs.byteLength-4) / sCoef;
- for (let i = 1; i < nThreads; i++) {
- res[0] = Fr.add(res[0], Fr.mul(xN[i - 1], res[i]));
- xN[i] = Fr.mul(xN[i - 1], xN[0]);
- }
+ const outBuffA = new ffjavascript.BigBuffer(zkey.domainSize * n8);
+ const outBuffB = new ffjavascript.BigBuffer(zkey.domainSize * n8);
+ const outBuffC = new ffjavascript.BigBuffer(zkey.domainSize * n8);
- return res[0];
+ const outBuf = [ outBuffA, outBuffB ];
+ for (let i=0; i this.length()) {
- other = true;
- }
+ return [outBuffA, outBuffB, outBuffC];
- const thisLength = this.length();
- const polyLength = polynomial.length();
- for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
- const i_n8 = i * this.Fr.n8;
+}
- const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
- let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+/*
+async function buldABC(curve, zkey, witness, coeffs, logger) {
+ const concurrency = curve.tm.concurrency;
+ const sCoef = 4*3 + zkey.n8r;
- if (blindingValue !== undefined) {
- b = this.Fr.mul(b, blindingValue);
- }
- if (other) {
- polynomial.coef.set(this.Fr.add(a, b), i_n8);
- } else {
- this.coef.set(this.Fr.add(a, b), i_n8);
- }
- }
- if (other) {
- delete this.coef;
- this.coef = polynomial.coef;
+ let getUint32;
+
+ if (coeffs instanceof BigBuffer) {
+ const coeffsDV = [];
+ const PAGE_LEN = coeffs.buffers[0].length;
+ for (let i=0; i< coeffs.buffers.length; i++) {
+ coeffsDV.push(new DataView(coeffs.buffers[i].buffer));
}
+ getUint32 = function (pos) {
+ return coeffsDV[Math.floor(pos/PAGE_LEN)].getUint32(pos % PAGE_LEN, true);
+ };
+ } else {
+ const coeffsDV = new DataView(coeffs.buffer, coeffs.byteOffset, coeffs.byteLength);
+ getUint32 = function (pos) {
+ return coeffsDV.getUint32(pos, true);
+ };
}
- sub(polynomial, blindingValue) {
- let other = false;
-
- if (polynomial.length() > this.length()) {
- other = true;
- }
+ const elementsPerChunk = Math.floor(zkey.domainSize/concurrency);
+ const promises = [];
- const thisLength = this.length();
- const polyLength = polynomial.length();
- for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
- const i_n8 = i * this.Fr.n8;
+ const cutPoints = [];
+ for (let i=0; i1) {
+ const promises2 = [];
+ for (let i=0; i v) {
+ n = k - 1;
+ } else if (va < v) {
+ m = k + 1;
+ } else {
+ n = k;
+ }
+ }
+ return 4 + m*sCoef;
}
+}
+*/
- // Multiply current polynomial by the polynomial (X - value)
- byXSubValue(value) {
- const Fr = this.Fr;
- const resize = !Fr.eq(Fr.zero, this.getCoef(this.length() - 1));
+async function joinABC(curve, zkey, a, b, c, logger) {
+ const MAX_CHUNK_SIZE = 1 << 22;
- const length = resize ? this.length() + 1 : this.length();
- const buff = length > 2 << 14 ? new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
- let pol = new Polynomial(buff, this.curve, this.logger);
-
- // Step 0: Set current coefficients to the new buffer shifted one position
- pol.coef.set(this.coef.slice(0, (length - 1) * Fr.n8), 32);
-
- // Step 1: multiply each coefficient by (-value)
- this.mulScalar(Fr.neg(value));
+ const n8 = curve.Fr.n8;
+ const nElements = Math.floor(a.byteLength / curve.Fr.n8);
- // Step 2: Add current polynomial to destination polynomial
- pol.add(this);
+ const promises = [];
- // Swap buffers
- this.coef = pol.coef;
- }
+ for (let i=0; i= this.degree());
+ const task = [];
- const length = resize ? this.length() + n : this.length();
- const buff = length > 2 << 14 ? new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
- let pol = new Polynomial(buff, this.curve, this.logger);
+ const aChunk = a.slice(i*n8, (i + n)*n8 );
+ const bChunk = b.slice(i*n8, (i + n)*n8 );
+ const cChunk = c.slice(i*n8, (i + n)*n8 );
- // Step 0: Set current coefficients to the new buffer shifted one position
- pol.coef.set(this.coef.slice(0, (this.degree() + 1) * 32, ), n * 32);
+ task.push({cmd: "ALLOCSET", var: 0, buff: aChunk});
+ task.push({cmd: "ALLOCSET", var: 1, buff: bChunk});
+ task.push({cmd: "ALLOCSET", var: 2, buff: cChunk});
+ task.push({cmd: "ALLOC", var: 3, len: n*n8});
+ task.push({cmd: "CALL", fnName: "qap_joinABC", params:[
+ {var: 0},
+ {var: 1},
+ {var: 2},
+ {val: n},
+ {var: 3},
+ ]});
+ task.push({cmd: "CALL", fnName: "frm_batchFromMontgomery", params:[
+ {var: 3},
+ {val: n},
+ {var: 3}
+ ]});
+ task.push({cmd: "GET", out: 0, var: 3, len: n*n8});
+ promises.push(curve.tm.queueAction(task));
+ }
- // Step 1: multiply each coefficient by (- value)
- this.mulScalar(value);
+ const result = await Promise.all(promises);
- // Step 2: Add current polynomial to destination polynomial
- pol.add(this);
+ let outBuff;
+ if (a instanceof ffjavascript.BigBuffer) {
+ outBuff = new ffjavascript.BigBuffer(a.byteLength);
+ } else {
+ outBuff = new Uint8Array(a.byteLength);
+ }
- // Swap buffers
- this.coef = pol.coef;
+ let p=0;
+ for (let i=0; i 2 << 14 ?
- new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+ This file is part of snarkJS.
- for (let i = degreeA - degreeB; i >= 0; i--) {
- this.setCoef(i, Fr.div(polR.getCoef(i + degreeB), polynomial.getCoef(degreeB)));
- for (let j = 0; j <= degreeB; j++) {
- polR.setCoef(i + j, Fr.sub(polR.getCoef(i + j), Fr.mul(this.getCoef(i), polynomial.getCoef(j))));
- }
- }
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- return polR;
- }
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- // Division by a Polynomial of the form (x^m - beta)
- divByMonic(m, beta) {
- const Fr = this.Fr;
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+const { unstringifyBigInts: unstringifyBigInts$a} = ffjavascript.utils;
- let d = this.degree();
+async function wtnsCalculate$1(_input, wasmFileName, wtnsFileName, options) {
+ const input = unstringifyBigInts$a(_input);
- let buffer = this.length() > 2 << 14 ?
- new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
- let quotient = new Polynomial(buffer, this.curve, this.logger);
+ const fdWasm = await fastFile__namespace.readExisting(wasmFileName);
+ const wasm = await fdWasm.read(fdWasm.totalSize);
+ await fdWasm.close();
- let bArr = [];
+ const wc = await circom_runtime.WitnessCalculatorBuilder(wasm);
+ if (wc.circom_version() == 1) {
+ const w = await wc.calculateBinWitness(input);
- // Add the m leading coefficients of this to quotient
- for (let i = 0; i < m; i++) {
- quotient.setCoef((d - i) - m, this.getCoef(d - i));
- bArr[i] = this.getCoef(d - i);
- }
+ const fdWtns = await binFileUtils__namespace.createBinFile(wtnsFileName, "wtns", 2, 2);
- let nThreads = m;
- for (let k = 0; k < nThreads; k++) {
- for (let i = d - 2 * m - k; i >= 0; i = i - nThreads) {
- if (i < 0) break;
- let idx = k;
- bArr[idx] = Fr.add(this.getCoef(i + m), Fr.mul(bArr[idx], beta));
+ await writeBin(fdWtns, w, wc.prime);
+ await fdWtns.close();
+ } else {
+ const fdWtns = await fastFile__namespace.createOverride(wtnsFileName);
- quotient.setCoef(i, bArr[idx]);
- }
- }
+ const w = await wc.calculateWTNSBin(input);
- this.coef = quotient.coef;
+ await fdWtns.write(w);
+ await fdWtns.close();
}
+}
- divByVanishing(n, beta) {
- if (this.degree() < n) {
- throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
- }
+/*
+ Copyright 2018 0KIMS association.
- const Fr = this.Fr;
+ This file is part of snarkJS.
- let polR = new Polynomial(this.coef, this.curve, this.logger);
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- this.coef = this.length() > 2 << 14 ?
- new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- for (let i = this.length() - 1; i >= n; i--) {
- let leadingCoef = polR.getCoef(i);
- if (Fr.eq(Fr.zero, leadingCoef)) continue;
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+const {unstringifyBigInts: unstringifyBigInts$9} = ffjavascript.utils;
- polR.setCoef(i, Fr.zero);
- polR.setCoef(i - n, Fr.add(polR.getCoef(i - n), Fr.mul(beta, leadingCoef)));
- this.setCoef(i - n, Fr.add(this.getCoef(i - n), leadingCoef));
- }
+async function groth16FullProve$1(_input, wasmFile, zkeyFileName, logger) {
+ const input = unstringifyBigInts$9(_input);
- return polR;
- }
+ const wtns= {
+ type: "mem"
+ };
+ await wtnsCalculate$1(input, wasmFile, wtns);
+ return await groth16Prove$1(zkeyFileName, wtns, logger);
+}
- divByVanishing2(m, beta) {
- if (this.degree() < m) {
- throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
- }
+/*
+ Copyright 2018 0kims association.
- const Fr = this.Fr;
+ This file is part of snarkjs.
- let polR = new Polynomial(this.coef, this.curve, this.logger);
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- this.coef = this.length() > 2 << 14 ?
- new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- let nThreads = 3;
- let nTotal = this.length() - m;
- let nElementsChunk = Math.floor(nTotal / nThreads);
- let nElementsLast = nTotal - (nThreads - 1) * nElementsChunk;
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+const {unstringifyBigInts: unstringifyBigInts$8} = ffjavascript.utils;
- console.log(nTotal);
- console.log(nElementsChunk + " " + nElementsLast);
- for (let k = 0; k < nThreads; k++) {
- console.log("> Thread " + k);
- for (let i = (k === 0 ? nElementsLast : nElementsChunk); i > 0; i--) {
- let idxDst = i - 1;
- if (k !== 0) idxDst += (k - 1) * nElementsChunk + nElementsLast;
- let idxSrc = idxDst + m;
+async function groth16Verify$1(_vk_verifier, _publicSignals, _proof, logger) {
+/*
+ let cpub = vk_verifier.IC[0];
+ for (let s= 0; s< vk_verifier.nPublic; s++) {
+ cpub = G1.add( cpub, G1.timesScalar( vk_verifier.IC[s+1], publicSignals[s]));
+ }
+*/
- let leadingCoef = polR.getCoef(idxSrc);
- if (Fr.eq(Fr.zero, leadingCoef)) continue;
+ const vk_verifier = unstringifyBigInts$8(_vk_verifier);
+ const proof = unstringifyBigInts$8(_proof);
+ const publicSignals = unstringifyBigInts$8(_publicSignals);
- polR.setCoef(idxSrc, Fr.zero);
- polR.setCoef(idxDst, Fr.add(polR.getCoef(idxDst), Fr.mul(beta, leadingCoef)));
- this.setCoef(idxDst, Fr.add(this.getCoef(idxDst), leadingCoef));
- console.log(idxDst + " <-- " + idxSrc);
- }
- }
+ const curve = await getCurveFromName(vk_verifier.curve);
- this.print();
- return polR;
+ const IC0 = curve.G1.fromObject(vk_verifier.IC[0]);
+ const IC = new Uint8Array(curve.G1.F.n8*2 * publicSignals.length);
+ const w = new Uint8Array(curve.Fr.n8 * publicSignals.length);
+
+ for (let i=0; i 2 << 14 ?
- new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8), this.curve, this.logger);
-
- let ptr = this.coef;
- this.coef = polTmp.coef;
- polTmp.coef = ptr;
+ vk_alpha_1, vk_beta_2
+ );
- // STEP 1: Setejar els m valors del següent bucket al chunk actual, PARALEL·LITZAR
- for (let k = 0; k < nThreads; k++) {
- let idx0 = (k + 1) * nElementsChunk + nElementsLast;
- for (let i = 0; i < m; i++) {
- this.setCoef(idx0 + i - m, polTmp.getCoef(idx0 + i));
- }
+ if (! res) {
+ if (logger) logger.error("Invalid proof");
+ return false;
+ }
- for (let i = 0; i < nElementsChunk - m; i++) {
- let offset = idx0 - i - 1;
- let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
- this.setCoef(offset - m, val);
- }
- }
+ if (logger) logger.info("OK!");
+ return true;
+}
- //STEP 2: Setejar els valors del elements last NO PARAL·LELITZAR
- let idx0 = nElementsLast;
- let pending = nElementsLast;
- for (let i = 0; i < m && pending; i++) {
- this.setCoef(idx0 - i - 1, polTmp.getCoef(idx0 + m - i - 1));
- pending--;
- }
+/*
+ Copyright 2018 0KIMS association.
- for (let i = 0; i < pending; i++) {
- let offset = idx0 - i - 1;
- let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
- this.setCoef(offset - m, val);
- }
+ This file is part of snarkJS.
- //Step 3: calcular acumulats NO PARALEL·LITZAR
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- let acc = [];
- let betaPow = Fr.one;
- for (let i = 0; i < nElementsBucket; i++) {
- betaPow = Fr.mul(betaPow, beta);
- }
- let currentBeta = Fr.one;
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- for (let k = nThreads; k > 0; k--) {
- let idThread = k - 1;
- let idx0 = idThread * nElementsChunk + nElementsLast;
- acc[idThread] = [];
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+const { unstringifyBigInts: unstringifyBigInts$7} = ffjavascript.utils;
- for (let i = 0; i < m; i++) {
- acc[idThread][i] = this.getCoef(idx0 + i);
+function p256$2(n) {
+ let nstr = n.toString(16);
+ while (nstr.length < 64) nstr = "0"+nstr;
+ nstr = `"0x${nstr}"`;
+ return nstr;
+}
- if (k !== nThreads) {
- acc[idThread][i] = Fr.add(acc[idThread][i], Fr.mul(betaPow, acc[idThread + 1][i]));
- }
- }
- currentBeta = Fr.mul(currentBeta, betaPow);
- }
+async function groth16ExportSolidityCallData(_proof, _pub) {
+ const proof = unstringifyBigInts$7(_proof);
+ const pub = unstringifyBigInts$7(_pub);
- //STEP 4 recalcular PARALEL·LITZAR
- for (let k = 0; k < nThreads; k++) {
+ let inputs = "";
+ for (let i=0; i 2 << 14 ?
- new ffjavascript.BigBuffer(this.length() * this.Fr.n8) : new Uint8Array(this.length() * this.Fr.n8);
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- coefs.set(this.Fr.zero, (this.length() - 1) * this.Fr.n8);
- coefs.set(this.coef.slice((this.length() - 1) * this.Fr.n8, this.length() * this.Fr.n8), (this.length() - 2) * this.Fr.n8);
- for (let i = this.length() - 3; i >= 0; i--) {
- let i_n8 = i * this.Fr.n8;
- coefs.set(
- this.Fr.add(
- this.coef.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8),
- this.Fr.mul(value, coefs.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8))
- ),
- i * this.Fr.n8
- );
- }
- if (!this.Fr.eq(
- this.coef.slice(0, this.Fr.n8),
- this.Fr.mul(this.Fr.neg(value), coefs.slice(0, this.Fr.n8))
- )) {
- throw new Error("Polynomial does not divide");
- }
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
- this.coef = coefs;
- }
- divZh(domainSize, extensions = 4) {
- for (let i = 0; i < domainSize; i++) {
- const i_n8 = i * this.Fr.n8;
- this.coef.set(this.Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8)), i_n8);
- }
+async function plonkSetup$1(r1csName, ptauName, zkeyName, logger) {
- for (let i = domainSize; i < domainSize * extensions; i++) {
- const i_n8 = i * this.Fr.n8;
+ if (globalThis.gc) {globalThis.gc();}
- const a = this.Fr.sub(
- this.coef.slice((i - domainSize) * this.Fr.n8, (i - domainSize) * this.Fr.n8 + this.Fr.n8),
- this.coef.slice(i_n8, i_n8 + this.Fr.n8)
- );
- this.coef.set(a, i_n8);
- if (i > (domainSize * (extensions-1) - extensions)) {
- if (!this.Fr.isZero(a)) {
- throw new Error("Polynomial is not divisible");
- }
- }
- }
+ await Blake2b__default["default"].ready();
- return this;
- }
+ const {fd: fdPTau, sections: sectionsPTau} = await binFileUtils.readBinFile(ptauName, "ptau", 1, 1<<22, 1<<24);
+ const {curve, power} = await readPTauHeader(fdPTau, sectionsPTau);
+ const {fd: fdR1cs, sections: sectionsR1cs} = await binFileUtils.readBinFile(r1csName, "r1cs", 1, 1<<22, 1<<24);
- divByZerofier(n, beta) {
- let Fr = this.Fr;
- const invBeta = Fr.inv(beta);
- const invBetaNeg = Fr.neg(invBeta);
+ const r1cs = await r1csfile.readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: true, loadCustomGates: true});
- let isOne = Fr.eq(Fr.one, invBetaNeg);
- let isNegOne = Fr.eq(Fr.negone, invBetaNeg);
+ const sG1 = curve.G1.F.n8*2;
+ const G1 = curve.G1;
+ const sG2 = curve.G2.F.n8*2;
+ const Fr = curve.Fr;
+ const n8r = curve.Fr.n8;
- if (!isOne) {
- for (let i = 0; i < n; i++) {
- const i_n8 = i * this.Fr.n8;
- let element;
+ if (logger) logger.info("Reading r1cs");
+ await binFileUtils.readSection(fdR1cs, sectionsR1cs, 2);
- // If invBetaNeg === -1 we'll save a multiplication changing it by a neg function call
- if (isNegOne) {
- element = Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8));
- } else {
- element = Fr.mul(invBetaNeg, this.coef.slice(i_n8, i_n8 + this.Fr.n8));
- }
+ const plonkConstraints = new BigArray();
+ const plonkAdditions = new BigArray();
+ let plonkNVars = r1cs.nVars;
- this.coef.set(element, i_n8);
- }
- }
+ const nPublic = r1cs.nOutputs + r1cs.nPubInputs;
- isOne = Fr.eq(Fr.one, invBeta);
- isNegOne = Fr.eq(Fr.negone, invBeta);
+ await processConstraints(curve.Fr, r1cs, logger);
- for (let i = n; i < this.length(); i++) {
- const i_n8 = i * this.Fr.n8;
- const i_prev_n8 = (i - n) * this.Fr.n8;
+ if (globalThis.gc) {globalThis.gc();}
- let element = this.Fr.sub(
- this.coef.slice(i_prev_n8, i_prev_n8 + this.Fr.n8),
- this.coef.slice(i_n8, i_n8 + this.Fr.n8)
- );
+ const fdZKey = await binFileUtils.createBinFile(zkeyName, "zkey", 1, 14, 1<<22, 1<<24);
- // If invBeta === 1 we'll not do anything
- if(!isOne) {
- // If invBeta === -1 we'll save a multiplication changing it by a neg function call
- if(isNegOne) {
- element = Fr.neg(element);
- } else {
- element = Fr.mul(invBeta, element);
- }
- }
- this.coef.set(element, i_n8);
+ if (r1cs.prime != curve.r) {
+ if (logger) logger.error("r1cs curve does not match powers of tau ceremony curve");
+ return -1;
+ }
- // Check if polynomial is divisible by checking if n high coefficients are zero
- if (i > this.length() - n - 1) {
- if (!this.Fr.isZero(element)) {
- throw new Error("Polynomial is not divisible");
- }
- }
- }
+ let cirPower = log2(plonkConstraints.length -1) +1;
+ if (cirPower < 3) cirPower = 3; // As the t polinomal is n+5 whe need at least a power of 4
+ const domainSize = 2 ** cirPower;
- return this;
+ if (logger) logger.info("Plonk constraints: " + plonkConstraints.length);
+ if (cirPower > power) {
+ if (logger) logger.error(`circuit too big for this power of tau ceremony. ${plonkConstraints.length} > 2**${power}`);
+ return -1;
}
-// function divideByVanishing(f, n, p) {
-// // polynomial division f(X) / (X^n - 1) with remainder
-// // very cheap, 0 multiplications
-// // strategy:
-// // start with q(X) = 0, r(X) = f(X)
-// // then start changing q, r while preserving the identity:
-// // f(X) = q(X) * (X^n - 1) + r(X)
-// // in every step, move highest-degree term of r into the product
-// // => r eventually has degree < n and we're done
-// let q = Array(f.length).fill(0n);
-// let r = [...f];
-// for (let i = f.length - 1; i >= n; i--) {
-// let leadingCoeff = r[i];
-// if (leadingCoeff === 0n) continue;
-// r[i] = 0n;
-// r[i - n] = mod(r[i - n] + leadingCoeff, p);
-// q[i - n] = mod(q[i - n] + leadingCoeff, p);
-// }
-// return [q, r];
-// }
+ if (!sectionsPTau[12]) {
+ if (logger) logger.error("Powers of tau is not prepared.");
+ return -1;
+ }
- byX() {
- const coefs = (this.length() + 1) > 2 << 14 ?
- new ffjavascript.BigBuffer(this.coef.byteLength + this.Fr.n8) : new Uint8Array(this.coef.byteLength + this.Fr.n8);
- coefs.set(this.Fr.zero, 0);
- coefs.set(this.coef, this.Fr.n8);
- this.coef = coefs;
- }
+ const LPoints = new ffjavascript.BigBuffer(domainSize*sG1);
+ const o = sectionsPTau[12][0].p + ((2 ** (cirPower)) -1)*sG1;
+ await fdPTau.readToBuffer(LPoints, 0, domainSize*sG1, o);
-// Compute a new polynomial f(x^n) from f(x)
-// f(x) = a_0 + a_1·x + a_2·x^2 + ... + a_j·x^j
-// f(x^n) = a_0 + a_1·x^n + a_2·x^2n + ... + a_j·x^jn
- static
- async expX(polynomial, n, truncate = false) {
- const Fr = polynomial.Fr;
+ const [k1, k2] = getK1K2();
- if (n < 1) {
- // n == 0 not allowed because it has no sense, but if it's necessary we have to return
- // a zero degree polynomial with a constant coefficient equals to the sum of all the original coefficients
- throw new Error("Compute a new polynomial to a zero or negative number is not allowed");
- } else if (1 === n) {
- return await Polynomial.fromEvaluations(polynomial.coef, curve, polynomial.logger);
- }
+ const vk = {};
- // length is the length of non-constant coefficients
- // if truncate === true, the highest zero coefficients (if exist) will be removed
- const length = truncate ? polynomial.degree() : (polynomial.length() - 1);
- const bufferDst = (length * n + 1) > 2 << 14 ?
- new ffjavascript.BigBuffer((length * n + 1) * Fr.n8) : new Uint8Array((length * n + 1) * Fr.n8);
- // Copy constant coefficient as is because is not related to x
- bufferDst.set(polynomial.getCoef(0), 0);
+ await writeAdditions(3, "Additions");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeWitnessMap(4, 0, "Amap");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeWitnessMap(5, 1, "Bmap");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeWitnessMap(6, 2, "Cmap");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(7, 3, "Qm");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(8, 4, "Ql");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(9, 5, "Qr");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(10, 6, "Qo");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(11, 7, "Qc");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeSigma(12, "sigma");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeLs(13, "lagrange polynomials");
+ if (globalThis.gc) {globalThis.gc();}
- for (let i = 1; i <= length; i++) {
- const i_sFr = i * Fr.n8;
+ // Write PTau points
+ ////////////
- const coef = polynomial.getCoef(i);
- bufferDst.set(coef, i_sFr * n);
- }
+ await binFileUtils.startWriteSection(fdZKey, 14);
+ const buffOut = new ffjavascript.BigBuffer((domainSize+6)*sG1);
+ await fdPTau.readToBuffer(buffOut, 0, (domainSize+6)*sG1, sectionsPTau[2][0].p);
+ await fdZKey.write(buffOut);
+ await binFileUtils.endWriteSection(fdZKey);
+ if (globalThis.gc) {globalThis.gc();}
- return new Polynomial(bufferDst, polynomial.curve, polynomial.logger);
- }
- split(numPols, degPols, blindingFactors) {
- if (numPols < 1) {
- throw new Error(`Polynomials can't be split in ${numPols} parts`);
- } else if (1 === numPols) {
- return [this];
- }
+ await writeHeaders();
- //blinding factors can be void or must have a length of numPols - 1
- if (0 !== blindingFactors.length && blindingFactors.length < numPols - 1) {
- throw new Error(`Blinding factors length must be ${numPols - 1}`);
- }
+ await fdZKey.close();
+ await fdR1cs.close();
+ await fdPTau.close();
- const chunkByteLength = (degPols + 1) * this.Fr.n8;
- let res = [];
+ if (logger) logger.info("Setup Finished");
- // Check polynomial can be split in numChunks parts of chunkSize bytes...
- const numRealPols = Math.ceil((this.degree() + 1) * this.Fr.n8 / chunkByteLength);
- if (numRealPols < numPols) {
- //throw new Error(`Polynomial is short to be split in ${numPols} parts of ${degPols} coefficients each.`);
- for (let i = numRealPols; i < numPols; i++) {
- res[i] = new Polynomial(new Uint8Array(this.Fr.n8), this.curve, this.logger);
+ return ;
+
+ async function processConstraints(Fr, r1cs, logger) {
+
+ function normalize(linearComb) {
+ const ss = Object.keys(linearComb);
+ for (let i = 0; i < ss.length; i++) {
+ if (linearComb[ss[i]] == 0n) delete linearComb[ss[i]];
}
}
- numPols = Math.min(numPols, numRealPols);
- for (let i = 0; i < numPols; i++) {
- const isLast = (numPols - 1) === i;
- const byteLength = isLast ? this.coef.byteLength - ((numPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
-
- let buff = (byteLength / this.Fr.n8) > 2 << 14 ? new ffjavascript.BigBuffer(byteLength) : new Uint8Array(byteLength);
- res[i] = new Polynomial(buff, this.curve, this.logger);
+ function join(linearComb1, k, linearComb2) {
+ const res = {};
- const fr = i * chunkByteLength;
- const to = isLast ? this.coef.byteLength : (i + 1) * chunkByteLength;
- res[i].coef.set(this.coef.slice(fr, to), 0);
+ for (let s in linearComb1) {
+ if (typeof res[s] == "undefined") {
+ res[s] = Fr.mul(k, linearComb1[s]);
+ } else {
+ res[s] = Fr.add(res[s], Fr.mul(k, linearComb1[s]));
+ }
+ }
- // Add a blinding factor as higher degree
- if (!isLast) {
- res[i].coef.set(blindingFactors[i], chunkByteLength);
+ for (let s in linearComb2) {
+ if (typeof res[s] == "undefined") {
+ res[s] = linearComb2[s];
+ } else {
+ res[s] = Fr.add(res[s], linearComb2[s]);
+ }
}
+ normalize(res);
+ return res;
+ }
- // Sub blinding factor to the lowest degree
- if (0 !== i) {
- const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
- res[i].coef.set(lowestDegree, 0);
+ function reduceCoefs(linearComb, maxC) {
+ const res = {
+ k: Fr.zero,
+ s: [],
+ coefs: []
+ };
+ const cs = [];
+
+ for (let s in linearComb) {
+ if (s == 0) {
+ res.k = Fr.add(res.k, linearComb[s]);
+ } else if (linearComb[s] != 0n) {
+ cs.push([Number(s), linearComb[s]]);
+ }
}
+ while (cs.length > maxC) {
+ const c1 = cs.shift();
+ const c2 = cs.shift();
- if (isLast) {
- res[i].truncate();
+ const sl = c1[0];
+ const sr = c2[0];
+ const so = plonkNVars++;
+ const qm = Fr.zero;
+ const ql = Fr.neg(c1[1]);
+ const qr = Fr.neg(c2[1]);
+ const qo = Fr.one;
+ const qc = Fr.zero;
+
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+
+ plonkAdditions.push([sl, sr, c1[1], c2[1]]);
+
+ cs.push([so, Fr.one]);
+ }
+ for (let i = 0; i < cs.length; i++) {
+ res.s[i] = cs[i][0];
+ res.coefs[i] = cs[i][1];
+ }
+ while (res.coefs.length < maxC) {
+ res.s.push(0);
+ res.coefs.push(Fr.zero);
}
+ return res;
}
- return res;
+ function addConstraintSum(lc) {
+ const C = reduceCoefs(lc, 3);
+ const sl = C.s[0];
+ const sr = C.s[1];
+ const so = C.s[2];
+ const qm = Fr.zero;
+ const ql = C.coefs[0];
+ const qr = C.coefs[1];
+ const qo = C.coefs[2];
+ const qc = C.k;
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ }
- // // compute t_low(X)
- // let polTLow = new BigBuffer((chunkSize + 1) * n8r);
- // polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
- // // Add blinding scalar b_10 as a new coefficient n
- // polTLow.set(ch.b[10], zkey.domainSize * n8r);
- //
- // // compute t_mid(X)
- // let polTMid = new BigBuffer((zkey.domainSize + 1) * n8r);
- // polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
- // // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
- // const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
- // polTMid.set(lowestMid, 0);
- // // Add blinding scalar b_11 as a new coefficient n
- // polTMid.set(ch.b[11], zkey.domainSize * n8r);
- //
- // // compute t_high(X)
- // let polTHigh = new BigBuffer((zkey.domainSize + 6) * n8r);
- // polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
- // //Subtract blinding scalar b_11 to the lowest coefficient of t_high
- // const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
- // polTHigh.set(lowestHigh, 0);
- //
- // proof.T1 = await expTau(polTLow, "multiexp T1");
- // proof.T2 = await expTau(polTMid, "multiexp T2");
- // proof.T3 = await expTau(polTHigh, "multiexp T3");
- }
+ function addConstraintMul(lcA, lcB, lcC) {
+ const A = reduceCoefs(lcA, 1);
+ const B = reduceCoefs(lcB, 1);
+ const C = reduceCoefs(lcC, 1);
-// split2(degPols, blindingFactors) {
-// let currentDegree = this.degree();
-// const numFilledPols = Math.ceil((currentDegree + 1) / (degPols + 1));
-//
-// //blinding factors can be void or must have a length of numPols - 1
-// if (0 !== blindingFactors.length && blindingFactors.length < numFilledPols - 1) {
-// throw new Error(`Blinding factors length must be ${numFilledPols - 1}`);
-// }
-//
-// const chunkByteLength = (degPols + 1) * this.Fr.n8;
-//
-// // Check polynomial can be split in numChunks parts of chunkSize bytes...
-// if (this.coef.byteLength / chunkByteLength <= numFilledPols - 1) {
-// throw new Error(`Polynomial is short to be split in ${numFilledPols} parts of ${degPols} coefficients each.`);
-// }
-//
-// let res = [];
-// for (let i = 0; i < numFilledPols; i++) {
-// const isLast = (numFilledPols - 1) === i;
-// const byteLength = isLast ? (currentDegree + 1) * this.Fr.n8 - ((numFilledPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
-//
-// res[i] = new Polynomial(new BigBuffer(byteLength), this.Fr, this.logger);
-// const fr = i * chunkByteLength;
-// const to = isLast ? (currentDegree + 1) * this.Fr.n8 : (i + 1) * chunkByteLength;
-// res[i].coef.set(this.coef.slice(fr, to), 0);
-//
-// // Add a blinding factor as higher degree
-// if (!isLast) {
-// res[i].coef.set(blindingFactors[i], chunkByteLength);
-// }
-//
-// // Sub blinding factor to the lowest degree
-// if (0 !== i) {
-// const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
-// res[i].coef.set(lowestDegree, 0);
-// }
-// }
-//
-// return res;
-// }
-
-// merge(pols, overlap = true) {
-// let length = 0;
-// for (let i = 0; i < pols.length; i++) {
-// length += pols[i].length();
-// }
-//
-// if (overlap) {
-// length -= pols.length - 1;
-// }
-//
-// let res = new Polynomial(new BigBuffer(length * this.Fr.n8));
-// for (let i = 0; i < pols.length; i++) {
-// const byteLength = pols[i].coef.byteLength;
-// if (0 === i) {
-// res.coef.set(pols[i].coef, 0);
-// } else {
-//
-// }
-// }
-//
-// return res;
-// }
-
- truncate() {
- const deg = this.degree();
- if (deg + 1 < this.coef.byteLength / this.Fr.n8) {
- const newCoefs = (deg + 1) > 2 << 14 ?
- new ffjavascript.BigBuffer((deg + 1) * this.Fr.n8) : new Uint8Array((deg + 1) * this.Fr.n8);
-
- newCoefs.set(this.coef.slice(0, (deg + 1) * this.Fr.n8), 0);
- this.coef = newCoefs;
- }
- }
-
- static lagrangePolynomialInterpolation(xArr, yArr, curve) {
- const Fr = curve.Fr;
- let polynomial = computeLagrangePolynomial(0);
- for (let i = 1; i < xArr.length; i++) {
- polynomial.add(computeLagrangePolynomial(i));
- }
-
- return polynomial;
-
- function computeLagrangePolynomial(i) {
- let polynomial;
-
- for (let j = 0; j < xArr.length; j++) {
- if (j === i) continue;
-
- if (polynomial === undefined) {
- let buff = (xArr.length) > 2 << 14 ?
- new ffjavascript.BigBuffer((xArr.length) * Fr.n8) : new Uint8Array((xArr.length) * Fr.n8);
- polynomial = new Polynomial(buff, curve);
- polynomial.setCoef(0, Fr.neg(xArr[j]));
- polynomial.setCoef(1, Fr.one);
- } else {
- polynomial.byXSubValue(xArr[j]);
- }
- }
-
- let denominator = polynomial.evaluate(xArr[i]);
- denominator = Fr.inv(denominator);
- const mulFactor = Fr.mul(yArr[i], denominator);
-
- polynomial.mulScalar(mulFactor);
-
- return polynomial;
- }
- }
-
- static zerofierPolynomial(xArr, curve) {
- const Fr = curve.Fr;
- let buff = (xArr.length + 1) > 2 << 14 ?
- new ffjavascript.BigBuffer((xArr.length + 1) * Fr.n8) : new Uint8Array((xArr.length + 1) * Fr.n8);
- let polynomial = new Polynomial(buff, curve);
-
- // Build a zerofier polynomial with the following form:
- // zerofier(X) = (X-xArr[0])(X-xArr[1])...(X-xArr[n])
- polynomial.setCoef(0, Fr.neg(xArr[0]));
- polynomial.setCoef(1, Fr.one);
-
- for (let i = 1; i < xArr.length; i++) {
- polynomial.byXSubValue(xArr[i]);
- }
-
- return polynomial;
- }
-
- print() {
- const Fr = this.Fr;
- let res = "";
- for (let i = this.degree(); i >= 0; i--) {
- const coef = this.getCoef(i);
- if (!Fr.eq(Fr.zero, coef)) {
- if (Fr.isNegative(coef)) {
- res += " - ";
- } else if (i !== this.degree()) {
- res += " + ";
- }
- res += Fr.toString(coef);
- if (i > 0) {
- res += i > 1 ? "x^" + i : "x";
- }
- }
- }
- console.log(res);
- }
-
- async multiExponentiation(PTau, name) {
- const n = this.coef.byteLength / this.Fr.n8;
- const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
- const bm = await this.Fr.batchFromMontgomery(this.coef);
- let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
- res = this.G1.toAffine(res);
- return res;
- }
-}
-
-/*
- Copyright 2022 iden3 association.
-
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
-
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-
-class Evaluations {
- constructor(evaluations, curve, logger) {
- this.eval = evaluations;
- this.curve = curve;
- this.Fr = curve.Fr;
- this.logger = logger;
- }
-
- static async fromPolynomial(polynomial, extension, curve, logger) {
- const coefficientsN = new ffjavascript.BigBuffer(polynomial.length() * extension * curve.Fr.n8);
- coefficientsN.set(polynomial.coef, 0);
-
- const evaluations = await curve.Fr.fft(coefficientsN);
-
- return new Evaluations(evaluations, curve, logger);
- }
-
- getEvaluation(index) {
- const i_n8 = index * this.Fr.n8;
-
- if (i_n8 + this.Fr.n8 > this.eval.byteLength) {
- throw new Error("Evaluations.getEvaluation() out of bounds");
- }
-
- return this.eval.slice(i_n8, i_n8 + this.Fr.n8);
- }
-
- length() {
- let length = this.eval.byteLength / this.Fr.n8;
- if (length !== Math.floor(this.eval.byteLength / this.Fr.n8)) {
- throw new Error("Polynomial evaluations buffer has incorrect size");
- }
- if (0 === length) {
- this.logger.warn("Polynomial has length zero");
- }
- return length;
- }
-}
-
-/*
- Copyright 2022 iden3 association.
-
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
-
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-
-class CPolynomial {
- constructor(n, curve, logger) {
- this.n = n;
- this.polynomials = Array(n).fill(undefined);
- this.curve = curve;
- this.Fr = curve.Fr;
- this.G1 = curve.G1;
- this.logger = logger;
- }
-
- addPolynomial(position, polynomial) {
- if (position > this.n - 1) {
- throw new Error("CPolynomial:addPolynomial, cannot add a polynomial to a position greater than n-1");
- }
-
- this.polynomials[position] = polynomial;
- }
-
- degree() {
- let degrees = this.polynomials.map(
- (polynomial, index) => polynomial === undefined ? 0 : polynomial.degree() * this.n + index);
- return Math.max(...degrees);
- }
-
- getPolynomial() {
- let degrees = this.polynomials.map(polynomial => polynomial === undefined ? 0 : polynomial.degree());
- const maxDegree = this.degree();
- const lengthBuffer = 2 ** (log2(maxDegree - 1) + 1);
- const sFr = this.Fr.n8;
-
- let polynomial = new Polynomial(new ffjavascript.BigBuffer(lengthBuffer * sFr), this.curve, this.logger);
-
- for (let i = 0; i < maxDegree; i++) {
- const i_n8 = i * sFr;
- const i_sFr = i_n8 * this.n;
-
- for (let j = 0; j < this.n; j++) {
- if (this.polynomials[j] !== undefined) {
- if (i <= degrees[j]) polynomial.coef.set(this.polynomials[j].coef.slice(i_n8, i_n8 + sFr), i_sFr + j * sFr);
- }
- }
- }
-
- return polynomial;
- }
-
- async multiExponentiation(PTau, name) {
- let polynomial = this.getPolynomial();
- const n = polynomial.coef.byteLength / this.Fr.n8;
- const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
- const bm = await this.Fr.batchFromMontgomery(polynomial.coef);
- let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
- res = this.G1.toAffine(res);
- return res;
- }
-}
-
-/*
- Copyright 2022 iden3 association.
-
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
-
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-
-
-async function fflonkSetup$1(r1csFilename, ptauFilename, zkeyFilename, logger) {
- if (logger) logger.info("FFLONK SETUP STARTED");
-
- if (globalThis.gc) globalThis.gc();
-
- // Read PTau file
- if (logger) logger.info("> Reading PTau file");
- const {fd: fdPTau, sections: pTauSections} = await binFileUtils.readBinFile(ptauFilename, "ptau", 1, 1 << 22, 1 << 24);
- if (!pTauSections[12]) {
- throw new Error("Powers of Tau is not well prepared. Section 12 missing.");
- }
-
- // Get curve defined in PTau
- if (logger) logger.info("> Getting curve from PTau settings");
- const {curve} = await readPTauHeader(fdPTau, pTauSections);
-
- // Read r1cs file
- if (logger) logger.info("> Reading r1cs file");
- const {fd: fdR1cs, sections: sectionsR1cs} = await binFileUtils.readBinFile(r1csFilename, "r1cs", 1, 1 << 22, 1 << 24);
- const r1cs = await r1csfile.readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: false, loadCustomGates: true});
-
- // Potential error checks
- if (r1cs.prime !== curve.r) {
- throw new Error("r1cs curve does not match powers of tau ceremony curve");
- }
-
- // Initializations
- const Fr = curve.Fr;
-
- const sFr = curve.Fr.n8;
- const sG1 = curve.G1.F.n8 * 2;
- const sG2 = curve.G2.F.n8 * 2;
-
- let polynomials = {};
- let evaluations = {};
- let PTau;
-
- let settings = {
- nVars: r1cs.nVars,
- nPublic: r1cs.nOutputs + r1cs.nPubInputs
- };
-
- const plonkConstraints = new BigArray();
- let plonkAdditions = new BigArray();
-
- // Process constraints inside r1cs
- if (logger) logger.info("> Processing FFlonk constraints");
- await computeFFConstraints(curve.Fr, r1cs, logger);
- if (globalThis.gc) globalThis.gc();
-
- // As the t polynomial is n+5 whe need at least a power of 4
- //TODO check!!!!
- // NOTE : plonkConstraints + 2 = #constraints + blinding coefficients for each wire polynomial
- settings.cirPower = Math.max(FF_T_POL_DEG_MIN, log2((plonkConstraints.length + 2) - 1) + 1);
- settings.domainSize = 2 ** settings.cirPower;
-
- if (pTauSections[2][0].size < (settings.domainSize * 9 + 18) * sG1) {
- throw new Error("Powers of Tau is not big enough for this circuit size. Section 2 too small.");
- }
- if (pTauSections[3][0].size < sG2) {
- throw new Error("Powers of Tau is not well prepared. Section 3 too small.");
- }
-
- if (logger) {
- logger.info("----------------------------");
- logger.info(" FFLONK SETUP SETTINGS");
- logger.info(` Curve: ${curve.name}`);
- logger.info(` Circuit power: ${settings.cirPower}`);
- logger.info(` Domain size: ${settings.domainSize}`);
- logger.info(` Vars: ${settings.nVars}`);
- logger.info(` Public vars: ${settings.nPublic}`);
- logger.info(` Constraints: ${plonkConstraints.length}`);
- logger.info(` Additions: ${plonkAdditions.length}`);
- logger.info("----------------------------");
- }
-
- // Compute k1 and k2 to be used in the permutation checks
- if (logger) logger.info("> computing k1 and k2");
- const [k1, k2] = computeK1K2();
-
- // Compute omega 3 (w3) and omega 4 (w4) to be used in the prover and the verifier
- // w3^3 = 1 and w4^4 = 1
- if (logger) logger.info("> computing w3");
- const w3 = computeW3();
- if (logger) logger.info("> computing w4");
- const w4 = computeW4();
- if (logger) logger.info("> computing w8");
- const w8 = computeW8();
- if (logger) logger.info("> computing wr");
- const wr = getOmegaCubicRoot(settings.cirPower, curve.Fr);
- // Write output zkey file
- await writeZkeyFile();
+ const sl = A.s[0];
+ const sr = B.s[0];
+ const so = C.s[0];
+ const qm = Fr.mul(A.coefs[0], B.coefs[0]);
+ const ql = Fr.mul(A.coefs[0], B.k);
+ const qr = Fr.mul(A.k, B.coefs[0]);
+ const qo = Fr.neg(C.coefs[0]);
+ const qc = Fr.sub(Fr.mul(A.k, B.k), C.k);
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ }
- await fdR1cs.close();
- await fdPTau.close();
+ function getLinearCombinationType(lc) {
+ let k = Fr.zero;
+ let n = 0;
+ const ss = Object.keys(lc);
+ for (let i = 0; i < ss.length; i++) {
+ if (lc[ss[i]] == 0n) {
+ delete lc[ss[i]];
+ } else if (ss[i] == 0) {
+ k = Fr.add(k, lc[ss[i]]);
+ } else {
+ n++;
+ }
+ }
+ if (n > 0) return n.toString();
+ if (k != Fr.zero) return "k";
+ return "0";
+ }
- if (logger) logger.info("FFLONK SETUP FINISHED");
+ function process(lcA, lcB, lcC) {
+ const lctA = getLinearCombinationType(lcA);
+ const lctB = getLinearCombinationType(lcB);
+ if ((lctA === "0") || (lctB === "0")) {
+ normalize(lcC);
+ addConstraintSum(lcC);
+ } else if (lctA === "k") {
+ const lcCC = join(lcB, lcA[0], lcC);
+ addConstraintSum(lcCC);
+ } else if (lctB === "k") {
+ const lcCC = join(lcA, lcB[0], lcC);
+ addConstraintSum(lcCC);
+ } else {
+ addConstraintMul(lcA, lcB, lcC);
+ }
+ }
- return 0;
+ for (let s = 1; s <= nPublic; s++) {
+ const sl = s;
+ const sr = 0;
+ const so = 0;
+ const qm = Fr.zero;
+ const ql = Fr.one;
+ const qr = Fr.zero;
+ const qo = Fr.zero;
+ const qc = Fr.zero;
- async function computeFFConstraints(Fr, r1cs, logger) {
- // Add public inputs and outputs
- for (let i = 0; i < settings.nPublic; i++) {
- plonkConstraints.push(getFFlonkConstantConstraint(i + 1, Fr));
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
}
- // Add all constraints from r1cs file
- const r1csProcessor = new r1csConstraintProcessor(Fr, getFFlonkConstantConstraint, getFFlonkAdditionConstraint, getFFlonkMultiplicationConstraint, logger);
-
- const bR1cs = await binFileUtils__namespace.readSection(fdR1cs, sectionsR1cs, 2);
- let bR1csPos = 0;
- for (let i = 0; i < r1cs.nConstraints; i++) {
- if ((logger) && (i !== 0) && (i % 500000 === 0)) {
- logger.info(` processing r1cs constraints ${i}/${r1cs.nConstraints}`);
- }
- const [constraints, additions] = r1csProcessor.processR1csConstraint(settings, ...readConstraint());
+ for (let c = 0; c < r1cs.constraints.length; c++) {
+ if ((logger) && (c % 10000 === 0)) logger.debug(`processing constraints: ${c}/${r1cs.nConstraints}`);
+ process(...r1cs.constraints[c]);
+ }
+ }
- plonkConstraints.push(...constraints);
- plonkAdditions.push(...additions);
+ async function writeWitnessMap(sectionNum, posConstraint, name) {
+ await binFileUtils.startWriteSection(fdZKey, sectionNum);
+ for (let i=0; i Writing the zkey file");
- const fdZKey = await binFileUtils.createBinFile(zkeyFilename, "zkey", 1, ZKEY_FF_NSECTIONS, 1 << 22, 1 << 24);
+ S1 = await Fr.batchFromMontgomery(S1);
+ S2 = await Fr.batchFromMontgomery(S2);
+ S3 = await Fr.batchFromMontgomery(S3);
- if (logger) logger.info(`··· Writing Section ${HEADER_ZKEY_SECTION}. Zkey Header`);
- await writeZkeyHeader(fdZKey);
+ vk.S1= await curve.G1.multiExpAffine(LPoints, S1, logger, "multiexp S1");
+ if (globalThis.gc) {globalThis.gc();}
+ vk.S2= await curve.G1.multiExpAffine(LPoints, S2, logger, "multiexp S2");
+ if (globalThis.gc) {globalThis.gc();}
+ vk.S3= await curve.G1.multiExpAffine(LPoints, S3, logger, "multiexp S3");
+ if (globalThis.gc) {globalThis.gc();}
- if (logger) logger.info(`··· Writing Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
- await writeAdditions(fdZKey);
- if (globalThis.gc) globalThis.gc();
+ function buildSigma(s, p) {
+ if (typeof lastAparence[s] === "undefined") {
+ firstPos[s] = p;
+ } else {
+ sigma.set(lastAparence[s], p*n8r);
+ }
+ let v;
+ if (p Writing the zkey file finished");
- await fdZKey.close();
+ function isIncluded(k, kArr, pow) {
+ const domainSize= 2**pow;
+ let w = Fr.one;
+ for (let i=0; i.
+*/
+const {stringifyBigInts: stringifyBigInts$2} = ffjavascript.utils;
+const { keccak256: keccak256$2 } = jsSha3__default["default"];
- buffOutV.setUint32(0, addition[0], true);
- buffOutV.setUint32(4, addition[1], true);
- buffOut.set(addition[2], 8);
- buffOut.set(addition[3], 8 + sFr);
+async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
+ const {fd: fdWtns, sections: sectionsWtns} = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1<<25, 1<<23);
- await fdZKey.write(buffOut);
- }
- await binFileUtils.endWriteSection(fdZKey);
- }
+ const wtns = await readHeader(fdWtns, sectionsWtns);
- async function writeWitnessMap(fdZKey, sectionNum, posConstraint, name) {
- await binFileUtils.startWriteSection(fdZKey, sectionNum);
- for (let i = 0; i < plonkConstraints.length; i++) {
- if (logger && (i !== 0) && (i % 500000 === 0)) {
- logger.info(` writing witness ${name}: ${i}/${plonkConstraints.length}`);
- }
+ const {fd: fdZKey, sections: sectionsZKey} = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1<<25, 1<<23);
- await fdZKey.writeULE32(plonkConstraints[i][posConstraint]);
- }
- await binFileUtils.endWriteSection(fdZKey);
+ const zkey = await readHeader$1(fdZKey, sectionsZKey);
+ if (zkey.protocol != "plonk") {
+ throw new Error("zkey file is not plonk");
}
- async function writeQMap(fdZKey, sectionNum, posConstraint, name) {
- // Compute Q from q evaluations
- let Q = new ffjavascript.BigBuffer(settings.domainSize * sFr);
+ if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
+ throw new Error("Curve of the witness does not match the curve of the proving key");
+ }
- for (let i = 0; i < plonkConstraints.length; i++) {
- Q.set(plonkConstraints[i][posConstraint], i * sFr);
- if ((logger) && (i !== 0) && (i % 500000 === 0)) {
- logger.info(` writing ${name}: ${i}/${plonkConstraints.length}`);
- }
- }
+ if (wtns.nWitness != zkey.nVars -zkey.nAdditions) {
+ throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
+ }
- polynomials[name] = await Polynomial.fromEvaluations(Q, curve, logger);
- evaluations[name] = await Evaluations.fromPolynomial(polynomials[name], 4, curve, logger);
+ const curve = zkey.curve;
+ const Fr = curve.Fr;
+ const G1 = curve.G1;
+ const n8r = curve.Fr.n8;
- // Write Q coefficients and evaluations
- await binFileUtils.startWriteSection(fdZKey, sectionNum);
- await fdZKey.write(polynomials[name].coef);
- await fdZKey.write(evaluations[name].eval);
- await binFileUtils.endWriteSection(fdZKey);
- }
+ if (logger) logger.debug("Reading Wtns");
+ const buffWitness = await binFileUtils__namespace.readSection(fdWtns, sectionsWtns, 2);
+ // First element in plonk is not used and can be any value. (But always the same).
+ // We set it to zero to go faster in the exponentiations.
+ buffWitness.set(Fr.zero, 0);
+ const buffInternalWitness = new ffjavascript.BigBuffer(n8r*zkey.nAdditions);
- async function writeSigma(fdZKey) {
- // Compute sigma
- const sigma = new ffjavascript.BigBuffer(sFr * settings.domainSize * 3);
- const lastSeen = new BigArray(settings.nVars);
- const firstPos = new BigArray(settings.nVars);
+ await calculateAdditions();
- let w = Fr.one;
- for (let i = 0; i < settings.domainSize; i++) {
- if (i < plonkConstraints.length) {
- buildSigma(plonkConstraints[i][0], i);
- buildSigma(plonkConstraints[i][1], settings.domainSize + i);
- buildSigma(plonkConstraints[i][2], settings.domainSize * 2 + i);
- } else if (i < settings.domainSize - 2) {
- buildSigma(0, i);
- buildSigma(0, settings.domainSize + i);
- buildSigma(0, settings.domainSize * 2 + i);
- } else {
- sigma.set(w, i * sFr);
- sigma.set(Fr.mul(w, k1), (settings.domainSize + i) * sFr);
- sigma.set(Fr.mul(w, k2), (settings.domainSize * 2 + i) * sFr);
- }
+ let A,B,C,Z;
+ let A4, B4, C4, Z4;
+ let pol_a,pol_b,pol_c, pol_z, pol_t, pol_r;
+ let proof = {};
- w = Fr.mul(w, Fr.w[settings.cirPower]);
+ const sigmaBuff = new ffjavascript.BigBuffer(zkey.domainSize*n8r*4*3);
+ let o = sectionsZKey[12][0].p + zkey.domainSize*n8r;
+ await fdZKey.readToBuffer(sigmaBuff, 0 , zkey.domainSize*n8r*4, o);
+ o += zkey.domainSize*n8r*5;
+ await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*4 , zkey.domainSize*n8r*4, o);
+ o += zkey.domainSize*n8r*5;
+ await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*8 , zkey.domainSize*n8r*4, o);
- if ((logger) && (i !== 0) && (i % 500000 === 0)) {
- logger.info(` writing sigma phase1: ${i}/${plonkConstraints.length}`);
- }
- }
+ const pol_s1 = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_s1, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p);
- for (let i = 0; i < settings.nVars; i++) {
- if (typeof firstPos[i] !== "undefined") {
- sigma.set(lastSeen[i], firstPos[i] * sFr);
- } else {
- // throw new Error("Variable not used");
- console.log("Variable not used");
- }
- if ((logger) && (i !== 0) && (i % 500000 === 0)) logger.info(` writing sigma phase2: ${i}/${settings.nVars}`);
- }
+ const pol_s2 = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_s2, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 5*zkey.domainSize*n8r);
- if (globalThis.gc) globalThis.gc();
+ const PTau = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 14);
- // Write sigma coefficients and evaluations
- for (let i = 0; i < 3; i++) {
- const sectionId = 0 === i ? ZKEY_FF_SIGMA1_SECTION : 1 === i ? ZKEY_FF_SIGMA2_SECTION : ZKEY_FF_SIGMA3_SECTION;
- let name = "S" + (i + 1);
- polynomials[name] = await Polynomial.fromEvaluations(sigma.slice(settings.domainSize * sFr * i, settings.domainSize * sFr * (i + 1)), curve, logger);
- evaluations[name] = await Evaluations.fromPolynomial(polynomials[name], 4, curve, logger);
- await binFileUtils.startWriteSection(fdZKey, sectionId);
- await fdZKey.write(polynomials[name].coef);
- await fdZKey.write(evaluations[name].eval);
- await binFileUtils.endWriteSection(fdZKey);
+ const ch = {};
- if (globalThis.gc) globalThis.gc();
- }
+ await round1();
+ await round2();
+ await round3();
+ await round4();
+ await round5();
- return 0;
- function buildSigma(signalId, idx) {
- if (typeof lastSeen[signalId] === "undefined") {
- firstPos[signalId] = idx;
- } else {
- sigma.set(lastSeen[signalId], idx * sFr);
- }
- let v;
- if (idx < settings.domainSize) {
- v = w;
- } else if (idx < 2 * settings.domainSize) {
- v = Fr.mul(w, k1);
- } else {
- v = Fr.mul(w, k2);
- }
+ ///////////////////////
+ // Final adjustments //
+ ///////////////////////
- lastSeen[signalId] = v;
- }
- }
+ proof.protocol = "plonk";
+ proof.curve = curve.name;
- async function writeLagrangePolynomials(fdZKey) {
- await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_LAGRANGE_SECTION);
+ await fdZKey.close();
+ await fdWtns.close();
- const l = Math.max(settings.nPublic, 1);
- for (let i = 0; i < l; i++) {
- let buff = new ffjavascript.BigBuffer(settings.domainSize * sFr);
- buff.set(Fr.one, i * sFr);
+ let publicSignals = [];
- await writeP4(fdZKey, buff);
- }
- await binFileUtils.endWriteSection(fdZKey);
+ for (let i=1; i<= zkey.nPublic; i++) {
+ const pub = buffWitness.slice(i*Fr.n8, i*Fr.n8+Fr.n8);
+ publicSignals.push(ffjavascript.Scalar.fromRprLE(pub));
}
- async function writePtau(fdZKey) {
- await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_PTAU_SECTION);
-
- // domainSize * 9 + 18 = maximum SRS length needed, specifically to commit C2
- PTau = new ffjavascript.BigBuffer((settings.domainSize * 9 + 18) * sG1);
- await fdPTau.readToBuffer(PTau, 0, (settings.domainSize * 9 + 18) * sG1, pTauSections[2][0].p);
+ proof.A = G1.toObject(proof.A);
+ proof.B = G1.toObject(proof.B);
+ proof.C = G1.toObject(proof.C);
+ proof.Z = G1.toObject(proof.Z);
- await fdZKey.write(PTau);
- await binFileUtils.endWriteSection(fdZKey);
- }
+ proof.T1 = G1.toObject(proof.T1);
+ proof.T2 = G1.toObject(proof.T2);
+ proof.T3 = G1.toObject(proof.T3);
- async function writeC0(fdZKey) {
- // C0(X) := QL(X^8) + X · QR(X^8) + X^2 · QO(X^8) + X^3 · QM(X^8) + X^4 · QC(X^8)
- // + X^5 · SIGMA1(X^8) + X^6 · SIGMA2(X^8) + X^7 · SIGMA3(X^8)
- let C0 = new CPolynomial(8, curve, logger);
- C0.addPolynomial(0, polynomials.QL);
- C0.addPolynomial(1, polynomials.QR);
- C0.addPolynomial(2, polynomials.QO);
- C0.addPolynomial(3, polynomials.QM);
- C0.addPolynomial(4, polynomials.QC);
- C0.addPolynomial(5, polynomials.S1);
- C0.addPolynomial(6, polynomials.S2);
- C0.addPolynomial(7, polynomials.S3);
+ proof.eval_a = Fr.toObject(proof.eval_a);
+ proof.eval_b = Fr.toObject(proof.eval_b);
+ proof.eval_c = Fr.toObject(proof.eval_c);
+ proof.eval_s1 = Fr.toObject(proof.eval_s1);
+ proof.eval_s2 = Fr.toObject(proof.eval_s2);
+ proof.eval_zw = Fr.toObject(proof.eval_zw);
+ proof.eval_t = Fr.toObject(proof.eval_t);
+ proof.eval_r = Fr.toObject(proof.eval_r);
- polynomials.C0 = C0.getPolynomial();
+ proof.Wxi = G1.toObject(proof.Wxi);
+ proof.Wxiw = G1.toObject(proof.Wxiw);
- // Check degree
- if (polynomials.C0.degree() >= 8 * settings.domainSize) {
- throw new Error("C0 Polynomial is not well calculated");
- }
+ delete proof.eval_t;
- await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_C0_SECTION);
- await fdZKey.write(polynomials.C0.coef);
- await binFileUtils.endWriteSection(fdZKey);
- }
+ proof = stringifyBigInts$2(proof);
+ publicSignals = stringifyBigInts$2(publicSignals);
- async function writeFFlonkHeader(fdZKey) {
- await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_HEADER_SECTION);
+ return {proof, publicSignals};
- const primeQ = curve.q;
- const n8q = (Math.floor((ffjavascript.Scalar.bitLength(primeQ) - 1) / 64) + 1) * 8;
- await fdZKey.writeULE32(n8q);
- await binFileUtils.writeBigInt(fdZKey, primeQ, n8q);
+ async function calculateAdditions() {
+ const additionsBuff = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 3);
- const primeR = curve.r;
- const n8r = (Math.floor((ffjavascript.Scalar.bitLength(primeR) - 1) / 64) + 1) * 8;
- await fdZKey.writeULE32(n8r);
- await binFileUtils.writeBigInt(fdZKey, primeR, n8r);
+ const sSum = 8+curve.Fr.n8*2;
- // Total number of r1cs vars
- await fdZKey.writeULE32(settings.nVars);
- // Total number of r1cs public vars = outputs + public inputs
- await fdZKey.writeULE32(settings.nPublic);
- await fdZKey.writeULE32(settings.domainSize);
- await fdZKey.writeULE32(plonkAdditions.length);
- await fdZKey.writeULE32(plonkConstraints.length);
+ for (let i=0; i.
-*/
+ let n3 = C.slice(i*n8r, (i+1)*n8r);
+ n3 = Fr.add( n3, Fr.mul(zkey.k2, Fr.mul(ch.beta, w) ));
+ n3 = Fr.add( n3, ch.gamma );
-async function fflonkSetupCmd(r1csFilename, ptauFilename, zkeyFilename, logger) {
- return fflonkSetup$1(r1csFilename, ptauFilename, zkeyFilename, logger);
-}
+ const num = Fr.mul(n1, Fr.mul(n2, n3));
-/*
- Copyright 2018 0KIMS association.
+ let d1 = A.slice(i*n8r, (i+1)*n8r);
+ d1 = Fr.add(d1, Fr.mul( sigmaBuff.slice(i*n8r*4, i*n8r*4 + n8r) , ch.beta));
+ d1 = Fr.add(d1, ch.gamma);
- This file is part of snarkJS.
+ let d2 = B.slice(i*n8r, (i+1)*n8r);
+ d2 = Fr.add(d2, Fr.mul( sigmaBuff.slice((zkey.domainSize + i)*4*n8r, (zkey.domainSize + i)*4*n8r+n8r) , ch.beta));
+ d2 = Fr.add(d2, ch.gamma);
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ let d3 = C.slice(i*n8r, (i+1)*n8r);
+ d3 = Fr.add(d3, Fr.mul( sigmaBuff.slice((zkey.domainSize*2 + i)*4*n8r, (zkey.domainSize*2 + i)*4*n8r + n8r) , ch.beta));
+ d3 = Fr.add(d3, ch.gamma);
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ const den = Fr.mul(d1, Fr.mul(d2, d3));
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
+ numArr.set(
+ Fr.mul(
+ numArr.slice(i*n8r,(i+1)*n8r) ,
+ num
+ ),
+ ((i+1)%zkey.domainSize)*n8r
+ );
+ denArr.set(
+ Fr.mul(
+ denArr.slice(i*n8r,(i+1)*n8r) ,
+ den
+ ),
+ ((i+1)%zkey.domainSize)*n8r
+ );
-async function write(fd, witness, prime) {
+ w = Fr.mul(w, Fr.w[zkey.power]);
+ }
- await binFileUtils__namespace.startWriteSection(fd, 1);
- const n8 = (Math.floor( (ffjavascript.Scalar.bitLength(prime) - 1) / 64) +1)*8;
- await fd.writeULE32(n8);
- await binFileUtils__namespace.writeBigInt(fd, prime, n8);
- await fd.writeULE32(witness.length);
- await binFileUtils__namespace.endWriteSection(fd);
+ denArr = await Fr.batchInverse(denArr);
- await binFileUtils__namespace.startWriteSection(fd, 2);
- for (let i=0; i0)&&(Fr.isZero(p.slice(deg*n8r, deg*n8r+n8r)))) deg--;
+ return deg;
+ }
-}
+ function printPol(P) {
+ const n=(P.byteLength/n8r);
+ console.log("[");
+ for (let i=0; i.
-*/
-const { keccak256: keccak256$2 } = jsSha3__default["default"];
+ let w = Fr.one;
+ for (let i=0; i POLYNOMIAL === element.type ? nPolynomials++ : nScalars++);
+ let e2b =b;
+ e2b = Fr.add(e2b, Fr.mul(betaw, zkey.k1));
+ e2b = Fr.add(e2b, ch.gamma);
- let buffer = new Uint8Array(nScalars * this.Fr.n8 + nPolynomials * this.G1.F.n8 * 2);
- let offset = 0;
+ let e2c =c;
+ e2c = Fr.add(e2c, Fr.mul(betaw, zkey.k2));
+ e2c = Fr.add(e2c, ch.gamma);
- for (let i = 0; i < this.data.length; i++) {
- if (POLYNOMIAL === this.data[i].type) {
- this.G1.toRprUncompressed(buffer, offset, this.data[i].data);
- offset += this.G1.F.n8 * 2;
- } else {
- this.Fr.toRprBE(buffer, offset, this.data[i].data);
- offset += this.Fr.n8;
- }
- }
+ let e2d = z;
+
+ let [e2, e2z] = mul4(e2a, e2b, e2c, e2d, ap, bp, cp, zp, i%4);
+ e2 = Fr.mul(e2, ch.alpha);
+ e2z = Fr.mul(e2z, ch.alpha);
- const value = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256$2.arrayBuffer(buffer)));
- return this.Fr.e(value);
- }
-}
+ let e3a = a;
+ e3a = Fr.add(e3a, Fr.mul(ch.beta, s1));
+ e3a = Fr.add(e3a, ch.gamma);
-/*
- Copyright 2022 iden3 association.
+ let e3b = b;
+ e3b = Fr.add(e3b, Fr.mul(ch.beta,s2));
+ e3b = Fr.add(e3b, ch.gamma);
- This file is part of snarkjs.
+ let e3c = c;
+ e3c = Fr.add(e3c, Fr.mul(ch.beta,s3));
+ e3c = Fr.add(e3c, ch.gamma);
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ let e3d = zw;
+ let [e3, e3z] = mul4(e3a, e3b, e3c, e3d, ap, bp, cp, zWp, i%4);
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ e3 = Fr.mul(e3, ch.alpha);
+ e3z = Fr.mul(e3z, ch.alpha);
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ let e4 = Fr.sub(z, Fr.one);
+ e4 = Fr.mul(e4, lPols.slice( (zkey.domainSize + i)*n8r, (zkey.domainSize+i+1)*n8r));
+ e4 = Fr.mul(e4, Fr.mul(ch.alpha, ch.alpha));
-class Proof {
- constructor(curve, logger) {
- this.curve = curve;
- this.logger = logger;
+ let e4z = Fr.mul(zp, lPols.slice( (zkey.domainSize + i)*n8r, (zkey.domainSize+i+1)*n8r));
+ e4z = Fr.mul(e4z, Fr.mul(ch.alpha, ch.alpha));
- this.resetProof();
- }
+ let e = Fr.add(Fr.sub(Fr.add(e1, e2), e3), e4);
+ let ez = Fr.add(Fr.sub(Fr.add(e1z, e2z), e3z), e4z);
- resetProof() {
- this.polynomials = {};
- this.evaluations = {};
- }
+ T.set(e, i*n8r);
+ Tz.set(ez, i*n8r);
- addPolynomial(key, polynomial) {
- if (key in this.polynomials) {
- this.logger.warn(`proof: polynomial.${key} already exist in proof`);
+ w = Fr.mul(w, Fr.w[zkey.power+2]);
}
- this.polynomials[key] = polynomial;
- }
- getPolynomial(key) {
- if (!(key in this.polynomials)) {
- this.logger.warn(`proof: polynomial ${key} does not exist in proof`);
+ if (logger) logger.debug("ifft T");
+ let t = await Fr.ifft(T);
+
+ if (logger) logger.debug("dividing T/Z");
+ for (let i=0; i (zkey.domainSize*3 -4) ) {
+ if (!Fr.isZero(a)) {
+ throw new Error("T Polynomial is not divisible");
+ }
+ }
}
- this.evaluations[key] = evaluation;
- }
- getEvaluation(key) {
- if (!(key in this.evaluations)) {
- this.logger.warn(`proof: evaluation ${key} does not exist in proof`);
+ if (logger) logger.debug("ifft Tz");
+ const tz = await Fr.ifft(Tz);
+ for (let i=0; i (zkey.domainSize*3 +5) ) {
+ if (!Fr.isZero(a)) {
+ throw new Error("Tz Polynomial is not well calculated");
+ }
+ } else {
+ t.set(
+ Fr.add(
+ t.slice(i*n8r, (i+1)*n8r),
+ a
+ ),
+ i*n8r
+ );
+ }
}
- return this.evaluations[key];
- }
- toObjectProof() {
- let res = {polynomials: {}, evaluations: {}};
+ pol_t = t.slice(0, (zkey.domainSize * 3 + 6) * n8r);
- Object.keys(this.polynomials).forEach(key => {
- res.polynomials[key] = this.curve.G1.toObject(this.polynomials[key]);
- });
+ // t(x) has degree 3n + 5, we are going to split t(x) into three smaller polynomials:
+ // t'_low and t'_mid with a degree < n and t'_high with a degree n+5
+ // such that t(x) = t'_low(X) + X^n t'_mid(X) + X^{2n} t'_hi(X)
+ // To randomize the parts we use blinding scalars b_10 and b_11 in a way that doesn't change t(X):
+ // t_low(X) = t'_low(X) + b_10 X^n
+ // t_mid(X) = t'_mid(X) - b_10 + b_11 X^n
+ // t_high(X) = t'_high(X) - b_11
+ // such that
+ // t(X) = t_low(X) + X^n t_mid(X) + X^2n t_high(X)
- Object.keys(this.evaluations).forEach(key => {
- res.evaluations[key] = this.curve.Fr.toObject(this.evaluations[key]);
- });
+ // compute t_low(X)
+ let polTLow = new ffjavascript.BigBuffer((zkey.domainSize + 1) * n8r);
+ polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
+ // Add blinding scalar b_10 as a new coefficient n
+ polTLow.set(ch.b[10], zkey.domainSize * n8r);
- return res;
- }
+ // compute t_mid(X)
+ let polTMid = new ffjavascript.BigBuffer((zkey.domainSize + 1) * n8r);
+ polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
+ // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
+ const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
+ polTMid.set(lowestMid, 0);
+ // Add blinding scalar b_11 as a new coefficient n
+ polTMid.set(ch.b[11], zkey.domainSize * n8r);
- fromObjectProof(objectProof) {
- this.resetProof();
+ // compute t_high(X)
+ let polTHigh = new ffjavascript.BigBuffer((zkey.domainSize + 6) * n8r);
+ polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
+ //Subtract blinding scalar b_11 to the lowest coefficient of t_high
+ const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
+ polTHigh.set(lowestHigh, 0);
- Object.keys(objectProof.polynomials).forEach(key => {
- this.polynomials[key] = this.curve.G1.fromObject(objectProof.polynomials[key]);
- });
+ proof.T1 = await expTau(polTLow, "multiexp T1");
+ proof.T2 = await expTau(polTMid, "multiexp T2");
+ proof.T3 = await expTau(polTHigh, "multiexp T3");
- Object.keys(objectProof.evaluations).forEach(key => {
- this.evaluations[key] = this.curve.Fr.fromObject(objectProof.evaluations[key]);
- });
- }
-}
+ function mul2(a,b, ap, bp, p) {
+ let r, rz;
-/*
- Copyright 2022 iden3 association.
+
+ const a_b = Fr.mul(a,b);
+ const a_bp = Fr.mul(a,bp);
+ const ap_b = Fr.mul(ap,b);
+ const ap_bp = Fr.mul(ap,bp);
- This file is part of snarkjs.
+ r = a_b;
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ let a0 = Fr.add(a_bp, ap_b);
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ let a1 = ap_bp;
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ rz = a0;
+ if (p) {
+ rz = Fr.add(rz, Fr.mul(Z1[p], a1));
+ }
-const { stringifyBigInts: stringifyBigInts$6 } = ffjavascript.utils;
+ return [r, rz];
+ }
+ function mul4(a,b,c,d, ap, bp, cp, dp, p) {
+ let r, rz;
-async function fflonkProve$1(zkeyFileName, witnessFileName, logger) {
- if (logger) logger.info("FFLONK PROVER STARTED");
+
+ const a_b = Fr.mul(a,b);
+ const a_bp = Fr.mul(a,bp);
+ const ap_b = Fr.mul(ap,b);
+ const ap_bp = Fr.mul(ap,bp);
- // Read witness file
- if (logger) logger.info("> Reading witness file");
- const {
- fd: fdWtns,
- sections: wtnsSections
- } = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1 << 25, 1 << 23);
- const wtns = await readHeader(fdWtns, wtnsSections);
+ const c_d = Fr.mul(c,d);
+ const c_dp = Fr.mul(c,dp);
+ const cp_d = Fr.mul(cp,d);
+ const cp_dp = Fr.mul(cp,dp);
- //Read zkey file
- if (logger) logger.info("> Reading zkey file");
- const {
- fd: fdZKey,
- sections: zkeySections
- } = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1 << 25, 1 << 23);
- const zkey = await readHeader$1(fdZKey, zkeySections);
+ r = Fr.mul(a_b, c_d);
- if (zkey.protocolId !== FFLONK_PROTOCOL_ID) {
- throw new Error("zkey file is not fflonk");
- }
+ let a0 = Fr.mul(ap_b, c_d);
+ a0 = Fr.add(a0, Fr.mul(a_bp, c_d));
+ a0 = Fr.add(a0, Fr.mul(a_b, cp_d));
+ a0 = Fr.add(a0, Fr.mul(a_b, c_dp));
- if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
- throw new Error("Curve of the witness does not match the curve of the proving key");
+ let a1 = Fr.mul(ap_bp, c_d);
+ a1 = Fr.add(a1, Fr.mul(ap_b, cp_d));
+ a1 = Fr.add(a1, Fr.mul(ap_b, c_dp));
+ a1 = Fr.add(a1, Fr.mul(a_bp, cp_d));
+ a1 = Fr.add(a1, Fr.mul(a_bp, c_dp));
+ a1 = Fr.add(a1, Fr.mul(a_b, cp_dp));
+
+ let a2 = Fr.mul(a_bp, cp_dp);
+ a2 = Fr.add(a2, Fr.mul(ap_b, cp_dp));
+ a2 = Fr.add(a2, Fr.mul(ap_bp, c_dp));
+ a2 = Fr.add(a2, Fr.mul(ap_bp, cp_d));
+
+ let a3 = Fr.mul(ap_bp, cp_dp);
+
+ rz = a0;
+ if (p) {
+ rz = Fr.add(rz, Fr.mul(Z1[p], a1));
+ rz = Fr.add(rz, Fr.mul(Z2[p], a2));
+ rz = Fr.add(rz, Fr.mul(Z3[p], a3));
+ }
+
+ return [r, rz];
+ }
}
- if (wtns.nWitness !== zkey.nVars - zkey.nAdditions) {
- throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
- }
+ async function round4() {
+ const pol_qm = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qm, 0 , zkey.domainSize*n8r, sectionsZKey[7][0].p);
+
+ const pol_ql = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_ql, 0 , zkey.domainSize*n8r, sectionsZKey[8][0].p);
+
+ const pol_qr = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qr, 0 , zkey.domainSize*n8r, sectionsZKey[9][0].p);
+
+ const pol_qo = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qo, 0 , zkey.domainSize*n8r, sectionsZKey[10][0].p);
- const curve = zkey.curve;
+ const pol_qc = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qc, 0 , zkey.domainSize*n8r, sectionsZKey[11][0].p);
- const Fr = curve.Fr;
+ const pol_s3 = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_s3, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 10*zkey.domainSize*n8r);
- const sFr = curve.Fr.n8;
- const sG1 = curve.G1.F.n8 * 2;
- const sDomain = zkey.domainSize * sFr;
+ const transcript4 = new Uint8Array(G1.F.n8*2*3);
+ G1.toRprUncompressed(transcript4, 0, proof.T1);
+ G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
+ G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
+ ch.xi = hashToFr(transcript4);
- if (logger) {
- logger.info("----------------------------");
- logger.info(" FFLONK PROVE SETTINGS");
- logger.info(` Curve: ${curve.name}`);
- logger.info(` Circuit power: ${zkey.power}`);
- logger.info(` Domain size: ${zkey.domainSize}`);
- logger.info(` Vars: ${zkey.nVars}`);
- logger.info(` Public vars: ${zkey.nPublic}`);
- logger.info(` Constraints: ${zkey.nConstraints}`);
- logger.info(` Additions: ${zkey.nAdditions}`);
- logger.info("----------------------------");
- }
+ if (logger) logger.debug("xi: " + Fr.toString(ch.xi));
- //Read witness data
- if (logger) logger.info("> Reading witness file data");
- const buffWitness = await binFileUtils__namespace.readSection(fdWtns, wtnsSections, 2);
- await fdWtns.close();
+ proof.eval_a = evalPol(pol_a, ch.xi);
+ proof.eval_b = evalPol(pol_b, ch.xi);
+ proof.eval_c = evalPol(pol_c, ch.xi);
+ proof.eval_s1 = evalPol(pol_s1, ch.xi);
+ proof.eval_s2 = evalPol(pol_s2, ch.xi);
+ proof.eval_t = evalPol(pol_t, ch.xi);
+ proof.eval_zw = evalPol(pol_z, Fr.mul(ch.xi, Fr.w[zkey.power]));
- // First element in plonk is not used and can be any value. (But always the same).
- // We set it to zero to go faster in the exponentiations.
- buffWitness.set(Fr.zero, 0);
- const buffInternalWitness = new ffjavascript.BigBuffer(zkey.nAdditions * sFr);
+ const coef_ab = Fr.mul(proof.eval_a, proof.eval_b);
+
+ let e2a = proof.eval_a;
+ const betaxi = Fr.mul(ch.beta, ch.xi);
+ e2a = Fr.add( e2a, betaxi);
+ e2a = Fr.add( e2a, ch.gamma);
- let buffers = {};
- let polynomials = {};
- let evaluations = {};
+ let e2b = proof.eval_b;
+ e2b = Fr.add( e2b, Fr.mul(betaxi, zkey.k1));
+ e2b = Fr.add( e2b, ch.gamma);
- // To divide prime fields the Extended Euclidean Algorithm for computing modular inverses is needed.
- // NOTE: This is the equivalent of compute 1/denominator and then multiply it by the numerator.
- // The Extended Euclidean Algorithm is expensive in terms of computation.
- // For the special case where we need to do many modular inverses, there's a simple mathematical trick
- // that allows us to compute many inverses, called Montgomery batch inversion.
- // More info: https://vitalik.ca/general/2018/07/21/starks_part_3.html
- // Montgomery batch inversion reduces the n inverse computations to a single one
- // To save this (single) inverse computation on-chain, will compute it in proving time and send it to the verifier.
- // The verifier will have to check:
- // 1) the denominator is correct multiplying by himself non-inverted -> a * 1/a == 1
- // 2) compute the rest of the denominators using the Montgomery batch inversion
- // The inversions are:
- // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
- // · denominator needed in step 10 and 11 of the verifier
- // · denominator needed in the verifier when computing L_i^{S1}(X) and L_i^{S2}(X)
- // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
- let toInverse = {};
+ let e2c = proof.eval_c;
+ e2c = Fr.add( e2c, Fr.mul(betaxi, zkey.k2));
+ e2c = Fr.add( e2c, ch.gamma);
- let challenges = {};
- let roots = {};
+ const e2 = Fr.mul(Fr.mul(Fr.mul(e2a, e2b), e2c), ch.alpha);
- let proof = new Proof(curve, logger);
+ let e3a = proof.eval_a;
+ e3a = Fr.add( e3a, Fr.mul(ch.beta, proof.eval_s1));
+ e3a = Fr.add( e3a, ch.gamma);
- if (logger) logger.info(`> Reading Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
- await calculateAdditions();
+ let e3b = proof.eval_b;
+ e3b = Fr.add( e3b, Fr.mul(ch.beta, proof.eval_s2));
+ e3b = Fr.add( e3b, ch.gamma);
- if (logger) logger.info(`> Reading Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
- if (logger) logger.info("··· Reading Sigma polynomials ");
- polynomials.Sigma1 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
- polynomials.Sigma2 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
- polynomials.Sigma3 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ let e3 = Fr.mul(e3a, e3b);
+ e3 = Fr.mul(e3, ch.beta);
+ e3 = Fr.mul(e3, proof.eval_zw);
+ e3 = Fr.mul(e3, ch.alpha);
- await fdZKey.readToBuffer(polynomials.Sigma1.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p);
- await fdZKey.readToBuffer(polynomials.Sigma2.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p);
- await fdZKey.readToBuffer(polynomials.Sigma3.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p);
+ ch.xim= ch.xi;
+ for (let i=0; i Reading Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
- const PTau = new ffjavascript.BigBuffer(zkey.domainSize * 16 * sG1);
- // domainSize * 9 + 18 = SRS length in the zkey saved in setup process.
- // it corresponds to the maximum SRS length needed, specifically to commit C2
- // notice that the reserved buffers size is zkey.domainSize * 16 * sG1 because a power of two buffer size is needed
- // the remaining buffer not filled from SRS are set to 0
- await fdZKey.readToBuffer(PTau, 0, (zkey.domainSize * 9 + 18) * sG1, zkeySections[ZKEY_FF_PTAU_SECTION][0].p);
+ pol_r = new ffjavascript.BigBuffer((zkey.domainSize+3)*n8r);
- // START FFLONK PROVER PROTOCOL
- if (globalThis.gc) globalThis.gc();
+ for (let i = 0; i ROUND 1");
- await round1();
+ proof.eval_r = evalPol(pol_r, ch.xi);
+ }
- delete polynomials.T0;
- delete evaluations.QL;
- delete evaluations.QR;
- delete evaluations.QM;
- delete evaluations.QO;
- delete evaluations.QC;
- if (globalThis.gc) globalThis.gc();
+ async function round5() {
+ const transcript5 = new Uint8Array(n8r*7);
+ Fr.toRprBE(transcript5, 0, proof.eval_a);
+ Fr.toRprBE(transcript5, n8r, proof.eval_b);
+ Fr.toRprBE(transcript5, n8r*2, proof.eval_c);
+ Fr.toRprBE(transcript5, n8r*3, proof.eval_s1);
+ Fr.toRprBE(transcript5, n8r*4, proof.eval_s2);
+ Fr.toRprBE(transcript5, n8r*5, proof.eval_zw);
+ Fr.toRprBE(transcript5, n8r*6, proof.eval_r);
+ ch.v = [];
+ ch.v[1] = hashToFr(transcript5);
+ if (logger) logger.debug("v: " + Fr.toString(ch.v[1]));
- // ROUND 2. Compute C2(X) polynomial
- if (logger) logger.info("> ROUND 2");
- await round2();
+ for (let i=2; i<=6; i++ ) ch.v[i] = Fr.mul(ch.v[i-1], ch.v[1]);
+
+ let pol_wxi = new ffjavascript.BigBuffer((zkey.domainSize+6)*n8r);
- delete buffers.A;
- delete buffers.B;
- delete buffers.C;
- delete evaluations.A;
- delete evaluations.B;
- delete evaluations.C;
- delete evaluations.Sigma1;
- delete evaluations.Sigma2;
- delete evaluations.Sigma3;
- delete evaluations.lagrange1;
- delete evaluations.Z;
- if (globalThis.gc) globalThis.gc();
+ const xi2m = Fr.mul(ch.xim, ch.xim);
- // ROUND 3. Compute opening evaluations
- if (logger) logger.info("> ROUND 3");
- await round3();
+ for (let i = 0; i < zkey.domainSize + 6; i++) {
+ let w = Fr.zero;
- delete polynomials.A;
- delete polynomials.B;
- delete polynomials.C;
- delete polynomials.Z;
- delete polynomials.T1;
- delete polynomials.T2;
- delete polynomials.Sigma1;
- delete polynomials.Sigma2;
- delete polynomials.Sigma3;
- delete polynomials.QL;
- delete polynomials.QR;
- delete polynomials.QM;
- delete polynomials.QC;
- delete polynomials.QO;
- if (globalThis.gc) globalThis.gc();
+ const polTHigh = pol_t.slice((zkey.domainSize * 2 + i) * n8r, (zkey.domainSize * 2 + i + 1) * n8r);
+ w = Fr.add(w, Fr.mul(xi2m, polTHigh));
- // ROUND 4. Compute W(X) polynomial
- if (logger) logger.info("> ROUND 4");
- await round4();
- if (globalThis.gc) globalThis.gc();
+ if (i < zkey.domainSize + 3) {
+ w = Fr.add(w, Fr.mul(ch.v[1], pol_r.slice(i * n8r, (i + 1) * n8r)));
+ }
- // ROUND 5. Compute W'(X) polynomial
- if (logger) logger.info("> ROUND 5");
- await round5();
+ if (i < zkey.domainSize + 2) {
+ w = Fr.add(w, Fr.mul(ch.v[2], pol_a.slice(i * n8r, (i + 1) * n8r)));
+ w = Fr.add(w, Fr.mul(ch.v[3], pol_b.slice(i * n8r, (i + 1) * n8r)));
+ w = Fr.add(w, Fr.mul(ch.v[4], pol_c.slice(i * n8r, (i + 1) * n8r)));
+ }
- delete polynomials.C0;
- delete polynomials.C1;
- delete polynomials.C2;
- delete polynomials.R1;
- delete polynomials.R2;
- delete polynomials.F;
- delete polynomials.L;
- delete polynomials.ZT;
- delete polynomials.ZTS2;
- await fdZKey.close();
- if (globalThis.gc) globalThis.gc();
+ if (i < zkey.domainSize) {
+ const polTLow = pol_t.slice(i * n8r, (i + 1) * n8r);
+ w = Fr.add(w, polTLow);
- proof.addEvaluation("inv", getMontgomeryBatchedInverse());
+ const polTMid = pol_t.slice((zkey.domainSize + i) * n8r, (zkey.domainSize + i + 1) * n8r);
+ w = Fr.add(w, Fr.mul(ch.xim, polTMid));
- // Prepare proof
- let _proof = proof.toObjectProof();
- _proof.protocol = "fflonk";
- _proof.curve = curve.name;
+ w = Fr.add(w, Fr.mul(ch.v[5], pol_s1.slice(i * n8r, (i + 1) * n8r)));
+ w = Fr.add(w, Fr.mul(ch.v[6], pol_s2.slice(i * n8r, (i + 1) * n8r)));
+ }
- // Prepare public inputs
- let publicSignals = [];
+ // b_10 and b_11 blinding scalars were applied on round 3 to randomize the polynomials t_low, t_mid, t_high
+ // Subtract blinding scalar b_10 and b_11 to the lowest coefficient
+ if (i === 0) {
+ w = Fr.sub(w, Fr.mul(xi2m, ch.b[11]));
+ w = Fr.sub(w, Fr.mul(ch.xim, ch.b[10]));
+ }
- for (let i = 1; i <= zkey.nPublic; i++) {
- const i_sFr = i * sFr;
+ // Add blinding scalars b_10 and b_11 to the coefficient n
+ if (i === zkey.domainSize) {
+ w = Fr.add(w, ch.b[10]);
+ w = Fr.add(w, Fr.mul(ch.xim, ch.b[11]));
+ }
- const pub = buffWitness.slice(i_sFr, i_sFr + sFr);
- publicSignals.push(ffjavascript.Scalar.fromRprLE(pub));
- }
+ pol_wxi.set(w, i * n8r);
+ }
- if (logger) logger.info("FFLONK PROVER FINISHED");
+ let w0 = pol_wxi.slice(0, n8r);
+ w0 = Fr.sub(w0, proof.eval_t);
+ w0 = Fr.sub(w0, Fr.mul(ch.v[1], proof.eval_r));
+ w0 = Fr.sub(w0, Fr.mul(ch.v[2], proof.eval_a));
+ w0 = Fr.sub(w0, Fr.mul(ch.v[3], proof.eval_b));
+ w0 = Fr.sub(w0, Fr.mul(ch.v[4], proof.eval_c));
+ w0 = Fr.sub(w0, Fr.mul(ch.v[5], proof.eval_s1));
+ w0 = Fr.sub(w0, Fr.mul(ch.v[6], proof.eval_s2));
+ pol_wxi.set(w0, 0);
- return {
- proof: stringifyBigInts$6(_proof),
- publicSignals: stringifyBigInts$6(publicSignals)
- };
+ pol_wxi= divPol1(pol_wxi, ch.xi);
- async function calculateAdditions() {
- if (logger) logger.info("··· Computing additions");
- const additionsBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_ADDITIONS_SECTION);
+ proof.Wxi = await expTau(pol_wxi, "multiexp Wxi");
- // sizes: wireId_x = 4 bytes (32 bits), factor_x = field size bits
- // Addition form: wireId_a wireId_b factor_a factor_b (size is 4 + 4 + sFr + sFr)
- const sSum = 8 + sFr * 2;
+ let pol_wxiw = new ffjavascript.BigBuffer((zkey.domainSize+3)*n8r);
+ for (let i=0; i=0; i--) {
+ res = Fr.add(Fr.mul(res, x), P.slice(i*n8r, (i+1)*n8r));
+ }
+ return res;
+ }
- buffInternalWitness.set(result, sFr * i);
+ function divPol1(P, d) {
+ const n = P.byteLength/n8r;
+ const res = new ffjavascript.BigBuffer(n*n8r);
+ res.set(Fr.zero, (n-1) *n8r);
+ res.set(P.slice((n-1)*n8r, n*n8r), (n-2)*n8r);
+ for (let i=n-3; i>=0; i--) {
+ res.set(
+ Fr.add(
+ P.slice((i+1)*n8r, (i+2)*n8r),
+ Fr.mul(
+ d,
+ res.slice((i+1)*n8r, (i+2)*n8r)
+ )
+ ),
+ i*n8r
+ );
+ }
+ if (!Fr.eq(
+ P.slice(0, n8r),
+ Fr.mul(
+ Fr.neg(d),
+ res.slice(0, n8r)
+ )
+ )) {
+ throw new Error("Polinomial does not divide");
}
+ return res;
}
- function readUInt32(b, o) {
- const buff = b.slice(o, o + 4);
- const buffV = new DataView(buff.buffer, buff.byteOffset, buff.byteLength);
- return buffV.getUint32(0, true);
+ async function expTau(b, name) {
+ const n = b.byteLength/n8r;
+ const PTauN = PTau.slice(0, n*curve.G1.F.n8*2);
+ const bm = await curve.Fr.batchFromMontgomery(b);
+ let res = await curve.G1.multiExpAffine(PTauN, bm, logger, name);
+ res = curve.G1.toAffine(res);
+ return res;
}
- function getWitness(idx) {
- let diff = zkey.nVars - zkey.nAdditions;
- if (idx < diff) {
- return buffWitness.slice(idx * sFr, idx * sFr + sFr);
- } else if (idx < zkey.nVars) {
- const offset = (idx - diff) * sFr;
- return buffInternalWitness.slice(offset, offset + sFr);
- }
- return Fr.zero;
- }
+ async function to4T(A, pz) {
+ pz = pz || [];
+ let a = await Fr.ifft(A);
+ const a4 = new ffjavascript.BigBuffer(n8r*zkey.domainSize*4);
+ a4.set(a, 0);
- async function round1() {
- // STEP 1.1 - Generate random blinding scalars (b_1, ..., b9) ∈ F
- challenges.b = [];
- for (let i = 1; i <= 9; i++) {
- challenges.b[i] = Fr.random();
+ const a1 = new ffjavascript.BigBuffer(n8r*(zkey.domainSize + pz.length));
+ a1.set(a, 0);
+ for (let i= 0; i Computing A, B, C wire polynomials");
- await computeWirePolynomials();
- // STEP 1.3 - Compute the quotient polynomial T0(X)
- if (logger) logger.info("> Computing T0 polynomial");
- await computeT0();
+}
- // STEP 1.4 - Compute the FFT-style combination polynomial C1(X)
- if (logger) logger.info("> Computing C1 polynomial");
- await computeC1();
+/*
+ Copyright 2021 0KIMS association.
- // The first output of the prover is ([C1]_1)
- if (logger) logger.info("> Computing C1 multi exponentiation");
- let commitC1 = await polynomials.C1.multiExponentiation(PTau, "C1");
- proof.addPolynomial("C1", commitC1);
+ This file is part of snarkJS.
- return 0;
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- async function computeWirePolynomials() {
- if (logger) logger.info("··· Reading data from zkey file");
- // Build A, B and C evaluations buffer from zkey and witness files
- buffers.A = new ffjavascript.BigBuffer(sDomain);
- buffers.B = new ffjavascript.BigBuffer(sDomain);
- buffers.C = new ffjavascript.BigBuffer(sDomain);
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- // Read zkey sections and fill the buffers
- const aMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_A_MAP_SECTION);
- const bMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_B_MAP_SECTION);
- const cMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_C_MAP_SECTION);
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+const {unstringifyBigInts: unstringifyBigInts$6} = ffjavascript.utils;
- // Compute all witness from signal ids and set them to A,B & C buffers
- for (let i = 0; i < zkey.nConstraints; i++) {
- const i_sFr = i * sFr;
- const offset = i * 4;
+async function plonkFullProve$1(_input, wasmFile, zkeyFileName, logger) {
+ const input = unstringifyBigInts$6(_input);
- // Compute A value from a signal id
- const signalIdA = readUInt32(aMapBuff, offset);
- buffers.A.set(getWitness(signalIdA), i_sFr);
+ const wtns= {
+ type: "mem"
+ };
+ await wtnsCalculate$1(input, wasmFile, wtns);
+ return await plonk16Prove(zkeyFileName, wtns, logger);
+}
- // Compute B value from a signal id
- const signalIdB = readUInt32(bMapBuff, offset);
- buffers.B.set(getWitness(signalIdB), i_sFr);
+/*
+ Copyright 2021 0kims association.
- // Compute C value from a signal id
- const signalIdC = readUInt32(cMapBuff, offset);
- buffers.C.set(getWitness(signalIdC), i_sFr);
- }
+ This file is part of snarkjs.
- // Blind a(X), b(X) and c(X) polynomials coefficients with blinding scalars b
- buffers.A.set(challenges.b[1], sDomain - 64);
- buffers.A.set(challenges.b[2], sDomain - 32);
- buffers.B.set(challenges.b[3], sDomain - 64);
- buffers.B.set(challenges.b[4], sDomain - 32);
- buffers.C.set(challenges.b[5], sDomain - 64);
- buffers.C.set(challenges.b[6], sDomain - 32);
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- buffers.A = await Fr.batchToMontgomery(buffers.A);
- buffers.B = await Fr.batchToMontgomery(buffers.B);
- buffers.C = await Fr.batchToMontgomery(buffers.C);
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- // Compute the coefficients of the wire polynomials a(X), b(X) and c(X) from A,B & C buffers
- if (logger) logger.info("··· Computing A ifft");
- polynomials.A = await Polynomial.fromEvaluations(buffers.A, curve, logger);
- if (logger) logger.info("··· Computing B ifft");
- polynomials.B = await Polynomial.fromEvaluations(buffers.B, curve, logger);
- if (logger) logger.info("··· Computing C ifft");
- polynomials.C = await Polynomial.fromEvaluations(buffers.C, curve, logger);
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+const {unstringifyBigInts: unstringifyBigInts$5} = ffjavascript.utils;
+const { keccak256: keccak256$1 } = jsSha3__default["default"];
- // Compute extended evaluations of a(X), b(X) and c(X) polynomials
- if (logger) logger.info("··· Computing A fft");
- evaluations.A = await Evaluations.fromPolynomial(polynomials.A, 4, curve, logger);
- if (logger) logger.info("··· Computing B fft");
- evaluations.B = await Evaluations.fromPolynomial(polynomials.B, 4, curve, logger);
- if (logger) logger.info("··· Computing C fft");
- evaluations.C = await Evaluations.fromPolynomial(polynomials.C, 4, curve, logger);
- // Check degrees
- if (polynomials.A.degree() >= zkey.domainSize) {
- throw new Error("A Polynomial is not well calculated");
- }
- if (polynomials.B.degree() >= zkey.domainSize) {
- throw new Error("B Polynomial is not well calculated");
- }
- if (polynomials.C.degree() >= zkey.domainSize) {
- throw new Error("C Polynomial is not well calculated");
- }
+async function plonkVerify$1(_vk_verifier, _publicSignals, _proof, logger) {
+ let vk_verifier = unstringifyBigInts$5(_vk_verifier);
+ let proof = unstringifyBigInts$5(_proof);
+ let publicSignals = unstringifyBigInts$5(_publicSignals);
+
+ const curve = await getCurveFromName(vk_verifier.curve);
+
+ const Fr = curve.Fr;
+ const G1 = curve.G1;
+
+ proof = fromObjectProof(curve,proof);
+ vk_verifier = fromObjectVk$1(curve, vk_verifier);
+ if (!isWellConstructed(curve, proof)) {
+ logger.error("Proof is not well constructed");
+ return false;
+ }
+ if (publicSignals.length != vk_verifier.nPublic) {
+ logger.error("Invalid number of public inputs");
+ return false;
+ }
+ const challanges = calculateChallanges(curve, proof, publicSignals);
+ if (logger) {
+ logger.debug("beta: " + Fr.toString(challanges.beta, 16));
+ logger.debug("gamma: " + Fr.toString(challanges.gamma, 16));
+ logger.debug("alpha: " + Fr.toString(challanges.alpha, 16));
+ logger.debug("xi: " + Fr.toString(challanges.xi, 16));
+ logger.debug("v1: " + Fr.toString(challanges.v[1], 16));
+ logger.debug("v6: " + Fr.toString(challanges.v[6], 16));
+ logger.debug("u: " + Fr.toString(challanges.u, 16));
+ }
+ const L = calculateLagrangeEvaluations(curve, challanges, vk_verifier);
+ if (logger) {
+ logger.debug("Lagrange Evaluations: ");
+ for (let i=1; i q_L(X)·a(X)
- const e1 = Fr.mul(a, ql);
- // expression 2 -> q_R(X)·b(X)
- const e2 = Fr.mul(b, qr);
+function fromObjectProof(curve, proof) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
+ const res = {};
+ res.A = G1.fromObject(proof.A);
+ res.B = G1.fromObject(proof.B);
+ res.C = G1.fromObject(proof.C);
+ res.Z = G1.fromObject(proof.Z);
+ res.T1 = G1.fromObject(proof.T1);
+ res.T2 = G1.fromObject(proof.T2);
+ res.T3 = G1.fromObject(proof.T3);
+ res.eval_a = Fr.fromObject(proof.eval_a);
+ res.eval_b = Fr.fromObject(proof.eval_b);
+ res.eval_c = Fr.fromObject(proof.eval_c);
+ res.eval_zw = Fr.fromObject(proof.eval_zw);
+ res.eval_s1 = Fr.fromObject(proof.eval_s1);
+ res.eval_s2 = Fr.fromObject(proof.eval_s2);
+ res.eval_r = Fr.fromObject(proof.eval_r);
+ res.Wxi = G1.fromObject(proof.Wxi);
+ res.Wxiw = G1.fromObject(proof.Wxiw);
+ return res;
+}
- // expression 3 -> q_M(X)·a(X)·b(X)
- const e3 = Fr.mul(Fr.mul(a, b), qm);
+function fromObjectVk$1(curve, vk) {
+ const G1 = curve.G1;
+ const G2 = curve.G2;
+ const Fr = curve.Fr;
+ const res = vk;
+ res.Qm = G1.fromObject(vk.Qm);
+ res.Ql = G1.fromObject(vk.Ql);
+ res.Qr = G1.fromObject(vk.Qr);
+ res.Qo = G1.fromObject(vk.Qo);
+ res.Qc = G1.fromObject(vk.Qc);
+ res.S1 = G1.fromObject(vk.S1);
+ res.S2 = G1.fromObject(vk.S2);
+ res.S3 = G1.fromObject(vk.S3);
+ res.k1 = Fr.fromObject(vk.k1);
+ res.k2 = Fr.fromObject(vk.k2);
+ res.X_2 = G2.fromObject(vk.X_2);
- // expression 4 -> q_O(X)·c(X)
- const e4 = Fr.mul(c, qo);
+ return res;
+}
- // t0 = expressions 1 + expression 2 + expression 3 + expression 4 + qc + pi
- const t0 = Fr.add(e1, Fr.add(e2, Fr.add(e3, Fr.add(e4, Fr.add(qc, pi)))));
+function isWellConstructed(curve, proof) {
+ const G1 = curve.G1;
+ if (!G1.isValid(proof.A)) return false;
+ if (!G1.isValid(proof.B)) return false;
+ if (!G1.isValid(proof.C)) return false;
+ if (!G1.isValid(proof.Z)) return false;
+ if (!G1.isValid(proof.T1)) return false;
+ if (!G1.isValid(proof.T2)) return false;
+ if (!G1.isValid(proof.T3)) return false;
+ if (!G1.isValid(proof.Wxi)) return false;
+ if (!G1.isValid(proof.Wxiw)) return false;
+ return true;
+}
- buffers.T0.set(t0, i * sFr);
- }
+function calculateChallanges(curve, proof, publicSignals) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
+ const n8r = curve.Fr.n8;
+ const res = {};
- if (logger) logger.info("buffer T0: " + buffers.T0.byteLength / sFr);
+ const transcript1 = new Uint8Array(publicSignals.length*n8r + G1.F.n8*2*3);
+ for (let i=0; i= 2 * zkey.domainSize - 2) {
- throw new Error(`T0 Polynomial is not well calculated (degree is ${polynomials.T0.degree()} and must be less than ${2 * zkey.domainSize + 2}`);
- }
+ const transcript4 = new Uint8Array(G1.F.n8*2*3);
+ G1.toRprUncompressed(transcript4, 0, proof.T1);
+ G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
+ G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
+ res.xi = hashToFr(curve, transcript4);
- delete buffers.T0;
- }
+ const transcript5 = new Uint8Array(n8r*7);
+ Fr.toRprBE(transcript5, 0, proof.eval_a);
+ Fr.toRprBE(transcript5, n8r, proof.eval_b);
+ Fr.toRprBE(transcript5, n8r*2, proof.eval_c);
+ Fr.toRprBE(transcript5, n8r*3, proof.eval_s1);
+ Fr.toRprBE(transcript5, n8r*4, proof.eval_s2);
+ Fr.toRprBE(transcript5, n8r*5, proof.eval_zw);
+ Fr.toRprBE(transcript5, n8r*6, proof.eval_r);
+ res.v = [];
+ res.v[1] = hashToFr(curve, transcript5);
- async function computeC1() {
- let C1 = new CPolynomial(4, curve, logger);
- C1.addPolynomial(0, polynomials.A);
- C1.addPolynomial(1, polynomials.B);
- C1.addPolynomial(2, polynomials.C);
- C1.addPolynomial(3, polynomials.T0);
+ for (let i=2; i<=6; i++ ) res.v[i] = Fr.mul(res.v[i-1], res.v[1]);
- polynomials.C1 = C1.getPolynomial();
+ const transcript6 = new Uint8Array(G1.F.n8*2*2);
+ G1.toRprUncompressed(transcript6, 0, proof.Wxi);
+ G1.toRprUncompressed(transcript6, G1.F.n8*2, proof.Wxiw);
+ res.u = hashToFr(curve, transcript6);
- // Check degree
- if (polynomials.C1.degree() >= 8 * zkey.domainSize - 8) {
- throw new Error("C1 Polynomial is not well calculated");
- }
- }
- }
+ return res;
+}
- async function round2() {
- // STEP 2.1 - Compute permutation challenge beta and gamma ∈ F
- // Compute permutation challenge beta
- if (logger) logger.info("> Computing challenges beta and gamma");
- const transcript = new Keccak256Transcript(curve);
+function calculateLagrangeEvaluations(curve, challanges, vk) {
+ const Fr = curve.Fr;
- // Add C0 to the transcript
- transcript.addPolCommitment(zkey.C0);
+ let xin = challanges.xi;
+ let domainSize = 1;
+ for (let i=0; i Computing Z polynomial");
- await computeZ();
+function calculatePl(curve, publicSignals, L) {
+ const Fr = curve.Fr;
- // STEP 2.3 - Compute quotient polynomial T1(X) and T2(X)
- if (logger) logger.info("> Computing T1 polynomial");
- await computeT1();
- if (logger) logger.info("> Computing T2 polynomial");
- await computeT2();
+ let pl = Fr.zero;
+ for (let i=0; i Computing C2 polynomial");
- await computeC2();
+function calculateT(curve, proof, challanges, pl, l1) {
+ const Fr = curve.Fr;
+ let num = proof.eval_r;
+ num = Fr.add(num, pl);
- // The second output of the prover is ([C2]_1)
- if (logger) logger.info("> Computing C2 multi exponentiation");
- let commitC2 = await polynomials.C2.multiExponentiation(PTau, "C2");
- proof.addPolynomial("C2", commitC2);
+ let e1 = proof.eval_a;
+ e1 = Fr.add(e1, Fr.mul(challanges.beta, proof.eval_s1));
+ e1 = Fr.add(e1, challanges.gamma);
- return 0;
+ let e2 = proof.eval_b;
+ e2 = Fr.add(e2, Fr.mul(challanges.beta, proof.eval_s2));
+ e2 = Fr.add(e2, challanges.gamma);
- async function computeZ() {
- if (logger) logger.info("··· Computing Z evaluations");
+ let e3 = proof.eval_c;
+ e3 = Fr.add(e3, challanges.gamma);
- let numArr = new ffjavascript.BigBuffer(sDomain);
- let denArr = new ffjavascript.BigBuffer(sDomain);
+ let e = Fr.mul(Fr.mul(e1, e2), e3);
+ e = Fr.mul(e, proof.eval_zw);
+ e = Fr.mul(e, challanges.alpha);
- // Set the first values to 1
- numArr.set(Fr.one, 0);
- denArr.set(Fr.one, 0);
+ num = Fr.sub(num, e);
- // Set initial omega
- let w = Fr.one;
- for (let i = 0; i < zkey.domainSize; i++) {
- if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` Z evaluation ${i}/${zkey.domainSize}`);
- const i_sFr = i * sFr;
+ num = Fr.sub(num, Fr.mul(l1, Fr.square(challanges.alpha)));
- // Z(X) := numArr / denArr
- // numArr := (a + beta·ω + gamma)(b + beta·ω·k1 + gamma)(c + beta·ω·k2 + gamma)
- const betaw = Fr.mul(challenges.beta, w);
+ const t = Fr.div(num, challanges.zh);
- let num1 = buffers.A.slice(i_sFr, i_sFr + sFr);
- num1 = Fr.add(num1, betaw);
- num1 = Fr.add(num1, challenges.gamma);
+ return t;
+}
- let num2 = buffers.B.slice(i_sFr, i_sFr + sFr);
- num2 = Fr.add(num2, Fr.mul(zkey.k1, betaw));
- num2 = Fr.add(num2, challenges.gamma);
+function calculateD(curve, proof, challanges, vk, l1) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
- let num3 = buffers.C.slice(i_sFr, i_sFr + sFr);
- num3 = Fr.add(num3, Fr.mul(zkey.k2, betaw));
- num3 = Fr.add(num3, challenges.gamma);
+ let s1 = Fr.mul(Fr.mul(proof.eval_a, proof.eval_b), challanges.v[1]);
+ let res = G1.timesFr(vk.Qm, s1);
- let num = Fr.mul(num1, Fr.mul(num2, num3));
+ let s2 = Fr.mul(proof.eval_a, challanges.v[1]);
+ res = G1.add(res, G1.timesFr(vk.Ql, s2));
- // denArr := (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)
- let den1 = buffers.A.slice(i_sFr, i_sFr + sFr);
- den1 = Fr.add(den1, Fr.mul(challenges.beta, evaluations.Sigma1.getEvaluation(i * 4)));
- den1 = Fr.add(den1, challenges.gamma);
+ let s3 = Fr.mul(proof.eval_b, challanges.v[1]);
+ res = G1.add(res, G1.timesFr(vk.Qr, s3));
- let den2 = buffers.B.slice(i_sFr, i_sFr + sFr);
- den2 = Fr.add(den2, Fr.mul(challenges.beta, evaluations.Sigma2.getEvaluation(i * 4)));
- den2 = Fr.add(den2, challenges.gamma);
+ let s4 = Fr.mul(proof.eval_c, challanges.v[1]);
+ res = G1.add(res, G1.timesFr(vk.Qo, s4));
- let den3 = buffers.C.slice(i_sFr, i_sFr + sFr);
- den3 = Fr.add(den3, Fr.mul(challenges.beta, evaluations.Sigma3.getEvaluation(i * 4)));
- den3 = Fr.add(den3, challenges.gamma);
+ res = G1.add(res, G1.timesFr(vk.Qc, challanges.v[1]));
- let den = Fr.mul(den1, Fr.mul(den2, den3));
+ const betaxi = Fr.mul(challanges.beta, challanges.xi);
+ let s6a = proof.eval_a;
+ s6a = Fr.add(s6a, betaxi);
+ s6a = Fr.add(s6a, challanges.gamma);
- // Multiply current num value with the previous one saved in numArr
- num = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), num);
- numArr.set(num, ((i + 1) % zkey.domainSize) * sFr);
+ let s6b = proof.eval_b;
+ s6b = Fr.add(s6b, Fr.mul(betaxi, vk.k1));
+ s6b = Fr.add(s6b, challanges.gamma);
- // Multiply current den value with the previous one saved in denArr
- den = Fr.mul(denArr.slice(i_sFr, i_sFr + sFr), den);
- denArr.set(den, ((i + 1) % zkey.domainSize) * sFr);
+ let s6c = proof.eval_c;
+ s6c = Fr.add(s6c, Fr.mul(betaxi, vk.k2));
+ s6c = Fr.add(s6c, challanges.gamma);
- // Next omega
- w = Fr.mul(w, Fr.w[zkey.power]);
- }
- // Compute the inverse of denArr to compute in the next command the
- // division numArr/denArr by multiplying num · 1/denArr
- denArr = await Fr.batchInverse(denArr);
+ let s6 = Fr.mul(Fr.mul(s6a, s6b), s6c);
+ s6 = Fr.mul(s6, Fr.mul(challanges.alpha, challanges.v[1]));
- // TODO: Do it in assembly and in parallel
- // Multiply numArr · denArr where denArr was inverted in the previous command
- for (let i = 0; i < zkey.domainSize; i++) {
- const i_sFr = i * sFr;
+ let s6d = Fr.mul(Fr.mul(l1, Fr.square(challanges.alpha)), challanges.v[1]);
+ s6 = Fr.add(s6, s6d);
- const z = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), denArr.slice(i_sFr, i_sFr + sFr));
- numArr.set(z, i_sFr);
- }
- // From now on the values saved on numArr will be Z(X) buffer
- buffers.Z = numArr;
+ s6 = Fr.add(s6, challanges.u);
+ res = G1.add(res, G1.timesFr(proof.Z, s6));
- if (!Fr.eq(numArr.slice(0, sFr), Fr.one)) {
- throw new Error("Copy constraints does not match");
- }
- // Compute polynomial coefficients z(X) from buffers.Z
- if (logger) logger.info("··· Computing Z ifft");
- polynomials.Z = await Polynomial.fromEvaluations(buffers.Z, curve, logger);
+ let s7a = proof.eval_a;
+ s7a = Fr.add(s7a, Fr.mul(challanges.beta, proof.eval_s1));
+ s7a = Fr.add(s7a, challanges.gamma);
- // Compute extended evaluations of z(X) polynomial
- if (logger) logger.info("··· Computing Z fft");
- evaluations.Z = await Evaluations.fromPolynomial(polynomials.Z, 4, curve, logger);
+ let s7b = proof.eval_b;
+ s7b = Fr.add(s7b, Fr.mul(challanges.beta, proof.eval_s2));
+ s7b = Fr.add(s7b, challanges.gamma);
- // Blind z(X) polynomial coefficients with blinding scalars b
- polynomials.Z.blindCoefficients([challenges.b[9], challenges.b[8], challenges.b[7]]);
+ let s7 = Fr.mul(s7a, s7b);
+ s7 = Fr.mul(s7, challanges.alpha);
+ s7 = Fr.mul(s7, challanges.v[1]);
+ s7 = Fr.mul(s7, challanges.beta);
+ s7 = Fr.mul(s7, proof.eval_zw);
+ res = G1.sub(res, G1.timesFr(vk.S3, s7));
- // Check degree
- if (polynomials.Z.degree() >= zkey.domainSize + 3) {
- throw new Error("Z Polynomial is not well calculated");
- }
+ return res;
+}
- delete buffers.Z;
- }
+function calculateF(curve, proof, challanges, vk, D) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
- async function computeT1() {
- if (logger) logger.info("··· Computing T1 evaluations");
+ let res = proof.T1;
- buffers.T1 = new ffjavascript.BigBuffer(sDomain * 2);
- buffers.T1z = new ffjavascript.BigBuffer(sDomain * 2);
+ res = G1.add(res, G1.timesFr(proof.T2, challanges.xin));
+ res = G1.add(res, G1.timesFr(proof.T3, Fr.square(challanges.xin)));
+ res = G1.add(res, D);
+ res = G1.add(res, G1.timesFr(proof.A, challanges.v[2]));
+ res = G1.add(res, G1.timesFr(proof.B, challanges.v[3]));
+ res = G1.add(res, G1.timesFr(proof.C, challanges.v[4]));
+ res = G1.add(res, G1.timesFr(vk.S1, challanges.v[5]));
+ res = G1.add(res, G1.timesFr(vk.S2, challanges.v[6]));
- // Set initial omega
- let omega = Fr.one;
- for (let i = 0; i < zkey.domainSize * 2; i++) {
- if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T1 evaluation ${i}/${zkey.domainSize * 4}`);
+ return res;
+}
- const omega2 = Fr.square(omega);
- const z = evaluations.Z.getEvaluation(i * 2);
- const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
+function calculateE(curve, proof, challanges, vk, t) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
- // T1(X) := (z(X) - 1) · L_1(X)
- // Compute first T1(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
- const lagrange1 = evaluations.lagrange1.getEvaluation(zkey.domainSize + i * 2);
- let t1 = Fr.mul(Fr.sub(z, Fr.one), lagrange1);
- let t1z = Fr.mul(zp, lagrange1);
+ let s = t;
- buffers.T1.set(t1, i * sFr);
- buffers.T1z.set(t1z, i * sFr);
+ s = Fr.add(s, Fr.mul(challanges.v[1], proof.eval_r));
+ s = Fr.add(s, Fr.mul(challanges.v[2], proof.eval_a));
+ s = Fr.add(s, Fr.mul(challanges.v[3], proof.eval_b));
+ s = Fr.add(s, Fr.mul(challanges.v[4], proof.eval_c));
+ s = Fr.add(s, Fr.mul(challanges.v[5], proof.eval_s1));
+ s = Fr.add(s, Fr.mul(challanges.v[6], proof.eval_s2));
+ s = Fr.add(s, Fr.mul(challanges.u, proof.eval_zw));
- // Compute next omega
- omega = Fr.mul(omega, Fr.w[zkey.power + 1]);
- }
+ const res = G1.timesFr(G1.one, s);
- // Compute the coefficients of the polynomial T1(X) from buffers.T1
- if (logger) logger.info("··· Computing T1 ifft");
- polynomials.T1 = await Polynomial.fromEvaluations(buffers.T1, curve, logger);
+ return res;
+}
- // Divide the polynomial T1 by Z_H(X)
- polynomials.T1.divByZerofier(zkey.domainSize, Fr.one);
+async function isValidPairing$1(curve, proof, challanges, vk, E, F) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
- // Compute the coefficients of the polynomial T1z(X) from buffers.T1z
- if (logger) logger.info("··· Computing T1z ifft");
- polynomials.T1z = await Polynomial.fromEvaluations(buffers.T1z, curve, logger);
+ let A1 = proof.Wxi;
+ A1 = G1.add(A1, G1.timesFr(proof.Wxiw, challanges.u));
- // Add the polynomial T1z to T1 to get the final polynomial T1
- polynomials.T1.add(polynomials.T1z);
+ let B1 = G1.timesFr(proof.Wxi, challanges.xi);
+ const s = Fr.mul(Fr.mul(challanges.u, challanges.xi), Fr.w[vk.power]);
+ B1 = G1.add(B1, G1.timesFr(proof.Wxiw, s));
+ B1 = G1.add(B1, F);
+ B1 = G1.sub(B1, E);
- // Check degree
- if (polynomials.T1.degree() >= zkey.domainSize + 2) {
- throw new Error("T1 Polynomial is not well calculated");
- }
+ const res = await curve.pairingEq(
+ G1.neg(A1) , vk.X_2,
+ B1 , curve.G2.one
+ );
- delete buffers.T1;
- delete buffers.T1z;
- delete polynomials.T1z;
- }
+ return res;
- async function computeT2() {
- if (logger) logger.info("··· Computing T2 evaluations");
+}
- buffers.T2 = new ffjavascript.BigBuffer(sDomain * 4);
- buffers.T2z = new ffjavascript.BigBuffer(sDomain * 4);
+/*
+ Copyright 2021 0KIMS association.
- // Set initial omega
- let omega = Fr.one;
- for (let i = 0; i < zkey.domainSize * 4; i++) {
- if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T2 evaluation ${i}/${zkey.domainSize * 4}`);
+ This file is part of snarkJS.
- const omega2 = Fr.square(omega);
- const omegaW = Fr.mul(omega, Fr.w[zkey.power]);
- const omegaW2 = Fr.square(omegaW);
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- const a = evaluations.A.getEvaluation(i);
- const b = evaluations.B.getEvaluation(i);
- const c = evaluations.C.getEvaluation(i);
- const z = evaluations.Z.getEvaluation(i);
- const zW = evaluations.Z.getEvaluation((zkey.domainSize * 4 + 4 + i) % (zkey.domainSize * 4));
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
- const zWp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omegaW2), Fr.mul(challenges.b[8], omegaW)), challenges.b[9]);
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+const { unstringifyBigInts: unstringifyBigInts$4} = ffjavascript.utils;
- const sigma1 = evaluations.Sigma1.getEvaluation(i);
- const sigma2 = evaluations.Sigma2.getEvaluation(i);
- const sigma3 = evaluations.Sigma3.getEvaluation(i);
+function i2hex$1(i) {
+ return ("0" + i.toString(16)).slice(-2);
+}
- // T2(X) := [ (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
- // -(a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)] · 1/Z_H(X)
- // Compute first T2(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+function p256$1(n) {
+ let nstr = n.toString(16);
+ while (nstr.length < 64) nstr = "0"+nstr;
+ nstr = `"0x${nstr}"`;
+ return nstr;
+}
- // expression 1 -> (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
- const betaX = Fr.mul(challenges.beta, omega);
+async function plonkExportSolidityCallData(_proof, _pub) {
+ const proof = unstringifyBigInts$4(_proof);
+ const pub = unstringifyBigInts$4(_pub);
- let e11 = Fr.add(a, betaX);
- e11 = Fr.add(e11, challenges.gamma);
+ const curve = await getCurveFromName(proof.curve);
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
- let e12 = Fr.add(b, Fr.mul(betaX, zkey.k1));
- e12 = Fr.add(e12, challenges.gamma);
+ let inputs = "";
+ for (let i=0; i (a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)
- let e21 = Fr.add(a, Fr.mul(challenges.beta, sigma1));
- e21 = Fr.add(e21, challenges.gamma);
+ const S="0x"+proofHex+",["+inputs+"]";
- let e22 = Fr.add(b, Fr.mul(challenges.beta, sigma2));
- e22 = Fr.add(e22, challenges.gamma);
+ return S;
+}
- let e23 = Fr.add(c, Fr.mul(challenges.beta, sigma3));
- e23 = Fr.add(e23, challenges.gamma);
+/*
+ Copyright 2022 iden3 association.
- let e2 = Fr.mul(Fr.mul(Fr.mul(e21, e22), e23), zW);
- let e2z = Fr.mul(Fr.mul(Fr.mul(e21, e22), e23), zWp);
- // const [e2, e2z] = MulZ.mul4(e21, e22, e23, zW, ap, bp, cp, zWp, i % 4, Fr);
+ This file is part of snarkjs.
- let t2 = Fr.sub(e1, e2);
- let t2z = Fr.sub(e1z, e2z);
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- buffers.T2.set(t2, i * sFr);
- buffers.T2z.set(t2z, i * sFr);
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- // Compute next omega
- omega = Fr.mul(omega, Fr.w[zkey.power + 2]);
- }
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
- // Compute the coefficients of the polynomial T2(X) from buffers.T2
- if (logger) logger.info("··· Computing T2 ifft");
- polynomials.T2 = await Polynomial.fromEvaluations(buffers.T2, curve, logger);
+// We export to zkey the signals and values of the a, b, c, ql, qr, qm, qo and qc
- // Divide the polynomial T2 by Z_H(X)
- if (logger) logger.info("··· Computing T2 / ZH");
- polynomials.T2.divByZerofier(zkey.domainSize, Fr.one);
+// a, b and c are signals id (32-bit integers)
+// ql, qr, qm, qo and qc are field values
- // Compute the coefficients of the polynomial T2z(X) from buffers.T2z
- if (logger) logger.info("··· Computing T2z ifft");
- polynomials.T2z = await Polynomial.fromEvaluations(buffers.T2z, curve, logger);
+function getFFlonkConstantConstraint(signal1, Fr) {
+ return [signal1, 0, 0, Fr.one, Fr.zero, Fr.zero, Fr.zero, Fr.zero];
+}
- // Add the polynomial T2z to T2 to get the final polynomial T2
- polynomials.T2.add(polynomials.T2z);
+function getFFlonkAdditionConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc) {
+ return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
+}
- // Check degree
- if (polynomials.T2.degree() >= 3 * zkey.domainSize) {
- throw new Error("T2 Polynomial is not well calculated");
- }
+function getFFlonkMultiplicationConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc, Fr) {
+ return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
+}
- delete buffers.T2;
- delete buffers.T2z;
- delete polynomials.T2z;
- }
+/*
+ Copyright 2022 iden3 association.
- async function computeC2() {
- let C2 = new CPolynomial(3, curve, logger);
- C2.addPolynomial(0, polynomials.Z);
- C2.addPolynomial(1, polynomials.T1);
- C2.addPolynomial(2, polynomials.T2);
+ This file is part of snarkjs.
- polynomials.C2 = C2.getPolynomial();
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- // Check degree
- if (polynomials.C2.degree() >= 9 * zkey.domainSize) {
- throw new Error("C2 Polynomial is not well calculated");
- }
- }
- }
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- async function round3() {
- if (logger) logger.info("> Computing challenge xi");
- // STEP 3.1 - Compute evaluation challenge xi ∈ S
- const transcript = new Keccak256Transcript(curve);
- transcript.addScalar(challenges.gamma);
- transcript.addPolCommitment(proof.getPolynomial("C2"));
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
- // Obtain a xi_seeder from the transcript
- // To force h1^4 = xi, h2^3 = xi and h_3^2 = xiω
- // we compute xi = xi_seeder^12, h1 = xi_seeder^3, h2 = xi_seeder^4 and h3 = xi_seeder^6
- challenges.xiSeed = transcript.getChallenge();
- const xiSeed2 = Fr.square(challenges.xiSeed);
+const LINEAR_COMBINATION_NULLABLE = 0;
+const LINEAR_COMBINATION_CONSTANT = 1;
+const LINEAR_COMBINATION_VARIABLE = 2;
- // Compute omega8, omega4 and omega3
- roots.w8 = [];
- roots.w8[0] = Fr.one;
- for (let i = 1; i < 8; i++) {
- roots.w8[i] = Fr.mul(roots.w8[i - 1], zkey.w8);
- }
+class r1csConstraintProcessor {
+ constructor(Fr, fnGetConstantConstraint, fnGetAdditionConstraint, fnGetMultiplicationConstraint, logger) {
+ this.Fr = Fr;
+ this.logger = logger;
+ this.fnGetAdditionConstraint = fnGetAdditionConstraint;
+ this.fnGetMultiplicationConstraint = fnGetMultiplicationConstraint;
+ }
- roots.w4 = [];
- roots.w4[0] = Fr.one;
- for (let i = 1; i < 4; i++) {
- roots.w4[i] = Fr.mul(roots.w4[i - 1], zkey.w4);
- }
+ processR1csConstraint(settings, lcA, lcB, lcC) {
+ this.normalizeLinearCombination(lcA);
+ this.normalizeLinearCombination(lcB);
+ this.normalizeLinearCombination(lcC);
- roots.w3 = [];
- roots.w3[0] = Fr.one;
- roots.w3[1] = zkey.w3;
- roots.w3[2] = Fr.square(zkey.w3);
+ const lctA = this.getLinearCombinationType(lcA);
+ const lctB = this.getLinearCombinationType(lcB);
- // Compute h0 = xiSeeder^3
- roots.S0 = {};
- roots.S0.h0w8 = [];
- roots.S0.h0w8[0] = Fr.mul(xiSeed2, challenges.xiSeed);
- for (let i = 1; i < 8; i++) {
- roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], roots.w8[i]);
+ if ((lctA === LINEAR_COMBINATION_NULLABLE) || (lctB === LINEAR_COMBINATION_NULLABLE)) {
+ return this.processR1csAdditionConstraint(settings, lcC);
+ } else if (lctA === LINEAR_COMBINATION_CONSTANT) {
+ const lcCC = this.joinLinearCombinations(lcB, lcC, lcA[0]);
+ return this.processR1csAdditionConstraint(settings, lcCC);
+ } else if (lctB === LINEAR_COMBINATION_CONSTANT) {
+ const lcCC = this.joinLinearCombinations(lcA, lcC, lcB[0]);
+ return this.processR1csAdditionConstraint(settings, lcCC);
+ } else {
+ return this.processR1csMultiplicationConstraint(settings, lcA, lcB, lcC);
}
+ }
- // Compute h1 = xi_seeder^6
- roots.S1 = {};
- roots.S1.h1w4 = [];
- roots.S1.h1w4[0] = Fr.square(roots.S0.h0w8[0]);
- for (let i = 1; i < 4; i++) {
- roots.S1.h1w4[i] = Fr.mul(roots.S1.h1w4[0], roots.w4[i]);
- }
+ getLinearCombinationType(linCom) {
+ // let k = this.Fr.zero;
+ //
+ // const signalIds = Object.keys(linCom);
+ // for (let i = 0; i < signalIds.length; i++) {
+ // if (signalIds[i] === "0") {
+ // k = this.Fr.add(k, linCom[signalIds[i]]);
+ // } else {
+ // return LINEAR_COMBINATION_VARIABLE;
+ // }
+ // }
+ //
+ // if (!this.Fr.eq(k, this.Fr.zero)) return LINEAR_COMBINATION_CONSTANT;
+ //
+ // return LINEAR_COMBINATION_NULLABLE;
- // Compute h2 = xi_seeder^8
- roots.S2 = {};
- roots.S2.h2w3 = [];
- roots.S2.h2w3[0] = Fr.mul(roots.S1.h1w4[0], xiSeed2);
- roots.S2.h2w3[1] = Fr.mul(roots.S2.h2w3[0], roots.w3[1]);
- roots.S2.h2w3[2] = Fr.mul(roots.S2.h2w3[0], roots.w3[2]);
+ let k = this.Fr.zero;
+ let n = 0;
+ const ss = Object.keys(linCom);
+ for (let i = 0; i < ss.length; i++) {
+ if (linCom[ss[i]] == 0n) {
+ delete linCom[ss[i]];
+ } else if (ss[i] == 0) {
+ k = this.Fr.add(k, linCom[ss[i]]);
+ } else {
+ n++;
+ }
+ }
+ if (n > 0) return LINEAR_COMBINATION_VARIABLE;
+ if (!this.Fr.isZero(k)) return LINEAR_COMBINATION_CONSTANT;
+ return LINEAR_COMBINATION_NULLABLE;
+ }
- roots.S2.h3w3 = [];
- // Multiply h3 by third-root-omega to obtain h_3^3 = xiω
- // So, h3 = xi_seeder^8 ω^{1/3}
- roots.S2.h3w3[0] = Fr.mul(roots.S2.h2w3[0], zkey.wr);
- roots.S2.h3w3[1] = Fr.mul(roots.S2.h3w3[0], roots.w3[1]);
- roots.S2.h3w3[2] = Fr.mul(roots.S2.h3w3[0], roots.w3[2]);
+ normalizeLinearCombination(linCom) {
+ const signalIds = Object.keys(linCom);
+ for (let i = 0; i < signalIds.length; i++) {
+ if (this.Fr.isZero(linCom[signalIds[i]])) delete linCom[signalIds[i]];
+ }
- // Compute xi = xi_seeder^24
- challenges.xi = Fr.mul(Fr.square(roots.S2.h2w3[0]), roots.S2.h2w3[0]);
+ return linCom;
+ }
- if (logger) logger.info("··· challenges.xi: " + Fr.toString(challenges.xi));
+ joinLinearCombinations(linCom1, linCom2, k) {
+ const res = {};
- // Reserve memory for Q's polynomials
- polynomials.QL = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
- polynomials.QR = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
- polynomials.QM = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
- polynomials.QO = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
- polynomials.QC = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ // for (let s in linCom1) {
+ // const val = this.Fr.mul(k, linCom1[s]);
+ // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
+ // }
+ //
+ // for (let s in linCom2) {
+ // const val = this.Fr.mul(k, linCom2[s]);
+ // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
+ // }
- // Read Q's evaluations from zkey file
- await fdZKey.readToBuffer(polynomials.QL.coef, 0, sDomain, zkeySections[ZKEY_FF_QL_SECTION][0].p);
- await fdZKey.readToBuffer(polynomials.QR.coef, 0, sDomain, zkeySections[ZKEY_FF_QR_SECTION][0].p);
- await fdZKey.readToBuffer(polynomials.QM.coef, 0, sDomain, zkeySections[ZKEY_FF_QM_SECTION][0].p);
- await fdZKey.readToBuffer(polynomials.QO.coef, 0, sDomain, zkeySections[ZKEY_FF_QO_SECTION][0].p);
- await fdZKey.readToBuffer(polynomials.QC.coef, 0, sDomain, zkeySections[ZKEY_FF_QC_SECTION][0].p);
+ for (let s in linCom1) {
+ if (typeof res[s] == "undefined") {
+ res[s] = this.Fr.mul(k, linCom1[s]);
+ } else {
+ res[s] = this.Fr.add(res[s], this.Fr.mul(k, linCom1[s]));
+ }
+ }
- // STEP 3.2 - Compute opening evaluations and add them to the proof (third output of the prover)
- if (logger) logger.info("··· Computing evaluations");
- proof.addEvaluation("ql", polynomials.QL.evaluate(challenges.xi));
- proof.addEvaluation("qr", polynomials.QR.evaluate(challenges.xi));
- proof.addEvaluation("qm", polynomials.QM.evaluate(challenges.xi));
- proof.addEvaluation("qo", polynomials.QO.evaluate(challenges.xi));
- proof.addEvaluation("qc", polynomials.QC.evaluate(challenges.xi));
- proof.addEvaluation("s1", polynomials.Sigma1.evaluate(challenges.xi));
- proof.addEvaluation("s2", polynomials.Sigma2.evaluate(challenges.xi));
- proof.addEvaluation("s3", polynomials.Sigma3.evaluate(challenges.xi));
- proof.addEvaluation("a", polynomials.A.evaluate(challenges.xi));
- proof.addEvaluation("b", polynomials.B.evaluate(challenges.xi));
- proof.addEvaluation("c", polynomials.C.evaluate(challenges.xi));
- proof.addEvaluation("z", polynomials.Z.evaluate(challenges.xi));
+ for (let s in linCom2) {
+ if (typeof res[s] == "undefined") {
+ res[s] = linCom2[s];
+ } else {
+ res[s] = this.Fr.add(res[s], linCom2[s]);
+ }
+ }
- challenges.xiw = Fr.mul(challenges.xi, Fr.w[zkey.power]);
- proof.addEvaluation("zw", polynomials.Z.evaluate(challenges.xiw));
- proof.addEvaluation("t1w", polynomials.T1.evaluate(challenges.xiw));
- proof.addEvaluation("t2w", polynomials.T2.evaluate(challenges.xiw));
+ return this.normalizeLinearCombination(res);
}
- async function round4() {
- if (logger) logger.info("> Computing challenge alpha");
- // STEP 4.1 - Compute challenge alpha ∈ F
- const transcript = new Keccak256Transcript(curve);
- transcript.addScalar(challenges.xiSeed);
- transcript.addScalar(proof.getEvaluation("ql"));
- transcript.addScalar(proof.getEvaluation("qr"));
- transcript.addScalar(proof.getEvaluation("qm"));
- transcript.addScalar(proof.getEvaluation("qo"));
- transcript.addScalar(proof.getEvaluation("qc"));
- transcript.addScalar(proof.getEvaluation("s1"));
- transcript.addScalar(proof.getEvaluation("s2"));
- transcript.addScalar(proof.getEvaluation("s3"));
- transcript.addScalar(proof.getEvaluation("a"));
- transcript.addScalar(proof.getEvaluation("b"));
- transcript.addScalar(proof.getEvaluation("c"));
- transcript.addScalar(proof.getEvaluation("z"));
- transcript.addScalar(proof.getEvaluation("zw"));
- transcript.addScalar(proof.getEvaluation("t1w"));
- transcript.addScalar(proof.getEvaluation("t2w"));
- challenges.alpha = transcript.getChallenge();
- if (logger) logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
+ reduceCoefs(settings, constraintsArr, additionsArr, linCom, maxC) {
+ const res = {
+ k: this.Fr.zero,
+ signals: [],
+ coefs: []
+ };
+ const cs = [];
- // STEP 4.2 - Compute F(X)
- if (logger) logger.info("> Reading C0 polynomial");
- polynomials.C0 = new Polynomial(new ffjavascript.BigBuffer(sDomain * 8), curve, logger);
- await fdZKey.readToBuffer(polynomials.C0.coef, 0, sDomain * 8, zkeySections[ZKEY_FF_C0_SECTION][0].p);
+ for (let signalId in linCom) {
+ if (signalId == 0) {
+ res.k = this.Fr.add(res.k, linCom[signalId]);
+ } else if (linCom[signalId] != 0n) {
+ cs.push([Number(signalId), linCom[signalId]]);
+ }
+ }
- if (logger) logger.info("> Computing R0 polynomial");
- computeR0();
- if (logger) logger.info("> Computing R1 polynomial");
- computeR1();
- if (logger) logger.info("> Computing R2 polynomial");
- computeR2();
+ while (cs.length > maxC) {
+ const c1 = cs.shift();
+ const c2 = cs.shift();
+ const so = settings.nVars++;
- if (logger) logger.info("> Computing F polynomial");
- await computeF();
+ const constraints = this.fnGetAdditionConstraint(
+ c1[0], c2[0], so,
+ this.Fr.neg(c1[1]), this.Fr.neg(c2[1]), this.Fr.zero, this.Fr.one, this.Fr.zero);
- // The fourth output of the prover is ([W1]_1), where W1:=(f/Z_t)(x)
- if (logger) logger.info("> Computing W1 multi exponentiation");
- let commitW1 = await polynomials.F.multiExponentiation(PTau, "W1");
- proof.addPolynomial("W1", commitW1);
+ constraintsArr.push(constraints);
+ additionsArr.push([c1[0], c2[0], c1[1], c2[1]]);
- return 0;
+ cs.push([so, this.Fr.one]);
+ }
- function computeR0() {
- // COMPUTE R0
- // Compute the coefficients of R0(X) from 8 evaluations using lagrange interpolation. R0(X) ∈ F_{<8}[X]
- // We decide to use Lagrange interpolations because the R0 degree is very small (deg(R0)===7),
- // and we were not able to compute it using current ifft implementation because the omega are different
- polynomials.R0 = Polynomial.lagrangePolynomialInterpolation(
- [roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
- roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7]],
- [polynomials.C0.evaluate(roots.S0.h0w8[0]), polynomials.C0.evaluate(roots.S0.h0w8[1]),
- polynomials.C0.evaluate(roots.S0.h0w8[2]), polynomials.C0.evaluate(roots.S0.h0w8[3]),
- polynomials.C0.evaluate(roots.S0.h0w8[4]), polynomials.C0.evaluate(roots.S0.h0w8[5]),
- polynomials.C0.evaluate(roots.S0.h0w8[6]), polynomials.C0.evaluate(roots.S0.h0w8[7])], curve);
+ for (let i = 0; i < cs.length; i++) {
+ res.signals[i] = cs[i][0];
+ res.coefs[i] = cs[i][1];
+ }
- // Check the degree of r0(X) < 8
- if (polynomials.R0.degree() > 7) {
- throw new Error("R0 Polynomial is not well calculated");
- }
+ while (res.coefs.length < maxC) {
+ res.signals.push(0);
+ res.coefs.push(this.Fr.zero);
}
- function computeR1() {
- // COMPUTE R1
- // Compute the coefficients of R1(X) from 4 evaluations using lagrange interpolation. R1(X) ∈ F_{<4}[X]
- // We decide to use Lagrange interpolations because the R1 degree is very small (deg(R1)===3),
- // and we were not able to compute it using current ifft implementation because the omega are different
- polynomials.R1 = Polynomial.lagrangePolynomialInterpolation(
- [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
- [polynomials.C1.evaluate(roots.S1.h1w4[0]), polynomials.C1.evaluate(roots.S1.h1w4[1]),
- polynomials.C1.evaluate(roots.S1.h1w4[2]), polynomials.C1.evaluate(roots.S1.h1w4[3])], curve);
+ return res;
+ }
- // Check the degree of r1(X) < 4
- if (polynomials.R1.degree() > 3) {
- throw new Error("R1 Polynomial is not well calculated");
- }
- }
+ processR1csAdditionConstraint(settings, linCom) {
+ const constraintsArr = [];
+ const additionsArr = [];
- function computeR2() {
- // COMPUTE R2
- // Compute the coefficients of r2(X) from 6 evaluations using lagrange interpolation. r2(X) ∈ F_{<6}[X]
- // We decide to use Lagrange interpolations because the R2.degree is very small (deg(R2)===5),
- // and we were not able to compute it using current ifft implementation because the omega are different
- polynomials.R2 = Polynomial.lagrangePolynomialInterpolation(
- [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
- roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
- [polynomials.C2.evaluate(roots.S2.h2w3[0]), polynomials.C2.evaluate(roots.S2.h2w3[1]),
- polynomials.C2.evaluate(roots.S2.h2w3[2]), polynomials.C2.evaluate(roots.S2.h3w3[0]),
- polynomials.C2.evaluate(roots.S2.h3w3[1]), polynomials.C2.evaluate(roots.S2.h3w3[2])], curve);
+ const C = this.reduceCoefs(settings, constraintsArr, additionsArr, linCom, 3);
- // Check the degree of r2(X) < 6
- if (polynomials.R2.degree() > 5) {
- throw new Error("R2 Polynomial is not well calculated");
- }
- }
+ const constraints = this.fnGetAdditionConstraint(
+ C.signals[0], C.signals[1], C.signals[2],
+ C.coefs[0], C.coefs[1], this.Fr.zero, C.coefs[2], C.k);
- async function computeF() {
- if (logger) logger.info("··· Computing F polynomial");
+ constraintsArr.push(constraints);
- // COMPUTE F(X)
- polynomials.F = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
- polynomials.F.sub(polynomials.R0);
- polynomials.F.divByZerofier(8, challenges.xi);
+ return [constraintsArr, additionsArr];
+ }
+
+ processR1csMultiplicationConstraint(settings, lcA, lcB, lcC) {
+ const constraintsArr = [];
+ const additionsArr = [];
- let f2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
- f2.sub(polynomials.R1);
- f2.mulScalar(challenges.alpha);
- f2.divByZerofier(4, challenges.xi);
+ const A = this.reduceCoefs(settings, constraintsArr, additionsArr, lcA, 1);
+ const B = this.reduceCoefs(settings, constraintsArr, additionsArr, lcB, 1);
+ const C = this.reduceCoefs(settings, constraintsArr, additionsArr, lcC, 1);
- let f3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
- f3.sub(polynomials.R2);
- f3.mulScalar(Fr.square(challenges.alpha));
- f3.divByZerofier(3, challenges.xi);
- f3.divByZerofier(3, challenges.xiw);
+ const constraints = this.fnGetMultiplicationConstraint(
+ A.signals[0], B.signals[0], C.signals[0],
+ this.Fr.mul(A.coefs[0], B.k),
+ this.Fr.mul(A.k, B.coefs[0]),
+ this.Fr.mul(A.coefs[0], B.coefs[0]),
+ this.Fr.neg(C.coefs[0]),
+ this.Fr.sub(this.Fr.mul(A.k, B.k), C.k));
- polynomials.F.add(f2);
- polynomials.F.add(f3);
+ constraintsArr.push(constraints);
- if (polynomials.F.degree() >= 9 * zkey.domainSize - 6) {
- throw new Error("F Polynomial is not well calculated");
- }
- }
+ return [constraintsArr, additionsArr];
}
+}
- async function round5() {
- if (logger) logger.info("> Computing challenge y");
+/*
+ Copyright 2022 iden3 association.
- // STEP 5.1 - Compute random evaluation point y ∈ F
- const transcript = new Keccak256Transcript(curve);
- transcript.addScalar(challenges.alpha);
- transcript.addPolCommitment(proof.getPolynomial("W1"));
+ This file is part of snarkjs.
- challenges.y = transcript.getChallenge();
- if (logger) logger.info("··· challenges.y: " + Fr.toString(challenges.y));
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- // STEP 5.2 - Compute L(X)
- if (logger) logger.info("> Computing L polynomial");
- await computeL();
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- if (logger) logger.info("> Computing ZTS2 polynomial");
- await computeZTS2();
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
- let ZTS2Y = polynomials.ZTS2.evaluate(challenges.y);
- ZTS2Y = Fr.inv(ZTS2Y);
- polynomials.L.mulScalar(ZTS2Y);
+class Polynomial {
+ constructor(coefficients, curve, logger) {
+ this.coef = coefficients;
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.G1 = curve.G1;
+ this.logger = logger;
+ }
- const polDividend = Polynomial.fromCoefficientsArray([Fr.neg(challenges.y), Fr.one], curve);
- if (logger) logger.info("> Computing W' = L / ZTS2 polynomial");
- const polRemainder = polynomials.L.divBy(polDividend);
+ static async fromEvaluations(buffer, curve, logger) {
+ let coefficients = await curve.Fr.ifft(buffer);
- //Check polReminder degree is equal to zero
- if (polRemainder.degree() > 0) {
- throw new Error(`Degree of L(X)/(ZTS2(y)(X-y)) remainder is ${polRemainder.degree()} and should be 0`);
- }
+ return new Polynomial(coefficients, curve, logger);
+ }
- if (polynomials.L.degree() >= 9 * zkey.domainSize - 1) {
- throw new Error("Degree of L(X)/(ZTS2(y)(X-y)) is not correct");
- }
+ static fromCoefficientsArray(array, curve, logger) {
+ const Fr = curve.Fr;
+ let buff = array.length > 2 << 14 ?
+ new ffjavascript.BigBuffer(array.length * Fr.n8) : new Uint8Array(array.length * Fr.n8);
+ for (let i = 0; i < array.length; i++) buff.set(array[i], i * Fr.n8);
- // The fifth output of the prover is ([W2]_1), where W2:=(f/Z_t)(x)
- if (logger) logger.info("> Computing W' multi exponentiation");
- let commitW2 = await polynomials.L.multiExponentiation(PTau, "W2");
- proof.addPolynomial("W2", commitW2);
+ return new Polynomial(buff, curve, logger);
+ }
- return 0;
+ static fromPolynomial(polynomial, curve, logger) {
+ let length = polynomial.length();
+ let Fr = curve.Fr;
- async function computeL() {
- if (logger) logger.info("··· Computing L polynomial");
+ let buff = length > 2 << 14 ?
+ new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ buff.set(polynomial.coef.slice(), 0);
- const evalR0Y = polynomials.R0.evaluate(challenges.y);
- const evalR1Y = polynomials.R1.evaluate(challenges.y);
- const evalR2Y = polynomials.R2.evaluate(challenges.y);
+ return new Polynomial(buff, curve, logger);
+ }
- let mulL0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
- for (let i = 1; i < 8; i++) {
- mulL0 = Fr.mul(mulL0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
- }
+ isEqual(polynomial) {
+ const degree = this.degree();
+ if (degree !== polynomial.degree()) return false;
- let mulL1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
- for (let i = 1; i < 4; i++) {
- mulL1 = Fr.mul(mulL1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
- }
+ for (let i = 0; i < degree + 1; i++) {
+ if (!this.Fr.eq(this.getCoef(i), polynomial.getCoef(i))) return false;
+ }
- let mulL2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
- for (let i = 1; i < 3; i++) {
- mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
- }
- for (let i = 0; i < 3; i++) {
- mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
- }
+ return true;
+ }
- let preL0 = Fr.mul(mulL1, mulL2);
- let preL1 = Fr.mul(challenges.alpha, Fr.mul(mulL0, mulL2));
- let preL2 = Fr.mul(Fr.square(challenges.alpha), Fr.mul(mulL0, mulL1));
+ blindCoefficients(blindingFactors) {
+ blindingFactors = blindingFactors || [];
- toInverse["denH1"] = mulL1;
- toInverse["denH2"] = mulL2;
+ const blindedCoefficients = (this.length() + blindingFactors.length) > 2 << 14 ?
+ new ffjavascript.BigBuffer((this.length() + blindingFactors.length) * this.Fr.n8) :
+ new Uint8Array((this.length() + blindingFactors.length) * this.Fr.n8);
- // COMPUTE L(X)
- polynomials.L = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
- polynomials.L.subScalar(evalR0Y);
- polynomials.L.mulScalar(preL0);
+ blindedCoefficients.set(this.coef, 0);
+ for (let i = 0; i < blindingFactors.length; i++) {
+ blindedCoefficients.set(
+ this.Fr.add(
+ blindedCoefficients.slice((this.length() + i) * this.Fr.n8, (this.length() + i + 1) * this.Fr.n8),
+ blindingFactors[i]
+ ),
+ (this.length() + i) * this.Fr.n8
+ );
+ blindedCoefficients.set(
+ this.Fr.sub(
+ blindedCoefficients.slice(i * this.Fr.n8, (i + 1) * this.Fr.n8),
+ blindingFactors[i]
+ ),
+ i * this.Fr.n8
+ );
+ }
+ this.coef = blindedCoefficients;
+ }
- let l2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
- l2.subScalar(evalR1Y);
- l2.mulScalar(preL1);
+ getCoef(index) {
+ const i_n8 = index * this.Fr.n8;
- let l3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
- l3.subScalar(evalR2Y);
- l3.mulScalar(preL2);
+ if (i_n8 + this.Fr.n8 > this.coef.byteLength) return this.Fr.zero;
- polynomials.L.add(l2);
- polynomials.L.add(l3);
+ return this.coef.slice(i_n8, i_n8 + this.Fr.n8);
+ }
- if (logger) logger.info("> Computing ZT polynomial");
- await computeZT();
+ setCoef(index, value) {
+ if (index > (this.length() - 1)) {
+ throw new Error("Coef index is not available");
+ }
- const evalZTY = polynomials.ZT.evaluate(challenges.y);
- polynomials.F.mulScalar(evalZTY);
- polynomials.L.sub(polynomials.F);
+ this.coef.set(value, index * this.Fr.n8);
+ }
- // Check degree
- if (polynomials.L.degree() >= 9 * zkey.domainSize) {
- throw new Error("L Polynomial is not well calculated");
- }
+ static async to4T(buffer, domainSize, blindingFactors, Fr) {
+ blindingFactors = blindingFactors || [];
+ let a = await Fr.ifft(buffer);
- delete buffers.L;
- }
+ const a4 = (domainSize * 4) > 2 << 14 ?
+ new ffjavascript.BigBuffer(domainSize * 4 * Fr.n8) : new Uint8Array(domainSize * 4 * Fr.n8);
+ a4.set(a, 0);
- async function computeZT() {
- polynomials.ZT = Polynomial.zerofierPolynomial(
- [
- roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
- roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7],
- roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
- roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
- roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
- }
+ const A4 = await Fr.fft(a4);
- async function computeZTS2() {
- polynomials.ZTS2 = Polynomial.zerofierPolynomial(
- [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
- roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
- roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
+ if (blindingFactors.length === 0) {
+ return [a, A4];
}
- }
- function getMontgomeryBatchedInverse() {
- // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
- let xiN = challenges.xi;
- for (let i = 0; i < zkey.power; i++) {
- xiN = Fr.square(xiN);
+ const a1 = domainSize + blindingFactors.length > 2 << 14 ?
+ new ffjavascript.BigBuffer((domainSize + blindingFactors.length) * Fr.n8) :
+ new Uint8Array((domainSize + blindingFactors.length) * Fr.n8);
+
+ a1.set(a, 0);
+ for (let i = 0; i < blindingFactors.length; i++) {
+ a1.set(
+ Fr.add(
+ a1.slice((domainSize + i) * Fr.n8, (domainSize + i + 1) * Fr.n8),
+ blindingFactors[i]
+ ),
+ (domainSize + i) * Fr.n8
+ );
+ a1.set(
+ Fr.sub(
+ a1.slice(i * Fr.n8, (i + 1) * Fr.n8),
+ blindingFactors[i]
+ ),
+ i * Fr.n8
+ );
}
- toInverse["zh"] = Fr.sub(xiN, Fr.one);
- // · denominator needed in step 10 and 11 of the verifier
- // toInverse.denH1 & toInverse.denH2 -> Computed in round5, computeL()
+ return [a1, A4];
+ }
- // · denominator needed in the verifier when computing L_i^{S0}(X), L_i^{S1}(X) and L_i^{S2}(X)
- for (let i = 0; i < 8; i++) {
- toInverse["LiS0_" + (i + 1)] = computeLiS0(i);
+ length() {
+ let length = this.coef.byteLength / this.Fr.n8;
+ if (length !== Math.floor(this.coef.byteLength / this.Fr.n8)) {
+ throw new Error("Polynomial coefficients buffer has incorrect size");
+ }
+ if (0 === length) {
+ if (this.logger) {
+ this.logger.warn("Polynomial has length zero");
+ }
}
+ return length;
+ }
- for (let i = 0; i < 4; i++) {
- toInverse["LiS1_" + (i + 1)] = computeLiS1(i);
+ degree() {
+ for (let i = this.length() - 1; i > 0; i--) {
+ const i_n8 = i * this.Fr.n8;
+ if (!this.Fr.eq(this.Fr.zero, this.coef.slice(i_n8, i_n8 + this.Fr.n8))) {
+ return i;
+ }
}
- for (let i = 0; i < 6; i++) {
- toInverse["LiS2_" + (i + 1)] = computeLiS2(i);
+ return 0;
+ }
+
+ evaluate(point) {
+ let res = this.Fr.zero;
+
+ for (let i = this.degree() + 1; i > 0; i--) {
+ let i_n8 = i * this.Fr.n8;
+ const currentCoefficient = this.coef.slice(i_n8 - this.Fr.n8, i_n8);
+ res = this.Fr.add(currentCoefficient, this.Fr.mul(res, point));
}
- // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
- const size = Math.max(1, zkey.nPublic);
+ return res;
+ }
- let w = Fr.one;
- for (let i = 0; i < size; i++) {
- toInverse["Li_" + (i + 1)] = Fr.mul(Fr.e(zkey.domainSize), Fr.sub(challenges.xi, w));
+ fastEvaluate(point) {
+ const Fr = this.Fr;
+ let nThreads = 3;
- w = Fr.mul(w, zkey.w);
- }
+ let nCoefs = this.degree() + 1;
+ let coefsThread = parseInt(nCoefs / nThreads);
+ let residualCoefs = nCoefs - coefsThread * nThreads;
- let mulAccumulator = Fr.one;
- for (const element of Object.values(toInverse)) {
- mulAccumulator = Fr.mul(mulAccumulator, element);
- }
- return Fr.inv(mulAccumulator);
+ let res = [];
+ let xN = [];
- function computeLiS0(i) {
- // Compute L_i^{(S0)}(y)
- let idx = i;
- let den = Fr.one;
- for (let j = 0; j < 7; j++) {
- idx = (idx + 1) % 8;
+ xN[0] = Fr.one;
- den = Fr.mul(den, Fr.sub(roots.S0.h0w8[i], roots.S0.h0w8[idx]));
- }
- return den;
- }
+ for (let i = 0; i < nThreads; i++) {
+ res[i] = Fr.zero;
- function computeLiS1(i) {
- // Compute L_i^{(S1)}(y)
- let idx = i;
- let den = Fr.one;
- for (let j = 0; j < 3; j++) {
- idx = (idx + 1) % 4;
+ let nCoefs = i === (nThreads - 1) ? coefsThread + residualCoefs : coefsThread;
+ for (let j = nCoefs; j > 0; j--) {
+ res[i] = Fr.add(this.getCoef((i * coefsThread) + j - 1), Fr.mul(res[i], point));
- den = Fr.mul(den, Fr.sub(roots.S1.h1w4[i], roots.S1.h1w4[idx]));
+ if (i === 0) xN[0] = Fr.mul(xN[0], point);
}
- return den;
}
- function computeLiS2(i) {
- // Compute L_i^{(S1)}(y)
- let idx = i;
- let den = Fr.one;
- for (let j = 0; j < 5; j++) {
- idx = (idx + 1) % 6;
-
- const root1 = i < 3 ? roots.S2.h2w3[i] : roots.S2.h3w3[i - 3];
- const root2 = idx < 3 ? roots.S2.h2w3[idx] : roots.S2.h3w3[idx - 3];
- den = Fr.mul(den, Fr.sub(root1, root2));
- }
- return den;
+ for (let i = 1; i < nThreads; i++) {
+ res[0] = Fr.add(res[0], Fr.mul(xN[i - 1], res[i]));
+ xN[i] = Fr.mul(xN[i - 1], xN[0]);
}
+
+ return res[0];
}
-}
-/*
- This file is part of snarkjs.
+ add(polynomial, blindingValue) {
+ let other = false;
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ if (polynomial.length() > this.length()) {
+ other = true;
+ }
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ const thisLength = this.length();
+ const polyLength = polynomial.length();
+ for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
+ const i_n8 = i * this.Fr.n8;
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+ let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
-const {stringifyBigInts: stringifyBigInts$5} = ffjavascript.utils;
+ if (blindingValue !== undefined) {
+ b = this.Fr.mul(b, blindingValue);
+ }
+ if (other) {
+ polynomial.coef.set(this.Fr.add(a, b), i_n8);
+ } else {
+ this.coef.set(this.Fr.add(a, b), i_n8);
+ }
+ }
+ if (other) {
+ delete this.coef;
+ this.coef = polynomial.coef;
+ }
+ }
-async function fflonkProveCmd(zkeyFilename, witnessFilename, publicInputsFilename, proofFilename, logger) {
- const {proof, publicSignals} = await fflonkProve$1(zkeyFilename, witnessFilename, logger);
+ sub(polynomial, blindingValue) {
+ let other = false;
- await bfj__default["default"].write(proofFilename, stringifyBigInts$5(proof), {space: 1});
- await bfj__default["default"].write(publicInputsFilename, stringifyBigInts$5(publicSignals), {space: 1});
+ if (polynomial.length() > this.length()) {
+ other = true;
+ }
- return 0;
-}
+ const thisLength = this.length();
+ const polyLength = polynomial.length();
+ for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
+ const i_n8 = i * this.Fr.n8;
-/*
- Copyright 2018 0KIMS association.
+ const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+ let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
- This file is part of snarkJS.
+ if (blindingValue !== undefined) {
+ b = this.Fr.mul(b, blindingValue);
+ }
+ if (other) {
+ polynomial.coef.set(this.Fr.sub(a, b), i_n8);
+ } else {
+ this.coef.set(this.Fr.sub(a, b), i_n8);
+ }
+ }
+ if (other) {
+ delete this.coef;
+ this.coef = polynomial.coef;
+ }
+ }
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ mulScalar(value) {
+ for (let i = 0; i < this.length(); i++) {
+ const i_n8 = i * this.Fr.n8;
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ this.coef.set(this.Fr.mul(this.coef.slice(i_n8, i_n8 + this.Fr.n8), value), i_n8);
+ }
+ }
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
-const { unstringifyBigInts: unstringifyBigInts$b} = ffjavascript.utils;
+ addScalar(value) {
+ const currentValue = 0 === this.length() ? this.Fr.zero : this.coef.slice(0, this.Fr.n8);
+ this.coef.set(this.Fr.add(currentValue, value), 0);
+ }
-async function wtnsCalculate$1(_input, wasmFileName, wtnsFileName, options) {
- const input = unstringifyBigInts$b(_input);
+ subScalar(value) {
+ const currentValue = 0 === this.length() ? this.Fr.zero : this.coef.slice(0, this.Fr.n8);
+ this.coef.set(this.Fr.sub(currentValue, value), 0);
+ }
- const fdWasm = await fastFile__namespace.readExisting(wasmFileName);
- const wasm = await fdWasm.read(fdWasm.totalSize);
- await fdWasm.close();
+ // Multiply current polynomial by the polynomial (X - value)
+ byXSubValue(value) {
+ const Fr = this.Fr;
+ const resize = !Fr.eq(Fr.zero, this.getCoef(this.length() - 1));
- const wc = await circom_runtime.WitnessCalculatorBuilder(wasm);
- if (wc.circom_version() == 1) {
- const w = await wc.calculateBinWitness(input);
+ const length = resize ? this.length() + 1 : this.length();
+ const buff = length > 2 << 14 ? new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ let pol = new Polynomial(buff, this.curve, this.logger);
- const fdWtns = await binFileUtils__namespace.createBinFile(wtnsFileName, "wtns", 2, 2);
+ // Step 0: Set current coefficients to the new buffer shifted one position
+ pol.coef.set(this.coef.slice(0, (length - 1) * Fr.n8), 32);
- await writeBin(fdWtns, w, wc.prime);
- await fdWtns.close();
- } else {
- const fdWtns = await fastFile__namespace.createOverride(wtnsFileName);
+ // Step 1: multiply each coefficient by (-value)
+ this.mulScalar(Fr.neg(value));
- const w = await wc.calculateWTNSBin(input);
+ // Step 2: Add current polynomial to destination polynomial
+ pol.add(this);
- await fdWtns.write(w);
- await fdWtns.close();
+ // Swap buffers
+ this.coef = pol.coef;
}
-}
-
-/*
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ // Multiply current polynomial by the polynomial (X^n + value)
+ byXNSubValue(n, value) {
+ const Fr = this.Fr;
+ const resize = !(this.length() - n - 1 >= this.degree());
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-const {unstringifyBigInts: unstringifyBigInts$a, stringifyBigInts: stringifyBigInts$4} = ffjavascript.utils;
+ const length = resize ? this.length() + n : this.length();
+ const buff = length > 2 << 14 ? new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ let pol = new Polynomial(buff, this.curve, this.logger);
+ // Step 0: Set current coefficients to the new buffer shifted one position
+ pol.coef.set(this.coef.slice(0, (this.degree() + 1) * 32, ), n * 32);
-async function fflonkFullProveCmd(zkeyFilename, witnessInputsFilename, wasmFilename, publicInputsFilename, proofFilename, logger) {
- let input = JSON.parse(await fs__default["default"].promises.readFile(witnessInputsFilename, "utf8"));
- input = unstringifyBigInts$a(input);
+ // Step 1: multiply each coefficient by (- value)
+ this.mulScalar(value);
- const wtns= {type: "mem"};
+ // Step 2: Add current polynomial to destination polynomial
+ pol.add(this);
- // Compute the witness
- await wtnsCalculate$1(input, wasmFilename, wtns);
+ // Swap buffers
+ this.coef = pol.coef;
+ }
- // Compute the proof
- const {proof, publicSignals} = await fflonkProve$1(zkeyFilename, wtns, logger);
+ // Euclidean division
+ divBy(polynomial) {
+ const Fr = this.Fr;
+ const degreeA = this.degree();
+ const degreeB = polynomial.degree();
- // Write the proof and the publig signals in each file
- await bfj__default["default"].write(proofFilename, stringifyBigInts$4(proof), {space: 1});
- await bfj__default["default"].write(publicInputsFilename, stringifyBigInts$4(publicSignals), {space: 1});
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
- return 0;
-}
+ this.coef = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
-/*
- Copyright 2022 iden3 association.
+ for (let i = degreeA - degreeB; i >= 0; i--) {
+ this.setCoef(i, Fr.div(polR.getCoef(i + degreeB), polynomial.getCoef(degreeB)));
+ for (let j = 0; j <= degreeB; j++) {
+ polR.setCoef(i + j, Fr.sub(polR.getCoef(i + j), Fr.mul(this.getCoef(i), polynomial.getCoef(j))));
+ }
+ }
- This file is part of snarkjs.
+ return polR;
+ }
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ // Division by a Polynomial of the form (x^m - beta)
+ divByMonic(m, beta) {
+ const Fr = this.Fr;
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ let d = this.degree();
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ let buffer = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+ let quotient = new Polynomial(buffer, this.curve, this.logger);
-const { unstringifyBigInts: unstringifyBigInts$9 } = ffjavascript.utils;
+ let bArr = [];
-async function fflonkVerify$1(_vk_verifier, _publicSignals, _proof, logger) {
- if (logger) logger.info("FFLONK VERIFIER STARTED");
+ // Add the m leading coefficients of this to quotient
+ for (let i = 0; i < m; i++) {
+ quotient.setCoef((d - i) - m, this.getCoef(d - i));
+ bArr[i] = this.getCoef(d - i);
+ }
- _vk_verifier = unstringifyBigInts$9(_vk_verifier);
- _proof = unstringifyBigInts$9(_proof);
+ let nThreads = m;
+ for (let k = 0; k < nThreads; k++) {
+ for (let i = d - 2 * m - k; i >= 0; i = i - nThreads) {
+ if (i < 0) break;
+ let idx = k;
+ bArr[idx] = Fr.add(this.getCoef(i + m), Fr.mul(bArr[idx], beta));
- const curve = await getCurveFromName(_vk_verifier.curve);
+ quotient.setCoef(i, bArr[idx]);
+ }
+ }
- const vk = fromObjectVk$1(curve, _vk_verifier);
+ this.coef = quotient.coef;
+ }
- // TODO ??? Compute wr^3 and check if it matches with w
+ divByVanishing(n, beta) {
+ if (this.degree() < n) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
- const proof = new Proof(curve, logger);
- proof.fromObjectProof(_proof);
+ const Fr = this.Fr;
- const publicSignals = unstringifyBigInts$9(_publicSignals);
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
- if (publicSignals.length !== vk.nPublic) {
- logger.error("Number of public signals does not match with vk");
- return false;
- }
+ this.coef = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
- const Fr = curve.Fr;
+ for (let i = this.length() - 1; i >= n; i--) {
+ let leadingCoef = polR.getCoef(i);
+ if (Fr.eq(Fr.zero, leadingCoef)) continue;
- if (logger) {
- logger.info("----------------------------");
- logger.info(" FFLONK VERIFY SETTINGS");
- logger.info(` Curve: ${curve.name}`);
- logger.info(` Circuit power: ${vk.power}`);
- logger.info(` Domain size: ${2 ** vk.power}`);
- logger.info(` Public vars: ${vk.nPublic}`);
- logger.info("----------------------------");
- }
+ polR.setCoef(i, Fr.zero);
+ polR.setCoef(i - n, Fr.add(polR.getCoef(i - n), Fr.mul(beta, leadingCoef)));
+ this.setCoef(i - n, Fr.add(this.getCoef(i - n), leadingCoef));
+ }
- // STEP 1 - Validate that all polynomial commitments ∈ G_1
- if (logger) logger.info("> Checking commitments belong to G1");
- if (!commitmentsBelongToG1(curve, proof, vk)) {
- logger.error("Proof is not well constructed");
- return false;
+ return polR;
}
- // TODO
- // STEP 2 - Validate that all evaluations ∈ F
+ divByVanishing2(m, beta) {
+ if (this.degree() < m) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
- // TODO
- // STEP 3 - Validate that w_i ∈ F for i ∈ [l]
+ const Fr = this.Fr;
- // STEP 4 - Compute the challenges: beta, gamma, xi, alpha and y ∈ F
- // as in prover description, from the common preprocessed inputs, public inputs and elements of π_SNARK
- if (logger) logger.info("> Computing challenges");
- const { challenges, roots } = computeChallenges(curve, proof, vk, publicSignals, logger);
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
- // STEP 5 - Compute the zero polynomial evaluation Z_H(xi) = xi^n - 1
- if (logger) logger.info("> Computing Zero polynomial evaluation Z_H(xi)");
- challenges.zh = Fr.sub(challenges.xiN, Fr.one);
- challenges.invzh = Fr.inv(challenges.zh);
+ this.coef = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
- // STEP 6 - Compute the lagrange polynomial evaluation L_1(xi)
- if (logger) logger.info("> Computing Lagrange evaluations");
- const lagrangeEvals = await computeLagrangeEvaluations(curve, challenges, vk);
+ let nThreads = 3;
+ let nTotal = this.length() - m;
+ let nElementsChunk = Math.floor(nTotal / nThreads);
+ let nElementsLast = nTotal - (nThreads - 1) * nElementsChunk;
- // STEP 7 - Compute public input evaluation PI(xi)
- if (logger) logger.info("> Computing polynomial identities PI(X)");
- const pi = calculatePI(curve, publicSignals, lagrangeEvals);
+ console.log(nTotal);
+ console.log(nElementsChunk + " " + nElementsLast);
+ for (let k = 0; k < nThreads; k++) {
+ console.log("> Thread " + k);
+ for (let i = (k === 0 ? nElementsLast : nElementsChunk); i > 0; i--) {
+ let idxDst = i - 1;
+ if (k !== 0) idxDst += (k - 1) * nElementsChunk + nElementsLast;
+ let idxSrc = idxDst + m;
- // STEP 8 - Compute polynomial r0 ∈ F_{<4}[X]
- if (logger) logger.info("> Computing r0(y)");
- const r0 = computeR0(proof, challenges, roots, pi, curve, logger);
+ let leadingCoef = polR.getCoef(idxSrc);
+ if (Fr.eq(Fr.zero, leadingCoef)) continue;
- // STEP 9 - Compute polynomial r1 ∈ F_{<4}[X]
- if (logger) logger.info("> Computing r1(y)");
- const r1 = computeR1(proof, challenges, roots, pi, curve, logger);
+ polR.setCoef(idxSrc, Fr.zero);
+ polR.setCoef(idxDst, Fr.add(polR.getCoef(idxDst), Fr.mul(beta, leadingCoef)));
+ this.setCoef(idxDst, Fr.add(this.getCoef(idxDst), leadingCoef));
+ console.log(idxDst + " <-- " + idxSrc);
+ }
+ }
- // STEP 9 - Compute polynomial r2 ∈ F_{<6}[X]
- if (logger) logger.info("> Computing r2(y)");
- const r2 = computeR2(proof, challenges, roots, lagrangeEvals[1], vk, curve, logger);
+ this.print();
+ return polR;
+ }
- if (logger) logger.info("> Computing F");
- const F = computeF(curve, proof, vk, challenges, roots);
+ fastDivByVanishing(data) {
+ const Fr = this.Fr;
- if (logger) logger.info("> Computing E");
- const E = computeE(curve, proof, challenges, vk, r0, r1, r2);
+ for (let i = 0; i < data.length; i++) {
- if (logger) logger.info("> Computing J");
- const J = computeJ(curve, proof, challenges);
+ let m = data[i][0];
+ let beta = data[i][1];
- if (logger) logger.info("> Validate all evaluations with a pairing");
- const res = await isValidPairing$1(curve, proof, challenges, vk, F, E, J);
+ if (this.degree() < m) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
- if (logger) {
- if (res) {
- logger.info("PROOF VERIFIED SUCCESSFULLY");
- } else {
- logger.warn("Invalid Proof");
- }
- }
+ let nThreads = 5;
+ let nElements = this.length() - m;
+ let nElementsBucket = Math.floor(nElements / nThreads / m);
+ let nElementsChunk = nElementsBucket * m;
+ let nElementsLast = nElements - nThreads * nElementsChunk;
- if (logger) logger.info("FFLONK VERIFIER FINISHED");
+ //In C++ implementation this buffer will be allocated only once outside the loop
+ let polTmp = new Polynomial(this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8), this.curve, this.logger);
- return res;
+ let ptr = this.coef;
+ this.coef = polTmp.coef;
+ polTmp.coef = ptr;
-}
+ // STEP 1: Setejar els m valors del següent bucket al chunk actual, PARALEL·LITZAR
+ for (let k = 0; k < nThreads; k++) {
+ let idx0 = (k + 1) * nElementsChunk + nElementsLast;
+ for (let i = 0; i < m; i++) {
+ this.setCoef(idx0 + i - m, polTmp.getCoef(idx0 + i));
+ }
-function fromObjectVk$1(curve, vk) {
- const res = vk;
- res.k1 = curve.Fr.fromObject(vk.k1);
- res.k2 = curve.Fr.fromObject(vk.k2);
- res.w = curve.Fr.fromObject(vk.w);
- // res.wW = curve.Fr.fromObject(vk.wW);
- res.w3 = curve.Fr.fromObject(vk.w3);
- res.w4 = curve.Fr.fromObject(vk.w4);
- res.w8 = curve.Fr.fromObject(vk.w8);
- res.wr = curve.Fr.fromObject(vk.wr);
- res.X_2 = curve.G2.fromObject(vk.X_2);
- res.C0 = curve.G1.fromObject(vk.C0);
- return res;
-}
+ for (let i = 0; i < nElementsChunk - m; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
+ this.setCoef(offset - m, val);
+ }
+ }
-function commitmentsBelongToG1(curve, proof, vk) {
- const G1 = curve.G1;
- return G1.isValid(proof.polynomials.C1)
- && G1.isValid(proof.polynomials.C2)
- && G1.isValid(proof.polynomials.W1)
- && G1.isValid(proof.polynomials.W2)
- && G1.isValid(vk.C0);
-}
+ //STEP 2: Setejar els valors del elements last NO PARAL·LELITZAR
+ let idx0 = nElementsLast;
+ let pending = nElementsLast;
+ for (let i = 0; i < m && pending; i++) {
+ this.setCoef(idx0 - i - 1, polTmp.getCoef(idx0 + m - i - 1));
+ pending--;
+ }
-function computeChallenges(curve, proof, vk, publicSignals, logger) {
- const Fr = curve.Fr;
+ for (let i = 0; i < pending; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
+ this.setCoef(offset - m, val);
+ }
- const challenges = {};
- const roots = {};
- const transcript = new Keccak256Transcript(curve);
+ //Step 3: calcular acumulats NO PARALEL·LITZAR
- // Add C0 to the transcript
- transcript.addPolCommitment(vk.C0);
+ let acc = [];
+ let betaPow = Fr.one;
+ for (let i = 0; i < nElementsBucket; i++) {
+ betaPow = Fr.mul(betaPow, beta);
+ }
+ let currentBeta = Fr.one;
- for (let i = 0; i < publicSignals.length; i++) {
- transcript.addScalar(Fr.e(publicSignals[i]));
- }
+ for (let k = nThreads; k > 0; k--) {
+ let idThread = k - 1;
+ let idx0 = idThread * nElementsChunk + nElementsLast;
+ acc[idThread] = [];
- transcript.addPolCommitment(proof.polynomials.C1);
- challenges.beta = transcript.getChallenge();
- transcript.reset();
+ for (let i = 0; i < m; i++) {
+ acc[idThread][i] = this.getCoef(idx0 + i);
- transcript.addScalar(challenges.beta);
- challenges.gamma = transcript.getChallenge();
+ if (k !== nThreads) {
+ acc[idThread][i] = Fr.add(acc[idThread][i], Fr.mul(betaPow, acc[idThread + 1][i]));
+ }
+ }
+ currentBeta = Fr.mul(currentBeta, betaPow);
+ }
- transcript.reset();
- transcript.addScalar(challenges.gamma);
- transcript.addPolCommitment(proof.polynomials.C2);
- const xiSeed = transcript.getChallenge();
- const xiSeed2 = Fr.square(xiSeed);
+ //STEP 4 recalcular PARALEL·LITZAR
+ for (let k = 0; k < nThreads; k++) {
- let w8 = [];
- w8[1] = vk.w8;
- w8[2] = Fr.square(vk.w8);
- w8[3] = Fr.mul(w8[2], vk.w8);
- w8[4] = Fr.mul(w8[3], vk.w8);
- w8[5] = Fr.mul(w8[4], vk.w8);
- w8[6] = Fr.mul(w8[5], vk.w8);
- w8[7] = Fr.mul(w8[6], vk.w8);
- let w4 = [];
- w4[1] = vk.w4;
- w4[2] = Fr.square(vk.w4);
- w4[3] = Fr.mul(w4[2], vk.w4);
- let w3 = [];
- w3[1] = vk.w3;
- w3[2] = Fr.square(vk.w3);
+ let idx0 = k * nElementsChunk + nElementsLast;
+ let currentBeta = beta; //Quan hopassem a C++ i ho paralelitzem aquesta variable ha de ser privada
+ let currentM = m - 1;
- // const w4_2 = Fr.square(vk.w4);
- // const w4_3 = Fr.mul(w4_2, vk.w4);
- // const w3_2 = Fr.square(vk.w3);
+ let limit = k === 0 ? nElementsLast : nElementsChunk;
+ for (let i = 0; i < limit; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(this.getCoef(offset), Fr.mul(currentBeta, acc[k][currentM]));
- // Compute h0 = xiSeeder^3
- roots.S0 = {};
- roots.S0.h0w8 = [];
- roots.S0.h0w8[0] = Fr.mul(xiSeed2, xiSeed);
- for (let i = 1; i < 8; i++) {
- roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], w8[i]);
- }
+ this.setCoef(offset, val);
- // Compute h1 = xi_seeder^6
- roots.S1 = {};
- roots.S1.h1w4 = [];
- roots.S1.h1w4[0] = Fr.square(roots.S0.h0w8[0]);
- for (let i = 1; i < 4; i++) {
- roots.S1.h1w4[i] = Fr.mul(roots.S1.h1w4[0], w4[i]);
+ // To avoid modular operations in each loop...
+ if (currentM === 0) {
+ currentM = m - 1;
+ currentBeta = Fr.mul(currentBeta, beta);
+ } else {
+ currentM--;
+ }
+ }
+ }
+ }
}
- // Compute h2 = xi_seeder^8
- roots.S2 = {};
- roots.S2.h2w3 = [];
- roots.S2.h2w3[0] = Fr.mul(roots.S1.h1w4[0], xiSeed2);
- roots.S2.h2w3[1] = Fr.mul(roots.S2.h2w3[0], w3[1]);
- roots.S2.h2w3[2] = Fr.mul(roots.S2.h2w3[0], w3[2]);
- roots.S2.h3w3 = [];
- // Multiply h3 by third-root-omega to obtain h_3^3 = xiω
- // So, h3 = xi_seeder^8 ω^{1/3}
- roots.S2.h3w3[0] = Fr.mul(roots.S2.h2w3[0], vk.wr);
- roots.S2.h3w3[1] = Fr.mul(roots.S2.h3w3[0], w3[1]);
- roots.S2.h3w3[2] = Fr.mul(roots.S2.h3w3[0], w3[2]);
+ // Divide polynomial by X - value
+ divByXSubValue(value) {
+ const coefs = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * this.Fr.n8) : new Uint8Array(this.length() * this.Fr.n8);
- // Compute xi = xi_seeder^12
- challenges.xi = Fr.mul(Fr.square(roots.S2.h2w3[0]), roots.S2.h2w3[0]);
+ coefs.set(this.Fr.zero, (this.length() - 1) * this.Fr.n8);
+ coefs.set(this.coef.slice((this.length() - 1) * this.Fr.n8, this.length() * this.Fr.n8), (this.length() - 2) * this.Fr.n8);
+ for (let i = this.length() - 3; i >= 0; i--) {
+ let i_n8 = i * this.Fr.n8;
+ coefs.set(
+ this.Fr.add(
+ this.coef.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8),
+ this.Fr.mul(value, coefs.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8))
+ ),
+ i * this.Fr.n8
+ );
+ }
+ if (!this.Fr.eq(
+ this.coef.slice(0, this.Fr.n8),
+ this.Fr.mul(this.Fr.neg(value), coefs.slice(0, this.Fr.n8))
+ )) {
+ throw new Error("Polynomial does not divide");
+ }
- challenges.xiN = challenges.xi;
- vk.domainSize = 1;
- for (let i = 0; i < vk.power; i++) {
- challenges.xiN = Fr.square(challenges.xiN);
- vk.domainSize *= 2;
+ this.coef = coefs;
}
- transcript.reset();
- transcript.addScalar(xiSeed);
- transcript.addScalar(proof.evaluations.ql);
- transcript.addScalar(proof.evaluations.qr);
- transcript.addScalar(proof.evaluations.qm);
- transcript.addScalar(proof.evaluations.qo);
- transcript.addScalar(proof.evaluations.qc);
- transcript.addScalar(proof.evaluations.s1);
- transcript.addScalar(proof.evaluations.s2);
- transcript.addScalar(proof.evaluations.s3);
- transcript.addScalar(proof.evaluations.a);
- transcript.addScalar(proof.evaluations.b);
- transcript.addScalar(proof.evaluations.c);
- transcript.addScalar(proof.evaluations.z);
- transcript.addScalar(proof.evaluations.zw);
- transcript.addScalar(proof.evaluations.t1w);
- transcript.addScalar(proof.evaluations.t2w);
- challenges.alpha = transcript.getChallenge();
+ divZh(domainSize, extensions = 4) {
+ for (let i = 0; i < domainSize; i++) {
+ const i_n8 = i * this.Fr.n8;
+ this.coef.set(this.Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8)), i_n8);
+ }
- transcript.reset();
- transcript.addScalar(challenges.alpha);
- transcript.addPolCommitment(proof.polynomials.W1);
- challenges.y = transcript.getChallenge();
+ for (let i = domainSize; i < domainSize * extensions; i++) {
+ const i_n8 = i * this.Fr.n8;
- if (logger) {
- logger.info("··· challenges.beta: " + Fr.toString(challenges.beta));
- logger.info("··· challenges.gamma: " + Fr.toString(challenges.gamma));
- logger.info("··· challenges.xi: " + Fr.toString(challenges.xi));
- logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
- logger.info("··· challenges.y: " + Fr.toString(challenges.y));
+ const a = this.Fr.sub(
+ this.coef.slice((i - domainSize) * this.Fr.n8, (i - domainSize) * this.Fr.n8 + this.Fr.n8),
+ this.coef.slice(i_n8, i_n8 + this.Fr.n8)
+ );
+ this.coef.set(a, i_n8);
+ if (i > (domainSize * (extensions-1) - extensions)) {
+ if (!this.Fr.isZero(a)) {
+ throw new Error("Polynomial is not divisible");
+ }
+ }
+ }
+
+ return this;
}
- return { challenges: challenges, roots: roots };
-}
+ divByZerofier(n, beta) {
+ let Fr = this.Fr;
+ const invBeta = Fr.inv(beta);
+ const invBetaNeg = Fr.neg(invBeta);
-async function computeLagrangeEvaluations(curve, challenges, vk) {
- const Fr = curve.Fr;
+ let isOne = Fr.eq(Fr.one, invBetaNeg);
+ let isNegOne = Fr.eq(Fr.negone, invBetaNeg);
- const size = Math.max(1, vk.nPublic);
- const numArr = new ffjavascript.BigBuffer(size * Fr.n8);
- let denArr = new ffjavascript.BigBuffer(size * Fr.n8);
+ if (!isOne) {
+ for (let i = 0; i < n; i++) {
+ const i_n8 = i * this.Fr.n8;
+ let element;
- let w = Fr.one;
- for (let i = 0; i < size; i++) {
- const i_sFr = i * Fr.n8;
- numArr.set(Fr.mul(w, challenges.zh), i_sFr);
- denArr.set(Fr.mul(Fr.e(vk.domainSize), Fr.sub(challenges.xi, w)), i_sFr);
- w = Fr.mul(w, vk.w);
- }
+ // If invBetaNeg === -1 we'll save a multiplication changing it by a neg function call
+ if (isNegOne) {
+ element = Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8));
+ } else {
+ element = Fr.mul(invBetaNeg, this.coef.slice(i_n8, i_n8 + this.Fr.n8));
+ }
- denArr = await Fr.batchInverse(denArr);
+ this.coef.set(element, i_n8);
+ }
+ }
- let L = [];
- for (let i = 0; i < size; i++) {
- const i_sFr = i * Fr.n8;
- L[i + 1] = Fr.mul(numArr.slice(i_sFr, i_sFr + Fr.n8), denArr.slice(i_sFr, i_sFr + Fr.n8));
- }
- return L;
-}
+ isOne = Fr.eq(Fr.one, invBeta);
+ isNegOne = Fr.eq(Fr.negone, invBeta);
-function calculatePI(curve, publicSignals, lagrangeEvals) {
- const Fr = curve.Fr;
+ for (let i = n; i < this.length(); i++) {
+ const i_n8 = i * this.Fr.n8;
+ const i_prev_n8 = (i - n) * this.Fr.n8;
- let pi = Fr.zero;
- for (let i = 0; i < publicSignals.length; i++) {
- const w = Fr.e(publicSignals[i]);
- pi = Fr.sub(pi, Fr.mul(w, lagrangeEvals[i + 1]));
- }
- return pi;
-}
+ let element = this.Fr.sub(
+ this.coef.slice(i_prev_n8, i_prev_n8 + this.Fr.n8),
+ this.coef.slice(i_n8, i_n8 + this.Fr.n8)
+ );
-function computeR0(proof, challenges, roots, pi, curve, logger) {
- const Fr = curve.Fr;
+ // If invBeta === 1 we'll not do anything
+ if(!isOne) {
+ // If invBeta === -1 we'll save a multiplication changing it by a neg function call
+ if(isNegOne) {
+ element = Fr.neg(element);
+ } else {
+ element = Fr.mul(invBeta, element);
+ }
+ }
- // r0(y) = ∑_1^8 C_0(h_0 ω_8^{i-1}) L_i(y). To this end we need to compute
+ this.coef.set(element, i_n8);
- // Compute the 8 C0 values
- if (logger) logger.info("··· Computing C0(h_0ω_8^i) values");
+ // Check if polynomial is divisible by checking if n high coefficients are zero
+ if (i > this.length() - n - 1) {
+ if (!this.Fr.isZero(element)) {
+ throw new Error("Polynomial is not divisible");
+ }
+ }
+ }
+
+ return this;
+ }
+
+// function divideByVanishing(f, n, p) {
+// // polynomial division f(X) / (X^n - 1) with remainder
+// // very cheap, 0 multiplications
+// // strategy:
+// // start with q(X) = 0, r(X) = f(X)
+// // then start changing q, r while preserving the identity:
+// // f(X) = q(X) * (X^n - 1) + r(X)
+// // in every step, move highest-degree term of r into the product
+// // => r eventually has degree < n and we're done
+// let q = Array(f.length).fill(0n);
+// let r = [...f];
+// for (let i = f.length - 1; i >= n; i--) {
+// let leadingCoeff = r[i];
+// if (leadingCoeff === 0n) continue;
+// r[i] = 0n;
+// r[i - n] = mod(r[i - n] + leadingCoeff, p);
+// q[i - n] = mod(q[i - n] + leadingCoeff, p);
+// }
+// return [q, r];
+// }
- let c0Values = [];
- for (let i = 0; i < 8; i++) {
- let coefValues = [];
- coefValues[1] = roots.S0.h0w8[i];
- for (let j = 2; j < 8; j++) {
- coefValues[j] = Fr.mul(coefValues[j - 1], roots.S0.h0w8[i]);
- }
+ byX() {
+ const coefs = (this.length() + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.coef.byteLength + this.Fr.n8) : new Uint8Array(this.coef.byteLength + this.Fr.n8);
+ coefs.set(this.Fr.zero, 0);
+ coefs.set(this.coef, this.Fr.n8);
- c0Values[i] = Fr.add(proof.evaluations.ql, Fr.mul(proof.evaluations.qr, coefValues[1]));
- c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.qo, coefValues[2]));
- c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.qm, coefValues[3]));
- c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.qc, coefValues[4]));
- c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.s1, coefValues[5]));
- c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.s2, coefValues[6]));
- c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.s3, coefValues[7]));
+ this.coef = coefs;
}
- // Interpolate a polynomial with the points computed previously
- const R0 = Polynomial.lagrangePolynomialInterpolation(
- [roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
- roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7]],
- c0Values, curve);
-
- // Check the degree of r1(X) < 4
- if (R0.degree() > 7) {
- throw new Error("R0 Polynomial is not well calculated");
- }
+// Compute a new polynomial f(x^n) from f(x)
+// f(x) = a_0 + a_1·x + a_2·x^2 + ... + a_j·x^j
+// f(x^n) = a_0 + a_1·x^n + a_2·x^2n + ... + a_j·x^jn
+ static
+ async expX(polynomial, n, truncate = false) {
+ const Fr = polynomial.Fr;
- // Evaluate the polynomial in challenges.y
- if (logger) logger.info("··· Computing evaluation r0(y)");
- return R0.evaluate(challenges.y);
-}
+ if (n < 1) {
+ // n == 0 not allowed because it has no sense, but if it's necessary we have to return
+ // a zero degree polynomial with a constant coefficient equals to the sum of all the original coefficients
+ throw new Error("Compute a new polynomial to a zero or negative number is not allowed");
+ } else if (1 === n) {
+ return await Polynomial.fromEvaluations(polynomial.coef, curve, polynomial.logger);
+ }
-function computeR1(proof, challenges, roots, pi, curve, logger) {
- const Fr = curve.Fr;
+ // length is the length of non-constant coefficients
+ // if truncate === true, the highest zero coefficients (if exist) will be removed
+ const length = truncate ? polynomial.degree() : (polynomial.length() - 1);
+ const bufferDst = (length * n + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer((length * n + 1) * Fr.n8) : new Uint8Array((length * n + 1) * Fr.n8);
- // r1(y) = ∑_1^4 C_1(h_1 ω_4^{i-1}) L_i(y). To this end we need to compute
- // Z1 = {C1(h_1}, C1(h_1 ω_4), C1(h_1 ω_4^2), C1(h_1 ω_4^3)}
- // where C_1(h_1 ω_4^{i-1}) = eval.a + h_1 ω_4^i eval.b + (h_1 ω_4^i)^2 eval.c + (h_1 ω_4^i)^3 T0(xi),
- // where T0(xi) = [ qL·a + qR·b + qM·a·b + qO·c + qC + PI(xi) ] / Z_H(xi)
+ // Copy constant coefficient as is because is not related to x
+ bufferDst.set(polynomial.getCoef(0), 0);
- // Compute T0(xi)
- if (logger) logger.info("··· Computing T0(xi)");
- let t0 = Fr.mul(proof.evaluations.ql, proof.evaluations.a);
- t0 = Fr.add(t0, Fr.mul(proof.evaluations.qr, proof.evaluations.b));
- t0 = Fr.add(t0, Fr.mul(proof.evaluations.qm, Fr.mul(proof.evaluations.a, proof.evaluations.b)));
- t0 = Fr.add(t0, Fr.mul(proof.evaluations.qo, proof.evaluations.c));
- t0 = Fr.add(t0, proof.evaluations.qc);
- t0 = Fr.add(t0, pi);
- t0 = Fr.mul(t0, challenges.invzh);
+ for (let i = 1; i <= length; i++) {
+ const i_sFr = i * Fr.n8;
- // Compute the 4 C1 values
- if (logger) logger.info("··· Computing C1(h_1ω_4^i) values");
+ const coef = polynomial.getCoef(i);
+ bufferDst.set(coef, i_sFr * n);
+ }
- let c1Values = [];
- for (let i = 0; i < 4; i++) {
- c1Values[i] = proof.evaluations.a;
- c1Values[i] = Fr.add(c1Values[i], Fr.mul(roots.S1.h1w4[i], proof.evaluations.b));
- const h1w4Squared = Fr.square(roots.S1.h1w4[i]);
- c1Values[i] = Fr.add(c1Values[i], Fr.mul(h1w4Squared, proof.evaluations.c));
- c1Values[i] = Fr.add(c1Values[i], Fr.mul(Fr.mul(h1w4Squared, roots.S1.h1w4[i]), t0));
+ return new Polynomial(bufferDst, polynomial.curve, polynomial.logger);
}
- // Interpolate a polynomial with the points computed previously
- const R1 = Polynomial.lagrangePolynomialInterpolation(
- [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
- c1Values, curve);
-
- // Check the degree of r1(X) < 4
- if (R1.degree() > 3) {
- throw new Error("R1 Polynomial is not well calculated");
- }
+ split(numPols, degPols, blindingFactors) {
+ if (numPols < 1) {
+ throw new Error(`Polynomials can't be split in ${numPols} parts`);
+ } else if (1 === numPols) {
+ return [this];
+ }
- // Evaluate the polynomial in challenges.y
- if (logger) logger.info("··· Computing evaluation r1(y)");
- return R1.evaluate(challenges.y);
-}
+ //blinding factors can be void or must have a length of numPols - 1
+ if (0 !== blindingFactors.length && blindingFactors.length < numPols - 1) {
+ throw new Error(`Blinding factors length must be ${numPols - 1}`);
+ }
-function computeR2(proof, challenges, roots, lagrange1, vk, curve, logger) {
- const Fr = curve.Fr;
+ const chunkByteLength = (degPols + 1) * this.Fr.n8;
+ let res = [];
- // r2(y) = ∑_1^3 C_2(h_2 ω_3^{i-1}) L_i(y) + ∑_1^3 C_2(h_3 ω_3^{i-1}) L_{i+3}(y). To this end we need to compute
- // Z2 = {[C2(h_2}, C2(h_2 ω_3), C2(h_2 ω_3^2)], [C2(h_3}, C2(h_3 ω_3), C2(h_3 ω_3^2)]}
- // where C_2(h_2 ω_3^{i-1}) = eval.z + h_2 ω_2^i T1(xi) + (h_2 ω_3^i)^2 T2(xi),
- // where C_2(h_3 ω_3^{i-1}) = eval.z + h_3 ω_2^i T1(xi) + (h_3 ω_3^i)^2 T2(xi),
- // where T1(xi) = [ L_1(xi)(z-1)] / Z_H(xi)
- // and T2(xi) = [ (a + beta·xi + gamma)(b + beta·xi·k1 + gamma)(c + beta·xi·k2 + gamma)z
- // - (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)zω ] / Z_H(xi)
+ // Check polynomial can be split in numChunks parts of chunkSize bytes...
+ const numRealPols = Math.ceil((this.degree() + 1) * this.Fr.n8 / chunkByteLength);
+ if (numRealPols < numPols) {
+ //throw new Error(`Polynomial is short to be split in ${numPols} parts of ${degPols} coefficients each.`);
+ for (let i = numRealPols; i < numPols; i++) {
+ res[i] = new Polynomial(new Uint8Array(this.Fr.n8), this.curve, this.logger);
+ }
+ }
- // Compute T1(xi)
- if (logger) logger.info("··· Computing T1(xi)");
- let t1 = Fr.sub(proof.evaluations.z, Fr.one);
- t1 = Fr.mul(t1, lagrange1);
- t1 = Fr.mul(t1, challenges.invzh);
+ numPols = Math.min(numPols, numRealPols);
+ for (let i = 0; i < numPols; i++) {
+ const isLast = (numPols - 1) === i;
+ const byteLength = isLast ? this.coef.byteLength - ((numPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
- // Compute T2(xi)
- if (logger) logger.info("··· Computing T2(xi)");
- const betaxi = Fr.mul(challenges.beta, challenges.xi);
- const t211 = Fr.add(proof.evaluations.a, Fr.add(betaxi, challenges.gamma));
- const t212 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(betaxi, vk.k1), challenges.gamma));
- const t213 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(betaxi, vk.k2), challenges.gamma));
- const t21 = Fr.mul(t211, Fr.mul(t212, Fr.mul(t213, proof.evaluations.z)));
+ let buff = (byteLength / this.Fr.n8) > 2 << 14 ? new ffjavascript.BigBuffer(byteLength) : new Uint8Array(byteLength);
+ res[i] = new Polynomial(buff, this.curve, this.logger);
- const t221 = Fr.add(proof.evaluations.a, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s1), challenges.gamma));
- const t222 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s2), challenges.gamma));
- const t223 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s3), challenges.gamma));
- const t22 = Fr.mul(t221, Fr.mul(t222, Fr.mul(t223, proof.evaluations.zw)));
+ const fr = i * chunkByteLength;
+ const to = isLast ? this.coef.byteLength : (i + 1) * chunkByteLength;
+ res[i].coef.set(this.coef.slice(fr, to), 0);
- let t2 = Fr.sub(t21, t22);
- t2 = Fr.mul(t2, challenges.invzh);
+ // Add a blinding factor as higher degree
+ if (!isLast) {
+ res[i].coef.set(blindingFactors[i], chunkByteLength);
+ }
- // Compute the 6 C2 values
- if (logger) logger.info("··· Computing C2(h_2ω_3^i) values");
- let c2Values = [];
- for (let i = 0; i < 3; i++) {
- c2Values[i] = Fr.add(proof.evaluations.z, Fr.mul(roots.S2.h2w3[i], t1));
- c2Values[i] = Fr.add(c2Values[i], Fr.mul(Fr.square(roots.S2.h2w3[i]), t2));
- }
+ // Sub blinding factor to the lowest degree
+ if (0 !== i) {
+ const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
+ res[i].coef.set(lowestDegree, 0);
+ }
- if (logger) logger.info("··· Computing C2(h_3ω_3^i) values");
- for (let i = 0; i < 3; i++) {
- c2Values[i + 3] = Fr.add(proof.evaluations.zw, Fr.mul(roots.S2.h3w3[i], proof.evaluations.t1w));
- c2Values[i + 3] = Fr.add(c2Values[i + 3], Fr.mul(Fr.square(roots.S2.h3w3[i]), proof.evaluations.t2w));
- }
+ if (isLast) {
+ res[i].truncate();
+ }
+ }
- // Interpolate a polynomial with the points computed previously
- if (logger) logger.info("··· Computing r2(xi)");
- const R2 = Polynomial.lagrangePolynomialInterpolation(
- [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
- roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
- c2Values, curve);
+ return res;
- // Check the degree of r2(X) < 6
- if (R2.degree() > 5) {
- throw new Error("R2 Polynomial is not well calculated");
+ // // compute t_low(X)
+ // let polTLow = new BigBuffer((chunkSize + 1) * n8r);
+ // polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
+ // // Add blinding scalar b_10 as a new coefficient n
+ // polTLow.set(ch.b[10], zkey.domainSize * n8r);
+ //
+ // // compute t_mid(X)
+ // let polTMid = new BigBuffer((zkey.domainSize + 1) * n8r);
+ // polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
+ // // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
+ // const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
+ // polTMid.set(lowestMid, 0);
+ // // Add blinding scalar b_11 as a new coefficient n
+ // polTMid.set(ch.b[11], zkey.domainSize * n8r);
+ //
+ // // compute t_high(X)
+ // let polTHigh = new BigBuffer((zkey.domainSize + 6) * n8r);
+ // polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
+ // //Subtract blinding scalar b_11 to the lowest coefficient of t_high
+ // const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
+ // polTHigh.set(lowestHigh, 0);
+ //
+ // proof.T1 = await expTau(polTLow, "multiexp T1");
+ // proof.T2 = await expTau(polTMid, "multiexp T2");
+ // proof.T3 = await expTau(polTHigh, "multiexp T3");
}
- // Evaluate the polynomial in challenges.y
- if (logger) logger.info("··· Computing evaluation r2(y)");
- return R2.evaluate(challenges.y);
-}
+// split2(degPols, blindingFactors) {
+// let currentDegree = this.degree();
+// const numFilledPols = Math.ceil((currentDegree + 1) / (degPols + 1));
+//
+// //blinding factors can be void or must have a length of numPols - 1
+// if (0 !== blindingFactors.length && blindingFactors.length < numFilledPols - 1) {
+// throw new Error(`Blinding factors length must be ${numFilledPols - 1}`);
+// }
+//
+// const chunkByteLength = (degPols + 1) * this.Fr.n8;
+//
+// // Check polynomial can be split in numChunks parts of chunkSize bytes...
+// if (this.coef.byteLength / chunkByteLength <= numFilledPols - 1) {
+// throw new Error(`Polynomial is short to be split in ${numFilledPols} parts of ${degPols} coefficients each.`);
+// }
+//
+// let res = [];
+// for (let i = 0; i < numFilledPols; i++) {
+// const isLast = (numFilledPols - 1) === i;
+// const byteLength = isLast ? (currentDegree + 1) * this.Fr.n8 - ((numFilledPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
+//
+// res[i] = new Polynomial(new BigBuffer(byteLength), this.Fr, this.logger);
+// const fr = i * chunkByteLength;
+// const to = isLast ? (currentDegree + 1) * this.Fr.n8 : (i + 1) * chunkByteLength;
+// res[i].coef.set(this.coef.slice(fr, to), 0);
+//
+// // Add a blinding factor as higher degree
+// if (!isLast) {
+// res[i].coef.set(blindingFactors[i], chunkByteLength);
+// }
+//
+// // Sub blinding factor to the lowest degree
+// if (0 !== i) {
+// const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
+// res[i].coef.set(lowestDegree, 0);
+// }
+// }
+//
+// return res;
+// }
+
+// merge(pols, overlap = true) {
+// let length = 0;
+// for (let i = 0; i < pols.length; i++) {
+// length += pols[i].length();
+// }
+//
+// if (overlap) {
+// length -= pols.length - 1;
+// }
+//
+// let res = new Polynomial(new BigBuffer(length * this.Fr.n8));
+// for (let i = 0; i < pols.length; i++) {
+// const byteLength = pols[i].coef.byteLength;
+// if (0 === i) {
+// res.coef.set(pols[i].coef, 0);
+// } else {
+//
+// }
+// }
+//
+// return res;
+// }
-function computeF(curve, proof, vk, challenges, roots) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
+ truncate() {
+ const deg = this.degree();
+ if (deg + 1 < this.coef.byteLength / this.Fr.n8) {
+ const newCoefs = (deg + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer((deg + 1) * this.Fr.n8) : new Uint8Array((deg + 1) * this.Fr.n8);
- let mulH0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
- for (let i = 1; i < 8; i++) {
- mulH0 = Fr.mul(mulH0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
+ newCoefs.set(this.coef.slice(0, (deg + 1) * this.Fr.n8), 0);
+ this.coef = newCoefs;
+ }
}
- challenges.temp = mulH0;
-
- let mulH1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
- for (let i = 1; i < 4; i++) {
- mulH1 = Fr.mul(mulH1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
- }
+ static lagrangePolynomialInterpolation(xArr, yArr, curve) {
+ const Fr = curve.Fr;
+ let polynomial = computeLagrangePolynomial(0);
+ for (let i = 1; i < xArr.length; i++) {
+ polynomial.add(computeLagrangePolynomial(i));
+ }
- let mulH2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
- for (let i = 1; i < 3; i++) {
- mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
- }
- for (let i = 0; i < 3; i++) {
- mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
- }
+ return polynomial;
- challenges.quotient1 = Fr.mul(challenges.alpha, Fr.div(mulH0, mulH1));
- challenges.quotient2 = Fr.mul(Fr.square(challenges.alpha), Fr.div(mulH0, mulH2));
+ function computeLagrangePolynomial(i) {
+ let polynomial;
- let F2 = G1.timesFr(proof.polynomials.C1, challenges.quotient1);
- let F3 = G1.timesFr(proof.polynomials.C2, challenges.quotient2);
+ for (let j = 0; j < xArr.length; j++) {
+ if (j === i) continue;
- return G1.add(vk.C0, G1.add(F2, F3));
-}
+ if (polynomial === undefined) {
+ let buff = (xArr.length) > 2 << 14 ?
+ new ffjavascript.BigBuffer((xArr.length) * Fr.n8) : new Uint8Array((xArr.length) * Fr.n8);
+ polynomial = new Polynomial(buff, curve);
+ polynomial.setCoef(0, Fr.neg(xArr[j]));
+ polynomial.setCoef(1, Fr.one);
+ } else {
+ polynomial.byXSubValue(xArr[j]);
+ }
+ }
-function computeE(curve, proof, challenges, vk, r0, r1, r2) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
+ let denominator = polynomial.evaluate(xArr[i]);
+ denominator = Fr.inv(denominator);
+ const mulFactor = Fr.mul(yArr[i], denominator);
- let E2 = Fr.mul(r1, challenges.quotient1);
- let E3 = Fr.mul(r2, challenges.quotient2);
+ polynomial.mulScalar(mulFactor);
- return G1.timesFr(G1.one, Fr.add(r0, Fr.add(E2, E3)));
-}
+ return polynomial;
+ }
+ }
-function computeJ(curve, proof, challenges) {
- const G1 = curve.G1;
+ static zerofierPolynomial(xArr, curve) {
+ const Fr = curve.Fr;
+ let buff = (xArr.length + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer((xArr.length + 1) * Fr.n8) : new Uint8Array((xArr.length + 1) * Fr.n8);
+ let polynomial = new Polynomial(buff, curve);
- return G1.timesFr(proof.polynomials.W1, challenges.temp);
-}
+ // Build a zerofier polynomial with the following form:
+ // zerofier(X) = (X-xArr[0])(X-xArr[1])...(X-xArr[n])
+ polynomial.setCoef(0, Fr.neg(xArr[0]));
+ polynomial.setCoef(1, Fr.one);
-async function isValidPairing$1(curve, proof, challenges, vk, F, E, J) {
- const G1 = curve.G1;
+ for (let i = 1; i < xArr.length; i++) {
+ polynomial.byXSubValue(xArr[i]);
+ }
- let A1 = G1.timesFr(proof.polynomials.W2, challenges.y);
- A1 = G1.add(G1.sub(G1.sub(F, E), J), A1);
- const A2 = curve.G2.one;
+ return polynomial;
+ }
- const B1 = proof.polynomials.W2;
- const B2 = vk.X_2;
+ print() {
+ const Fr = this.Fr;
+ let res = "";
+ for (let i = this.degree(); i >= 0; i--) {
+ const coef = this.getCoef(i);
+ if (!Fr.eq(Fr.zero, coef)) {
+ if (Fr.isNegative(coef)) {
+ res += " - ";
+ } else if (i !== this.degree()) {
+ res += " + ";
+ }
+ res += Fr.toString(coef);
+ if (i > 0) {
+ res += i > 1 ? "x^" + i : "x";
+ }
+ }
+ }
+ console.log(res);
+ }
- return await curve.pairingEq(G1.neg(A1), A2, B1, B2);
+ async multiExponentiation(PTau, name) {
+ const n = this.coef.byteLength / this.Fr.n8;
+ const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
+ const bm = await this.Fr.batchFromMontgomery(this.coef);
+ let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
+ res = this.G1.toAffine(res);
+ return res;
+ }
}
/*
+ Copyright 2022 iden3 association.
+
This file is part of snarkjs.
snarkjs is a free software: you can redistribute it and/or
@@ -9506,74 +9339,124 @@ async function isValidPairing$1(curve, proof, challenges, vk, F, E, J) {
snarkjs. If not, see .
*/
-async function fflonkVerifyCmd(vkeyFilename, publicInputsFilename, proofFilename, logger) {
- const vkey = JSON.parse(fs__default["default"].readFileSync(vkeyFilename, "utf8"));
- const publicInputs = JSON.parse(fs__default["default"].readFileSync(publicInputsFilename, "utf8"));
- const proof = JSON.parse(fs__default["default"].readFileSync(proofFilename, "utf8"));
+class Evaluations {
+ constructor(evaluations, curve, logger) {
+ this.eval = evaluations;
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.logger = logger;
+ }
- return await fflonkVerify$1(vkey, publicInputs, proof, logger);
-}
+ static async fromPolynomial(polynomial, extension, curve, logger) {
+ const coefficientsN = new ffjavascript.BigBuffer(polynomial.length() * extension * curve.Fr.n8);
+ coefficientsN.set(polynomial.coef, 0);
-/*
- Copyright 2021 0KIMS association.
+ const evaluations = await curve.Fr.fft(coefficientsN);
- This file is part of snarkJS.
+ return new Evaluations(evaluations, curve, logger);
+ }
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ getEvaluation(index) {
+ const i_n8 = index * this.Fr.n8;
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ if (i_n8 + this.Fr.n8 > this.eval.byteLength) {
+ throw new Error("Evaluations.getEvaluation() out of bounds");
+ }
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
+ return this.eval.slice(i_n8, i_n8 + this.Fr.n8);
+ }
+
+ length() {
+ let length = this.eval.byteLength / this.Fr.n8;
+ if (length !== Math.floor(this.eval.byteLength / this.Fr.n8)) {
+ throw new Error("Polynomial evaluations buffer has incorrect size");
+ }
+ if (0 === length) {
+ this.logger.warn("Polynomial has length zero");
+ }
+ return length;
+ }
+}
-const {unstringifyBigInts: unstringifyBigInts$8, stringifyBigInts: stringifyBigInts$3} = ffjavascript.utils;
+/*
+ Copyright 2022 iden3 association.
-async function fflonkExportSolidityVerifier(vk, templates, logger) {
- if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER STARTED");
+ This file is part of snarkjs.
- const curve = await getCurveFromName(vk.curve);
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- // Precompute w3_2, w4_2 and w4_3
- let w3 = fromVkey(vk.w3);
- vk.w3_2 = toVkey(curve.Fr.square(w3));
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- let w4 = fromVkey(vk.w4);
- vk.w4_2 = toVkey(curve.Fr.square(w4));
- vk.w4_3 = toVkey(curve.Fr.mul(curve.Fr.square(w4), w4));
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
- let w8 = fromVkey(vk.w8);
- let acc = curve.Fr.one;
+class CPolynomial {
+ constructor(n, curve, logger) {
+ this.n = n;
+ this.polynomials = Array(n).fill(undefined);
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.G1 = curve.G1;
+ this.logger = logger;
+ }
- for (let i = 1; i < 8; i++) {
- acc = curve.Fr.mul(acc, w8);
- vk["w8_" + i] = toVkey(acc);
+ addPolynomial(position, polynomial) {
+ if (position > this.n - 1) {
+ throw new Error("CPolynomial:addPolynomial, cannot add a polynomial to a position greater than n-1");
+ }
+
+ this.polynomials[position] = polynomial;
}
- let template = templates[vk.protocol];
+ degree() {
+ let degrees = this.polynomials.map(
+ (polynomial, index) => polynomial === undefined ? 0 : polynomial.degree() * this.n + index);
+ return Math.max(...degrees);
+ }
+
+ getPolynomial() {
+ let degrees = this.polynomials.map(polynomial => polynomial === undefined ? 0 : polynomial.degree());
+ const maxDegree = this.degree();
+ const lengthBuffer = 2 ** (log2(maxDegree - 1) + 1);
+ const sFr = this.Fr.n8;
+
+ let polynomial = new Polynomial(new ffjavascript.BigBuffer(lengthBuffer * sFr), this.curve, this.logger);
- if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER FINISHED");
+ for (let i = 0; i < maxDegree; i++) {
+ const i_n8 = i * sFr;
+ const i_sFr = i_n8 * this.n;
- return ejs__default["default"].render(template, vk);
+ for (let j = 0; j < this.n; j++) {
+ if (this.polynomials[j] !== undefined) {
+ if (i <= degrees[j]) polynomial.coef.set(this.polynomials[j].coef.slice(i_n8, i_n8 + sFr), i_sFr + j * sFr);
+ }
+ }
+ }
- function fromVkey(str) {
- const val = unstringifyBigInts$8(str);
- return curve.Fr.fromObject(val);
+ return polynomial;
}
- function toVkey(val) {
- const str = curve.Fr.toObject(val);
- return stringifyBigInts$3(str);
+ async multiExponentiation(PTau, name) {
+ let polynomial = this.getPolynomial();
+ const n = polynomial.coef.byteLength / this.Fr.n8;
+ const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
+ const bm = await this.Fr.batchFromMontgomery(polynomial.coef);
+ let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
+ res = this.G1.toAffine(res);
+ return res;
}
}
/*
+ Copyright 2022 iden3 association.
+
This file is part of snarkjs.
snarkjs is a free software: you can redistribute it and/or
@@ -9590,521 +9473,581 @@ async function fflonkExportSolidityVerifier(vk, templates, logger) {
snarkjs. If not, see .
*/
-async function fflonkExportSolidityVerifierCmd(vk, templates, logger) {
- return fflonkExportSolidityVerifier(vk, templates, logger);
-}
-
-/*
- Copyright 2021 0KIMS association.
-
- This file is part of snarkJS.
-
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+async function fflonkSetup$1(r1csFilename, ptauFilename, zkeyFilename, logger) {
+ if (logger) logger.info("FFLONK SETUP STARTED");
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
+ if (globalThis.gc) globalThis.gc();
-const {unstringifyBigInts: unstringifyBigInts$7} = ffjavascript.utils;
+ // Read PTau file
+ if (logger) logger.info("> Reading PTau file");
+ const {fd: fdPTau, sections: pTauSections} = await binFileUtils.readBinFile(ptauFilename, "ptau", 1, 1 << 22, 1 << 24);
+ if (!pTauSections[12]) {
+ throw new Error("Powers of Tau is not well prepared. Section 12 missing.");
+ }
-function i2hex$1(i) {
- return ("0" + i.toString(16)).slice(-2);
-}
+ // Get curve defined in PTau
+ if (logger) logger.info("> Getting curve from PTau settings");
+ const {curve} = await readPTauHeader(fdPTau, pTauSections);
-function p256$2(n) {
- let nstr = n.toString(16);
- while (nstr.length < 64) nstr = "0" + nstr;
- nstr = `"0x${nstr}"`;
- return nstr;
-}
+ // Read r1cs file
+ if (logger) logger.info("> Reading r1cs file");
+ const {fd: fdR1cs, sections: sectionsR1cs} = await binFileUtils.readBinFile(r1csFilename, "r1cs", 1, 1 << 22, 1 << 24);
+ const r1cs = await r1csfile.readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: false, loadCustomGates: true});
-async function fflonkExportCallData(_pub, _proof, logger) {
- const proof = unstringifyBigInts$7(_proof);
- const pub = unstringifyBigInts$7(_pub);
+ // Potential error checks
+ if (r1cs.prime !== curve.r) {
+ throw new Error("r1cs curve does not match powers of tau ceremony curve");
+ }
- const curve = await getCurveFromName(proof.curve);
- const G1 = curve.G1;
+ // Initializations
const Fr = curve.Fr;
- let inputs = "";
- for (let i = 0; i < pub.length; i++) {
- if (inputs !== "") inputs = inputs + ",";
- inputs = inputs + p256$2(pub[i]);
- }
+ const sFr = curve.Fr.n8;
+ const sG1 = curve.G1.F.n8 * 2;
+ const sG2 = curve.G2.F.n8 * 2;
- const proofBuff = new Uint8Array(G1.F.n8 * 2 * 4 + Fr.n8 * 16);
+ let polynomials = {};
+ let evaluations = {};
+ let PTau;
- G1.toRprUncompressed(proofBuff, 0, G1.e(proof.polynomials.C1));
- G1.toRprUncompressed(proofBuff, G1.F.n8 * 2, G1.e(proof.polynomials.C2));
- G1.toRprUncompressed(proofBuff, G1.F.n8 * 4, G1.e(proof.polynomials.W1));
- G1.toRprUncompressed(proofBuff, G1.F.n8 * 6, G1.e(proof.polynomials.W2));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8, Fr.e(proof.evaluations.ql));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8, Fr.e(proof.evaluations.qr));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 2, Fr.e(proof.evaluations.qm));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 3, Fr.e(proof.evaluations.qo));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 4, Fr.e(proof.evaluations.qc));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 5, Fr.e(proof.evaluations.s1));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 6, Fr.e(proof.evaluations.s2));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 7, Fr.e(proof.evaluations.s3));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 8, Fr.e(proof.evaluations.a));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 9, Fr.e(proof.evaluations.b));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 10, Fr.e(proof.evaluations.c));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 11, Fr.e(proof.evaluations.z));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 12, Fr.e(proof.evaluations.zw));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 13, Fr.e(proof.evaluations.t1w));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 14, Fr.e(proof.evaluations.t2w));
- Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 15, Fr.e(proof.evaluations.inv));
+ let settings = {
+ nVars: r1cs.nVars,
+ nPublic: r1cs.nOutputs + r1cs.nPubInputs
+ };
- const proofHex = Array.from(proofBuff).map(i2hex$1).join("");
+ const plonkConstraints = new BigArray();
+ let plonkAdditions = new BigArray();
- return `0x${proofHex},[${inputs}]`;
-}
+ // Process constraints inside r1cs
+ if (logger) logger.info("> Processing FFlonk constraints");
+ await computeFFConstraints(curve.Fr, r1cs, logger);
+ if (globalThis.gc) globalThis.gc();
-/*
- This file is part of snarkjs.
+ // As the t polynomial is n+5 whe need at least a power of 4
+ //TODO check!!!!
+ // NOTE : plonkConstraints + 2 = #constraints + blinding coefficients for each wire polynomial
+ settings.cirPower = Math.max(FF_T_POL_DEG_MIN, log2((plonkConstraints.length + 2) - 1) + 1);
+ settings.domainSize = 2 ** settings.cirPower;
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ if (pTauSections[2][0].size < (settings.domainSize * 9 + 18) * sG1) {
+ throw new Error("Powers of Tau is not big enough for this circuit size. Section 2 too small.");
+ }
+ if (pTauSections[3][0].size < sG2) {
+ throw new Error("Powers of Tau is not well prepared. Section 3 too small.");
+ }
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ if (logger) {
+ logger.info("----------------------------");
+ logger.info(" FFLONK SETUP SETTINGS");
+ logger.info(` Curve: ${curve.name}`);
+ logger.info(` Circuit power: ${settings.cirPower}`);
+ logger.info(` Domain size: ${settings.domainSize}`);
+ logger.info(` Vars: ${settings.nVars}`);
+ logger.info(` Public vars: ${settings.nPublic}`);
+ logger.info(` Constraints: ${plonkConstraints.length}`);
+ logger.info(` Additions: ${plonkAdditions.length}`);
+ logger.info("----------------------------");
+ }
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ // Compute k1 and k2 to be used in the permutation checks
+ if (logger) logger.info("> computing k1 and k2");
+ const [k1, k2] = computeK1K2();
-async function fflonkExportCallDataCmd(publicInputs, proof, logger) {
- return await fflonkExportCallData(publicInputs, proof);
-}
+ // Compute omega 3 (w3) and omega 4 (w4) to be used in the prover and the verifier
+ // w3^3 = 1 and w4^4 = 1
+ if (logger) logger.info("> computing w3");
+ const w3 = computeW3();
+ if (logger) logger.info("> computing w4");
+ const w4 = computeW4();
+ if (logger) logger.info("> computing w8");
+ const w8 = computeW8();
+ if (logger) logger.info("> computing wr");
+ const wr = getOmegaCubicRoot(settings.cirPower, curve.Fr);
-// Not ready yet
-// module.exports.generateVerifier_kimleeoh = generateVerifier_kimleeoh;
+ // Write output zkey file
+ await writeZkeyFile();
-async function exportSolidityVerifier(zKeyName, templates, logger) {
+ await fdR1cs.close();
+ await fdPTau.close();
- const verificationKey = await zkeyExportVerificationKey(zKeyName, logger);
+ if (logger) logger.info("FFLONK SETUP FINISHED");
- if ("fflonk" === verificationKey.protocol) {
- return fflonkExportSolidityVerifierCmd(verificationKey, templates, logger);
- }
+ return 0;
- let template = templates[verificationKey.protocol];
+ async function computeFFConstraints(Fr, r1cs, logger) {
+ // Add public inputs and outputs
+ for (let i = 0; i < settings.nPublic; i++) {
+ plonkConstraints.push(getFFlonkConstantConstraint(i + 1, Fr));
+ }
- return ejs__default["default"].render(template, verificationKey);
-}
+ // Add all constraints from r1cs file
+ const r1csProcessor = new r1csConstraintProcessor(Fr, getFFlonkConstantConstraint, getFFlonkAdditionConstraint, getFFlonkMultiplicationConstraint, logger);
-/*
- Copyright 2018 0KIMS association.
+ const bR1cs = await binFileUtils__namespace.readSection(fdR1cs, sectionsR1cs, 2);
+ let bR1csPos = 0;
+ for (let i = 0; i < r1cs.nConstraints; i++) {
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` processing r1cs constraints ${i}/${r1cs.nConstraints}`);
+ }
+ const [constraints, additions] = r1csProcessor.processR1csConstraint(settings, ...readConstraint());
- This file is part of snarkJS.
+ plonkConstraints.push(...constraints);
+ plonkAdditions.push(...additions);
+ }
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ function readConstraint() {
+ const c = [];
+ c[0] = readLC();
+ c[1] = readLC();
+ c[2] = readLC();
+ return c;
+ }
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ function readLC() {
+ const lc = {};
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
-const {stringifyBigInts: stringifyBigInts$2} = ffjavascript.utils;
+ const buffUL32 = bR1cs.slice(bR1csPos, bR1csPos + 4);
+ bR1csPos += 4;
+ const buffUL32V = new DataView(buffUL32.buffer);
+ const nIdx = buffUL32V.getUint32(0, true);
-async function groth16Prove$1(zkeyFileName, witnessFileName, logger) {
- const {fd: fdWtns, sections: sectionsWtns} = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1<<25, 1<<23);
+ const buff = bR1cs.slice(bR1csPos, bR1csPos + (4 + r1cs.n8) * nIdx);
+ bR1csPos += (4 + r1cs.n8) * nIdx;
+ const buffV = new DataView(buff.buffer);
+ for (let i = 0; i < nIdx; i++) {
+ const idx = buffV.getUint32(i * (4 + r1cs.n8), true);
+ const val = r1cs.F.fromRprLE(buff, i * (4 + r1cs.n8) + 4);
+ lc[idx] = val;
+ }
+ return lc;
+ }
- const wtns = await readHeader(fdWtns, sectionsWtns);
+ return 0;
+ }
- const {fd: fdZKey, sections: sectionsZKey} = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1<<25, 1<<23);
+ async function writeZkeyFile() {
+ if (logger) logger.info("> Writing the zkey file");
+ const fdZKey = await binFileUtils.createBinFile(zkeyFilename, "zkey", 1, ZKEY_FF_NSECTIONS, 1 << 22, 1 << 24);
+
+ if (logger) logger.info(`··· Writing Section ${HEADER_ZKEY_SECTION}. Zkey Header`);
+ await writeZkeyHeader(fdZKey);
- const zkey = await readHeader$1(fdZKey, sectionsZKey);
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
+ await writeAdditions(fdZKey);
+ if (globalThis.gc) globalThis.gc();
- if (zkey.protocol != "groth16") {
- throw new Error("zkey file is not groth16");
- }
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_A_MAP_SECTION}. A Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_A_MAP_SECTION, 0, "A map");
+ if (globalThis.gc) globalThis.gc();
- if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
- throw new Error("Curve of the witness does not match the curve of the proving key");
- }
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_B_MAP_SECTION}. B Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_B_MAP_SECTION, 1, "B map");
+ if (globalThis.gc) globalThis.gc();
- if (wtns.nWitness != zkey.nVars) {
- throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}`);
- }
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_C_MAP_SECTION}. C Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_C_MAP_SECTION, 2, "C map");
+ if (globalThis.gc) globalThis.gc();
- const curve = zkey.curve;
- const Fr = curve.Fr;
- const G1 = curve.G1;
- const G2 = curve.G2;
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QL_SECTION}. QL`);
+ await writeQMap(fdZKey, ZKEY_FF_QL_SECTION, 3, "QL");
+ if (globalThis.gc) globalThis.gc();
- const power = log2(zkey.domainSize);
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QR_SECTION}. QR`);
+ await writeQMap(fdZKey, ZKEY_FF_QR_SECTION, 4, "QR");
+ if (globalThis.gc) globalThis.gc();
- if (logger) logger.debug("Reading Wtns");
- const buffWitness = await binFileUtils__namespace.readSection(fdWtns, sectionsWtns, 2);
- if (logger) logger.debug("Reading Coeffs");
- const buffCoeffs = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 4);
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QM_SECTION}. QM`);
+ await writeQMap(fdZKey, ZKEY_FF_QM_SECTION, 5, "QM");
+ if (globalThis.gc) globalThis.gc();
- if (logger) logger.debug("Building ABC");
- const [buffA_T, buffB_T, buffC_T] = await buildABC1(curve, zkey, buffWitness, buffCoeffs, logger);
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QO_SECTION}. QO`);
+ await writeQMap(fdZKey, ZKEY_FF_QO_SECTION, 6, "QO");
+ if (globalThis.gc) globalThis.gc();
- const inc = power == Fr.s ? curve.Fr.shift : curve.Fr.w[power+1];
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QC_SECTION}. QC`);
+ await writeQMap(fdZKey, ZKEY_FF_QC_SECTION, 7, "QC");
+ if (globalThis.gc) globalThis.gc();
- const buffA = await Fr.ifft(buffA_T, "", "", logger, "IFFT_A");
- const buffAodd = await Fr.batchApplyKey(buffA, Fr.e(1), inc);
- const buffAodd_T = await Fr.fft(buffAodd, "", "", logger, "FFT_A");
+ if (logger) logger.info(`··· Writing Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
+ await writeSigma(fdZKey);
+ if (globalThis.gc) globalThis.gc();
- const buffB = await Fr.ifft(buffB_T, "", "", logger, "IFFT_B");
- const buffBodd = await Fr.batchApplyKey(buffB, Fr.e(1), inc);
- const buffBodd_T = await Fr.fft(buffBodd, "", "", logger, "FFT_B");
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_LAGRANGE_SECTION}. Lagrange Polynomials`);
+ await writeLagrangePolynomials(fdZKey);
+ if (globalThis.gc) globalThis.gc();
- const buffC = await Fr.ifft(buffC_T, "", "", logger, "IFFT_C");
- const buffCodd = await Fr.batchApplyKey(buffC, Fr.e(1), inc);
- const buffCodd_T = await Fr.fft(buffCodd, "", "", logger, "FFT_C");
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
+ await writePtau(fdZKey);
+ if (globalThis.gc) globalThis.gc();
- if (logger) logger.debug("Join ABC");
- const buffPodd_T = await joinABC(curve, zkey, buffAodd_T, buffBodd_T, buffCodd_T, logger);
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_C0_SECTION}. C0`);
+ await writeC0(fdZKey);
+ if (globalThis.gc) globalThis.gc();
- let proof = {};
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_HEADER_SECTION}. FFlonk Header`);
+ await writeFFlonkHeader(fdZKey);
+ if (globalThis.gc) globalThis.gc();
- if (logger) logger.debug("Reading A Points");
- const buffBasesA = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 5);
- proof.pi_a = await curve.G1.multiExpAffine(buffBasesA, buffWitness, logger, "multiexp A");
+ if (logger) logger.info("> Writing the zkey file finished");
- if (logger) logger.debug("Reading B1 Points");
- const buffBasesB1 = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 6);
- let pib1 = await curve.G1.multiExpAffine(buffBasesB1, buffWitness, logger, "multiexp B1");
+ await fdZKey.close();
+ }
- if (logger) logger.debug("Reading B2 Points");
- const buffBasesB2 = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 7);
- proof.pi_b = await curve.G2.multiExpAffine(buffBasesB2, buffWitness, logger, "multiexp B2");
+ async function writeZkeyHeader(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, HEADER_ZKEY_SECTION);
+ await fdZKey.writeULE32(FFLONK_PROTOCOL_ID);
+ await binFileUtils.endWriteSection(fdZKey);
+ }
- if (logger) logger.debug("Reading C Points");
- const buffBasesC = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 8);
- proof.pi_c = await curve.G1.multiExpAffine(buffBasesC, buffWitness.slice((zkey.nPublic+1)*curve.Fr.n8), logger, "multiexp C");
+ async function writeAdditions(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_ADDITIONS_SECTION);
- if (logger) logger.debug("Reading H Points");
- const buffBasesH = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 9);
- const resH = await curve.G1.multiExpAffine(buffBasesH, buffPodd_T, logger, "multiexp H");
+ // Written values are 2 * 32 bit integers (2 * 4 bytes) + 2 field size values ( 2 * sFr bytes)
+ const buffOut = new Uint8Array(8 + 2 * sFr);
+ const buffOutV = new DataView(buffOut.buffer);
- const r = curve.Fr.random();
- const s = curve.Fr.random();
+ for (let i = 0; i < plonkAdditions.length; i++) {
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) logger.info(` writing Additions: ${i}/${plonkAdditions.length}`);
- proof.pi_a = G1.add( proof.pi_a, zkey.vk_alpha_1 );
- proof.pi_a = G1.add( proof.pi_a, G1.timesFr( zkey.vk_delta_1, r ));
+ const addition = plonkAdditions[i];
- proof.pi_b = G2.add( proof.pi_b, zkey.vk_beta_2 );
- proof.pi_b = G2.add( proof.pi_b, G2.timesFr( zkey.vk_delta_2, s ));
+ buffOutV.setUint32(0, addition[0], true);
+ buffOutV.setUint32(4, addition[1], true);
+ buffOut.set(addition[2], 8);
+ buffOut.set(addition[3], 8 + sFr);
- pib1 = G1.add( pib1, zkey.vk_beta_1 );
- pib1 = G1.add( pib1, G1.timesFr( zkey.vk_delta_1, s ));
+ await fdZKey.write(buffOut);
+ }
+ await binFileUtils.endWriteSection(fdZKey);
+ }
- proof.pi_c = G1.add(proof.pi_c, resH);
+ async function writeWitnessMap(fdZKey, sectionNum, posConstraint, name) {
+ await binFileUtils.startWriteSection(fdZKey, sectionNum);
+ for (let i = 0; i < plonkConstraints.length; i++) {
+ if (logger && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` writing witness ${name}: ${i}/${plonkConstraints.length}`);
+ }
+ await fdZKey.writeULE32(plonkConstraints[i][posConstraint]);
+ }
+ await binFileUtils.endWriteSection(fdZKey);
+ }
- proof.pi_c = G1.add( proof.pi_c, G1.timesFr( proof.pi_a, s ));
- proof.pi_c = G1.add( proof.pi_c, G1.timesFr( pib1, r ));
- proof.pi_c = G1.add( proof.pi_c, G1.timesFr( zkey.vk_delta_1, Fr.neg(Fr.mul(r,s) )));
+ async function writeQMap(fdZKey, sectionNum, posConstraint, name) {
+ // Compute Q from q evaluations
+ let Q = new ffjavascript.BigBuffer(settings.domainSize * sFr);
+ for (let i = 0; i < plonkConstraints.length; i++) {
+ Q.set(plonkConstraints[i][posConstraint], i * sFr);
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` writing ${name}: ${i}/${plonkConstraints.length}`);
+ }
+ }
- let publicSignals = [];
+ polynomials[name] = await Polynomial.fromEvaluations(Q, curve, logger);
+ evaluations[name] = await Evaluations.fromPolynomial(polynomials[name], 4, curve, logger);
- for (let i=1; i<= zkey.nPublic; i++) {
- const b = buffWitness.slice(i*Fr.n8, i*Fr.n8+Fr.n8);
- publicSignals.push(ffjavascript.Scalar.fromRprLE(b));
+ // Write Q coefficients and evaluations
+ await binFileUtils.startWriteSection(fdZKey, sectionNum);
+ await fdZKey.write(polynomials[name].coef);
+ await fdZKey.write(evaluations[name].eval);
+ await binFileUtils.endWriteSection(fdZKey);
}
- proof.pi_a = G1.toObject(G1.toAffine(proof.pi_a));
- proof.pi_b = G2.toObject(G2.toAffine(proof.pi_b));
- proof.pi_c = G1.toObject(G1.toAffine(proof.pi_c));
+ async function writeSigma(fdZKey) {
+ // Compute sigma
+ const sigma = new ffjavascript.BigBuffer(sFr * settings.domainSize * 3);
+ const lastSeen = new BigArray(settings.nVars);
+ const firstPos = new BigArray(settings.nVars);
- proof.protocol = "groth16";
- proof.curve = curve.name;
+ let w = Fr.one;
+ for (let i = 0; i < settings.domainSize; i++) {
+ if (i < plonkConstraints.length) {
+ buildSigma(plonkConstraints[i][0], i);
+ buildSigma(plonkConstraints[i][1], settings.domainSize + i);
+ buildSigma(plonkConstraints[i][2], settings.domainSize * 2 + i);
+ } else if (i < settings.domainSize - 2) {
+ buildSigma(0, i);
+ buildSigma(0, settings.domainSize + i);
+ buildSigma(0, settings.domainSize * 2 + i);
+ } else {
+ sigma.set(w, i * sFr);
+ sigma.set(Fr.mul(w, k1), (settings.domainSize + i) * sFr);
+ sigma.set(Fr.mul(w, k2), (settings.domainSize * 2 + i) * sFr);
+ }
- await fdZKey.close();
- await fdWtns.close();
+ w = Fr.mul(w, Fr.w[settings.cirPower]);
- proof = stringifyBigInts$2(proof);
- publicSignals = stringifyBigInts$2(publicSignals);
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` writing sigma phase1: ${i}/${plonkConstraints.length}`);
+ }
+ }
- return {proof, publicSignals};
-}
+ for (let i = 0; i < settings.nVars; i++) {
+ if (typeof firstPos[i] !== "undefined") {
+ sigma.set(lastSeen[i], firstPos[i] * sFr);
+ } else {
+ // throw new Error("Variable not used");
+ console.log("Variable not used");
+ }
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) logger.info(` writing sigma phase2: ${i}/${settings.nVars}`);
+ }
+ if (globalThis.gc) globalThis.gc();
-async function buildABC1(curve, zkey, witness, coeffs, logger) {
- const n8 = curve.Fr.n8;
- const sCoef = 4*3 + zkey.n8r;
- const nCoef = (coeffs.byteLength-4) / sCoef;
+ // Write sigma coefficients and evaluations
+ for (let i = 0; i < 3; i++) {
+ const sectionId = 0 === i ? ZKEY_FF_SIGMA1_SECTION : 1 === i ? ZKEY_FF_SIGMA2_SECTION : ZKEY_FF_SIGMA3_SECTION;
- const outBuffA = new ffjavascript.BigBuffer(zkey.domainSize * n8);
- const outBuffB = new ffjavascript.BigBuffer(zkey.domainSize * n8);
- const outBuffC = new ffjavascript.BigBuffer(zkey.domainSize * n8);
+ let name = "S" + (i + 1);
+ polynomials[name] = await Polynomial.fromEvaluations(sigma.slice(settings.domainSize * sFr * i, settings.domainSize * sFr * (i + 1)), curve, logger);
+ evaluations[name] = await Evaluations.fromPolynomial(polynomials[name], 4, curve, logger);
+ await binFileUtils.startWriteSection(fdZKey, sectionId);
+ await fdZKey.write(polynomials[name].coef);
+ await fdZKey.write(evaluations[name].eval);
+ await binFileUtils.endWriteSection(fdZKey);
- const outBuf = [ outBuffA, outBuffB ];
- for (let i=0; i= 8 * settings.domainSize) {
+ throw new Error("C0 Polynomial is not well calculated");
}
+
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_C0_SECTION);
+ await fdZKey.write(polynomials.C0.coef);
+ await binFileUtils.endWriteSection(fdZKey);
}
- let result = await Promise.all(promises);
+ async function writeFFlonkHeader(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_HEADER_SECTION);
- const nGroups = result.length / concurrency;
- if (nGroups>1) {
- const promises2 = [];
- for (let i=0; i v) {
- n = k - 1;
- } else if (va < v) {
- m = k + 1;
- } else {
- n = k;
- }
- }
- return 4 + m*sCoef;
- }
-}
-*/
+ await fdZKey.write(k1);
+ await fdZKey.write(k2);
-async function joinABC(curve, zkey, a, b, c, logger) {
- const MAX_CHUNK_SIZE = 1 << 22;
+ await fdZKey.write(w3);
+ await fdZKey.write(w4);
+ await fdZKey.write(w8);
+ await fdZKey.write(wr);
- const n8 = curve.Fr.n8;
- const nElements = Math.floor(a.byteLength / curve.Fr.n8);
+ let bX_2;
+ bX_2 = await fdPTau.read(sG2, pTauSections[3][0].p + sG2);
+ await fdZKey.write(bX_2);
- const promises = [];
+ let commitC0 = await polynomials.C0.multiExponentiation(PTau, "C0");
+ await fdZKey.write(commitC0);
- for (let i=0; i.
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$6} = ffjavascript.utils;
+const { keccak256 } = jsSha3__default["default"];
-async function groth16FullProve$1(_input, wasmFile, zkeyFileName, logger) {
- const input = unstringifyBigInts$6(_input);
+const POLYNOMIAL = 0;
+const SCALAR = 1;
- const wtns= {
- type: "mem"
- };
- await wtnsCalculate$1(input, wasmFile, wtns);
- return await groth16Prove$1(zkeyFileName, wtns, logger);
+class Keccak256Transcript {
+ constructor(curve) {
+ this.G1 = curve.G1;
+ this.Fr = curve.Fr;
+
+ this.reset();
+ }
+
+ reset() {
+ this.data = [];
+ }
+
+ addPolCommitment(polynomialCommitment) {
+ this.data.push({type: POLYNOMIAL, data: polynomialCommitment});
+ }
+
+ addScalar(scalar) {
+ this.data.push({type: SCALAR, data: scalar});
+ }
+
+ getChallenge() {
+ if(0 === this.data.length) {
+ throw new Error("Keccak256Transcript: No data to generate a transcript");
+ }
+
+ let nPolynomials = 0;
+ let nScalars = 0;
+
+ this.data.forEach(element => POLYNOMIAL === element.type ? nPolynomials++ : nScalars++);
+
+ let buffer = new Uint8Array(nScalars * this.Fr.n8 + nPolynomials * this.G1.F.n8 * 2);
+ let offset = 0;
+
+ for (let i = 0; i < this.data.length; i++) {
+ if (POLYNOMIAL === this.data[i].type) {
+ this.G1.toRprUncompressed(buffer, offset, this.data[i].data);
+ offset += this.G1.F.n8 * 2;
+ } else {
+ this.Fr.toRprBE(buffer, offset, this.data[i].data);
+ offset += this.Fr.n8;
+ }
+ }
+
+ const value = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256.arrayBuffer(buffer)));
+ return this.Fr.e(value);
+ }
}
/*
- Copyright 2018 0kims association.
+ Copyright 2022 iden3 association.
This file is part of snarkjs.
@@ -10121,1928 +10064,2000 @@ async function groth16FullProve$1(_input, wasmFile, zkeyFileName, logger) {
You should have received a copy of the GNU General Public License along with
snarkjs. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$5} = ffjavascript.utils;
-async function groth16Verify$1(_vk_verifier, _publicSignals, _proof, logger) {
-/*
- let cpub = vk_verifier.IC[0];
- for (let s= 0; s< vk_verifier.nPublic; s++) {
- cpub = G1.add( cpub, G1.timesScalar( vk_verifier.IC[s+1], publicSignals[s]));
- }
-*/
+class Proof {
+ constructor(curve, logger) {
+ this.curve = curve;
+ this.logger = logger;
- const vk_verifier = unstringifyBigInts$5(_vk_verifier);
- const proof = unstringifyBigInts$5(_proof);
- const publicSignals = unstringifyBigInts$5(_publicSignals);
+ this.resetProof();
+ }
- const curve = await getCurveFromName(vk_verifier.curve);
+ resetProof() {
+ this.polynomials = {};
+ this.evaluations = {};
+ }
- const IC0 = curve.G1.fromObject(vk_verifier.IC[0]);
- const IC = new Uint8Array(curve.G1.F.n8*2 * publicSignals.length);
- const w = new Uint8Array(curve.Fr.n8 * publicSignals.length);
+ addPolynomial(key, polynomial) {
+ if (key in this.polynomials) {
+ this.logger.warn(`proof: polynomial.${key} already exist in proof`);
+ }
+ this.polynomials[key] = polynomial;
+ }
- for (let i=0; i {
+ res.polynomials[key] = this.curve.G1.toObject(this.polynomials[key]);
+ });
- vk_alpha_1, vk_beta_2
- );
+ Object.keys(this.evaluations).forEach(key => {
+ res.evaluations[key] = this.curve.Fr.toObject(this.evaluations[key]);
+ });
- if (! res) {
- if (logger) logger.error("Invalid proof");
- return false;
+ return res;
}
- if (logger) logger.info("OK!");
- return true;
+ fromObjectProof(objectProof) {
+ this.resetProof();
+
+ Object.keys(objectProof.polynomials).forEach(key => {
+ this.polynomials[key] = this.curve.G1.fromObject(objectProof.polynomials[key]);
+ });
+
+ Object.keys(objectProof.evaluations).forEach(key => {
+ this.evaluations[key] = this.curve.Fr.fromObject(objectProof.evaluations[key]);
+ });
+ }
}
/*
- Copyright 2018 0KIMS association.
+ Copyright 2022 iden3 association.
- This file is part of snarkJS.
+ This file is part of snarkjs.
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
*/
-const { unstringifyBigInts: unstringifyBigInts$4} = ffjavascript.utils;
-function p256$1(n) {
- let nstr = n.toString(16);
- while (nstr.length < 64) nstr = "0"+nstr;
- nstr = `"0x${nstr}"`;
- return nstr;
-}
+const { stringifyBigInts: stringifyBigInts$1 } = ffjavascript.utils;
+
+
+async function fflonkProve$1(zkeyFileName, witnessFileName, logger) {
+ if (logger) logger.info("FFLONK PROVER STARTED");
+
+ // Read witness file
+ if (logger) logger.info("> Reading witness file");
+ const {
+ fd: fdWtns,
+ sections: wtnsSections
+ } = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1 << 25, 1 << 23);
+ const wtns = await readHeader(fdWtns, wtnsSections);
+
+ //Read zkey file
+ if (logger) logger.info("> Reading zkey file");
+ const {
+ fd: fdZKey,
+ sections: zkeySections
+ } = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1 << 25, 1 << 23);
+ const zkey = await readHeader$1(fdZKey, zkeySections);
+
+ if (zkey.protocolId !== FFLONK_PROTOCOL_ID) {
+ throw new Error("zkey file is not fflonk");
+ }
+
+ if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
+ throw new Error("Curve of the witness does not match the curve of the proving key");
+ }
+
+ if (wtns.nWitness !== zkey.nVars - zkey.nAdditions) {
+ throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
+ }
-async function groth16ExportSolidityCallData(_proof, _pub) {
- const proof = unstringifyBigInts$4(_proof);
- const pub = unstringifyBigInts$4(_pub);
+ const curve = zkey.curve;
- let inputs = "";
- for (let i=0; i Reading witness file data");
+ const buffWitness = await binFileUtils__namespace.readSection(fdWtns, wtnsSections, 2);
+ await fdWtns.close();
- return S;
-}
+ // First element in plonk is not used and can be any value. (But always the same).
+ // We set it to zero to go faster in the exponentiations.
+ buffWitness.set(Fr.zero, 0);
+ const buffInternalWitness = new ffjavascript.BigBuffer(zkey.nAdditions * sFr);
-/*
- Copyright 2021 0kims association.
+ let buffers = {};
+ let polynomials = {};
+ let evaluations = {};
- This file is part of snarkjs.
+ // To divide prime fields the Extended Euclidean Algorithm for computing modular inverses is needed.
+ // NOTE: This is the equivalent of compute 1/denominator and then multiply it by the numerator.
+ // The Extended Euclidean Algorithm is expensive in terms of computation.
+ // For the special case where we need to do many modular inverses, there's a simple mathematical trick
+ // that allows us to compute many inverses, called Montgomery batch inversion.
+ // More info: https://vitalik.ca/general/2018/07/21/starks_part_3.html
+ // Montgomery batch inversion reduces the n inverse computations to a single one
+ // To save this (single) inverse computation on-chain, will compute it in proving time and send it to the verifier.
+ // The verifier will have to check:
+ // 1) the denominator is correct multiplying by himself non-inverted -> a * 1/a == 1
+ // 2) compute the rest of the denominators using the Montgomery batch inversion
+ // The inversions are:
+ // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
+ // · denominator needed in step 10 and 11 of the verifier
+ // · denominator needed in the verifier when computing L_i^{S1}(X) and L_i^{S2}(X)
+ // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
+ let toInverse = {};
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ let challenges = {};
+ let roots = {};
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ let proof = new Proof(curve, logger);
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
+ if (logger) logger.info(`> Reading Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
+ await calculateAdditions();
+ if (logger) logger.info(`> Reading Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
+ if (logger) logger.info("··· Reading Sigma polynomials ");
+ polynomials.Sigma1 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.Sigma2 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.Sigma3 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
-async function plonkSetup$1(r1csName, ptauName, zkeyName, logger) {
+ await fdZKey.readToBuffer(polynomials.Sigma1.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.Sigma2.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.Sigma3.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p);
- if (globalThis.gc) {globalThis.gc();}
+ if (logger) logger.info("··· Reading Sigma evaluations");
+ evaluations.Sigma1 = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.Sigma2 = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.Sigma3 = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
- await Blake2b__default["default"].ready();
+ await fdZKey.readToBuffer(evaluations.Sigma1.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.Sigma2.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.Sigma3.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p + sDomain);
- const {fd: fdPTau, sections: sectionsPTau} = await binFileUtils.readBinFile(ptauName, "ptau", 1, 1<<22, 1<<24);
- const {curve, power} = await readPTauHeader(fdPTau, sectionsPTau);
- const {fd: fdR1cs, sections: sectionsR1cs} = await binFileUtils.readBinFile(r1csName, "r1cs", 1, 1<<22, 1<<24);
+ if (logger) logger.info(`> Reading Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
+ const PTau = new ffjavascript.BigBuffer(zkey.domainSize * 16 * sG1);
+ // domainSize * 9 + 18 = SRS length in the zkey saved in setup process.
+ // it corresponds to the maximum SRS length needed, specifically to commit C2
+ // notice that the reserved buffers size is zkey.domainSize * 16 * sG1 because a power of two buffer size is needed
+ // the remaining buffer not filled from SRS are set to 0
+ await fdZKey.readToBuffer(PTau, 0, (zkey.domainSize * 9 + 18) * sG1, zkeySections[ZKEY_FF_PTAU_SECTION][0].p);
- const r1cs = await r1csfile.readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: true, loadCustomGates: true});
+ // START FFLONK PROVER PROTOCOL
+ if (globalThis.gc) globalThis.gc();
- const sG1 = curve.G1.F.n8*2;
- const G1 = curve.G1;
- const sG2 = curve.G2.F.n8*2;
- const Fr = curve.Fr;
- const n8r = curve.Fr.n8;
+ // ROUND 1. Compute C1(X) polynomial
+ if (logger) logger.info("");
+ if (logger) logger.info("> ROUND 1");
+ await round1();
- if (logger) logger.info("Reading r1cs");
- await binFileUtils.readSection(fdR1cs, sectionsR1cs, 2);
+ delete polynomials.T0;
+ delete evaluations.QL;
+ delete evaluations.QR;
+ delete evaluations.QM;
+ delete evaluations.QO;
+ delete evaluations.QC;
+ if (globalThis.gc) globalThis.gc();
- const plonkConstraints = new BigArray();
- const plonkAdditions = new BigArray();
- let plonkNVars = r1cs.nVars;
+ // ROUND 2. Compute C2(X) polynomial
+ if (logger) logger.info("> ROUND 2");
+ await round2();
- const nPublic = r1cs.nOutputs + r1cs.nPubInputs;
+ delete buffers.A;
+ delete buffers.B;
+ delete buffers.C;
+ delete evaluations.A;
+ delete evaluations.B;
+ delete evaluations.C;
+ delete evaluations.Sigma1;
+ delete evaluations.Sigma2;
+ delete evaluations.Sigma3;
+ delete evaluations.lagrange1;
+ delete evaluations.Z;
+ if (globalThis.gc) globalThis.gc();
- await processConstraints(curve.Fr, r1cs, logger);
+ // ROUND 3. Compute opening evaluations
+ if (logger) logger.info("> ROUND 3");
+ await round3();
- if (globalThis.gc) {globalThis.gc();}
+ delete polynomials.A;
+ delete polynomials.B;
+ delete polynomials.C;
+ delete polynomials.Z;
+ delete polynomials.T1;
+ delete polynomials.T2;
+ delete polynomials.Sigma1;
+ delete polynomials.Sigma2;
+ delete polynomials.Sigma3;
+ delete polynomials.QL;
+ delete polynomials.QR;
+ delete polynomials.QM;
+ delete polynomials.QC;
+ delete polynomials.QO;
+ if (globalThis.gc) globalThis.gc();
- const fdZKey = await binFileUtils.createBinFile(zkeyName, "zkey", 1, 14, 1<<22, 1<<24);
+ // ROUND 4. Compute W(X) polynomial
+ if (logger) logger.info("> ROUND 4");
+ await round4();
+ if (globalThis.gc) globalThis.gc();
+ // ROUND 5. Compute W'(X) polynomial
+ if (logger) logger.info("> ROUND 5");
+ await round5();
- if (r1cs.prime != curve.r) {
- if (logger) logger.error("r1cs curve does not match powers of tau ceremony curve");
- return -1;
- }
+ delete polynomials.C0;
+ delete polynomials.C1;
+ delete polynomials.C2;
+ delete polynomials.R1;
+ delete polynomials.R2;
+ delete polynomials.F;
+ delete polynomials.L;
+ delete polynomials.ZT;
+ delete polynomials.ZTS2;
+ await fdZKey.close();
+ if (globalThis.gc) globalThis.gc();
- let cirPower = log2(plonkConstraints.length -1) +1;
- if (cirPower < 3) cirPower = 3; // As the t polinomal is n+5 whe need at least a power of 4
- const domainSize = 2 ** cirPower;
+ proof.addEvaluation("inv", getMontgomeryBatchedInverse());
- if (logger) logger.info("Plonk constraints: " + plonkConstraints.length);
- if (cirPower > power) {
- if (logger) logger.error(`circuit too big for this power of tau ceremony. ${plonkConstraints.length} > 2**${power}`);
- return -1;
- }
+ // Prepare proof
+ let _proof = proof.toObjectProof();
+ _proof.protocol = "fflonk";
+ _proof.curve = curve.name;
- if (!sectionsPTau[12]) {
- if (logger) logger.error("Powers of tau is not prepared.");
- return -1;
+ // Prepare public inputs
+ let publicSignals = [];
+
+ for (let i = 1; i <= zkey.nPublic; i++) {
+ const i_sFr = i * sFr;
+
+ const pub = buffWitness.slice(i_sFr, i_sFr + sFr);
+ publicSignals.push(ffjavascript.Scalar.fromRprLE(pub));
}
+ if (logger) logger.info("FFLONK PROVER FINISHED");
- const LPoints = new ffjavascript.BigBuffer(domainSize*sG1);
- const o = sectionsPTau[12][0].p + ((2 ** (cirPower)) -1)*sG1;
- await fdPTau.readToBuffer(LPoints, 0, domainSize*sG1, o);
+ return {
+ proof: stringifyBigInts$1(_proof),
+ publicSignals: stringifyBigInts$1(publicSignals)
+ };
- const [k1, k2] = getK1K2();
+ async function calculateAdditions() {
+ if (logger) logger.info("··· Computing additions");
+ const additionsBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_ADDITIONS_SECTION);
- const vk = {};
+ // sizes: wireId_x = 4 bytes (32 bits), factor_x = field size bits
+ // Addition form: wireId_a wireId_b factor_a factor_b (size is 4 + 4 + sFr + sFr)
+ const sSum = 8 + sFr * 2;
+ for (let i = 0; i < zkey.nAdditions; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` addition ${i}/${zkey.nAdditions}`);
- await writeAdditions(3, "Additions");
- if (globalThis.gc) {globalThis.gc();}
- await writeWitnessMap(4, 0, "Amap");
- if (globalThis.gc) {globalThis.gc();}
- await writeWitnessMap(5, 1, "Bmap");
- if (globalThis.gc) {globalThis.gc();}
- await writeWitnessMap(6, 2, "Cmap");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(7, 3, "Qm");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(8, 4, "Ql");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(9, 5, "Qr");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(10, 6, "Qo");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(11, 7, "Qc");
- if (globalThis.gc) {globalThis.gc();}
- await writeSigma(12, "sigma");
- if (globalThis.gc) {globalThis.gc();}
- await writeLs(13, "lagrange polynomials");
- if (globalThis.gc) {globalThis.gc();}
+ // Read addition values
+ let offset = i * sSum;
+ const signalId1 = readUInt32(additionsBuff, offset);
+ offset += 4;
+ const signalId2 = readUInt32(additionsBuff, offset);
+ offset += 4;
+ const factor1 = additionsBuff.slice(offset, offset + sFr);
+ offset += sFr;
+ const factor2 = additionsBuff.slice(offset, offset + sFr);
- // Write PTau points
- ////////////
+ // Get witness value
+ const witness1 = getWitness(signalId1);
+ const witness2 = getWitness(signalId2);
- await binFileUtils.startWriteSection(fdZKey, 14);
- const buffOut = new ffjavascript.BigBuffer((domainSize+6)*sG1);
- await fdPTau.readToBuffer(buffOut, 0, (domainSize+6)*sG1, sectionsPTau[2][0].p);
- await fdZKey.write(buffOut);
- await binFileUtils.endWriteSection(fdZKey);
- if (globalThis.gc) {globalThis.gc();}
+ //Calculate final result
+ const result = Fr.add(Fr.mul(factor1, witness1), Fr.mul(factor2, witness2));
+ buffInternalWitness.set(result, sFr * i);
+ }
+ }
- await writeHeaders();
+ function readUInt32(b, o) {
+ const buff = b.slice(o, o + 4);
+ const buffV = new DataView(buff.buffer, buff.byteOffset, buff.byteLength);
+ return buffV.getUint32(0, true);
+ }
- await fdZKey.close();
- await fdR1cs.close();
- await fdPTau.close();
+ function getWitness(idx) {
+ let diff = zkey.nVars - zkey.nAdditions;
+ if (idx < diff) {
+ return buffWitness.slice(idx * sFr, idx * sFr + sFr);
+ } else if (idx < zkey.nVars) {
+ const offset = (idx - diff) * sFr;
+ return buffInternalWitness.slice(offset, offset + sFr);
+ }
- if (logger) logger.info("Setup Finished");
+ return Fr.zero;
+ }
- return ;
+ async function round1() {
+ // STEP 1.1 - Generate random blinding scalars (b_1, ..., b9) ∈ F
+ challenges.b = [];
+ for (let i = 1; i <= 9; i++) {
+ challenges.b[i] = Fr.random();
+ }
- async function processConstraints(Fr, r1cs, logger) {
+ // STEP 1.2 - Compute wire polynomials a(X), b(X) and c(X)
+ if (logger) logger.info("> Computing A, B, C wire polynomials");
+ await computeWirePolynomials();
- function normalize(linearComb) {
- const ss = Object.keys(linearComb);
- for (let i = 0; i < ss.length; i++) {
- if (linearComb[ss[i]] == 0n) delete linearComb[ss[i]];
- }
- }
+ // STEP 1.3 - Compute the quotient polynomial T0(X)
+ if (logger) logger.info("> Computing T0 polynomial");
+ await computeT0();
- function join(linearComb1, k, linearComb2) {
- const res = {};
+ // STEP 1.4 - Compute the FFT-style combination polynomial C1(X)
+ if (logger) logger.info("> Computing C1 polynomial");
+ await computeC1();
- for (let s in linearComb1) {
- if (typeof res[s] == "undefined") {
- res[s] = Fr.mul(k, linearComb1[s]);
- } else {
- res[s] = Fr.add(res[s], Fr.mul(k, linearComb1[s]));
- }
- }
+ // The first output of the prover is ([C1]_1)
+ if (logger) logger.info("> Computing C1 multi exponentiation");
+ let commitC1 = await polynomials.C1.multiExponentiation(PTau, "C1");
+ proof.addPolynomial("C1", commitC1);
- for (let s in linearComb2) {
- if (typeof res[s] == "undefined") {
- res[s] = linearComb2[s];
- } else {
- res[s] = Fr.add(res[s], linearComb2[s]);
- }
- }
- normalize(res);
- return res;
- }
+ return 0;
- function reduceCoefs(linearComb, maxC) {
- const res = {
- k: Fr.zero,
- s: [],
- coefs: []
- };
- const cs = [];
+ async function computeWirePolynomials() {
+ if (logger) logger.info("··· Reading data from zkey file");
+ // Build A, B and C evaluations buffer from zkey and witness files
+ buffers.A = new ffjavascript.BigBuffer(sDomain);
+ buffers.B = new ffjavascript.BigBuffer(sDomain);
+ buffers.C = new ffjavascript.BigBuffer(sDomain);
- for (let s in linearComb) {
- if (s == 0) {
- res.k = Fr.add(res.k, linearComb[s]);
- } else if (linearComb[s] != 0n) {
- cs.push([Number(s), linearComb[s]]);
- }
- }
- while (cs.length > maxC) {
- const c1 = cs.shift();
- const c2 = cs.shift();
+ // Read zkey sections and fill the buffers
+ const aMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_A_MAP_SECTION);
+ const bMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_B_MAP_SECTION);
+ const cMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_C_MAP_SECTION);
- const sl = c1[0];
- const sr = c2[0];
- const so = plonkNVars++;
- const qm = Fr.zero;
- const ql = Fr.neg(c1[1]);
- const qr = Fr.neg(c2[1]);
- const qo = Fr.one;
- const qc = Fr.zero;
+ // Compute all witness from signal ids and set them to A,B & C buffers
+ for (let i = 0; i < zkey.nConstraints; i++) {
+ const i_sFr = i * sFr;
+ const offset = i * 4;
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ // Compute A value from a signal id
+ const signalIdA = readUInt32(aMapBuff, offset);
+ buffers.A.set(getWitness(signalIdA), i_sFr);
- plonkAdditions.push([sl, sr, c1[1], c2[1]]);
+ // Compute B value from a signal id
+ const signalIdB = readUInt32(bMapBuff, offset);
+ buffers.B.set(getWitness(signalIdB), i_sFr);
- cs.push([so, Fr.one]);
- }
- for (let i = 0; i < cs.length; i++) {
- res.s[i] = cs[i][0];
- res.coefs[i] = cs[i][1];
- }
- while (res.coefs.length < maxC) {
- res.s.push(0);
- res.coefs.push(Fr.zero);
+ // Compute C value from a signal id
+ const signalIdC = readUInt32(cMapBuff, offset);
+ buffers.C.set(getWitness(signalIdC), i_sFr);
}
- return res;
- }
- function addConstraintSum(lc) {
- const C = reduceCoefs(lc, 3);
- const sl = C.s[0];
- const sr = C.s[1];
- const so = C.s[2];
- const qm = Fr.zero;
- const ql = C.coefs[0];
- const qr = C.coefs[1];
- const qo = C.coefs[2];
- const qc = C.k;
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
- }
+ // Blind a(X), b(X) and c(X) polynomials coefficients with blinding scalars b
+ buffers.A.set(challenges.b[1], sDomain - 64);
+ buffers.A.set(challenges.b[2], sDomain - 32);
+ buffers.B.set(challenges.b[3], sDomain - 64);
+ buffers.B.set(challenges.b[4], sDomain - 32);
+ buffers.C.set(challenges.b[5], sDomain - 64);
+ buffers.C.set(challenges.b[6], sDomain - 32);
- function addConstraintMul(lcA, lcB, lcC) {
- const A = reduceCoefs(lcA, 1);
- const B = reduceCoefs(lcB, 1);
- const C = reduceCoefs(lcC, 1);
+ buffers.A = await Fr.batchToMontgomery(buffers.A);
+ buffers.B = await Fr.batchToMontgomery(buffers.B);
+ buffers.C = await Fr.batchToMontgomery(buffers.C);
+ // Compute the coefficients of the wire polynomials a(X), b(X) and c(X) from A,B & C buffers
+ if (logger) logger.info("··· Computing A ifft");
+ polynomials.A = await Polynomial.fromEvaluations(buffers.A, curve, logger);
+ if (logger) logger.info("··· Computing B ifft");
+ polynomials.B = await Polynomial.fromEvaluations(buffers.B, curve, logger);
+ if (logger) logger.info("··· Computing C ifft");
+ polynomials.C = await Polynomial.fromEvaluations(buffers.C, curve, logger);
- const sl = A.s[0];
- const sr = B.s[0];
- const so = C.s[0];
- const qm = Fr.mul(A.coefs[0], B.coefs[0]);
- const ql = Fr.mul(A.coefs[0], B.k);
- const qr = Fr.mul(A.k, B.coefs[0]);
- const qo = Fr.neg(C.coefs[0]);
- const qc = Fr.sub(Fr.mul(A.k, B.k), C.k);
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
- }
+ // Compute extended evaluations of a(X), b(X) and c(X) polynomials
+ if (logger) logger.info("··· Computing A fft");
+ evaluations.A = await Evaluations.fromPolynomial(polynomials.A, 4, curve, logger);
+ if (logger) logger.info("··· Computing B fft");
+ evaluations.B = await Evaluations.fromPolynomial(polynomials.B, 4, curve, logger);
+ if (logger) logger.info("··· Computing C fft");
+ evaluations.C = await Evaluations.fromPolynomial(polynomials.C, 4, curve, logger);
- function getLinearCombinationType(lc) {
- let k = Fr.zero;
- let n = 0;
- const ss = Object.keys(lc);
- for (let i = 0; i < ss.length; i++) {
- if (lc[ss[i]] == 0n) {
- delete lc[ss[i]];
- } else if (ss[i] == 0) {
- k = Fr.add(k, lc[ss[i]]);
- } else {
- n++;
- }
+ // Check degrees
+ if (polynomials.A.degree() >= zkey.domainSize) {
+ throw new Error("A Polynomial is not well calculated");
}
- if (n > 0) return n.toString();
- if (k != Fr.zero) return "k";
- return "0";
- }
-
- function process(lcA, lcB, lcC) {
- const lctA = getLinearCombinationType(lcA);
- const lctB = getLinearCombinationType(lcB);
- if ((lctA === "0") || (lctB === "0")) {
- normalize(lcC);
- addConstraintSum(lcC);
- } else if (lctA === "k") {
- const lcCC = join(lcB, lcA[0], lcC);
- addConstraintSum(lcCC);
- } else if (lctB === "k") {
- const lcCC = join(lcA, lcB[0], lcC);
- addConstraintSum(lcCC);
- } else {
- addConstraintMul(lcA, lcB, lcC);
+ if (polynomials.B.degree() >= zkey.domainSize) {
+ throw new Error("B Polynomial is not well calculated");
+ }
+ if (polynomials.C.degree() >= zkey.domainSize) {
+ throw new Error("C Polynomial is not well calculated");
}
}
- for (let s = 1; s <= nPublic; s++) {
- const sl = s;
- const sr = 0;
- const so = 0;
- const qm = Fr.zero;
- const ql = Fr.one;
- const qr = Fr.zero;
- const qo = Fr.zero;
- const qc = Fr.zero;
+ async function computeT0() {
+ if (logger) logger.info(`··· Reading sections ${ZKEY_FF_QL_SECTION}, ${ZKEY_FF_QR_SECTION}` +
+ `, ${ZKEY_FF_QM_SECTION}, ${ZKEY_FF_QO_SECTION}, ${ZKEY_FF_QC_SECTION}. Q selectors`);
+ // Reserve memory for Q's evaluations
+ evaluations.QL = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QR = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QM = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QO = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QC = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+
+ // Read Q's evaluations from zkey file
+ await fdZKey.readToBuffer(evaluations.QL.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QL_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QR.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QR_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QM.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QM_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QO.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QO_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QC.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QC_SECTION][0].p + sDomain);
+
+ // Read Lagrange polynomials & evaluations from zkey file
+ const lagrangePolynomials = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_LAGRANGE_SECTION);
+ evaluations.lagrange1 = new Evaluations(lagrangePolynomials, curve, logger);
+
+ // Reserve memory for buffers T0
+ buffers.T0 = new ffjavascript.BigBuffer(sDomain * 4);
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
- }
+ if (logger) logger.info("··· Computing T0 evaluations");
+ for (let i = 0; i < zkey.domainSize * 4; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T0 evaluation ${i}/${zkey.domainSize * 4}`);
- for (let c = 0; c < r1cs.constraints.length; c++) {
- if ((logger) && (c % 10000 === 0)) logger.debug(`processing constraints: ${c}/${r1cs.nConstraints}`);
- process(...r1cs.constraints[c]);
- }
- }
+ // Get related evaluations to compute current T0 evaluation
+ const a = evaluations.A.getEvaluation(i);
+ const b = evaluations.B.getEvaluation(i);
+ const c = evaluations.C.getEvaluation(i);
- async function writeWitnessMap(sectionNum, posConstraint, name) {
- await binFileUtils.startWriteSection(fdZKey, sectionNum);
- for (let i=0; i q_L(X)·a(X)
+ const e1 = Fr.mul(a, ql);
- if (globalThis.gc) {globalThis.gc();}
- await binFileUtils.startWriteSection(fdZKey, sectionNum);
- let S1 = sigma.slice(0, domainSize*n8r);
- await writeP4(S1);
- if (globalThis.gc) {globalThis.gc();}
- let S2 = sigma.slice(domainSize*n8r, domainSize*n8r*2);
- await writeP4(S2);
- if (globalThis.gc) {globalThis.gc();}
- let S3 = sigma.slice(domainSize*n8r*2, domainSize*n8r*3);
- await writeP4(S3);
- if (globalThis.gc) {globalThis.gc();}
- await binFileUtils.endWriteSection(fdZKey);
+ // expression 2 -> q_R(X)·b(X)
+ const e2 = Fr.mul(b, qr);
- S1 = await Fr.batchFromMontgomery(S1);
- S2 = await Fr.batchFromMontgomery(S2);
- S3 = await Fr.batchFromMontgomery(S3);
+ // expression 3 -> q_M(X)·a(X)·b(X)
+ const e3 = Fr.mul(Fr.mul(a, b), qm);
- vk.S1= await curve.G1.multiExpAffine(LPoints, S1, logger, "multiexp S1");
- if (globalThis.gc) {globalThis.gc();}
- vk.S2= await curve.G1.multiExpAffine(LPoints, S2, logger, "multiexp S2");
- if (globalThis.gc) {globalThis.gc();}
- vk.S3= await curve.G1.multiExpAffine(LPoints, S3, logger, "multiexp S3");
- if (globalThis.gc) {globalThis.gc();}
+ // expression 4 -> q_O(X)·c(X)
+ const e4 = Fr.mul(c, qo);
- function buildSigma(s, p) {
- if (typeof lastAparence[s] === "undefined") {
- firstPos[s] = p;
- } else {
- sigma.set(lastAparence[s], p*n8r);
- }
- let v;
- if (p= 2 * zkey.domainSize - 2) {
+ throw new Error(`T0 Polynomial is not well calculated (degree is ${polynomials.T0.degree()} and must be less than ${2 * zkey.domainSize + 2}`);
+ }
- const primeR = curve.r;
- const n8r = (Math.floor( (ffjavascript.Scalar.bitLength(primeR) - 1) / 64) +1)*8;
+ delete buffers.T0;
+ }
- await fdZKey.writeULE32(n8q);
- await binFileUtils.writeBigInt(fdZKey, primeQ, n8q);
- await fdZKey.writeULE32(n8r);
- await binFileUtils.writeBigInt(fdZKey, primeR, n8r);
- await fdZKey.writeULE32(plonkNVars); // Total number of bars
- await fdZKey.writeULE32(nPublic); // Total number of public vars (not including ONE)
- await fdZKey.writeULE32(domainSize); // domainSize
- await fdZKey.writeULE32(plonkAdditions.length); // domainSize
- await fdZKey.writeULE32(plonkConstraints.length);
+ async function computeC1() {
+ let C1 = new CPolynomial(4, curve, logger);
+ C1.addPolynomial(0, polynomials.A);
+ C1.addPolynomial(1, polynomials.B);
+ C1.addPolynomial(2, polynomials.C);
+ C1.addPolynomial(3, polynomials.T0);
- await fdZKey.write(k1);
- await fdZKey.write(k2);
+ polynomials.C1 = C1.getPolynomial();
- await fdZKey.write(G1.toAffine(vk.Qm));
- await fdZKey.write(G1.toAffine(vk.Ql));
- await fdZKey.write(G1.toAffine(vk.Qr));
- await fdZKey.write(G1.toAffine(vk.Qo));
- await fdZKey.write(G1.toAffine(vk.Qc));
+ // Check degree
+ if (polynomials.C1.degree() >= 8 * zkey.domainSize - 8) {
+ throw new Error("C1 Polynomial is not well calculated");
+ }
+ }
+ }
- await fdZKey.write(G1.toAffine(vk.S1));
- await fdZKey.write(G1.toAffine(vk.S2));
- await fdZKey.write(G1.toAffine(vk.S3));
+ async function round2() {
+ // STEP 2.1 - Compute permutation challenge beta and gamma ∈ F
+ // Compute permutation challenge beta
+ if (logger) logger.info("> Computing challenges beta and gamma");
+ const transcript = new Keccak256Transcript(curve);
- let bX_2;
- bX_2 = await fdPTau.read(sG2, sectionsPTau[3][0].p + sG2);
- await fdZKey.write(bX_2);
+ // Add C0 to the transcript
+ transcript.addPolCommitment(zkey.C0);
- await binFileUtils.endWriteSection(fdZKey);
- }
+ // Add A to the transcript
+ for (let i = 0; i < zkey.nPublic; i++) {
+ transcript.addScalar(buffers.A.slice(i * sFr, i * sFr + sFr));
+ }
+
+ // Add C1 to the transcript
+ transcript.addPolCommitment(proof.getPolynomial("C1"));
+
+ challenges.beta = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.beta: " + Fr.toString(challenges.beta));
- function getK1K2() {
- let k1 = Fr.two;
- while (isIncluded(k1, [], cirPower)) Fr.add(k1, Fr.one);
- let k2 = Fr.add(k1, Fr.one);
- while (isIncluded(k2, [k1], cirPower)) Fr.add(k2, Fr.one);
- return [k1, k2];
+ // Compute permutation challenge gamma
+ transcript.reset();
+ transcript.addScalar(challenges.beta);
+ challenges.gamma = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.gamma: " + Fr.toString(challenges.gamma));
+ // STEP 2.2 - Compute permutation polynomial z(X)
+ if (logger) logger.info("> Computing Z polynomial");
+ await computeZ();
- function isIncluded(k, kArr, pow) {
- const domainSize= 2**pow;
- let w = Fr.one;
- for (let i=0; i Computing T1 polynomial");
+ await computeT1();
+ if (logger) logger.info("> Computing T2 polynomial");
+ await computeT2();
-/*
- Copyright 2021 0kims association.
+ // STEP 2.4 - Compute the FFT-style combination polynomial C2(X)
+ if (logger) logger.info("> Computing C2 polynomial");
+ await computeC2();
- This file is part of snarkjs.
+ // The second output of the prover is ([C2]_1)
+ if (logger) logger.info("> Computing C2 multi exponentiation");
+ let commitC2 = await polynomials.C2.multiExponentiation(PTau, "C2");
+ proof.addPolynomial("C2", commitC2);
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ return 0;
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ async function computeZ() {
+ if (logger) logger.info("··· Computing Z evaluations");
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-const {stringifyBigInts: stringifyBigInts$1} = ffjavascript.utils;
-const { keccak256: keccak256$1 } = jsSha3__default["default"];
+ let numArr = new ffjavascript.BigBuffer(sDomain);
+ let denArr = new ffjavascript.BigBuffer(sDomain);
-async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
- const {fd: fdWtns, sections: sectionsWtns} = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1<<25, 1<<23);
+ // Set the first values to 1
+ numArr.set(Fr.one, 0);
+ denArr.set(Fr.one, 0);
- const wtns = await readHeader(fdWtns, sectionsWtns);
+ // Set initial omega
+ let w = Fr.one;
+ for (let i = 0; i < zkey.domainSize; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` Z evaluation ${i}/${zkey.domainSize}`);
+ const i_sFr = i * sFr;
- const {fd: fdZKey, sections: sectionsZKey} = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1<<25, 1<<23);
+ // Z(X) := numArr / denArr
+ // numArr := (a + beta·ω + gamma)(b + beta·ω·k1 + gamma)(c + beta·ω·k2 + gamma)
+ const betaw = Fr.mul(challenges.beta, w);
- const zkey = await readHeader$1(fdZKey, sectionsZKey);
- if (zkey.protocol != "plonk") {
- throw new Error("zkey file is not plonk");
- }
+ let num1 = buffers.A.slice(i_sFr, i_sFr + sFr);
+ num1 = Fr.add(num1, betaw);
+ num1 = Fr.add(num1, challenges.gamma);
- if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
- throw new Error("Curve of the witness does not match the curve of the proving key");
- }
+ let num2 = buffers.B.slice(i_sFr, i_sFr + sFr);
+ num2 = Fr.add(num2, Fr.mul(zkey.k1, betaw));
+ num2 = Fr.add(num2, challenges.gamma);
- if (wtns.nWitness != zkey.nVars -zkey.nAdditions) {
- throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
- }
+ let num3 = buffers.C.slice(i_sFr, i_sFr + sFr);
+ num3 = Fr.add(num3, Fr.mul(zkey.k2, betaw));
+ num3 = Fr.add(num3, challenges.gamma);
- const curve = zkey.curve;
- const Fr = curve.Fr;
- const G1 = curve.G1;
- const n8r = curve.Fr.n8;
+ let num = Fr.mul(num1, Fr.mul(num2, num3));
- if (logger) logger.debug("Reading Wtns");
- const buffWitness = await binFileUtils__namespace.readSection(fdWtns, sectionsWtns, 2);
- // First element in plonk is not used and can be any value. (But always the same).
- // We set it to zero to go faster in the exponentiations.
- buffWitness.set(Fr.zero, 0);
- const buffInternalWitness = new ffjavascript.BigBuffer(n8r*zkey.nAdditions);
+ // denArr := (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)
+ let den1 = buffers.A.slice(i_sFr, i_sFr + sFr);
+ den1 = Fr.add(den1, Fr.mul(challenges.beta, evaluations.Sigma1.getEvaluation(i * 4)));
+ den1 = Fr.add(den1, challenges.gamma);
- await calculateAdditions();
+ let den2 = buffers.B.slice(i_sFr, i_sFr + sFr);
+ den2 = Fr.add(den2, Fr.mul(challenges.beta, evaluations.Sigma2.getEvaluation(i * 4)));
+ den2 = Fr.add(den2, challenges.gamma);
- let A,B,C,Z;
- let A4, B4, C4, Z4;
- let pol_a,pol_b,pol_c, pol_z, pol_t, pol_r;
- let proof = {};
+ let den3 = buffers.C.slice(i_sFr, i_sFr + sFr);
+ den3 = Fr.add(den3, Fr.mul(challenges.beta, evaluations.Sigma3.getEvaluation(i * 4)));
+ den3 = Fr.add(den3, challenges.gamma);
- const sigmaBuff = new ffjavascript.BigBuffer(zkey.domainSize*n8r*4*3);
- let o = sectionsZKey[12][0].p + zkey.domainSize*n8r;
- await fdZKey.readToBuffer(sigmaBuff, 0 , zkey.domainSize*n8r*4, o);
- o += zkey.domainSize*n8r*5;
- await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*4 , zkey.domainSize*n8r*4, o);
- o += zkey.domainSize*n8r*5;
- await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*8 , zkey.domainSize*n8r*4, o);
+ let den = Fr.mul(den1, Fr.mul(den2, den3));
- const pol_s1 = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_s1, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p);
+ // Multiply current num value with the previous one saved in numArr
+ num = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), num);
+ numArr.set(num, ((i + 1) % zkey.domainSize) * sFr);
- const pol_s2 = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_s2, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 5*zkey.domainSize*n8r);
+ // Multiply current den value with the previous one saved in denArr
+ den = Fr.mul(denArr.slice(i_sFr, i_sFr + sFr), den);
+ denArr.set(den, ((i + 1) % zkey.domainSize) * sFr);
- const PTau = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 14);
+ // Next omega
+ w = Fr.mul(w, Fr.w[zkey.power]);
+ }
+ // Compute the inverse of denArr to compute in the next command the
+ // division numArr/denArr by multiplying num · 1/denArr
+ denArr = await Fr.batchInverse(denArr);
+ // TODO: Do it in assembly and in parallel
+ // Multiply numArr · denArr where denArr was inverted in the previous command
+ for (let i = 0; i < zkey.domainSize; i++) {
+ const i_sFr = i * sFr;
- const ch = {};
+ const z = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), denArr.slice(i_sFr, i_sFr + sFr));
+ numArr.set(z, i_sFr);
+ }
+ // From now on the values saved on numArr will be Z(X) buffer
+ buffers.Z = numArr;
- await round1();
- await round2();
- await round3();
- await round4();
- await round5();
+ if (!Fr.eq(numArr.slice(0, sFr), Fr.one)) {
+ throw new Error("Copy constraints does not match");
+ }
+ // Compute polynomial coefficients z(X) from buffers.Z
+ if (logger) logger.info("··· Computing Z ifft");
+ polynomials.Z = await Polynomial.fromEvaluations(buffers.Z, curve, logger);
- ///////////////////////
- // Final adjustments //
- ///////////////////////
+ // Compute extended evaluations of z(X) polynomial
+ if (logger) logger.info("··· Computing Z fft");
+ evaluations.Z = await Evaluations.fromPolynomial(polynomials.Z, 4, curve, logger);
- proof.protocol = "plonk";
- proof.curve = curve.name;
+ // Blind z(X) polynomial coefficients with blinding scalars b
+ polynomials.Z.blindCoefficients([challenges.b[9], challenges.b[8], challenges.b[7]]);
- await fdZKey.close();
- await fdWtns.close();
+ // Check degree
+ if (polynomials.Z.degree() >= zkey.domainSize + 3) {
+ throw new Error("Z Polynomial is not well calculated");
+ }
- let publicSignals = [];
+ delete buffers.Z;
+ }
- for (let i=1; i<= zkey.nPublic; i++) {
- const pub = buffWitness.slice(i*Fr.n8, i*Fr.n8+Fr.n8);
- publicSignals.push(ffjavascript.Scalar.fromRprLE(pub));
- }
+ async function computeT1() {
+ if (logger) logger.info("··· Computing T1 evaluations");
- proof.A = G1.toObject(proof.A);
- proof.B = G1.toObject(proof.B);
- proof.C = G1.toObject(proof.C);
- proof.Z = G1.toObject(proof.Z);
+ buffers.T1 = new ffjavascript.BigBuffer(sDomain * 2);
+ buffers.T1z = new ffjavascript.BigBuffer(sDomain * 2);
- proof.T1 = G1.toObject(proof.T1);
- proof.T2 = G1.toObject(proof.T2);
- proof.T3 = G1.toObject(proof.T3);
+ // Set initial omega
+ let omega = Fr.one;
+ for (let i = 0; i < zkey.domainSize * 2; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T1 evaluation ${i}/${zkey.domainSize * 4}`);
- proof.eval_a = Fr.toObject(proof.eval_a);
- proof.eval_b = Fr.toObject(proof.eval_b);
- proof.eval_c = Fr.toObject(proof.eval_c);
- proof.eval_s1 = Fr.toObject(proof.eval_s1);
- proof.eval_s2 = Fr.toObject(proof.eval_s2);
- proof.eval_zw = Fr.toObject(proof.eval_zw);
- proof.eval_t = Fr.toObject(proof.eval_t);
- proof.eval_r = Fr.toObject(proof.eval_r);
+ const omega2 = Fr.square(omega);
- proof.Wxi = G1.toObject(proof.Wxi);
- proof.Wxiw = G1.toObject(proof.Wxiw);
+ const z = evaluations.Z.getEvaluation(i * 2);
+ const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
- delete proof.eval_t;
+ // T1(X) := (z(X) - 1) · L_1(X)
+ // Compute first T1(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+ const lagrange1 = evaluations.lagrange1.getEvaluation(zkey.domainSize + i * 2);
+ let t1 = Fr.mul(Fr.sub(z, Fr.one), lagrange1);
+ let t1z = Fr.mul(zp, lagrange1);
+
+ buffers.T1.set(t1, i * sFr);
+ buffers.T1z.set(t1z, i * sFr);
- proof = stringifyBigInts$1(proof);
- publicSignals = stringifyBigInts$1(publicSignals);
+ // Compute next omega
+ omega = Fr.mul(omega, Fr.w[zkey.power + 1]);
+ }
- return {proof, publicSignals};
+ // Compute the coefficients of the polynomial T1(X) from buffers.T1
+ if (logger) logger.info("··· Computing T1 ifft");
+ polynomials.T1 = await Polynomial.fromEvaluations(buffers.T1, curve, logger);
- async function calculateAdditions() {
- const additionsBuff = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 3);
+ // Divide the polynomial T1 by Z_H(X)
+ polynomials.T1.divByZerofier(zkey.domainSize, Fr.one);
- const sSum = 8+curve.Fr.n8*2;
+ // Compute the coefficients of the polynomial T1z(X) from buffers.T1z
+ if (logger) logger.info("··· Computing T1z ifft");
+ polynomials.T1z = await Polynomial.fromEvaluations(buffers.T1z, curve, logger);
- for (let i=0; i= zkey.domainSize + 2) {
+ throw new Error("T1 Polynomial is not well calculated");
+ }
+
+ delete buffers.T1;
+ delete buffers.T1z;
+ delete polynomials.T1z;
}
- }
+ async function computeT2() {
+ if (logger) logger.info("··· Computing T2 evaluations");
- async function buildABC() {
- let A = new ffjavascript.BigBuffer(zkey.domainSize * n8r);
- let B = new ffjavascript.BigBuffer(zkey.domainSize * n8r);
- let C = new ffjavascript.BigBuffer(zkey.domainSize * n8r);
+ buffers.T2 = new ffjavascript.BigBuffer(sDomain * 4);
+ buffers.T2z = new ffjavascript.BigBuffer(sDomain * 4);
- const aMap = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 4);
- const bMap = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 5);
- const cMap = await binFileUtils__namespace.readSection(fdZKey, sectionsZKey, 6);
+ // Set initial omega
+ let omega = Fr.one;
+ for (let i = 0; i < zkey.domainSize * 4; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T2 evaluation ${i}/${zkey.domainSize * 4}`);
- for (let i=0; i (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
+ const betaX = Fr.mul(challenges.beta, omega);
- [pol_a, A4] = await to4T(A, [ch.b[2], ch.b[1]]);
- [pol_b, B4] = await to4T(B, [ch.b[4], ch.b[3]]);
- [pol_c, C4] = await to4T(C, [ch.b[6], ch.b[5]]);
+ let e11 = Fr.add(a, betaX);
+ e11 = Fr.add(e11, challenges.gamma);
-
- proof.A = await expTau(pol_a, "multiexp A");
- proof.B = await expTau(pol_b, "multiexp B");
- proof.C = await expTau(pol_c, "multiexp C");
- }
+ let e12 = Fr.add(b, Fr.mul(betaX, zkey.k1));
+ e12 = Fr.add(e12, challenges.gamma);
- async function round2() {
+ let e13 = Fr.add(c, Fr.mul(betaX, zkey.k2));
+ e13 = Fr.add(e13, challenges.gamma);
- const transcript1 = new Uint8Array(zkey.nPublic*n8r + G1.F.n8*2*3);
- for (let i=0; i (a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)
+ let e21 = Fr.add(a, Fr.mul(challenges.beta, sigma1));
+ e21 = Fr.add(e21, challenges.gamma);
- numArr.set(Fr.one, 0);
- denArr.set(Fr.one, 0);
+ let e22 = Fr.add(b, Fr.mul(challenges.beta, sigma2));
+ e22 = Fr.add(e22, challenges.gamma);
- let w = Fr.one;
- for (let i=0; i= 3 * zkey.domainSize) {
+ throw new Error("T2 Polynomial is not well calculated");
+ }
- w = Fr.mul(w, Fr.w[zkey.power]);
+ delete buffers.T2;
+ delete buffers.T2z;
+ delete polynomials.T2z;
}
- denArr = await Fr.batchInverse(denArr);
+ async function computeC2() {
+ let C2 = new CPolynomial(3, curve, logger);
+ C2.addPolynomial(0, polynomials.Z);
+ C2.addPolynomial(1, polynomials.T1);
+ C2.addPolynomial(2, polynomials.T2);
- // TODO: Do it in assembly and in parallel
- for (let i=0; i= 9 * zkey.domainSize) {
+ throw new Error("C2 Polynomial is not well calculated");
+ }
}
+ }
- Z = numArr;
+ async function round3() {
+ if (logger) logger.info("> Computing challenge xi");
+ // STEP 3.1 - Compute evaluation challenge xi ∈ S
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.gamma);
+ transcript.addPolCommitment(proof.getPolynomial("C2"));
- [pol_z, Z4] = await to4T(Z, [ch.b[9], ch.b[8], ch.b[7]]);
+ // Obtain a xi_seeder from the transcript
+ // To force h1^4 = xi, h2^3 = xi and h_3^2 = xiω
+ // we compute xi = xi_seeder^12, h1 = xi_seeder^3, h2 = xi_seeder^4 and h3 = xi_seeder^6
+ challenges.xiSeed = transcript.getChallenge();
+ const xiSeed2 = Fr.square(challenges.xiSeed);
- proof.Z = await expTau( pol_z, "multiexp Z");
- }
+ // Compute omega8, omega4 and omega3
+ roots.w8 = [];
+ roots.w8[0] = Fr.one;
+ for (let i = 1; i < 8; i++) {
+ roots.w8[i] = Fr.mul(roots.w8[i - 1], zkey.w8);
+ }
- async function round3() {
+ roots.w4 = [];
+ roots.w4[0] = Fr.one;
+ for (let i = 1; i < 4; i++) {
+ roots.w4[i] = Fr.mul(roots.w4[i - 1], zkey.w4);
+ }
- /*
- async function checkDegree(P) {
- const p = await curve.Fr.ifft(P);
- let deg = (P.byteLength/n8r)-1;
- while ((deg>0)&&(Fr.isZero(p.slice(deg*n8r, deg*n8r+n8r)))) deg--;
- return deg;
+ roots.w3 = [];
+ roots.w3[0] = Fr.one;
+ roots.w3[1] = zkey.w3;
+ roots.w3[2] = Fr.square(zkey.w3);
+
+ // Compute h0 = xiSeeder^3
+ roots.S0 = {};
+ roots.S0.h0w8 = [];
+ roots.S0.h0w8[0] = Fr.mul(xiSeed2, challenges.xiSeed);
+ for (let i = 1; i < 8; i++) {
+ roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], roots.w8[i]);
}
- function printPol(P) {
- const n=(P.byteLength/n8r);
- console.log("[");
- for (let i=0; i Computing challenge alpha");
+ // STEP 4.1 - Compute challenge alpha ∈ F
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.xiSeed);
+ transcript.addScalar(proof.getEvaluation("ql"));
+ transcript.addScalar(proof.getEvaluation("qr"));
+ transcript.addScalar(proof.getEvaluation("qm"));
+ transcript.addScalar(proof.getEvaluation("qo"));
+ transcript.addScalar(proof.getEvaluation("qc"));
+ transcript.addScalar(proof.getEvaluation("s1"));
+ transcript.addScalar(proof.getEvaluation("s2"));
+ transcript.addScalar(proof.getEvaluation("s3"));
+ transcript.addScalar(proof.getEvaluation("a"));
+ transcript.addScalar(proof.getEvaluation("b"));
+ transcript.addScalar(proof.getEvaluation("c"));
+ transcript.addScalar(proof.getEvaluation("z"));
+ transcript.addScalar(proof.getEvaluation("zw"));
+ transcript.addScalar(proof.getEvaluation("t1w"));
+ transcript.addScalar(proof.getEvaluation("t2w"));
+ challenges.alpha = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
- const Z1 = [
- Fr.zero,
- Fr.add(Fr.e(-1), Fr.w[2]),
- Fr.e(-2),
- Fr.sub(Fr.e(-1), Fr.w[2]),
- ];
+ // STEP 4.2 - Compute F(X)
+ if (logger) logger.info("> Reading C0 polynomial");
+ polynomials.C0 = new Polynomial(new ffjavascript.BigBuffer(sDomain * 8), curve, logger);
+ await fdZKey.readToBuffer(polynomials.C0.coef, 0, sDomain * 8, zkeySections[ZKEY_FF_C0_SECTION][0].p);
- const Z2 = [
- Fr.zero,
- Fr.add(Fr.zero, Fr.mul(Fr.e(-2), Fr.w[2])),
- Fr.e(4),
- Fr.sub(Fr.zero, Fr.mul(Fr.e(-2), Fr.w[2])),
- ];
+ if (logger) logger.info("> Computing R0 polynomial");
+ computeR0();
+ if (logger) logger.info("> Computing R1 polynomial");
+ computeR1();
+ if (logger) logger.info("> Computing R2 polynomial");
+ computeR2();
- const Z3 = [
- Fr.zero,
- Fr.add(Fr.e(2), Fr.mul(Fr.e(2), Fr.w[2])),
- Fr.e(-8),
- Fr.sub(Fr.e(2), Fr.mul(Fr.e(2), Fr.w[2])),
- ];
+ if (logger) logger.info("> Computing F polynomial");
+ await computeF();
- const T = new ffjavascript.BigBuffer(zkey.domainSize*4*n8r);
- const Tz = new ffjavascript.BigBuffer(zkey.domainSize*4*n8r);
+ // The fourth output of the prover is ([W1]_1), where W1:=(f/Z_t)(x)
+ if (logger) logger.info("> Computing W1 multi exponentiation");
+ let commitW1 = await polynomials.F.multiExponentiation(PTau, "W1");
+ proof.addPolynomial("W1", commitW1);
- let w = Fr.one;
- for (let i=0; i 7) {
+ throw new Error("R0 Polynomial is not well calculated");
}
+ }
- let [e1, e1z] = mul2(a, b, ap, bp, i%4);
- e1 = Fr.mul(e1, qm);
- e1z = Fr.mul(e1z, qm);
-
- e1 = Fr.add(e1, Fr.mul(a, ql));
- e1z = Fr.add(e1z, Fr.mul(ap, ql));
+ function computeR1() {
+ // COMPUTE R1
+ // Compute the coefficients of R1(X) from 4 evaluations using lagrange interpolation. R1(X) ∈ F_{<4}[X]
+ // We decide to use Lagrange interpolations because the R1 degree is very small (deg(R1)===3),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R1 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
+ [polynomials.C1.evaluate(roots.S1.h1w4[0]), polynomials.C1.evaluate(roots.S1.h1w4[1]),
+ polynomials.C1.evaluate(roots.S1.h1w4[2]), polynomials.C1.evaluate(roots.S1.h1w4[3])], curve);
- e1 = Fr.add(e1, Fr.mul(b, qr));
- e1z = Fr.add(e1z, Fr.mul(bp, qr));
+ // Check the degree of r1(X) < 4
+ if (polynomials.R1.degree() > 3) {
+ throw new Error("R1 Polynomial is not well calculated");
+ }
+ }
- e1 = Fr.add(e1, Fr.mul(c, qo));
- e1z = Fr.add(e1z, Fr.mul(cp, qo));
+ function computeR2() {
+ // COMPUTE R2
+ // Compute the coefficients of r2(X) from 6 evaluations using lagrange interpolation. r2(X) ∈ F_{<6}[X]
+ // We decide to use Lagrange interpolations because the R2.degree is very small (deg(R2)===5),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R2 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
+ [polynomials.C2.evaluate(roots.S2.h2w3[0]), polynomials.C2.evaluate(roots.S2.h2w3[1]),
+ polynomials.C2.evaluate(roots.S2.h2w3[2]), polynomials.C2.evaluate(roots.S2.h3w3[0]),
+ polynomials.C2.evaluate(roots.S2.h3w3[1]), polynomials.C2.evaluate(roots.S2.h3w3[2])], curve);
- e1 = Fr.add(e1, pl);
- e1 = Fr.add(e1, qc);
+ // Check the degree of r2(X) < 6
+ if (polynomials.R2.degree() > 5) {
+ throw new Error("R2 Polynomial is not well calculated");
+ }
+ }
- const betaw = Fr.mul(ch.beta, w);
- let e2a =a;
- e2a = Fr.add(e2a, betaw);
- e2a = Fr.add(e2a, ch.gamma);
+ async function computeF() {
+ if (logger) logger.info("··· Computing F polynomial");
- let e2b =b;
- e2b = Fr.add(e2b, Fr.mul(betaw, zkey.k1));
- e2b = Fr.add(e2b, ch.gamma);
+ // COMPUTE F(X)
+ polynomials.F = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
+ polynomials.F.sub(polynomials.R0);
+ polynomials.F.divByZerofier(8, challenges.xi);
- let e2c =c;
- e2c = Fr.add(e2c, Fr.mul(betaw, zkey.k2));
- e2c = Fr.add(e2c, ch.gamma);
+ let f2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
+ f2.sub(polynomials.R1);
+ f2.mulScalar(challenges.alpha);
+ f2.divByZerofier(4, challenges.xi);
- let e2d = z;
+ let f3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
+ f3.sub(polynomials.R2);
+ f3.mulScalar(Fr.square(challenges.alpha));
+ f3.divByZerofier(3, challenges.xi);
+ f3.divByZerofier(3, challenges.xiw);
- let [e2, e2z] = mul4(e2a, e2b, e2c, e2d, ap, bp, cp, zp, i%4);
- e2 = Fr.mul(e2, ch.alpha);
- e2z = Fr.mul(e2z, ch.alpha);
+ polynomials.F.add(f2);
+ polynomials.F.add(f3);
- let e3a = a;
- e3a = Fr.add(e3a, Fr.mul(ch.beta, s1));
- e3a = Fr.add(e3a, ch.gamma);
+ if (polynomials.F.degree() >= 9 * zkey.domainSize - 6) {
+ throw new Error("F Polynomial is not well calculated");
+ }
+ }
+ }
- let e3b = b;
- e3b = Fr.add(e3b, Fr.mul(ch.beta,s2));
- e3b = Fr.add(e3b, ch.gamma);
+ async function round5() {
+ if (logger) logger.info("> Computing challenge y");
- let e3c = c;
- e3c = Fr.add(e3c, Fr.mul(ch.beta,s3));
- e3c = Fr.add(e3c, ch.gamma);
+ // STEP 5.1 - Compute random evaluation point y ∈ F
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.alpha);
+ transcript.addPolCommitment(proof.getPolynomial("W1"));
- let e3d = zw;
- let [e3, e3z] = mul4(e3a, e3b, e3c, e3d, ap, bp, cp, zWp, i%4);
+ challenges.y = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.y: " + Fr.toString(challenges.y));
- e3 = Fr.mul(e3, ch.alpha);
- e3z = Fr.mul(e3z, ch.alpha);
+ // STEP 5.2 - Compute L(X)
+ if (logger) logger.info("> Computing L polynomial");
+ await computeL();
- let e4 = Fr.sub(z, Fr.one);
- e4 = Fr.mul(e4, lPols.slice( (zkey.domainSize + i)*n8r, (zkey.domainSize+i+1)*n8r));
- e4 = Fr.mul(e4, Fr.mul(ch.alpha, ch.alpha));
+ if (logger) logger.info("> Computing ZTS2 polynomial");
+ await computeZTS2();
- let e4z = Fr.mul(zp, lPols.slice( (zkey.domainSize + i)*n8r, (zkey.domainSize+i+1)*n8r));
- e4z = Fr.mul(e4z, Fr.mul(ch.alpha, ch.alpha));
+ let ZTS2Y = polynomials.ZTS2.evaluate(challenges.y);
+ ZTS2Y = Fr.inv(ZTS2Y);
+ polynomials.L.mulScalar(ZTS2Y);
- let e = Fr.add(Fr.sub(Fr.add(e1, e2), e3), e4);
- let ez = Fr.add(Fr.sub(Fr.add(e1z, e2z), e3z), e4z);
+ const polDividend = Polynomial.fromCoefficientsArray([Fr.neg(challenges.y), Fr.one], curve);
+ if (logger) logger.info("> Computing W' = L / ZTS2 polynomial");
+ const polRemainder = polynomials.L.divBy(polDividend);
- T.set(e, i*n8r);
- Tz.set(ez, i*n8r);
+ //Check polReminder degree is equal to zero
+ if (polRemainder.degree() > 0) {
+ throw new Error(`Degree of L(X)/(ZTS2(y)(X-y)) remainder is ${polRemainder.degree()} and should be 0`);
+ }
- w = Fr.mul(w, Fr.w[zkey.power+2]);
+ if (polynomials.L.degree() >= 9 * zkey.domainSize - 1) {
+ throw new Error("Degree of L(X)/(ZTS2(y)(X-y)) is not correct");
}
- if (logger) logger.debug("ifft T");
- let t = await Fr.ifft(T);
+ // The fifth output of the prover is ([W2]_1), where W2:=(f/Z_t)(x)
+ if (logger) logger.info("> Computing W' multi exponentiation");
+ let commitW2 = await polynomials.L.multiExponentiation(PTau, "W2");
+ proof.addPolynomial("W2", commitW2);
- if (logger) logger.debug("dividing T/Z");
- for (let i=0; i (zkey.domainSize*3 -4) ) {
- if (!Fr.isZero(a)) {
- throw new Error("T Polynomial is not divisible");
- }
+ async function computeL() {
+ if (logger) logger.info("··· Computing L polynomial");
+
+ const evalR0Y = polynomials.R0.evaluate(challenges.y);
+ const evalR1Y = polynomials.R1.evaluate(challenges.y);
+ const evalR2Y = polynomials.R2.evaluate(challenges.y);
+
+ let mulL0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
+ for (let i = 1; i < 8; i++) {
+ mulL0 = Fr.mul(mulL0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
}
- }
- if (logger) logger.debug("ifft Tz");
- const tz = await Fr.ifft(Tz);
- for (let i=0; i (zkey.domainSize*3 +5) ) {
- if (!Fr.isZero(a)) {
- throw new Error("Tz Polynomial is not well calculated");
- }
- } else {
- t.set(
- Fr.add(
- t.slice(i*n8r, (i+1)*n8r),
- a
- ),
- i*n8r
- );
+ let mulL1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
+ for (let i = 1; i < 4; i++) {
+ mulL1 = Fr.mul(mulL1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
}
- }
- pol_t = t.slice(0, (zkey.domainSize * 3 + 6) * n8r);
+ let mulL2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
+ for (let i = 1; i < 3; i++) {
+ mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
+ }
+ for (let i = 0; i < 3; i++) {
+ mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
+ }
- // t(x) has degree 3n + 5, we are going to split t(x) into three smaller polynomials:
- // t'_low and t'_mid with a degree < n and t'_high with a degree n+5
- // such that t(x) = t'_low(X) + X^n t'_mid(X) + X^{2n} t'_hi(X)
- // To randomize the parts we use blinding scalars b_10 and b_11 in a way that doesn't change t(X):
- // t_low(X) = t'_low(X) + b_10 X^n
- // t_mid(X) = t'_mid(X) - b_10 + b_11 X^n
- // t_high(X) = t'_high(X) - b_11
- // such that
- // t(X) = t_low(X) + X^n t_mid(X) + X^2n t_high(X)
+ let preL0 = Fr.mul(mulL1, mulL2);
+ let preL1 = Fr.mul(challenges.alpha, Fr.mul(mulL0, mulL2));
+ let preL2 = Fr.mul(Fr.square(challenges.alpha), Fr.mul(mulL0, mulL1));
- // compute t_low(X)
- let polTLow = new ffjavascript.BigBuffer((zkey.domainSize + 1) * n8r);
- polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
- // Add blinding scalar b_10 as a new coefficient n
- polTLow.set(ch.b[10], zkey.domainSize * n8r);
+ toInverse["denH1"] = mulL1;
+ toInverse["denH2"] = mulL2;
- // compute t_mid(X)
- let polTMid = new ffjavascript.BigBuffer((zkey.domainSize + 1) * n8r);
- polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
- // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
- const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
- polTMid.set(lowestMid, 0);
- // Add blinding scalar b_11 as a new coefficient n
- polTMid.set(ch.b[11], zkey.domainSize * n8r);
+ // COMPUTE L(X)
+ polynomials.L = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
+ polynomials.L.subScalar(evalR0Y);
+ polynomials.L.mulScalar(preL0);
- // compute t_high(X)
- let polTHigh = new ffjavascript.BigBuffer((zkey.domainSize + 6) * n8r);
- polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
- //Subtract blinding scalar b_11 to the lowest coefficient of t_high
- const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
- polTHigh.set(lowestHigh, 0);
+ let l2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
+ l2.subScalar(evalR1Y);
+ l2.mulScalar(preL1);
- proof.T1 = await expTau(polTLow, "multiexp T1");
- proof.T2 = await expTau(polTMid, "multiexp T2");
- proof.T3 = await expTau(polTHigh, "multiexp T3");
+ let l3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
+ l3.subScalar(evalR2Y);
+ l3.mulScalar(preL2);
- function mul2(a,b, ap, bp, p) {
- let r, rz;
+ polynomials.L.add(l2);
+ polynomials.L.add(l3);
-
- const a_b = Fr.mul(a,b);
- const a_bp = Fr.mul(a,bp);
- const ap_b = Fr.mul(ap,b);
- const ap_bp = Fr.mul(ap,bp);
+ if (logger) logger.info("> Computing ZT polynomial");
+ await computeZT();
- r = a_b;
+ const evalZTY = polynomials.ZT.evaluate(challenges.y);
+ polynomials.F.mulScalar(evalZTY);
+ polynomials.L.sub(polynomials.F);
- let a0 = Fr.add(a_bp, ap_b);
+ // Check degree
+ if (polynomials.L.degree() >= 9 * zkey.domainSize) {
+ throw new Error("L Polynomial is not well calculated");
+ }
- let a1 = ap_bp;
+ delete buffers.L;
+ }
- rz = a0;
- if (p) {
- rz = Fr.add(rz, Fr.mul(Z1[p], a1));
- }
+ async function computeZT() {
+ polynomials.ZT = Polynomial.zerofierPolynomial(
+ [
+ roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
+ roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7],
+ roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
+ roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
+ }
- return [r, rz];
+ async function computeZTS2() {
+ polynomials.ZTS2 = Polynomial.zerofierPolynomial(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
+ roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
}
+ }
- function mul4(a,b,c,d, ap, bp, cp, dp, p) {
- let r, rz;
+ function getMontgomeryBatchedInverse() {
+ // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
+ let xiN = challenges.xi;
+ for (let i = 0; i < zkey.power; i++) {
+ xiN = Fr.square(xiN);
+ }
+ toInverse["zh"] = Fr.sub(xiN, Fr.one);
-
- const a_b = Fr.mul(a,b);
- const a_bp = Fr.mul(a,bp);
- const ap_b = Fr.mul(ap,b);
- const ap_bp = Fr.mul(ap,bp);
+ // · denominator needed in step 10 and 11 of the verifier
+ // toInverse.denH1 & toInverse.denH2 -> Computed in round5, computeL()
- const c_d = Fr.mul(c,d);
- const c_dp = Fr.mul(c,dp);
- const cp_d = Fr.mul(cp,d);
- const cp_dp = Fr.mul(cp,dp);
+ // · denominator needed in the verifier when computing L_i^{S0}(X), L_i^{S1}(X) and L_i^{S2}(X)
+ for (let i = 0; i < 8; i++) {
+ toInverse["LiS0_" + (i + 1)] = computeLiS0(i);
+ }
- r = Fr.mul(a_b, c_d);
+ for (let i = 0; i < 4; i++) {
+ toInverse["LiS1_" + (i + 1)] = computeLiS1(i);
+ }
- let a0 = Fr.mul(ap_b, c_d);
- a0 = Fr.add(a0, Fr.mul(a_bp, c_d));
- a0 = Fr.add(a0, Fr.mul(a_b, cp_d));
- a0 = Fr.add(a0, Fr.mul(a_b, c_dp));
+ for (let i = 0; i < 6; i++) {
+ toInverse["LiS2_" + (i + 1)] = computeLiS2(i);
+ }
- let a1 = Fr.mul(ap_bp, c_d);
- a1 = Fr.add(a1, Fr.mul(ap_b, cp_d));
- a1 = Fr.add(a1, Fr.mul(ap_b, c_dp));
- a1 = Fr.add(a1, Fr.mul(a_bp, cp_d));
- a1 = Fr.add(a1, Fr.mul(a_bp, c_dp));
- a1 = Fr.add(a1, Fr.mul(a_b, cp_dp));
+ // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
+ const size = Math.max(1, zkey.nPublic);
+
+ let w = Fr.one;
+ for (let i = 0; i < size; i++) {
+ toInverse["Li_" + (i + 1)] = Fr.mul(Fr.e(zkey.domainSize), Fr.sub(challenges.xi, w));
+
+ w = Fr.mul(w, zkey.w);
+ }
+
+ let mulAccumulator = Fr.one;
+ for (const element of Object.values(toInverse)) {
+ mulAccumulator = Fr.mul(mulAccumulator, element);
+ }
+ return Fr.inv(mulAccumulator);
+
+ function computeLiS0(i) {
+ // Compute L_i^{(S0)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 7; j++) {
+ idx = (idx + 1) % 8;
- let a2 = Fr.mul(a_bp, cp_dp);
- a2 = Fr.add(a2, Fr.mul(ap_b, cp_dp));
- a2 = Fr.add(a2, Fr.mul(ap_bp, c_dp));
- a2 = Fr.add(a2, Fr.mul(ap_bp, cp_d));
+ den = Fr.mul(den, Fr.sub(roots.S0.h0w8[i], roots.S0.h0w8[idx]));
+ }
+ return den;
+ }
- let a3 = Fr.mul(ap_bp, cp_dp);
+ function computeLiS1(i) {
+ // Compute L_i^{(S1)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 3; j++) {
+ idx = (idx + 1) % 4;
- rz = a0;
- if (p) {
- rz = Fr.add(rz, Fr.mul(Z1[p], a1));
- rz = Fr.add(rz, Fr.mul(Z2[p], a2));
- rz = Fr.add(rz, Fr.mul(Z3[p], a3));
+ den = Fr.mul(den, Fr.sub(roots.S1.h1w4[i], roots.S1.h1w4[idx]));
}
+ return den;
+ }
- return [r, rz];
+ function computeLiS2(i) {
+ // Compute L_i^{(S1)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 5; j++) {
+ idx = (idx + 1) % 6;
+
+ const root1 = i < 3 ? roots.S2.h2w3[i] : roots.S2.h3w3[i - 3];
+ const root2 = idx < 3 ? roots.S2.h2w3[idx] : roots.S2.h3w3[idx - 3];
+ den = Fr.mul(den, Fr.sub(root1, root2));
+ }
+ return den;
}
}
+}
- async function round4() {
- const pol_qm = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qm, 0 , zkey.domainSize*n8r, sectionsZKey[7][0].p);
+/*
+ This file is part of snarkjs.
- const pol_ql = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_ql, 0 , zkey.domainSize*n8r, sectionsZKey[8][0].p);
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- const pol_qr = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qr, 0 , zkey.domainSize*n8r, sectionsZKey[9][0].p);
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- const pol_qo = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qo, 0 , zkey.domainSize*n8r, sectionsZKey[10][0].p);
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+const {unstringifyBigInts: unstringifyBigInts$3} = ffjavascript.utils;
- const pol_qc = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qc, 0 , zkey.domainSize*n8r, sectionsZKey[11][0].p);
+async function fflonkFullProve$1(_input, wasmFilename, zkeyFilename, logger) {
+ const input = unstringifyBigInts$3(_input);
- const pol_s3 = new ffjavascript.BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_s3, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 10*zkey.domainSize*n8r);
+ const wtns= {type: "mem"};
- const transcript4 = new Uint8Array(G1.F.n8*2*3);
- G1.toRprUncompressed(transcript4, 0, proof.T1);
- G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
- G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
- ch.xi = hashToFr(transcript4);
+ // Compute the witness
+ await wtnsCalculate$1(input, wasmFilename, wtns);
- if (logger) logger.debug("xi: " + Fr.toString(ch.xi));
+ // Compute the proof
+ return await fflonkProve$1(zkeyFilename, wtns, logger);
+}
- proof.eval_a = evalPol(pol_a, ch.xi);
- proof.eval_b = evalPol(pol_b, ch.xi);
- proof.eval_c = evalPol(pol_c, ch.xi);
- proof.eval_s1 = evalPol(pol_s1, ch.xi);
- proof.eval_s2 = evalPol(pol_s2, ch.xi);
- proof.eval_t = evalPol(pol_t, ch.xi);
- proof.eval_zw = evalPol(pol_z, Fr.mul(ch.xi, Fr.w[zkey.power]));
+/*
+ Copyright 2022 iden3 association.
- const coef_ab = Fr.mul(proof.eval_a, proof.eval_b);
-
- let e2a = proof.eval_a;
- const betaxi = Fr.mul(ch.beta, ch.xi);
- e2a = Fr.add( e2a, betaxi);
- e2a = Fr.add( e2a, ch.gamma);
+ This file is part of snarkjs.
- let e2b = proof.eval_b;
- e2b = Fr.add( e2b, Fr.mul(betaxi, zkey.k1));
- e2b = Fr.add( e2b, ch.gamma);
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- let e2c = proof.eval_c;
- e2c = Fr.add( e2c, Fr.mul(betaxi, zkey.k2));
- e2c = Fr.add( e2c, ch.gamma);
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- const e2 = Fr.mul(Fr.mul(Fr.mul(e2a, e2b), e2c), ch.alpha);
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
- let e3a = proof.eval_a;
- e3a = Fr.add( e3a, Fr.mul(ch.beta, proof.eval_s1));
- e3a = Fr.add( e3a, ch.gamma);
+const { unstringifyBigInts: unstringifyBigInts$2 } = ffjavascript.utils;
- let e3b = proof.eval_b;
- e3b = Fr.add( e3b, Fr.mul(ch.beta, proof.eval_s2));
- e3b = Fr.add( e3b, ch.gamma);
+async function fflonkVerify$1(_vk_verifier, _publicSignals, _proof, logger) {
+ if (logger) logger.info("FFLONK VERIFIER STARTED");
- let e3 = Fr.mul(e3a, e3b);
- e3 = Fr.mul(e3, ch.beta);
- e3 = Fr.mul(e3, proof.eval_zw);
- e3 = Fr.mul(e3, ch.alpha);
+ _vk_verifier = unstringifyBigInts$2(_vk_verifier);
+ _proof = unstringifyBigInts$2(_proof);
- ch.xim= ch.xi;
- for (let i=0; i Checking commitments belong to G1");
+ if (!commitmentsBelongToG1(curve, proof, vk)) {
+ logger.error("Proof is not well constructed");
+ return false;
+ }
- if (i < zkey.domainSize + 3) {
- w = Fr.add(w, Fr.mul(ch.v[1], pol_r.slice(i * n8r, (i + 1) * n8r)));
- }
+ // TODO
+ // STEP 2 - Validate that all evaluations ∈ F
- if (i < zkey.domainSize + 2) {
- w = Fr.add(w, Fr.mul(ch.v[2], pol_a.slice(i * n8r, (i + 1) * n8r)));
- w = Fr.add(w, Fr.mul(ch.v[3], pol_b.slice(i * n8r, (i + 1) * n8r)));
- w = Fr.add(w, Fr.mul(ch.v[4], pol_c.slice(i * n8r, (i + 1) * n8r)));
- }
+ // TODO
+ // STEP 3 - Validate that w_i ∈ F for i ∈ [l]
- if (i < zkey.domainSize) {
- const polTLow = pol_t.slice(i * n8r, (i + 1) * n8r);
- w = Fr.add(w, polTLow);
+ // STEP 4 - Compute the challenges: beta, gamma, xi, alpha and y ∈ F
+ // as in prover description, from the common preprocessed inputs, public inputs and elements of π_SNARK
+ if (logger) logger.info("> Computing challenges");
+ const { challenges, roots } = computeChallenges(curve, proof, vk, publicSignals, logger);
- const polTMid = pol_t.slice((zkey.domainSize + i) * n8r, (zkey.domainSize + i + 1) * n8r);
- w = Fr.add(w, Fr.mul(ch.xim, polTMid));
+ // STEP 5 - Compute the zero polynomial evaluation Z_H(xi) = xi^n - 1
+ if (logger) logger.info("> Computing Zero polynomial evaluation Z_H(xi)");
+ challenges.zh = Fr.sub(challenges.xiN, Fr.one);
+ challenges.invzh = Fr.inv(challenges.zh);
- w = Fr.add(w, Fr.mul(ch.v[5], pol_s1.slice(i * n8r, (i + 1) * n8r)));
- w = Fr.add(w, Fr.mul(ch.v[6], pol_s2.slice(i * n8r, (i + 1) * n8r)));
- }
+ // STEP 6 - Compute the lagrange polynomial evaluation L_1(xi)
+ if (logger) logger.info("> Computing Lagrange evaluations");
+ const lagrangeEvals = await computeLagrangeEvaluations(curve, challenges, vk);
- // b_10 and b_11 blinding scalars were applied on round 3 to randomize the polynomials t_low, t_mid, t_high
- // Subtract blinding scalar b_10 and b_11 to the lowest coefficient
- if (i === 0) {
- w = Fr.sub(w, Fr.mul(xi2m, ch.b[11]));
- w = Fr.sub(w, Fr.mul(ch.xim, ch.b[10]));
- }
+ // STEP 7 - Compute public input evaluation PI(xi)
+ if (logger) logger.info("> Computing polynomial identities PI(X)");
+ const pi = calculatePI(curve, publicSignals, lagrangeEvals);
- // Add blinding scalars b_10 and b_11 to the coefficient n
- if (i === zkey.domainSize) {
- w = Fr.add(w, ch.b[10]);
- w = Fr.add(w, Fr.mul(ch.xim, ch.b[11]));
- }
+ // STEP 8 - Compute polynomial r0 ∈ F_{<4}[X]
+ if (logger) logger.info("> Computing r0(y)");
+ const r0 = computeR0(proof, challenges, roots, pi, curve, logger);
- pol_wxi.set(w, i * n8r);
- }
+ // STEP 9 - Compute polynomial r1 ∈ F_{<4}[X]
+ if (logger) logger.info("> Computing r1(y)");
+ const r1 = computeR1(proof, challenges, roots, pi, curve, logger);
- let w0 = pol_wxi.slice(0, n8r);
- w0 = Fr.sub(w0, proof.eval_t);
- w0 = Fr.sub(w0, Fr.mul(ch.v[1], proof.eval_r));
- w0 = Fr.sub(w0, Fr.mul(ch.v[2], proof.eval_a));
- w0 = Fr.sub(w0, Fr.mul(ch.v[3], proof.eval_b));
- w0 = Fr.sub(w0, Fr.mul(ch.v[4], proof.eval_c));
- w0 = Fr.sub(w0, Fr.mul(ch.v[5], proof.eval_s1));
- w0 = Fr.sub(w0, Fr.mul(ch.v[6], proof.eval_s2));
- pol_wxi.set(w0, 0);
+ // STEP 9 - Compute polynomial r2 ∈ F_{<6}[X]
+ if (logger) logger.info("> Computing r2(y)");
+ const r2 = computeR2(proof, challenges, roots, lagrangeEvals[1], vk, curve, logger);
- pol_wxi= divPol1(pol_wxi, ch.xi);
+ if (logger) logger.info("> Computing F");
+ const F = computeF(curve, proof, vk, challenges, roots);
- proof.Wxi = await expTau(pol_wxi, "multiexp Wxi");
+ if (logger) logger.info("> Computing E");
+ const E = computeE(curve, proof, challenges, vk, r0, r1, r2);
- let pol_wxiw = new ffjavascript.BigBuffer((zkey.domainSize+3)*n8r);
- for (let i=0; i Computing J");
+ const J = computeJ(curve, proof, challenges);
- pol_wxiw= divPol1(pol_wxiw, Fr.mul(ch.xi, Fr.w[zkey.power]));
- proof.Wxiw = await expTau(pol_wxiw, "multiexp Wxiw");
- }
+ if (logger) logger.info("> Validate all evaluations with a pairing");
+ const res = await isValidPairing(curve, proof, challenges, vk, F, E, J);
- function hashToFr(transcript) {
- const v = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256$1.arrayBuffer(transcript)));
- return Fr.e(v);
+ if (logger) {
+ if (res) {
+ logger.info("PROOF VERIFIED SUCCESSFULLY");
+ } else {
+ logger.warn("Invalid Proof");
+ }
}
+ if (logger) logger.info("FFLONK VERIFIER FINISHED");
- function evalPol(P, x) {
- const n = P.byteLength / n8r;
- if (n == 0) return Fr.zero;
- let res = P.slice((n-1)*n8r, n*n8r);
- for (let i=n-2; i>=0; i--) {
- res = Fr.add(Fr.mul(res, x), P.slice(i*n8r, (i+1)*n8r));
- }
- return res;
- }
+ return res;
- function divPol1(P, d) {
- const n = P.byteLength/n8r;
- const res = new ffjavascript.BigBuffer(n*n8r);
- res.set(Fr.zero, (n-1) *n8r);
- res.set(P.slice((n-1)*n8r, n*n8r), (n-2)*n8r);
- for (let i=n-3; i>=0; i--) {
- res.set(
- Fr.add(
- P.slice((i+1)*n8r, (i+2)*n8r),
- Fr.mul(
- d,
- res.slice((i+1)*n8r, (i+2)*n8r)
- )
- ),
- i*n8r
- );
- }
- if (!Fr.eq(
- P.slice(0, n8r),
- Fr.mul(
- Fr.neg(d),
- res.slice(0, n8r)
- )
- )) {
- throw new Error("Polinomial does not divide");
- }
- return res;
- }
+}
- async function expTau(b, name) {
- const n = b.byteLength/n8r;
- const PTauN = PTau.slice(0, n*curve.G1.F.n8*2);
- const bm = await curve.Fr.batchFromMontgomery(b);
- let res = await curve.G1.multiExpAffine(PTauN, bm, logger, name);
- res = curve.G1.toAffine(res);
- return res;
- }
+function fromObjectVk(curve, vk) {
+ const res = vk;
+ res.k1 = curve.Fr.fromObject(vk.k1);
+ res.k2 = curve.Fr.fromObject(vk.k2);
+ res.w = curve.Fr.fromObject(vk.w);
+ // res.wW = curve.Fr.fromObject(vk.wW);
+ res.w3 = curve.Fr.fromObject(vk.w3);
+ res.w4 = curve.Fr.fromObject(vk.w4);
+ res.w8 = curve.Fr.fromObject(vk.w8);
+ res.wr = curve.Fr.fromObject(vk.wr);
+ res.X_2 = curve.G2.fromObject(vk.X_2);
+ res.C0 = curve.G1.fromObject(vk.C0);
+ return res;
+}
+function commitmentsBelongToG1(curve, proof, vk) {
+ const G1 = curve.G1;
+ return G1.isValid(proof.polynomials.C1)
+ && G1.isValid(proof.polynomials.C2)
+ && G1.isValid(proof.polynomials.W1)
+ && G1.isValid(proof.polynomials.W2)
+ && G1.isValid(vk.C0);
+}
- async function to4T(A, pz) {
- pz = pz || [];
- let a = await Fr.ifft(A);
- const a4 = new ffjavascript.BigBuffer(n8r*zkey.domainSize*4);
- a4.set(a, 0);
+function computeChallenges(curve, proof, vk, publicSignals, logger) {
+ const Fr = curve.Fr;
- const a1 = new ffjavascript.BigBuffer(n8r*(zkey.domainSize + pz.length));
- a1.set(a, 0);
- for (let i= 0; i.
-*/
-const {unstringifyBigInts: unstringifyBigInts$3} = ffjavascript.utils;
+ // const w4_2 = Fr.square(vk.w4);
+ // const w4_3 = Fr.mul(w4_2, vk.w4);
+ // const w3_2 = Fr.square(vk.w3);
-async function plonkFullProve$1(_input, wasmFile, zkeyFileName, logger) {
- const input = unstringifyBigInts$3(_input);
+ // Compute h0 = xiSeeder^3
+ roots.S0 = {};
+ roots.S0.h0w8 = [];
+ roots.S0.h0w8[0] = Fr.mul(xiSeed2, xiSeed);
+ for (let i = 1; i < 8; i++) {
+ roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], w8[i]);
+ }
- const wtns= {
- type: "mem"
- };
- await wtnsCalculate$1(input, wasmFile, wtns);
- return await plonk16Prove(zkeyFileName, wtns, logger);
-}
+ // Compute h1 = xi_seeder^6
+ roots.S1 = {};
+ roots.S1.h1w4 = [];
+ roots.S1.h1w4[0] = Fr.square(roots.S0.h0w8[0]);
+ for (let i = 1; i < 4; i++) {
+ roots.S1.h1w4[i] = Fr.mul(roots.S1.h1w4[0], w4[i]);
+ }
-/*
- Copyright 2021 0kims association.
+ // Compute h2 = xi_seeder^8
+ roots.S2 = {};
+ roots.S2.h2w3 = [];
+ roots.S2.h2w3[0] = Fr.mul(roots.S1.h1w4[0], xiSeed2);
+ roots.S2.h2w3[1] = Fr.mul(roots.S2.h2w3[0], w3[1]);
+ roots.S2.h2w3[2] = Fr.mul(roots.S2.h2w3[0], w3[2]);
- This file is part of snarkjs.
+ roots.S2.h3w3 = [];
+ // Multiply h3 by third-root-omega to obtain h_3^3 = xiω
+ // So, h3 = xi_seeder^8 ω^{1/3}
+ roots.S2.h3w3[0] = Fr.mul(roots.S2.h2w3[0], vk.wr);
+ roots.S2.h3w3[1] = Fr.mul(roots.S2.h3w3[0], w3[1]);
+ roots.S2.h3w3[2] = Fr.mul(roots.S2.h3w3[0], w3[2]);
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
+ // Compute xi = xi_seeder^12
+ challenges.xi = Fr.mul(Fr.square(roots.S2.h2w3[0]), roots.S2.h2w3[0]);
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
+ challenges.xiN = challenges.xi;
+ vk.domainSize = 1;
+ for (let i = 0; i < vk.power; i++) {
+ challenges.xiN = Fr.square(challenges.xiN);
+ vk.domainSize *= 2;
+ }
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-const {unstringifyBigInts: unstringifyBigInts$2} = ffjavascript.utils;
-const { keccak256 } = jsSha3__default["default"];
+ transcript.reset();
+ transcript.addScalar(xiSeed);
+ transcript.addScalar(proof.evaluations.ql);
+ transcript.addScalar(proof.evaluations.qr);
+ transcript.addScalar(proof.evaluations.qm);
+ transcript.addScalar(proof.evaluations.qo);
+ transcript.addScalar(proof.evaluations.qc);
+ transcript.addScalar(proof.evaluations.s1);
+ transcript.addScalar(proof.evaluations.s2);
+ transcript.addScalar(proof.evaluations.s3);
+ transcript.addScalar(proof.evaluations.a);
+ transcript.addScalar(proof.evaluations.b);
+ transcript.addScalar(proof.evaluations.c);
+ transcript.addScalar(proof.evaluations.z);
+ transcript.addScalar(proof.evaluations.zw);
+ transcript.addScalar(proof.evaluations.t1w);
+ transcript.addScalar(proof.evaluations.t2w);
+ challenges.alpha = transcript.getChallenge();
+ transcript.reset();
+ transcript.addScalar(challenges.alpha);
+ transcript.addPolCommitment(proof.polynomials.W1);
+ challenges.y = transcript.getChallenge();
-async function plonkVerify$1(_vk_verifier, _publicSignals, _proof, logger) {
- let vk_verifier = unstringifyBigInts$2(_vk_verifier);
- let proof = unstringifyBigInts$2(_proof);
- let publicSignals = unstringifyBigInts$2(_publicSignals);
+ if (logger) {
+ logger.info("··· challenges.beta: " + Fr.toString(challenges.beta));
+ logger.info("··· challenges.gamma: " + Fr.toString(challenges.gamma));
+ logger.info("··· challenges.xi: " + Fr.toString(challenges.xi));
+ logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
+ logger.info("··· challenges.y: " + Fr.toString(challenges.y));
+ }
- const curve = await getCurveFromName(vk_verifier.curve);
+ return { challenges: challenges, roots: roots };
+}
+async function computeLagrangeEvaluations(curve, challenges, vk) {
const Fr = curve.Fr;
- const G1 = curve.G1;
- proof = fromObjectProof(curve,proof);
- vk_verifier = fromObjectVk(curve, vk_verifier);
- if (!isWellConstructed(curve, proof)) {
- logger.error("Proof is not well constructed");
- return false;
- }
- if (publicSignals.length != vk_verifier.nPublic) {
- logger.error("Invalid number of public inputs");
- return false;
- }
- const challanges = calculateChallanges(curve, proof, publicSignals);
- if (logger) {
- logger.debug("beta: " + Fr.toString(challanges.beta, 16));
- logger.debug("gamma: " + Fr.toString(challanges.gamma, 16));
- logger.debug("alpha: " + Fr.toString(challanges.alpha, 16));
- logger.debug("xi: " + Fr.toString(challanges.xi, 16));
- logger.debug("v1: " + Fr.toString(challanges.v[1], 16));
- logger.debug("v6: " + Fr.toString(challanges.v[6], 16));
- logger.debug("u: " + Fr.toString(challanges.u, 16));
- }
- const L = calculateLagrangeEvaluations(curve, challanges, vk_verifier);
- if (logger) {
- logger.debug("Lagrange Evaluations: ");
- for (let i=1; i 7) {
+ throw new Error("R0 Polynomial is not well calculated");
+ }
-function fromObjectProof(curve, proof) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
- const res = {};
- res.A = G1.fromObject(proof.A);
- res.B = G1.fromObject(proof.B);
- res.C = G1.fromObject(proof.C);
- res.Z = G1.fromObject(proof.Z);
- res.T1 = G1.fromObject(proof.T1);
- res.T2 = G1.fromObject(proof.T2);
- res.T3 = G1.fromObject(proof.T3);
- res.eval_a = Fr.fromObject(proof.eval_a);
- res.eval_b = Fr.fromObject(proof.eval_b);
- res.eval_c = Fr.fromObject(proof.eval_c);
- res.eval_zw = Fr.fromObject(proof.eval_zw);
- res.eval_s1 = Fr.fromObject(proof.eval_s1);
- res.eval_s2 = Fr.fromObject(proof.eval_s2);
- res.eval_r = Fr.fromObject(proof.eval_r);
- res.Wxi = G1.fromObject(proof.Wxi);
- res.Wxiw = G1.fromObject(proof.Wxiw);
- return res;
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r0(y)");
+ return R0.evaluate(challenges.y);
}
-function fromObjectVk(curve, vk) {
- const G1 = curve.G1;
- const G2 = curve.G2;
+function computeR1(proof, challenges, roots, pi, curve, logger) {
const Fr = curve.Fr;
- const res = vk;
- res.Qm = G1.fromObject(vk.Qm);
- res.Ql = G1.fromObject(vk.Ql);
- res.Qr = G1.fromObject(vk.Qr);
- res.Qo = G1.fromObject(vk.Qo);
- res.Qc = G1.fromObject(vk.Qc);
- res.S1 = G1.fromObject(vk.S1);
- res.S2 = G1.fromObject(vk.S2);
- res.S3 = G1.fromObject(vk.S3);
- res.k1 = Fr.fromObject(vk.k1);
- res.k2 = Fr.fromObject(vk.k2);
- res.X_2 = G2.fromObject(vk.X_2);
- return res;
-}
+ // r1(y) = ∑_1^4 C_1(h_1 ω_4^{i-1}) L_i(y). To this end we need to compute
+ // Z1 = {C1(h_1}, C1(h_1 ω_4), C1(h_1 ω_4^2), C1(h_1 ω_4^3)}
+ // where C_1(h_1 ω_4^{i-1}) = eval.a + h_1 ω_4^i eval.b + (h_1 ω_4^i)^2 eval.c + (h_1 ω_4^i)^3 T0(xi),
+ // where T0(xi) = [ qL·a + qR·b + qM·a·b + qO·c + qC + PI(xi) ] / Z_H(xi)
-function isWellConstructed(curve, proof) {
- const G1 = curve.G1;
- if (!G1.isValid(proof.A)) return false;
- if (!G1.isValid(proof.B)) return false;
- if (!G1.isValid(proof.C)) return false;
- if (!G1.isValid(proof.Z)) return false;
- if (!G1.isValid(proof.T1)) return false;
- if (!G1.isValid(proof.T2)) return false;
- if (!G1.isValid(proof.T3)) return false;
- if (!G1.isValid(proof.Wxi)) return false;
- if (!G1.isValid(proof.Wxiw)) return false;
- return true;
-}
+ // Compute T0(xi)
+ if (logger) logger.info("··· Computing T0(xi)");
+ let t0 = Fr.mul(proof.evaluations.ql, proof.evaluations.a);
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qr, proof.evaluations.b));
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qm, Fr.mul(proof.evaluations.a, proof.evaluations.b)));
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qo, proof.evaluations.c));
+ t0 = Fr.add(t0, proof.evaluations.qc);
+ t0 = Fr.add(t0, pi);
+ t0 = Fr.mul(t0, challenges.invzh);
-function calculateChallanges(curve, proof, publicSignals) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
- const n8r = curve.Fr.n8;
- const res = {};
+ // Compute the 4 C1 values
+ if (logger) logger.info("··· Computing C1(h_1ω_4^i) values");
- const transcript1 = new Uint8Array(publicSignals.length*n8r + G1.F.n8*2*3);
- for (let i=0; i 3) {
+ throw new Error("R1 Polynomial is not well calculated");
+ }
- const transcript3 = new Uint8Array(G1.F.n8*2);
- G1.toRprUncompressed(transcript3, 0, proof.Z);
- res.alpha = hashToFr(curve, transcript3);
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r1(y)");
+ return R1.evaluate(challenges.y);
+}
- const transcript4 = new Uint8Array(G1.F.n8*2*3);
- G1.toRprUncompressed(transcript4, 0, proof.T1);
- G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
- G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
- res.xi = hashToFr(curve, transcript4);
+function computeR2(proof, challenges, roots, lagrange1, vk, curve, logger) {
+ const Fr = curve.Fr;
- const transcript5 = new Uint8Array(n8r*7);
- Fr.toRprBE(transcript5, 0, proof.eval_a);
- Fr.toRprBE(transcript5, n8r, proof.eval_b);
- Fr.toRprBE(transcript5, n8r*2, proof.eval_c);
- Fr.toRprBE(transcript5, n8r*3, proof.eval_s1);
- Fr.toRprBE(transcript5, n8r*4, proof.eval_s2);
- Fr.toRprBE(transcript5, n8r*5, proof.eval_zw);
- Fr.toRprBE(transcript5, n8r*6, proof.eval_r);
- res.v = [];
- res.v[1] = hashToFr(curve, transcript5);
+ // r2(y) = ∑_1^3 C_2(h_2 ω_3^{i-1}) L_i(y) + ∑_1^3 C_2(h_3 ω_3^{i-1}) L_{i+3}(y). To this end we need to compute
+ // Z2 = {[C2(h_2}, C2(h_2 ω_3), C2(h_2 ω_3^2)], [C2(h_3}, C2(h_3 ω_3), C2(h_3 ω_3^2)]}
+ // where C_2(h_2 ω_3^{i-1}) = eval.z + h_2 ω_2^i T1(xi) + (h_2 ω_3^i)^2 T2(xi),
+ // where C_2(h_3 ω_3^{i-1}) = eval.z + h_3 ω_2^i T1(xi) + (h_3 ω_3^i)^2 T2(xi),
+ // where T1(xi) = [ L_1(xi)(z-1)] / Z_H(xi)
+ // and T2(xi) = [ (a + beta·xi + gamma)(b + beta·xi·k1 + gamma)(c + beta·xi·k2 + gamma)z
+ // - (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)zω ] / Z_H(xi)
- for (let i=2; i<=6; i++ ) res.v[i] = Fr.mul(res.v[i-1], res.v[1]);
+ // Compute T1(xi)
+ if (logger) logger.info("··· Computing T1(xi)");
+ let t1 = Fr.sub(proof.evaluations.z, Fr.one);
+ t1 = Fr.mul(t1, lagrange1);
+ t1 = Fr.mul(t1, challenges.invzh);
- const transcript6 = new Uint8Array(G1.F.n8*2*2);
- G1.toRprUncompressed(transcript6, 0, proof.Wxi);
- G1.toRprUncompressed(transcript6, G1.F.n8*2, proof.Wxiw);
- res.u = hashToFr(curve, transcript6);
+ // Compute T2(xi)
+ if (logger) logger.info("··· Computing T2(xi)");
+ const betaxi = Fr.mul(challenges.beta, challenges.xi);
+ const t211 = Fr.add(proof.evaluations.a, Fr.add(betaxi, challenges.gamma));
+ const t212 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(betaxi, vk.k1), challenges.gamma));
+ const t213 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(betaxi, vk.k2), challenges.gamma));
+ const t21 = Fr.mul(t211, Fr.mul(t212, Fr.mul(t213, proof.evaluations.z)));
- return res;
-}
+ const t221 = Fr.add(proof.evaluations.a, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s1), challenges.gamma));
+ const t222 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s2), challenges.gamma));
+ const t223 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s3), challenges.gamma));
+ const t22 = Fr.mul(t221, Fr.mul(t222, Fr.mul(t223, proof.evaluations.zw)));
-function calculateLagrangeEvaluations(curve, challanges, vk) {
- const Fr = curve.Fr;
+ let t2 = Fr.sub(t21, t22);
+ t2 = Fr.mul(t2, challenges.invzh);
- let xin = challanges.xi;
- let domainSize = 1;
- for (let i=0; i 5) {
+ throw new Error("R2 Polynomial is not well calculated");
}
- return pl;
+
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r2(y)");
+ return R2.evaluate(challenges.y);
}
-function calculateT(curve, proof, challanges, pl, l1) {
+function computeF(curve, proof, vk, challenges, roots) {
+ const G1 = curve.G1;
const Fr = curve.Fr;
- let num = proof.eval_r;
- num = Fr.add(num, pl);
-
- let e1 = proof.eval_a;
- e1 = Fr.add(e1, Fr.mul(challanges.beta, proof.eval_s1));
- e1 = Fr.add(e1, challanges.gamma);
- let e2 = proof.eval_b;
- e2 = Fr.add(e2, Fr.mul(challanges.beta, proof.eval_s2));
- e2 = Fr.add(e2, challanges.gamma);
+ let mulH0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
+ for (let i = 1; i < 8; i++) {
+ mulH0 = Fr.mul(mulH0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
+ }
- let e3 = proof.eval_c;
- e3 = Fr.add(e3, challanges.gamma);
+ challenges.temp = mulH0;
- let e = Fr.mul(Fr.mul(e1, e2), e3);
- e = Fr.mul(e, proof.eval_zw);
- e = Fr.mul(e, challanges.alpha);
+ let mulH1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
+ for (let i = 1; i < 4; i++) {
+ mulH1 = Fr.mul(mulH1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
+ }
- num = Fr.sub(num, e);
+ let mulH2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
+ for (let i = 1; i < 3; i++) {
+ mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
+ }
+ for (let i = 0; i < 3; i++) {
+ mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
+ }
- num = Fr.sub(num, Fr.mul(l1, Fr.square(challanges.alpha)));
+ challenges.quotient1 = Fr.mul(challenges.alpha, Fr.div(mulH0, mulH1));
+ challenges.quotient2 = Fr.mul(Fr.square(challenges.alpha), Fr.div(mulH0, mulH2));
- const t = Fr.div(num, challanges.zh);
+ let F2 = G1.timesFr(proof.polynomials.C1, challenges.quotient1);
+ let F3 = G1.timesFr(proof.polynomials.C2, challenges.quotient2);
- return t;
+ return G1.add(vk.C0, G1.add(F2, F3));
}
-function calculateD(curve, proof, challanges, vk, l1) {
+function computeE(curve, proof, challenges, vk, r0, r1, r2) {
const G1 = curve.G1;
const Fr = curve.Fr;
- let s1 = Fr.mul(Fr.mul(proof.eval_a, proof.eval_b), challanges.v[1]);
- let res = G1.timesFr(vk.Qm, s1);
+ let E2 = Fr.mul(r1, challenges.quotient1);
+ let E3 = Fr.mul(r2, challenges.quotient2);
- let s2 = Fr.mul(proof.eval_a, challanges.v[1]);
- res = G1.add(res, G1.timesFr(vk.Ql, s2));
+ return G1.timesFr(G1.one, Fr.add(r0, Fr.add(E2, E3)));
+}
- let s3 = Fr.mul(proof.eval_b, challanges.v[1]);
- res = G1.add(res, G1.timesFr(vk.Qr, s3));
+function computeJ(curve, proof, challenges) {
+ const G1 = curve.G1;
- let s4 = Fr.mul(proof.eval_c, challanges.v[1]);
- res = G1.add(res, G1.timesFr(vk.Qo, s4));
+ return G1.timesFr(proof.polynomials.W1, challenges.temp);
+}
- res = G1.add(res, G1.timesFr(vk.Qc, challanges.v[1]));
+async function isValidPairing(curve, proof, challenges, vk, F, E, J) {
+ const G1 = curve.G1;
- const betaxi = Fr.mul(challanges.beta, challanges.xi);
- let s6a = proof.eval_a;
- s6a = Fr.add(s6a, betaxi);
- s6a = Fr.add(s6a, challanges.gamma);
+ let A1 = G1.timesFr(proof.polynomials.W2, challenges.y);
+ A1 = G1.add(G1.sub(G1.sub(F, E), J), A1);
+ const A2 = curve.G2.one;
- let s6b = proof.eval_b;
- s6b = Fr.add(s6b, Fr.mul(betaxi, vk.k1));
- s6b = Fr.add(s6b, challanges.gamma);
+ const B1 = proof.polynomials.W2;
+ const B2 = vk.X_2;
- let s6c = proof.eval_c;
- s6c = Fr.add(s6c, Fr.mul(betaxi, vk.k2));
- s6c = Fr.add(s6c, challanges.gamma);
+ return await curve.pairingEq(G1.neg(A1), A2, B1, B2);
+}
- let s6 = Fr.mul(Fr.mul(s6a, s6b), s6c);
- s6 = Fr.mul(s6, Fr.mul(challanges.alpha, challanges.v[1]));
+/*
+ Copyright 2021 0KIMS association.
- let s6d = Fr.mul(Fr.mul(l1, Fr.square(challanges.alpha)), challanges.v[1]);
- s6 = Fr.add(s6, s6d);
+ This file is part of snarkJS.
- s6 = Fr.add(s6, challanges.u);
- res = G1.add(res, G1.timesFr(proof.Z, s6));
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- let s7a = proof.eval_a;
- s7a = Fr.add(s7a, Fr.mul(challanges.beta, proof.eval_s1));
- s7a = Fr.add(s7a, challanges.gamma);
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
- let s7b = proof.eval_b;
- s7b = Fr.add(s7b, Fr.mul(challanges.beta, proof.eval_s2));
- s7b = Fr.add(s7b, challanges.gamma);
+const {unstringifyBigInts: unstringifyBigInts$1} = ffjavascript.utils;
- let s7 = Fr.mul(s7a, s7b);
- s7 = Fr.mul(s7, challanges.alpha);
- s7 = Fr.mul(s7, challanges.v[1]);
- s7 = Fr.mul(s7, challanges.beta);
- s7 = Fr.mul(s7, proof.eval_zw);
- res = G1.sub(res, G1.timesFr(vk.S3, s7));
+function i2hex(i) {
+ return ("0" + i.toString(16)).slice(-2);
+}
- return res;
+function p256(n) {
+ let nstr = n.toString(16);
+ while (nstr.length < 64) nstr = "0" + nstr;
+ nstr = `"0x${nstr}"`;
+ return nstr;
}
-function calculateF(curve, proof, challanges, vk, D) {
+async function fflonkExportCallData(_pub, _proof) {
+ const proof = unstringifyBigInts$1(_proof);
+ const pub = unstringifyBigInts$1(_pub);
+
+ const curve = await getCurveFromName(proof.curve);
const G1 = curve.G1;
const Fr = curve.Fr;
- let res = proof.T1;
+ let inputs = "";
+ for (let i = 0; i < pub.length; i++) {
+ if (inputs !== "") inputs = inputs + ",";
+ inputs = inputs + p256(pub[i]);
+ }
- res = G1.add(res, G1.timesFr(proof.T2, challanges.xin));
- res = G1.add(res, G1.timesFr(proof.T3, Fr.square(challanges.xin)));
- res = G1.add(res, D);
- res = G1.add(res, G1.timesFr(proof.A, challanges.v[2]));
- res = G1.add(res, G1.timesFr(proof.B, challanges.v[3]));
- res = G1.add(res, G1.timesFr(proof.C, challanges.v[4]));
- res = G1.add(res, G1.timesFr(vk.S1, challanges.v[5]));
- res = G1.add(res, G1.timesFr(vk.S2, challanges.v[6]));
+ const proofBuff = new Uint8Array(G1.F.n8 * 2 * 4 + Fr.n8 * 16);
- return res;
+ G1.toRprUncompressed(proofBuff, 0, G1.e(proof.polynomials.C1));
+ G1.toRprUncompressed(proofBuff, G1.F.n8 * 2, G1.e(proof.polynomials.C2));
+ G1.toRprUncompressed(proofBuff, G1.F.n8 * 4, G1.e(proof.polynomials.W1));
+ G1.toRprUncompressed(proofBuff, G1.F.n8 * 6, G1.e(proof.polynomials.W2));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8, Fr.e(proof.evaluations.ql));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8, Fr.e(proof.evaluations.qr));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 2, Fr.e(proof.evaluations.qm));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 3, Fr.e(proof.evaluations.qo));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 4, Fr.e(proof.evaluations.qc));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 5, Fr.e(proof.evaluations.s1));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 6, Fr.e(proof.evaluations.s2));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 7, Fr.e(proof.evaluations.s3));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 8, Fr.e(proof.evaluations.a));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 9, Fr.e(proof.evaluations.b));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 10, Fr.e(proof.evaluations.c));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 11, Fr.e(proof.evaluations.z));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 12, Fr.e(proof.evaluations.zw));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 13, Fr.e(proof.evaluations.t1w));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 14, Fr.e(proof.evaluations.t2w));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 15, Fr.e(proof.evaluations.inv));
+
+ const proofHex = Array.from(proofBuff).map(i2hex).join("");
+
+ return `0x${proofHex},[${inputs}]`;
}
+/*
+ Copyright 2018 0KIMS association.
+
+ This file is part of snarkJS.
+
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
-function calculateE(curve, proof, challanges, vk, t) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+const {unstringifyBigInts} = ffjavascript.utils;
- let s = t;
- s = Fr.add(s, Fr.mul(challanges.v[1], proof.eval_r));
- s = Fr.add(s, Fr.mul(challanges.v[2], proof.eval_a));
- s = Fr.add(s, Fr.mul(challanges.v[3], proof.eval_b));
- s = Fr.add(s, Fr.mul(challanges.v[4], proof.eval_c));
- s = Fr.add(s, Fr.mul(challanges.v[5], proof.eval_s1));
- s = Fr.add(s, Fr.mul(challanges.v[6], proof.eval_s2));
- s = Fr.add(s, Fr.mul(challanges.u, proof.eval_zw));
+async function wtnsDebug$1(_input, wasmFileName, wtnsFileName, symName, options, logger) {
- const res = G1.timesFr(G1.one, s);
+ const input = unstringifyBigInts(_input);
- return res;
-}
+ const fdWasm = await fastFile__namespace.readExisting(wasmFileName);
+ const wasm = await fdWasm.read(fdWasm.totalSize);
+ await fdWasm.close();
-async function isValidPairing(curve, proof, challanges, vk, E, F) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
- let A1 = proof.Wxi;
- A1 = G1.add(A1, G1.timesFr(proof.Wxiw, challanges.u));
+ let wcOps = {
+ sanityCheck: true
+ };
+ let sym = await loadSymbols(symName);
+ if (options.set) {
+ if (!sym) sym = await loadSymbols(symName);
+ wcOps.logSetSignal= function(labelIdx, value) {
+ // The line below splits the arrow log into 2 strings to avoid some Secure ECMAScript issues
+ if (logger) logger.info("SET " + sym.labelIdx2Name[labelIdx] + " <" + "-- " + value.toString());
+ };
+ }
+ if (options.get) {
+ if (!sym) sym = await loadSymbols(symName);
+ wcOps.logGetSignal= function(varIdx, value) {
+ // The line below splits the arrow log into 2 strings to avoid some Secure ECMAScript issues
+ if (logger) logger.info("GET " + sym.labelIdx2Name[varIdx] + " --" + "> " + value.toString());
+ };
+ }
+ if (options.trigger) {
+ if (!sym) sym = await loadSymbols(symName);
+ wcOps.logStartComponent= function(cIdx) {
+ if (logger) logger.info("START: " + sym.componentIdx2Name[cIdx]);
+ };
+ wcOps.logFinishComponent= function(cIdx) {
+ if (logger) logger.info("FINISH: " + sym.componentIdx2Name[cIdx]);
+ };
+ }
+ wcOps.sym = sym;
- let B1 = G1.timesFr(proof.Wxi, challanges.xi);
- const s = Fr.mul(Fr.mul(challanges.u, challanges.xi), Fr.w[vk.power]);
- B1 = G1.add(B1, G1.timesFr(proof.Wxiw, s));
- B1 = G1.add(B1, F);
- B1 = G1.sub(B1, E);
+ const wc = await circom_runtime.WitnessCalculatorBuilder(wasm, wcOps);
+ const w = await wc.calculateWitness(input);
- const res = await curve.pairingEq(
- G1.neg(A1) , vk.X_2,
- B1 , curve.G2.one
- );
+ const fdWtns = await binFileUtils__namespace.createBinFile(wtnsFileName, "wtns", 2, 2);
- return res;
+ await write(fdWtns, w, wc.prime);
+ await fdWtns.close();
}
/*
- Copyright 2021 0KIMS association.
+ Copyright 2018 0KIMS association.
This file is part of snarkJS.
@@ -12059,56 +12074,12 @@ async function isValidPairing(curve, proof, challanges, vk, E, F) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const { unstringifyBigInts: unstringifyBigInts$1} = ffjavascript.utils;
-
-function i2hex(i) {
- return ("0" + i.toString(16)).slice(-2);
-}
-
-function p256(n) {
- let nstr = n.toString(16);
- while (nstr.length < 64) nstr = "0"+nstr;
- nstr = `"0x${nstr}"`;
- return nstr;
-}
-
-async function plonkExportSolidityCallData(_proof, _pub) {
- const proof = unstringifyBigInts$1(_proof);
- const pub = unstringifyBigInts$1(_pub);
-
- const curve = await getCurveFromName(proof.curve);
- const G1 = curve.G1;
- const Fr = curve.Fr;
-
- let inputs = "";
- for (let i=0; i.
-*/
-
-async function wtnsCheckCmd(r1csFilename, wtnsFilename, logger) {
- return await wtnsCheck$1(r1csFilename, wtnsFilename, logger);
-}
-
-/*
- Copyright 2018 0KIMS association.
-
- This file is part of snarkJS.
-
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
-
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
-const {unstringifyBigInts} = ffjavascript.utils;
-
-
-async function wtnsDebug$1(_input, wasmFileName, wtnsFileName, symName, options, logger) {
-
- const input = unstringifyBigInts(_input);
-
- const fdWasm = await fastFile__namespace.readExisting(wasmFileName);
- const wasm = await fdWasm.read(fdWasm.totalSize);
- await fdWasm.close();
-
-
- let wcOps = {
- sanityCheck: true
- };
- let sym = await loadSymbols(symName);
- if (options.set) {
- if (!sym) sym = await loadSymbols(symName);
- wcOps.logSetSignal= function(labelIdx, value) {
- // The line below splits the arrow log into 2 strings to avoid some Secure ECMAScript issues
- if (logger) logger.info("SET " + sym.labelIdx2Name[labelIdx] + " <" + "-- " + value.toString());
- };
- }
- if (options.get) {
- if (!sym) sym = await loadSymbols(symName);
- wcOps.logGetSignal= function(varIdx, value) {
- // The line below splits the arrow log into 2 strings to avoid some Secure ECMAScript issues
- if (logger) logger.info("GET " + sym.labelIdx2Name[varIdx] + " --" + "> " + value.toString());
- };
- }
- if (options.trigger) {
- if (!sym) sym = await loadSymbols(symName);
- wcOps.logStartComponent= function(cIdx) {
- if (logger) logger.info("START: " + sym.componentIdx2Name[cIdx]);
- };
- wcOps.logFinishComponent= function(cIdx) {
- if (logger) logger.info("FINISH: " + sym.componentIdx2Name[cIdx]);
- };
- }
- wcOps.sym = sym;
-
- const wc = await circom_runtime.WitnessCalculatorBuilder(wasm, wcOps);
- const w = await wc.calculateWitness(input);
-
- const fdWtns = await binFileUtils__namespace.createBinFile(wtnsFileName, "wtns", 2, 2);
-
- await write(fdWtns, w, wc.prime);
-
- await fdWtns.close();
-}
-
-/*
- Copyright 2018 0KIMS association.
-
- This file is part of snarkJS.
-
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
-
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
-
-async function wtnsExportJson$1(wtnsFileName) {
-
- const w = await read(wtnsFileName);
-
- return w;
-}
-
/*
Copyright 2018 0KIMS association.
@@ -12832,7 +12687,13 @@ async function wtnsCheck(params, options) {
if (options.verbose) Logger__default["default"].setLogLevel("DEBUG");
- return await wtnsCheckCmd(r1csFilename, wtnsFilename, logger);
+ const isValid = await wtnsCheck$1(r1csFilename, wtnsFilename, logger);
+
+ if (isValid) {
+ return 0;
+ } else {
+ return 1;
+ }
}
@@ -13020,7 +12881,7 @@ async function zkeyExportSolidityCalldata(params, options) {
} else if (proof.protocol == "plonk") {
res = await plonkExportSolidityCallData(proof, pub);
} else if (proof.protocol === "fflonk") {
- res = await fflonkExportCallDataCmd(pub, proof);
+ res = await fflonkExportCallData(pub, proof);
} else {
throw new Error("Invalid Protocol");
}
@@ -13506,7 +13367,7 @@ async function fflonkSetup(params, options) {
if (options.verbose) Logger__default["default"].setLogLevel("DEBUG");
- return await fflonkSetupCmd(r1csFilename, ptauFilename, zkeyFilename, logger);
+ return await fflonkSetup$1(r1csFilename, ptauFilename, zkeyFilename, logger);
}
@@ -13518,7 +13379,15 @@ async function fflonkProve(params, options) {
if (options.verbose) Logger__default["default"].setLogLevel("DEBUG");
- return await fflonkProveCmd(zkeyFilename, witnessFilename, publicInputsFilename, proofFilename, logger);
+ const {proof, publicSignals} = await fflonkProve$1(zkeyFilename, witnessFilename, logger);
+
+ if(undefined !== proofFilename && undefined !== publicInputsFilename) {
+ // Write the proof and the publig signals in each file
+ await bfj__default["default"].write(proofFilename, stringifyBigInts(proof), {space: 1});
+ await bfj__default["default"].write(publicInputsFilename, stringifyBigInts(publicSignals), {space: 1});
+ }
+
+ return 0;
}
async function fflonkFullProve(params, options) {
@@ -13531,7 +13400,15 @@ async function fflonkFullProve(params, options) {
if (options.verbose) Logger__default["default"].setLogLevel("DEBUG");
- return await fflonkFullProveCmd(zkeyFilename, witnessInputsFilename, wasmFilename, publicInputsFilename, proofFilename, logger);
+ const input = JSON.parse(await fs__default["default"].promises.readFile(witnessInputsFilename, "utf8"));
+
+ const {proof, publicSignals} = await fflonkFullProve$1(input, wasmFilename, zkeyFilename, logger);
+
+ // Write the proof and the publig signals in each file
+ await bfj__default["default"].write(proofFilename, stringifyBigInts(proof), {space: 1});
+ await bfj__default["default"].write(publicInputsFilename, stringifyBigInts(publicSignals), {space: 1});
+
+ return 0;
}
async function fflonkVerify(params, options) {
@@ -13541,7 +13418,11 @@ async function fflonkVerify(params, options) {
if (options.verbose) Logger__default["default"].setLogLevel("DEBUG");
- const isValid = await fflonkVerifyCmd(vkeyFilename, publicInputsFilename, proofFilename, logger);
+ const vkey = JSON.parse(fs__default["default"].readFileSync(vkeyFilename, "utf8"));
+ const publicInputs = JSON.parse(fs__default["default"].readFileSync(publicInputsFilename, "utf8"));
+ const proof = JSON.parse(fs__default["default"].readFileSync(proofFilename, "utf8"));
+
+ const isValid = await fflonkVerify$1(vkey, publicInputs, proof, logger);
return isValid ? 0 : 1;
}
diff --git a/build/main.cjs b/build/main.cjs
index 0b0f1c14..e31b84c0 100644
--- a/build/main.cjs
+++ b/build/main.cjs
@@ -11,9 +11,7 @@ var fastFile = require('fastfile');
var circom_runtime = require('circom_runtime');
var r1csfile = require('r1csfile');
var ejs = require('ejs');
-require('bfj');
var jsSha3 = require('js-sha3');
-require('fs');
function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
@@ -257,6 +255,8 @@ function stringifyBigIntsWithField(Fr, o) {
}
}
+const HEADER_ZKEY_SECTION = 1;
+
const GROTH16_PROTOCOL_ID = 1;
const PLONK_PROTOCOL_ID = 2;
const FFLONK_PROTOCOL_ID = 10;
@@ -280,7 +280,28 @@ const FFLONK_PROTOCOL_ID = 10;
snarkjs. If not, see .
*/
+// FFlonk constants
+const FF_T_POL_DEG_MIN = 3;
+
+// ZKEY constants
+const ZKEY_FF_NSECTIONS = 17;
+
const ZKEY_FF_HEADER_SECTION = 2;
+const ZKEY_FF_ADDITIONS_SECTION = 3;
+const ZKEY_FF_A_MAP_SECTION = 4;
+const ZKEY_FF_B_MAP_SECTION = 5;
+const ZKEY_FF_C_MAP_SECTION = 6;
+const ZKEY_FF_QL_SECTION = 7;
+const ZKEY_FF_QR_SECTION = 8;
+const ZKEY_FF_QM_SECTION = 9;
+const ZKEY_FF_QO_SECTION = 10;
+const ZKEY_FF_QC_SECTION = 11;
+const ZKEY_FF_SIGMA1_SECTION = 12;
+const ZKEY_FF_SIGMA2_SECTION = 13;
+const ZKEY_FF_SIGMA3_SECTION = 14;
+const ZKEY_FF_LAGRANGE_SECTION = 15;
+const ZKEY_FF_PTAU_SECTION = 16;
+const ZKEY_FF_C0_SECTION = 17;
/*
Copyright 2018 0KIMS association.
@@ -829,7 +850,7 @@ async function read(fileName) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const {stringifyBigInts: stringifyBigInts$3} = ffjavascript.utils;
+const {stringifyBigInts: stringifyBigInts$4} = ffjavascript.utils;
async function groth16Prove(zkeyFileName, witnessFileName, logger) {
const {fd: fdWtns, sections: sectionsWtns} = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1<<25, 1<<23);
@@ -943,8 +964,8 @@ async function groth16Prove(zkeyFileName, witnessFileName, logger) {
await fdZKey.close();
await fdWtns.close();
- proof = stringifyBigInts$3(proof);
- publicSignals = stringifyBigInts$3(publicSignals);
+ proof = stringifyBigInts$4(proof);
+ publicSignals = stringifyBigInts$4(publicSignals);
return {proof, publicSignals};
}
@@ -1197,10 +1218,10 @@ async function joinABC(curve, zkey, a, b, c, logger) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const { unstringifyBigInts: unstringifyBigInts$8} = ffjavascript.utils;
+const { unstringifyBigInts: unstringifyBigInts$b} = ffjavascript.utils;
async function wtnsCalculate(_input, wasmFileName, wtnsFileName, options) {
- const input = unstringifyBigInts$8(_input);
+ const input = unstringifyBigInts$b(_input);
const fdWasm = await fastFile__namespace.readExisting(wasmFileName);
const wasm = await fdWasm.read(fdWasm.totalSize);
@@ -1242,10 +1263,10 @@ async function wtnsCalculate(_input, wasmFileName, wtnsFileName, options) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$7} = ffjavascript.utils;
+const {unstringifyBigInts: unstringifyBigInts$a} = ffjavascript.utils;
async function groth16FullProve(_input, wasmFile, zkeyFileName, logger) {
- const input = unstringifyBigInts$7(_input);
+ const input = unstringifyBigInts$a(_input);
const wtns= {
type: "mem"
@@ -1272,7 +1293,7 @@ async function groth16FullProve(_input, wasmFile, zkeyFileName, logger) {
You should have received a copy of the GNU General Public License along with
snarkjs. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$6} = ffjavascript.utils;
+const {unstringifyBigInts: unstringifyBigInts$9} = ffjavascript.utils;
async function groth16Verify(_vk_verifier, _publicSignals, _proof, logger) {
/*
@@ -1282,9 +1303,9 @@ async function groth16Verify(_vk_verifier, _publicSignals, _proof, logger) {
}
*/
- const vk_verifier = unstringifyBigInts$6(_vk_verifier);
- const proof = unstringifyBigInts$6(_proof);
- const publicSignals = unstringifyBigInts$6(_publicSignals);
+ const vk_verifier = unstringifyBigInts$9(_vk_verifier);
+ const proof = unstringifyBigInts$9(_proof);
+ const publicSignals = unstringifyBigInts$9(_publicSignals);
const curve = await getCurveFromName(vk_verifier.curve);
@@ -1345,9 +1366,9 @@ async function groth16Verify(_vk_verifier, _publicSignals, _proof, logger) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const { unstringifyBigInts: unstringifyBigInts$5} = ffjavascript.utils;
+const { unstringifyBigInts: unstringifyBigInts$8} = ffjavascript.utils;
-function p256$1(n) {
+function p256$2(n) {
let nstr = n.toString(16);
while (nstr.length < 64) nstr = "0"+nstr;
nstr = `"0x${nstr}"`;
@@ -1355,19 +1376,19 @@ function p256$1(n) {
}
async function groth16ExportSolidityCallData(_proof, _pub) {
- const proof = unstringifyBigInts$5(_proof);
- const pub = unstringifyBigInts$5(_pub);
+ const proof = unstringifyBigInts$8(_proof);
+ const pub = unstringifyBigInts$8(_pub);
let inputs = "";
for (let i=0; i.
*/
-const {unstringifyBigInts: unstringifyBigInts$4} = ffjavascript.utils;
+const {unstringifyBigInts: unstringifyBigInts$7} = ffjavascript.utils;
async function wtnsDebug(_input, wasmFileName, wtnsFileName, symName, options, logger) {
- const input = unstringifyBigInts$4(_input);
+ const input = unstringifyBigInts$7(_input);
const fdWasm = await fastFile__namespace.readExisting(wasmFileName);
const wasm = await fdWasm.read(fdWasm.totalSize);
@@ -4021,32 +4042,6 @@ async function wtnsExportJson(wtnsFileName) {
along with snarkJS. If not, see .
*/
-var wtns = /*#__PURE__*/Object.freeze({
- __proto__: null,
- calculate: wtnsCalculate,
- debug: wtnsDebug,
- exportJson: wtnsExportJson
-});
-
-/*
- Copyright 2018 0KIMS association.
-
- This file is part of snarkJS.
-
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
-
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
-*/
-
async function wtnsCheck(r1csFilename, wtnsFilename, logger) {
if (logger) logger.info("WITNESS CHECKING STARTED");
@@ -4174,28 +4169,7 @@ async function wtnsCheck(r1csFilename, wtnsFilename, logger) {
}
/*
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
-
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-
-async function wtnsCheckCmd(r1csFilename, wtnsFilename, logger) {
- return await wtnsCheck(r1csFilename, wtnsFilename, logger);
-}
-
-/*
- Copyright 2022 iden3 association.
+ Copyright 2018 0KIMS association.
This file is part of snarkJS.
@@ -4213,9 +4187,12 @@ async function wtnsCheckCmd(r1csFilename, wtnsFilename, logger) {
along with snarkJS. If not, see .
*/
-var wtns_cmds = /*#__PURE__*/Object.freeze({
+var wtns = /*#__PURE__*/Object.freeze({
__proto__: null,
- wtnsCheckCmd: wtnsCheckCmd
+ calculate: wtnsCalculate,
+ debug: wtnsDebug,
+ exportJson: wtnsExportJson,
+ check: wtnsCheck
});
/*
@@ -6108,7 +6085,7 @@ async function bellmanContribute(curve, challengeFilename, responesFileName, ent
along with snarkJS. If not, see .
*/
-const {stringifyBigInts: stringifyBigInts$2} = ffjavascript.utils;
+const {stringifyBigInts: stringifyBigInts$3} = ffjavascript.utils;
async function zkeyExportVerificationKey(zkeyName, logger) {
if (logger) logger.info("EXPORT VERIFICATION KEY STARTED");
@@ -6168,7 +6145,7 @@ async function groth16Vk(zkey, fd, sections) {
}
await binFileUtils__namespace.endReadSection(fd);
- vKey = stringifyBigInts$2(vKey);
+ vKey = stringifyBigInts$3(vKey);
return vKey;
}
@@ -6200,7 +6177,7 @@ async function plonkVk(zkey) {
w: curve.Fr.toObject(curve.Fr.w[zkey.power])
};
- vKey = stringifyBigInts$2(vKey);
+ vKey = stringifyBigInts$3(vKey);
return vKey;
}
@@ -6229,7 +6206,7 @@ async function exportFFlonkVk(zkey, logger) {
C0: curve.G1.toObject(zkey.C0),
};
- return stringifyBigInts$2(vKey);
+ return stringifyBigInts$3(vKey);
}
/*
@@ -6251,7 +6228,7 @@ async function exportFFlonkVk(zkey, logger) {
along with snarkJS. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$3, stringifyBigInts: stringifyBigInts$1} = ffjavascript.utils;
+const {unstringifyBigInts: unstringifyBigInts$6, stringifyBigInts: stringifyBigInts$2} = ffjavascript.utils;
async function fflonkExportSolidityVerifier(vk, templates, logger) {
if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER STARTED");
@@ -6281,37 +6258,16 @@ async function fflonkExportSolidityVerifier(vk, templates, logger) {
return ejs__default["default"].render(template, vk);
function fromVkey(str) {
- const val = unstringifyBigInts$3(str);
+ const val = unstringifyBigInts$6(str);
return curve.Fr.fromObject(val);
}
function toVkey(val) {
const str = curve.Fr.toObject(val);
- return stringifyBigInts$1(str);
+ return stringifyBigInts$2(str);
}
}
-/*
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
-
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
-*/
-
-async function fflonkExportSolidityVerifierCmd(vk, templates, logger) {
- return fflonkExportSolidityVerifier(vk, templates, logger);
-}
-
// Not ready yet
// module.exports.generateVerifier_kimleeoh = generateVerifier_kimleeoh;
@@ -6320,7 +6276,7 @@ async function exportSolidityVerifier(zKeyName, templates, logger) {
const verificationKey = await zkeyExportVerificationKey(zKeyName, logger);
if ("fflonk" === verificationKey.protocol) {
- return fflonkExportSolidityVerifierCmd(verificationKey, templates, logger);
+ return fflonkExportSolidityVerifier(verificationKey, templates, logger);
}
let template = templates[verificationKey.protocol];
@@ -6871,8 +6827,8 @@ async function plonkSetup(r1csName, ptauName, zkeyName, logger) {
You should have received a copy of the GNU General Public License along with
snarkjs. If not, see .
*/
-const {stringifyBigInts} = ffjavascript.utils;
-const { keccak256: keccak256$1 } = jsSha3__default["default"];
+const {stringifyBigInts: stringifyBigInts$1} = ffjavascript.utils;
+const { keccak256: keccak256$2 } = jsSha3__default["default"];
async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
const {fd: fdWtns, sections: sectionsWtns} = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1<<25, 1<<23);
@@ -6979,8 +6935,8 @@ async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
delete proof.eval_t;
- proof = stringifyBigInts(proof);
- publicSignals = stringifyBigInts(publicSignals);
+ proof = stringifyBigInts$1(proof);
+ publicSignals = stringifyBigInts$1(publicSignals);
return {proof, publicSignals};
@@ -7665,7 +7621,7 @@ async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
}
function hashToFr(transcript) {
- const v = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256$1.arrayBuffer(transcript)));
+ const v = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256$2.arrayBuffer(transcript)));
return Fr.e(v);
}
@@ -7768,10 +7724,10 @@ async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$2} = ffjavascript.utils;
+const {unstringifyBigInts: unstringifyBigInts$5} = ffjavascript.utils;
async function plonkFullProve(_input, wasmFile, zkeyFileName, logger) {
- const input = unstringifyBigInts$2(_input);
+ const input = unstringifyBigInts$5(_input);
const wtns= {
type: "mem"
@@ -7798,14 +7754,14 @@ async function plonkFullProve(_input, wasmFile, zkeyFileName, logger) {
You should have received a copy of the GNU General Public License along with
snarkjs. If not, see .
*/
-const {unstringifyBigInts: unstringifyBigInts$1} = ffjavascript.utils;
-const { keccak256 } = jsSha3__default["default"];
+const {unstringifyBigInts: unstringifyBigInts$4} = ffjavascript.utils;
+const { keccak256: keccak256$1 } = jsSha3__default["default"];
async function plonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
- let vk_verifier = unstringifyBigInts$1(_vk_verifier);
- let proof = unstringifyBigInts$1(_proof);
- let publicSignals = unstringifyBigInts$1(_publicSignals);
+ let vk_verifier = unstringifyBigInts$4(_vk_verifier);
+ let proof = unstringifyBigInts$4(_proof);
+ let publicSignals = unstringifyBigInts$4(_publicSignals);
const curve = await getCurveFromName(vk_verifier.curve);
@@ -7813,7 +7769,7 @@ async function plonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
const G1 = curve.G1;
proof = fromObjectProof(curve,proof);
- vk_verifier = fromObjectVk(curve, vk_verifier);
+ vk_verifier = fromObjectVk$1(curve, vk_verifier);
if (!isWellConstructed(curve, proof)) {
logger.error("Proof is not well constructed");
return false;
@@ -7870,7 +7826,7 @@ async function plonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
logger.debug("E: " + G1.toString(G1.toAffine(E), 16));
}
- const res = await isValidPairing(curve, proof, challanges, vk_verifier, E, F);
+ const res = await isValidPairing$1(curve, proof, challanges, vk_verifier, E, F);
if (logger) {
if (res) {
@@ -7908,7 +7864,7 @@ function fromObjectProof(curve, proof) {
return res;
}
-function fromObjectVk(curve, vk) {
+function fromObjectVk$1(curve, vk) {
const G1 = curve.G1;
const G2 = curve.G2;
const Fr = curve.Fr;
@@ -8018,7 +7974,7 @@ function calculateLagrangeEvaluations(curve, challanges, vk) {
}
function hashToFr(curve, transcript) {
- const v = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256.arrayBuffer(transcript)));
+ const v = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256$1.arrayBuffer(transcript)));
return curve.Fr.e(v);
}
@@ -8159,7 +8115,7 @@ function calculateE(curve, proof, challanges, vk, t) {
return res;
}
-async function isValidPairing(curve, proof, challanges, vk, E, F) {
+async function isValidPairing$1(curve, proof, challanges, vk, E, F) {
const G1 = curve.G1;
const Fr = curve.Fr;
@@ -8199,13 +8155,13 @@ async function isValidPairing(curve, proof, challanges, vk, E, F) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
-const { unstringifyBigInts} = ffjavascript.utils;
+const { unstringifyBigInts: unstringifyBigInts$3} = ffjavascript.utils;
-function i2hex(i) {
+function i2hex$1(i) {
return ("0" + i.toString(16)).slice(-2);
}
-function p256(n) {
+function p256$1(n) {
let nstr = n.toString(16);
while (nstr.length < 64) nstr = "0"+nstr;
nstr = `"0x${nstr}"`;
@@ -8213,8 +8169,8 @@ function p256(n) {
}
async function plonkExportSolidityCallData(_proof, _pub) {
- const proof = unstringifyBigInts(_proof);
- const pub = unstringifyBigInts(_pub);
+ const proof = unstringifyBigInts$3(_proof);
+ const pub = unstringifyBigInts$3(_pub);
const curve = await getCurveFromName(proof.curve);
const G1 = curve.G1;
@@ -8223,7 +8179,7 @@ async function plonkExportSolidityCallData(_proof, _pub) {
let inputs = "";
for (let i=0; i.
+*/
+
+// We export to zkey the signals and values of the a, b, c, ql, qr, qm, qo and qc
+
+// a, b and c are signals id (32-bit integers)
+// ql, qr, qm, qo and qc are field values
+
+function getFFlonkConstantConstraint(signal1, Fr) {
+ return [signal1, 0, 0, Fr.one, Fr.zero, Fr.zero, Fr.zero, Fr.zero];
+}
+
+function getFFlonkAdditionConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc) {
+ return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
+}
+
+function getFFlonkMultiplicationConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc, Fr) {
+ return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+const LINEAR_COMBINATION_NULLABLE = 0;
+const LINEAR_COMBINATION_CONSTANT = 1;
+const LINEAR_COMBINATION_VARIABLE = 2;
+
+class r1csConstraintProcessor {
+ constructor(Fr, fnGetConstantConstraint, fnGetAdditionConstraint, fnGetMultiplicationConstraint, logger) {
+ this.Fr = Fr;
+ this.logger = logger;
+ this.fnGetAdditionConstraint = fnGetAdditionConstraint;
+ this.fnGetMultiplicationConstraint = fnGetMultiplicationConstraint;
+ }
+
+ processR1csConstraint(settings, lcA, lcB, lcC) {
+ this.normalizeLinearCombination(lcA);
+ this.normalizeLinearCombination(lcB);
+ this.normalizeLinearCombination(lcC);
+
+ const lctA = this.getLinearCombinationType(lcA);
+ const lctB = this.getLinearCombinationType(lcB);
+
+ if ((lctA === LINEAR_COMBINATION_NULLABLE) || (lctB === LINEAR_COMBINATION_NULLABLE)) {
+ return this.processR1csAdditionConstraint(settings, lcC);
+ } else if (lctA === LINEAR_COMBINATION_CONSTANT) {
+ const lcCC = this.joinLinearCombinations(lcB, lcC, lcA[0]);
+ return this.processR1csAdditionConstraint(settings, lcCC);
+ } else if (lctB === LINEAR_COMBINATION_CONSTANT) {
+ const lcCC = this.joinLinearCombinations(lcA, lcC, lcB[0]);
+ return this.processR1csAdditionConstraint(settings, lcCC);
+ } else {
+ return this.processR1csMultiplicationConstraint(settings, lcA, lcB, lcC);
+ }
+ }
+
+ getLinearCombinationType(linCom) {
+ // let k = this.Fr.zero;
+ //
+ // const signalIds = Object.keys(linCom);
+ // for (let i = 0; i < signalIds.length; i++) {
+ // if (signalIds[i] === "0") {
+ // k = this.Fr.add(k, linCom[signalIds[i]]);
+ // } else {
+ // return LINEAR_COMBINATION_VARIABLE;
+ // }
+ // }
+ //
+ // if (!this.Fr.eq(k, this.Fr.zero)) return LINEAR_COMBINATION_CONSTANT;
+ //
+ // return LINEAR_COMBINATION_NULLABLE;
+
+ let k = this.Fr.zero;
+ let n = 0;
+ const ss = Object.keys(linCom);
+ for (let i = 0; i < ss.length; i++) {
+ if (linCom[ss[i]] == 0n) {
+ delete linCom[ss[i]];
+ } else if (ss[i] == 0) {
+ k = this.Fr.add(k, linCom[ss[i]]);
+ } else {
+ n++;
+ }
+ }
+ if (n > 0) return LINEAR_COMBINATION_VARIABLE;
+ if (!this.Fr.isZero(k)) return LINEAR_COMBINATION_CONSTANT;
+ return LINEAR_COMBINATION_NULLABLE;
+ }
+
+ normalizeLinearCombination(linCom) {
+ const signalIds = Object.keys(linCom);
+ for (let i = 0; i < signalIds.length; i++) {
+ if (this.Fr.isZero(linCom[signalIds[i]])) delete linCom[signalIds[i]];
+ }
+
+ return linCom;
+ }
+
+ joinLinearCombinations(linCom1, linCom2, k) {
+ const res = {};
+
+ // for (let s in linCom1) {
+ // const val = this.Fr.mul(k, linCom1[s]);
+ // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
+ // }
+ //
+ // for (let s in linCom2) {
+ // const val = this.Fr.mul(k, linCom2[s]);
+ // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
+ // }
+
+ for (let s in linCom1) {
+ if (typeof res[s] == "undefined") {
+ res[s] = this.Fr.mul(k, linCom1[s]);
+ } else {
+ res[s] = this.Fr.add(res[s], this.Fr.mul(k, linCom1[s]));
+ }
+ }
+
+ for (let s in linCom2) {
+ if (typeof res[s] == "undefined") {
+ res[s] = linCom2[s];
+ } else {
+ res[s] = this.Fr.add(res[s], linCom2[s]);
+ }
+ }
+
+ return this.normalizeLinearCombination(res);
+ }
+
+ reduceCoefs(settings, constraintsArr, additionsArr, linCom, maxC) {
+ const res = {
+ k: this.Fr.zero,
+ signals: [],
+ coefs: []
+ };
+ const cs = [];
+
+ for (let signalId in linCom) {
+ if (signalId == 0) {
+ res.k = this.Fr.add(res.k, linCom[signalId]);
+ } else if (linCom[signalId] != 0n) {
+ cs.push([Number(signalId), linCom[signalId]]);
+ }
+ }
+
+ while (cs.length > maxC) {
+ const c1 = cs.shift();
+ const c2 = cs.shift();
+ const so = settings.nVars++;
+
+ const constraints = this.fnGetAdditionConstraint(
+ c1[0], c2[0], so,
+ this.Fr.neg(c1[1]), this.Fr.neg(c2[1]), this.Fr.zero, this.Fr.one, this.Fr.zero);
+
+ constraintsArr.push(constraints);
+ additionsArr.push([c1[0], c2[0], c1[1], c2[1]]);
+
+ cs.push([so, this.Fr.one]);
+ }
+
+ for (let i = 0; i < cs.length; i++) {
+ res.signals[i] = cs[i][0];
+ res.coefs[i] = cs[i][1];
+ }
+
+ while (res.coefs.length < maxC) {
+ res.signals.push(0);
+ res.coefs.push(this.Fr.zero);
+ }
+
+ return res;
+ }
+
+ processR1csAdditionConstraint(settings, linCom) {
+ const constraintsArr = [];
+ const additionsArr = [];
+
+ const C = this.reduceCoefs(settings, constraintsArr, additionsArr, linCom, 3);
+
+ const constraints = this.fnGetAdditionConstraint(
+ C.signals[0], C.signals[1], C.signals[2],
+ C.coefs[0], C.coefs[1], this.Fr.zero, C.coefs[2], C.k);
+
+ constraintsArr.push(constraints);
+
+ return [constraintsArr, additionsArr];
+ }
+
+ processR1csMultiplicationConstraint(settings, lcA, lcB, lcC) {
+ const constraintsArr = [];
+ const additionsArr = [];
+
+ const A = this.reduceCoefs(settings, constraintsArr, additionsArr, lcA, 1);
+ const B = this.reduceCoefs(settings, constraintsArr, additionsArr, lcB, 1);
+ const C = this.reduceCoefs(settings, constraintsArr, additionsArr, lcC, 1);
+
+ const constraints = this.fnGetMultiplicationConstraint(
+ A.signals[0], B.signals[0], C.signals[0],
+ this.Fr.mul(A.coefs[0], B.k),
+ this.Fr.mul(A.k, B.coefs[0]),
+ this.Fr.mul(A.coefs[0], B.coefs[0]),
+ this.Fr.neg(C.coefs[0]),
+ this.Fr.sub(this.Fr.mul(A.k, B.k), C.k));
+
+ constraintsArr.push(constraints);
+
+ return [constraintsArr, additionsArr];
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+class Polynomial {
+ constructor(coefficients, curve, logger) {
+ this.coef = coefficients;
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.G1 = curve.G1;
+ this.logger = logger;
+ }
+
+ static async fromEvaluations(buffer, curve, logger) {
+ let coefficients = await curve.Fr.ifft(buffer);
+
+ return new Polynomial(coefficients, curve, logger);
+ }
+
+ static fromCoefficientsArray(array, curve, logger) {
+ const Fr = curve.Fr;
+ let buff = array.length > 2 << 14 ?
+ new ffjavascript.BigBuffer(array.length * Fr.n8) : new Uint8Array(array.length * Fr.n8);
+ for (let i = 0; i < array.length; i++) buff.set(array[i], i * Fr.n8);
+
+ return new Polynomial(buff, curve, logger);
+ }
+
+ static fromPolynomial(polynomial, curve, logger) {
+ let length = polynomial.length();
+ let Fr = curve.Fr;
+
+ let buff = length > 2 << 14 ?
+ new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ buff.set(polynomial.coef.slice(), 0);
+
+ return new Polynomial(buff, curve, logger);
+ }
+
+ isEqual(polynomial) {
+ const degree = this.degree();
+ if (degree !== polynomial.degree()) return false;
+
+ for (let i = 0; i < degree + 1; i++) {
+ if (!this.Fr.eq(this.getCoef(i), polynomial.getCoef(i))) return false;
+ }
+
+ return true;
+ }
+
+ blindCoefficients(blindingFactors) {
+ blindingFactors = blindingFactors || [];
+
+ const blindedCoefficients = (this.length() + blindingFactors.length) > 2 << 14 ?
+ new ffjavascript.BigBuffer((this.length() + blindingFactors.length) * this.Fr.n8) :
+ new Uint8Array((this.length() + blindingFactors.length) * this.Fr.n8);
+
+ blindedCoefficients.set(this.coef, 0);
+ for (let i = 0; i < blindingFactors.length; i++) {
+ blindedCoefficients.set(
+ this.Fr.add(
+ blindedCoefficients.slice((this.length() + i) * this.Fr.n8, (this.length() + i + 1) * this.Fr.n8),
+ blindingFactors[i]
+ ),
+ (this.length() + i) * this.Fr.n8
+ );
+ blindedCoefficients.set(
+ this.Fr.sub(
+ blindedCoefficients.slice(i * this.Fr.n8, (i + 1) * this.Fr.n8),
+ blindingFactors[i]
+ ),
+ i * this.Fr.n8
+ );
+ }
+ this.coef = blindedCoefficients;
+ }
+
+ getCoef(index) {
+ const i_n8 = index * this.Fr.n8;
+
+ if (i_n8 + this.Fr.n8 > this.coef.byteLength) return this.Fr.zero;
+
+ return this.coef.slice(i_n8, i_n8 + this.Fr.n8);
+ }
+
+ setCoef(index, value) {
+ if (index > (this.length() - 1)) {
+ throw new Error("Coef index is not available");
+ }
+
+ this.coef.set(value, index * this.Fr.n8);
+ }
+
+ static async to4T(buffer, domainSize, blindingFactors, Fr) {
+ blindingFactors = blindingFactors || [];
+ let a = await Fr.ifft(buffer);
+
+ const a4 = (domainSize * 4) > 2 << 14 ?
+ new ffjavascript.BigBuffer(domainSize * 4 * Fr.n8) : new Uint8Array(domainSize * 4 * Fr.n8);
+ a4.set(a, 0);
+
+ const A4 = await Fr.fft(a4);
+
+ if (blindingFactors.length === 0) {
+ return [a, A4];
+ }
+
+ const a1 = domainSize + blindingFactors.length > 2 << 14 ?
+ new ffjavascript.BigBuffer((domainSize + blindingFactors.length) * Fr.n8) :
+ new Uint8Array((domainSize + blindingFactors.length) * Fr.n8);
+
+ a1.set(a, 0);
+ for (let i = 0; i < blindingFactors.length; i++) {
+ a1.set(
+ Fr.add(
+ a1.slice((domainSize + i) * Fr.n8, (domainSize + i + 1) * Fr.n8),
+ blindingFactors[i]
+ ),
+ (domainSize + i) * Fr.n8
+ );
+ a1.set(
+ Fr.sub(
+ a1.slice(i * Fr.n8, (i + 1) * Fr.n8),
+ blindingFactors[i]
+ ),
+ i * Fr.n8
+ );
+ }
+
+ return [a1, A4];
+ }
+
+ length() {
+ let length = this.coef.byteLength / this.Fr.n8;
+ if (length !== Math.floor(this.coef.byteLength / this.Fr.n8)) {
+ throw new Error("Polynomial coefficients buffer has incorrect size");
+ }
+ if (0 === length) {
+ if (this.logger) {
+ this.logger.warn("Polynomial has length zero");
+ }
+ }
+ return length;
+ }
+
+ degree() {
+ for (let i = this.length() - 1; i > 0; i--) {
+ const i_n8 = i * this.Fr.n8;
+ if (!this.Fr.eq(this.Fr.zero, this.coef.slice(i_n8, i_n8 + this.Fr.n8))) {
+ return i;
+ }
+ }
+
+ return 0;
+ }
+
+ evaluate(point) {
+ let res = this.Fr.zero;
+
+ for (let i = this.degree() + 1; i > 0; i--) {
+ let i_n8 = i * this.Fr.n8;
+ const currentCoefficient = this.coef.slice(i_n8 - this.Fr.n8, i_n8);
+ res = this.Fr.add(currentCoefficient, this.Fr.mul(res, point));
+ }
+
+ return res;
+ }
+
+ fastEvaluate(point) {
+ const Fr = this.Fr;
+ let nThreads = 3;
+
+ let nCoefs = this.degree() + 1;
+ let coefsThread = parseInt(nCoefs / nThreads);
+ let residualCoefs = nCoefs - coefsThread * nThreads;
+
+ let res = [];
+ let xN = [];
+
+ xN[0] = Fr.one;
+
+ for (let i = 0; i < nThreads; i++) {
+ res[i] = Fr.zero;
+
+ let nCoefs = i === (nThreads - 1) ? coefsThread + residualCoefs : coefsThread;
+ for (let j = nCoefs; j > 0; j--) {
+ res[i] = Fr.add(this.getCoef((i * coefsThread) + j - 1), Fr.mul(res[i], point));
+
+ if (i === 0) xN[0] = Fr.mul(xN[0], point);
+ }
+ }
+
+ for (let i = 1; i < nThreads; i++) {
+ res[0] = Fr.add(res[0], Fr.mul(xN[i - 1], res[i]));
+ xN[i] = Fr.mul(xN[i - 1], xN[0]);
+ }
+
+ return res[0];
+ }
+
+ add(polynomial, blindingValue) {
+ let other = false;
+
+ if (polynomial.length() > this.length()) {
+ other = true;
+ }
+
+ const thisLength = this.length();
+ const polyLength = polynomial.length();
+ for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+ let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+
+ if (blindingValue !== undefined) {
+ b = this.Fr.mul(b, blindingValue);
+ }
+ if (other) {
+ polynomial.coef.set(this.Fr.add(a, b), i_n8);
+ } else {
+ this.coef.set(this.Fr.add(a, b), i_n8);
+ }
+ }
+ if (other) {
+ delete this.coef;
+ this.coef = polynomial.coef;
+ }
+ }
+
+ sub(polynomial, blindingValue) {
+ let other = false;
+
+ if (polynomial.length() > this.length()) {
+ other = true;
+ }
+
+ const thisLength = this.length();
+ const polyLength = polynomial.length();
+ for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+ let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+
+ if (blindingValue !== undefined) {
+ b = this.Fr.mul(b, blindingValue);
+ }
+ if (other) {
+ polynomial.coef.set(this.Fr.sub(a, b), i_n8);
+ } else {
+ this.coef.set(this.Fr.sub(a, b), i_n8);
+ }
+ }
+ if (other) {
+ delete this.coef;
+ this.coef = polynomial.coef;
+ }
+ }
+
+ mulScalar(value) {
+ for (let i = 0; i < this.length(); i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ this.coef.set(this.Fr.mul(this.coef.slice(i_n8, i_n8 + this.Fr.n8), value), i_n8);
+ }
+ }
+
+ addScalar(value) {
+ const currentValue = 0 === this.length() ? this.Fr.zero : this.coef.slice(0, this.Fr.n8);
+ this.coef.set(this.Fr.add(currentValue, value), 0);
+ }
+
+ subScalar(value) {
+ const currentValue = 0 === this.length() ? this.Fr.zero : this.coef.slice(0, this.Fr.n8);
+ this.coef.set(this.Fr.sub(currentValue, value), 0);
+ }
+
+ // Multiply current polynomial by the polynomial (X - value)
+ byXSubValue(value) {
+ const Fr = this.Fr;
+ const resize = !Fr.eq(Fr.zero, this.getCoef(this.length() - 1));
+
+ const length = resize ? this.length() + 1 : this.length();
+ const buff = length > 2 << 14 ? new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ let pol = new Polynomial(buff, this.curve, this.logger);
+
+ // Step 0: Set current coefficients to the new buffer shifted one position
+ pol.coef.set(this.coef.slice(0, (length - 1) * Fr.n8), 32);
+
+ // Step 1: multiply each coefficient by (-value)
+ this.mulScalar(Fr.neg(value));
+
+ // Step 2: Add current polynomial to destination polynomial
+ pol.add(this);
+
+ // Swap buffers
+ this.coef = pol.coef;
+ }
+
+ // Multiply current polynomial by the polynomial (X^n + value)
+ byXNSubValue(n, value) {
+ const Fr = this.Fr;
+ const resize = !(this.length() - n - 1 >= this.degree());
+
+ const length = resize ? this.length() + n : this.length();
+ const buff = length > 2 << 14 ? new ffjavascript.BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ let pol = new Polynomial(buff, this.curve, this.logger);
+
+ // Step 0: Set current coefficients to the new buffer shifted one position
+ pol.coef.set(this.coef.slice(0, (this.degree() + 1) * 32, ), n * 32);
+
+ // Step 1: multiply each coefficient by (- value)
+ this.mulScalar(value);
+
+ // Step 2: Add current polynomial to destination polynomial
+ pol.add(this);
+
+ // Swap buffers
+ this.coef = pol.coef;
+ }
+
+ // Euclidean division
+ divBy(polynomial) {
+ const Fr = this.Fr;
+ const degreeA = this.degree();
+ const degreeB = polynomial.degree();
+
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
+
+ this.coef = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+
+ for (let i = degreeA - degreeB; i >= 0; i--) {
+ this.setCoef(i, Fr.div(polR.getCoef(i + degreeB), polynomial.getCoef(degreeB)));
+ for (let j = 0; j <= degreeB; j++) {
+ polR.setCoef(i + j, Fr.sub(polR.getCoef(i + j), Fr.mul(this.getCoef(i), polynomial.getCoef(j))));
+ }
+ }
+
+ return polR;
+ }
+
+ // Division by a Polynomial of the form (x^m - beta)
+ divByMonic(m, beta) {
+ const Fr = this.Fr;
+
+ let d = this.degree();
+
+ let buffer = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+ let quotient = new Polynomial(buffer, this.curve, this.logger);
+
+ let bArr = [];
+
+ // Add the m leading coefficients of this to quotient
+ for (let i = 0; i < m; i++) {
+ quotient.setCoef((d - i) - m, this.getCoef(d - i));
+ bArr[i] = this.getCoef(d - i);
+ }
+
+ let nThreads = m;
+ for (let k = 0; k < nThreads; k++) {
+ for (let i = d - 2 * m - k; i >= 0; i = i - nThreads) {
+ if (i < 0) break;
+ let idx = k;
+ bArr[idx] = Fr.add(this.getCoef(i + m), Fr.mul(bArr[idx], beta));
+
+ quotient.setCoef(i, bArr[idx]);
+ }
+ }
+
+ this.coef = quotient.coef;
+ }
+
+ divByVanishing(n, beta) {
+ if (this.degree() < n) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
+
+ const Fr = this.Fr;
+
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
+
+ this.coef = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+
+ for (let i = this.length() - 1; i >= n; i--) {
+ let leadingCoef = polR.getCoef(i);
+ if (Fr.eq(Fr.zero, leadingCoef)) continue;
+
+ polR.setCoef(i, Fr.zero);
+ polR.setCoef(i - n, Fr.add(polR.getCoef(i - n), Fr.mul(beta, leadingCoef)));
+ this.setCoef(i - n, Fr.add(this.getCoef(i - n), leadingCoef));
+ }
+
+ return polR;
+ }
+
+ divByVanishing2(m, beta) {
+ if (this.degree() < m) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
+
+ const Fr = this.Fr;
+
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
+
+ this.coef = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+
+ let nThreads = 3;
+ let nTotal = this.length() - m;
+ let nElementsChunk = Math.floor(nTotal / nThreads);
+ let nElementsLast = nTotal - (nThreads - 1) * nElementsChunk;
+
+ console.log(nTotal);
+ console.log(nElementsChunk + " " + nElementsLast);
+ for (let k = 0; k < nThreads; k++) {
+ console.log("> Thread " + k);
+ for (let i = (k === 0 ? nElementsLast : nElementsChunk); i > 0; i--) {
+ let idxDst = i - 1;
+ if (k !== 0) idxDst += (k - 1) * nElementsChunk + nElementsLast;
+ let idxSrc = idxDst + m;
+
+ let leadingCoef = polR.getCoef(idxSrc);
+ if (Fr.eq(Fr.zero, leadingCoef)) continue;
+
+ polR.setCoef(idxSrc, Fr.zero);
+ polR.setCoef(idxDst, Fr.add(polR.getCoef(idxDst), Fr.mul(beta, leadingCoef)));
+ this.setCoef(idxDst, Fr.add(this.getCoef(idxDst), leadingCoef));
+ console.log(idxDst + " <-- " + idxSrc);
+ }
+ }
+
+ this.print();
+ return polR;
+ }
+
+ fastDivByVanishing(data) {
+ const Fr = this.Fr;
+
+ for (let i = 0; i < data.length; i++) {
+
+ let m = data[i][0];
+ let beta = data[i][1];
+
+ if (this.degree() < m) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
+
+ let nThreads = 5;
+ let nElements = this.length() - m;
+ let nElementsBucket = Math.floor(nElements / nThreads / m);
+ let nElementsChunk = nElementsBucket * m;
+ let nElementsLast = nElements - nThreads * nElementsChunk;
+
+ //In C++ implementation this buffer will be allocated only once outside the loop
+ let polTmp = new Polynomial(this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8), this.curve, this.logger);
+
+ let ptr = this.coef;
+ this.coef = polTmp.coef;
+ polTmp.coef = ptr;
+
+ // STEP 1: Setejar els m valors del següent bucket al chunk actual, PARALEL·LITZAR
+ for (let k = 0; k < nThreads; k++) {
+ let idx0 = (k + 1) * nElementsChunk + nElementsLast;
+ for (let i = 0; i < m; i++) {
+ this.setCoef(idx0 + i - m, polTmp.getCoef(idx0 + i));
+ }
+
+ for (let i = 0; i < nElementsChunk - m; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
+ this.setCoef(offset - m, val);
+ }
+ }
+
+ //STEP 2: Setejar els valors del elements last NO PARAL·LELITZAR
+ let idx0 = nElementsLast;
+ let pending = nElementsLast;
+ for (let i = 0; i < m && pending; i++) {
+ this.setCoef(idx0 - i - 1, polTmp.getCoef(idx0 + m - i - 1));
+ pending--;
+ }
+
+ for (let i = 0; i < pending; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
+ this.setCoef(offset - m, val);
+ }
+
+ //Step 3: calcular acumulats NO PARALEL·LITZAR
+
+ let acc = [];
+ let betaPow = Fr.one;
+ for (let i = 0; i < nElementsBucket; i++) {
+ betaPow = Fr.mul(betaPow, beta);
+ }
+ let currentBeta = Fr.one;
+
+ for (let k = nThreads; k > 0; k--) {
+ let idThread = k - 1;
+ let idx0 = idThread * nElementsChunk + nElementsLast;
+ acc[idThread] = [];
+
+ for (let i = 0; i < m; i++) {
+ acc[idThread][i] = this.getCoef(idx0 + i);
+
+ if (k !== nThreads) {
+ acc[idThread][i] = Fr.add(acc[idThread][i], Fr.mul(betaPow, acc[idThread + 1][i]));
+ }
+ }
+ currentBeta = Fr.mul(currentBeta, betaPow);
+ }
+
+ //STEP 4 recalcular PARALEL·LITZAR
+ for (let k = 0; k < nThreads; k++) {
+
+ let idx0 = k * nElementsChunk + nElementsLast;
+ let currentBeta = beta; //Quan hopassem a C++ i ho paralelitzem aquesta variable ha de ser privada
+ let currentM = m - 1;
+
+ let limit = k === 0 ? nElementsLast : nElementsChunk;
+ for (let i = 0; i < limit; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(this.getCoef(offset), Fr.mul(currentBeta, acc[k][currentM]));
+
+ this.setCoef(offset, val);
+
+ // To avoid modular operations in each loop...
+ if (currentM === 0) {
+ currentM = m - 1;
+ currentBeta = Fr.mul(currentBeta, beta);
+ } else {
+ currentM--;
+ }
+ }
+ }
+ }
+ }
+
+
+ // Divide polynomial by X - value
+ divByXSubValue(value) {
+ const coefs = this.length() > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.length() * this.Fr.n8) : new Uint8Array(this.length() * this.Fr.n8);
+
+ coefs.set(this.Fr.zero, (this.length() - 1) * this.Fr.n8);
+ coefs.set(this.coef.slice((this.length() - 1) * this.Fr.n8, this.length() * this.Fr.n8), (this.length() - 2) * this.Fr.n8);
+ for (let i = this.length() - 3; i >= 0; i--) {
+ let i_n8 = i * this.Fr.n8;
+ coefs.set(
+ this.Fr.add(
+ this.coef.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8),
+ this.Fr.mul(value, coefs.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8))
+ ),
+ i * this.Fr.n8
+ );
+ }
+ if (!this.Fr.eq(
+ this.coef.slice(0, this.Fr.n8),
+ this.Fr.mul(this.Fr.neg(value), coefs.slice(0, this.Fr.n8))
+ )) {
+ throw new Error("Polynomial does not divide");
+ }
+
+ this.coef = coefs;
+ }
+
+ divZh(domainSize, extensions = 4) {
+ for (let i = 0; i < domainSize; i++) {
+ const i_n8 = i * this.Fr.n8;
+ this.coef.set(this.Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8)), i_n8);
+ }
+
+ for (let i = domainSize; i < domainSize * extensions; i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ const a = this.Fr.sub(
+ this.coef.slice((i - domainSize) * this.Fr.n8, (i - domainSize) * this.Fr.n8 + this.Fr.n8),
+ this.coef.slice(i_n8, i_n8 + this.Fr.n8)
+ );
+ this.coef.set(a, i_n8);
+ if (i > (domainSize * (extensions-1) - extensions)) {
+ if (!this.Fr.isZero(a)) {
+ throw new Error("Polynomial is not divisible");
+ }
+ }
+ }
+
+ return this;
+ }
+
+ divByZerofier(n, beta) {
+ let Fr = this.Fr;
+ const invBeta = Fr.inv(beta);
+ const invBetaNeg = Fr.neg(invBeta);
+
+ let isOne = Fr.eq(Fr.one, invBetaNeg);
+ let isNegOne = Fr.eq(Fr.negone, invBetaNeg);
+
+ if (!isOne) {
+ for (let i = 0; i < n; i++) {
+ const i_n8 = i * this.Fr.n8;
+ let element;
+
+ // If invBetaNeg === -1 we'll save a multiplication changing it by a neg function call
+ if (isNegOne) {
+ element = Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8));
+ } else {
+ element = Fr.mul(invBetaNeg, this.coef.slice(i_n8, i_n8 + this.Fr.n8));
+ }
+
+ this.coef.set(element, i_n8);
+ }
+ }
+
+ isOne = Fr.eq(Fr.one, invBeta);
+ isNegOne = Fr.eq(Fr.negone, invBeta);
+
+ for (let i = n; i < this.length(); i++) {
+ const i_n8 = i * this.Fr.n8;
+ const i_prev_n8 = (i - n) * this.Fr.n8;
+
+ let element = this.Fr.sub(
+ this.coef.slice(i_prev_n8, i_prev_n8 + this.Fr.n8),
+ this.coef.slice(i_n8, i_n8 + this.Fr.n8)
+ );
+
+ // If invBeta === 1 we'll not do anything
+ if(!isOne) {
+ // If invBeta === -1 we'll save a multiplication changing it by a neg function call
+ if(isNegOne) {
+ element = Fr.neg(element);
+ } else {
+ element = Fr.mul(invBeta, element);
+ }
+ }
+
+ this.coef.set(element, i_n8);
+
+ // Check if polynomial is divisible by checking if n high coefficients are zero
+ if (i > this.length() - n - 1) {
+ if (!this.Fr.isZero(element)) {
+ throw new Error("Polynomial is not divisible");
+ }
+ }
+ }
+
+ return this;
+ }
+
+// function divideByVanishing(f, n, p) {
+// // polynomial division f(X) / (X^n - 1) with remainder
+// // very cheap, 0 multiplications
+// // strategy:
+// // start with q(X) = 0, r(X) = f(X)
+// // then start changing q, r while preserving the identity:
+// // f(X) = q(X) * (X^n - 1) + r(X)
+// // in every step, move highest-degree term of r into the product
+// // => r eventually has degree < n and we're done
+// let q = Array(f.length).fill(0n);
+// let r = [...f];
+// for (let i = f.length - 1; i >= n; i--) {
+// let leadingCoeff = r[i];
+// if (leadingCoeff === 0n) continue;
+// r[i] = 0n;
+// r[i - n] = mod(r[i - n] + leadingCoeff, p);
+// q[i - n] = mod(q[i - n] + leadingCoeff, p);
+// }
+// return [q, r];
+// }
+
+ byX() {
+ const coefs = (this.length() + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer(this.coef.byteLength + this.Fr.n8) : new Uint8Array(this.coef.byteLength + this.Fr.n8);
+ coefs.set(this.Fr.zero, 0);
+ coefs.set(this.coef, this.Fr.n8);
+
+ this.coef = coefs;
+ }
+
+// Compute a new polynomial f(x^n) from f(x)
+// f(x) = a_0 + a_1·x + a_2·x^2 + ... + a_j·x^j
+// f(x^n) = a_0 + a_1·x^n + a_2·x^2n + ... + a_j·x^jn
+ static
+ async expX(polynomial, n, truncate = false) {
+ const Fr = polynomial.Fr;
+
+ if (n < 1) {
+ // n == 0 not allowed because it has no sense, but if it's necessary we have to return
+ // a zero degree polynomial with a constant coefficient equals to the sum of all the original coefficients
+ throw new Error("Compute a new polynomial to a zero or negative number is not allowed");
+ } else if (1 === n) {
+ return await Polynomial.fromEvaluations(polynomial.coef, curve, polynomial.logger);
+ }
+
+ // length is the length of non-constant coefficients
+ // if truncate === true, the highest zero coefficients (if exist) will be removed
+ const length = truncate ? polynomial.degree() : (polynomial.length() - 1);
+ const bufferDst = (length * n + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer((length * n + 1) * Fr.n8) : new Uint8Array((length * n + 1) * Fr.n8);
+
+ // Copy constant coefficient as is because is not related to x
+ bufferDst.set(polynomial.getCoef(0), 0);
+
+ for (let i = 1; i <= length; i++) {
+ const i_sFr = i * Fr.n8;
+
+ const coef = polynomial.getCoef(i);
+ bufferDst.set(coef, i_sFr * n);
+ }
+
+ return new Polynomial(bufferDst, polynomial.curve, polynomial.logger);
+ }
+
+ split(numPols, degPols, blindingFactors) {
+ if (numPols < 1) {
+ throw new Error(`Polynomials can't be split in ${numPols} parts`);
+ } else if (1 === numPols) {
+ return [this];
+ }
+
+ //blinding factors can be void or must have a length of numPols - 1
+ if (0 !== blindingFactors.length && blindingFactors.length < numPols - 1) {
+ throw new Error(`Blinding factors length must be ${numPols - 1}`);
+ }
+
+ const chunkByteLength = (degPols + 1) * this.Fr.n8;
+ let res = [];
+
+ // Check polynomial can be split in numChunks parts of chunkSize bytes...
+ const numRealPols = Math.ceil((this.degree() + 1) * this.Fr.n8 / chunkByteLength);
+ if (numRealPols < numPols) {
+ //throw new Error(`Polynomial is short to be split in ${numPols} parts of ${degPols} coefficients each.`);
+ for (let i = numRealPols; i < numPols; i++) {
+ res[i] = new Polynomial(new Uint8Array(this.Fr.n8), this.curve, this.logger);
+ }
+ }
+
+ numPols = Math.min(numPols, numRealPols);
+ for (let i = 0; i < numPols; i++) {
+ const isLast = (numPols - 1) === i;
+ const byteLength = isLast ? this.coef.byteLength - ((numPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
+
+ let buff = (byteLength / this.Fr.n8) > 2 << 14 ? new ffjavascript.BigBuffer(byteLength) : new Uint8Array(byteLength);
+ res[i] = new Polynomial(buff, this.curve, this.logger);
+
+ const fr = i * chunkByteLength;
+ const to = isLast ? this.coef.byteLength : (i + 1) * chunkByteLength;
+ res[i].coef.set(this.coef.slice(fr, to), 0);
+
+ // Add a blinding factor as higher degree
+ if (!isLast) {
+ res[i].coef.set(blindingFactors[i], chunkByteLength);
+ }
+
+ // Sub blinding factor to the lowest degree
+ if (0 !== i) {
+ const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
+ res[i].coef.set(lowestDegree, 0);
+ }
+
+ if (isLast) {
+ res[i].truncate();
+ }
+ }
+
+ return res;
+
+ // // compute t_low(X)
+ // let polTLow = new BigBuffer((chunkSize + 1) * n8r);
+ // polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
+ // // Add blinding scalar b_10 as a new coefficient n
+ // polTLow.set(ch.b[10], zkey.domainSize * n8r);
+ //
+ // // compute t_mid(X)
+ // let polTMid = new BigBuffer((zkey.domainSize + 1) * n8r);
+ // polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
+ // // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
+ // const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
+ // polTMid.set(lowestMid, 0);
+ // // Add blinding scalar b_11 as a new coefficient n
+ // polTMid.set(ch.b[11], zkey.domainSize * n8r);
+ //
+ // // compute t_high(X)
+ // let polTHigh = new BigBuffer((zkey.domainSize + 6) * n8r);
+ // polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
+ // //Subtract blinding scalar b_11 to the lowest coefficient of t_high
+ // const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
+ // polTHigh.set(lowestHigh, 0);
+ //
+ // proof.T1 = await expTau(polTLow, "multiexp T1");
+ // proof.T2 = await expTau(polTMid, "multiexp T2");
+ // proof.T3 = await expTau(polTHigh, "multiexp T3");
+ }
+
+// split2(degPols, blindingFactors) {
+// let currentDegree = this.degree();
+// const numFilledPols = Math.ceil((currentDegree + 1) / (degPols + 1));
+//
+// //blinding factors can be void or must have a length of numPols - 1
+// if (0 !== blindingFactors.length && blindingFactors.length < numFilledPols - 1) {
+// throw new Error(`Blinding factors length must be ${numFilledPols - 1}`);
+// }
+//
+// const chunkByteLength = (degPols + 1) * this.Fr.n8;
+//
+// // Check polynomial can be split in numChunks parts of chunkSize bytes...
+// if (this.coef.byteLength / chunkByteLength <= numFilledPols - 1) {
+// throw new Error(`Polynomial is short to be split in ${numFilledPols} parts of ${degPols} coefficients each.`);
+// }
+//
+// let res = [];
+// for (let i = 0; i < numFilledPols; i++) {
+// const isLast = (numFilledPols - 1) === i;
+// const byteLength = isLast ? (currentDegree + 1) * this.Fr.n8 - ((numFilledPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
+//
+// res[i] = new Polynomial(new BigBuffer(byteLength), this.Fr, this.logger);
+// const fr = i * chunkByteLength;
+// const to = isLast ? (currentDegree + 1) * this.Fr.n8 : (i + 1) * chunkByteLength;
+// res[i].coef.set(this.coef.slice(fr, to), 0);
+//
+// // Add a blinding factor as higher degree
+// if (!isLast) {
+// res[i].coef.set(blindingFactors[i], chunkByteLength);
+// }
+//
+// // Sub blinding factor to the lowest degree
+// if (0 !== i) {
+// const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
+// res[i].coef.set(lowestDegree, 0);
+// }
+// }
+//
+// return res;
+// }
+
+// merge(pols, overlap = true) {
+// let length = 0;
+// for (let i = 0; i < pols.length; i++) {
+// length += pols[i].length();
+// }
+//
+// if (overlap) {
+// length -= pols.length - 1;
+// }
+//
+// let res = new Polynomial(new BigBuffer(length * this.Fr.n8));
+// for (let i = 0; i < pols.length; i++) {
+// const byteLength = pols[i].coef.byteLength;
+// if (0 === i) {
+// res.coef.set(pols[i].coef, 0);
+// } else {
+//
+// }
+// }
+//
+// return res;
+// }
+
+ truncate() {
+ const deg = this.degree();
+ if (deg + 1 < this.coef.byteLength / this.Fr.n8) {
+ const newCoefs = (deg + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer((deg + 1) * this.Fr.n8) : new Uint8Array((deg + 1) * this.Fr.n8);
+
+ newCoefs.set(this.coef.slice(0, (deg + 1) * this.Fr.n8), 0);
+ this.coef = newCoefs;
+ }
+ }
+
+ static lagrangePolynomialInterpolation(xArr, yArr, curve) {
+ const Fr = curve.Fr;
+ let polynomial = computeLagrangePolynomial(0);
+ for (let i = 1; i < xArr.length; i++) {
+ polynomial.add(computeLagrangePolynomial(i));
+ }
+
+ return polynomial;
+
+ function computeLagrangePolynomial(i) {
+ let polynomial;
+
+ for (let j = 0; j < xArr.length; j++) {
+ if (j === i) continue;
+
+ if (polynomial === undefined) {
+ let buff = (xArr.length) > 2 << 14 ?
+ new ffjavascript.BigBuffer((xArr.length) * Fr.n8) : new Uint8Array((xArr.length) * Fr.n8);
+ polynomial = new Polynomial(buff, curve);
+ polynomial.setCoef(0, Fr.neg(xArr[j]));
+ polynomial.setCoef(1, Fr.one);
+ } else {
+ polynomial.byXSubValue(xArr[j]);
+ }
+ }
+
+ let denominator = polynomial.evaluate(xArr[i]);
+ denominator = Fr.inv(denominator);
+ const mulFactor = Fr.mul(yArr[i], denominator);
+
+ polynomial.mulScalar(mulFactor);
+
+ return polynomial;
+ }
+ }
+
+ static zerofierPolynomial(xArr, curve) {
+ const Fr = curve.Fr;
+ let buff = (xArr.length + 1) > 2 << 14 ?
+ new ffjavascript.BigBuffer((xArr.length + 1) * Fr.n8) : new Uint8Array((xArr.length + 1) * Fr.n8);
+ let polynomial = new Polynomial(buff, curve);
+
+ // Build a zerofier polynomial with the following form:
+ // zerofier(X) = (X-xArr[0])(X-xArr[1])...(X-xArr[n])
+ polynomial.setCoef(0, Fr.neg(xArr[0]));
+ polynomial.setCoef(1, Fr.one);
+
+ for (let i = 1; i < xArr.length; i++) {
+ polynomial.byXSubValue(xArr[i]);
+ }
+
+ return polynomial;
+ }
+
+ print() {
+ const Fr = this.Fr;
+ let res = "";
+ for (let i = this.degree(); i >= 0; i--) {
+ const coef = this.getCoef(i);
+ if (!Fr.eq(Fr.zero, coef)) {
+ if (Fr.isNegative(coef)) {
+ res += " - ";
+ } else if (i !== this.degree()) {
+ res += " + ";
+ }
+ res += Fr.toString(coef);
+ if (i > 0) {
+ res += i > 1 ? "x^" + i : "x";
+ }
+ }
+ }
+ console.log(res);
+ }
+
+ async multiExponentiation(PTau, name) {
+ const n = this.coef.byteLength / this.Fr.n8;
+ const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
+ const bm = await this.Fr.batchFromMontgomery(this.coef);
+ let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
+ res = this.G1.toAffine(res);
+ return res;
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+class Evaluations {
+ constructor(evaluations, curve, logger) {
+ this.eval = evaluations;
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.logger = logger;
+ }
+
+ static async fromPolynomial(polynomial, extension, curve, logger) {
+ const coefficientsN = new ffjavascript.BigBuffer(polynomial.length() * extension * curve.Fr.n8);
+ coefficientsN.set(polynomial.coef, 0);
+
+ const evaluations = await curve.Fr.fft(coefficientsN);
+
+ return new Evaluations(evaluations, curve, logger);
+ }
+
+ getEvaluation(index) {
+ const i_n8 = index * this.Fr.n8;
+
+ if (i_n8 + this.Fr.n8 > this.eval.byteLength) {
+ throw new Error("Evaluations.getEvaluation() out of bounds");
+ }
+
+ return this.eval.slice(i_n8, i_n8 + this.Fr.n8);
+ }
+
+ length() {
+ let length = this.eval.byteLength / this.Fr.n8;
+ if (length !== Math.floor(this.eval.byteLength / this.Fr.n8)) {
+ throw new Error("Polynomial evaluations buffer has incorrect size");
+ }
+ if (0 === length) {
+ this.logger.warn("Polynomial has length zero");
+ }
+ return length;
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+class CPolynomial {
+ constructor(n, curve, logger) {
+ this.n = n;
+ this.polynomials = Array(n).fill(undefined);
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.G1 = curve.G1;
+ this.logger = logger;
+ }
+
+ addPolynomial(position, polynomial) {
+ if (position > this.n - 1) {
+ throw new Error("CPolynomial:addPolynomial, cannot add a polynomial to a position greater than n-1");
+ }
+
+ this.polynomials[position] = polynomial;
+ }
+
+ degree() {
+ let degrees = this.polynomials.map(
+ (polynomial, index) => polynomial === undefined ? 0 : polynomial.degree() * this.n + index);
+ return Math.max(...degrees);
+ }
+
+ getPolynomial() {
+ let degrees = this.polynomials.map(polynomial => polynomial === undefined ? 0 : polynomial.degree());
+ const maxDegree = this.degree();
+ const lengthBuffer = 2 ** (log2(maxDegree - 1) + 1);
+ const sFr = this.Fr.n8;
+
+ let polynomial = new Polynomial(new ffjavascript.BigBuffer(lengthBuffer * sFr), this.curve, this.logger);
+
+ for (let i = 0; i < maxDegree; i++) {
+ const i_n8 = i * sFr;
+ const i_sFr = i_n8 * this.n;
+
+ for (let j = 0; j < this.n; j++) {
+ if (this.polynomials[j] !== undefined) {
+ if (i <= degrees[j]) polynomial.coef.set(this.polynomials[j].coef.slice(i_n8, i_n8 + sFr), i_sFr + j * sFr);
+ }
+ }
+ }
+
+ return polynomial;
+ }
+
+ async multiExponentiation(PTau, name) {
+ let polynomial = this.getPolynomial();
+ const n = polynomial.coef.byteLength / this.Fr.n8;
+ const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
+ const bm = await this.Fr.batchFromMontgomery(polynomial.coef);
+ let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
+ res = this.G1.toAffine(res);
+ return res;
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+
+async function fflonkSetup(r1csFilename, ptauFilename, zkeyFilename, logger) {
+ if (logger) logger.info("FFLONK SETUP STARTED");
+
+ if (globalThis.gc) globalThis.gc();
+
+ // Read PTau file
+ if (logger) logger.info("> Reading PTau file");
+ const {fd: fdPTau, sections: pTauSections} = await binFileUtils.readBinFile(ptauFilename, "ptau", 1, 1 << 22, 1 << 24);
+ if (!pTauSections[12]) {
+ throw new Error("Powers of Tau is not well prepared. Section 12 missing.");
+ }
+
+ // Get curve defined in PTau
+ if (logger) logger.info("> Getting curve from PTau settings");
+ const {curve} = await readPTauHeader(fdPTau, pTauSections);
+
+ // Read r1cs file
+ if (logger) logger.info("> Reading r1cs file");
+ const {fd: fdR1cs, sections: sectionsR1cs} = await binFileUtils.readBinFile(r1csFilename, "r1cs", 1, 1 << 22, 1 << 24);
+ const r1cs = await r1csfile.readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: false, loadCustomGates: true});
+
+ // Potential error checks
+ if (r1cs.prime !== curve.r) {
+ throw new Error("r1cs curve does not match powers of tau ceremony curve");
+ }
+
+ // Initializations
+ const Fr = curve.Fr;
+
+ const sFr = curve.Fr.n8;
+ const sG1 = curve.G1.F.n8 * 2;
+ const sG2 = curve.G2.F.n8 * 2;
+
+ let polynomials = {};
+ let evaluations = {};
+ let PTau;
+
+ let settings = {
+ nVars: r1cs.nVars,
+ nPublic: r1cs.nOutputs + r1cs.nPubInputs
+ };
+
+ const plonkConstraints = new BigArray();
+ let plonkAdditions = new BigArray();
+
+ // Process constraints inside r1cs
+ if (logger) logger.info("> Processing FFlonk constraints");
+ await computeFFConstraints(curve.Fr, r1cs, logger);
+ if (globalThis.gc) globalThis.gc();
+
+ // As the t polynomial is n+5 whe need at least a power of 4
+ //TODO check!!!!
+ // NOTE : plonkConstraints + 2 = #constraints + blinding coefficients for each wire polynomial
+ settings.cirPower = Math.max(FF_T_POL_DEG_MIN, log2((plonkConstraints.length + 2) - 1) + 1);
+ settings.domainSize = 2 ** settings.cirPower;
+
+ if (pTauSections[2][0].size < (settings.domainSize * 9 + 18) * sG1) {
+ throw new Error("Powers of Tau is not big enough for this circuit size. Section 2 too small.");
+ }
+ if (pTauSections[3][0].size < sG2) {
+ throw new Error("Powers of Tau is not well prepared. Section 3 too small.");
+ }
+
+ if (logger) {
+ logger.info("----------------------------");
+ logger.info(" FFLONK SETUP SETTINGS");
+ logger.info(` Curve: ${curve.name}`);
+ logger.info(` Circuit power: ${settings.cirPower}`);
+ logger.info(` Domain size: ${settings.domainSize}`);
+ logger.info(` Vars: ${settings.nVars}`);
+ logger.info(` Public vars: ${settings.nPublic}`);
+ logger.info(` Constraints: ${plonkConstraints.length}`);
+ logger.info(` Additions: ${plonkAdditions.length}`);
+ logger.info("----------------------------");
+ }
+
+ // Compute k1 and k2 to be used in the permutation checks
+ if (logger) logger.info("> computing k1 and k2");
+ const [k1, k2] = computeK1K2();
+
+ // Compute omega 3 (w3) and omega 4 (w4) to be used in the prover and the verifier
+ // w3^3 = 1 and w4^4 = 1
+ if (logger) logger.info("> computing w3");
+ const w3 = computeW3();
+ if (logger) logger.info("> computing w4");
+ const w4 = computeW4();
+ if (logger) logger.info("> computing w8");
+ const w8 = computeW8();
+ if (logger) logger.info("> computing wr");
+ const wr = getOmegaCubicRoot(settings.cirPower, curve.Fr);
+
+ // Write output zkey file
+ await writeZkeyFile();
+
+ await fdR1cs.close();
+ await fdPTau.close();
+
+ if (logger) logger.info("FFLONK SETUP FINISHED");
+
+ return 0;
+
+ async function computeFFConstraints(Fr, r1cs, logger) {
+ // Add public inputs and outputs
+ for (let i = 0; i < settings.nPublic; i++) {
+ plonkConstraints.push(getFFlonkConstantConstraint(i + 1, Fr));
+ }
+
+ // Add all constraints from r1cs file
+ const r1csProcessor = new r1csConstraintProcessor(Fr, getFFlonkConstantConstraint, getFFlonkAdditionConstraint, getFFlonkMultiplicationConstraint, logger);
+
+ const bR1cs = await binFileUtils__namespace.readSection(fdR1cs, sectionsR1cs, 2);
+ let bR1csPos = 0;
+ for (let i = 0; i < r1cs.nConstraints; i++) {
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` processing r1cs constraints ${i}/${r1cs.nConstraints}`);
+ }
+ const [constraints, additions] = r1csProcessor.processR1csConstraint(settings, ...readConstraint());
+
+ plonkConstraints.push(...constraints);
+ plonkAdditions.push(...additions);
+ }
+
+ function readConstraint() {
+ const c = [];
+ c[0] = readLC();
+ c[1] = readLC();
+ c[2] = readLC();
+ return c;
+ }
+
+ function readLC() {
+ const lc = {};
+
+ const buffUL32 = bR1cs.slice(bR1csPos, bR1csPos + 4);
+ bR1csPos += 4;
+ const buffUL32V = new DataView(buffUL32.buffer);
+ const nIdx = buffUL32V.getUint32(0, true);
+
+ const buff = bR1cs.slice(bR1csPos, bR1csPos + (4 + r1cs.n8) * nIdx);
+ bR1csPos += (4 + r1cs.n8) * nIdx;
+ const buffV = new DataView(buff.buffer);
+ for (let i = 0; i < nIdx; i++) {
+ const idx = buffV.getUint32(i * (4 + r1cs.n8), true);
+ const val = r1cs.F.fromRprLE(buff, i * (4 + r1cs.n8) + 4);
+ lc[idx] = val;
+ }
+ return lc;
+ }
+
+ return 0;
+ }
+
+ async function writeZkeyFile() {
+ if (logger) logger.info("> Writing the zkey file");
+ const fdZKey = await binFileUtils.createBinFile(zkeyFilename, "zkey", 1, ZKEY_FF_NSECTIONS, 1 << 22, 1 << 24);
+
+ if (logger) logger.info(`··· Writing Section ${HEADER_ZKEY_SECTION}. Zkey Header`);
+ await writeZkeyHeader(fdZKey);
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
+ await writeAdditions(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_A_MAP_SECTION}. A Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_A_MAP_SECTION, 0, "A map");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_B_MAP_SECTION}. B Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_B_MAP_SECTION, 1, "B map");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_C_MAP_SECTION}. C Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_C_MAP_SECTION, 2, "C map");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QL_SECTION}. QL`);
+ await writeQMap(fdZKey, ZKEY_FF_QL_SECTION, 3, "QL");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QR_SECTION}. QR`);
+ await writeQMap(fdZKey, ZKEY_FF_QR_SECTION, 4, "QR");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QM_SECTION}. QM`);
+ await writeQMap(fdZKey, ZKEY_FF_QM_SECTION, 5, "QM");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QO_SECTION}. QO`);
+ await writeQMap(fdZKey, ZKEY_FF_QO_SECTION, 6, "QO");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QC_SECTION}. QC`);
+ await writeQMap(fdZKey, ZKEY_FF_QC_SECTION, 7, "QC");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
+ await writeSigma(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_LAGRANGE_SECTION}. Lagrange Polynomials`);
+ await writeLagrangePolynomials(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
+ await writePtau(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_C0_SECTION}. C0`);
+ await writeC0(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_HEADER_SECTION}. FFlonk Header`);
+ await writeFFlonkHeader(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info("> Writing the zkey file finished");
+
+ await fdZKey.close();
+ }
+
+ async function writeZkeyHeader(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, HEADER_ZKEY_SECTION);
+ await fdZKey.writeULE32(FFLONK_PROTOCOL_ID);
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeAdditions(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_ADDITIONS_SECTION);
+
+ // Written values are 2 * 32 bit integers (2 * 4 bytes) + 2 field size values ( 2 * sFr bytes)
+ const buffOut = new Uint8Array(8 + 2 * sFr);
+ const buffOutV = new DataView(buffOut.buffer);
+
+ for (let i = 0; i < plonkAdditions.length; i++) {
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) logger.info(` writing Additions: ${i}/${plonkAdditions.length}`);
+
+ const addition = plonkAdditions[i];
+
+ buffOutV.setUint32(0, addition[0], true);
+ buffOutV.setUint32(4, addition[1], true);
+ buffOut.set(addition[2], 8);
+ buffOut.set(addition[3], 8 + sFr);
+
+ await fdZKey.write(buffOut);
+ }
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeWitnessMap(fdZKey, sectionNum, posConstraint, name) {
+ await binFileUtils.startWriteSection(fdZKey, sectionNum);
+ for (let i = 0; i < plonkConstraints.length; i++) {
+ if (logger && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` writing witness ${name}: ${i}/${plonkConstraints.length}`);
+ }
+
+ await fdZKey.writeULE32(plonkConstraints[i][posConstraint]);
+ }
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeQMap(fdZKey, sectionNum, posConstraint, name) {
+ // Compute Q from q evaluations
+ let Q = new ffjavascript.BigBuffer(settings.domainSize * sFr);
+
+ for (let i = 0; i < plonkConstraints.length; i++) {
+ Q.set(plonkConstraints[i][posConstraint], i * sFr);
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` writing ${name}: ${i}/${plonkConstraints.length}`);
+ }
+ }
+
+ polynomials[name] = await Polynomial.fromEvaluations(Q, curve, logger);
+ evaluations[name] = await Evaluations.fromPolynomial(polynomials[name], 4, curve, logger);
+
+ // Write Q coefficients and evaluations
+ await binFileUtils.startWriteSection(fdZKey, sectionNum);
+ await fdZKey.write(polynomials[name].coef);
+ await fdZKey.write(evaluations[name].eval);
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeSigma(fdZKey) {
+ // Compute sigma
+ const sigma = new ffjavascript.BigBuffer(sFr * settings.domainSize * 3);
+ const lastSeen = new BigArray(settings.nVars);
+ const firstPos = new BigArray(settings.nVars);
+
+ let w = Fr.one;
+ for (let i = 0; i < settings.domainSize; i++) {
+ if (i < plonkConstraints.length) {
+ buildSigma(plonkConstraints[i][0], i);
+ buildSigma(plonkConstraints[i][1], settings.domainSize + i);
+ buildSigma(plonkConstraints[i][2], settings.domainSize * 2 + i);
+ } else if (i < settings.domainSize - 2) {
+ buildSigma(0, i);
+ buildSigma(0, settings.domainSize + i);
+ buildSigma(0, settings.domainSize * 2 + i);
+ } else {
+ sigma.set(w, i * sFr);
+ sigma.set(Fr.mul(w, k1), (settings.domainSize + i) * sFr);
+ sigma.set(Fr.mul(w, k2), (settings.domainSize * 2 + i) * sFr);
+ }
+
+ w = Fr.mul(w, Fr.w[settings.cirPower]);
+
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` writing sigma phase1: ${i}/${plonkConstraints.length}`);
+ }
+ }
+
+ for (let i = 0; i < settings.nVars; i++) {
+ if (typeof firstPos[i] !== "undefined") {
+ sigma.set(lastSeen[i], firstPos[i] * sFr);
+ } else {
+ // throw new Error("Variable not used");
+ console.log("Variable not used");
+ }
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) logger.info(` writing sigma phase2: ${i}/${settings.nVars}`);
+ }
+
+ if (globalThis.gc) globalThis.gc();
+
+ // Write sigma coefficients and evaluations
+ for (let i = 0; i < 3; i++) {
+ const sectionId = 0 === i ? ZKEY_FF_SIGMA1_SECTION : 1 === i ? ZKEY_FF_SIGMA2_SECTION : ZKEY_FF_SIGMA3_SECTION;
+
+ let name = "S" + (i + 1);
+ polynomials[name] = await Polynomial.fromEvaluations(sigma.slice(settings.domainSize * sFr * i, settings.domainSize * sFr * (i + 1)), curve, logger);
+ evaluations[name] = await Evaluations.fromPolynomial(polynomials[name], 4, curve, logger);
+ await binFileUtils.startWriteSection(fdZKey, sectionId);
+ await fdZKey.write(polynomials[name].coef);
+ await fdZKey.write(evaluations[name].eval);
+ await binFileUtils.endWriteSection(fdZKey);
+
+ if (globalThis.gc) globalThis.gc();
+ }
+
+ return 0;
+
+ function buildSigma(signalId, idx) {
+ if (typeof lastSeen[signalId] === "undefined") {
+ firstPos[signalId] = idx;
+ } else {
+ sigma.set(lastSeen[signalId], idx * sFr);
+ }
+ let v;
+ if (idx < settings.domainSize) {
+ v = w;
+ } else if (idx < 2 * settings.domainSize) {
+ v = Fr.mul(w, k1);
+ } else {
+ v = Fr.mul(w, k2);
+ }
+
+ lastSeen[signalId] = v;
+ }
+ }
+
+ async function writeLagrangePolynomials(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_LAGRANGE_SECTION);
+
+ const l = Math.max(settings.nPublic, 1);
+ for (let i = 0; i < l; i++) {
+ let buff = new ffjavascript.BigBuffer(settings.domainSize * sFr);
+ buff.set(Fr.one, i * sFr);
+
+ await writeP4(fdZKey, buff);
+ }
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writePtau(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_PTAU_SECTION);
+
+ // domainSize * 9 + 18 = maximum SRS length needed, specifically to commit C2
+ PTau = new ffjavascript.BigBuffer((settings.domainSize * 9 + 18) * sG1);
+ await fdPTau.readToBuffer(PTau, 0, (settings.domainSize * 9 + 18) * sG1, pTauSections[2][0].p);
+
+ await fdZKey.write(PTau);
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeC0(fdZKey) {
+ // C0(X) := QL(X^8) + X · QR(X^8) + X^2 · QO(X^8) + X^3 · QM(X^8) + X^4 · QC(X^8)
+ // + X^5 · SIGMA1(X^8) + X^6 · SIGMA2(X^8) + X^7 · SIGMA3(X^8)
+ let C0 = new CPolynomial(8, curve, logger);
+ C0.addPolynomial(0, polynomials.QL);
+ C0.addPolynomial(1, polynomials.QR);
+ C0.addPolynomial(2, polynomials.QO);
+ C0.addPolynomial(3, polynomials.QM);
+ C0.addPolynomial(4, polynomials.QC);
+ C0.addPolynomial(5, polynomials.S1);
+ C0.addPolynomial(6, polynomials.S2);
+ C0.addPolynomial(7, polynomials.S3);
+
+ polynomials.C0 = C0.getPolynomial();
+
+ // Check degree
+ if (polynomials.C0.degree() >= 8 * settings.domainSize) {
+ throw new Error("C0 Polynomial is not well calculated");
+ }
+
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_C0_SECTION);
+ await fdZKey.write(polynomials.C0.coef);
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeFFlonkHeader(fdZKey) {
+ await binFileUtils.startWriteSection(fdZKey, ZKEY_FF_HEADER_SECTION);
+
+ const primeQ = curve.q;
+ const n8q = (Math.floor((ffjavascript.Scalar.bitLength(primeQ) - 1) / 64) + 1) * 8;
+ await fdZKey.writeULE32(n8q);
+ await binFileUtils.writeBigInt(fdZKey, primeQ, n8q);
+
+ const primeR = curve.r;
+ const n8r = (Math.floor((ffjavascript.Scalar.bitLength(primeR) - 1) / 64) + 1) * 8;
+ await fdZKey.writeULE32(n8r);
+ await binFileUtils.writeBigInt(fdZKey, primeR, n8r);
+
+ // Total number of r1cs vars
+ await fdZKey.writeULE32(settings.nVars);
+ // Total number of r1cs public vars = outputs + public inputs
+ await fdZKey.writeULE32(settings.nPublic);
+ await fdZKey.writeULE32(settings.domainSize);
+ await fdZKey.writeULE32(plonkAdditions.length);
+ await fdZKey.writeULE32(plonkConstraints.length);
+
+ await fdZKey.write(k1);
+ await fdZKey.write(k2);
+
+ await fdZKey.write(w3);
+ await fdZKey.write(w4);
+ await fdZKey.write(w8);
+ await fdZKey.write(wr);
+
+ let bX_2;
+ bX_2 = await fdPTau.read(sG2, pTauSections[3][0].p + sG2);
+ await fdZKey.write(bX_2);
+
+ let commitC0 = await polynomials.C0.multiExponentiation(PTau, "C0");
+ await fdZKey.write(commitC0);
+
+ await binFileUtils.endWriteSection(fdZKey);
+ }
+
+ async function writeP4(fdZKey, buff) {
+ const [coefficients, evaluations4] = await Polynomial.to4T(buff, settings.domainSize, [], Fr);
+ await fdZKey.write(coefficients);
+ await fdZKey.write(evaluations4);
+
+ return [coefficients, evaluations4];
+ }
+
+ function computeK1K2() {
+ let k1 = Fr.two;
+ while (isIncluded(k1, [], settings.cirPower)) Fr.add(k1, Fr.one);
+ let k2 = Fr.add(k1, Fr.one);
+ while (isIncluded(k2, [k1], settings.cirPower)) Fr.add(k2, Fr.one);
+ return [k1, k2];
+
+ function isIncluded(k, kArr, pow) {
+ const domainSize = 2 ** pow;
+ let w = Fr.one;
+ for (let i = 0; i < domainSize; i++) {
+ if (Fr.eq(k, w)) return true;
+ for (let j = 0; j < kArr.length; j++) {
+ if (Fr.eq(k, Fr.mul(kArr[j], w))) return true;
+ }
+ w = Fr.mul(w, Fr.w[pow]);
+ }
+ return false;
+ }
+ }
+
+ function computeW3() {
+ let generator = Fr.e(31624);
+
+ // Exponent is order(r - 1) / 3
+ let orderRsub1 = 3648040478639879203707734290876212514758060733402672390616367364429301415936n;
+ let exponent = ffjavascript.Scalar.div(orderRsub1, ffjavascript.Scalar.e(3));
+
+ return Fr.exp(generator, exponent);
+ }
+
+ function computeW4() {
+ return Fr.w[2];
+ }
+
+ function computeW8() {
+ return Fr.w[3];
+ }
+
+ function getOmegaCubicRoot(power, Fr) {
+ // Hardcorded 3th-root of Fr.w[28]
+ const firstRoot = Fr.e(467799165886069610036046866799264026481344299079011762026774533774345988080n);
+
+ return Fr.exp(firstRoot, 2 ** (28 - power));
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+const { keccak256 } = jsSha3__default["default"];
+
+const POLYNOMIAL = 0;
+const SCALAR = 1;
+
+class Keccak256Transcript {
+ constructor(curve) {
+ this.G1 = curve.G1;
+ this.Fr = curve.Fr;
+
+ this.reset();
+ }
+
+ reset() {
+ this.data = [];
+ }
+
+ addPolCommitment(polynomialCommitment) {
+ this.data.push({type: POLYNOMIAL, data: polynomialCommitment});
+ }
+
+ addScalar(scalar) {
+ this.data.push({type: SCALAR, data: scalar});
+ }
+
+ getChallenge() {
+ if(0 === this.data.length) {
+ throw new Error("Keccak256Transcript: No data to generate a transcript");
+ }
+
+ let nPolynomials = 0;
+ let nScalars = 0;
+
+ this.data.forEach(element => POLYNOMIAL === element.type ? nPolynomials++ : nScalars++);
+
+ let buffer = new Uint8Array(nScalars * this.Fr.n8 + nPolynomials * this.G1.F.n8 * 2);
+ let offset = 0;
+
+ for (let i = 0; i < this.data.length; i++) {
+ if (POLYNOMIAL === this.data[i].type) {
+ this.G1.toRprUncompressed(buffer, offset, this.data[i].data);
+ offset += this.G1.F.n8 * 2;
+ } else {
+ this.Fr.toRprBE(buffer, offset, this.data[i].data);
+ offset += this.Fr.n8;
+ }
+ }
+
+ const value = ffjavascript.Scalar.fromRprBE(new Uint8Array(keccak256.arrayBuffer(buffer)));
+ return this.Fr.e(value);
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+class Proof {
+ constructor(curve, logger) {
+ this.curve = curve;
+ this.logger = logger;
+
+ this.resetProof();
+ }
+
+ resetProof() {
+ this.polynomials = {};
+ this.evaluations = {};
+ }
+
+ addPolynomial(key, polynomial) {
+ if (key in this.polynomials) {
+ this.logger.warn(`proof: polynomial.${key} already exist in proof`);
+ }
+ this.polynomials[key] = polynomial;
+ }
+
+ getPolynomial(key) {
+ if (!(key in this.polynomials)) {
+ this.logger.warn(`proof: polynomial ${key} does not exist in proof`);
+ }
+ return this.polynomials[key];
+ }
+
+ addEvaluation(key, evaluation) {
+ if (key in this.evaluations) {
+ this.logger.warn(`proof: evaluations.${key} already exist in proof`);
+ }
+ this.evaluations[key] = evaluation;
+ }
+
+ getEvaluation(key) {
+ if (!(key in this.evaluations)) {
+ this.logger.warn(`proof: evaluation ${key} does not exist in proof`);
+ }
+ return this.evaluations[key];
+ }
+
+ toObjectProof() {
+ let res = {polynomials: {}, evaluations: {}};
+
+ Object.keys(this.polynomials).forEach(key => {
+ res.polynomials[key] = this.curve.G1.toObject(this.polynomials[key]);
+ });
+
+ Object.keys(this.evaluations).forEach(key => {
+ res.evaluations[key] = this.curve.Fr.toObject(this.evaluations[key]);
+ });
+
+ return res;
+ }
+
+ fromObjectProof(objectProof) {
+ this.resetProof();
+
+ Object.keys(objectProof.polynomials).forEach(key => {
+ this.polynomials[key] = this.curve.G1.fromObject(objectProof.polynomials[key]);
+ });
+
+ Object.keys(objectProof.evaluations).forEach(key => {
+ this.evaluations[key] = this.curve.Fr.fromObject(objectProof.evaluations[key]);
+ });
+ }
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+const { stringifyBigInts } = ffjavascript.utils;
+
+
+async function fflonkProve(zkeyFileName, witnessFileName, logger) {
+ if (logger) logger.info("FFLONK PROVER STARTED");
+
+ // Read witness file
+ if (logger) logger.info("> Reading witness file");
+ const {
+ fd: fdWtns,
+ sections: wtnsSections
+ } = await binFileUtils__namespace.readBinFile(witnessFileName, "wtns", 2, 1 << 25, 1 << 23);
+ const wtns = await readHeader(fdWtns, wtnsSections);
+
+ //Read zkey file
+ if (logger) logger.info("> Reading zkey file");
+ const {
+ fd: fdZKey,
+ sections: zkeySections
+ } = await binFileUtils__namespace.readBinFile(zkeyFileName, "zkey", 2, 1 << 25, 1 << 23);
+ const zkey = await readHeader$1(fdZKey, zkeySections);
+
+ if (zkey.protocolId !== FFLONK_PROTOCOL_ID) {
+ throw new Error("zkey file is not fflonk");
+ }
+
+ if (!ffjavascript.Scalar.eq(zkey.r, wtns.q)) {
+ throw new Error("Curve of the witness does not match the curve of the proving key");
+ }
+
+ if (wtns.nWitness !== zkey.nVars - zkey.nAdditions) {
+ throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
+ }
+
+ const curve = zkey.curve;
+
+ const Fr = curve.Fr;
+
+ const sFr = curve.Fr.n8;
+ const sG1 = curve.G1.F.n8 * 2;
+ const sDomain = zkey.domainSize * sFr;
+
+ if (logger) {
+ logger.info("----------------------------");
+ logger.info(" FFLONK PROVE SETTINGS");
+ logger.info(` Curve: ${curve.name}`);
+ logger.info(` Circuit power: ${zkey.power}`);
+ logger.info(` Domain size: ${zkey.domainSize}`);
+ logger.info(` Vars: ${zkey.nVars}`);
+ logger.info(` Public vars: ${zkey.nPublic}`);
+ logger.info(` Constraints: ${zkey.nConstraints}`);
+ logger.info(` Additions: ${zkey.nAdditions}`);
+ logger.info("----------------------------");
+ }
+
+ //Read witness data
+ if (logger) logger.info("> Reading witness file data");
+ const buffWitness = await binFileUtils__namespace.readSection(fdWtns, wtnsSections, 2);
+ await fdWtns.close();
+
+ // First element in plonk is not used and can be any value. (But always the same).
+ // We set it to zero to go faster in the exponentiations.
+ buffWitness.set(Fr.zero, 0);
+ const buffInternalWitness = new ffjavascript.BigBuffer(zkey.nAdditions * sFr);
+
+ let buffers = {};
+ let polynomials = {};
+ let evaluations = {};
+
+ // To divide prime fields the Extended Euclidean Algorithm for computing modular inverses is needed.
+ // NOTE: This is the equivalent of compute 1/denominator and then multiply it by the numerator.
+ // The Extended Euclidean Algorithm is expensive in terms of computation.
+ // For the special case where we need to do many modular inverses, there's a simple mathematical trick
+ // that allows us to compute many inverses, called Montgomery batch inversion.
+ // More info: https://vitalik.ca/general/2018/07/21/starks_part_3.html
+ // Montgomery batch inversion reduces the n inverse computations to a single one
+ // To save this (single) inverse computation on-chain, will compute it in proving time and send it to the verifier.
+ // The verifier will have to check:
+ // 1) the denominator is correct multiplying by himself non-inverted -> a * 1/a == 1
+ // 2) compute the rest of the denominators using the Montgomery batch inversion
+ // The inversions are:
+ // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
+ // · denominator needed in step 10 and 11 of the verifier
+ // · denominator needed in the verifier when computing L_i^{S1}(X) and L_i^{S2}(X)
+ // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
+ let toInverse = {};
+
+ let challenges = {};
+ let roots = {};
+
+ let proof = new Proof(curve, logger);
+
+ if (logger) logger.info(`> Reading Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
+ await calculateAdditions();
+
+ if (logger) logger.info(`> Reading Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
+ if (logger) logger.info("··· Reading Sigma polynomials ");
+ polynomials.Sigma1 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.Sigma2 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.Sigma3 = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+
+ await fdZKey.readToBuffer(polynomials.Sigma1.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.Sigma2.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.Sigma3.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p);
+
+ if (logger) logger.info("··· Reading Sigma evaluations");
+ evaluations.Sigma1 = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.Sigma2 = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.Sigma3 = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+
+ await fdZKey.readToBuffer(evaluations.Sigma1.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.Sigma2.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.Sigma3.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p + sDomain);
+
+ if (logger) logger.info(`> Reading Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
+ const PTau = new ffjavascript.BigBuffer(zkey.domainSize * 16 * sG1);
+ // domainSize * 9 + 18 = SRS length in the zkey saved in setup process.
+ // it corresponds to the maximum SRS length needed, specifically to commit C2
+ // notice that the reserved buffers size is zkey.domainSize * 16 * sG1 because a power of two buffer size is needed
+ // the remaining buffer not filled from SRS are set to 0
+ await fdZKey.readToBuffer(PTau, 0, (zkey.domainSize * 9 + 18) * sG1, zkeySections[ZKEY_FF_PTAU_SECTION][0].p);
+
+ // START FFLONK PROVER PROTOCOL
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 1. Compute C1(X) polynomial
+ if (logger) logger.info("");
+ if (logger) logger.info("> ROUND 1");
+ await round1();
+
+ delete polynomials.T0;
+ delete evaluations.QL;
+ delete evaluations.QR;
+ delete evaluations.QM;
+ delete evaluations.QO;
+ delete evaluations.QC;
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 2. Compute C2(X) polynomial
+ if (logger) logger.info("> ROUND 2");
+ await round2();
+
+ delete buffers.A;
+ delete buffers.B;
+ delete buffers.C;
+ delete evaluations.A;
+ delete evaluations.B;
+ delete evaluations.C;
+ delete evaluations.Sigma1;
+ delete evaluations.Sigma2;
+ delete evaluations.Sigma3;
+ delete evaluations.lagrange1;
+ delete evaluations.Z;
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 3. Compute opening evaluations
+ if (logger) logger.info("> ROUND 3");
+ await round3();
+
+ delete polynomials.A;
+ delete polynomials.B;
+ delete polynomials.C;
+ delete polynomials.Z;
+ delete polynomials.T1;
+ delete polynomials.T2;
+ delete polynomials.Sigma1;
+ delete polynomials.Sigma2;
+ delete polynomials.Sigma3;
+ delete polynomials.QL;
+ delete polynomials.QR;
+ delete polynomials.QM;
+ delete polynomials.QC;
+ delete polynomials.QO;
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 4. Compute W(X) polynomial
+ if (logger) logger.info("> ROUND 4");
+ await round4();
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 5. Compute W'(X) polynomial
+ if (logger) logger.info("> ROUND 5");
+ await round5();
+
+ delete polynomials.C0;
+ delete polynomials.C1;
+ delete polynomials.C2;
+ delete polynomials.R1;
+ delete polynomials.R2;
+ delete polynomials.F;
+ delete polynomials.L;
+ delete polynomials.ZT;
+ delete polynomials.ZTS2;
+ await fdZKey.close();
+ if (globalThis.gc) globalThis.gc();
+
+ proof.addEvaluation("inv", getMontgomeryBatchedInverse());
+
+ // Prepare proof
+ let _proof = proof.toObjectProof();
+ _proof.protocol = "fflonk";
+ _proof.curve = curve.name;
+
+ // Prepare public inputs
+ let publicSignals = [];
+
+ for (let i = 1; i <= zkey.nPublic; i++) {
+ const i_sFr = i * sFr;
+
+ const pub = buffWitness.slice(i_sFr, i_sFr + sFr);
+ publicSignals.push(ffjavascript.Scalar.fromRprLE(pub));
+ }
+
+ if (logger) logger.info("FFLONK PROVER FINISHED");
+
+ return {
+ proof: stringifyBigInts(_proof),
+ publicSignals: stringifyBigInts(publicSignals)
+ };
+
+ async function calculateAdditions() {
+ if (logger) logger.info("··· Computing additions");
+ const additionsBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_ADDITIONS_SECTION);
+
+ // sizes: wireId_x = 4 bytes (32 bits), factor_x = field size bits
+ // Addition form: wireId_a wireId_b factor_a factor_b (size is 4 + 4 + sFr + sFr)
+ const sSum = 8 + sFr * 2;
+
+ for (let i = 0; i < zkey.nAdditions; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` addition ${i}/${zkey.nAdditions}`);
+
+ // Read addition values
+ let offset = i * sSum;
+ const signalId1 = readUInt32(additionsBuff, offset);
+ offset += 4;
+ const signalId2 = readUInt32(additionsBuff, offset);
+ offset += 4;
+ const factor1 = additionsBuff.slice(offset, offset + sFr);
+ offset += sFr;
+ const factor2 = additionsBuff.slice(offset, offset + sFr);
+
+ // Get witness value
+ const witness1 = getWitness(signalId1);
+ const witness2 = getWitness(signalId2);
+
+ //Calculate final result
+ const result = Fr.add(Fr.mul(factor1, witness1), Fr.mul(factor2, witness2));
+
+ buffInternalWitness.set(result, sFr * i);
+ }
+ }
+
+ function readUInt32(b, o) {
+ const buff = b.slice(o, o + 4);
+ const buffV = new DataView(buff.buffer, buff.byteOffset, buff.byteLength);
+ return buffV.getUint32(0, true);
+ }
+
+ function getWitness(idx) {
+ let diff = zkey.nVars - zkey.nAdditions;
+ if (idx < diff) {
+ return buffWitness.slice(idx * sFr, idx * sFr + sFr);
+ } else if (idx < zkey.nVars) {
+ const offset = (idx - diff) * sFr;
+ return buffInternalWitness.slice(offset, offset + sFr);
+ }
+
+ return Fr.zero;
+ }
+
+ async function round1() {
+ // STEP 1.1 - Generate random blinding scalars (b_1, ..., b9) ∈ F
+ challenges.b = [];
+ for (let i = 1; i <= 9; i++) {
+ challenges.b[i] = Fr.random();
+ }
+
+ // STEP 1.2 - Compute wire polynomials a(X), b(X) and c(X)
+ if (logger) logger.info("> Computing A, B, C wire polynomials");
+ await computeWirePolynomials();
+
+ // STEP 1.3 - Compute the quotient polynomial T0(X)
+ if (logger) logger.info("> Computing T0 polynomial");
+ await computeT0();
+
+ // STEP 1.4 - Compute the FFT-style combination polynomial C1(X)
+ if (logger) logger.info("> Computing C1 polynomial");
+ await computeC1();
+
+ // The first output of the prover is ([C1]_1)
+ if (logger) logger.info("> Computing C1 multi exponentiation");
+ let commitC1 = await polynomials.C1.multiExponentiation(PTau, "C1");
+ proof.addPolynomial("C1", commitC1);
+
+ return 0;
+
+ async function computeWirePolynomials() {
+ if (logger) logger.info("··· Reading data from zkey file");
+ // Build A, B and C evaluations buffer from zkey and witness files
+ buffers.A = new ffjavascript.BigBuffer(sDomain);
+ buffers.B = new ffjavascript.BigBuffer(sDomain);
+ buffers.C = new ffjavascript.BigBuffer(sDomain);
+
+ // Read zkey sections and fill the buffers
+ const aMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_A_MAP_SECTION);
+ const bMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_B_MAP_SECTION);
+ const cMapBuff = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_C_MAP_SECTION);
+
+ // Compute all witness from signal ids and set them to A,B & C buffers
+ for (let i = 0; i < zkey.nConstraints; i++) {
+ const i_sFr = i * sFr;
+ const offset = i * 4;
+
+ // Compute A value from a signal id
+ const signalIdA = readUInt32(aMapBuff, offset);
+ buffers.A.set(getWitness(signalIdA), i_sFr);
+
+ // Compute B value from a signal id
+ const signalIdB = readUInt32(bMapBuff, offset);
+ buffers.B.set(getWitness(signalIdB), i_sFr);
+
+ // Compute C value from a signal id
+ const signalIdC = readUInt32(cMapBuff, offset);
+ buffers.C.set(getWitness(signalIdC), i_sFr);
+ }
+
+ // Blind a(X), b(X) and c(X) polynomials coefficients with blinding scalars b
+ buffers.A.set(challenges.b[1], sDomain - 64);
+ buffers.A.set(challenges.b[2], sDomain - 32);
+ buffers.B.set(challenges.b[3], sDomain - 64);
+ buffers.B.set(challenges.b[4], sDomain - 32);
+ buffers.C.set(challenges.b[5], sDomain - 64);
+ buffers.C.set(challenges.b[6], sDomain - 32);
+
+ buffers.A = await Fr.batchToMontgomery(buffers.A);
+ buffers.B = await Fr.batchToMontgomery(buffers.B);
+ buffers.C = await Fr.batchToMontgomery(buffers.C);
+
+ // Compute the coefficients of the wire polynomials a(X), b(X) and c(X) from A,B & C buffers
+ if (logger) logger.info("··· Computing A ifft");
+ polynomials.A = await Polynomial.fromEvaluations(buffers.A, curve, logger);
+ if (logger) logger.info("··· Computing B ifft");
+ polynomials.B = await Polynomial.fromEvaluations(buffers.B, curve, logger);
+ if (logger) logger.info("··· Computing C ifft");
+ polynomials.C = await Polynomial.fromEvaluations(buffers.C, curve, logger);
+
+ // Compute extended evaluations of a(X), b(X) and c(X) polynomials
+ if (logger) logger.info("··· Computing A fft");
+ evaluations.A = await Evaluations.fromPolynomial(polynomials.A, 4, curve, logger);
+ if (logger) logger.info("··· Computing B fft");
+ evaluations.B = await Evaluations.fromPolynomial(polynomials.B, 4, curve, logger);
+ if (logger) logger.info("··· Computing C fft");
+ evaluations.C = await Evaluations.fromPolynomial(polynomials.C, 4, curve, logger);
+
+ // Check degrees
+ if (polynomials.A.degree() >= zkey.domainSize) {
+ throw new Error("A Polynomial is not well calculated");
+ }
+ if (polynomials.B.degree() >= zkey.domainSize) {
+ throw new Error("B Polynomial is not well calculated");
+ }
+ if (polynomials.C.degree() >= zkey.domainSize) {
+ throw new Error("C Polynomial is not well calculated");
+ }
+ }
+
+ async function computeT0() {
+ if (logger) logger.info(`··· Reading sections ${ZKEY_FF_QL_SECTION}, ${ZKEY_FF_QR_SECTION}` +
+ `, ${ZKEY_FF_QM_SECTION}, ${ZKEY_FF_QO_SECTION}, ${ZKEY_FF_QC_SECTION}. Q selectors`);
+ // Reserve memory for Q's evaluations
+ evaluations.QL = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QR = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QM = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QO = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QC = new Evaluations(new ffjavascript.BigBuffer(sDomain * 4), curve, logger);
+
+ // Read Q's evaluations from zkey file
+ await fdZKey.readToBuffer(evaluations.QL.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QL_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QR.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QR_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QM.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QM_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QO.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QO_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QC.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QC_SECTION][0].p + sDomain);
+
+ // Read Lagrange polynomials & evaluations from zkey file
+ const lagrangePolynomials = await binFileUtils__namespace.readSection(fdZKey, zkeySections, ZKEY_FF_LAGRANGE_SECTION);
+ evaluations.lagrange1 = new Evaluations(lagrangePolynomials, curve, logger);
+
+ // Reserve memory for buffers T0
+ buffers.T0 = new ffjavascript.BigBuffer(sDomain * 4);
+
+ if (logger) logger.info("··· Computing T0 evaluations");
+ for (let i = 0; i < zkey.domainSize * 4; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T0 evaluation ${i}/${zkey.domainSize * 4}`);
+
+ // Get related evaluations to compute current T0 evaluation
+ const a = evaluations.A.getEvaluation(i);
+ const b = evaluations.B.getEvaluation(i);
+ const c = evaluations.C.getEvaluation(i);
+
+ const ql = evaluations.QL.getEvaluation(i);
+ const qr = evaluations.QR.getEvaluation(i);
+ const qm = evaluations.QM.getEvaluation(i);
+ const qo = evaluations.QO.getEvaluation(i);
+ const qc = evaluations.QC.getEvaluation(i);
+
+ // Compute current public input
+ let pi = Fr.zero;
+ for (let j = 0; j < zkey.nPublic; j++) {
+ const offset = (j * 5 * zkey.domainSize) + zkey.domainSize + i;
+
+ const lPol = evaluations.lagrange1.getEvaluation(offset);
+ const aVal = buffers.A.slice(j * sFr, (j + 1) * sFr);
+
+ pi = Fr.sub(pi, Fr.mul(lPol, aVal));
+ }
+
+ //T0(X) = [q_L(X)·a(X) + q_R(X)·b(X) + q_M(X)·a(X)·b(X) + q_O(X)·c(X) + q_C(X) + PI(X)] · 1/Z_H(X)
+ // Compute first T0(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+ // expression 1 -> q_L(X)·a(X)
+ const e1 = Fr.mul(a, ql);
+
+ // expression 2 -> q_R(X)·b(X)
+ const e2 = Fr.mul(b, qr);
+
+ // expression 3 -> q_M(X)·a(X)·b(X)
+ const e3 = Fr.mul(Fr.mul(a, b), qm);
+
+ // expression 4 -> q_O(X)·c(X)
+ const e4 = Fr.mul(c, qo);
+
+ // t0 = expressions 1 + expression 2 + expression 3 + expression 4 + qc + pi
+ const t0 = Fr.add(e1, Fr.add(e2, Fr.add(e3, Fr.add(e4, Fr.add(qc, pi)))));
+
+ buffers.T0.set(t0, i * sFr);
+ }
+
+ if (logger) logger.info("buffer T0: " + buffers.T0.byteLength / sFr);
+
+ // Compute the coefficients of the polynomial T0(X) from buffers.T0
+ if (logger) logger.info("··· Computing T0 ifft");
+ polynomials.T0 = await Polynomial.fromEvaluations(buffers.T0, curve, logger);
+
+ if (logger) logger.info("T0 length: " + polynomials.T0.length());
+ if (logger) logger.info("T0 degree: " + polynomials.T0.degree());
+
+ // Divide the polynomial T0 by Z_H(X)
+ if (logger) logger.info("··· Computing T0 / ZH");
+ polynomials.T0.divByZerofier(zkey.domainSize, Fr.one);
+
+ // Check degree
+ if (polynomials.T0.degree() >= 2 * zkey.domainSize - 2) {
+ throw new Error(`T0 Polynomial is not well calculated (degree is ${polynomials.T0.degree()} and must be less than ${2 * zkey.domainSize + 2}`);
+ }
+
+ delete buffers.T0;
+ }
+
+ async function computeC1() {
+ let C1 = new CPolynomial(4, curve, logger);
+ C1.addPolynomial(0, polynomials.A);
+ C1.addPolynomial(1, polynomials.B);
+ C1.addPolynomial(2, polynomials.C);
+ C1.addPolynomial(3, polynomials.T0);
+
+ polynomials.C1 = C1.getPolynomial();
+
+ // Check degree
+ if (polynomials.C1.degree() >= 8 * zkey.domainSize - 8) {
+ throw new Error("C1 Polynomial is not well calculated");
+ }
+ }
+ }
+
+ async function round2() {
+ // STEP 2.1 - Compute permutation challenge beta and gamma ∈ F
+ // Compute permutation challenge beta
+ if (logger) logger.info("> Computing challenges beta and gamma");
+ const transcript = new Keccak256Transcript(curve);
+
+ // Add C0 to the transcript
+ transcript.addPolCommitment(zkey.C0);
+
+ // Add A to the transcript
+ for (let i = 0; i < zkey.nPublic; i++) {
+ transcript.addScalar(buffers.A.slice(i * sFr, i * sFr + sFr));
+ }
+
+ // Add C1 to the transcript
+ transcript.addPolCommitment(proof.getPolynomial("C1"));
+
+ challenges.beta = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.beta: " + Fr.toString(challenges.beta));
+
+ // Compute permutation challenge gamma
+ transcript.reset();
+ transcript.addScalar(challenges.beta);
+ challenges.gamma = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.gamma: " + Fr.toString(challenges.gamma));
+
+ // STEP 2.2 - Compute permutation polynomial z(X)
+ if (logger) logger.info("> Computing Z polynomial");
+ await computeZ();
+
+ // STEP 2.3 - Compute quotient polynomial T1(X) and T2(X)
+ if (logger) logger.info("> Computing T1 polynomial");
+ await computeT1();
+ if (logger) logger.info("> Computing T2 polynomial");
+ await computeT2();
+
+ // STEP 2.4 - Compute the FFT-style combination polynomial C2(X)
+ if (logger) logger.info("> Computing C2 polynomial");
+ await computeC2();
+
+ // The second output of the prover is ([C2]_1)
+ if (logger) logger.info("> Computing C2 multi exponentiation");
+ let commitC2 = await polynomials.C2.multiExponentiation(PTau, "C2");
+ proof.addPolynomial("C2", commitC2);
+
+ return 0;
+
+ async function computeZ() {
+ if (logger) logger.info("··· Computing Z evaluations");
+
+ let numArr = new ffjavascript.BigBuffer(sDomain);
+ let denArr = new ffjavascript.BigBuffer(sDomain);
+
+ // Set the first values to 1
+ numArr.set(Fr.one, 0);
+ denArr.set(Fr.one, 0);
+
+ // Set initial omega
+ let w = Fr.one;
+ for (let i = 0; i < zkey.domainSize; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` Z evaluation ${i}/${zkey.domainSize}`);
+ const i_sFr = i * sFr;
+
+ // Z(X) := numArr / denArr
+ // numArr := (a + beta·ω + gamma)(b + beta·ω·k1 + gamma)(c + beta·ω·k2 + gamma)
+ const betaw = Fr.mul(challenges.beta, w);
+
+ let num1 = buffers.A.slice(i_sFr, i_sFr + sFr);
+ num1 = Fr.add(num1, betaw);
+ num1 = Fr.add(num1, challenges.gamma);
+
+ let num2 = buffers.B.slice(i_sFr, i_sFr + sFr);
+ num2 = Fr.add(num2, Fr.mul(zkey.k1, betaw));
+ num2 = Fr.add(num2, challenges.gamma);
+
+ let num3 = buffers.C.slice(i_sFr, i_sFr + sFr);
+ num3 = Fr.add(num3, Fr.mul(zkey.k2, betaw));
+ num3 = Fr.add(num3, challenges.gamma);
+
+ let num = Fr.mul(num1, Fr.mul(num2, num3));
+
+ // denArr := (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)
+ let den1 = buffers.A.slice(i_sFr, i_sFr + sFr);
+ den1 = Fr.add(den1, Fr.mul(challenges.beta, evaluations.Sigma1.getEvaluation(i * 4)));
+ den1 = Fr.add(den1, challenges.gamma);
+
+ let den2 = buffers.B.slice(i_sFr, i_sFr + sFr);
+ den2 = Fr.add(den2, Fr.mul(challenges.beta, evaluations.Sigma2.getEvaluation(i * 4)));
+ den2 = Fr.add(den2, challenges.gamma);
+
+ let den3 = buffers.C.slice(i_sFr, i_sFr + sFr);
+ den3 = Fr.add(den3, Fr.mul(challenges.beta, evaluations.Sigma3.getEvaluation(i * 4)));
+ den3 = Fr.add(den3, challenges.gamma);
+
+ let den = Fr.mul(den1, Fr.mul(den2, den3));
+
+ // Multiply current num value with the previous one saved in numArr
+ num = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), num);
+ numArr.set(num, ((i + 1) % zkey.domainSize) * sFr);
+
+ // Multiply current den value with the previous one saved in denArr
+ den = Fr.mul(denArr.slice(i_sFr, i_sFr + sFr), den);
+ denArr.set(den, ((i + 1) % zkey.domainSize) * sFr);
+
+ // Next omega
+ w = Fr.mul(w, Fr.w[zkey.power]);
+ }
+ // Compute the inverse of denArr to compute in the next command the
+ // division numArr/denArr by multiplying num · 1/denArr
+ denArr = await Fr.batchInverse(denArr);
+
+ // TODO: Do it in assembly and in parallel
+ // Multiply numArr · denArr where denArr was inverted in the previous command
+ for (let i = 0; i < zkey.domainSize; i++) {
+ const i_sFr = i * sFr;
+
+ const z = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), denArr.slice(i_sFr, i_sFr + sFr));
+ numArr.set(z, i_sFr);
+ }
+ // From now on the values saved on numArr will be Z(X) buffer
+ buffers.Z = numArr;
+
+ if (!Fr.eq(numArr.slice(0, sFr), Fr.one)) {
+ throw new Error("Copy constraints does not match");
+ }
+
+ // Compute polynomial coefficients z(X) from buffers.Z
+ if (logger) logger.info("··· Computing Z ifft");
+ polynomials.Z = await Polynomial.fromEvaluations(buffers.Z, curve, logger);
+
+ // Compute extended evaluations of z(X) polynomial
+ if (logger) logger.info("··· Computing Z fft");
+ evaluations.Z = await Evaluations.fromPolynomial(polynomials.Z, 4, curve, logger);
+
+ // Blind z(X) polynomial coefficients with blinding scalars b
+ polynomials.Z.blindCoefficients([challenges.b[9], challenges.b[8], challenges.b[7]]);
+
+ // Check degree
+ if (polynomials.Z.degree() >= zkey.domainSize + 3) {
+ throw new Error("Z Polynomial is not well calculated");
+ }
+
+ delete buffers.Z;
+ }
+
+ async function computeT1() {
+ if (logger) logger.info("··· Computing T1 evaluations");
+
+ buffers.T1 = new ffjavascript.BigBuffer(sDomain * 2);
+ buffers.T1z = new ffjavascript.BigBuffer(sDomain * 2);
+
+ // Set initial omega
+ let omega = Fr.one;
+ for (let i = 0; i < zkey.domainSize * 2; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T1 evaluation ${i}/${zkey.domainSize * 4}`);
+
+ const omega2 = Fr.square(omega);
+
+ const z = evaluations.Z.getEvaluation(i * 2);
+ const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
+
+ // T1(X) := (z(X) - 1) · L_1(X)
+ // Compute first T1(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+ const lagrange1 = evaluations.lagrange1.getEvaluation(zkey.domainSize + i * 2);
+ let t1 = Fr.mul(Fr.sub(z, Fr.one), lagrange1);
+ let t1z = Fr.mul(zp, lagrange1);
+
+ buffers.T1.set(t1, i * sFr);
+ buffers.T1z.set(t1z, i * sFr);
+
+ // Compute next omega
+ omega = Fr.mul(omega, Fr.w[zkey.power + 1]);
+ }
+
+ // Compute the coefficients of the polynomial T1(X) from buffers.T1
+ if (logger) logger.info("··· Computing T1 ifft");
+ polynomials.T1 = await Polynomial.fromEvaluations(buffers.T1, curve, logger);
+
+ // Divide the polynomial T1 by Z_H(X)
+ polynomials.T1.divByZerofier(zkey.domainSize, Fr.one);
+
+ // Compute the coefficients of the polynomial T1z(X) from buffers.T1z
+ if (logger) logger.info("··· Computing T1z ifft");
+ polynomials.T1z = await Polynomial.fromEvaluations(buffers.T1z, curve, logger);
+
+ // Add the polynomial T1z to T1 to get the final polynomial T1
+ polynomials.T1.add(polynomials.T1z);
+
+ // Check degree
+ if (polynomials.T1.degree() >= zkey.domainSize + 2) {
+ throw new Error("T1 Polynomial is not well calculated");
+ }
+
+ delete buffers.T1;
+ delete buffers.T1z;
+ delete polynomials.T1z;
+ }
+
+ async function computeT2() {
+ if (logger) logger.info("··· Computing T2 evaluations");
+
+ buffers.T2 = new ffjavascript.BigBuffer(sDomain * 4);
+ buffers.T2z = new ffjavascript.BigBuffer(sDomain * 4);
+
+ // Set initial omega
+ let omega = Fr.one;
+ for (let i = 0; i < zkey.domainSize * 4; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T2 evaluation ${i}/${zkey.domainSize * 4}`);
+
+ const omega2 = Fr.square(omega);
+ const omegaW = Fr.mul(omega, Fr.w[zkey.power]);
+ const omegaW2 = Fr.square(omegaW);
+
+ const a = evaluations.A.getEvaluation(i);
+ const b = evaluations.B.getEvaluation(i);
+ const c = evaluations.C.getEvaluation(i);
+ const z = evaluations.Z.getEvaluation(i);
+ const zW = evaluations.Z.getEvaluation((zkey.domainSize * 4 + 4 + i) % (zkey.domainSize * 4));
+
+ const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
+ const zWp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omegaW2), Fr.mul(challenges.b[8], omegaW)), challenges.b[9]);
+
+ const sigma1 = evaluations.Sigma1.getEvaluation(i);
+ const sigma2 = evaluations.Sigma2.getEvaluation(i);
+ const sigma3 = evaluations.Sigma3.getEvaluation(i);
+
+ // T2(X) := [ (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
+ // -(a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)] · 1/Z_H(X)
+ // Compute first T2(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+
+ // expression 1 -> (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
+ const betaX = Fr.mul(challenges.beta, omega);
+
+ let e11 = Fr.add(a, betaX);
+ e11 = Fr.add(e11, challenges.gamma);
+
+ let e12 = Fr.add(b, Fr.mul(betaX, zkey.k1));
+ e12 = Fr.add(e12, challenges.gamma);
+
+ let e13 = Fr.add(c, Fr.mul(betaX, zkey.k2));
+ e13 = Fr.add(e13, challenges.gamma);
+
+ let e1 = Fr.mul(Fr.mul(Fr.mul(e11, e12), e13), z);
+ let e1z = Fr.mul(Fr.mul(Fr.mul(e11, e12), e13), zp);
+ // const [e1, e1z] = MulZ.mul4(e11, e12, e13, z, ap, bp, cp, zp, i % 4, Fr);
+
+ // expression 2 -> (a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)
+ let e21 = Fr.add(a, Fr.mul(challenges.beta, sigma1));
+ e21 = Fr.add(e21, challenges.gamma);
+
+ let e22 = Fr.add(b, Fr.mul(challenges.beta, sigma2));
+ e22 = Fr.add(e22, challenges.gamma);
+
+ let e23 = Fr.add(c, Fr.mul(challenges.beta, sigma3));
+ e23 = Fr.add(e23, challenges.gamma);
+
+ let e2 = Fr.mul(Fr.mul(Fr.mul(e21, e22), e23), zW);
+ let e2z = Fr.mul(Fr.mul(Fr.mul(e21, e22), e23), zWp);
+ // const [e2, e2z] = MulZ.mul4(e21, e22, e23, zW, ap, bp, cp, zWp, i % 4, Fr);
+
+ let t2 = Fr.sub(e1, e2);
+ let t2z = Fr.sub(e1z, e2z);
+
+ buffers.T2.set(t2, i * sFr);
+ buffers.T2z.set(t2z, i * sFr);
+
+ // Compute next omega
+ omega = Fr.mul(omega, Fr.w[zkey.power + 2]);
+ }
+
+ // Compute the coefficients of the polynomial T2(X) from buffers.T2
+ if (logger) logger.info("··· Computing T2 ifft");
+ polynomials.T2 = await Polynomial.fromEvaluations(buffers.T2, curve, logger);
+
+ // Divide the polynomial T2 by Z_H(X)
+ if (logger) logger.info("··· Computing T2 / ZH");
+ polynomials.T2.divByZerofier(zkey.domainSize, Fr.one);
+
+ // Compute the coefficients of the polynomial T2z(X) from buffers.T2z
+ if (logger) logger.info("··· Computing T2z ifft");
+ polynomials.T2z = await Polynomial.fromEvaluations(buffers.T2z, curve, logger);
+
+ // Add the polynomial T2z to T2 to get the final polynomial T2
+ polynomials.T2.add(polynomials.T2z);
+
+ // Check degree
+ if (polynomials.T2.degree() >= 3 * zkey.domainSize) {
+ throw new Error("T2 Polynomial is not well calculated");
+ }
+
+ delete buffers.T2;
+ delete buffers.T2z;
+ delete polynomials.T2z;
+ }
+
+ async function computeC2() {
+ let C2 = new CPolynomial(3, curve, logger);
+ C2.addPolynomial(0, polynomials.Z);
+ C2.addPolynomial(1, polynomials.T1);
+ C2.addPolynomial(2, polynomials.T2);
+
+ polynomials.C2 = C2.getPolynomial();
+
+ // Check degree
+ if (polynomials.C2.degree() >= 9 * zkey.domainSize) {
+ throw new Error("C2 Polynomial is not well calculated");
+ }
+ }
+ }
+
+ async function round3() {
+ if (logger) logger.info("> Computing challenge xi");
+ // STEP 3.1 - Compute evaluation challenge xi ∈ S
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.gamma);
+ transcript.addPolCommitment(proof.getPolynomial("C2"));
+
+ // Obtain a xi_seeder from the transcript
+ // To force h1^4 = xi, h2^3 = xi and h_3^2 = xiω
+ // we compute xi = xi_seeder^12, h1 = xi_seeder^3, h2 = xi_seeder^4 and h3 = xi_seeder^6
+ challenges.xiSeed = transcript.getChallenge();
+ const xiSeed2 = Fr.square(challenges.xiSeed);
+
+ // Compute omega8, omega4 and omega3
+ roots.w8 = [];
+ roots.w8[0] = Fr.one;
+ for (let i = 1; i < 8; i++) {
+ roots.w8[i] = Fr.mul(roots.w8[i - 1], zkey.w8);
+ }
+
+ roots.w4 = [];
+ roots.w4[0] = Fr.one;
+ for (let i = 1; i < 4; i++) {
+ roots.w4[i] = Fr.mul(roots.w4[i - 1], zkey.w4);
+ }
+
+ roots.w3 = [];
+ roots.w3[0] = Fr.one;
+ roots.w3[1] = zkey.w3;
+ roots.w3[2] = Fr.square(zkey.w3);
+
+ // Compute h0 = xiSeeder^3
+ roots.S0 = {};
+ roots.S0.h0w8 = [];
+ roots.S0.h0w8[0] = Fr.mul(xiSeed2, challenges.xiSeed);
+ for (let i = 1; i < 8; i++) {
+ roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], roots.w8[i]);
+ }
+
+ // Compute h1 = xi_seeder^6
+ roots.S1 = {};
+ roots.S1.h1w4 = [];
+ roots.S1.h1w4[0] = Fr.square(roots.S0.h0w8[0]);
+ for (let i = 1; i < 4; i++) {
+ roots.S1.h1w4[i] = Fr.mul(roots.S1.h1w4[0], roots.w4[i]);
+ }
+
+ // Compute h2 = xi_seeder^8
+ roots.S2 = {};
+ roots.S2.h2w3 = [];
+ roots.S2.h2w3[0] = Fr.mul(roots.S1.h1w4[0], xiSeed2);
+ roots.S2.h2w3[1] = Fr.mul(roots.S2.h2w3[0], roots.w3[1]);
+ roots.S2.h2w3[2] = Fr.mul(roots.S2.h2w3[0], roots.w3[2]);
+
+ roots.S2.h3w3 = [];
+ // Multiply h3 by third-root-omega to obtain h_3^3 = xiω
+ // So, h3 = xi_seeder^8 ω^{1/3}
+ roots.S2.h3w3[0] = Fr.mul(roots.S2.h2w3[0], zkey.wr);
+ roots.S2.h3w3[1] = Fr.mul(roots.S2.h3w3[0], roots.w3[1]);
+ roots.S2.h3w3[2] = Fr.mul(roots.S2.h3w3[0], roots.w3[2]);
+
+ // Compute xi = xi_seeder^24
+ challenges.xi = Fr.mul(Fr.square(roots.S2.h2w3[0]), roots.S2.h2w3[0]);
+
+ if (logger) logger.info("··· challenges.xi: " + Fr.toString(challenges.xi));
+
+ // Reserve memory for Q's polynomials
+ polynomials.QL = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.QR = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.QM = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.QO = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+ polynomials.QC = new Polynomial(new ffjavascript.BigBuffer(sDomain), curve, logger);
+
+ // Read Q's evaluations from zkey file
+ await fdZKey.readToBuffer(polynomials.QL.coef, 0, sDomain, zkeySections[ZKEY_FF_QL_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QR.coef, 0, sDomain, zkeySections[ZKEY_FF_QR_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QM.coef, 0, sDomain, zkeySections[ZKEY_FF_QM_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QO.coef, 0, sDomain, zkeySections[ZKEY_FF_QO_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QC.coef, 0, sDomain, zkeySections[ZKEY_FF_QC_SECTION][0].p);
+
+ // STEP 3.2 - Compute opening evaluations and add them to the proof (third output of the prover)
+ if (logger) logger.info("··· Computing evaluations");
+ proof.addEvaluation("ql", polynomials.QL.evaluate(challenges.xi));
+ proof.addEvaluation("qr", polynomials.QR.evaluate(challenges.xi));
+ proof.addEvaluation("qm", polynomials.QM.evaluate(challenges.xi));
+ proof.addEvaluation("qo", polynomials.QO.evaluate(challenges.xi));
+ proof.addEvaluation("qc", polynomials.QC.evaluate(challenges.xi));
+ proof.addEvaluation("s1", polynomials.Sigma1.evaluate(challenges.xi));
+ proof.addEvaluation("s2", polynomials.Sigma2.evaluate(challenges.xi));
+ proof.addEvaluation("s3", polynomials.Sigma3.evaluate(challenges.xi));
+ proof.addEvaluation("a", polynomials.A.evaluate(challenges.xi));
+ proof.addEvaluation("b", polynomials.B.evaluate(challenges.xi));
+ proof.addEvaluation("c", polynomials.C.evaluate(challenges.xi));
+ proof.addEvaluation("z", polynomials.Z.evaluate(challenges.xi));
+
+ challenges.xiw = Fr.mul(challenges.xi, Fr.w[zkey.power]);
+ proof.addEvaluation("zw", polynomials.Z.evaluate(challenges.xiw));
+ proof.addEvaluation("t1w", polynomials.T1.evaluate(challenges.xiw));
+ proof.addEvaluation("t2w", polynomials.T2.evaluate(challenges.xiw));
+ }
+
+ async function round4() {
+ if (logger) logger.info("> Computing challenge alpha");
+ // STEP 4.1 - Compute challenge alpha ∈ F
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.xiSeed);
+ transcript.addScalar(proof.getEvaluation("ql"));
+ transcript.addScalar(proof.getEvaluation("qr"));
+ transcript.addScalar(proof.getEvaluation("qm"));
+ transcript.addScalar(proof.getEvaluation("qo"));
+ transcript.addScalar(proof.getEvaluation("qc"));
+ transcript.addScalar(proof.getEvaluation("s1"));
+ transcript.addScalar(proof.getEvaluation("s2"));
+ transcript.addScalar(proof.getEvaluation("s3"));
+ transcript.addScalar(proof.getEvaluation("a"));
+ transcript.addScalar(proof.getEvaluation("b"));
+ transcript.addScalar(proof.getEvaluation("c"));
+ transcript.addScalar(proof.getEvaluation("z"));
+ transcript.addScalar(proof.getEvaluation("zw"));
+ transcript.addScalar(proof.getEvaluation("t1w"));
+ transcript.addScalar(proof.getEvaluation("t2w"));
+ challenges.alpha = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
+
+ // STEP 4.2 - Compute F(X)
+ if (logger) logger.info("> Reading C0 polynomial");
+ polynomials.C0 = new Polynomial(new ffjavascript.BigBuffer(sDomain * 8), curve, logger);
+ await fdZKey.readToBuffer(polynomials.C0.coef, 0, sDomain * 8, zkeySections[ZKEY_FF_C0_SECTION][0].p);
+
+ if (logger) logger.info("> Computing R0 polynomial");
+ computeR0();
+ if (logger) logger.info("> Computing R1 polynomial");
+ computeR1();
+ if (logger) logger.info("> Computing R2 polynomial");
+ computeR2();
+
+ if (logger) logger.info("> Computing F polynomial");
+ await computeF();
+
+ // The fourth output of the prover is ([W1]_1), where W1:=(f/Z_t)(x)
+ if (logger) logger.info("> Computing W1 multi exponentiation");
+ let commitW1 = await polynomials.F.multiExponentiation(PTau, "W1");
+ proof.addPolynomial("W1", commitW1);
+
+ return 0;
+
+ function computeR0() {
+ // COMPUTE R0
+ // Compute the coefficients of R0(X) from 8 evaluations using lagrange interpolation. R0(X) ∈ F_{<8}[X]
+ // We decide to use Lagrange interpolations because the R0 degree is very small (deg(R0)===7),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R0 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
+ roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7]],
+ [polynomials.C0.evaluate(roots.S0.h0w8[0]), polynomials.C0.evaluate(roots.S0.h0w8[1]),
+ polynomials.C0.evaluate(roots.S0.h0w8[2]), polynomials.C0.evaluate(roots.S0.h0w8[3]),
+ polynomials.C0.evaluate(roots.S0.h0w8[4]), polynomials.C0.evaluate(roots.S0.h0w8[5]),
+ polynomials.C0.evaluate(roots.S0.h0w8[6]), polynomials.C0.evaluate(roots.S0.h0w8[7])], curve);
+
+ // Check the degree of r0(X) < 8
+ if (polynomials.R0.degree() > 7) {
+ throw new Error("R0 Polynomial is not well calculated");
+ }
+ }
+
+ function computeR1() {
+ // COMPUTE R1
+ // Compute the coefficients of R1(X) from 4 evaluations using lagrange interpolation. R1(X) ∈ F_{<4}[X]
+ // We decide to use Lagrange interpolations because the R1 degree is very small (deg(R1)===3),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R1 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
+ [polynomials.C1.evaluate(roots.S1.h1w4[0]), polynomials.C1.evaluate(roots.S1.h1w4[1]),
+ polynomials.C1.evaluate(roots.S1.h1w4[2]), polynomials.C1.evaluate(roots.S1.h1w4[3])], curve);
+
+ // Check the degree of r1(X) < 4
+ if (polynomials.R1.degree() > 3) {
+ throw new Error("R1 Polynomial is not well calculated");
+ }
+ }
+
+ function computeR2() {
+ // COMPUTE R2
+ // Compute the coefficients of r2(X) from 6 evaluations using lagrange interpolation. r2(X) ∈ F_{<6}[X]
+ // We decide to use Lagrange interpolations because the R2.degree is very small (deg(R2)===5),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R2 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
+ [polynomials.C2.evaluate(roots.S2.h2w3[0]), polynomials.C2.evaluate(roots.S2.h2w3[1]),
+ polynomials.C2.evaluate(roots.S2.h2w3[2]), polynomials.C2.evaluate(roots.S2.h3w3[0]),
+ polynomials.C2.evaluate(roots.S2.h3w3[1]), polynomials.C2.evaluate(roots.S2.h3w3[2])], curve);
+
+ // Check the degree of r2(X) < 6
+ if (polynomials.R2.degree() > 5) {
+ throw new Error("R2 Polynomial is not well calculated");
+ }
+ }
+
+ async function computeF() {
+ if (logger) logger.info("··· Computing F polynomial");
+
+ // COMPUTE F(X)
+ polynomials.F = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
+ polynomials.F.sub(polynomials.R0);
+ polynomials.F.divByZerofier(8, challenges.xi);
+
+ let f2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
+ f2.sub(polynomials.R1);
+ f2.mulScalar(challenges.alpha);
+ f2.divByZerofier(4, challenges.xi);
+
+ let f3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
+ f3.sub(polynomials.R2);
+ f3.mulScalar(Fr.square(challenges.alpha));
+ f3.divByZerofier(3, challenges.xi);
+ f3.divByZerofier(3, challenges.xiw);
+
+ polynomials.F.add(f2);
+ polynomials.F.add(f3);
+
+ if (polynomials.F.degree() >= 9 * zkey.domainSize - 6) {
+ throw new Error("F Polynomial is not well calculated");
+ }
+ }
+ }
+
+ async function round5() {
+ if (logger) logger.info("> Computing challenge y");
+
+ // STEP 5.1 - Compute random evaluation point y ∈ F
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.alpha);
+ transcript.addPolCommitment(proof.getPolynomial("W1"));
+
+ challenges.y = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.y: " + Fr.toString(challenges.y));
+
+ // STEP 5.2 - Compute L(X)
+ if (logger) logger.info("> Computing L polynomial");
+ await computeL();
+
+ if (logger) logger.info("> Computing ZTS2 polynomial");
+ await computeZTS2();
+
+ let ZTS2Y = polynomials.ZTS2.evaluate(challenges.y);
+ ZTS2Y = Fr.inv(ZTS2Y);
+ polynomials.L.mulScalar(ZTS2Y);
+
+ const polDividend = Polynomial.fromCoefficientsArray([Fr.neg(challenges.y), Fr.one], curve);
+ if (logger) logger.info("> Computing W' = L / ZTS2 polynomial");
+ const polRemainder = polynomials.L.divBy(polDividend);
+
+ //Check polReminder degree is equal to zero
+ if (polRemainder.degree() > 0) {
+ throw new Error(`Degree of L(X)/(ZTS2(y)(X-y)) remainder is ${polRemainder.degree()} and should be 0`);
+ }
+
+ if (polynomials.L.degree() >= 9 * zkey.domainSize - 1) {
+ throw new Error("Degree of L(X)/(ZTS2(y)(X-y)) is not correct");
+ }
+
+ // The fifth output of the prover is ([W2]_1), where W2:=(f/Z_t)(x)
+ if (logger) logger.info("> Computing W' multi exponentiation");
+ let commitW2 = await polynomials.L.multiExponentiation(PTau, "W2");
+ proof.addPolynomial("W2", commitW2);
+
+ return 0;
+
+ async function computeL() {
+ if (logger) logger.info("··· Computing L polynomial");
+
+ const evalR0Y = polynomials.R0.evaluate(challenges.y);
+ const evalR1Y = polynomials.R1.evaluate(challenges.y);
+ const evalR2Y = polynomials.R2.evaluate(challenges.y);
+
+ let mulL0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
+ for (let i = 1; i < 8; i++) {
+ mulL0 = Fr.mul(mulL0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
+ }
+
+ let mulL1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
+ for (let i = 1; i < 4; i++) {
+ mulL1 = Fr.mul(mulL1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
+ }
+
+ let mulL2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
+ for (let i = 1; i < 3; i++) {
+ mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
+ }
+ for (let i = 0; i < 3; i++) {
+ mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
+ }
+
+ let preL0 = Fr.mul(mulL1, mulL2);
+ let preL1 = Fr.mul(challenges.alpha, Fr.mul(mulL0, mulL2));
+ let preL2 = Fr.mul(Fr.square(challenges.alpha), Fr.mul(mulL0, mulL1));
+
+ toInverse["denH1"] = mulL1;
+ toInverse["denH2"] = mulL2;
+
+ // COMPUTE L(X)
+ polynomials.L = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
+ polynomials.L.subScalar(evalR0Y);
+ polynomials.L.mulScalar(preL0);
+
+ let l2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
+ l2.subScalar(evalR1Y);
+ l2.mulScalar(preL1);
+
+ let l3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
+ l3.subScalar(evalR2Y);
+ l3.mulScalar(preL2);
+
+ polynomials.L.add(l2);
+ polynomials.L.add(l3);
+
+ if (logger) logger.info("> Computing ZT polynomial");
+ await computeZT();
+
+ const evalZTY = polynomials.ZT.evaluate(challenges.y);
+ polynomials.F.mulScalar(evalZTY);
+ polynomials.L.sub(polynomials.F);
+
+ // Check degree
+ if (polynomials.L.degree() >= 9 * zkey.domainSize) {
+ throw new Error("L Polynomial is not well calculated");
+ }
+
+ delete buffers.L;
+ }
+
+ async function computeZT() {
+ polynomials.ZT = Polynomial.zerofierPolynomial(
+ [
+ roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
+ roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7],
+ roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
+ roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
+ }
+
+ async function computeZTS2() {
+ polynomials.ZTS2 = Polynomial.zerofierPolynomial(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
+ roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
+ }
+ }
+
+ function getMontgomeryBatchedInverse() {
+ // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
+ let xiN = challenges.xi;
+ for (let i = 0; i < zkey.power; i++) {
+ xiN = Fr.square(xiN);
+ }
+ toInverse["zh"] = Fr.sub(xiN, Fr.one);
+
+ // · denominator needed in step 10 and 11 of the verifier
+ // toInverse.denH1 & toInverse.denH2 -> Computed in round5, computeL()
+
+ // · denominator needed in the verifier when computing L_i^{S0}(X), L_i^{S1}(X) and L_i^{S2}(X)
+ for (let i = 0; i < 8; i++) {
+ toInverse["LiS0_" + (i + 1)] = computeLiS0(i);
+ }
+
+ for (let i = 0; i < 4; i++) {
+ toInverse["LiS1_" + (i + 1)] = computeLiS1(i);
+ }
+
+ for (let i = 0; i < 6; i++) {
+ toInverse["LiS2_" + (i + 1)] = computeLiS2(i);
+ }
+
+ // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
+ const size = Math.max(1, zkey.nPublic);
+
+ let w = Fr.one;
+ for (let i = 0; i < size; i++) {
+ toInverse["Li_" + (i + 1)] = Fr.mul(Fr.e(zkey.domainSize), Fr.sub(challenges.xi, w));
+
+ w = Fr.mul(w, zkey.w);
+ }
+
+ let mulAccumulator = Fr.one;
+ for (const element of Object.values(toInverse)) {
+ mulAccumulator = Fr.mul(mulAccumulator, element);
+ }
+ return Fr.inv(mulAccumulator);
+
+ function computeLiS0(i) {
+ // Compute L_i^{(S0)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 7; j++) {
+ idx = (idx + 1) % 8;
+
+ den = Fr.mul(den, Fr.sub(roots.S0.h0w8[i], roots.S0.h0w8[idx]));
+ }
+ return den;
+ }
+
+ function computeLiS1(i) {
+ // Compute L_i^{(S1)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 3; j++) {
+ idx = (idx + 1) % 4;
+
+ den = Fr.mul(den, Fr.sub(roots.S1.h1w4[i], roots.S1.h1w4[idx]));
+ }
+ return den;
+ }
+
+ function computeLiS2(i) {
+ // Compute L_i^{(S1)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 5; j++) {
+ idx = (idx + 1) % 6;
+
+ const root1 = i < 3 ? roots.S2.h2w3[i] : roots.S2.h3w3[i - 3];
+ const root2 = idx < 3 ? roots.S2.h2w3[idx] : roots.S2.h3w3[idx - 3];
+ den = Fr.mul(den, Fr.sub(root1, root2));
+ }
+ return den;
+ }
+ }
+}
+
+/*
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+const {unstringifyBigInts: unstringifyBigInts$2} = ffjavascript.utils;
+
+async function fflonkFullProve(_input, wasmFilename, zkeyFilename, logger) {
+ const input = unstringifyBigInts$2(_input);
+
+ const wtns= {type: "mem"};
+
+ // Compute the witness
+ await wtnsCalculate(input, wasmFilename, wtns);
+
+ // Compute the proof
+ return await fflonkProve(zkeyFilename, wtns, logger);
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+const { unstringifyBigInts: unstringifyBigInts$1 } = ffjavascript.utils;
+
+async function fflonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
+ if (logger) logger.info("FFLONK VERIFIER STARTED");
+
+ _vk_verifier = unstringifyBigInts$1(_vk_verifier);
+ _proof = unstringifyBigInts$1(_proof);
+
+ const curve = await getCurveFromName(_vk_verifier.curve);
+
+ const vk = fromObjectVk(curve, _vk_verifier);
+
+ // TODO ??? Compute wr^3 and check if it matches with w
+
+ const proof = new Proof(curve, logger);
+ proof.fromObjectProof(_proof);
+
+ const publicSignals = unstringifyBigInts$1(_publicSignals);
+
+ if (publicSignals.length !== vk.nPublic) {
+ logger.error("Number of public signals does not match with vk");
+ return false;
+ }
+
+ const Fr = curve.Fr;
+
+ if (logger) {
+ logger.info("----------------------------");
+ logger.info(" FFLONK VERIFY SETTINGS");
+ logger.info(` Curve: ${curve.name}`);
+ logger.info(` Circuit power: ${vk.power}`);
+ logger.info(` Domain size: ${2 ** vk.power}`);
+ logger.info(` Public vars: ${vk.nPublic}`);
+ logger.info("----------------------------");
+ }
+
+ // STEP 1 - Validate that all polynomial commitments ∈ G_1
+ if (logger) logger.info("> Checking commitments belong to G1");
+ if (!commitmentsBelongToG1(curve, proof, vk)) {
+ logger.error("Proof is not well constructed");
+ return false;
+ }
+
+ // TODO
+ // STEP 2 - Validate that all evaluations ∈ F
+
+ // TODO
+ // STEP 3 - Validate that w_i ∈ F for i ∈ [l]
+
+ // STEP 4 - Compute the challenges: beta, gamma, xi, alpha and y ∈ F
+ // as in prover description, from the common preprocessed inputs, public inputs and elements of π_SNARK
+ if (logger) logger.info("> Computing challenges");
+ const { challenges, roots } = computeChallenges(curve, proof, vk, publicSignals, logger);
+
+ // STEP 5 - Compute the zero polynomial evaluation Z_H(xi) = xi^n - 1
+ if (logger) logger.info("> Computing Zero polynomial evaluation Z_H(xi)");
+ challenges.zh = Fr.sub(challenges.xiN, Fr.one);
+ challenges.invzh = Fr.inv(challenges.zh);
+
+ // STEP 6 - Compute the lagrange polynomial evaluation L_1(xi)
+ if (logger) logger.info("> Computing Lagrange evaluations");
+ const lagrangeEvals = await computeLagrangeEvaluations(curve, challenges, vk);
+
+ // STEP 7 - Compute public input evaluation PI(xi)
+ if (logger) logger.info("> Computing polynomial identities PI(X)");
+ const pi = calculatePI(curve, publicSignals, lagrangeEvals);
+
+ // STEP 8 - Compute polynomial r0 ∈ F_{<4}[X]
+ if (logger) logger.info("> Computing r0(y)");
+ const r0 = computeR0(proof, challenges, roots, pi, curve, logger);
+
+ // STEP 9 - Compute polynomial r1 ∈ F_{<4}[X]
+ if (logger) logger.info("> Computing r1(y)");
+ const r1 = computeR1(proof, challenges, roots, pi, curve, logger);
+
+ // STEP 9 - Compute polynomial r2 ∈ F_{<6}[X]
+ if (logger) logger.info("> Computing r2(y)");
+ const r2 = computeR2(proof, challenges, roots, lagrangeEvals[1], vk, curve, logger);
+
+ if (logger) logger.info("> Computing F");
+ const F = computeF(curve, proof, vk, challenges, roots);
+
+ if (logger) logger.info("> Computing E");
+ const E = computeE(curve, proof, challenges, vk, r0, r1, r2);
+
+ if (logger) logger.info("> Computing J");
+ const J = computeJ(curve, proof, challenges);
+
+ if (logger) logger.info("> Validate all evaluations with a pairing");
+ const res = await isValidPairing(curve, proof, challenges, vk, F, E, J);
+
+ if (logger) {
+ if (res) {
+ logger.info("PROOF VERIFIED SUCCESSFULLY");
+ } else {
+ logger.warn("Invalid Proof");
+ }
+ }
+
+ if (logger) logger.info("FFLONK VERIFIER FINISHED");
+
+ return res;
+
+}
+
+function fromObjectVk(curve, vk) {
+ const res = vk;
+ res.k1 = curve.Fr.fromObject(vk.k1);
+ res.k2 = curve.Fr.fromObject(vk.k2);
+ res.w = curve.Fr.fromObject(vk.w);
+ // res.wW = curve.Fr.fromObject(vk.wW);
+ res.w3 = curve.Fr.fromObject(vk.w3);
+ res.w4 = curve.Fr.fromObject(vk.w4);
+ res.w8 = curve.Fr.fromObject(vk.w8);
+ res.wr = curve.Fr.fromObject(vk.wr);
+ res.X_2 = curve.G2.fromObject(vk.X_2);
+ res.C0 = curve.G1.fromObject(vk.C0);
+ return res;
+}
+
+function commitmentsBelongToG1(curve, proof, vk) {
+ const G1 = curve.G1;
+ return G1.isValid(proof.polynomials.C1)
+ && G1.isValid(proof.polynomials.C2)
+ && G1.isValid(proof.polynomials.W1)
+ && G1.isValid(proof.polynomials.W2)
+ && G1.isValid(vk.C0);
+}
+
+function computeChallenges(curve, proof, vk, publicSignals, logger) {
+ const Fr = curve.Fr;
+
+ const challenges = {};
+ const roots = {};
+ const transcript = new Keccak256Transcript(curve);
+
+ // Add C0 to the transcript
+ transcript.addPolCommitment(vk.C0);
+
+ for (let i = 0; i < publicSignals.length; i++) {
+ transcript.addScalar(Fr.e(publicSignals[i]));
+ }
+
+ transcript.addPolCommitment(proof.polynomials.C1);
+ challenges.beta = transcript.getChallenge();
+ transcript.reset();
+
+ transcript.addScalar(challenges.beta);
+ challenges.gamma = transcript.getChallenge();
+
+ transcript.reset();
+ transcript.addScalar(challenges.gamma);
+ transcript.addPolCommitment(proof.polynomials.C2);
+ const xiSeed = transcript.getChallenge();
+ const xiSeed2 = Fr.square(xiSeed);
+
+ let w8 = [];
+ w8[1] = vk.w8;
+ w8[2] = Fr.square(vk.w8);
+ w8[3] = Fr.mul(w8[2], vk.w8);
+ w8[4] = Fr.mul(w8[3], vk.w8);
+ w8[5] = Fr.mul(w8[4], vk.w8);
+ w8[6] = Fr.mul(w8[5], vk.w8);
+ w8[7] = Fr.mul(w8[6], vk.w8);
+ let w4 = [];
+ w4[1] = vk.w4;
+ w4[2] = Fr.square(vk.w4);
+ w4[3] = Fr.mul(w4[2], vk.w4);
+ let w3 = [];
+ w3[1] = vk.w3;
+ w3[2] = Fr.square(vk.w3);
+
+ // const w4_2 = Fr.square(vk.w4);
+ // const w4_3 = Fr.mul(w4_2, vk.w4);
+ // const w3_2 = Fr.square(vk.w3);
+
+ // Compute h0 = xiSeeder^3
+ roots.S0 = {};
+ roots.S0.h0w8 = [];
+ roots.S0.h0w8[0] = Fr.mul(xiSeed2, xiSeed);
+ for (let i = 1; i < 8; i++) {
+ roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], w8[i]);
+ }
+
+ // Compute h1 = xi_seeder^6
+ roots.S1 = {};
+ roots.S1.h1w4 = [];
+ roots.S1.h1w4[0] = Fr.square(roots.S0.h0w8[0]);
+ for (let i = 1; i < 4; i++) {
+ roots.S1.h1w4[i] = Fr.mul(roots.S1.h1w4[0], w4[i]);
+ }
+
+ // Compute h2 = xi_seeder^8
+ roots.S2 = {};
+ roots.S2.h2w3 = [];
+ roots.S2.h2w3[0] = Fr.mul(roots.S1.h1w4[0], xiSeed2);
+ roots.S2.h2w3[1] = Fr.mul(roots.S2.h2w3[0], w3[1]);
+ roots.S2.h2w3[2] = Fr.mul(roots.S2.h2w3[0], w3[2]);
+
+ roots.S2.h3w3 = [];
+ // Multiply h3 by third-root-omega to obtain h_3^3 = xiω
+ // So, h3 = xi_seeder^8 ω^{1/3}
+ roots.S2.h3w3[0] = Fr.mul(roots.S2.h2w3[0], vk.wr);
+ roots.S2.h3w3[1] = Fr.mul(roots.S2.h3w3[0], w3[1]);
+ roots.S2.h3w3[2] = Fr.mul(roots.S2.h3w3[0], w3[2]);
+
+ // Compute xi = xi_seeder^12
+ challenges.xi = Fr.mul(Fr.square(roots.S2.h2w3[0]), roots.S2.h2w3[0]);
+
+ challenges.xiN = challenges.xi;
+ vk.domainSize = 1;
+ for (let i = 0; i < vk.power; i++) {
+ challenges.xiN = Fr.square(challenges.xiN);
+ vk.domainSize *= 2;
+ }
+
+ transcript.reset();
+ transcript.addScalar(xiSeed);
+ transcript.addScalar(proof.evaluations.ql);
+ transcript.addScalar(proof.evaluations.qr);
+ transcript.addScalar(proof.evaluations.qm);
+ transcript.addScalar(proof.evaluations.qo);
+ transcript.addScalar(proof.evaluations.qc);
+ transcript.addScalar(proof.evaluations.s1);
+ transcript.addScalar(proof.evaluations.s2);
+ transcript.addScalar(proof.evaluations.s3);
+ transcript.addScalar(proof.evaluations.a);
+ transcript.addScalar(proof.evaluations.b);
+ transcript.addScalar(proof.evaluations.c);
+ transcript.addScalar(proof.evaluations.z);
+ transcript.addScalar(proof.evaluations.zw);
+ transcript.addScalar(proof.evaluations.t1w);
+ transcript.addScalar(proof.evaluations.t2w);
+ challenges.alpha = transcript.getChallenge();
+
+ transcript.reset();
+ transcript.addScalar(challenges.alpha);
+ transcript.addPolCommitment(proof.polynomials.W1);
+ challenges.y = transcript.getChallenge();
+
+ if (logger) {
+ logger.info("··· challenges.beta: " + Fr.toString(challenges.beta));
+ logger.info("··· challenges.gamma: " + Fr.toString(challenges.gamma));
+ logger.info("··· challenges.xi: " + Fr.toString(challenges.xi));
+ logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
+ logger.info("··· challenges.y: " + Fr.toString(challenges.y));
+ }
+
+ return { challenges: challenges, roots: roots };
+}
+
+async function computeLagrangeEvaluations(curve, challenges, vk) {
+ const Fr = curve.Fr;
+
+ const size = Math.max(1, vk.nPublic);
+ const numArr = new ffjavascript.BigBuffer(size * Fr.n8);
+ let denArr = new ffjavascript.BigBuffer(size * Fr.n8);
+
+ let w = Fr.one;
+ for (let i = 0; i < size; i++) {
+ const i_sFr = i * Fr.n8;
+ numArr.set(Fr.mul(w, challenges.zh), i_sFr);
+ denArr.set(Fr.mul(Fr.e(vk.domainSize), Fr.sub(challenges.xi, w)), i_sFr);
+ w = Fr.mul(w, vk.w);
+ }
+
+ denArr = await Fr.batchInverse(denArr);
+
+ let L = [];
+ for (let i = 0; i < size; i++) {
+ const i_sFr = i * Fr.n8;
+ L[i + 1] = Fr.mul(numArr.slice(i_sFr, i_sFr + Fr.n8), denArr.slice(i_sFr, i_sFr + Fr.n8));
+ }
+ return L;
+}
+
+function calculatePI(curve, publicSignals, lagrangeEvals) {
+ const Fr = curve.Fr;
+
+ let pi = Fr.zero;
+ for (let i = 0; i < publicSignals.length; i++) {
+ const w = Fr.e(publicSignals[i]);
+ pi = Fr.sub(pi, Fr.mul(w, lagrangeEvals[i + 1]));
+ }
+ return pi;
+}
+
+function computeR0(proof, challenges, roots, pi, curve, logger) {
+ const Fr = curve.Fr;
+
+ // r0(y) = ∑_1^8 C_0(h_0 ω_8^{i-1}) L_i(y). To this end we need to compute
+
+ // Compute the 8 C0 values
+ if (logger) logger.info("··· Computing C0(h_0ω_8^i) values");
+
+ let c0Values = [];
+ for (let i = 0; i < 8; i++) {
+ let coefValues = [];
+ coefValues[1] = roots.S0.h0w8[i];
+ for (let j = 2; j < 8; j++) {
+ coefValues[j] = Fr.mul(coefValues[j - 1], roots.S0.h0w8[i]);
+ }
+
+ c0Values[i] = Fr.add(proof.evaluations.ql, Fr.mul(proof.evaluations.qr, coefValues[1]));
+ c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.qo, coefValues[2]));
+ c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.qm, coefValues[3]));
+ c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.qc, coefValues[4]));
+ c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.s1, coefValues[5]));
+ c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.s2, coefValues[6]));
+ c0Values[i] = Fr.add(c0Values[i], Fr.mul(proof.evaluations.s3, coefValues[7]));
+ }
+
+ // Interpolate a polynomial with the points computed previously
+ const R0 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
+ roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7]],
+ c0Values, curve);
+
+ // Check the degree of r1(X) < 4
+ if (R0.degree() > 7) {
+ throw new Error("R0 Polynomial is not well calculated");
+ }
+
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r0(y)");
+ return R0.evaluate(challenges.y);
+}
+
+function computeR1(proof, challenges, roots, pi, curve, logger) {
+ const Fr = curve.Fr;
+
+ // r1(y) = ∑_1^4 C_1(h_1 ω_4^{i-1}) L_i(y). To this end we need to compute
+ // Z1 = {C1(h_1}, C1(h_1 ω_4), C1(h_1 ω_4^2), C1(h_1 ω_4^3)}
+ // where C_1(h_1 ω_4^{i-1}) = eval.a + h_1 ω_4^i eval.b + (h_1 ω_4^i)^2 eval.c + (h_1 ω_4^i)^3 T0(xi),
+ // where T0(xi) = [ qL·a + qR·b + qM·a·b + qO·c + qC + PI(xi) ] / Z_H(xi)
+
+ // Compute T0(xi)
+ if (logger) logger.info("··· Computing T0(xi)");
+ let t0 = Fr.mul(proof.evaluations.ql, proof.evaluations.a);
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qr, proof.evaluations.b));
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qm, Fr.mul(proof.evaluations.a, proof.evaluations.b)));
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qo, proof.evaluations.c));
+ t0 = Fr.add(t0, proof.evaluations.qc);
+ t0 = Fr.add(t0, pi);
+ t0 = Fr.mul(t0, challenges.invzh);
+
+ // Compute the 4 C1 values
+ if (logger) logger.info("··· Computing C1(h_1ω_4^i) values");
+
+ let c1Values = [];
+ for (let i = 0; i < 4; i++) {
+ c1Values[i] = proof.evaluations.a;
+ c1Values[i] = Fr.add(c1Values[i], Fr.mul(roots.S1.h1w4[i], proof.evaluations.b));
+ const h1w4Squared = Fr.square(roots.S1.h1w4[i]);
+ c1Values[i] = Fr.add(c1Values[i], Fr.mul(h1w4Squared, proof.evaluations.c));
+ c1Values[i] = Fr.add(c1Values[i], Fr.mul(Fr.mul(h1w4Squared, roots.S1.h1w4[i]), t0));
+ }
+
+ // Interpolate a polynomial with the points computed previously
+ const R1 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
+ c1Values, curve);
+
+ // Check the degree of r1(X) < 4
+ if (R1.degree() > 3) {
+ throw new Error("R1 Polynomial is not well calculated");
+ }
+
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r1(y)");
+ return R1.evaluate(challenges.y);
+}
+
+function computeR2(proof, challenges, roots, lagrange1, vk, curve, logger) {
+ const Fr = curve.Fr;
+
+ // r2(y) = ∑_1^3 C_2(h_2 ω_3^{i-1}) L_i(y) + ∑_1^3 C_2(h_3 ω_3^{i-1}) L_{i+3}(y). To this end we need to compute
+ // Z2 = {[C2(h_2}, C2(h_2 ω_3), C2(h_2 ω_3^2)], [C2(h_3}, C2(h_3 ω_3), C2(h_3 ω_3^2)]}
+ // where C_2(h_2 ω_3^{i-1}) = eval.z + h_2 ω_2^i T1(xi) + (h_2 ω_3^i)^2 T2(xi),
+ // where C_2(h_3 ω_3^{i-1}) = eval.z + h_3 ω_2^i T1(xi) + (h_3 ω_3^i)^2 T2(xi),
+ // where T1(xi) = [ L_1(xi)(z-1)] / Z_H(xi)
+ // and T2(xi) = [ (a + beta·xi + gamma)(b + beta·xi·k1 + gamma)(c + beta·xi·k2 + gamma)z
+ // - (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)zω ] / Z_H(xi)
+
+ // Compute T1(xi)
+ if (logger) logger.info("··· Computing T1(xi)");
+ let t1 = Fr.sub(proof.evaluations.z, Fr.one);
+ t1 = Fr.mul(t1, lagrange1);
+ t1 = Fr.mul(t1, challenges.invzh);
+
+ // Compute T2(xi)
+ if (logger) logger.info("··· Computing T2(xi)");
+ const betaxi = Fr.mul(challenges.beta, challenges.xi);
+ const t211 = Fr.add(proof.evaluations.a, Fr.add(betaxi, challenges.gamma));
+ const t212 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(betaxi, vk.k1), challenges.gamma));
+ const t213 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(betaxi, vk.k2), challenges.gamma));
+ const t21 = Fr.mul(t211, Fr.mul(t212, Fr.mul(t213, proof.evaluations.z)));
+
+ const t221 = Fr.add(proof.evaluations.a, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s1), challenges.gamma));
+ const t222 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s2), challenges.gamma));
+ const t223 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s3), challenges.gamma));
+ const t22 = Fr.mul(t221, Fr.mul(t222, Fr.mul(t223, proof.evaluations.zw)));
+
+ let t2 = Fr.sub(t21, t22);
+ t2 = Fr.mul(t2, challenges.invzh);
+
+ // Compute the 6 C2 values
+ if (logger) logger.info("··· Computing C2(h_2ω_3^i) values");
+ let c2Values = [];
+ for (let i = 0; i < 3; i++) {
+ c2Values[i] = Fr.add(proof.evaluations.z, Fr.mul(roots.S2.h2w3[i], t1));
+ c2Values[i] = Fr.add(c2Values[i], Fr.mul(Fr.square(roots.S2.h2w3[i]), t2));
+ }
+
+ if (logger) logger.info("··· Computing C2(h_3ω_3^i) values");
+ for (let i = 0; i < 3; i++) {
+ c2Values[i + 3] = Fr.add(proof.evaluations.zw, Fr.mul(roots.S2.h3w3[i], proof.evaluations.t1w));
+ c2Values[i + 3] = Fr.add(c2Values[i + 3], Fr.mul(Fr.square(roots.S2.h3w3[i]), proof.evaluations.t2w));
+ }
+
+ // Interpolate a polynomial with the points computed previously
+ if (logger) logger.info("··· Computing r2(xi)");
+ const R2 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
+ c2Values, curve);
+
+ // Check the degree of r2(X) < 6
+ if (R2.degree() > 5) {
+ throw new Error("R2 Polynomial is not well calculated");
+ }
+
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r2(y)");
+ return R2.evaluate(challenges.y);
+}
+
+function computeF(curve, proof, vk, challenges, roots) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
+
+ let mulH0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
+ for (let i = 1; i < 8; i++) {
+ mulH0 = Fr.mul(mulH0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
+ }
+
+ challenges.temp = mulH0;
+
+ let mulH1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
+ for (let i = 1; i < 4; i++) {
+ mulH1 = Fr.mul(mulH1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
+ }
+
+ let mulH2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
+ for (let i = 1; i < 3; i++) {
+ mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
+ }
+ for (let i = 0; i < 3; i++) {
+ mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
+ }
+
+ challenges.quotient1 = Fr.mul(challenges.alpha, Fr.div(mulH0, mulH1));
+ challenges.quotient2 = Fr.mul(Fr.square(challenges.alpha), Fr.div(mulH0, mulH2));
+
+ let F2 = G1.timesFr(proof.polynomials.C1, challenges.quotient1);
+ let F3 = G1.timesFr(proof.polynomials.C2, challenges.quotient2);
+
+ return G1.add(vk.C0, G1.add(F2, F3));
+}
+
+function computeE(curve, proof, challenges, vk, r0, r1, r2) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
+
+ let E2 = Fr.mul(r1, challenges.quotient1);
+ let E3 = Fr.mul(r2, challenges.quotient2);
+
+ return G1.timesFr(G1.one, Fr.add(r0, Fr.add(E2, E3)));
+}
+
+function computeJ(curve, proof, challenges) {
+ const G1 = curve.G1;
+
+ return G1.timesFr(proof.polynomials.W1, challenges.temp);
+}
+
+async function isValidPairing(curve, proof, challenges, vk, F, E, J) {
+ const G1 = curve.G1;
+
+ let A1 = G1.timesFr(proof.polynomials.W2, challenges.y);
+ A1 = G1.add(G1.sub(G1.sub(F, E), J), A1);
+ const A2 = curve.G2.one;
+
+ const B1 = proof.polynomials.W2;
+ const B2 = vk.X_2;
+
+ return await curve.pairingEq(G1.neg(A1), A2, B1, B2);
+}
+
+/*
+ Copyright 2021 0KIMS association.
+
+ This file is part of snarkJS.
+
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+*/
+
+const {unstringifyBigInts} = ffjavascript.utils;
+
+function i2hex(i) {
+ return ("0" + i.toString(16)).slice(-2);
+}
+
+function p256(n) {
+ let nstr = n.toString(16);
+ while (nstr.length < 64) nstr = "0" + nstr;
+ nstr = `"0x${nstr}"`;
+ return nstr;
+}
+
+async function fflonkExportCallData(_pub, _proof, logger) {
+ const proof = unstringifyBigInts(_proof);
+ const pub = unstringifyBigInts(_pub);
+
+ const curve = await getCurveFromName(proof.curve);
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
+
+ let inputs = "";
+ for (let i = 0; i < pub.length; i++) {
+ if (inputs !== "") inputs = inputs + ",";
+ inputs = inputs + p256(pub[i]);
+ }
+
+ const proofBuff = new Uint8Array(G1.F.n8 * 2 * 4 + Fr.n8 * 16);
+
+ G1.toRprUncompressed(proofBuff, 0, G1.e(proof.polynomials.C1));
+ G1.toRprUncompressed(proofBuff, G1.F.n8 * 2, G1.e(proof.polynomials.C2));
+ G1.toRprUncompressed(proofBuff, G1.F.n8 * 4, G1.e(proof.polynomials.W1));
+ G1.toRprUncompressed(proofBuff, G1.F.n8 * 6, G1.e(proof.polynomials.W2));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8, Fr.e(proof.evaluations.ql));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8, Fr.e(proof.evaluations.qr));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 2, Fr.e(proof.evaluations.qm));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 3, Fr.e(proof.evaluations.qo));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 4, Fr.e(proof.evaluations.qc));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 5, Fr.e(proof.evaluations.s1));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 6, Fr.e(proof.evaluations.s2));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 7, Fr.e(proof.evaluations.s3));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 8, Fr.e(proof.evaluations.a));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 9, Fr.e(proof.evaluations.b));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 10, Fr.e(proof.evaluations.c));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 11, Fr.e(proof.evaluations.z));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 12, Fr.e(proof.evaluations.zw));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 13, Fr.e(proof.evaluations.t1w));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 14, Fr.e(proof.evaluations.t2w));
+ Fr.toRprBE(proofBuff, G1.F.n8 * 8 + Fr.n8 * 15, Fr.e(proof.evaluations.inv));
+
+ const proofHex = Array.from(proofBuff).map(i2hex).join("");
+
+ return `0x${proofHex},[${inputs}]`;
+}
+
+/*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+*/
+
+var fflonk = /*#__PURE__*/Object.freeze({
+ __proto__: null,
+ setup: fflonkSetup,
+ prove: fflonkProve,
+ fullProve: fflonkFullProve,
+ verify: fflonkVerify,
+ exportSolidityVerifier: fflonkExportSolidityVerifier,
+ exportSolidityCallData: fflonkExportCallData
+});
+
+exports.fflonk = fflonk;
exports.groth16 = groth16;
exports.plonk = plonk;
exports.powersOfTau = powersoftau;
exports.r1cs = r1cs;
exports.wtns = wtns;
-exports.wtnsCmds = wtns_cmds;
exports.zKey = zkey;
diff --git a/build/snarkjs.js b/build/snarkjs.js
index 5534aa01..749638fa 100644
--- a/build/snarkjs.js
+++ b/build/snarkjs.js
@@ -1162,27 +1162,6 @@ var snarkjs = (function (exports) {
var commonjsGlobal = typeof globalThis !== 'undefined' ? globalThis : typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
- function getAugmentedNamespace(n) {
- var f = n.default;
- if (typeof f == "function") {
- var a = function () {
- return f.apply(this, arguments);
- };
- a.prototype = f.prototype;
- } else a = {};
- Object.defineProperty(a, '__esModule', {value: true});
- Object.keys(n).forEach(function (k) {
- var d = Object.getOwnPropertyDescriptor(n, k);
- Object.defineProperty(a, k, d.get ? d : {
- enumerable: true,
- get: function () {
- return n[k];
- }
- });
- });
- return a;
- }
-
var utils$6 = {};
/*
@@ -12473,18 +12452,18 @@ var snarkjs = (function (exports) {
/* global BigInt */
- function stringifyBigInts$4(o) {
+ function stringifyBigInts$5(o) {
if (typeof o == "bigint" || o.eq !== undefined) {
return o.toString(10);
} else if (o instanceof Uint8Array) {
return fromRprLE(o, 0);
} else if (Array.isArray(o)) {
- return o.map(stringifyBigInts$4);
+ return o.map(stringifyBigInts$5);
} else if (typeof o == "object") {
const res = {};
const keys = Object.keys(o);
keys.forEach((k) => {
- res[k] = stringifyBigInts$4(o[k]);
+ res[k] = stringifyBigInts$5(o[k]);
});
return res;
} else {
@@ -12492,19 +12471,19 @@ var snarkjs = (function (exports) {
}
}
- function unstringifyBigInts$9(o) {
+ function unstringifyBigInts$c(o) {
if (typeof o == "string" && /^[0-9]+$/.test(o)) {
return BigInt(o);
} else if (typeof o == "string" && /^0x[0-9a-fA-F]+$/.test(o)) {
return BigInt(o);
} else if (Array.isArray(o)) {
- return o.map(unstringifyBigInts$9);
+ return o.map(unstringifyBigInts$c);
} else if (typeof o == "object") {
if (o === null) return null;
const res = {};
const keys = Object.keys(o);
keys.forEach((k) => {
- res[k] = unstringifyBigInts$9(o[k]);
+ res[k] = unstringifyBigInts$c(o[k]);
});
return res;
} else {
@@ -12722,8 +12701,8 @@ var snarkjs = (function (exports) {
var _utils = /*#__PURE__*/Object.freeze({
__proto__: null,
- stringifyBigInts: stringifyBigInts$4,
- unstringifyBigInts: unstringifyBigInts$9,
+ stringifyBigInts: stringifyBigInts$5,
+ unstringifyBigInts: unstringifyBigInts$c,
beBuff2int: beBuff2int,
beInt2Buff: beInt2Buff,
leBuff2int: leBuff2int,
@@ -18925,6 +18904,8 @@ var snarkjs = (function (exports) {
}
}
+ const HEADER_ZKEY_SECTION = 1;
+
const GROTH16_PROTOCOL_ID = 1;
const PLONK_PROTOCOL_ID = 2;
const FFLONK_PROTOCOL_ID = 10;
@@ -18948,7 +18929,28 @@ var snarkjs = (function (exports) {
snarkjs. If not, see .
*/
+ // FFlonk constants
+ const FF_T_POL_DEG_MIN = 3;
+
+ // ZKEY constants
+ const ZKEY_FF_NSECTIONS = 17;
+
const ZKEY_FF_HEADER_SECTION = 2;
+ const ZKEY_FF_ADDITIONS_SECTION = 3;
+ const ZKEY_FF_A_MAP_SECTION = 4;
+ const ZKEY_FF_B_MAP_SECTION = 5;
+ const ZKEY_FF_C_MAP_SECTION = 6;
+ const ZKEY_FF_QL_SECTION = 7;
+ const ZKEY_FF_QR_SECTION = 8;
+ const ZKEY_FF_QM_SECTION = 9;
+ const ZKEY_FF_QO_SECTION = 10;
+ const ZKEY_FF_QC_SECTION = 11;
+ const ZKEY_FF_SIGMA1_SECTION = 12;
+ const ZKEY_FF_SIGMA2_SECTION = 13;
+ const ZKEY_FF_SIGMA3_SECTION = 14;
+ const ZKEY_FF_LAGRANGE_SECTION = 15;
+ const ZKEY_FF_PTAU_SECTION = 16;
+ const ZKEY_FF_C0_SECTION = 17;
/*
Copyright 2018 0KIMS association.
@@ -19497,7 +19499,7 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
- const {stringifyBigInts: stringifyBigInts$3} = utils;
+ const {stringifyBigInts: stringifyBigInts$4} = utils;
async function groth16Prove(zkeyFileName, witnessFileName, logger) {
const {fd: fdWtns, sections: sectionsWtns} = await readBinFile(witnessFileName, "wtns", 2);
@@ -19611,8 +19613,8 @@ var snarkjs = (function (exports) {
await fdZKey.close();
await fdWtns.close();
- proof = stringifyBigInts$3(proof);
- publicSignals = stringifyBigInts$3(publicSignals);
+ proof = stringifyBigInts$4(proof);
+ publicSignals = stringifyBigInts$4(publicSignals);
return {proof, publicSignals};
}
@@ -20437,10 +20439,10 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
- const { unstringifyBigInts: unstringifyBigInts$8} = utils;
+ const { unstringifyBigInts: unstringifyBigInts$b} = utils;
async function wtnsCalculate(_input, wasmFileName, wtnsFileName, options) {
- const input = unstringifyBigInts$8(_input);
+ const input = unstringifyBigInts$b(_input);
const fdWasm = await readExisting(wasmFileName);
const wasm = await fdWasm.read(fdWasm.totalSize);
@@ -20482,10 +20484,10 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
- const {unstringifyBigInts: unstringifyBigInts$7} = utils;
+ const {unstringifyBigInts: unstringifyBigInts$a} = utils;
async function groth16FullProve(_input, wasmFile, zkeyFileName, logger) {
- const input = unstringifyBigInts$7(_input);
+ const input = unstringifyBigInts$a(_input);
const wtns= {
type: "mem"
@@ -20512,7 +20514,7 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License along with
snarkjs. If not, see .
*/
- const {unstringifyBigInts: unstringifyBigInts$6} = utils;
+ const {unstringifyBigInts: unstringifyBigInts$9} = utils;
async function groth16Verify(_vk_verifier, _publicSignals, _proof, logger) {
/*
@@ -20522,9 +20524,9 @@ var snarkjs = (function (exports) {
}
*/
- const vk_verifier = unstringifyBigInts$6(_vk_verifier);
- const proof = unstringifyBigInts$6(_proof);
- const publicSignals = unstringifyBigInts$6(_publicSignals);
+ const vk_verifier = unstringifyBigInts$9(_vk_verifier);
+ const proof = unstringifyBigInts$9(_proof);
+ const publicSignals = unstringifyBigInts$9(_publicSignals);
const curve = await getCurveFromName(vk_verifier.curve);
@@ -20585,9 +20587,9 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
- const { unstringifyBigInts: unstringifyBigInts$5} = utils;
+ const { unstringifyBigInts: unstringifyBigInts$8} = utils;
- function p256$1(n) {
+ function p256$2(n) {
let nstr = n.toString(16);
while (nstr.length < 64) nstr = "0"+nstr;
nstr = `"0x${nstr}"`;
@@ -20595,19 +20597,19 @@ var snarkjs = (function (exports) {
}
async function groth16ExportSolidityCallData(_proof, _pub) {
- const proof = unstringifyBigInts$5(_proof);
- const pub = unstringifyBigInts$5(_pub);
+ const proof = unstringifyBigInts$8(_proof);
+ const pub = unstringifyBigInts$8(_pub);
let inputs = "";
for (let i=0; i.
*/
- const {unstringifyBigInts: unstringifyBigInts$4} = utils;
+ const {unstringifyBigInts: unstringifyBigInts$7} = utils;
async function wtnsDebug(_input, wasmFileName, wtnsFileName, symName, options, logger) {
- const input = unstringifyBigInts$4(_input);
+ const input = unstringifyBigInts$7(_input);
const fdWasm = await readExisting(wasmFileName);
const wasm = await fdWasm.read(fdWasm.totalSize);
@@ -23611,32 +23613,6 @@ var snarkjs = (function (exports) {
along with snarkJS. If not, see .
*/
- var wtns = /*#__PURE__*/Object.freeze({
- __proto__: null,
- calculate: wtnsCalculate,
- debug: wtnsDebug,
- exportJson: wtnsExportJson
- });
-
- /*
- Copyright 2018 0KIMS association.
-
- This file is part of snarkJS.
-
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
-
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
-
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
- */
-
async function wtnsCheck(r1csFilename, wtnsFilename, logger) {
if (logger) logger.info("WITNESS CHECKING STARTED");
@@ -23764,28 +23740,7 @@ var snarkjs = (function (exports) {
}
/*
- This file is part of snarkjs.
-
- snarkjs is a free software: you can redistribute it and/or
- modify it under the terms of the GNU General Public License as published by the
- Free Software Foundation, either version 3 of the License, or (at your option)
- any later version.
-
- snarkjs is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- more details.
-
- You should have received a copy of the GNU General Public License along with
- snarkjs. If not, see .
- */
-
- async function wtnsCheckCmd(r1csFilename, wtnsFilename, logger) {
- return await wtnsCheck(r1csFilename, wtnsFilename, logger);
- }
-
- /*
- Copyright 2022 iden3 association.
+ Copyright 2018 0KIMS association.
This file is part of snarkJS.
@@ -23803,9 +23758,12 @@ var snarkjs = (function (exports) {
along with snarkJS. If not, see .
*/
- var wtns_cmds = /*#__PURE__*/Object.freeze({
+ var wtns = /*#__PURE__*/Object.freeze({
__proto__: null,
- wtnsCheckCmd: wtnsCheckCmd
+ calculate: wtnsCalculate,
+ debug: wtnsDebug,
+ exportJson: wtnsExportJson,
+ check: wtnsCheck
});
/*
@@ -25698,7 +25656,7 @@ var snarkjs = (function (exports) {
along with snarkJS. If not, see .
*/
- const {stringifyBigInts: stringifyBigInts$2} = utils;
+ const {stringifyBigInts: stringifyBigInts$3} = utils;
async function zkeyExportVerificationKey(zkeyName, logger) {
if (logger) logger.info("EXPORT VERIFICATION KEY STARTED");
@@ -25758,7 +25716,7 @@ var snarkjs = (function (exports) {
}
await endReadSection(fd);
- vKey = stringifyBigInts$2(vKey);
+ vKey = stringifyBigInts$3(vKey);
return vKey;
}
@@ -25790,7 +25748,7 @@ var snarkjs = (function (exports) {
w: curve.Fr.toObject(curve.Fr.w[zkey.power])
};
- vKey = stringifyBigInts$2(vKey);
+ vKey = stringifyBigInts$3(vKey);
return vKey;
}
@@ -25819,1547 +25777,690 @@ var snarkjs = (function (exports) {
C0: curve.G1.toObject(zkey.C0),
};
- return stringifyBigInts$2(vKey);
+ return stringifyBigInts$3(vKey);
}
var ejs = {};
- var checkTypes = {exports: {}};
+ /*
+ Copyright 2021 0KIMS association.
- /*globals define, module, Symbol, Map, Set */
+ This file is part of snarkJS.
- (function (module) {
- /*jshint -W056 */
-
- (function (globals) {
-
- var messages, predicates, functions, assert, not, maybe, collections,
- hasOwnProperty, toString, keys, slice, isArray, neginf, posinf,
- haveSymbols, haveMaps, haveSets;
-
- messages = {};
- predicates = {};
-
- [
- { n: 'equal', f: equal, s: 'equal {e}' },
- { n: 'undefined', f: isUndefined, s: 'be undefined' },
- { n: 'null', f: isNull, s: 'be null' },
- { n: 'assigned', f: assigned, s: 'be assigned' },
- { n: 'primitive', f: primitive, s: 'be primitive type' },
- { n: 'contains', f: contains, s: 'contain {e}' },
- { n: 'in', f: isIn, s: 'be in {e}' },
- { n: 'containsKey', f: containsKey, s: 'contain key {e}' },
- { n: 'keyIn', f: keyIn, s: 'be key in {e}' },
- { n: 'zero', f: zero, s: 'be 0' },
- { n: 'one', f: one, s: 'be 1' },
- { n: 'infinity', f: infinity, s: 'be infinity' },
- { n: 'number', f: number, s: 'be Number' },
- { n: 'integer', f: integer, s: 'be integer' },
- { n: 'float', f: float, s: 'be non-integer number' },
- { n: 'even', f: even, s: 'be even number' },
- { n: 'odd', f: odd, s: 'be odd number' },
- { n: 'greater', f: greater, s: 'be greater than {e}' },
- { n: 'less', f: less, s: 'be less than {e}' },
- { n: 'between', f: between, s: 'be between {e} and {e2}' },
- { n: 'greaterOrEqual', f: greaterOrEqual, s: 'be greater than or equal to {e}' },
- { n: 'lessOrEqual', f: lessOrEqual, s: 'be less than or equal to {e}' },
- { n: 'inRange', f: inRange, s: 'be in the range {e} to {e2}' },
- { n: 'positive', f: positive, s: 'be positive number' },
- { n: 'negative', f: negative, s: 'be negative number' },
- { n: 'string', f: string, s: 'be String' },
- { n: 'emptyString', f: emptyString, s: 'be empty string' },
- { n: 'nonEmptyString', f: nonEmptyString, s: 'be non-empty string' },
- { n: 'match', f: match, s: 'match {e}' },
- { n: 'boolean', f: boolean, s: 'be Boolean' },
- { n: 'object', f: object, s: 'be Object' },
- { n: 'emptyObject', f: emptyObject, s: 'be empty object' },
- { n: 'nonEmptyObject', f: nonEmptyObject, s: 'be non-empty object' },
- { n: 'instanceStrict', f: instanceStrict, s: 'be instanceof {t}' },
- { n: 'thenable', f: thenable, s: 'be promise-like' },
- { n: 'instance', f: instance, s: 'be {t}' },
- { n: 'like', f: like, s: 'be like {e}' },
- { n: 'identical', f: identical, s: 'be identical to {e}' },
- { n: 'array', f: array, s: 'be Array' },
- { n: 'emptyArray', f: emptyArray, s: 'be empty array' },
- { n: 'nonEmptyArray', f: nonEmptyArray, s: 'be non-empty array' },
- { n: 'arrayLike', f: arrayLike, s: 'be array-like' },
- { n: 'iterable', f: iterable, s: 'be iterable' },
- { n: 'date', f: date, s: 'be valid Date' },
- { n: 'function', f: isFunction, s: 'be Function' },
- { n: 'hasLength', f: hasLength, s: 'have length {e}' },
- { n: 'throws', f: throws, s: 'throw' }
- ].map(function (data) {
- var n = data.n;
- messages[n] = 'assert failed: expected {a} to ' + data.s;
- predicates[n] = data.f;
- });
-
- functions = {
- map: map,
- all: all,
- any: any
- };
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- collections = [ 'array', 'arrayLike', 'iterable', 'object' ];
- hasOwnProperty = Object.prototype.hasOwnProperty;
- toString = Object.prototype.toString;
- keys = Object.keys;
- slice = Array.prototype.slice;
- isArray = Array.isArray;
- neginf = Number.NEGATIVE_INFINITY;
- posinf = Number.POSITIVE_INFINITY;
- haveSymbols = typeof Symbol === 'function';
- haveMaps = typeof Map === 'function';
- haveSets = typeof Set === 'function';
-
- functions = mixin(functions, predicates);
- assert = createModifiedPredicates(assertModifier, assertImpl);
- not = createModifiedPredicates(notModifier, notImpl);
- maybe = createModifiedPredicates(maybeModifier, maybeImpl);
- assert.not = createModifiedModifier(assertModifier, not, 'not ');
- assert.maybe = createModifiedModifier(assertModifier, maybe, 'maybe ');
-
- collections.forEach(createOfPredicates);
- createOfModifiers(assert, assertModifier);
- createOfModifiers(not, notModifier);
- collections.forEach(createMaybeOfModifiers);
-
- exportFunctions(mixin(functions, {
- assert: assert,
- not: not,
- maybe: maybe
- }));
-
- /**
- * Public function `equal`.
- *
- * Returns true if `lhs` and `rhs` are strictly equal, without coercion.
- * Returns false otherwise.
- */
- function equal (lhs, rhs) {
- return lhs === rhs;
- }
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- /**
- * Public function `undefined`.
- *
- * Returns true if `data` is undefined, false otherwise.
- */
- function isUndefined (data) {
- return data === undefined;
- }
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+ */
- /**
- * Public function `null`.
- *
- * Returns true if `data` is null, false otherwise.
- */
- function isNull (data) {
- return data === null;
- }
+ const {unstringifyBigInts: unstringifyBigInts$6, stringifyBigInts: stringifyBigInts$2} = utils;
- /**
- * Public function `assigned`.
- *
- * Returns true if `data` is not null or undefined, false otherwise.
- */
- function assigned (data) {
- return data !== undefined && data !== null;
- }
+ async function fflonkExportSolidityVerifier(vk, templates, logger) {
+ if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER STARTED");
- /**
- * Public function `primitive`.
- *
- * Returns true if `data` is a primitive type, false otherwise.
- */
- function primitive (data) {
- var type;
-
- switch (data) {
- case null:
- case undefined:
- case false:
- case true:
- return true;
- }
+ const curve = await getCurveFromName(vk.curve);
- type = typeof data;
- return type === 'string' || type === 'number' || (haveSymbols && type === 'symbol');
- }
+ // Precompute w3_2, w4_2 and w4_3
+ let w3 = fromVkey(vk.w3);
+ vk.w3_2 = toVkey(curve.Fr.square(w3));
- /**
- * Public function `zero`.
- *
- * Returns true if `data` is zero, false otherwise.
- */
- function zero (data) {
- return data === 0;
- }
+ let w4 = fromVkey(vk.w4);
+ vk.w4_2 = toVkey(curve.Fr.square(w4));
+ vk.w4_3 = toVkey(curve.Fr.mul(curve.Fr.square(w4), w4));
- /**
- * Public function `one`.
- *
- * Returns true if `data` is one, false otherwise.
- */
- function one (data) {
- return data === 1;
- }
+ let w8 = fromVkey(vk.w8);
+ let acc = curve.Fr.one;
- /**
- * Public function `infinity`.
- *
- * Returns true if `data` is positive or negative infinity, false otherwise.
- */
- function infinity (data) {
- return data === neginf || data === posinf;
- }
+ for (let i = 1; i < 8; i++) {
+ acc = curve.Fr.mul(acc, w8);
+ vk["w8_" + i] = toVkey(acc);
+ }
- /**
- * Public function `number`.
- *
- * Returns true if `data` is a number, false otherwise.
- */
- function number (data) {
- return typeof data === 'number' && data > neginf && data < posinf;
- }
+ let template = templates[vk.protocol];
- /**
- * Public function `integer`.
- *
- * Returns true if `data` is an integer, false otherwise.
- */
- function integer (data) {
- return typeof data === 'number' && data % 1 === 0;
- }
+ if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER FINISHED");
- /**
- * Public function `float`.
- *
- * Returns true if `data` is a non-integer number, false otherwise.
- */
- function float (data) {
- return number(data) && data % 1 !== 0;
- }
+ return ejs.render(template, vk);
- /**
- * Public function `even`.
- *
- * Returns true if `data` is an even number, false otherwise.
- */
- function even (data) {
- return typeof data === 'number' && data % 2 === 0;
- }
+ function fromVkey(str) {
+ const val = unstringifyBigInts$6(str);
+ return curve.Fr.fromObject(val);
+ }
- /**
- * Public function `odd`.
- *
- * Returns true if `data` is an odd number, false otherwise.
- */
- function odd (data) {
- return integer(data) && data % 2 !== 0;
- }
+ function toVkey(val) {
+ const str = curve.Fr.toObject(val);
+ return stringifyBigInts$2(str);
+ }
+ }
- /**
- * Public function `greater`.
- *
- * Returns true if `lhs` is a number greater than `rhs`, false otherwise.
- */
- function greater (lhs, rhs) {
- return number(lhs) && lhs > rhs;
- }
+ // Not ready yet
+ // module.exports.generateVerifier_kimleeoh = generateVerifier_kimleeoh;
- /**
- * Public function `less`.
- *
- * Returns true if `lhs` is a number less than `rhs`, false otherwise.
- */
- function less (lhs, rhs) {
- return number(lhs) && lhs < rhs;
- }
+ async function exportSolidityVerifier(zKeyName, templates, logger) {
- /**
- * Public function `between`.
- *
- * Returns true if `data` is a number between `x` and `y`, false otherwise.
- */
- function between (data, x, y) {
- if (x < y) {
- return greater(data, x) && data < y;
- }
+ const verificationKey = await zkeyExportVerificationKey(zKeyName, logger);
- return less(data, x) && data > y;
- }
+ if ("fflonk" === verificationKey.protocol) {
+ return fflonkExportSolidityVerifier(verificationKey, templates, logger);
+ }
- /**
- * Public function `greaterOrEqual`.
- *
- * Returns true if `lhs` is a number greater than or equal to `rhs`, false
- * otherwise.
- */
- function greaterOrEqual (lhs, rhs) {
- return number(lhs) && lhs >= rhs;
- }
+ let template = templates[verificationKey.protocol];
- /**
- * Public function `lessOrEqual`.
- *
- * Returns true if `lhs` is a number less than or equal to `rhs`, false
- * otherwise.
- */
- function lessOrEqual (lhs, rhs) {
- return number(lhs) && lhs <= rhs;
- }
+ return ejs.render(template, verificationKey);
+ }
- /**
- * Public function `inRange`.
- *
- * Returns true if `data` is a number in the range `x..y`, false otherwise.
- */
- function inRange (data, x, y) {
- if (x < y) {
- return greaterOrEqual(data, x) && data <= y;
- }
+ /*
+ Copyright 2018 0KIMS association.
- return lessOrEqual(data, x) && data >= y;
- }
+ This file is part of snarkJS.
- /**
- * Public function `positive`.
- *
- * Returns true if `data` is a positive number, false otherwise.
- */
- function positive (data) {
- return greater(data, 0);
- }
+ snarkJS is a free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- /**
- * Public function `negative`.
- *
- * Returns true if `data` is a negative number, false otherwise.
- */
- function negative (data) {
- return less(data, 0);
- }
+ snarkJS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ License for more details.
- /**
- * Public function `string`.
- *
- * Returns true if `data` is a string, false otherwise.
- */
- function string (data) {
- return typeof data === 'string';
- }
+ You should have received a copy of the GNU General Public License
+ along with snarkJS. If not, see .
+ */
- /**
- * Public function `emptyString`.
- *
- * Returns true if `data` is the empty string, false otherwise.
- */
- function emptyString (data) {
- return data === '';
- }
+ var zkey = /*#__PURE__*/Object.freeze({
+ __proto__: null,
+ newZKey: newZKey,
+ exportBellman: phase2exportMPCParams,
+ importBellman: phase2importMPCParams,
+ verifyFromR1cs: phase2verifyFromR1cs,
+ verifyFromInit: phase2verifyFromInit,
+ contribute: phase2contribute,
+ beacon: beacon,
+ exportJson: zkeyExportJson,
+ bellmanContribute: bellmanContribute,
+ exportVerificationKey: zkeyExportVerificationKey,
+ exportSolidityVerifier: exportSolidityVerifier
+ });
- /**
- * Public function `nonEmptyString`.
- *
- * Returns true if `data` is a non-empty string, false otherwise.
- */
- function nonEmptyString (data) {
- return string(data) && data !== '';
- }
+ /*
+ Copyright 2021 0kims association.
- /**
- * Public function `match`.
- *
- * Returns true if `data` is a string that matches `regex`, false otherwise.
- */
- function match (data, regex) {
- return string(data) && !! data.match(regex);
- }
+ This file is part of snarkjs.
- /**
- * Public function `boolean`.
- *
- * Returns true if `data` is a boolean value, false otherwise.
- */
- function boolean (data) {
- return data === false || data === true;
- }
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- /**
- * Public function `object`.
- *
- * Returns true if `data` is a plain-old JS object, false otherwise.
- */
- function object (data) {
- return toString.call(data) === '[object Object]';
- }
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- /**
- * Public function `emptyObject`.
- *
- * Returns true if `data` is an empty object, false otherwise.
- */
- function emptyObject (data) {
- return object(data) && ! some(data, function () {
- return true;
- });
- }
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
- function some (data, predicate) {
- for (var key in data) {
- if (hasOwnProperty.call(data, key)) {
- if (predicate(key, data[key])) {
- return true;
- }
- }
- }
- return false;
- }
+ async function plonkSetup(r1csName, ptauName, zkeyName, logger) {
- /**
- * Public function `nonEmptyObject`.
- *
- * Returns true if `data` is a non-empty object, false otherwise.
- */
- function nonEmptyObject (data) {
- return object(data) && some(data, function () {
- return true;
- });
- }
+ if (globalThis.gc) {globalThis.gc();}
- /**
- * Public function `thenable`.
- *
- * Returns true if `data` has a `then` method.
- */
- function thenable (data) {
- return assigned(data) && isFunction(data.then);
- }
+ await blake2bWasm.exports.ready();
- /**
- * Public function `instanceStrict`.
- *
- * Returns true if `data` is an instance of `prototype`, false otherwise.
- */
- function instanceStrict (data, prototype) {
- try {
- return data instanceof prototype;
- } catch (error) {
- return false;
- }
- }
+ const {fd: fdPTau, sections: sectionsPTau} = await readBinFile(ptauName, "ptau", 1);
+ const {curve, power} = await readPTauHeader(fdPTau, sectionsPTau);
+ const {fd: fdR1cs, sections: sectionsR1cs} = await readBinFile(r1csName, "r1cs", 1);
- /**
- * Public function `instance`.
- *
- * Returns true if `data` is an instance of `prototype`, false otherwise.
- * Falls back to testing constructor.name and Object.prototype.toString
- * if the initial instanceof test fails.
- */
- function instance (data, prototype) {
- try {
- return instanceStrict(data, prototype) ||
- data.constructor.name === prototype.name ||
- toString.call(data) === '[object ' + prototype.name + ']';
- } catch (error) {
- return false;
- }
- }
+ const r1cs = await readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: true, loadCustomGates: true});
- /**
- * Public function `like`.
- *
- * Tests whether `data` 'quacks like a duck'. Returns true if `data` has all
- * of the properties of `archetype` (the 'duck'), false otherwise. Interrogates
- * objects recursively, to arbitrary depth.
- */
- function like (data, archetype) {
- var name;
-
- if (! assigned(data) || ! assigned(archetype)) {
- return data === archetype;
- }
+ const sG1 = curve.G1.F.n8*2;
+ const G1 = curve.G1;
+ const sG2 = curve.G2.F.n8*2;
+ const Fr = curve.Fr;
+ const n8r = curve.Fr.n8;
- for (name in archetype) {
- if (hasOwnProperty.call(archetype, name)) {
- if (! hasOwnProperty.call(data, name) || typeof data[name] !== typeof archetype[name]) {
- return false;
- }
+ if (logger) logger.info("Reading r1cs");
+ await readSection(fdR1cs, sectionsR1cs, 2);
- if (object(data[name]) && ! like(data[name], archetype[name])) {
- return false;
- }
- }
- }
+ const plonkConstraints = new BigArray();
+ const plonkAdditions = new BigArray();
+ let plonkNVars = r1cs.nVars;
- return true;
- }
+ const nPublic = r1cs.nOutputs + r1cs.nPubInputs;
- /**
- * Public function `identical`.
- *
- * Tests whether `data` has all of the same properties and values as `archetype`.
- * Interrogates objects recursively, to arbitrary depth.
- */
- function identical (data, archetype) {
- var name;
-
- if (! assigned(data) || ! assigned(archetype)) {
- return data === archetype;
- }
+ await processConstraints(curve.Fr, r1cs, logger);
- for (name in archetype) {
- if (hasOwnProperty.call(archetype, name)) {
- if (! hasOwnProperty.call(data, name) || data[name] !== archetype[name]) {
- return false;
- }
+ if (globalThis.gc) {globalThis.gc();}
- if (object(data[name]) && ! identical(data[name], archetype[name])) {
- return false;
- }
- }
- }
+ const fdZKey = await createBinFile(zkeyName, "zkey", 1, 14, 1<<22, 1<<24);
- for (name in data) {
- if (hasOwnProperty.call(data, name)) {
- if (! hasOwnProperty.call(archetype, name) || archetype[name] !== data[name]) {
- return false;
- }
- if (object(archetype[name]) && ! identical(archetype[name], data[name])) {
- return false;
- }
- }
- }
+ if (r1cs.prime != curve.r) {
+ if (logger) logger.error("r1cs curve does not match powers of tau ceremony curve");
+ return -1;
+ }
- return true;
- }
+ let cirPower = log2(plonkConstraints.length -1) +1;
+ if (cirPower < 3) cirPower = 3; // As the t polinomal is n+5 whe need at least a power of 4
+ const domainSize = 2 ** cirPower;
- /**
- * Public function `array`.
- *
- * Returns true if `data` is an array, false otherwise.
- */
- function array (data) {
- return isArray(data);
- }
+ if (logger) logger.info("Plonk constraints: " + plonkConstraints.length);
+ if (cirPower > power) {
+ if (logger) logger.error(`circuit too big for this power of tau ceremony. ${plonkConstraints.length} > 2**${power}`);
+ return -1;
+ }
- /**
- * Public function `emptyArray`.
- *
- * Returns true if `data` is an empty array, false otherwise.
- */
- function emptyArray (data) {
- return isArray(data) && data.length === 0;
- }
+ if (!sectionsPTau[12]) {
+ if (logger) logger.error("Powers of tau is not prepared.");
+ return -1;
+ }
- /**
- * Public function `nonEmptyArray`.
- *
- * Returns true if `data` is a non-empty array, false otherwise.
- */
- function nonEmptyArray (data) {
- return isArray(data) && data.length > 0;
- }
- /**
- * Public function `arrayLike`.
- *
- * Returns true if `data` is an array-like object, false otherwise.
- */
- function arrayLike (data) {
- return assigned(data) && data.length >= 0;
- }
-
- /**
- * Public function `iterable`.
- *
- * Returns true if `data` is an iterable, false otherwise.
- */
- function iterable (data) {
- if (! haveSymbols) {
- // Fall back to `arrayLike` predicate in pre-ES6 environments.
- return arrayLike(data);
- }
-
- return assigned(data) && isFunction(data[Symbol.iterator]);
- }
-
- /**
- * Public function `contains`.
- *
- * Returns true if `data` contains `value`, false otherwise.
- * Works with objects, arrays and array-likes (including strings).
- */
- function contains (data, value) {
- var iterator, iteration;
-
- if (! assigned(data)) {
- return false;
- }
-
- if (haveSets && instanceStrict(data, Set)) {
- return data.has(value);
- }
+ const LPoints = new BigBuffer(domainSize*sG1);
+ const o = sectionsPTau[12][0].p + ((2 ** (cirPower)) -1)*sG1;
+ await fdPTau.readToBuffer(LPoints, 0, domainSize*sG1, o);
- if (string(data)) {
- return data.indexOf(value) !== -1;
- }
+ const [k1, k2] = getK1K2();
- if (haveSymbols && data[Symbol.iterator] && isFunction(data.values)) {
- iterator = data.values();
+ const vk = {};
- do {
- iteration = iterator.next();
- if (iteration.value === value) {
- return true;
- }
- } while (! iteration.done);
+ await writeAdditions(3, "Additions");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeWitnessMap(4, 0, "Amap");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeWitnessMap(5, 1, "Bmap");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeWitnessMap(6, 2, "Cmap");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(7, 3, "Qm");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(8, 4, "Ql");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(9, 5, "Qr");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(10, 6, "Qo");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeQMap(11, 7, "Qc");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeSigma(12, "sigma");
+ if (globalThis.gc) {globalThis.gc();}
+ await writeLs(13, "lagrange polynomials");
+ if (globalThis.gc) {globalThis.gc();}
- return false;
- }
+ // Write PTau points
+ ////////////
- return some(data, function (key, dataValue) {
- return dataValue === value;
- });
- }
+ await startWriteSection(fdZKey, 14);
+ const buffOut = new BigBuffer((domainSize+6)*sG1);
+ await fdPTau.readToBuffer(buffOut, 0, (domainSize+6)*sG1, sectionsPTau[2][0].p);
+ await fdZKey.write(buffOut);
+ await endWriteSection(fdZKey);
+ if (globalThis.gc) {globalThis.gc();}
- /**
- * Public function `in`.
- *
- * Returns true if `value` is in `data`, false otherwise.
- * Like `contains`, but with arguments flipped.
- */
- function isIn (value, data) {
- return contains(data, value);
- }
- /**
- * Public function `containsKey`.
- *
- * Returns true if `data` contains key `key`, false otherwise.
- * Works with objects, arrays and array-likes (including strings).
- */
- function containsKey (data, key) {
- if (! assigned(data)) {
- return false;
- }
+ await writeHeaders();
- if (haveMaps && instanceStrict(data, Map)) {
- return data.has(key);
- }
+ await fdZKey.close();
+ await fdR1cs.close();
+ await fdPTau.close();
- if (iterable(data) && ! number(+key)) {
- return false;
- }
+ if (logger) logger.info("Setup Finished");
- return !! data[key];
- }
+ return ;
- /**
- * Public function `keyIn`.
- *
- * Returns true if key `key` is in `data`, false otherwise.
- * Like `contains`, but with arguments flipped.
- */
- function keyIn (key, data) {
- return containsKey(data, key);
- }
+ async function processConstraints(Fr, r1cs, logger) {
- /**
- * Public function `hasLength`.
- *
- * Returns true if `data` has a length property that equals `length`, false
- * otherwise.
- */
- function hasLength (data, length) {
- return assigned(data) && data.length === length;
- }
+ function normalize(linearComb) {
+ const ss = Object.keys(linearComb);
+ for (let i = 0; i < ss.length; i++) {
+ if (linearComb[ss[i]] == 0n) delete linearComb[ss[i]];
+ }
+ }
- /**
- * Public function `date`.
- *
- * Returns true if `data` is a valid date, false otherwise.
- */
- function date (data) {
- return instanceStrict(data, Date) && integer(data.getTime());
- }
+ function join(linearComb1, k, linearComb2) {
+ const res = {};
- /**
- * Public function `function`.
- *
- * Returns true if `data` is a function, false otherwise.
- */
- function isFunction (data) {
- return typeof data === 'function';
- }
+ for (let s in linearComb1) {
+ if (typeof res[s] == "undefined") {
+ res[s] = Fr.mul(k, linearComb1[s]);
+ } else {
+ res[s] = Fr.add(res[s], Fr.mul(k, linearComb1[s]));
+ }
+ }
- /**
- * Public function `throws`.
- *
- * Returns true if `data` is a function that throws, false otherwise.
- */
- function throws (data) {
- if (! isFunction(data)) {
- return false;
- }
+ for (let s in linearComb2) {
+ if (typeof res[s] == "undefined") {
+ res[s] = linearComb2[s];
+ } else {
+ res[s] = Fr.add(res[s], linearComb2[s]);
+ }
+ }
+ normalize(res);
+ return res;
+ }
- try {
- data();
- } catch (error) {
- return true;
- }
+ function reduceCoefs(linearComb, maxC) {
+ const res = {
+ k: Fr.zero,
+ s: [],
+ coefs: []
+ };
+ const cs = [];
- return false;
- }
+ for (let s in linearComb) {
+ if (s == 0) {
+ res.k = Fr.add(res.k, linearComb[s]);
+ } else if (linearComb[s] != 0n) {
+ cs.push([Number(s), linearComb[s]]);
+ }
+ }
+ while (cs.length > maxC) {
+ const c1 = cs.shift();
+ const c2 = cs.shift();
- /**
- * Public function `map`.
- *
- * Maps each value from `data` to the corresponding predicate and returns
- * the results. If the same function is to be applied across all of the data,
- * a single predicate function may be passed in.
- */
- function map (data, predicates) {
- var result;
-
- if (isArray(data)) {
- result = [];
- } else {
- result = {};
- }
+ const sl = c1[0];
+ const sr = c2[0];
+ const so = plonkNVars++;
+ const qm = Fr.zero;
+ const ql = Fr.neg(c1[1]);
+ const qr = Fr.neg(c2[1]);
+ const qo = Fr.one;
+ const qc = Fr.zero;
- if (isFunction(predicates)) {
- forEach(data, function (key, value) {
- result[key] = predicates(value);
- });
- } else {
- if (! isArray(predicates)) {
- assert.object(predicates);
- }
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
- var dataKeys = keys(data || {});
+ plonkAdditions.push([sl, sr, c1[1], c2[1]]);
- forEach(predicates, function (key, predicate) {
- dataKeys.some(function (dataKey, index) {
- if (dataKey === key) {
- dataKeys.splice(index, 1);
- return true;
- }
- return false;
- });
+ cs.push([so, Fr.one]);
+ }
+ for (let i = 0; i < cs.length; i++) {
+ res.s[i] = cs[i][0];
+ res.coefs[i] = cs[i][1];
+ }
+ while (res.coefs.length < maxC) {
+ res.s.push(0);
+ res.coefs.push(Fr.zero);
+ }
+ return res;
+ }
- if (isFunction(predicate)) {
- if (not.assigned(data)) {
- result[key] = !! predicate.m;
- } else {
- result[key] = predicate(data[key]);
- }
- } else {
- result[key] = map(data[key], predicate);
- }
- });
- }
+ function addConstraintSum(lc) {
+ const C = reduceCoefs(lc, 3);
+ const sl = C.s[0];
+ const sr = C.s[1];
+ const so = C.s[2];
+ const qm = Fr.zero;
+ const ql = C.coefs[0];
+ const qr = C.coefs[1];
+ const qo = C.coefs[2];
+ const qc = C.k;
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ }
- return result;
- }
+ function addConstraintMul(lcA, lcB, lcC) {
+ const A = reduceCoefs(lcA, 1);
+ const B = reduceCoefs(lcB, 1);
+ const C = reduceCoefs(lcC, 1);
- function forEach (object, action) {
- for (var key in object) {
- if (hasOwnProperty.call(object, key)) {
- action(key, object[key]);
- }
- }
- }
- /**
- * Public function `all`
- *
- * Check that all boolean values are true
- * in an array or object returned from `map`.
- */
- function all (data) {
- if (isArray(data)) {
- return testArray(data, false);
- }
+ const sl = A.s[0];
+ const sr = B.s[0];
+ const so = C.s[0];
+ const qm = Fr.mul(A.coefs[0], B.coefs[0]);
+ const ql = Fr.mul(A.coefs[0], B.k);
+ const qr = Fr.mul(A.k, B.coefs[0]);
+ const qo = Fr.neg(C.coefs[0]);
+ const qc = Fr.sub(Fr.mul(A.k, B.k), C.k);
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ }
- assert.object(data);
+ function getLinearCombinationType(lc) {
+ let k = Fr.zero;
+ let n = 0;
+ const ss = Object.keys(lc);
+ for (let i = 0; i < ss.length; i++) {
+ if (lc[ss[i]] == 0n) {
+ delete lc[ss[i]];
+ } else if (ss[i] == 0) {
+ k = Fr.add(k, lc[ss[i]]);
+ } else {
+ n++;
+ }
+ }
+ if (n > 0) return n.toString();
+ if (k != Fr.zero) return "k";
+ return "0";
+ }
- return testObject(data, false);
- }
+ function process(lcA, lcB, lcC) {
+ const lctA = getLinearCombinationType(lcA);
+ const lctB = getLinearCombinationType(lcB);
+ if ((lctA === "0") || (lctB === "0")) {
+ normalize(lcC);
+ addConstraintSum(lcC);
+ } else if (lctA === "k") {
+ const lcCC = join(lcB, lcA[0], lcC);
+ addConstraintSum(lcCC);
+ } else if (lctB === "k") {
+ const lcCC = join(lcA, lcB[0], lcC);
+ addConstraintSum(lcCC);
+ } else {
+ addConstraintMul(lcA, lcB, lcC);
+ }
+ }
- function testArray (data, result) {
- var i;
+ for (let s = 1; s <= nPublic; s++) {
+ const sl = s;
+ const sr = 0;
+ const so = 0;
+ const qm = Fr.zero;
+ const ql = Fr.one;
+ const qr = Fr.zero;
+ const qo = Fr.zero;
+ const qc = Fr.zero;
- for (i = 0; i < data.length; i += 1) {
- if (data[i] === result) {
- return result;
- }
- }
+ plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ }
- return ! result;
- }
+ for (let c = 0; c < r1cs.constraints.length; c++) {
+ if ((logger) && (c % 10000 === 0)) logger.debug(`processing constraints: ${c}/${r1cs.nConstraints}`);
+ process(...r1cs.constraints[c]);
+ }
+ }
- function testObject (data, result) {
- var key, value;
+ async function writeWitnessMap(sectionNum, posConstraint, name) {
+ await startWriteSection(fdZKey, sectionNum);
+ for (let i=0; i {
- if (! isPositiveInteger(by)) {
- throw new TypeError('Argument `by` must be a positive integer.')
- }
-
- let i;
- const newSize = size + by;
-
- for (i = size; i < newSize; ++i) {
- this[i] = undefined;
- }
-
- if (isIndexOverflowed) {
- for (i = 0; i <= index; ++i) {
- let j = size + i;
- if (j >= newSize) {
- j %= newSize;
- }
- this[j] = this[i];
- this[i] = undefined;
- }
- }
-
- size = newSize;
- };
-
- return new Proxy(this, {
- get (target, key) {
- if (isInteger(key)) {
- return target[getIndex(key, size)]
- }
-
- return target[key]
- },
-
- set (target, key, value) {
- if (isInteger(key)) {
- index = getIndex(key, size);
- target[index] = value;
-
- if (Math.abs(key) >= size) {
- isIndexOverflowed = true;
- } else {
- isIndexOverflowed = false;
- }
- } else {
- target[key] = value;
- }
- return true
- }
- })
- }
- }
-
- function isPositiveInteger (thing) {
- return isInteger(thing) && thing > 0
- }
-
- function isInteger (thing) {
- try {
- return +thing % 1 === 0
- } catch (error) {
- // Coercing symbols to numbers throws an error
- }
-
- return false
- }
-
- function getIndex (key, size) {
- if (key === 0) {
- return 0
- }
-
- if (key < 0) {
- return (size - Math.abs(key)) % size
- }
-
- return key % size
- }
-
- function nop () {
- throw new Error('Not implemented')
- }
-
- Hoopy.prototype.push = nop;
- Hoopy.prototype.pop = nop;
- Hoopy.prototype.shift = nop;
- Hoopy.prototype.unshift = nop;
-
- require$$1.EventEmitter;
-
- const check = checkTypes.exports;
- const BfjStream = stream;
- const util = require$$2;
-
- util.inherits(JsonStream, BfjStream);
-
- function JsonStream (read, options) {
- if (check.not.instanceStrict(this, JsonStream)) {
- return new JsonStream(read, options)
- }
-
- return BfjStream.call(this, read, { ...options, encoding: 'utf8' })
- }
-
- var tryer = {exports: {}};
-
- (function (module) {
- // Conditional and repeated task invocation for node and browser.
-
- /*globals setTimeout, define, module */
-
- (function (globals) {
-
- if (module !== null) {
- module.exports = tryer;
- } else {
- globals.tryer = tryer;
- }
-
- // Public function `tryer`.
- //
- // Performs some action when pre-requisite conditions are met and/or until
- // post-requisite conditions are satisfied.
- //
- // @option action {function} The function that you want to invoke. Defaults to `() => {}`.
- // If `action` returns a promise, iterations will not end until
- // the promise is resolved or rejected. Alternatively, `action`
- // may take a callback argument, `done`, to signal that it is
- // asynchronous. In that case, you are responsible for calling
- // `done` when the action is finished.
- //
- // @option when {function} Predicate used to test pre-conditions. Should return `false`
- // to postpone `action` or `true` to perform it. Defaults to
- // `() => true`.
- //
- // @option until {function} Predicate used to test post-conditions. Should return `false`
- // to retry `action` or `true` to terminate it. Defaults to
- // `() => true`.
- //
- // @option fail {function} Callback to be invoked if `limit` tries are reached. Defaults
- // to `() => {}`.
- //
- // @option pass {function} Callback to be invoked after `until` has returned truthily.
- // Defaults to `() => {}`.
- //
- // @option interval {number} Retry interval in milliseconds. A negative number indicates
- // that subsequent retries should wait for double the interval
- // from the preceding iteration (exponential backoff). Defaults
- // to -1000.
- //
- // @option limit {number} Maximum retry count, at which point the call fails and retries
- // will cease. A negative number indicates that retries should
- // continue indefinitely. Defaults to -1.
- //
- // @example
- // tryer({
- // when: () => db.isConnected,
- // action: () => db.insert(user),
- // fail () {
- // log.error('No database connection, terminating.');
- // process.exit(1);
- // },
- // interval: 1000,
- // limit: 10
- // });
- //
- // @example
- // let sent = false;
- // tryer({
- // until: () => sent,
- // action: done => {
- // smtp.send(email, error => {
- // if (! error) {
- // sent = true;
- // }
- // done();
- // });
- // },
- // pass: next,
- // interval: -1000,
- // limit: -1
- // });
- function tryer (options) {
- options = normaliseOptions(options);
-
- iterateWhen();
-
- function iterateWhen () {
- if (preRecur()) {
- iterateUntil();
- }
- }
-
- function preRecur () {
- return conditionallyRecur('when', iterateWhen);
- }
-
- function conditionallyRecur (predicateKey, iterate) {
- if (! options[predicateKey]()) {
- incrementCount(options);
-
- if (shouldFail(options)) {
- options.fail();
- } else {
- recur(iterate, postIncrementInterval(options));
- }
-
- return false;
- }
-
- return true;
- }
-
- function iterateUntil () {
- var result;
-
- if (isActionSynchronous(options)) {
- result = options.action();
-
- if (result && isFunction(result.then)) {
- return result.then(postRecur, postRecur);
- }
-
- return postRecur();
- }
-
- options.action(postRecur);
- }
-
- function postRecur () {
- if (conditionallyRecur('until', iterateUntil)) {
- options.pass();
- }
- }
- }
-
- function normaliseOptions (options) {
- options = options || {};
- return {
- count: 0,
- when: normalisePredicate(options.when),
- until: normalisePredicate(options.until),
- action: normaliseFunction(options.action),
- fail: normaliseFunction(options.fail),
- pass: normaliseFunction(options.pass),
- interval: normaliseNumber(options.interval, -1000),
- limit: normaliseNumber(options.limit, -1)
- };
- }
-
- function normalisePredicate (fn) {
- return normalise(fn, isFunction, yes);
- }
-
- function isFunction (fn) {
- return typeof fn === 'function';
- }
-
- function yes () {
- return true;
- }
-
- function normaliseFunction (fn) {
- return normalise(fn, isFunction, nop);
- }
-
- function nop () {
- }
-
- function normalise (thing, predicate, defaultValue) {
- if (predicate(thing)) {
- return thing;
- }
-
- return defaultValue;
- }
-
- function normaliseNumber (number, defaultNumber) {
- return normalise(number, isNumber, defaultNumber);
- }
-
- function isNumber (number) {
- return typeof number === 'number' && number === number;
- }
-
- function isActionSynchronous (options) {
- return options.action.length === 0;
- }
-
- function incrementCount (options) {
- options.count += 1;
- }
-
- function shouldFail (options) {
- return options.limit >= 0 && options.count >= options.limit;
- }
-
- function postIncrementInterval (options) {
- var currentInterval = options.interval;
-
- if (options.interval < 0) {
- options.interval *= 2;
- }
-
- return currentInterval;
- }
-
- function recur (fn, interval) {
- setTimeout(fn, Math.abs(interval));
- }
- }(commonjsGlobal));
- } (tryer));
-
- var sha3 = {exports: {}};
-
- /**
- * [js-sha3]{@link https://github.com/emn178/js-sha3}
- *
- * @version 0.8.0
- * @author Chen, Yi-Cyuan [emn178@gmail.com]
- * @copyright Chen, Yi-Cyuan 2015-2018
- * @license MIT
- */
-
- (function (module) {
- /*jslint bitwise: true */
- (function () {
-
- var INPUT_ERROR = 'input is invalid type';
- var FINALIZE_ERROR = 'finalize already called';
- var WINDOW = typeof window === 'object';
- var root = WINDOW ? window : {};
- if (root.JS_SHA3_NO_WINDOW) {
- WINDOW = false;
- }
- var WEB_WORKER = !WINDOW && typeof self === 'object';
- var NODE_JS = !root.JS_SHA3_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node;
- if (NODE_JS) {
- root = commonjsGlobal;
- } else if (WEB_WORKER) {
- root = self;
- }
- var COMMON_JS = !root.JS_SHA3_NO_COMMON_JS && 'object' === 'object' && module.exports;
- var ARRAY_BUFFER = !root.JS_SHA3_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined';
- var HEX_CHARS = '0123456789abcdef'.split('');
- var SHAKE_PADDING = [31, 7936, 2031616, 520093696];
- var CSHAKE_PADDING = [4, 1024, 262144, 67108864];
- var KECCAK_PADDING = [1, 256, 65536, 16777216];
- var PADDING = [6, 1536, 393216, 100663296];
- var SHIFT = [0, 8, 16, 24];
- var RC = [1, 0, 32898, 0, 32906, 2147483648, 2147516416, 2147483648, 32907, 0, 2147483649,
- 0, 2147516545, 2147483648, 32777, 2147483648, 138, 0, 136, 0, 2147516425, 0,
- 2147483658, 0, 2147516555, 0, 139, 2147483648, 32905, 2147483648, 32771,
- 2147483648, 32770, 2147483648, 128, 2147483648, 32778, 0, 2147483658, 2147483648,
- 2147516545, 2147483648, 32896, 2147483648, 2147483649, 0, 2147516424, 2147483648];
- var BITS = [224, 256, 384, 512];
- var SHAKE_BITS = [128, 256];
- var OUTPUT_TYPES = ['hex', 'buffer', 'arrayBuffer', 'array', 'digest'];
- var CSHAKE_BYTEPAD = {
- '128': 168,
- '256': 136
- };
-
- if (root.JS_SHA3_NO_NODE_JS || !Array.isArray) {
- Array.isArray = function (obj) {
- return Object.prototype.toString.call(obj) === '[object Array]';
- };
- }
-
- if (ARRAY_BUFFER && (root.JS_SHA3_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) {
- ArrayBuffer.isView = function (obj) {
- return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer;
- };
- }
-
- var createOutputMethod = function (bits, padding, outputType) {
- return function (message) {
- return new Keccak(bits, padding, bits).update(message)[outputType]();
- };
- };
-
- var createShakeOutputMethod = function (bits, padding, outputType) {
- return function (message, outputBits) {
- return new Keccak(bits, padding, outputBits).update(message)[outputType]();
- };
- };
-
- var createCshakeOutputMethod = function (bits, padding, outputType) {
- return function (message, outputBits, n, s) {
- return methods['cshake' + bits].update(message, outputBits, n, s)[outputType]();
- };
- };
+ var createCshakeOutputMethod = function (bits, padding, outputType) {
+ return function (message, outputBits, n, s) {
+ return methods['cshake' + bits].update(message, outputBits, n, s)[outputType]();
+ };
+ };
var createKmacOutputMethod = function (bits, padding, outputType) {
return function (key, message, outputBits, s) {
@@ -27939,65 +27040,2650 @@ var snarkjs = (function (exports) {
var jsSha3 = sha3.exports;
/*
- Copyright 2021 0KIMS association.
+ Copyright 2021 0kims association.
- This file is part of snarkJS.
+ This file is part of snarkjs.
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
*/
+ const {stringifyBigInts: stringifyBigInts$1} = utils;
+ const { keccak256: keccak256$2 } = jsSha3;
- const {unstringifyBigInts: unstringifyBigInts$3, stringifyBigInts: stringifyBigInts$1} = utils;
+ async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
+ const {fd: fdWtns, sections: sectionsWtns} = await readBinFile(witnessFileName, "wtns", 2);
- async function fflonkExportSolidityVerifier(vk, templates, logger) {
- if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER STARTED");
+ const wtns = await readHeader(fdWtns, sectionsWtns);
- const curve = await getCurveFromName(vk.curve);
+ const {fd: fdZKey, sections: sectionsZKey} = await readBinFile(zkeyFileName, "zkey", 2);
- // Precompute w3_2, w4_2 and w4_3
- let w3 = fromVkey(vk.w3);
- vk.w3_2 = toVkey(curve.Fr.square(w3));
+ const zkey = await readHeader$1(fdZKey, sectionsZKey);
+ if (zkey.protocol != "plonk") {
+ throw new Error("zkey file is not plonk");
+ }
- let w4 = fromVkey(vk.w4);
- vk.w4_2 = toVkey(curve.Fr.square(w4));
- vk.w4_3 = toVkey(curve.Fr.mul(curve.Fr.square(w4), w4));
+ if (!Scalar.eq(zkey.r, wtns.q)) {
+ throw new Error("Curve of the witness does not match the curve of the proving key");
+ }
- let w8 = fromVkey(vk.w8);
- let acc = curve.Fr.one;
+ if (wtns.nWitness != zkey.nVars -zkey.nAdditions) {
+ throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
+ }
- for (let i = 1; i < 8; i++) {
- acc = curve.Fr.mul(acc, w8);
- vk["w8_" + i] = toVkey(acc);
+ const curve = zkey.curve;
+ const Fr = curve.Fr;
+ const G1 = curve.G1;
+ const n8r = curve.Fr.n8;
+
+ if (logger) logger.debug("Reading Wtns");
+ const buffWitness = await readSection(fdWtns, sectionsWtns, 2);
+ // First element in plonk is not used and can be any value. (But always the same).
+ // We set it to zero to go faster in the exponentiations.
+ buffWitness.set(Fr.zero, 0);
+ const buffInternalWitness = new BigBuffer(n8r*zkey.nAdditions);
+
+ await calculateAdditions();
+
+ let A,B,C,Z;
+ let A4, B4, C4, Z4;
+ let pol_a,pol_b,pol_c, pol_z, pol_t, pol_r;
+ let proof = {};
+
+ const sigmaBuff = new BigBuffer(zkey.domainSize*n8r*4*3);
+ let o = sectionsZKey[12][0].p + zkey.domainSize*n8r;
+ await fdZKey.readToBuffer(sigmaBuff, 0 , zkey.domainSize*n8r*4, o);
+ o += zkey.domainSize*n8r*5;
+ await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*4 , zkey.domainSize*n8r*4, o);
+ o += zkey.domainSize*n8r*5;
+ await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*8 , zkey.domainSize*n8r*4, o);
+
+ const pol_s1 = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_s1, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p);
+
+ const pol_s2 = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_s2, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 5*zkey.domainSize*n8r);
+
+ const PTau = await readSection(fdZKey, sectionsZKey, 14);
+
+
+ const ch = {};
+
+ await round1();
+ await round2();
+ await round3();
+ await round4();
+ await round5();
+
+
+ ///////////////////////
+ // Final adjustments //
+ ///////////////////////
+
+ proof.protocol = "plonk";
+ proof.curve = curve.name;
+
+ await fdZKey.close();
+ await fdWtns.close();
+
+ let publicSignals = [];
+
+ for (let i=1; i<= zkey.nPublic; i++) {
+ const pub = buffWitness.slice(i*Fr.n8, i*Fr.n8+Fr.n8);
+ publicSignals.push(Scalar.fromRprLE(pub));
}
- let template = templates[vk.protocol];
+ proof.A = G1.toObject(proof.A);
+ proof.B = G1.toObject(proof.B);
+ proof.C = G1.toObject(proof.C);
+ proof.Z = G1.toObject(proof.Z);
- if (logger) logger.info("FFLONK EXPORT SOLIDITY VERIFIER FINISHED");
+ proof.T1 = G1.toObject(proof.T1);
+ proof.T2 = G1.toObject(proof.T2);
+ proof.T3 = G1.toObject(proof.T3);
- return ejs.render(template, vk);
+ proof.eval_a = Fr.toObject(proof.eval_a);
+ proof.eval_b = Fr.toObject(proof.eval_b);
+ proof.eval_c = Fr.toObject(proof.eval_c);
+ proof.eval_s1 = Fr.toObject(proof.eval_s1);
+ proof.eval_s2 = Fr.toObject(proof.eval_s2);
+ proof.eval_zw = Fr.toObject(proof.eval_zw);
+ proof.eval_t = Fr.toObject(proof.eval_t);
+ proof.eval_r = Fr.toObject(proof.eval_r);
+
+ proof.Wxi = G1.toObject(proof.Wxi);
+ proof.Wxiw = G1.toObject(proof.Wxiw);
+
+ delete proof.eval_t;
+
+ proof = stringifyBigInts$1(proof);
+ publicSignals = stringifyBigInts$1(publicSignals);
+
+ return {proof, publicSignals};
+
+ async function calculateAdditions() {
+ const additionsBuff = await readSection(fdZKey, sectionsZKey, 3);
+
+ const sSum = 8+curve.Fr.n8*2;
+
+ for (let i=0; i0)&&(Fr.isZero(p.slice(deg*n8r, deg*n8r+n8r)))) deg--;
+ return deg;
+ }
+
+ function printPol(P) {
+ const n=(P.byteLength/n8r);
+ console.log("[");
+ for (let i=0; i (zkey.domainSize*3 -4) ) {
+ if (!Fr.isZero(a)) {
+ throw new Error("T Polynomial is not divisible");
+ }
+ }
+ }
+
+ if (logger) logger.debug("ifft Tz");
+ const tz = await Fr.ifft(Tz);
+ for (let i=0; i (zkey.domainSize*3 +5) ) {
+ if (!Fr.isZero(a)) {
+ throw new Error("Tz Polynomial is not well calculated");
+ }
+ } else {
+ t.set(
+ Fr.add(
+ t.slice(i*n8r, (i+1)*n8r),
+ a
+ ),
+ i*n8r
+ );
+ }
+ }
+
+ pol_t = t.slice(0, (zkey.domainSize * 3 + 6) * n8r);
+
+ // t(x) has degree 3n + 5, we are going to split t(x) into three smaller polynomials:
+ // t'_low and t'_mid with a degree < n and t'_high with a degree n+5
+ // such that t(x) = t'_low(X) + X^n t'_mid(X) + X^{2n} t'_hi(X)
+ // To randomize the parts we use blinding scalars b_10 and b_11 in a way that doesn't change t(X):
+ // t_low(X) = t'_low(X) + b_10 X^n
+ // t_mid(X) = t'_mid(X) - b_10 + b_11 X^n
+ // t_high(X) = t'_high(X) - b_11
+ // such that
+ // t(X) = t_low(X) + X^n t_mid(X) + X^2n t_high(X)
+
+ // compute t_low(X)
+ let polTLow = new BigBuffer((zkey.domainSize + 1) * n8r);
+ polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
+ // Add blinding scalar b_10 as a new coefficient n
+ polTLow.set(ch.b[10], zkey.domainSize * n8r);
+
+ // compute t_mid(X)
+ let polTMid = new BigBuffer((zkey.domainSize + 1) * n8r);
+ polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
+ // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
+ const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
+ polTMid.set(lowestMid, 0);
+ // Add blinding scalar b_11 as a new coefficient n
+ polTMid.set(ch.b[11], zkey.domainSize * n8r);
+
+ // compute t_high(X)
+ let polTHigh = new BigBuffer((zkey.domainSize + 6) * n8r);
+ polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
+ //Subtract blinding scalar b_11 to the lowest coefficient of t_high
+ const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
+ polTHigh.set(lowestHigh, 0);
+
+ proof.T1 = await expTau(polTLow, "multiexp T1");
+ proof.T2 = await expTau(polTMid, "multiexp T2");
+ proof.T3 = await expTau(polTHigh, "multiexp T3");
+
+ function mul2(a,b, ap, bp, p) {
+ let r, rz;
+
+
+ const a_b = Fr.mul(a,b);
+ const a_bp = Fr.mul(a,bp);
+ const ap_b = Fr.mul(ap,b);
+ const ap_bp = Fr.mul(ap,bp);
+
+ r = a_b;
+
+ let a0 = Fr.add(a_bp, ap_b);
+
+ let a1 = ap_bp;
+
+ rz = a0;
+ if (p) {
+ rz = Fr.add(rz, Fr.mul(Z1[p], a1));
+ }
+
+ return [r, rz];
+ }
+
+ function mul4(a,b,c,d, ap, bp, cp, dp, p) {
+ let r, rz;
+
+
+ const a_b = Fr.mul(a,b);
+ const a_bp = Fr.mul(a,bp);
+ const ap_b = Fr.mul(ap,b);
+ const ap_bp = Fr.mul(ap,bp);
+
+ const c_d = Fr.mul(c,d);
+ const c_dp = Fr.mul(c,dp);
+ const cp_d = Fr.mul(cp,d);
+ const cp_dp = Fr.mul(cp,dp);
+
+ r = Fr.mul(a_b, c_d);
+
+ let a0 = Fr.mul(ap_b, c_d);
+ a0 = Fr.add(a0, Fr.mul(a_bp, c_d));
+ a0 = Fr.add(a0, Fr.mul(a_b, cp_d));
+ a0 = Fr.add(a0, Fr.mul(a_b, c_dp));
+
+ let a1 = Fr.mul(ap_bp, c_d);
+ a1 = Fr.add(a1, Fr.mul(ap_b, cp_d));
+ a1 = Fr.add(a1, Fr.mul(ap_b, c_dp));
+ a1 = Fr.add(a1, Fr.mul(a_bp, cp_d));
+ a1 = Fr.add(a1, Fr.mul(a_bp, c_dp));
+ a1 = Fr.add(a1, Fr.mul(a_b, cp_dp));
+
+ let a2 = Fr.mul(a_bp, cp_dp);
+ a2 = Fr.add(a2, Fr.mul(ap_b, cp_dp));
+ a2 = Fr.add(a2, Fr.mul(ap_bp, c_dp));
+ a2 = Fr.add(a2, Fr.mul(ap_bp, cp_d));
+
+ let a3 = Fr.mul(ap_bp, cp_dp);
+
+ rz = a0;
+ if (p) {
+ rz = Fr.add(rz, Fr.mul(Z1[p], a1));
+ rz = Fr.add(rz, Fr.mul(Z2[p], a2));
+ rz = Fr.add(rz, Fr.mul(Z3[p], a3));
+ }
+
+ return [r, rz];
+ }
+ }
+
+ async function round4() {
+ const pol_qm = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qm, 0 , zkey.domainSize*n8r, sectionsZKey[7][0].p);
+
+ const pol_ql = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_ql, 0 , zkey.domainSize*n8r, sectionsZKey[8][0].p);
+
+ const pol_qr = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qr, 0 , zkey.domainSize*n8r, sectionsZKey[9][0].p);
+
+ const pol_qo = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qo, 0 , zkey.domainSize*n8r, sectionsZKey[10][0].p);
+
+ const pol_qc = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_qc, 0 , zkey.domainSize*n8r, sectionsZKey[11][0].p);
+
+ const pol_s3 = new BigBuffer(zkey.domainSize*n8r);
+ await fdZKey.readToBuffer(pol_s3, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 10*zkey.domainSize*n8r);
+
+ const transcript4 = new Uint8Array(G1.F.n8*2*3);
+ G1.toRprUncompressed(transcript4, 0, proof.T1);
+ G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
+ G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
+ ch.xi = hashToFr(transcript4);
+
+ if (logger) logger.debug("xi: " + Fr.toString(ch.xi));
+
+ proof.eval_a = evalPol(pol_a, ch.xi);
+ proof.eval_b = evalPol(pol_b, ch.xi);
+ proof.eval_c = evalPol(pol_c, ch.xi);
+ proof.eval_s1 = evalPol(pol_s1, ch.xi);
+ proof.eval_s2 = evalPol(pol_s2, ch.xi);
+ proof.eval_t = evalPol(pol_t, ch.xi);
+ proof.eval_zw = evalPol(pol_z, Fr.mul(ch.xi, Fr.w[zkey.power]));
+
+ const coef_ab = Fr.mul(proof.eval_a, proof.eval_b);
+
+ let e2a = proof.eval_a;
+ const betaxi = Fr.mul(ch.beta, ch.xi);
+ e2a = Fr.add( e2a, betaxi);
+ e2a = Fr.add( e2a, ch.gamma);
+
+ let e2b = proof.eval_b;
+ e2b = Fr.add( e2b, Fr.mul(betaxi, zkey.k1));
+ e2b = Fr.add( e2b, ch.gamma);
+
+ let e2c = proof.eval_c;
+ e2c = Fr.add( e2c, Fr.mul(betaxi, zkey.k2));
+ e2c = Fr.add( e2c, ch.gamma);
+
+ const e2 = Fr.mul(Fr.mul(Fr.mul(e2a, e2b), e2c), ch.alpha);
+
+ let e3a = proof.eval_a;
+ e3a = Fr.add( e3a, Fr.mul(ch.beta, proof.eval_s1));
+ e3a = Fr.add( e3a, ch.gamma);
+
+ let e3b = proof.eval_b;
+ e3b = Fr.add( e3b, Fr.mul(ch.beta, proof.eval_s2));
+ e3b = Fr.add( e3b, ch.gamma);
+
+ let e3 = Fr.mul(e3a, e3b);
+ e3 = Fr.mul(e3, ch.beta);
+ e3 = Fr.mul(e3, proof.eval_zw);
+ e3 = Fr.mul(e3, ch.alpha);
+
+ ch.xim= ch.xi;
+ for (let i=0; i=0; i--) {
+ res = Fr.add(Fr.mul(res, x), P.slice(i*n8r, (i+1)*n8r));
+ }
+ return res;
+ }
+
+ function divPol1(P, d) {
+ const n = P.byteLength/n8r;
+ const res = new BigBuffer(n*n8r);
+ res.set(Fr.zero, (n-1) *n8r);
+ res.set(P.slice((n-1)*n8r, n*n8r), (n-2)*n8r);
+ for (let i=n-3; i>=0; i--) {
+ res.set(
+ Fr.add(
+ P.slice((i+1)*n8r, (i+2)*n8r),
+ Fr.mul(
+ d,
+ res.slice((i+1)*n8r, (i+2)*n8r)
+ )
+ ),
+ i*n8r
+ );
+ }
+ if (!Fr.eq(
+ P.slice(0, n8r),
+ Fr.mul(
+ Fr.neg(d),
+ res.slice(0, n8r)
+ )
+ )) {
+ throw new Error("Polinomial does not divide");
+ }
+ return res;
+ }
+
+ async function expTau(b, name) {
+ const n = b.byteLength/n8r;
+ const PTauN = PTau.slice(0, n*curve.G1.F.n8*2);
+ const bm = await curve.Fr.batchFromMontgomery(b);
+ let res = await curve.G1.multiExpAffine(PTauN, bm, logger, name);
+ res = curve.G1.toAffine(res);
+ return res;
+ }
+
+
+ async function to4T(A, pz) {
+ pz = pz || [];
+ let a = await Fr.ifft(A);
+ const a4 = new BigBuffer(n8r*zkey.domainSize*4);
+ a4.set(a, 0);
+
+ const a1 = new BigBuffer(n8r*(zkey.domainSize + pz.length));
+ a1.set(a, 0);
+ for (let i= 0; i.
+ */
+ const {unstringifyBigInts: unstringifyBigInts$5} = utils;
+
+ async function plonkFullProve(_input, wasmFile, zkeyFileName, logger) {
+ const input = unstringifyBigInts$5(_input);
+
+ const wtns= {
+ type: "mem"
+ };
+ await wtnsCalculate(input, wasmFile, wtns);
+ return await plonk16Prove(zkeyFileName, wtns, logger);
+ }
+
+ /*
+ Copyright 2021 0kims association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
+ const {unstringifyBigInts: unstringifyBigInts$4} = utils;
+ const { keccak256: keccak256$1 } = jsSha3;
+
+
+ async function plonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
+ let vk_verifier = unstringifyBigInts$4(_vk_verifier);
+ let proof = unstringifyBigInts$4(_proof);
+ let publicSignals = unstringifyBigInts$4(_publicSignals);
+
+ const curve = await getCurveFromName(vk_verifier.curve);
+
+ const Fr = curve.Fr;
+ const G1 = curve.G1;
+
+ proof = fromObjectProof(curve,proof);
+ vk_verifier = fromObjectVk$1(curve, vk_verifier);
+ if (!isWellConstructed(curve, proof)) {
+ logger.error("Proof is not well constructed");
+ return false;
+ }
+ if (publicSignals.length != vk_verifier.nPublic) {
+ logger.error("Invalid number of public inputs");
+ return false;
+ }
+ const challanges = calculateChallanges(curve, proof, publicSignals);
+ if (logger) {
+ logger.debug("beta: " + Fr.toString(challanges.beta, 16));
+ logger.debug("gamma: " + Fr.toString(challanges.gamma, 16));
+ logger.debug("alpha: " + Fr.toString(challanges.alpha, 16));
+ logger.debug("xi: " + Fr.toString(challanges.xi, 16));
+ logger.debug("v1: " + Fr.toString(challanges.v[1], 16));
+ logger.debug("v6: " + Fr.toString(challanges.v[6], 16));
+ logger.debug("u: " + Fr.toString(challanges.u, 16));
+ }
+ const L = calculateLagrangeEvaluations(curve, challanges, vk_verifier);
+ if (logger) {
+ logger.debug("Lagrange Evaluations: ");
+ for (let i=1; i.
+ */
+ const { unstringifyBigInts: unstringifyBigInts$3} = utils;
+
+ function i2hex$1(i) {
+ return ("0" + i.toString(16)).slice(-2);
+ }
+
+ function p256$1(n) {
+ let nstr = n.toString(16);
+ while (nstr.length < 64) nstr = "0"+nstr;
+ nstr = `"0x${nstr}"`;
+ return nstr;
+ }
+
+ async function plonkExportSolidityCallData(_proof, _pub) {
+ const proof = unstringifyBigInts$3(_proof);
+ const pub = unstringifyBigInts$3(_pub);
+
+ const curve = await getCurveFromName(proof.curve);
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
+
+ let inputs = "";
+ for (let i=0; i.
+ */
+
+ var plonk = /*#__PURE__*/Object.freeze({
+ __proto__: null,
+ setup: plonkSetup,
+ fullProve: plonkFullProve,
+ prove: plonk16Prove,
+ verify: plonkVerify,
+ exportSolidityCallData: plonkExportSolidityCallData
+ });
+
+ /*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
+
+ // We export to zkey the signals and values of the a, b, c, ql, qr, qm, qo and qc
+
+ // a, b and c are signals id (32-bit integers)
+ // ql, qr, qm, qo and qc are field values
+
+ function getFFlonkConstantConstraint(signal1, Fr) {
+ return [signal1, 0, 0, Fr.one, Fr.zero, Fr.zero, Fr.zero, Fr.zero];
+ }
+
+ function getFFlonkAdditionConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc) {
+ return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
+ }
+
+ function getFFlonkMultiplicationConstraint(signal1, signal2, signalOut, ql, qr, qm, qo, qc, Fr) {
+ return [signal1, signal2, signalOut, ql, qr, qm, qo, qc];
+ }
+
+ /*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
+
+ const LINEAR_COMBINATION_NULLABLE = 0;
+ const LINEAR_COMBINATION_CONSTANT = 1;
+ const LINEAR_COMBINATION_VARIABLE = 2;
+
+ class r1csConstraintProcessor {
+ constructor(Fr, fnGetConstantConstraint, fnGetAdditionConstraint, fnGetMultiplicationConstraint, logger) {
+ this.Fr = Fr;
+ this.logger = logger;
+ this.fnGetAdditionConstraint = fnGetAdditionConstraint;
+ this.fnGetMultiplicationConstraint = fnGetMultiplicationConstraint;
+ }
+
+ processR1csConstraint(settings, lcA, lcB, lcC) {
+ this.normalizeLinearCombination(lcA);
+ this.normalizeLinearCombination(lcB);
+ this.normalizeLinearCombination(lcC);
+
+ const lctA = this.getLinearCombinationType(lcA);
+ const lctB = this.getLinearCombinationType(lcB);
+
+ if ((lctA === LINEAR_COMBINATION_NULLABLE) || (lctB === LINEAR_COMBINATION_NULLABLE)) {
+ return this.processR1csAdditionConstraint(settings, lcC);
+ } else if (lctA === LINEAR_COMBINATION_CONSTANT) {
+ const lcCC = this.joinLinearCombinations(lcB, lcC, lcA[0]);
+ return this.processR1csAdditionConstraint(settings, lcCC);
+ } else if (lctB === LINEAR_COMBINATION_CONSTANT) {
+ const lcCC = this.joinLinearCombinations(lcA, lcC, lcB[0]);
+ return this.processR1csAdditionConstraint(settings, lcCC);
+ } else {
+ return this.processR1csMultiplicationConstraint(settings, lcA, lcB, lcC);
+ }
+ }
+
+ getLinearCombinationType(linCom) {
+ // let k = this.Fr.zero;
+ //
+ // const signalIds = Object.keys(linCom);
+ // for (let i = 0; i < signalIds.length; i++) {
+ // if (signalIds[i] === "0") {
+ // k = this.Fr.add(k, linCom[signalIds[i]]);
+ // } else {
+ // return LINEAR_COMBINATION_VARIABLE;
+ // }
+ // }
+ //
+ // if (!this.Fr.eq(k, this.Fr.zero)) return LINEAR_COMBINATION_CONSTANT;
+ //
+ // return LINEAR_COMBINATION_NULLABLE;
+
+ let k = this.Fr.zero;
+ let n = 0;
+ const ss = Object.keys(linCom);
+ for (let i = 0; i < ss.length; i++) {
+ if (linCom[ss[i]] == 0n) {
+ delete linCom[ss[i]];
+ } else if (ss[i] == 0) {
+ k = this.Fr.add(k, linCom[ss[i]]);
+ } else {
+ n++;
+ }
+ }
+ if (n > 0) return LINEAR_COMBINATION_VARIABLE;
+ if (!this.Fr.isZero(k)) return LINEAR_COMBINATION_CONSTANT;
+ return LINEAR_COMBINATION_NULLABLE;
+ }
+
+ normalizeLinearCombination(linCom) {
+ const signalIds = Object.keys(linCom);
+ for (let i = 0; i < signalIds.length; i++) {
+ if (this.Fr.isZero(linCom[signalIds[i]])) delete linCom[signalIds[i]];
+ }
+
+ return linCom;
+ }
+
+ joinLinearCombinations(linCom1, linCom2, k) {
+ const res = {};
+
+ // for (let s in linCom1) {
+ // const val = this.Fr.mul(k, linCom1[s]);
+ // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
+ // }
+ //
+ // for (let s in linCom2) {
+ // const val = this.Fr.mul(k, linCom2[s]);
+ // res[s] = !(s in res) ? val : this.Fr.add(val, res[s]);
+ // }
+
+ for (let s in linCom1) {
+ if (typeof res[s] == "undefined") {
+ res[s] = this.Fr.mul(k, linCom1[s]);
+ } else {
+ res[s] = this.Fr.add(res[s], this.Fr.mul(k, linCom1[s]));
+ }
+ }
+
+ for (let s in linCom2) {
+ if (typeof res[s] == "undefined") {
+ res[s] = linCom2[s];
+ } else {
+ res[s] = this.Fr.add(res[s], linCom2[s]);
+ }
+ }
+
+ return this.normalizeLinearCombination(res);
+ }
+
+ reduceCoefs(settings, constraintsArr, additionsArr, linCom, maxC) {
+ const res = {
+ k: this.Fr.zero,
+ signals: [],
+ coefs: []
+ };
+ const cs = [];
+
+ for (let signalId in linCom) {
+ if (signalId == 0) {
+ res.k = this.Fr.add(res.k, linCom[signalId]);
+ } else if (linCom[signalId] != 0n) {
+ cs.push([Number(signalId), linCom[signalId]]);
+ }
+ }
+
+ while (cs.length > maxC) {
+ const c1 = cs.shift();
+ const c2 = cs.shift();
+ const so = settings.nVars++;
+
+ const constraints = this.fnGetAdditionConstraint(
+ c1[0], c2[0], so,
+ this.Fr.neg(c1[1]), this.Fr.neg(c2[1]), this.Fr.zero, this.Fr.one, this.Fr.zero);
+
+ constraintsArr.push(constraints);
+ additionsArr.push([c1[0], c2[0], c1[1], c2[1]]);
+
+ cs.push([so, this.Fr.one]);
+ }
+
+ for (let i = 0; i < cs.length; i++) {
+ res.signals[i] = cs[i][0];
+ res.coefs[i] = cs[i][1];
+ }
+
+ while (res.coefs.length < maxC) {
+ res.signals.push(0);
+ res.coefs.push(this.Fr.zero);
+ }
+
+ return res;
+ }
+
+ processR1csAdditionConstraint(settings, linCom) {
+ const constraintsArr = [];
+ const additionsArr = [];
+
+ const C = this.reduceCoefs(settings, constraintsArr, additionsArr, linCom, 3);
+
+ const constraints = this.fnGetAdditionConstraint(
+ C.signals[0], C.signals[1], C.signals[2],
+ C.coefs[0], C.coefs[1], this.Fr.zero, C.coefs[2], C.k);
+
+ constraintsArr.push(constraints);
+
+ return [constraintsArr, additionsArr];
+ }
+
+ processR1csMultiplicationConstraint(settings, lcA, lcB, lcC) {
+ const constraintsArr = [];
+ const additionsArr = [];
+
+ const A = this.reduceCoefs(settings, constraintsArr, additionsArr, lcA, 1);
+ const B = this.reduceCoefs(settings, constraintsArr, additionsArr, lcB, 1);
+ const C = this.reduceCoefs(settings, constraintsArr, additionsArr, lcC, 1);
+
+ const constraints = this.fnGetMultiplicationConstraint(
+ A.signals[0], B.signals[0], C.signals[0],
+ this.Fr.mul(A.coefs[0], B.k),
+ this.Fr.mul(A.k, B.coefs[0]),
+ this.Fr.mul(A.coefs[0], B.coefs[0]),
+ this.Fr.neg(C.coefs[0]),
+ this.Fr.sub(this.Fr.mul(A.k, B.k), C.k));
+
+ constraintsArr.push(constraints);
+
+ return [constraintsArr, additionsArr];
+ }
+ }
+
+ /*
+ Copyright 2022 iden3 association.
+
+ This file is part of snarkjs.
+
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
+
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
+
+ class Polynomial {
+ constructor(coefficients, curve, logger) {
+ this.coef = coefficients;
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.G1 = curve.G1;
+ this.logger = logger;
+ }
+
+ static async fromEvaluations(buffer, curve, logger) {
+ let coefficients = await curve.Fr.ifft(buffer);
+
+ return new Polynomial(coefficients, curve, logger);
+ }
+
+ static fromCoefficientsArray(array, curve, logger) {
+ const Fr = curve.Fr;
+ let buff = array.length > 2 << 14 ?
+ new BigBuffer(array.length * Fr.n8) : new Uint8Array(array.length * Fr.n8);
+ for (let i = 0; i < array.length; i++) buff.set(array[i], i * Fr.n8);
+
+ return new Polynomial(buff, curve, logger);
+ }
+
+ static fromPolynomial(polynomial, curve, logger) {
+ let length = polynomial.length();
+ let Fr = curve.Fr;
+
+ let buff = length > 2 << 14 ?
+ new BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ buff.set(polynomial.coef.slice(), 0);
+
+ return new Polynomial(buff, curve, logger);
+ }
+
+ isEqual(polynomial) {
+ const degree = this.degree();
+ if (degree !== polynomial.degree()) return false;
+
+ for (let i = 0; i < degree + 1; i++) {
+ if (!this.Fr.eq(this.getCoef(i), polynomial.getCoef(i))) return false;
+ }
+
+ return true;
+ }
+
+ blindCoefficients(blindingFactors) {
+ blindingFactors = blindingFactors || [];
+
+ const blindedCoefficients = (this.length() + blindingFactors.length) > 2 << 14 ?
+ new BigBuffer((this.length() + blindingFactors.length) * this.Fr.n8) :
+ new Uint8Array((this.length() + blindingFactors.length) * this.Fr.n8);
+
+ blindedCoefficients.set(this.coef, 0);
+ for (let i = 0; i < blindingFactors.length; i++) {
+ blindedCoefficients.set(
+ this.Fr.add(
+ blindedCoefficients.slice((this.length() + i) * this.Fr.n8, (this.length() + i + 1) * this.Fr.n8),
+ blindingFactors[i]
+ ),
+ (this.length() + i) * this.Fr.n8
+ );
+ blindedCoefficients.set(
+ this.Fr.sub(
+ blindedCoefficients.slice(i * this.Fr.n8, (i + 1) * this.Fr.n8),
+ blindingFactors[i]
+ ),
+ i * this.Fr.n8
+ );
+ }
+ this.coef = blindedCoefficients;
+ }
+
+ getCoef(index) {
+ const i_n8 = index * this.Fr.n8;
+
+ if (i_n8 + this.Fr.n8 > this.coef.byteLength) return this.Fr.zero;
+
+ return this.coef.slice(i_n8, i_n8 + this.Fr.n8);
+ }
+
+ setCoef(index, value) {
+ if (index > (this.length() - 1)) {
+ throw new Error("Coef index is not available");
+ }
+
+ this.coef.set(value, index * this.Fr.n8);
+ }
+
+ static async to4T(buffer, domainSize, blindingFactors, Fr) {
+ blindingFactors = blindingFactors || [];
+ let a = await Fr.ifft(buffer);
+
+ const a4 = (domainSize * 4) > 2 << 14 ?
+ new BigBuffer(domainSize * 4 * Fr.n8) : new Uint8Array(domainSize * 4 * Fr.n8);
+ a4.set(a, 0);
+
+ const A4 = await Fr.fft(a4);
+
+ if (blindingFactors.length === 0) {
+ return [a, A4];
+ }
+
+ const a1 = domainSize + blindingFactors.length > 2 << 14 ?
+ new BigBuffer((domainSize + blindingFactors.length) * Fr.n8) :
+ new Uint8Array((domainSize + blindingFactors.length) * Fr.n8);
+
+ a1.set(a, 0);
+ for (let i = 0; i < blindingFactors.length; i++) {
+ a1.set(
+ Fr.add(
+ a1.slice((domainSize + i) * Fr.n8, (domainSize + i + 1) * Fr.n8),
+ blindingFactors[i]
+ ),
+ (domainSize + i) * Fr.n8
+ );
+ a1.set(
+ Fr.sub(
+ a1.slice(i * Fr.n8, (i + 1) * Fr.n8),
+ blindingFactors[i]
+ ),
+ i * Fr.n8
+ );
+ }
+
+ return [a1, A4];
+ }
+
+ length() {
+ let length = this.coef.byteLength / this.Fr.n8;
+ if (length !== Math.floor(this.coef.byteLength / this.Fr.n8)) {
+ throw new Error("Polynomial coefficients buffer has incorrect size");
+ }
+ if (0 === length) {
+ if (this.logger) {
+ this.logger.warn("Polynomial has length zero");
+ }
+ }
+ return length;
+ }
+
+ degree() {
+ for (let i = this.length() - 1; i > 0; i--) {
+ const i_n8 = i * this.Fr.n8;
+ if (!this.Fr.eq(this.Fr.zero, this.coef.slice(i_n8, i_n8 + this.Fr.n8))) {
+ return i;
+ }
+ }
+
+ return 0;
+ }
+
+ evaluate(point) {
+ let res = this.Fr.zero;
+
+ for (let i = this.degree() + 1; i > 0; i--) {
+ let i_n8 = i * this.Fr.n8;
+ const currentCoefficient = this.coef.slice(i_n8 - this.Fr.n8, i_n8);
+ res = this.Fr.add(currentCoefficient, this.Fr.mul(res, point));
+ }
+
+ return res;
+ }
+
+ fastEvaluate(point) {
+ const Fr = this.Fr;
+ let nThreads = 3;
+
+ let nCoefs = this.degree() + 1;
+ let coefsThread = parseInt(nCoefs / nThreads);
+ let residualCoefs = nCoefs - coefsThread * nThreads;
+
+ let res = [];
+ let xN = [];
+
+ xN[0] = Fr.one;
+
+ for (let i = 0; i < nThreads; i++) {
+ res[i] = Fr.zero;
+
+ let nCoefs = i === (nThreads - 1) ? coefsThread + residualCoefs : coefsThread;
+ for (let j = nCoefs; j > 0; j--) {
+ res[i] = Fr.add(this.getCoef((i * coefsThread) + j - 1), Fr.mul(res[i], point));
+
+ if (i === 0) xN[0] = Fr.mul(xN[0], point);
+ }
+ }
+
+ for (let i = 1; i < nThreads; i++) {
+ res[0] = Fr.add(res[0], Fr.mul(xN[i - 1], res[i]));
+ xN[i] = Fr.mul(xN[i - 1], xN[0]);
+ }
+
+ return res[0];
+ }
+
+ add(polynomial, blindingValue) {
+ let other = false;
+
+ if (polynomial.length() > this.length()) {
+ other = true;
+ }
+
+ const thisLength = this.length();
+ const polyLength = polynomial.length();
+ for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+ let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+
+ if (blindingValue !== undefined) {
+ b = this.Fr.mul(b, blindingValue);
+ }
+ if (other) {
+ polynomial.coef.set(this.Fr.add(a, b), i_n8);
+ } else {
+ this.coef.set(this.Fr.add(a, b), i_n8);
+ }
+ }
+ if (other) {
+ delete this.coef;
+ this.coef = polynomial.coef;
+ }
+ }
+
+ sub(polynomial, blindingValue) {
+ let other = false;
+
+ if (polynomial.length() > this.length()) {
+ other = true;
+ }
+
+ const thisLength = this.length();
+ const polyLength = polynomial.length();
+ for (let i = 0; i < Math.max(thisLength, polyLength); i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ const a = i < thisLength ? this.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+ let b = i < polyLength ? polynomial.coef.slice(i_n8, i_n8 + this.Fr.n8) : this.Fr.zero;
+
+ if (blindingValue !== undefined) {
+ b = this.Fr.mul(b, blindingValue);
+ }
+ if (other) {
+ polynomial.coef.set(this.Fr.sub(a, b), i_n8);
+ } else {
+ this.coef.set(this.Fr.sub(a, b), i_n8);
+ }
+ }
+ if (other) {
+ delete this.coef;
+ this.coef = polynomial.coef;
+ }
+ }
+
+ mulScalar(value) {
+ for (let i = 0; i < this.length(); i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ this.coef.set(this.Fr.mul(this.coef.slice(i_n8, i_n8 + this.Fr.n8), value), i_n8);
+ }
+ }
+
+ addScalar(value) {
+ const currentValue = 0 === this.length() ? this.Fr.zero : this.coef.slice(0, this.Fr.n8);
+ this.coef.set(this.Fr.add(currentValue, value), 0);
+ }
+
+ subScalar(value) {
+ const currentValue = 0 === this.length() ? this.Fr.zero : this.coef.slice(0, this.Fr.n8);
+ this.coef.set(this.Fr.sub(currentValue, value), 0);
+ }
+
+ // Multiply current polynomial by the polynomial (X - value)
+ byXSubValue(value) {
+ const Fr = this.Fr;
+ const resize = !Fr.eq(Fr.zero, this.getCoef(this.length() - 1));
+
+ const length = resize ? this.length() + 1 : this.length();
+ const buff = length > 2 << 14 ? new BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ let pol = new Polynomial(buff, this.curve, this.logger);
+
+ // Step 0: Set current coefficients to the new buffer shifted one position
+ pol.coef.set(this.coef.slice(0, (length - 1) * Fr.n8), 32);
+
+ // Step 1: multiply each coefficient by (-value)
+ this.mulScalar(Fr.neg(value));
+
+ // Step 2: Add current polynomial to destination polynomial
+ pol.add(this);
+
+ // Swap buffers
+ this.coef = pol.coef;
+ }
+
+ // Multiply current polynomial by the polynomial (X^n + value)
+ byXNSubValue(n, value) {
+ const Fr = this.Fr;
+ const resize = !(this.length() - n - 1 >= this.degree());
+
+ const length = resize ? this.length() + n : this.length();
+ const buff = length > 2 << 14 ? new BigBuffer(length * Fr.n8) : new Uint8Array(length * Fr.n8);
+ let pol = new Polynomial(buff, this.curve, this.logger);
+
+ // Step 0: Set current coefficients to the new buffer shifted one position
+ pol.coef.set(this.coef.slice(0, (this.degree() + 1) * 32, ), n * 32);
+
+ // Step 1: multiply each coefficient by (- value)
+ this.mulScalar(value);
+
+ // Step 2: Add current polynomial to destination polynomial
+ pol.add(this);
+
+ // Swap buffers
+ this.coef = pol.coef;
+ }
+
+ // Euclidean division
+ divBy(polynomial) {
+ const Fr = this.Fr;
+ const degreeA = this.degree();
+ const degreeB = polynomial.degree();
+
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
+
+ this.coef = this.length() > 2 << 14 ?
+ new BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+
+ for (let i = degreeA - degreeB; i >= 0; i--) {
+ this.setCoef(i, Fr.div(polR.getCoef(i + degreeB), polynomial.getCoef(degreeB)));
+ for (let j = 0; j <= degreeB; j++) {
+ polR.setCoef(i + j, Fr.sub(polR.getCoef(i + j), Fr.mul(this.getCoef(i), polynomial.getCoef(j))));
+ }
+ }
+
+ return polR;
+ }
+
+ // Division by a Polynomial of the form (x^m - beta)
+ divByMonic(m, beta) {
+ const Fr = this.Fr;
+
+ let d = this.degree();
+
+ let buffer = this.length() > 2 << 14 ?
+ new BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+ let quotient = new Polynomial(buffer, this.curve, this.logger);
+
+ let bArr = [];
+
+ // Add the m leading coefficients of this to quotient
+ for (let i = 0; i < m; i++) {
+ quotient.setCoef((d - i) - m, this.getCoef(d - i));
+ bArr[i] = this.getCoef(d - i);
+ }
+
+ let nThreads = m;
+ for (let k = 0; k < nThreads; k++) {
+ for (let i = d - 2 * m - k; i >= 0; i = i - nThreads) {
+ if (i < 0) break;
+ let idx = k;
+ bArr[idx] = Fr.add(this.getCoef(i + m), Fr.mul(bArr[idx], beta));
+
+ quotient.setCoef(i, bArr[idx]);
+ }
+ }
+
+ this.coef = quotient.coef;
+ }
+
+ divByVanishing(n, beta) {
+ if (this.degree() < n) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
+
+ const Fr = this.Fr;
+
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
+
+ this.coef = this.length() > 2 << 14 ?
+ new BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+
+ for (let i = this.length() - 1; i >= n; i--) {
+ let leadingCoef = polR.getCoef(i);
+ if (Fr.eq(Fr.zero, leadingCoef)) continue;
+
+ polR.setCoef(i, Fr.zero);
+ polR.setCoef(i - n, Fr.add(polR.getCoef(i - n), Fr.mul(beta, leadingCoef)));
+ this.setCoef(i - n, Fr.add(this.getCoef(i - n), leadingCoef));
+ }
+
+ return polR;
+ }
+
+ divByVanishing2(m, beta) {
+ if (this.degree() < m) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
+
+ const Fr = this.Fr;
+
+ let polR = new Polynomial(this.coef, this.curve, this.logger);
+
+ this.coef = this.length() > 2 << 14 ?
+ new BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8);
+
+ let nThreads = 3;
+ let nTotal = this.length() - m;
+ let nElementsChunk = Math.floor(nTotal / nThreads);
+ let nElementsLast = nTotal - (nThreads - 1) * nElementsChunk;
+
+ console.log(nTotal);
+ console.log(nElementsChunk + " " + nElementsLast);
+ for (let k = 0; k < nThreads; k++) {
+ console.log("> Thread " + k);
+ for (let i = (k === 0 ? nElementsLast : nElementsChunk); i > 0; i--) {
+ let idxDst = i - 1;
+ if (k !== 0) idxDst += (k - 1) * nElementsChunk + nElementsLast;
+ let idxSrc = idxDst + m;
+
+ let leadingCoef = polR.getCoef(idxSrc);
+ if (Fr.eq(Fr.zero, leadingCoef)) continue;
+
+ polR.setCoef(idxSrc, Fr.zero);
+ polR.setCoef(idxDst, Fr.add(polR.getCoef(idxDst), Fr.mul(beta, leadingCoef)));
+ this.setCoef(idxDst, Fr.add(this.getCoef(idxDst), leadingCoef));
+ console.log(idxDst + " <-- " + idxSrc);
+ }
+ }
+
+ this.print();
+ return polR;
+ }
+
+ fastDivByVanishing(data) {
+ const Fr = this.Fr;
+
+ for (let i = 0; i < data.length; i++) {
+
+ let m = data[i][0];
+ let beta = data[i][1];
+
+ if (this.degree() < m) {
+ throw new Error("divByVanishing polynomial divisor must be of degree lower than the dividend polynomial");
+ }
+
+ let nThreads = 5;
+ let nElements = this.length() - m;
+ let nElementsBucket = Math.floor(nElements / nThreads / m);
+ let nElementsChunk = nElementsBucket * m;
+ let nElementsLast = nElements - nThreads * nElementsChunk;
+
+ //In C++ implementation this buffer will be allocated only once outside the loop
+ let polTmp = new Polynomial(this.length() > 2 << 14 ?
+ new BigBuffer(this.length() * Fr.n8) : new Uint8Array(this.length() * Fr.n8), this.curve, this.logger);
+
+ let ptr = this.coef;
+ this.coef = polTmp.coef;
+ polTmp.coef = ptr;
+
+ // STEP 1: Setejar els m valors del següent bucket al chunk actual, PARALEL·LITZAR
+ for (let k = 0; k < nThreads; k++) {
+ let idx0 = (k + 1) * nElementsChunk + nElementsLast;
+ for (let i = 0; i < m; i++) {
+ this.setCoef(idx0 + i - m, polTmp.getCoef(idx0 + i));
+ }
+
+ for (let i = 0; i < nElementsChunk - m; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
+ this.setCoef(offset - m, val);
+ }
+ }
+
+ //STEP 2: Setejar els valors del elements last NO PARAL·LELITZAR
+ let idx0 = nElementsLast;
+ let pending = nElementsLast;
+ for (let i = 0; i < m && pending; i++) {
+ this.setCoef(idx0 - i - 1, polTmp.getCoef(idx0 + m - i - 1));
+ pending--;
+ }
+
+ for (let i = 0; i < pending; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(polTmp.getCoef(offset), Fr.mul(beta, this.getCoef(offset)));
+ this.setCoef(offset - m, val);
+ }
+
+ //Step 3: calcular acumulats NO PARALEL·LITZAR
+
+ let acc = [];
+ let betaPow = Fr.one;
+ for (let i = 0; i < nElementsBucket; i++) {
+ betaPow = Fr.mul(betaPow, beta);
+ }
+ let currentBeta = Fr.one;
+
+ for (let k = nThreads; k > 0; k--) {
+ let idThread = k - 1;
+ let idx0 = idThread * nElementsChunk + nElementsLast;
+ acc[idThread] = [];
+
+ for (let i = 0; i < m; i++) {
+ acc[idThread][i] = this.getCoef(idx0 + i);
+
+ if (k !== nThreads) {
+ acc[idThread][i] = Fr.add(acc[idThread][i], Fr.mul(betaPow, acc[idThread + 1][i]));
+ }
+ }
+ currentBeta = Fr.mul(currentBeta, betaPow);
+ }
+
+ //STEP 4 recalcular PARALEL·LITZAR
+ for (let k = 0; k < nThreads; k++) {
+
+ let idx0 = k * nElementsChunk + nElementsLast;
+ let currentBeta = beta; //Quan hopassem a C++ i ho paralelitzem aquesta variable ha de ser privada
+ let currentM = m - 1;
+
+ let limit = k === 0 ? nElementsLast : nElementsChunk;
+ for (let i = 0; i < limit; i++) {
+ let offset = idx0 - i - 1;
+ let val = Fr.add(this.getCoef(offset), Fr.mul(currentBeta, acc[k][currentM]));
+
+ this.setCoef(offset, val);
+
+ // To avoid modular operations in each loop...
+ if (currentM === 0) {
+ currentM = m - 1;
+ currentBeta = Fr.mul(currentBeta, beta);
+ } else {
+ currentM--;
+ }
+ }
+ }
+ }
+ }
+
+
+ // Divide polynomial by X - value
+ divByXSubValue(value) {
+ const coefs = this.length() > 2 << 14 ?
+ new BigBuffer(this.length() * this.Fr.n8) : new Uint8Array(this.length() * this.Fr.n8);
+
+ coefs.set(this.Fr.zero, (this.length() - 1) * this.Fr.n8);
+ coefs.set(this.coef.slice((this.length() - 1) * this.Fr.n8, this.length() * this.Fr.n8), (this.length() - 2) * this.Fr.n8);
+ for (let i = this.length() - 3; i >= 0; i--) {
+ let i_n8 = i * this.Fr.n8;
+ coefs.set(
+ this.Fr.add(
+ this.coef.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8),
+ this.Fr.mul(value, coefs.slice(i_n8 + this.Fr.n8, i_n8 + 2 * this.Fr.n8))
+ ),
+ i * this.Fr.n8
+ );
+ }
+ if (!this.Fr.eq(
+ this.coef.slice(0, this.Fr.n8),
+ this.Fr.mul(this.Fr.neg(value), coefs.slice(0, this.Fr.n8))
+ )) {
+ throw new Error("Polynomial does not divide");
+ }
+
+ this.coef = coefs;
+ }
+
+ divZh(domainSize, extensions = 4) {
+ for (let i = 0; i < domainSize; i++) {
+ const i_n8 = i * this.Fr.n8;
+ this.coef.set(this.Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8)), i_n8);
+ }
+
+ for (let i = domainSize; i < domainSize * extensions; i++) {
+ const i_n8 = i * this.Fr.n8;
+
+ const a = this.Fr.sub(
+ this.coef.slice((i - domainSize) * this.Fr.n8, (i - domainSize) * this.Fr.n8 + this.Fr.n8),
+ this.coef.slice(i_n8, i_n8 + this.Fr.n8)
+ );
+ this.coef.set(a, i_n8);
+ if (i > (domainSize * (extensions-1) - extensions)) {
+ if (!this.Fr.isZero(a)) {
+ throw new Error("Polynomial is not divisible");
+ }
+ }
+ }
+
+ return this;
+ }
+
+ divByZerofier(n, beta) {
+ let Fr = this.Fr;
+ const invBeta = Fr.inv(beta);
+ const invBetaNeg = Fr.neg(invBeta);
+
+ let isOne = Fr.eq(Fr.one, invBetaNeg);
+ let isNegOne = Fr.eq(Fr.negone, invBetaNeg);
+
+ if (!isOne) {
+ for (let i = 0; i < n; i++) {
+ const i_n8 = i * this.Fr.n8;
+ let element;
+
+ // If invBetaNeg === -1 we'll save a multiplication changing it by a neg function call
+ if (isNegOne) {
+ element = Fr.neg(this.coef.slice(i_n8, i_n8 + this.Fr.n8));
+ } else {
+ element = Fr.mul(invBetaNeg, this.coef.slice(i_n8, i_n8 + this.Fr.n8));
+ }
+
+ this.coef.set(element, i_n8);
+ }
+ }
+
+ isOne = Fr.eq(Fr.one, invBeta);
+ isNegOne = Fr.eq(Fr.negone, invBeta);
+
+ for (let i = n; i < this.length(); i++) {
+ const i_n8 = i * this.Fr.n8;
+ const i_prev_n8 = (i - n) * this.Fr.n8;
+
+ let element = this.Fr.sub(
+ this.coef.slice(i_prev_n8, i_prev_n8 + this.Fr.n8),
+ this.coef.slice(i_n8, i_n8 + this.Fr.n8)
+ );
+
+ // If invBeta === 1 we'll not do anything
+ if(!isOne) {
+ // If invBeta === -1 we'll save a multiplication changing it by a neg function call
+ if(isNegOne) {
+ element = Fr.neg(element);
+ } else {
+ element = Fr.mul(invBeta, element);
+ }
+ }
+
+ this.coef.set(element, i_n8);
+
+ // Check if polynomial is divisible by checking if n high coefficients are zero
+ if (i > this.length() - n - 1) {
+ if (!this.Fr.isZero(element)) {
+ throw new Error("Polynomial is not divisible");
+ }
+ }
+ }
+
+ return this;
+ }
+
+ // function divideByVanishing(f, n, p) {
+ // // polynomial division f(X) / (X^n - 1) with remainder
+ // // very cheap, 0 multiplications
+ // // strategy:
+ // // start with q(X) = 0, r(X) = f(X)
+ // // then start changing q, r while preserving the identity:
+ // // f(X) = q(X) * (X^n - 1) + r(X)
+ // // in every step, move highest-degree term of r into the product
+ // // => r eventually has degree < n and we're done
+ // let q = Array(f.length).fill(0n);
+ // let r = [...f];
+ // for (let i = f.length - 1; i >= n; i--) {
+ // let leadingCoeff = r[i];
+ // if (leadingCoeff === 0n) continue;
+ // r[i] = 0n;
+ // r[i - n] = mod(r[i - n] + leadingCoeff, p);
+ // q[i - n] = mod(q[i - n] + leadingCoeff, p);
+ // }
+ // return [q, r];
+ // }
+
+ byX() {
+ const coefs = (this.length() + 1) > 2 << 14 ?
+ new BigBuffer(this.coef.byteLength + this.Fr.n8) : new Uint8Array(this.coef.byteLength + this.Fr.n8);
+ coefs.set(this.Fr.zero, 0);
+ coefs.set(this.coef, this.Fr.n8);
+
+ this.coef = coefs;
+ }
+
+ // Compute a new polynomial f(x^n) from f(x)
+ // f(x) = a_0 + a_1·x + a_2·x^2 + ... + a_j·x^j
+ // f(x^n) = a_0 + a_1·x^n + a_2·x^2n + ... + a_j·x^jn
+ static
+ async expX(polynomial, n, truncate = false) {
+ const Fr = polynomial.Fr;
+
+ if (n < 1) {
+ // n == 0 not allowed because it has no sense, but if it's necessary we have to return
+ // a zero degree polynomial with a constant coefficient equals to the sum of all the original coefficients
+ throw new Error("Compute a new polynomial to a zero or negative number is not allowed");
+ } else if (1 === n) {
+ return await Polynomial.fromEvaluations(polynomial.coef, curve, polynomial.logger);
+ }
+
+ // length is the length of non-constant coefficients
+ // if truncate === true, the highest zero coefficients (if exist) will be removed
+ const length = truncate ? polynomial.degree() : (polynomial.length() - 1);
+ const bufferDst = (length * n + 1) > 2 << 14 ?
+ new BigBuffer((length * n + 1) * Fr.n8) : new Uint8Array((length * n + 1) * Fr.n8);
+
+ // Copy constant coefficient as is because is not related to x
+ bufferDst.set(polynomial.getCoef(0), 0);
+
+ for (let i = 1; i <= length; i++) {
+ const i_sFr = i * Fr.n8;
+
+ const coef = polynomial.getCoef(i);
+ bufferDst.set(coef, i_sFr * n);
+ }
+
+ return new Polynomial(bufferDst, polynomial.curve, polynomial.logger);
+ }
+
+ split(numPols, degPols, blindingFactors) {
+ if (numPols < 1) {
+ throw new Error(`Polynomials can't be split in ${numPols} parts`);
+ } else if (1 === numPols) {
+ return [this];
+ }
+
+ //blinding factors can be void or must have a length of numPols - 1
+ if (0 !== blindingFactors.length && blindingFactors.length < numPols - 1) {
+ throw new Error(`Blinding factors length must be ${numPols - 1}`);
+ }
+
+ const chunkByteLength = (degPols + 1) * this.Fr.n8;
+ let res = [];
+
+ // Check polynomial can be split in numChunks parts of chunkSize bytes...
+ const numRealPols = Math.ceil((this.degree() + 1) * this.Fr.n8 / chunkByteLength);
+ if (numRealPols < numPols) {
+ //throw new Error(`Polynomial is short to be split in ${numPols} parts of ${degPols} coefficients each.`);
+ for (let i = numRealPols; i < numPols; i++) {
+ res[i] = new Polynomial(new Uint8Array(this.Fr.n8), this.curve, this.logger);
+ }
+ }
+
+ numPols = Math.min(numPols, numRealPols);
+ for (let i = 0; i < numPols; i++) {
+ const isLast = (numPols - 1) === i;
+ const byteLength = isLast ? this.coef.byteLength - ((numPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
+
+ let buff = (byteLength / this.Fr.n8) > 2 << 14 ? new BigBuffer(byteLength) : new Uint8Array(byteLength);
+ res[i] = new Polynomial(buff, this.curve, this.logger);
+
+ const fr = i * chunkByteLength;
+ const to = isLast ? this.coef.byteLength : (i + 1) * chunkByteLength;
+ res[i].coef.set(this.coef.slice(fr, to), 0);
+
+ // Add a blinding factor as higher degree
+ if (!isLast) {
+ res[i].coef.set(blindingFactors[i], chunkByteLength);
+ }
+
+ // Sub blinding factor to the lowest degree
+ if (0 !== i) {
+ const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
+ res[i].coef.set(lowestDegree, 0);
+ }
+
+ if (isLast) {
+ res[i].truncate();
+ }
+ }
+
+ return res;
+
+ // // compute t_low(X)
+ // let polTLow = new BigBuffer((chunkSize + 1) * n8r);
+ // polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
+ // // Add blinding scalar b_10 as a new coefficient n
+ // polTLow.set(ch.b[10], zkey.domainSize * n8r);
+ //
+ // // compute t_mid(X)
+ // let polTMid = new BigBuffer((zkey.domainSize + 1) * n8r);
+ // polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
+ // // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
+ // const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
+ // polTMid.set(lowestMid, 0);
+ // // Add blinding scalar b_11 as a new coefficient n
+ // polTMid.set(ch.b[11], zkey.domainSize * n8r);
+ //
+ // // compute t_high(X)
+ // let polTHigh = new BigBuffer((zkey.domainSize + 6) * n8r);
+ // polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
+ // //Subtract blinding scalar b_11 to the lowest coefficient of t_high
+ // const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
+ // polTHigh.set(lowestHigh, 0);
+ //
+ // proof.T1 = await expTau(polTLow, "multiexp T1");
+ // proof.T2 = await expTau(polTMid, "multiexp T2");
+ // proof.T3 = await expTau(polTHigh, "multiexp T3");
+ }
+
+ // split2(degPols, blindingFactors) {
+ // let currentDegree = this.degree();
+ // const numFilledPols = Math.ceil((currentDegree + 1) / (degPols + 1));
+ //
+ // //blinding factors can be void or must have a length of numPols - 1
+ // if (0 !== blindingFactors.length && blindingFactors.length < numFilledPols - 1) {
+ // throw new Error(`Blinding factors length must be ${numFilledPols - 1}`);
+ // }
+ //
+ // const chunkByteLength = (degPols + 1) * this.Fr.n8;
+ //
+ // // Check polynomial can be split in numChunks parts of chunkSize bytes...
+ // if (this.coef.byteLength / chunkByteLength <= numFilledPols - 1) {
+ // throw new Error(`Polynomial is short to be split in ${numFilledPols} parts of ${degPols} coefficients each.`);
+ // }
+ //
+ // let res = [];
+ // for (let i = 0; i < numFilledPols; i++) {
+ // const isLast = (numFilledPols - 1) === i;
+ // const byteLength = isLast ? (currentDegree + 1) * this.Fr.n8 - ((numFilledPols - 1) * chunkByteLength) : chunkByteLength + this.Fr.n8;
+ //
+ // res[i] = new Polynomial(new BigBuffer(byteLength), this.Fr, this.logger);
+ // const fr = i * chunkByteLength;
+ // const to = isLast ? (currentDegree + 1) * this.Fr.n8 : (i + 1) * chunkByteLength;
+ // res[i].coef.set(this.coef.slice(fr, to), 0);
+ //
+ // // Add a blinding factor as higher degree
+ // if (!isLast) {
+ // res[i].coef.set(blindingFactors[i], chunkByteLength);
+ // }
+ //
+ // // Sub blinding factor to the lowest degree
+ // if (0 !== i) {
+ // const lowestDegree = this.Fr.sub(res[i].coef.slice(0, this.Fr.n8), blindingFactors[i - 1]);
+ // res[i].coef.set(lowestDegree, 0);
+ // }
+ // }
+ //
+ // return res;
+ // }
+
+ // merge(pols, overlap = true) {
+ // let length = 0;
+ // for (let i = 0; i < pols.length; i++) {
+ // length += pols[i].length();
+ // }
+ //
+ // if (overlap) {
+ // length -= pols.length - 1;
+ // }
+ //
+ // let res = new Polynomial(new BigBuffer(length * this.Fr.n8));
+ // for (let i = 0; i < pols.length; i++) {
+ // const byteLength = pols[i].coef.byteLength;
+ // if (0 === i) {
+ // res.coef.set(pols[i].coef, 0);
+ // } else {
+ //
+ // }
+ // }
+ //
+ // return res;
+ // }
+
+ truncate() {
+ const deg = this.degree();
+ if (deg + 1 < this.coef.byteLength / this.Fr.n8) {
+ const newCoefs = (deg + 1) > 2 << 14 ?
+ new BigBuffer((deg + 1) * this.Fr.n8) : new Uint8Array((deg + 1) * this.Fr.n8);
+
+ newCoefs.set(this.coef.slice(0, (deg + 1) * this.Fr.n8), 0);
+ this.coef = newCoefs;
+ }
+ }
+
+ static lagrangePolynomialInterpolation(xArr, yArr, curve) {
+ const Fr = curve.Fr;
+ let polynomial = computeLagrangePolynomial(0);
+ for (let i = 1; i < xArr.length; i++) {
+ polynomial.add(computeLagrangePolynomial(i));
+ }
+
+ return polynomial;
+
+ function computeLagrangePolynomial(i) {
+ let polynomial;
+
+ for (let j = 0; j < xArr.length; j++) {
+ if (j === i) continue;
+
+ if (polynomial === undefined) {
+ let buff = (xArr.length) > 2 << 14 ?
+ new BigBuffer((xArr.length) * Fr.n8) : new Uint8Array((xArr.length) * Fr.n8);
+ polynomial = new Polynomial(buff, curve);
+ polynomial.setCoef(0, Fr.neg(xArr[j]));
+ polynomial.setCoef(1, Fr.one);
+ } else {
+ polynomial.byXSubValue(xArr[j]);
+ }
+ }
+
+ let denominator = polynomial.evaluate(xArr[i]);
+ denominator = Fr.inv(denominator);
+ const mulFactor = Fr.mul(yArr[i], denominator);
+
+ polynomial.mulScalar(mulFactor);
+
+ return polynomial;
+ }
+ }
+
+ static zerofierPolynomial(xArr, curve) {
+ const Fr = curve.Fr;
+ let buff = (xArr.length + 1) > 2 << 14 ?
+ new BigBuffer((xArr.length + 1) * Fr.n8) : new Uint8Array((xArr.length + 1) * Fr.n8);
+ let polynomial = new Polynomial(buff, curve);
+
+ // Build a zerofier polynomial with the following form:
+ // zerofier(X) = (X-xArr[0])(X-xArr[1])...(X-xArr[n])
+ polynomial.setCoef(0, Fr.neg(xArr[0]));
+ polynomial.setCoef(1, Fr.one);
+
+ for (let i = 1; i < xArr.length; i++) {
+ polynomial.byXSubValue(xArr[i]);
+ }
+
+ return polynomial;
+ }
+
+ print() {
+ const Fr = this.Fr;
+ let res = "";
+ for (let i = this.degree(); i >= 0; i--) {
+ const coef = this.getCoef(i);
+ if (!Fr.eq(Fr.zero, coef)) {
+ if (Fr.isNegative(coef)) {
+ res += " - ";
+ } else if (i !== this.degree()) {
+ res += " + ";
+ }
+ res += Fr.toString(coef);
+ if (i > 0) {
+ res += i > 1 ? "x^" + i : "x";
+ }
+ }
+ }
+ console.log(res);
+ }
+
+ async multiExponentiation(PTau, name) {
+ const n = this.coef.byteLength / this.Fr.n8;
+ const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
+ const bm = await this.Fr.batchFromMontgomery(this.coef);
+ let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
+ res = this.G1.toAffine(res);
+ return res;
}
}
/*
+ Copyright 2022 iden3 association.
+
This file is part of snarkjs.
snarkjs is a free software: you can redistribute it and/or
@@ -28014,62 +29700,47 @@ var snarkjs = (function (exports) {
snarkjs. If not, see .
*/
- async function fflonkExportSolidityVerifierCmd(vk, templates, logger) {
- return fflonkExportSolidityVerifier(vk, templates, logger);
- }
-
- // Not ready yet
- // module.exports.generateVerifier_kimleeoh = generateVerifier_kimleeoh;
-
- async function exportSolidityVerifier(zKeyName, templates, logger) {
-
- const verificationKey = await zkeyExportVerificationKey(zKeyName, logger);
-
- if ("fflonk" === verificationKey.protocol) {
- return fflonkExportSolidityVerifierCmd(verificationKey, templates, logger);
+ class Evaluations {
+ constructor(evaluations, curve, logger) {
+ this.eval = evaluations;
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.logger = logger;
}
- let template = templates[verificationKey.protocol];
-
- return ejs.render(template, verificationKey);
- }
+ static async fromPolynomial(polynomial, extension, curve, logger) {
+ const coefficientsN = new BigBuffer(polynomial.length() * extension * curve.Fr.n8);
+ coefficientsN.set(polynomial.coef, 0);
- /*
- Copyright 2018 0KIMS association.
+ const evaluations = await curve.Fr.fft(coefficientsN);
- This file is part of snarkJS.
+ return new Evaluations(evaluations, curve, logger);
+ }
- snarkJS is a free software: you can redistribute it and/or modify it
- under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ getEvaluation(index) {
+ const i_n8 = index * this.Fr.n8;
- snarkJS is distributed in the hope that it will be useful, but WITHOUT
- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- License for more details.
+ if (i_n8 + this.Fr.n8 > this.eval.byteLength) {
+ throw new Error("Evaluations.getEvaluation() out of bounds");
+ }
- You should have received a copy of the GNU General Public License
- along with snarkJS. If not, see .
- */
+ return this.eval.slice(i_n8, i_n8 + this.Fr.n8);
+ }
- var zkey = /*#__PURE__*/Object.freeze({
- __proto__: null,
- newZKey: newZKey,
- exportBellman: phase2exportMPCParams,
- importBellman: phase2importMPCParams,
- verifyFromR1cs: phase2verifyFromR1cs,
- verifyFromInit: phase2verifyFromInit,
- contribute: phase2contribute,
- beacon: beacon,
- exportJson: zkeyExportJson,
- bellmanContribute: bellmanContribute,
- exportVerificationKey: zkeyExportVerificationKey,
- exportSolidityVerifier: exportSolidityVerifier
- });
+ length() {
+ let length = this.eval.byteLength / this.Fr.n8;
+ if (length !== Math.floor(this.eval.byteLength / this.Fr.n8)) {
+ throw new Error("Polynomial evaluations buffer has incorrect size");
+ }
+ if (0 === length) {
+ this.logger.warn("Polynomial has length zero");
+ }
+ return length;
+ }
+ }
/*
- Copyright 2021 0kims association.
+ Copyright 2022 iden3 association.
This file is part of snarkjs.
@@ -28087,469 +29758,550 @@ var snarkjs = (function (exports) {
snarkjs. If not, see .
*/
+ class CPolynomial {
+ constructor(n, curve, logger) {
+ this.n = n;
+ this.polynomials = Array(n).fill(undefined);
+ this.curve = curve;
+ this.Fr = curve.Fr;
+ this.G1 = curve.G1;
+ this.logger = logger;
+ }
- async function plonkSetup(r1csName, ptauName, zkeyName, logger) {
-
- if (globalThis.gc) {globalThis.gc();}
-
- await blake2bWasm.exports.ready();
-
- const {fd: fdPTau, sections: sectionsPTau} = await readBinFile(ptauName, "ptau", 1);
- const {curve, power} = await readPTauHeader(fdPTau, sectionsPTau);
- const {fd: fdR1cs, sections: sectionsR1cs} = await readBinFile(r1csName, "r1cs", 1);
-
- const r1cs = await readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: true, loadCustomGates: true});
-
- const sG1 = curve.G1.F.n8*2;
- const G1 = curve.G1;
- const sG2 = curve.G2.F.n8*2;
- const Fr = curve.Fr;
- const n8r = curve.Fr.n8;
-
- if (logger) logger.info("Reading r1cs");
- await readSection(fdR1cs, sectionsR1cs, 2);
-
- const plonkConstraints = new BigArray();
- const plonkAdditions = new BigArray();
- let plonkNVars = r1cs.nVars;
-
- const nPublic = r1cs.nOutputs + r1cs.nPubInputs;
+ addPolynomial(position, polynomial) {
+ if (position > this.n - 1) {
+ throw new Error("CPolynomial:addPolynomial, cannot add a polynomial to a position greater than n-1");
+ }
- await processConstraints(curve.Fr, r1cs, logger);
+ this.polynomials[position] = polynomial;
+ }
- if (globalThis.gc) {globalThis.gc();}
+ degree() {
+ let degrees = this.polynomials.map(
+ (polynomial, index) => polynomial === undefined ? 0 : polynomial.degree() * this.n + index);
+ return Math.max(...degrees);
+ }
- const fdZKey = await createBinFile(zkeyName, "zkey", 1, 14, 1<<22, 1<<24);
+ getPolynomial() {
+ let degrees = this.polynomials.map(polynomial => polynomial === undefined ? 0 : polynomial.degree());
+ const maxDegree = this.degree();
+ const lengthBuffer = 2 ** (log2(maxDegree - 1) + 1);
+ const sFr = this.Fr.n8;
+ let polynomial = new Polynomial(new BigBuffer(lengthBuffer * sFr), this.curve, this.logger);
- if (r1cs.prime != curve.r) {
- if (logger) logger.error("r1cs curve does not match powers of tau ceremony curve");
- return -1;
- }
+ for (let i = 0; i < maxDegree; i++) {
+ const i_n8 = i * sFr;
+ const i_sFr = i_n8 * this.n;
- let cirPower = log2(plonkConstraints.length -1) +1;
- if (cirPower < 3) cirPower = 3; // As the t polinomal is n+5 whe need at least a power of 4
- const domainSize = 2 ** cirPower;
+ for (let j = 0; j < this.n; j++) {
+ if (this.polynomials[j] !== undefined) {
+ if (i <= degrees[j]) polynomial.coef.set(this.polynomials[j].coef.slice(i_n8, i_n8 + sFr), i_sFr + j * sFr);
+ }
+ }
+ }
- if (logger) logger.info("Plonk constraints: " + plonkConstraints.length);
- if (cirPower > power) {
- if (logger) logger.error(`circuit too big for this power of tau ceremony. ${plonkConstraints.length} > 2**${power}`);
- return -1;
+ return polynomial;
}
- if (!sectionsPTau[12]) {
- if (logger) logger.error("Powers of tau is not prepared.");
- return -1;
+ async multiExponentiation(PTau, name) {
+ let polynomial = this.getPolynomial();
+ const n = polynomial.coef.byteLength / this.Fr.n8;
+ const PTauN = PTau.slice(0, n * this.G1.F.n8 * 2);
+ const bm = await this.Fr.batchFromMontgomery(polynomial.coef);
+ let res = await this.G1.multiExpAffine(PTauN, bm, this.logger, name);
+ res = this.G1.toAffine(res);
+ return res;
}
+ }
+ /*
+ Copyright 2022 iden3 association.
- const LPoints = new BigBuffer(domainSize*sG1);
- const o = sectionsPTau[12][0].p + ((2 ** (cirPower)) -1)*sG1;
- await fdPTau.readToBuffer(LPoints, 0, domainSize*sG1, o);
-
- const [k1, k2] = getK1K2();
-
- const vk = {};
-
-
- await writeAdditions(3, "Additions");
- if (globalThis.gc) {globalThis.gc();}
- await writeWitnessMap(4, 0, "Amap");
- if (globalThis.gc) {globalThis.gc();}
- await writeWitnessMap(5, 1, "Bmap");
- if (globalThis.gc) {globalThis.gc();}
- await writeWitnessMap(6, 2, "Cmap");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(7, 3, "Qm");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(8, 4, "Ql");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(9, 5, "Qr");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(10, 6, "Qo");
- if (globalThis.gc) {globalThis.gc();}
- await writeQMap(11, 7, "Qc");
- if (globalThis.gc) {globalThis.gc();}
- await writeSigma(12, "sigma");
- if (globalThis.gc) {globalThis.gc();}
- await writeLs(13, "lagrange polynomials");
- if (globalThis.gc) {globalThis.gc();}
+ This file is part of snarkjs.
- // Write PTau points
- ////////////
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- await startWriteSection(fdZKey, 14);
- const buffOut = new BigBuffer((domainSize+6)*sG1);
- await fdPTau.readToBuffer(buffOut, 0, (domainSize+6)*sG1, sectionsPTau[2][0].p);
- await fdZKey.write(buffOut);
- await endWriteSection(fdZKey);
- if (globalThis.gc) {globalThis.gc();}
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
- await writeHeaders();
- await fdZKey.close();
- await fdR1cs.close();
- await fdPTau.close();
+ async function fflonkSetup(r1csFilename, ptauFilename, zkeyFilename, logger) {
+ if (logger) logger.info("FFLONK SETUP STARTED");
- if (logger) logger.info("Setup Finished");
+ if (globalThis.gc) globalThis.gc();
- return ;
+ // Read PTau file
+ if (logger) logger.info("> Reading PTau file");
+ const {fd: fdPTau, sections: pTauSections} = await readBinFile(ptauFilename, "ptau", 1);
+ if (!pTauSections[12]) {
+ throw new Error("Powers of Tau is not well prepared. Section 12 missing.");
+ }
- async function processConstraints(Fr, r1cs, logger) {
+ // Get curve defined in PTau
+ if (logger) logger.info("> Getting curve from PTau settings");
+ const {curve} = await readPTauHeader(fdPTau, pTauSections);
- function normalize(linearComb) {
- const ss = Object.keys(linearComb);
- for (let i = 0; i < ss.length; i++) {
- if (linearComb[ss[i]] == 0n) delete linearComb[ss[i]];
- }
- }
+ // Read r1cs file
+ if (logger) logger.info("> Reading r1cs file");
+ const {fd: fdR1cs, sections: sectionsR1cs} = await readBinFile(r1csFilename, "r1cs", 1);
+ const r1cs = await readR1csFd(fdR1cs, sectionsR1cs, {loadConstraints: false, loadCustomGates: true});
- function join(linearComb1, k, linearComb2) {
- const res = {};
+ // Potential error checks
+ if (r1cs.prime !== curve.r) {
+ throw new Error("r1cs curve does not match powers of tau ceremony curve");
+ }
- for (let s in linearComb1) {
- if (typeof res[s] == "undefined") {
- res[s] = Fr.mul(k, linearComb1[s]);
- } else {
- res[s] = Fr.add(res[s], Fr.mul(k, linearComb1[s]));
- }
- }
+ // Initializations
+ const Fr = curve.Fr;
- for (let s in linearComb2) {
- if (typeof res[s] == "undefined") {
- res[s] = linearComb2[s];
- } else {
- res[s] = Fr.add(res[s], linearComb2[s]);
- }
- }
- normalize(res);
- return res;
- }
+ const sFr = curve.Fr.n8;
+ const sG1 = curve.G1.F.n8 * 2;
+ const sG2 = curve.G2.F.n8 * 2;
- function reduceCoefs(linearComb, maxC) {
- const res = {
- k: Fr.zero,
- s: [],
- coefs: []
- };
- const cs = [];
+ let polynomials = {};
+ let evaluations = {};
+ let PTau;
- for (let s in linearComb) {
- if (s == 0) {
- res.k = Fr.add(res.k, linearComb[s]);
- } else if (linearComb[s] != 0n) {
- cs.push([Number(s), linearComb[s]]);
- }
- }
- while (cs.length > maxC) {
- const c1 = cs.shift();
- const c2 = cs.shift();
+ let settings = {
+ nVars: r1cs.nVars,
+ nPublic: r1cs.nOutputs + r1cs.nPubInputs
+ };
- const sl = c1[0];
- const sr = c2[0];
- const so = plonkNVars++;
- const qm = Fr.zero;
- const ql = Fr.neg(c1[1]);
- const qr = Fr.neg(c2[1]);
- const qo = Fr.one;
- const qc = Fr.zero;
+ const plonkConstraints = new BigArray();
+ let plonkAdditions = new BigArray();
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ // Process constraints inside r1cs
+ if (logger) logger.info("> Processing FFlonk constraints");
+ await computeFFConstraints(curve.Fr, r1cs, logger);
+ if (globalThis.gc) globalThis.gc();
- plonkAdditions.push([sl, sr, c1[1], c2[1]]);
+ // As the t polynomial is n+5 whe need at least a power of 4
+ //TODO check!!!!
+ // NOTE : plonkConstraints + 2 = #constraints + blinding coefficients for each wire polynomial
+ settings.cirPower = Math.max(FF_T_POL_DEG_MIN, log2((plonkConstraints.length + 2) - 1) + 1);
+ settings.domainSize = 2 ** settings.cirPower;
- cs.push([so, Fr.one]);
- }
- for (let i = 0; i < cs.length; i++) {
- res.s[i] = cs[i][0];
- res.coefs[i] = cs[i][1];
- }
- while (res.coefs.length < maxC) {
- res.s.push(0);
- res.coefs.push(Fr.zero);
- }
- return res;
- }
+ if (pTauSections[2][0].size < (settings.domainSize * 9 + 18) * sG1) {
+ throw new Error("Powers of Tau is not big enough for this circuit size. Section 2 too small.");
+ }
+ if (pTauSections[3][0].size < sG2) {
+ throw new Error("Powers of Tau is not well prepared. Section 3 too small.");
+ }
- function addConstraintSum(lc) {
- const C = reduceCoefs(lc, 3);
- const sl = C.s[0];
- const sr = C.s[1];
- const so = C.s[2];
- const qm = Fr.zero;
- const ql = C.coefs[0];
- const qr = C.coefs[1];
- const qo = C.coefs[2];
- const qc = C.k;
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
- }
+ if (logger) {
+ logger.info("----------------------------");
+ logger.info(" FFLONK SETUP SETTINGS");
+ logger.info(` Curve: ${curve.name}`);
+ logger.info(` Circuit power: ${settings.cirPower}`);
+ logger.info(` Domain size: ${settings.domainSize}`);
+ logger.info(` Vars: ${settings.nVars}`);
+ logger.info(` Public vars: ${settings.nPublic}`);
+ logger.info(` Constraints: ${plonkConstraints.length}`);
+ logger.info(` Additions: ${plonkAdditions.length}`);
+ logger.info("----------------------------");
+ }
- function addConstraintMul(lcA, lcB, lcC) {
- const A = reduceCoefs(lcA, 1);
- const B = reduceCoefs(lcB, 1);
- const C = reduceCoefs(lcC, 1);
+ // Compute k1 and k2 to be used in the permutation checks
+ if (logger) logger.info("> computing k1 and k2");
+ const [k1, k2] = computeK1K2();
+ // Compute omega 3 (w3) and omega 4 (w4) to be used in the prover and the verifier
+ // w3^3 = 1 and w4^4 = 1
+ if (logger) logger.info("> computing w3");
+ const w3 = computeW3();
+ if (logger) logger.info("> computing w4");
+ const w4 = computeW4();
+ if (logger) logger.info("> computing w8");
+ const w8 = computeW8();
+ if (logger) logger.info("> computing wr");
+ const wr = getOmegaCubicRoot(settings.cirPower, curve.Fr);
- const sl = A.s[0];
- const sr = B.s[0];
- const so = C.s[0];
- const qm = Fr.mul(A.coefs[0], B.coefs[0]);
- const ql = Fr.mul(A.coefs[0], B.k);
- const qr = Fr.mul(A.k, B.coefs[0]);
- const qo = Fr.neg(C.coefs[0]);
- const qc = Fr.sub(Fr.mul(A.k, B.k), C.k);
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ // Write output zkey file
+ await writeZkeyFile();
+
+ await fdR1cs.close();
+ await fdPTau.close();
+
+ if (logger) logger.info("FFLONK SETUP FINISHED");
+
+ return 0;
+
+ async function computeFFConstraints(Fr, r1cs, logger) {
+ // Add public inputs and outputs
+ for (let i = 0; i < settings.nPublic; i++) {
+ plonkConstraints.push(getFFlonkConstantConstraint(i + 1, Fr));
}
- function getLinearCombinationType(lc) {
- let k = Fr.zero;
- let n = 0;
- const ss = Object.keys(lc);
- for (let i = 0; i < ss.length; i++) {
- if (lc[ss[i]] == 0n) {
- delete lc[ss[i]];
- } else if (ss[i] == 0) {
- k = Fr.add(k, lc[ss[i]]);
- } else {
- n++;
- }
+ // Add all constraints from r1cs file
+ const r1csProcessor = new r1csConstraintProcessor(Fr, getFFlonkConstantConstraint, getFFlonkAdditionConstraint, getFFlonkMultiplicationConstraint, logger);
+
+ const bR1cs = await readSection(fdR1cs, sectionsR1cs, 2);
+ let bR1csPos = 0;
+ for (let i = 0; i < r1cs.nConstraints; i++) {
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) {
+ logger.info(` processing r1cs constraints ${i}/${r1cs.nConstraints}`);
}
- if (n > 0) return n.toString();
- if (k != Fr.zero) return "k";
- return "0";
+ const [constraints, additions] = r1csProcessor.processR1csConstraint(settings, ...readConstraint());
+
+ plonkConstraints.push(...constraints);
+ plonkAdditions.push(...additions);
}
- function process(lcA, lcB, lcC) {
- const lctA = getLinearCombinationType(lcA);
- const lctB = getLinearCombinationType(lcB);
- if ((lctA === "0") || (lctB === "0")) {
- normalize(lcC);
- addConstraintSum(lcC);
- } else if (lctA === "k") {
- const lcCC = join(lcB, lcA[0], lcC);
- addConstraintSum(lcCC);
- } else if (lctB === "k") {
- const lcCC = join(lcA, lcB[0], lcC);
- addConstraintSum(lcCC);
- } else {
- addConstraintMul(lcA, lcB, lcC);
- }
+ function readConstraint() {
+ const c = [];
+ c[0] = readLC();
+ c[1] = readLC();
+ c[2] = readLC();
+ return c;
}
- for (let s = 1; s <= nPublic; s++) {
- const sl = s;
- const sr = 0;
- const so = 0;
- const qm = Fr.zero;
- const ql = Fr.one;
- const qr = Fr.zero;
- const qo = Fr.zero;
- const qc = Fr.zero;
+ function readLC() {
+ const lc = {};
- plonkConstraints.push([sl, sr, so, qm, ql, qr, qo, qc]);
+ const buffUL32 = bR1cs.slice(bR1csPos, bR1csPos + 4);
+ bR1csPos += 4;
+ const buffUL32V = new DataView(buffUL32.buffer);
+ const nIdx = buffUL32V.getUint32(0, true);
+
+ const buff = bR1cs.slice(bR1csPos, bR1csPos + (4 + r1cs.n8) * nIdx);
+ bR1csPos += (4 + r1cs.n8) * nIdx;
+ const buffV = new DataView(buff.buffer);
+ for (let i = 0; i < nIdx; i++) {
+ const idx = buffV.getUint32(i * (4 + r1cs.n8), true);
+ const val = r1cs.F.fromRprLE(buff, i * (4 + r1cs.n8) + 4);
+ lc[idx] = val;
+ }
+ return lc;
}
- for (let c = 0; c < r1cs.constraints.length; c++) {
- if ((logger) && (c % 10000 === 0)) logger.debug(`processing constraints: ${c}/${r1cs.nConstraints}`);
- process(...r1cs.constraints[c]);
+ return 0;
+ }
+
+ async function writeZkeyFile() {
+ if (logger) logger.info("> Writing the zkey file");
+ const fdZKey = await createBinFile(zkeyFilename, "zkey", 1, ZKEY_FF_NSECTIONS, 1 << 22, 1 << 24);
+
+ if (logger) logger.info(`··· Writing Section ${HEADER_ZKEY_SECTION}. Zkey Header`);
+ await writeZkeyHeader(fdZKey);
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
+ await writeAdditions(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_A_MAP_SECTION}. A Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_A_MAP_SECTION, 0, "A map");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_B_MAP_SECTION}. B Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_B_MAP_SECTION, 1, "B map");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_C_MAP_SECTION}. C Map`);
+ await writeWitnessMap(fdZKey, ZKEY_FF_C_MAP_SECTION, 2, "C map");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QL_SECTION}. QL`);
+ await writeQMap(fdZKey, ZKEY_FF_QL_SECTION, 3, "QL");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QR_SECTION}. QR`);
+ await writeQMap(fdZKey, ZKEY_FF_QR_SECTION, 4, "QR");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QM_SECTION}. QM`);
+ await writeQMap(fdZKey, ZKEY_FF_QM_SECTION, 5, "QM");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QO_SECTION}. QO`);
+ await writeQMap(fdZKey, ZKEY_FF_QO_SECTION, 6, "QO");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_QC_SECTION}. QC`);
+ await writeQMap(fdZKey, ZKEY_FF_QC_SECTION, 7, "QC");
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
+ await writeSigma(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_LAGRANGE_SECTION}. Lagrange Polynomials`);
+ await writeLagrangePolynomials(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
+ await writePtau(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_C0_SECTION}. C0`);
+ await writeC0(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info(`··· Writing Section ${ZKEY_FF_HEADER_SECTION}. FFlonk Header`);
+ await writeFFlonkHeader(fdZKey);
+ if (globalThis.gc) globalThis.gc();
+
+ if (logger) logger.info("> Writing the zkey file finished");
+
+ await fdZKey.close();
+ }
+
+ async function writeZkeyHeader(fdZKey) {
+ await startWriteSection(fdZKey, HEADER_ZKEY_SECTION);
+ await fdZKey.writeULE32(FFLONK_PROTOCOL_ID);
+ await endWriteSection(fdZKey);
+ }
+
+ async function writeAdditions(fdZKey) {
+ await startWriteSection(fdZKey, ZKEY_FF_ADDITIONS_SECTION);
+
+ // Written values are 2 * 32 bit integers (2 * 4 bytes) + 2 field size values ( 2 * sFr bytes)
+ const buffOut = new Uint8Array(8 + 2 * sFr);
+ const buffOutV = new DataView(buffOut.buffer);
+
+ for (let i = 0; i < plonkAdditions.length; i++) {
+ if ((logger) && (i !== 0) && (i % 500000 === 0)) logger.info(` writing Additions: ${i}/${plonkAdditions.length}`);
+
+ const addition = plonkAdditions[i];
+
+ buffOutV.setUint32(0, addition[0], true);
+ buffOutV.setUint32(4, addition[1], true);
+ buffOut.set(addition[2], 8);
+ buffOut.set(addition[3], 8 + sFr);
+
+ await fdZKey.write(buffOut);
}
+ await endWriteSection(fdZKey);
}
- async function writeWitnessMap(sectionNum, posConstraint, name) {
+ async function writeWitnessMap(fdZKey, sectionNum, posConstraint, name) {
await startWriteSection(fdZKey, sectionNum);
- for (let i=0; i= 8 * settings.domainSize) {
+ throw new Error("C0 Polynomial is not well calculated");
+ }
+
+ await startWriteSection(fdZKey, ZKEY_FF_C0_SECTION);
+ await fdZKey.write(polynomials.C0.coef);
+ await endWriteSection(fdZKey);
+ }
+
+ async function writeFFlonkHeader(fdZKey) {
+ await startWriteSection(fdZKey, ZKEY_FF_HEADER_SECTION);
+ const primeQ = curve.q;
+ const n8q = (Math.floor((Scalar.bitLength(primeQ) - 1) / 64) + 1) * 8;
await fdZKey.writeULE32(n8q);
await writeBigInt(fdZKey, primeQ, n8q);
+
+ const primeR = curve.r;
+ const n8r = (Math.floor((Scalar.bitLength(primeR) - 1) / 64) + 1) * 8;
await fdZKey.writeULE32(n8r);
await writeBigInt(fdZKey, primeR, n8r);
- await fdZKey.writeULE32(plonkNVars); // Total number of bars
- await fdZKey.writeULE32(nPublic); // Total number of public vars (not including ONE)
- await fdZKey.writeULE32(domainSize); // domainSize
- await fdZKey.writeULE32(plonkAdditions.length); // domainSize
- await fdZKey.writeULE32(plonkConstraints.length);
+
+ // Total number of r1cs vars
+ await fdZKey.writeULE32(settings.nVars);
+ // Total number of r1cs public vars = outputs + public inputs
+ await fdZKey.writeULE32(settings.nPublic);
+ await fdZKey.writeULE32(settings.domainSize);
+ await fdZKey.writeULE32(plonkAdditions.length);
+ await fdZKey.writeULE32(plonkConstraints.length);
await fdZKey.write(k1);
await fdZKey.write(k2);
- await fdZKey.write(G1.toAffine(vk.Qm));
- await fdZKey.write(G1.toAffine(vk.Ql));
- await fdZKey.write(G1.toAffine(vk.Qr));
- await fdZKey.write(G1.toAffine(vk.Qo));
- await fdZKey.write(G1.toAffine(vk.Qc));
-
- await fdZKey.write(G1.toAffine(vk.S1));
- await fdZKey.write(G1.toAffine(vk.S2));
- await fdZKey.write(G1.toAffine(vk.S3));
+ await fdZKey.write(w3);
+ await fdZKey.write(w4);
+ await fdZKey.write(w8);
+ await fdZKey.write(wr);
let bX_2;
- bX_2 = await fdPTau.read(sG2, sectionsPTau[3][0].p + sG2);
+ bX_2 = await fdPTau.read(sG2, pTauSections[3][0].p + sG2);
await fdZKey.write(bX_2);
+ let commitC0 = await polynomials.C0.multiExponentiation(PTau, "C0");
+ await fdZKey.write(commitC0);
+
await endWriteSection(fdZKey);
}
- function getK1K2() {
+ async function writeP4(fdZKey, buff) {
+ const [coefficients, evaluations4] = await Polynomial.to4T(buff, settings.domainSize, [], Fr);
+ await fdZKey.write(coefficients);
+ await fdZKey.write(evaluations4);
+
+ return [coefficients, evaluations4];
+ }
+
+ function computeK1K2() {
let k1 = Fr.two;
- while (isIncluded(k1, [], cirPower)) Fr.add(k1, Fr.one);
+ while (isIncluded(k1, [], settings.cirPower)) Fr.add(k1, Fr.one);
let k2 = Fr.add(k1, Fr.one);
- while (isIncluded(k2, [k1], cirPower)) Fr.add(k2, Fr.one);
+ while (isIncluded(k2, [k1], settings.cirPower)) Fr.add(k2, Fr.one);
return [k1, k2];
-
function isIncluded(k, kArr, pow) {
- const domainSize= 2**pow;
+ const domainSize = 2 ** pow;
let w = Fr.one;
- for (let i=0; i.
*/
- const {stringifyBigInts} = utils;
- const { keccak256: keccak256$1 } = jsSha3;
+ const { keccak256 } = jsSha3;
- async function plonk16Prove(zkeyFileName, witnessFileName, logger) {
- const {fd: fdWtns, sections: sectionsWtns} = await readBinFile(witnessFileName, "wtns", 2);
+ const POLYNOMIAL = 0;
+ const SCALAR = 1;
- const wtns = await readHeader(fdWtns, sectionsWtns);
+ class Keccak256Transcript {
+ constructor(curve) {
+ this.G1 = curve.G1;
+ this.Fr = curve.Fr;
- const {fd: fdZKey, sections: sectionsZKey} = await readBinFile(zkeyFileName, "zkey", 2);
+ this.reset();
+ }
- const zkey = await readHeader$1(fdZKey, sectionsZKey);
- if (zkey.protocol != "plonk") {
- throw new Error("zkey file is not plonk");
+ reset() {
+ this.data = [];
}
- if (!Scalar.eq(zkey.r, wtns.q)) {
- throw new Error("Curve of the witness does not match the curve of the proving key");
+ addPolCommitment(polynomialCommitment) {
+ this.data.push({type: POLYNOMIAL, data: polynomialCommitment});
}
- if (wtns.nWitness != zkey.nVars -zkey.nAdditions) {
- throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
+ addScalar(scalar) {
+ this.data.push({type: SCALAR, data: scalar});
}
- const curve = zkey.curve;
- const Fr = curve.Fr;
- const G1 = curve.G1;
- const n8r = curve.Fr.n8;
+ getChallenge() {
+ if(0 === this.data.length) {
+ throw new Error("Keccak256Transcript: No data to generate a transcript");
+ }
- if (logger) logger.debug("Reading Wtns");
- const buffWitness = await readSection(fdWtns, sectionsWtns, 2);
- // First element in plonk is not used and can be any value. (But always the same).
- // We set it to zero to go faster in the exponentiations.
- buffWitness.set(Fr.zero, 0);
- const buffInternalWitness = new BigBuffer(n8r*zkey.nAdditions);
+ let nPolynomials = 0;
+ let nScalars = 0;
- await calculateAdditions();
+ this.data.forEach(element => POLYNOMIAL === element.type ? nPolynomials++ : nScalars++);
- let A,B,C,Z;
- let A4, B4, C4, Z4;
- let pol_a,pol_b,pol_c, pol_z, pol_t, pol_r;
- let proof = {};
+ let buffer = new Uint8Array(nScalars * this.Fr.n8 + nPolynomials * this.G1.F.n8 * 2);
+ let offset = 0;
- const sigmaBuff = new BigBuffer(zkey.domainSize*n8r*4*3);
- let o = sectionsZKey[12][0].p + zkey.domainSize*n8r;
- await fdZKey.readToBuffer(sigmaBuff, 0 , zkey.domainSize*n8r*4, o);
- o += zkey.domainSize*n8r*5;
- await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*4 , zkey.domainSize*n8r*4, o);
- o += zkey.domainSize*n8r*5;
- await fdZKey.readToBuffer(sigmaBuff, zkey.domainSize*n8r*8 , zkey.domainSize*n8r*4, o);
+ for (let i = 0; i < this.data.length; i++) {
+ if (POLYNOMIAL === this.data[i].type) {
+ this.G1.toRprUncompressed(buffer, offset, this.data[i].data);
+ offset += this.G1.F.n8 * 2;
+ } else {
+ this.Fr.toRprBE(buffer, offset, this.data[i].data);
+ offset += this.Fr.n8;
+ }
+ }
- const pol_s1 = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_s1, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p);
+ const value = Scalar.fromRprBE(new Uint8Array(keccak256.arrayBuffer(buffer)));
+ return this.Fr.e(value);
+ }
+ }
- const pol_s2 = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_s2, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 5*zkey.domainSize*n8r);
+ /*
+ Copyright 2022 iden3 association.
- const PTau = await readSection(fdZKey, sectionsZKey, 14);
+ This file is part of snarkjs.
+ snarkjs is a free software: you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your option)
+ any later version.
- const ch = {};
+ snarkjs is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ more details.
- await round1();
- await round2();
- await round3();
- await round4();
- await round5();
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
+ */
+ class Proof {
+ constructor(curve, logger) {
+ this.curve = curve;
+ this.logger = logger;
- ///////////////////////
- // Final adjustments //
- ///////////////////////
+ this.resetProof();
+ }
- proof.protocol = "plonk";
- proof.curve = curve.name;
+ resetProof() {
+ this.polynomials = {};
+ this.evaluations = {};
+ }
- await fdZKey.close();
- await fdWtns.close();
+ addPolynomial(key, polynomial) {
+ if (key in this.polynomials) {
+ this.logger.warn(`proof: polynomial.${key} already exist in proof`);
+ }
+ this.polynomials[key] = polynomial;
+ }
- let publicSignals = [];
+ getPolynomial(key) {
+ if (!(key in this.polynomials)) {
+ this.logger.warn(`proof: polynomial ${key} does not exist in proof`);
+ }
+ return this.polynomials[key];
+ }
- for (let i=1; i<= zkey.nPublic; i++) {
- const pub = buffWitness.slice(i*Fr.n8, i*Fr.n8+Fr.n8);
- publicSignals.push(Scalar.fromRprLE(pub));
+ addEvaluation(key, evaluation) {
+ if (key in this.evaluations) {
+ this.logger.warn(`proof: evaluations.${key} already exist in proof`);
+ }
+ this.evaluations[key] = evaluation;
}
- proof.A = G1.toObject(proof.A);
- proof.B = G1.toObject(proof.B);
- proof.C = G1.toObject(proof.C);
- proof.Z = G1.toObject(proof.Z);
+ getEvaluation(key) {
+ if (!(key in this.evaluations)) {
+ this.logger.warn(`proof: evaluation ${key} does not exist in proof`);
+ }
+ return this.evaluations[key];
+ }
- proof.T1 = G1.toObject(proof.T1);
- proof.T2 = G1.toObject(proof.T2);
- proof.T3 = G1.toObject(proof.T3);
+ toObjectProof() {
+ let res = {polynomials: {}, evaluations: {}};
- proof.eval_a = Fr.toObject(proof.eval_a);
- proof.eval_b = Fr.toObject(proof.eval_b);
- proof.eval_c = Fr.toObject(proof.eval_c);
- proof.eval_s1 = Fr.toObject(proof.eval_s1);
- proof.eval_s2 = Fr.toObject(proof.eval_s2);
- proof.eval_zw = Fr.toObject(proof.eval_zw);
- proof.eval_t = Fr.toObject(proof.eval_t);
- proof.eval_r = Fr.toObject(proof.eval_r);
+ Object.keys(this.polynomials).forEach(key => {
+ res.polynomials[key] = this.curve.G1.toObject(this.polynomials[key]);
+ });
- proof.Wxi = G1.toObject(proof.Wxi);
- proof.Wxiw = G1.toObject(proof.Wxiw);
+ Object.keys(this.evaluations).forEach(key => {
+ res.evaluations[key] = this.curve.Fr.toObject(this.evaluations[key]);
+ });
- delete proof.eval_t;
+ return res;
+ }
- proof = stringifyBigInts(proof);
- publicSignals = stringifyBigInts(publicSignals);
+ fromObjectProof(objectProof) {
+ this.resetProof();
- return {proof, publicSignals};
+ Object.keys(objectProof.polynomials).forEach(key => {
+ this.polynomials[key] = this.curve.G1.fromObject(objectProof.polynomials[key]);
+ });
- async function calculateAdditions() {
- const additionsBuff = await readSection(fdZKey, sectionsZKey, 3);
+ Object.keys(objectProof.evaluations).forEach(key => {
+ this.evaluations[key] = this.curve.Fr.fromObject(objectProof.evaluations[key]);
+ });
+ }
+ }
- const sSum = 8+curve.Fr.n8*2;
+ /*
+ Copyright 2022 iden3 association.
- for (let i=0; i.
+ */
- const aMap = await readSection(fdZKey, sectionsZKey, 4);
- const bMap = await readSection(fdZKey, sectionsZKey, 5);
- const cMap = await readSection(fdZKey, sectionsZKey, 6);
+ const { stringifyBigInts } = utils;
- for (let i=0; i Reading witness file");
+ const {
+ fd: fdWtns,
+ sections: wtnsSections
+ } = await readBinFile(witnessFileName, "wtns", 2);
+ const wtns = await readHeader(fdWtns, wtnsSections);
+
+ //Read zkey file
+ if (logger) logger.info("> Reading zkey file");
+ const {
+ fd: fdZKey,
+ sections: zkeySections
+ } = await readBinFile(zkeyFileName, "zkey", 2);
+ const zkey = await readHeader$1(fdZKey, zkeySections);
+
+ if (zkey.protocolId !== FFLONK_PROTOCOL_ID) {
+ throw new Error("zkey file is not fflonk");
}
- function readUInt32(b, o) {
- const buff = b.slice(o, o+4);
- const buffV = new DataView(buff.buffer, buff.byteOffset, buff.byteLength);
- return buffV.getUint32(0, true);
+ if (!Scalar.eq(zkey.r, wtns.q)) {
+ throw new Error("Curve of the witness does not match the curve of the proving key");
}
- function getWitness(idx) {
- if (idx < zkey.nVars-zkey.nAdditions) {
- return buffWitness.slice(idx*n8r, idx*n8r+n8r);
- } else if (idx < zkey.nVars) {
- return buffInternalWitness.slice((idx - (zkey.nVars-zkey.nAdditions))*n8r, (idx-(zkey.nVars-zkey.nAdditions))*n8r + n8r);
- } else {
- return curve.Fr.zero;
- }
+ if (wtns.nWitness !== zkey.nVars - zkey.nAdditions) {
+ throw new Error(`Invalid witness length. Circuit: ${zkey.nVars}, witness: ${wtns.nWitness}, ${zkey.nAdditions}`);
}
- async function round1() {
- ch.b = [];
- for (let i=1; i<=11; i++) {
- ch.b[i] = curve.Fr.random();
- }
-
- [A, B, C] = await buildABC();
+ const curve = zkey.curve;
- [pol_a, A4] = await to4T(A, [ch.b[2], ch.b[1]]);
- [pol_b, B4] = await to4T(B, [ch.b[4], ch.b[3]]);
- [pol_c, C4] = await to4T(C, [ch.b[6], ch.b[5]]);
+ const Fr = curve.Fr;
-
- proof.A = await expTau(pol_a, "multiexp A");
- proof.B = await expTau(pol_b, "multiexp B");
- proof.C = await expTau(pol_c, "multiexp C");
+ const sFr = curve.Fr.n8;
+ const sG1 = curve.G1.F.n8 * 2;
+ const sDomain = zkey.domainSize * sFr;
+
+ if (logger) {
+ logger.info("----------------------------");
+ logger.info(" FFLONK PROVE SETTINGS");
+ logger.info(` Curve: ${curve.name}`);
+ logger.info(` Circuit power: ${zkey.power}`);
+ logger.info(` Domain size: ${zkey.domainSize}`);
+ logger.info(` Vars: ${zkey.nVars}`);
+ logger.info(` Public vars: ${zkey.nPublic}`);
+ logger.info(` Constraints: ${zkey.nConstraints}`);
+ logger.info(` Additions: ${zkey.nAdditions}`);
+ logger.info("----------------------------");
}
- async function round2() {
+ //Read witness data
+ if (logger) logger.info("> Reading witness file data");
+ const buffWitness = await readSection(fdWtns, wtnsSections, 2);
+ await fdWtns.close();
- const transcript1 = new Uint8Array(zkey.nPublic*n8r + G1.F.n8*2*3);
- for (let i=0; i a * 1/a == 1
+ // 2) compute the rest of the denominators using the Montgomery batch inversion
+ // The inversions are:
+ // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
+ // · denominator needed in step 10 and 11 of the verifier
+ // · denominator needed in the verifier when computing L_i^{S1}(X) and L_i^{S2}(X)
+ // · L_i i=1 to num public inputs, needed in step 6 and 7 of the verifier to compute L_1(xi) and PI(xi)
+ let toInverse = {};
+
+ let challenges = {};
+ let roots = {};
+
+ let proof = new Proof(curve, logger);
+
+ if (logger) logger.info(`> Reading Section ${ZKEY_FF_ADDITIONS_SECTION}. Additions`);
+ await calculateAdditions();
- ch.beta = hashToFr(transcript1);
- if (logger) logger.debug("beta: " + Fr.toString(ch.beta));
-
- const transcript2 = new Uint8Array(n8r);
- Fr.toRprBE(transcript2, 0, ch.beta);
- ch.gamma = hashToFr(transcript2);
- if (logger) logger.debug("gamma: " + Fr.toString(ch.gamma));
-
- let numArr = new BigBuffer(Fr.n8*zkey.domainSize);
- let denArr = new BigBuffer(Fr.n8*zkey.domainSize);
+ if (logger) logger.info(`> Reading Sections ${ZKEY_FF_SIGMA1_SECTION},${ZKEY_FF_SIGMA2_SECTION},${ZKEY_FF_SIGMA3_SECTION}. Sigma1, Sigma2 & Sigma 3`);
+ if (logger) logger.info("··· Reading Sigma polynomials ");
+ polynomials.Sigma1 = new Polynomial(new BigBuffer(sDomain), curve, logger);
+ polynomials.Sigma2 = new Polynomial(new BigBuffer(sDomain), curve, logger);
+ polynomials.Sigma3 = new Polynomial(new BigBuffer(sDomain), curve, logger);
+
+ await fdZKey.readToBuffer(polynomials.Sigma1.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.Sigma2.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.Sigma3.coef, 0, sDomain, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p);
+
+ if (logger) logger.info("··· Reading Sigma evaluations");
+ evaluations.Sigma1 = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+ evaluations.Sigma2 = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+ evaluations.Sigma3 = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+
+ await fdZKey.readToBuffer(evaluations.Sigma1.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA1_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.Sigma2.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA2_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.Sigma3.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_SIGMA3_SECTION][0].p + sDomain);
+
+ if (logger) logger.info(`> Reading Section ${ZKEY_FF_PTAU_SECTION}. Powers of Tau`);
+ const PTau = new BigBuffer(zkey.domainSize * 16 * sG1);
+ // domainSize * 9 + 18 = SRS length in the zkey saved in setup process.
+ // it corresponds to the maximum SRS length needed, specifically to commit C2
+ // notice that the reserved buffers size is zkey.domainSize * 16 * sG1 because a power of two buffer size is needed
+ // the remaining buffer not filled from SRS are set to 0
+ await fdZKey.readToBuffer(PTau, 0, (zkey.domainSize * 9 + 18) * sG1, zkeySections[ZKEY_FF_PTAU_SECTION][0].p);
+
+ // START FFLONK PROVER PROTOCOL
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 1. Compute C1(X) polynomial
+ if (logger) logger.info("");
+ if (logger) logger.info("> ROUND 1");
+ await round1();
+
+ delete polynomials.T0;
+ delete evaluations.QL;
+ delete evaluations.QR;
+ delete evaluations.QM;
+ delete evaluations.QO;
+ delete evaluations.QC;
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 2. Compute C2(X) polynomial
+ if (logger) logger.info("> ROUND 2");
+ await round2();
+
+ delete buffers.A;
+ delete buffers.B;
+ delete buffers.C;
+ delete evaluations.A;
+ delete evaluations.B;
+ delete evaluations.C;
+ delete evaluations.Sigma1;
+ delete evaluations.Sigma2;
+ delete evaluations.Sigma3;
+ delete evaluations.lagrange1;
+ delete evaluations.Z;
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 3. Compute opening evaluations
+ if (logger) logger.info("> ROUND 3");
+ await round3();
+
+ delete polynomials.A;
+ delete polynomials.B;
+ delete polynomials.C;
+ delete polynomials.Z;
+ delete polynomials.T1;
+ delete polynomials.T2;
+ delete polynomials.Sigma1;
+ delete polynomials.Sigma2;
+ delete polynomials.Sigma3;
+ delete polynomials.QL;
+ delete polynomials.QR;
+ delete polynomials.QM;
+ delete polynomials.QC;
+ delete polynomials.QO;
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 4. Compute W(X) polynomial
+ if (logger) logger.info("> ROUND 4");
+ await round4();
+ if (globalThis.gc) globalThis.gc();
+
+ // ROUND 5. Compute W'(X) polynomial
+ if (logger) logger.info("> ROUND 5");
+ await round5();
+
+ delete polynomials.C0;
+ delete polynomials.C1;
+ delete polynomials.C2;
+ delete polynomials.R1;
+ delete polynomials.R2;
+ delete polynomials.F;
+ delete polynomials.L;
+ delete polynomials.ZT;
+ delete polynomials.ZTS2;
+ await fdZKey.close();
+ if (globalThis.gc) globalThis.gc();
+
+ proof.addEvaluation("inv", getMontgomeryBatchedInverse());
- numArr.set(Fr.one, 0);
- denArr.set(Fr.one, 0);
+ // Prepare proof
+ let _proof = proof.toObjectProof();
+ _proof.protocol = "fflonk";
+ _proof.curve = curve.name;
- let w = Fr.one;
- for (let i=0; i Computing A, B, C wire polynomials");
+ await computeWirePolynomials();
+
+ // STEP 1.3 - Compute the quotient polynomial T0(X)
+ if (logger) logger.info("> Computing T0 polynomial");
+ await computeT0();
+
+ // STEP 1.4 - Compute the FFT-style combination polynomial C1(X)
+ if (logger) logger.info("> Computing C1 polynomial");
+ await computeC1();
+
+ // The first output of the prover is ([C1]_1)
+ if (logger) logger.info("> Computing C1 multi exponentiation");
+ let commitC1 = await polynomials.C1.multiExponentiation(PTau, "C1");
+ proof.addPolynomial("C1", commitC1);
+
+ return 0;
+
+ async function computeWirePolynomials() {
+ if (logger) logger.info("··· Reading data from zkey file");
+ // Build A, B and C evaluations buffer from zkey and witness files
+ buffers.A = new BigBuffer(sDomain);
+ buffers.B = new BigBuffer(sDomain);
+ buffers.C = new BigBuffer(sDomain);
+
+ // Read zkey sections and fill the buffers
+ const aMapBuff = await readSection(fdZKey, zkeySections, ZKEY_FF_A_MAP_SECTION);
+ const bMapBuff = await readSection(fdZKey, zkeySections, ZKEY_FF_B_MAP_SECTION);
+ const cMapBuff = await readSection(fdZKey, zkeySections, ZKEY_FF_C_MAP_SECTION);
+
+ // Compute all witness from signal ids and set them to A,B & C buffers
+ for (let i = 0; i < zkey.nConstraints; i++) {
+ const i_sFr = i * sFr;
+ const offset = i * 4;
+
+ // Compute A value from a signal id
+ const signalIdA = readUInt32(aMapBuff, offset);
+ buffers.A.set(getWitness(signalIdA), i_sFr);
+
+ // Compute B value from a signal id
+ const signalIdB = readUInt32(bMapBuff, offset);
+ buffers.B.set(getWitness(signalIdB), i_sFr);
+
+ // Compute C value from a signal id
+ const signalIdC = readUInt32(cMapBuff, offset);
+ buffers.C.set(getWitness(signalIdC), i_sFr);
+ }
+
+ // Blind a(X), b(X) and c(X) polynomials coefficients with blinding scalars b
+ buffers.A.set(challenges.b[1], sDomain - 64);
+ buffers.A.set(challenges.b[2], sDomain - 32);
+ buffers.B.set(challenges.b[3], sDomain - 64);
+ buffers.B.set(challenges.b[4], sDomain - 32);
+ buffers.C.set(challenges.b[5], sDomain - 64);
+ buffers.C.set(challenges.b[6], sDomain - 32);
+
+ buffers.A = await Fr.batchToMontgomery(buffers.A);
+ buffers.B = await Fr.batchToMontgomery(buffers.B);
+ buffers.C = await Fr.batchToMontgomery(buffers.C);
+
+ // Compute the coefficients of the wire polynomials a(X), b(X) and c(X) from A,B & C buffers
+ if (logger) logger.info("··· Computing A ifft");
+ polynomials.A = await Polynomial.fromEvaluations(buffers.A, curve, logger);
+ if (logger) logger.info("··· Computing B ifft");
+ polynomials.B = await Polynomial.fromEvaluations(buffers.B, curve, logger);
+ if (logger) logger.info("··· Computing C ifft");
+ polynomials.C = await Polynomial.fromEvaluations(buffers.C, curve, logger);
+
+ // Compute extended evaluations of a(X), b(X) and c(X) polynomials
+ if (logger) logger.info("··· Computing A fft");
+ evaluations.A = await Evaluations.fromPolynomial(polynomials.A, 4, curve, logger);
+ if (logger) logger.info("··· Computing B fft");
+ evaluations.B = await Evaluations.fromPolynomial(polynomials.B, 4, curve, logger);
+ if (logger) logger.info("··· Computing C fft");
+ evaluations.C = await Evaluations.fromPolynomial(polynomials.C, 4, curve, logger);
+
+ // Check degrees
+ if (polynomials.A.degree() >= zkey.domainSize) {
+ throw new Error("A Polynomial is not well calculated");
+ }
+ if (polynomials.B.degree() >= zkey.domainSize) {
+ throw new Error("B Polynomial is not well calculated");
+ }
+ if (polynomials.C.degree() >= zkey.domainSize) {
+ throw new Error("C Polynomial is not well calculated");
+ }
}
- Z = numArr;
+ async function computeT0() {
+ if (logger) logger.info(`··· Reading sections ${ZKEY_FF_QL_SECTION}, ${ZKEY_FF_QR_SECTION}` +
+ `, ${ZKEY_FF_QM_SECTION}, ${ZKEY_FF_QO_SECTION}, ${ZKEY_FF_QC_SECTION}. Q selectors`);
+ // Reserve memory for Q's evaluations
+ evaluations.QL = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QR = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QM = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QO = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+ evaluations.QC = new Evaluations(new BigBuffer(sDomain * 4), curve, logger);
+
+ // Read Q's evaluations from zkey file
+ await fdZKey.readToBuffer(evaluations.QL.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QL_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QR.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QR_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QM.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QM_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QO.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QO_SECTION][0].p + sDomain);
+ await fdZKey.readToBuffer(evaluations.QC.eval, 0, sDomain * 4, zkeySections[ZKEY_FF_QC_SECTION][0].p + sDomain);
+
+ // Read Lagrange polynomials & evaluations from zkey file
+ const lagrangePolynomials = await readSection(fdZKey, zkeySections, ZKEY_FF_LAGRANGE_SECTION);
+ evaluations.lagrange1 = new Evaluations(lagrangePolynomials, curve, logger);
+
+ // Reserve memory for buffers T0
+ buffers.T0 = new BigBuffer(sDomain * 4);
+
+ if (logger) logger.info("··· Computing T0 evaluations");
+ for (let i = 0; i < zkey.domainSize * 4; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T0 evaluation ${i}/${zkey.domainSize * 4}`);
+
+ // Get related evaluations to compute current T0 evaluation
+ const a = evaluations.A.getEvaluation(i);
+ const b = evaluations.B.getEvaluation(i);
+ const c = evaluations.C.getEvaluation(i);
+
+ const ql = evaluations.QL.getEvaluation(i);
+ const qr = evaluations.QR.getEvaluation(i);
+ const qm = evaluations.QM.getEvaluation(i);
+ const qo = evaluations.QO.getEvaluation(i);
+ const qc = evaluations.QC.getEvaluation(i);
+
+ // Compute current public input
+ let pi = Fr.zero;
+ for (let j = 0; j < zkey.nPublic; j++) {
+ const offset = (j * 5 * zkey.domainSize) + zkey.domainSize + i;
+
+ const lPol = evaluations.lagrange1.getEvaluation(offset);
+ const aVal = buffers.A.slice(j * sFr, (j + 1) * sFr);
+
+ pi = Fr.sub(pi, Fr.mul(lPol, aVal));
+ }
- [pol_z, Z4] = await to4T(Z, [ch.b[9], ch.b[8], ch.b[7]]);
+ //T0(X) = [q_L(X)·a(X) + q_R(X)·b(X) + q_M(X)·a(X)·b(X) + q_O(X)·c(X) + q_C(X) + PI(X)] · 1/Z_H(X)
+ // Compute first T0(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+ // expression 1 -> q_L(X)·a(X)
+ const e1 = Fr.mul(a, ql);
- proof.Z = await expTau( pol_z, "multiexp Z");
- }
+ // expression 2 -> q_R(X)·b(X)
+ const e2 = Fr.mul(b, qr);
- async function round3() {
+ // expression 3 -> q_M(X)·a(X)·b(X)
+ const e3 = Fr.mul(Fr.mul(a, b), qm);
- /*
- async function checkDegree(P) {
- const p = await curve.Fr.ifft(P);
- let deg = (P.byteLength/n8r)-1;
- while ((deg>0)&&(Fr.isZero(p.slice(deg*n8r, deg*n8r+n8r)))) deg--;
- return deg;
- }
+ // expression 4 -> q_O(X)·c(X)
+ const e4 = Fr.mul(c, qo);
- function printPol(P) {
- const n=(P.byteLength/n8r);
- console.log("[");
- for (let i=0; i= 2 * zkey.domainSize - 2) {
+ throw new Error(`T0 Polynomial is not well calculated (degree is ${polynomials.T0.degree()} and must be less than ${2 * zkey.domainSize + 2}`);
+ }
- const transcript3 = new Uint8Array(G1.F.n8*2);
- G1.toRprUncompressed(transcript3, 0, proof.Z);
+ delete buffers.T0;
+ }
- ch.alpha = hashToFr(transcript3);
+ async function computeC1() {
+ let C1 = new CPolynomial(4, curve, logger);
+ C1.addPolynomial(0, polynomials.A);
+ C1.addPolynomial(1, polynomials.B);
+ C1.addPolynomial(2, polynomials.C);
+ C1.addPolynomial(3, polynomials.T0);
- if (logger) logger.debug("alpha: " + Fr.toString(ch.alpha));
+ polynomials.C1 = C1.getPolynomial();
+ // Check degree
+ if (polynomials.C1.degree() >= 8 * zkey.domainSize - 8) {
+ throw new Error("C1 Polynomial is not well calculated");
+ }
+ }
+ }
- const Z1 = [
- Fr.zero,
- Fr.add(Fr.e(-1), Fr.w[2]),
- Fr.e(-2),
- Fr.sub(Fr.e(-1), Fr.w[2]),
- ];
+ async function round2() {
+ // STEP 2.1 - Compute permutation challenge beta and gamma ∈ F
+ // Compute permutation challenge beta
+ if (logger) logger.info("> Computing challenges beta and gamma");
+ const transcript = new Keccak256Transcript(curve);
- const Z2 = [
- Fr.zero,
- Fr.add(Fr.zero, Fr.mul(Fr.e(-2), Fr.w[2])),
- Fr.e(4),
- Fr.sub(Fr.zero, Fr.mul(Fr.e(-2), Fr.w[2])),
- ];
+ // Add C0 to the transcript
+ transcript.addPolCommitment(zkey.C0);
- const Z3 = [
- Fr.zero,
- Fr.add(Fr.e(2), Fr.mul(Fr.e(2), Fr.w[2])),
- Fr.e(-8),
- Fr.sub(Fr.e(2), Fr.mul(Fr.e(2), Fr.w[2])),
- ];
+ // Add A to the transcript
+ for (let i = 0; i < zkey.nPublic; i++) {
+ transcript.addScalar(buffers.A.slice(i * sFr, i * sFr + sFr));
+ }
- const T = new BigBuffer(zkey.domainSize*4*n8r);
- const Tz = new BigBuffer(zkey.domainSize*4*n8r);
+ // Add C1 to the transcript
+ transcript.addPolCommitment(proof.getPolynomial("C1"));
- let w = Fr.one;
- for (let i=0; i Computing Z polynomial");
+ await computeZ();
- let [e1, e1z] = mul2(a, b, ap, bp, i%4);
- e1 = Fr.mul(e1, qm);
- e1z = Fr.mul(e1z, qm);
+ // STEP 2.3 - Compute quotient polynomial T1(X) and T2(X)
+ if (logger) logger.info("> Computing T1 polynomial");
+ await computeT1();
+ if (logger) logger.info("> Computing T2 polynomial");
+ await computeT2();
- e1 = Fr.add(e1, Fr.mul(a, ql));
- e1z = Fr.add(e1z, Fr.mul(ap, ql));
+ // STEP 2.4 - Compute the FFT-style combination polynomial C2(X)
+ if (logger) logger.info("> Computing C2 polynomial");
+ await computeC2();
- e1 = Fr.add(e1, Fr.mul(b, qr));
- e1z = Fr.add(e1z, Fr.mul(bp, qr));
+ // The second output of the prover is ([C2]_1)
+ if (logger) logger.info("> Computing C2 multi exponentiation");
+ let commitC2 = await polynomials.C2.multiExponentiation(PTau, "C2");
+ proof.addPolynomial("C2", commitC2);
- e1 = Fr.add(e1, Fr.mul(c, qo));
- e1z = Fr.add(e1z, Fr.mul(cp, qo));
+ return 0;
- e1 = Fr.add(e1, pl);
- e1 = Fr.add(e1, qc);
+ async function computeZ() {
+ if (logger) logger.info("··· Computing Z evaluations");
- const betaw = Fr.mul(ch.beta, w);
- let e2a =a;
- e2a = Fr.add(e2a, betaw);
- e2a = Fr.add(e2a, ch.gamma);
+ let numArr = new BigBuffer(sDomain);
+ let denArr = new BigBuffer(sDomain);
- let e2b =b;
- e2b = Fr.add(e2b, Fr.mul(betaw, zkey.k1));
- e2b = Fr.add(e2b, ch.gamma);
+ // Set the first values to 1
+ numArr.set(Fr.one, 0);
+ denArr.set(Fr.one, 0);
- let e2c =c;
- e2c = Fr.add(e2c, Fr.mul(betaw, zkey.k2));
- e2c = Fr.add(e2c, ch.gamma);
+ // Set initial omega
+ let w = Fr.one;
+ for (let i = 0; i < zkey.domainSize; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` Z evaluation ${i}/${zkey.domainSize}`);
+ const i_sFr = i * sFr;
- let e2d = z;
+ // Z(X) := numArr / denArr
+ // numArr := (a + beta·ω + gamma)(b + beta·ω·k1 + gamma)(c + beta·ω·k2 + gamma)
+ const betaw = Fr.mul(challenges.beta, w);
- let [e2, e2z] = mul4(e2a, e2b, e2c, e2d, ap, bp, cp, zp, i%4);
- e2 = Fr.mul(e2, ch.alpha);
- e2z = Fr.mul(e2z, ch.alpha);
+ let num1 = buffers.A.slice(i_sFr, i_sFr + sFr);
+ num1 = Fr.add(num1, betaw);
+ num1 = Fr.add(num1, challenges.gamma);
- let e3a = a;
- e3a = Fr.add(e3a, Fr.mul(ch.beta, s1));
- e3a = Fr.add(e3a, ch.gamma);
+ let num2 = buffers.B.slice(i_sFr, i_sFr + sFr);
+ num2 = Fr.add(num2, Fr.mul(zkey.k1, betaw));
+ num2 = Fr.add(num2, challenges.gamma);
- let e3b = b;
- e3b = Fr.add(e3b, Fr.mul(ch.beta,s2));
- e3b = Fr.add(e3b, ch.gamma);
+ let num3 = buffers.C.slice(i_sFr, i_sFr + sFr);
+ num3 = Fr.add(num3, Fr.mul(zkey.k2, betaw));
+ num3 = Fr.add(num3, challenges.gamma);
- let e3c = c;
- e3c = Fr.add(e3c, Fr.mul(ch.beta,s3));
- e3c = Fr.add(e3c, ch.gamma);
+ let num = Fr.mul(num1, Fr.mul(num2, num3));
- let e3d = zw;
- let [e3, e3z] = mul4(e3a, e3b, e3c, e3d, ap, bp, cp, zWp, i%4);
+ // denArr := (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)
+ let den1 = buffers.A.slice(i_sFr, i_sFr + sFr);
+ den1 = Fr.add(den1, Fr.mul(challenges.beta, evaluations.Sigma1.getEvaluation(i * 4)));
+ den1 = Fr.add(den1, challenges.gamma);
- e3 = Fr.mul(e3, ch.alpha);
- e3z = Fr.mul(e3z, ch.alpha);
+ let den2 = buffers.B.slice(i_sFr, i_sFr + sFr);
+ den2 = Fr.add(den2, Fr.mul(challenges.beta, evaluations.Sigma2.getEvaluation(i * 4)));
+ den2 = Fr.add(den2, challenges.gamma);
- let e4 = Fr.sub(z, Fr.one);
- e4 = Fr.mul(e4, lPols.slice( (zkey.domainSize + i)*n8r, (zkey.domainSize+i+1)*n8r));
- e4 = Fr.mul(e4, Fr.mul(ch.alpha, ch.alpha));
+ let den3 = buffers.C.slice(i_sFr, i_sFr + sFr);
+ den3 = Fr.add(den3, Fr.mul(challenges.beta, evaluations.Sigma3.getEvaluation(i * 4)));
+ den3 = Fr.add(den3, challenges.gamma);
- let e4z = Fr.mul(zp, lPols.slice( (zkey.domainSize + i)*n8r, (zkey.domainSize+i+1)*n8r));
- e4z = Fr.mul(e4z, Fr.mul(ch.alpha, ch.alpha));
+ let den = Fr.mul(den1, Fr.mul(den2, den3));
- let e = Fr.add(Fr.sub(Fr.add(e1, e2), e3), e4);
- let ez = Fr.add(Fr.sub(Fr.add(e1z, e2z), e3z), e4z);
+ // Multiply current num value with the previous one saved in numArr
+ num = Fr.mul(numArr.slice(i_sFr, i_sFr + sFr), num);
+ numArr.set(num, ((i + 1) % zkey.domainSize) * sFr);
- T.set(e, i*n8r);
- Tz.set(ez, i*n8r);
+ // Multiply current den value with the previous one saved in denArr
+ den = Fr.mul(denArr.slice(i_sFr, i_sFr + sFr), den);
+ denArr.set(den, ((i + 1) % zkey.domainSize) * sFr);
- w = Fr.mul(w, Fr.w[zkey.power+2]);
- }
+ // Next omega
+ w = Fr.mul(w, Fr.w[zkey.power]);
+ }
+ // Compute the inverse of denArr to compute in the next command the
+ // division numArr/denArr by multiplying num · 1/denArr
+ denArr = await Fr.batchInverse(denArr);
- if (logger) logger.debug("ifft T");
- let t = await Fr.ifft(T);
+ // TODO: Do it in assembly and in parallel
+ // Multiply numArr · denArr where denArr was inverted in the previous command
+ for (let i = 0; i < zkey.domainSize; i++) {
+ const i_sFr = i * sFr;
- if (logger) logger.debug("dividing T/Z");
- for (let i=0; i (zkey.domainSize*3 -4) ) {
- if (!Fr.isZero(a)) {
- throw new Error("T Polynomial is not divisible");
- }
+ if (!Fr.eq(numArr.slice(0, sFr), Fr.one)) {
+ throw new Error("Copy constraints does not match");
}
- }
- if (logger) logger.debug("ifft Tz");
- const tz = await Fr.ifft(Tz);
- for (let i=0; i (zkey.domainSize*3 +5) ) {
- if (!Fr.isZero(a)) {
- throw new Error("Tz Polynomial is not well calculated");
- }
- } else {
- t.set(
- Fr.add(
- t.slice(i*n8r, (i+1)*n8r),
- a
- ),
- i*n8r
- );
+ // Compute polynomial coefficients z(X) from buffers.Z
+ if (logger) logger.info("··· Computing Z ifft");
+ polynomials.Z = await Polynomial.fromEvaluations(buffers.Z, curve, logger);
+
+ // Compute extended evaluations of z(X) polynomial
+ if (logger) logger.info("··· Computing Z fft");
+ evaluations.Z = await Evaluations.fromPolynomial(polynomials.Z, 4, curve, logger);
+
+ // Blind z(X) polynomial coefficients with blinding scalars b
+ polynomials.Z.blindCoefficients([challenges.b[9], challenges.b[8], challenges.b[7]]);
+
+ // Check degree
+ if (polynomials.Z.degree() >= zkey.domainSize + 3) {
+ throw new Error("Z Polynomial is not well calculated");
}
+
+ delete buffers.Z;
}
- pol_t = t.slice(0, (zkey.domainSize * 3 + 6) * n8r);
+ async function computeT1() {
+ if (logger) logger.info("··· Computing T1 evaluations");
- // t(x) has degree 3n + 5, we are going to split t(x) into three smaller polynomials:
- // t'_low and t'_mid with a degree < n and t'_high with a degree n+5
- // such that t(x) = t'_low(X) + X^n t'_mid(X) + X^{2n} t'_hi(X)
- // To randomize the parts we use blinding scalars b_10 and b_11 in a way that doesn't change t(X):
- // t_low(X) = t'_low(X) + b_10 X^n
- // t_mid(X) = t'_mid(X) - b_10 + b_11 X^n
- // t_high(X) = t'_high(X) - b_11
- // such that
- // t(X) = t_low(X) + X^n t_mid(X) + X^2n t_high(X)
+ buffers.T1 = new BigBuffer(sDomain * 2);
+ buffers.T1z = new BigBuffer(sDomain * 2);
- // compute t_low(X)
- let polTLow = new BigBuffer((zkey.domainSize + 1) * n8r);
- polTLow.set(t.slice(0, zkey.domainSize * n8r), 0);
- // Add blinding scalar b_10 as a new coefficient n
- polTLow.set(ch.b[10], zkey.domainSize * n8r);
+ // Set initial omega
+ let omega = Fr.one;
+ for (let i = 0; i < zkey.domainSize * 2; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T1 evaluation ${i}/${zkey.domainSize * 4}`);
- // compute t_mid(X)
- let polTMid = new BigBuffer((zkey.domainSize + 1) * n8r);
- polTMid.set(t.slice(zkey.domainSize * n8r, zkey.domainSize * 2 * n8r), 0);
- // Subtract blinding scalar b_10 to the lowest coefficient of t_mid
- const lowestMid = Fr.sub(polTMid.slice(0, n8r), ch.b[10]);
- polTMid.set(lowestMid, 0);
- // Add blinding scalar b_11 as a new coefficient n
- polTMid.set(ch.b[11], zkey.domainSize * n8r);
+ const omega2 = Fr.square(omega);
- // compute t_high(X)
- let polTHigh = new BigBuffer((zkey.domainSize + 6) * n8r);
- polTHigh.set(t.slice(zkey.domainSize * 2 * n8r, (zkey.domainSize * 3 + 6) * n8r), 0);
- //Subtract blinding scalar b_11 to the lowest coefficient of t_high
- const lowestHigh = Fr.sub(polTHigh.slice(0, n8r), ch.b[11]);
- polTHigh.set(lowestHigh, 0);
+ const z = evaluations.Z.getEvaluation(i * 2);
+ const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
- proof.T1 = await expTau(polTLow, "multiexp T1");
- proof.T2 = await expTau(polTMid, "multiexp T2");
- proof.T3 = await expTau(polTHigh, "multiexp T3");
+ // T1(X) := (z(X) - 1) · L_1(X)
+ // Compute first T1(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
+ const lagrange1 = evaluations.lagrange1.getEvaluation(zkey.domainSize + i * 2);
+ let t1 = Fr.mul(Fr.sub(z, Fr.one), lagrange1);
+ let t1z = Fr.mul(zp, lagrange1);
- function mul2(a,b, ap, bp, p) {
- let r, rz;
+ buffers.T1.set(t1, i * sFr);
+ buffers.T1z.set(t1z, i * sFr);
-
- const a_b = Fr.mul(a,b);
- const a_bp = Fr.mul(a,bp);
- const ap_b = Fr.mul(ap,b);
- const ap_bp = Fr.mul(ap,bp);
+ // Compute next omega
+ omega = Fr.mul(omega, Fr.w[zkey.power + 1]);
+ }
- r = a_b;
+ // Compute the coefficients of the polynomial T1(X) from buffers.T1
+ if (logger) logger.info("··· Computing T1 ifft");
+ polynomials.T1 = await Polynomial.fromEvaluations(buffers.T1, curve, logger);
- let a0 = Fr.add(a_bp, ap_b);
+ // Divide the polynomial T1 by Z_H(X)
+ polynomials.T1.divByZerofier(zkey.domainSize, Fr.one);
- let a1 = ap_bp;
+ // Compute the coefficients of the polynomial T1z(X) from buffers.T1z
+ if (logger) logger.info("··· Computing T1z ifft");
+ polynomials.T1z = await Polynomial.fromEvaluations(buffers.T1z, curve, logger);
- rz = a0;
- if (p) {
- rz = Fr.add(rz, Fr.mul(Z1[p], a1));
+ // Add the polynomial T1z to T1 to get the final polynomial T1
+ polynomials.T1.add(polynomials.T1z);
+
+ // Check degree
+ if (polynomials.T1.degree() >= zkey.domainSize + 2) {
+ throw new Error("T1 Polynomial is not well calculated");
}
- return [r, rz];
+ delete buffers.T1;
+ delete buffers.T1z;
+ delete polynomials.T1z;
}
- function mul4(a,b,c,d, ap, bp, cp, dp, p) {
- let r, rz;
+ async function computeT2() {
+ if (logger) logger.info("··· Computing T2 evaluations");
-
- const a_b = Fr.mul(a,b);
- const a_bp = Fr.mul(a,bp);
- const ap_b = Fr.mul(ap,b);
- const ap_bp = Fr.mul(ap,bp);
+ buffers.T2 = new BigBuffer(sDomain * 4);
+ buffers.T2z = new BigBuffer(sDomain * 4);
- const c_d = Fr.mul(c,d);
- const c_dp = Fr.mul(c,dp);
- const cp_d = Fr.mul(cp,d);
- const cp_dp = Fr.mul(cp,dp);
+ // Set initial omega
+ let omega = Fr.one;
+ for (let i = 0; i < zkey.domainSize * 4; i++) {
+ if (logger && (0 !== i) && (i % 100000 === 0)) logger.info(` T2 evaluation ${i}/${zkey.domainSize * 4}`);
- r = Fr.mul(a_b, c_d);
+ const omega2 = Fr.square(omega);
+ const omegaW = Fr.mul(omega, Fr.w[zkey.power]);
+ const omegaW2 = Fr.square(omegaW);
- let a0 = Fr.mul(ap_b, c_d);
- a0 = Fr.add(a0, Fr.mul(a_bp, c_d));
- a0 = Fr.add(a0, Fr.mul(a_b, cp_d));
- a0 = Fr.add(a0, Fr.mul(a_b, c_dp));
+ const a = evaluations.A.getEvaluation(i);
+ const b = evaluations.B.getEvaluation(i);
+ const c = evaluations.C.getEvaluation(i);
+ const z = evaluations.Z.getEvaluation(i);
+ const zW = evaluations.Z.getEvaluation((zkey.domainSize * 4 + 4 + i) % (zkey.domainSize * 4));
- let a1 = Fr.mul(ap_bp, c_d);
- a1 = Fr.add(a1, Fr.mul(ap_b, cp_d));
- a1 = Fr.add(a1, Fr.mul(ap_b, c_dp));
- a1 = Fr.add(a1, Fr.mul(a_bp, cp_d));
- a1 = Fr.add(a1, Fr.mul(a_bp, c_dp));
- a1 = Fr.add(a1, Fr.mul(a_b, cp_dp));
+ const zp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omega2), Fr.mul(challenges.b[8], omega)), challenges.b[9]);
+ const zWp = Fr.add(Fr.add(Fr.mul(challenges.b[7], omegaW2), Fr.mul(challenges.b[8], omegaW)), challenges.b[9]);
- let a2 = Fr.mul(a_bp, cp_dp);
- a2 = Fr.add(a2, Fr.mul(ap_b, cp_dp));
- a2 = Fr.add(a2, Fr.mul(ap_bp, c_dp));
- a2 = Fr.add(a2, Fr.mul(ap_bp, cp_d));
+ const sigma1 = evaluations.Sigma1.getEvaluation(i);
+ const sigma2 = evaluations.Sigma2.getEvaluation(i);
+ const sigma3 = evaluations.Sigma3.getEvaluation(i);
- let a3 = Fr.mul(ap_bp, cp_dp);
+ // T2(X) := [ (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
+ // -(a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)] · 1/Z_H(X)
+ // Compute first T2(X)·Z_H(X), so divide later the resulting polynomial by Z_H(X)
- rz = a0;
- if (p) {
- rz = Fr.add(rz, Fr.mul(Z1[p], a1));
- rz = Fr.add(rz, Fr.mul(Z2[p], a2));
- rz = Fr.add(rz, Fr.mul(Z3[p], a3));
- }
+ // expression 1 -> (a(X) + beta·X + gamma)(b(X) + beta·k1·X + gamma)(c(X) + beta·k2·X + gamma)z(X)
+ const betaX = Fr.mul(challenges.beta, omega);
- return [r, rz];
- }
- }
+ let e11 = Fr.add(a, betaX);
+ e11 = Fr.add(e11, challenges.gamma);
- async function round4() {
- const pol_qm = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qm, 0 , zkey.domainSize*n8r, sectionsZKey[7][0].p);
+ let e12 = Fr.add(b, Fr.mul(betaX, zkey.k1));
+ e12 = Fr.add(e12, challenges.gamma);
- const pol_ql = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_ql, 0 , zkey.domainSize*n8r, sectionsZKey[8][0].p);
+ let e13 = Fr.add(c, Fr.mul(betaX, zkey.k2));
+ e13 = Fr.add(e13, challenges.gamma);
- const pol_qr = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qr, 0 , zkey.domainSize*n8r, sectionsZKey[9][0].p);
+ let e1 = Fr.mul(Fr.mul(Fr.mul(e11, e12), e13), z);
+ let e1z = Fr.mul(Fr.mul(Fr.mul(e11, e12), e13), zp);
+ // const [e1, e1z] = MulZ.mul4(e11, e12, e13, z, ap, bp, cp, zp, i % 4, Fr);
- const pol_qo = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qo, 0 , zkey.domainSize*n8r, sectionsZKey[10][0].p);
+ // expression 2 -> (a(X) + beta·sigma1(X) + gamma)(b(X) + beta·sigma2(X) + gamma)(c(X) + beta·sigma3(X) + gamma)z(Xω)
+ let e21 = Fr.add(a, Fr.mul(challenges.beta, sigma1));
+ e21 = Fr.add(e21, challenges.gamma);
- const pol_qc = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_qc, 0 , zkey.domainSize*n8r, sectionsZKey[11][0].p);
+ let e22 = Fr.add(b, Fr.mul(challenges.beta, sigma2));
+ e22 = Fr.add(e22, challenges.gamma);
- const pol_s3 = new BigBuffer(zkey.domainSize*n8r);
- await fdZKey.readToBuffer(pol_s3, 0 , zkey.domainSize*n8r, sectionsZKey[12][0].p + 10*zkey.domainSize*n8r);
+ let e23 = Fr.add(c, Fr.mul(challenges.beta, sigma3));
+ e23 = Fr.add(e23, challenges.gamma);
- const transcript4 = new Uint8Array(G1.F.n8*2*3);
- G1.toRprUncompressed(transcript4, 0, proof.T1);
- G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
- G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
- ch.xi = hashToFr(transcript4);
+ let e2 = Fr.mul(Fr.mul(Fr.mul(e21, e22), e23), zW);
+ let e2z = Fr.mul(Fr.mul(Fr.mul(e21, e22), e23), zWp);
+ // const [e2, e2z] = MulZ.mul4(e21, e22, e23, zW, ap, bp, cp, zWp, i % 4, Fr);
- if (logger) logger.debug("xi: " + Fr.toString(ch.xi));
+ let t2 = Fr.sub(e1, e2);
+ let t2z = Fr.sub(e1z, e2z);
- proof.eval_a = evalPol(pol_a, ch.xi);
- proof.eval_b = evalPol(pol_b, ch.xi);
- proof.eval_c = evalPol(pol_c, ch.xi);
- proof.eval_s1 = evalPol(pol_s1, ch.xi);
- proof.eval_s2 = evalPol(pol_s2, ch.xi);
- proof.eval_t = evalPol(pol_t, ch.xi);
- proof.eval_zw = evalPol(pol_z, Fr.mul(ch.xi, Fr.w[zkey.power]));
+ buffers.T2.set(t2, i * sFr);
+ buffers.T2z.set(t2z, i * sFr);
- const coef_ab = Fr.mul(proof.eval_a, proof.eval_b);
-
- let e2a = proof.eval_a;
- const betaxi = Fr.mul(ch.beta, ch.xi);
- e2a = Fr.add( e2a, betaxi);
- e2a = Fr.add( e2a, ch.gamma);
+ // Compute next omega
+ omega = Fr.mul(omega, Fr.w[zkey.power + 2]);
+ }
- let e2b = proof.eval_b;
- e2b = Fr.add( e2b, Fr.mul(betaxi, zkey.k1));
- e2b = Fr.add( e2b, ch.gamma);
+ // Compute the coefficients of the polynomial T2(X) from buffers.T2
+ if (logger) logger.info("··· Computing T2 ifft");
+ polynomials.T2 = await Polynomial.fromEvaluations(buffers.T2, curve, logger);
- let e2c = proof.eval_c;
- e2c = Fr.add( e2c, Fr.mul(betaxi, zkey.k2));
- e2c = Fr.add( e2c, ch.gamma);
+ // Divide the polynomial T2 by Z_H(X)
+ if (logger) logger.info("··· Computing T2 / ZH");
+ polynomials.T2.divByZerofier(zkey.domainSize, Fr.one);
- const e2 = Fr.mul(Fr.mul(Fr.mul(e2a, e2b), e2c), ch.alpha);
+ // Compute the coefficients of the polynomial T2z(X) from buffers.T2z
+ if (logger) logger.info("··· Computing T2z ifft");
+ polynomials.T2z = await Polynomial.fromEvaluations(buffers.T2z, curve, logger);
- let e3a = proof.eval_a;
- e3a = Fr.add( e3a, Fr.mul(ch.beta, proof.eval_s1));
- e3a = Fr.add( e3a, ch.gamma);
+ // Add the polynomial T2z to T2 to get the final polynomial T2
+ polynomials.T2.add(polynomials.T2z);
- let e3b = proof.eval_b;
- e3b = Fr.add( e3b, Fr.mul(ch.beta, proof.eval_s2));
- e3b = Fr.add( e3b, ch.gamma);
+ // Check degree
+ if (polynomials.T2.degree() >= 3 * zkey.domainSize) {
+ throw new Error("T2 Polynomial is not well calculated");
+ }
- let e3 = Fr.mul(e3a, e3b);
- e3 = Fr.mul(e3, ch.beta);
- e3 = Fr.mul(e3, proof.eval_zw);
- e3 = Fr.mul(e3, ch.alpha);
+ delete buffers.T2;
+ delete buffers.T2z;
+ delete polynomials.T2z;
+ }
- ch.xim= ch.xi;
- for (let i=0; i= 9 * zkey.domainSize) {
+ throw new Error("C2 Polynomial is not well calculated");
+ }
+ }
+ }
- pol_r = new BigBuffer((zkey.domainSize+3)*n8r);
+ async function round3() {
+ if (logger) logger.info("> Computing challenge xi");
+ // STEP 3.1 - Compute evaluation challenge xi ∈ S
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.gamma);
+ transcript.addPolCommitment(proof.getPolynomial("C2"));
+
+ // Obtain a xi_seeder from the transcript
+ // To force h1^4 = xi, h2^3 = xi and h_3^2 = xiω
+ // we compute xi = xi_seeder^12, h1 = xi_seeder^3, h2 = xi_seeder^4 and h3 = xi_seeder^6
+ challenges.xiSeed = transcript.getChallenge();
+ const xiSeed2 = Fr.square(challenges.xiSeed);
+
+ // Compute omega8, omega4 and omega3
+ roots.w8 = [];
+ roots.w8[0] = Fr.one;
+ for (let i = 1; i < 8; i++) {
+ roots.w8[i] = Fr.mul(roots.w8[i - 1], zkey.w8);
+ }
+
+ roots.w4 = [];
+ roots.w4[0] = Fr.one;
+ for (let i = 1; i < 4; i++) {
+ roots.w4[i] = Fr.mul(roots.w4[i - 1], zkey.w4);
+ }
+
+ roots.w3 = [];
+ roots.w3[0] = Fr.one;
+ roots.w3[1] = zkey.w3;
+ roots.w3[2] = Fr.square(zkey.w3);
+
+ // Compute h0 = xiSeeder^3
+ roots.S0 = {};
+ roots.S0.h0w8 = [];
+ roots.S0.h0w8[0] = Fr.mul(xiSeed2, challenges.xiSeed);
+ for (let i = 1; i < 8; i++) {
+ roots.S0.h0w8[i] = Fr.mul(roots.S0.h0w8[0], roots.w8[i]);
+ }
+
+ // Compute h1 = xi_seeder^6
+ roots.S1 = {};
+ roots.S1.h1w4 = [];
+ roots.S1.h1w4[0] = Fr.square(roots.S0.h0w8[0]);
+ for (let i = 1; i < 4; i++) {
+ roots.S1.h1w4[i] = Fr.mul(roots.S1.h1w4[0], roots.w4[i]);
+ }
+
+ // Compute h2 = xi_seeder^8
+ roots.S2 = {};
+ roots.S2.h2w3 = [];
+ roots.S2.h2w3[0] = Fr.mul(roots.S1.h1w4[0], xiSeed2);
+ roots.S2.h2w3[1] = Fr.mul(roots.S2.h2w3[0], roots.w3[1]);
+ roots.S2.h2w3[2] = Fr.mul(roots.S2.h2w3[0], roots.w3[2]);
+
+ roots.S2.h3w3 = [];
+ // Multiply h3 by third-root-omega to obtain h_3^3 = xiω
+ // So, h3 = xi_seeder^8 ω^{1/3}
+ roots.S2.h3w3[0] = Fr.mul(roots.S2.h2w3[0], zkey.wr);
+ roots.S2.h3w3[1] = Fr.mul(roots.S2.h3w3[0], roots.w3[1]);
+ roots.S2.h3w3[2] = Fr.mul(roots.S2.h3w3[0], roots.w3[2]);
+
+ // Compute xi = xi_seeder^24
+ challenges.xi = Fr.mul(Fr.square(roots.S2.h2w3[0]), roots.S2.h2w3[0]);
+
+ if (logger) logger.info("··· challenges.xi: " + Fr.toString(challenges.xi));
+
+ // Reserve memory for Q's polynomials
+ polynomials.QL = new Polynomial(new BigBuffer(sDomain), curve, logger);
+ polynomials.QR = new Polynomial(new BigBuffer(sDomain), curve, logger);
+ polynomials.QM = new Polynomial(new BigBuffer(sDomain), curve, logger);
+ polynomials.QO = new Polynomial(new BigBuffer(sDomain), curve, logger);
+ polynomials.QC = new Polynomial(new BigBuffer(sDomain), curve, logger);
+
+ // Read Q's evaluations from zkey file
+ await fdZKey.readToBuffer(polynomials.QL.coef, 0, sDomain, zkeySections[ZKEY_FF_QL_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QR.coef, 0, sDomain, zkeySections[ZKEY_FF_QR_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QM.coef, 0, sDomain, zkeySections[ZKEY_FF_QM_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QO.coef, 0, sDomain, zkeySections[ZKEY_FF_QO_SECTION][0].p);
+ await fdZKey.readToBuffer(polynomials.QC.coef, 0, sDomain, zkeySections[ZKEY_FF_QC_SECTION][0].p);
+
+ // STEP 3.2 - Compute opening evaluations and add them to the proof (third output of the prover)
+ if (logger) logger.info("··· Computing evaluations");
+ proof.addEvaluation("ql", polynomials.QL.evaluate(challenges.xi));
+ proof.addEvaluation("qr", polynomials.QR.evaluate(challenges.xi));
+ proof.addEvaluation("qm", polynomials.QM.evaluate(challenges.xi));
+ proof.addEvaluation("qo", polynomials.QO.evaluate(challenges.xi));
+ proof.addEvaluation("qc", polynomials.QC.evaluate(challenges.xi));
+ proof.addEvaluation("s1", polynomials.Sigma1.evaluate(challenges.xi));
+ proof.addEvaluation("s2", polynomials.Sigma2.evaluate(challenges.xi));
+ proof.addEvaluation("s3", polynomials.Sigma3.evaluate(challenges.xi));
+ proof.addEvaluation("a", polynomials.A.evaluate(challenges.xi));
+ proof.addEvaluation("b", polynomials.B.evaluate(challenges.xi));
+ proof.addEvaluation("c", polynomials.C.evaluate(challenges.xi));
+ proof.addEvaluation("z", polynomials.Z.evaluate(challenges.xi));
+
+ challenges.xiw = Fr.mul(challenges.xi, Fr.w[zkey.power]);
+ proof.addEvaluation("zw", polynomials.Z.evaluate(challenges.xiw));
+ proof.addEvaluation("t1w", polynomials.T1.evaluate(challenges.xiw));
+ proof.addEvaluation("t2w", polynomials.T2.evaluate(challenges.xiw));
+ }
- for (let i = 0; i Computing challenge alpha");
+ // STEP 4.1 - Compute challenge alpha ∈ F
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.xiSeed);
+ transcript.addScalar(proof.getEvaluation("ql"));
+ transcript.addScalar(proof.getEvaluation("qr"));
+ transcript.addScalar(proof.getEvaluation("qm"));
+ transcript.addScalar(proof.getEvaluation("qo"));
+ transcript.addScalar(proof.getEvaluation("qc"));
+ transcript.addScalar(proof.getEvaluation("s1"));
+ transcript.addScalar(proof.getEvaluation("s2"));
+ transcript.addScalar(proof.getEvaluation("s3"));
+ transcript.addScalar(proof.getEvaluation("a"));
+ transcript.addScalar(proof.getEvaluation("b"));
+ transcript.addScalar(proof.getEvaluation("c"));
+ transcript.addScalar(proof.getEvaluation("z"));
+ transcript.addScalar(proof.getEvaluation("zw"));
+ transcript.addScalar(proof.getEvaluation("t1w"));
+ transcript.addScalar(proof.getEvaluation("t2w"));
+ challenges.alpha = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.alpha: " + Fr.toString(challenges.alpha));
+
+ // STEP 4.2 - Compute F(X)
+ if (logger) logger.info("> Reading C0 polynomial");
+ polynomials.C0 = new Polynomial(new BigBuffer(sDomain * 8), curve, logger);
+ await fdZKey.readToBuffer(polynomials.C0.coef, 0, sDomain * 8, zkeySections[ZKEY_FF_C0_SECTION][0].p);
+
+ if (logger) logger.info("> Computing R0 polynomial");
+ computeR0();
+ if (logger) logger.info("> Computing R1 polynomial");
+ computeR1();
+ if (logger) logger.info("> Computing R2 polynomial");
+ computeR2();
+
+ if (logger) logger.info("> Computing F polynomial");
+ await computeF();
+
+ // The fourth output of the prover is ([W1]_1), where W1:=(f/Z_t)(x)
+ if (logger) logger.info("> Computing W1 multi exponentiation");
+ let commitW1 = await polynomials.F.multiExponentiation(PTau, "W1");
+ proof.addPolynomial("W1", commitW1);
+
+ return 0;
+
+ function computeR0() {
+ // COMPUTE R0
+ // Compute the coefficients of R0(X) from 8 evaluations using lagrange interpolation. R0(X) ∈ F_{<8}[X]
+ // We decide to use Lagrange interpolations because the R0 degree is very small (deg(R0)===7),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R0 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
+ roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7]],
+ [polynomials.C0.evaluate(roots.S0.h0w8[0]), polynomials.C0.evaluate(roots.S0.h0w8[1]),
+ polynomials.C0.evaluate(roots.S0.h0w8[2]), polynomials.C0.evaluate(roots.S0.h0w8[3]),
+ polynomials.C0.evaluate(roots.S0.h0w8[4]), polynomials.C0.evaluate(roots.S0.h0w8[5]),
+ polynomials.C0.evaluate(roots.S0.h0w8[6]), polynomials.C0.evaluate(roots.S0.h0w8[7])], curve);
+
+ // Check the degree of r0(X) < 8
+ if (polynomials.R0.degree() > 7) {
+ throw new Error("R0 Polynomial is not well calculated");
}
- pol_r.set(v, i*n8r);
}
- proof.eval_r = evalPol(pol_r, ch.xi);
+ function computeR1() {
+ // COMPUTE R1
+ // Compute the coefficients of R1(X) from 4 evaluations using lagrange interpolation. R1(X) ∈ F_{<4}[X]
+ // We decide to use Lagrange interpolations because the R1 degree is very small (deg(R1)===3),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R1 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
+ [polynomials.C1.evaluate(roots.S1.h1w4[0]), polynomials.C1.evaluate(roots.S1.h1w4[1]),
+ polynomials.C1.evaluate(roots.S1.h1w4[2]), polynomials.C1.evaluate(roots.S1.h1w4[3])], curve);
+
+ // Check the degree of r1(X) < 4
+ if (polynomials.R1.degree() > 3) {
+ throw new Error("R1 Polynomial is not well calculated");
+ }
+ }
+
+ function computeR2() {
+ // COMPUTE R2
+ // Compute the coefficients of r2(X) from 6 evaluations using lagrange interpolation. r2(X) ∈ F_{<6}[X]
+ // We decide to use Lagrange interpolations because the R2.degree is very small (deg(R2)===5),
+ // and we were not able to compute it using current ifft implementation because the omega are different
+ polynomials.R2 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
+ [polynomials.C2.evaluate(roots.S2.h2w3[0]), polynomials.C2.evaluate(roots.S2.h2w3[1]),
+ polynomials.C2.evaluate(roots.S2.h2w3[2]), polynomials.C2.evaluate(roots.S2.h3w3[0]),
+ polynomials.C2.evaluate(roots.S2.h3w3[1]), polynomials.C2.evaluate(roots.S2.h3w3[2])], curve);
+
+ // Check the degree of r2(X) < 6
+ if (polynomials.R2.degree() > 5) {
+ throw new Error("R2 Polynomial is not well calculated");
+ }
+ }
+
+ async function computeF() {
+ if (logger) logger.info("··· Computing F polynomial");
+
+ // COMPUTE F(X)
+ polynomials.F = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
+ polynomials.F.sub(polynomials.R0);
+ polynomials.F.divByZerofier(8, challenges.xi);
+
+ let f2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
+ f2.sub(polynomials.R1);
+ f2.mulScalar(challenges.alpha);
+ f2.divByZerofier(4, challenges.xi);
+
+ let f3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
+ f3.sub(polynomials.R2);
+ f3.mulScalar(Fr.square(challenges.alpha));
+ f3.divByZerofier(3, challenges.xi);
+ f3.divByZerofier(3, challenges.xiw);
+
+ polynomials.F.add(f2);
+ polynomials.F.add(f3);
+
+ if (polynomials.F.degree() >= 9 * zkey.domainSize - 6) {
+ throw new Error("F Polynomial is not well calculated");
+ }
+ }
}
async function round5() {
- const transcript5 = new Uint8Array(n8r*7);
- Fr.toRprBE(transcript5, 0, proof.eval_a);
- Fr.toRprBE(transcript5, n8r, proof.eval_b);
- Fr.toRprBE(transcript5, n8r*2, proof.eval_c);
- Fr.toRprBE(transcript5, n8r*3, proof.eval_s1);
- Fr.toRprBE(transcript5, n8r*4, proof.eval_s2);
- Fr.toRprBE(transcript5, n8r*5, proof.eval_zw);
- Fr.toRprBE(transcript5, n8r*6, proof.eval_r);
- ch.v = [];
- ch.v[1] = hashToFr(transcript5);
- if (logger) logger.debug("v: " + Fr.toString(ch.v[1]));
+ if (logger) logger.info("> Computing challenge y");
- for (let i=2; i<=6; i++ ) ch.v[i] = Fr.mul(ch.v[i-1], ch.v[1]);
-
- let pol_wxi = new BigBuffer((zkey.domainSize+6)*n8r);
+ // STEP 5.1 - Compute random evaluation point y ∈ F
+ const transcript = new Keccak256Transcript(curve);
+ transcript.addScalar(challenges.alpha);
+ transcript.addPolCommitment(proof.getPolynomial("W1"));
- const xi2m = Fr.mul(ch.xim, ch.xim);
+ challenges.y = transcript.getChallenge();
+ if (logger) logger.info("··· challenges.y: " + Fr.toString(challenges.y));
- for (let i = 0; i < zkey.domainSize + 6; i++) {
- let w = Fr.zero;
+ // STEP 5.2 - Compute L(X)
+ if (logger) logger.info("> Computing L polynomial");
+ await computeL();
- const polTHigh = pol_t.slice((zkey.domainSize * 2 + i) * n8r, (zkey.domainSize * 2 + i + 1) * n8r);
- w = Fr.add(w, Fr.mul(xi2m, polTHigh));
+ if (logger) logger.info("> Computing ZTS2 polynomial");
+ await computeZTS2();
- if (i < zkey.domainSize + 3) {
- w = Fr.add(w, Fr.mul(ch.v[1], pol_r.slice(i * n8r, (i + 1) * n8r)));
- }
+ let ZTS2Y = polynomials.ZTS2.evaluate(challenges.y);
+ ZTS2Y = Fr.inv(ZTS2Y);
+ polynomials.L.mulScalar(ZTS2Y);
- if (i < zkey.domainSize + 2) {
- w = Fr.add(w, Fr.mul(ch.v[2], pol_a.slice(i * n8r, (i + 1) * n8r)));
- w = Fr.add(w, Fr.mul(ch.v[3], pol_b.slice(i * n8r, (i + 1) * n8r)));
- w = Fr.add(w, Fr.mul(ch.v[4], pol_c.slice(i * n8r, (i + 1) * n8r)));
- }
+ const polDividend = Polynomial.fromCoefficientsArray([Fr.neg(challenges.y), Fr.one], curve);
+ if (logger) logger.info("> Computing W' = L / ZTS2 polynomial");
+ const polRemainder = polynomials.L.divBy(polDividend);
- if (i < zkey.domainSize) {
- const polTLow = pol_t.slice(i * n8r, (i + 1) * n8r);
- w = Fr.add(w, polTLow);
+ //Check polReminder degree is equal to zero
+ if (polRemainder.degree() > 0) {
+ throw new Error(`Degree of L(X)/(ZTS2(y)(X-y)) remainder is ${polRemainder.degree()} and should be 0`);
+ }
- const polTMid = pol_t.slice((zkey.domainSize + i) * n8r, (zkey.domainSize + i + 1) * n8r);
- w = Fr.add(w, Fr.mul(ch.xim, polTMid));
+ if (polynomials.L.degree() >= 9 * zkey.domainSize - 1) {
+ throw new Error("Degree of L(X)/(ZTS2(y)(X-y)) is not correct");
+ }
- w = Fr.add(w, Fr.mul(ch.v[5], pol_s1.slice(i * n8r, (i + 1) * n8r)));
- w = Fr.add(w, Fr.mul(ch.v[6], pol_s2.slice(i * n8r, (i + 1) * n8r)));
+ // The fifth output of the prover is ([W2]_1), where W2:=(f/Z_t)(x)
+ if (logger) logger.info("> Computing W' multi exponentiation");
+ let commitW2 = await polynomials.L.multiExponentiation(PTau, "W2");
+ proof.addPolynomial("W2", commitW2);
+
+ return 0;
+
+ async function computeL() {
+ if (logger) logger.info("··· Computing L polynomial");
+
+ const evalR0Y = polynomials.R0.evaluate(challenges.y);
+ const evalR1Y = polynomials.R1.evaluate(challenges.y);
+ const evalR2Y = polynomials.R2.evaluate(challenges.y);
+
+ let mulL0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
+ for (let i = 1; i < 8; i++) {
+ mulL0 = Fr.mul(mulL0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
}
- // b_10 and b_11 blinding scalars were applied on round 3 to randomize the polynomials t_low, t_mid, t_high
- // Subtract blinding scalar b_10 and b_11 to the lowest coefficient
- if (i === 0) {
- w = Fr.sub(w, Fr.mul(xi2m, ch.b[11]));
- w = Fr.sub(w, Fr.mul(ch.xim, ch.b[10]));
+ let mulL1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
+ for (let i = 1; i < 4; i++) {
+ mulL1 = Fr.mul(mulL1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
}
- // Add blinding scalars b_10 and b_11 to the coefficient n
- if (i === zkey.domainSize) {
- w = Fr.add(w, ch.b[10]);
- w = Fr.add(w, Fr.mul(ch.xim, ch.b[11]));
+ let mulL2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
+ for (let i = 1; i < 3; i++) {
+ mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
+ }
+ for (let i = 0; i < 3; i++) {
+ mulL2 = Fr.mul(mulL2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
}
- pol_wxi.set(w, i * n8r);
+ let preL0 = Fr.mul(mulL1, mulL2);
+ let preL1 = Fr.mul(challenges.alpha, Fr.mul(mulL0, mulL2));
+ let preL2 = Fr.mul(Fr.square(challenges.alpha), Fr.mul(mulL0, mulL1));
+
+ toInverse["denH1"] = mulL1;
+ toInverse["denH2"] = mulL2;
+
+ // COMPUTE L(X)
+ polynomials.L = Polynomial.fromPolynomial(polynomials.C0, curve, logger);
+ polynomials.L.subScalar(evalR0Y);
+ polynomials.L.mulScalar(preL0);
+
+ let l2 = Polynomial.fromPolynomial(polynomials.C1, curve, logger);
+ l2.subScalar(evalR1Y);
+ l2.mulScalar(preL1);
+
+ let l3 = Polynomial.fromPolynomial(polynomials.C2, curve, logger);
+ l3.subScalar(evalR2Y);
+ l3.mulScalar(preL2);
+
+ polynomials.L.add(l2);
+ polynomials.L.add(l3);
+
+ if (logger) logger.info("> Computing ZT polynomial");
+ await computeZT();
+
+ const evalZTY = polynomials.ZT.evaluate(challenges.y);
+ polynomials.F.mulScalar(evalZTY);
+ polynomials.L.sub(polynomials.F);
+
+ // Check degree
+ if (polynomials.L.degree() >= 9 * zkey.domainSize) {
+ throw new Error("L Polynomial is not well calculated");
+ }
+
+ delete buffers.L;
}
- let w0 = pol_wxi.slice(0, n8r);
- w0 = Fr.sub(w0, proof.eval_t);
- w0 = Fr.sub(w0, Fr.mul(ch.v[1], proof.eval_r));
- w0 = Fr.sub(w0, Fr.mul(ch.v[2], proof.eval_a));
- w0 = Fr.sub(w0, Fr.mul(ch.v[3], proof.eval_b));
- w0 = Fr.sub(w0, Fr.mul(ch.v[4], proof.eval_c));
- w0 = Fr.sub(w0, Fr.mul(ch.v[5], proof.eval_s1));
- w0 = Fr.sub(w0, Fr.mul(ch.v[6], proof.eval_s2));
- pol_wxi.set(w0, 0);
+ async function computeZT() {
+ polynomials.ZT = Polynomial.zerofierPolynomial(
+ [
+ roots.S0.h0w8[0], roots.S0.h0w8[1], roots.S0.h0w8[2], roots.S0.h0w8[3],
+ roots.S0.h0w8[4], roots.S0.h0w8[5], roots.S0.h0w8[6], roots.S0.h0w8[7],
+ roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
+ roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
+ }
+
+ async function computeZTS2() {
+ polynomials.ZTS2 = Polynomial.zerofierPolynomial(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3],
+ roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]], curve);
+ }
+ }
+
+ function getMontgomeryBatchedInverse() {
+ // · denominator needed in step 8 and 9 of the verifier to multiply by 1/Z_H(xi)
+ let xiN = challenges.xi;
+ for (let i = 0; i < zkey.power; i++) {
+ xiN = Fr.square(xiN);
+ }
+ toInverse["zh"] = Fr.sub(xiN, Fr.one);
- pol_wxi= divPol1(pol_wxi, ch.xi);
+ // · denominator needed in step 10 and 11 of the verifier
+ // toInverse.denH1 & toInverse.denH2 -> Computed in round5, computeL()
- proof.Wxi = await expTau(pol_wxi, "multiexp Wxi");
+ // · denominator needed in the verifier when computing L_i^{S0}(X), L_i^{S1}(X) and L_i^{S2}(X)
+ for (let i = 0; i < 8; i++) {
+ toInverse["LiS0_" + (i + 1)] = computeLiS0(i);
+ }
- let pol_wxiw = new BigBuffer((zkey.domainSize+3)*n8r);
- for (let i=0; i=0; i--) {
- res = Fr.add(Fr.mul(res, x), P.slice(i*n8r, (i+1)*n8r));
+ w = Fr.mul(w, zkey.w);
}
- return res;
- }
- function divPol1(P, d) {
- const n = P.byteLength/n8r;
- const res = new BigBuffer(n*n8r);
- res.set(Fr.zero, (n-1) *n8r);
- res.set(P.slice((n-1)*n8r, n*n8r), (n-2)*n8r);
- for (let i=n-3; i>=0; i--) {
- res.set(
- Fr.add(
- P.slice((i+1)*n8r, (i+2)*n8r),
- Fr.mul(
- d,
- res.slice((i+1)*n8r, (i+2)*n8r)
- )
- ),
- i*n8r
- );
- }
- if (!Fr.eq(
- P.slice(0, n8r),
- Fr.mul(
- Fr.neg(d),
- res.slice(0, n8r)
- )
- )) {
- throw new Error("Polinomial does not divide");
+ let mulAccumulator = Fr.one;
+ for (const element of Object.values(toInverse)) {
+ mulAccumulator = Fr.mul(mulAccumulator, element);
}
- return res;
- }
+ return Fr.inv(mulAccumulator);
- async function expTau(b, name) {
- const n = b.byteLength/n8r;
- const PTauN = PTau.slice(0, n*curve.G1.F.n8*2);
- const bm = await curve.Fr.batchFromMontgomery(b);
- let res = await curve.G1.multiExpAffine(PTauN, bm, logger, name);
- res = curve.G1.toAffine(res);
- return res;
- }
+ function computeLiS0(i) {
+ // Compute L_i^{(S0)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 7; j++) {
+ idx = (idx + 1) % 8;
+ den = Fr.mul(den, Fr.sub(roots.S0.h0w8[i], roots.S0.h0w8[idx]));
+ }
+ return den;
+ }
- async function to4T(A, pz) {
- pz = pz || [];
- let a = await Fr.ifft(A);
- const a4 = new BigBuffer(n8r*zkey.domainSize*4);
- a4.set(a, 0);
+ function computeLiS1(i) {
+ // Compute L_i^{(S1)}(y)
+ let idx = i;
+ let den = Fr.one;
+ for (let j = 0; j < 3; j++) {
+ idx = (idx + 1) % 4;
- const a1 = new BigBuffer(n8r*(zkey.domainSize + pz.length));
- a1.set(a, 0);
- for (let i= 0; i.
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
*/
const {unstringifyBigInts: unstringifyBigInts$2} = utils;
- async function plonkFullProve(_input, wasmFile, zkeyFileName, logger) {
+ async function fflonkFullProve(_input, wasmFilename, zkeyFilename, logger) {
const input = unstringifyBigInts$2(_input);
- const wtns= {
- type: "mem"
- };
- await wtnsCalculate(input, wasmFile, wtns);
- return await plonk16Prove(zkeyFileName, wtns, logger);
+ const wtns= {type: "mem"};
+
+ // Compute the witness
+ await wtnsCalculate(input, wasmFilename, wtns);
+
+ // Compute the proof
+ return await fflonkProve(zkeyFilename, wtns, logger);
}
/*
- Copyright 2021 0kims association.
+ Copyright 2022 iden3 association.
This file is part of snarkjs.
@@ -29504,387 +31774,504 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License along with
snarkjs. If not, see .
*/
- const {unstringifyBigInts: unstringifyBigInts$1} = utils;
- const { keccak256 } = jsSha3;
-
- async function plonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
- let vk_verifier = unstringifyBigInts$1(_vk_verifier);
- let proof = unstringifyBigInts$1(_proof);
- let publicSignals = unstringifyBigInts$1(_publicSignals);
+ const { unstringifyBigInts: unstringifyBigInts$1 } = utils;
- const curve = await getCurveFromName(vk_verifier.curve);
+ async function fflonkVerify(_vk_verifier, _publicSignals, _proof, logger) {
+ if (logger) logger.info("FFLONK VERIFIER STARTED");
- const Fr = curve.Fr;
- const G1 = curve.G1;
+ _vk_verifier = unstringifyBigInts$1(_vk_verifier);
+ _proof = unstringifyBigInts$1(_proof);
- proof = fromObjectProof(curve,proof);
- vk_verifier = fromObjectVk(curve, vk_verifier);
- if (!isWellConstructed(curve, proof)) {
- logger.error("Proof is not well constructed");
- return false;
- }
- if (publicSignals.length != vk_verifier.nPublic) {
- logger.error("Invalid number of public inputs");
- return false;
- }
- const challanges = calculateChallanges(curve, proof, publicSignals);
- if (logger) {
- logger.debug("beta: " + Fr.toString(challanges.beta, 16));
- logger.debug("gamma: " + Fr.toString(challanges.gamma, 16));
- logger.debug("alpha: " + Fr.toString(challanges.alpha, 16));
- logger.debug("xi: " + Fr.toString(challanges.xi, 16));
- logger.debug("v1: " + Fr.toString(challanges.v[1], 16));
- logger.debug("v6: " + Fr.toString(challanges.v[6], 16));
- logger.debug("u: " + Fr.toString(challanges.u, 16));
- }
- const L = calculateLagrangeEvaluations(curve, challanges, vk_verifier);
- if (logger) {
- logger.debug("Lagrange Evaluations: ");
- for (let i=1; i Checking commitments belong to G1");
+ if (!commitmentsBelongToG1(curve, proof, vk)) {
+ logger.error("Proof is not well constructed");
+ return false;
+ }
+ // TODO
+ // STEP 2 - Validate that all evaluations ∈ F
- function fromObjectProof(curve, proof) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
- const res = {};
- res.A = G1.fromObject(proof.A);
- res.B = G1.fromObject(proof.B);
- res.C = G1.fromObject(proof.C);
- res.Z = G1.fromObject(proof.Z);
- res.T1 = G1.fromObject(proof.T1);
- res.T2 = G1.fromObject(proof.T2);
- res.T3 = G1.fromObject(proof.T3);
- res.eval_a = Fr.fromObject(proof.eval_a);
- res.eval_b = Fr.fromObject(proof.eval_b);
- res.eval_c = Fr.fromObject(proof.eval_c);
- res.eval_zw = Fr.fromObject(proof.eval_zw);
- res.eval_s1 = Fr.fromObject(proof.eval_s1);
- res.eval_s2 = Fr.fromObject(proof.eval_s2);
- res.eval_r = Fr.fromObject(proof.eval_r);
- res.Wxi = G1.fromObject(proof.Wxi);
- res.Wxiw = G1.fromObject(proof.Wxiw);
- return res;
- }
+ // TODO
+ // STEP 3 - Validate that w_i ∈ F for i ∈ [l]
- function fromObjectVk(curve, vk) {
- const G1 = curve.G1;
- const G2 = curve.G2;
- const Fr = curve.Fr;
- const res = vk;
- res.Qm = G1.fromObject(vk.Qm);
- res.Ql = G1.fromObject(vk.Ql);
- res.Qr = G1.fromObject(vk.Qr);
- res.Qo = G1.fromObject(vk.Qo);
- res.Qc = G1.fromObject(vk.Qc);
- res.S1 = G1.fromObject(vk.S1);
- res.S2 = G1.fromObject(vk.S2);
- res.S3 = G1.fromObject(vk.S3);
- res.k1 = Fr.fromObject(vk.k1);
- res.k2 = Fr.fromObject(vk.k2);
- res.X_2 = G2.fromObject(vk.X_2);
+ // STEP 4 - Compute the challenges: beta, gamma, xi, alpha and y ∈ F
+ // as in prover description, from the common preprocessed inputs, public inputs and elements of π_SNARK
+ if (logger) logger.info("> Computing challenges");
+ const { challenges, roots } = computeChallenges(curve, proof, vk, publicSignals, logger);
- return res;
- }
+ // STEP 5 - Compute the zero polynomial evaluation Z_H(xi) = xi^n - 1
+ if (logger) logger.info("> Computing Zero polynomial evaluation Z_H(xi)");
+ challenges.zh = Fr.sub(challenges.xiN, Fr.one);
+ challenges.invzh = Fr.inv(challenges.zh);
- function isWellConstructed(curve, proof) {
- const G1 = curve.G1;
- if (!G1.isValid(proof.A)) return false;
- if (!G1.isValid(proof.B)) return false;
- if (!G1.isValid(proof.C)) return false;
- if (!G1.isValid(proof.Z)) return false;
- if (!G1.isValid(proof.T1)) return false;
- if (!G1.isValid(proof.T2)) return false;
- if (!G1.isValid(proof.T3)) return false;
- if (!G1.isValid(proof.Wxi)) return false;
- if (!G1.isValid(proof.Wxiw)) return false;
- return true;
- }
+ // STEP 6 - Compute the lagrange polynomial evaluation L_1(xi)
+ if (logger) logger.info("> Computing Lagrange evaluations");
+ const lagrangeEvals = await computeLagrangeEvaluations(curve, challenges, vk);
- function calculateChallanges(curve, proof, publicSignals) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
- const n8r = curve.Fr.n8;
- const res = {};
+ // STEP 7 - Compute public input evaluation PI(xi)
+ if (logger) logger.info("> Computing polynomial identities PI(X)");
+ const pi = calculatePI(curve, publicSignals, lagrangeEvals);
- const transcript1 = new Uint8Array(publicSignals.length*n8r + G1.F.n8*2*3);
- for (let i=0; i Computing r0(y)");
+ const r0 = computeR0(proof, challenges, roots, pi, curve, logger);
- res.beta = hashToFr(curve, transcript1);
+ // STEP 9 - Compute polynomial r1 ∈ F_{<4}[X]
+ if (logger) logger.info("> Computing r1(y)");
+ const r1 = computeR1(proof, challenges, roots, pi, curve, logger);
- const transcript2 = new Uint8Array(n8r);
- Fr.toRprBE(transcript2, 0, res.beta);
- res.gamma = hashToFr(curve, transcript2);
+ // STEP 9 - Compute polynomial r2 ∈ F_{<6}[X]
+ if (logger) logger.info("> Computing r2(y)");
+ const r2 = computeR2(proof, challenges, roots, lagrangeEvals[1], vk, curve, logger);
- const transcript3 = new Uint8Array(G1.F.n8*2);
- G1.toRprUncompressed(transcript3, 0, proof.Z);
- res.alpha = hashToFr(curve, transcript3);
+ if (logger) logger.info("> Computing F");
+ const F = computeF(curve, proof, vk, challenges, roots);
- const transcript4 = new Uint8Array(G1.F.n8*2*3);
- G1.toRprUncompressed(transcript4, 0, proof.T1);
- G1.toRprUncompressed(transcript4, G1.F.n8*2, proof.T2);
- G1.toRprUncompressed(transcript4, G1.F.n8*4, proof.T3);
- res.xi = hashToFr(curve, transcript4);
+ if (logger) logger.info("> Computing E");
+ const E = computeE(curve, proof, challenges, vk, r0, r1, r2);
- const transcript5 = new Uint8Array(n8r*7);
- Fr.toRprBE(transcript5, 0, proof.eval_a);
- Fr.toRprBE(transcript5, n8r, proof.eval_b);
- Fr.toRprBE(transcript5, n8r*2, proof.eval_c);
- Fr.toRprBE(transcript5, n8r*3, proof.eval_s1);
- Fr.toRprBE(transcript5, n8r*4, proof.eval_s2);
- Fr.toRprBE(transcript5, n8r*5, proof.eval_zw);
- Fr.toRprBE(transcript5, n8r*6, proof.eval_r);
- res.v = [];
- res.v[1] = hashToFr(curve, transcript5);
+ if (logger) logger.info("> Computing J");
+ const J = computeJ(curve, proof, challenges);
- for (let i=2; i<=6; i++ ) res.v[i] = Fr.mul(res.v[i-1], res.v[1]);
+ if (logger) logger.info("> Validate all evaluations with a pairing");
+ const res = await isValidPairing(curve, proof, challenges, vk, F, E, J);
- const transcript6 = new Uint8Array(G1.F.n8*2*2);
- G1.toRprUncompressed(transcript6, 0, proof.Wxi);
- G1.toRprUncompressed(transcript6, G1.F.n8*2, proof.Wxiw);
- res.u = hashToFr(curve, transcript6);
+ if (logger) {
+ if (res) {
+ logger.info("PROOF VERIFIED SUCCESSFULLY");
+ } else {
+ logger.warn("Invalid Proof");
+ }
+ }
+
+ if (logger) logger.info("FFLONK VERIFIER FINISHED");
return res;
+
}
- function calculateLagrangeEvaluations(curve, challanges, vk) {
+ function fromObjectVk(curve, vk) {
+ const res = vk;
+ res.k1 = curve.Fr.fromObject(vk.k1);
+ res.k2 = curve.Fr.fromObject(vk.k2);
+ res.w = curve.Fr.fromObject(vk.w);
+ // res.wW = curve.Fr.fromObject(vk.wW);
+ res.w3 = curve.Fr.fromObject(vk.w3);
+ res.w4 = curve.Fr.fromObject(vk.w4);
+ res.w8 = curve.Fr.fromObject(vk.w8);
+ res.wr = curve.Fr.fromObject(vk.wr);
+ res.X_2 = curve.G2.fromObject(vk.X_2);
+ res.C0 = curve.G1.fromObject(vk.C0);
+ return res;
+ }
+
+ function commitmentsBelongToG1(curve, proof, vk) {
+ const G1 = curve.G1;
+ return G1.isValid(proof.polynomials.C1)
+ && G1.isValid(proof.polynomials.C2)
+ && G1.isValid(proof.polynomials.W1)
+ && G1.isValid(proof.polynomials.W2)
+ && G1.isValid(vk.C0);
+ }
+
+ function computeChallenges(curve, proof, vk, publicSignals, logger) {
const Fr = curve.Fr;
- let xin = challanges.xi;
- let domainSize = 1;
- for (let i=0; i 7) {
+ throw new Error("R0 Polynomial is not well calculated");
+ }
- return t;
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r0(y)");
+ return R0.evaluate(challenges.y);
}
- function calculateD(curve, proof, challanges, vk, l1) {
- const G1 = curve.G1;
+ function computeR1(proof, challenges, roots, pi, curve, logger) {
const Fr = curve.Fr;
- let s1 = Fr.mul(Fr.mul(proof.eval_a, proof.eval_b), challanges.v[1]);
- let res = G1.timesFr(vk.Qm, s1);
+ // r1(y) = ∑_1^4 C_1(h_1 ω_4^{i-1}) L_i(y). To this end we need to compute
+ // Z1 = {C1(h_1}, C1(h_1 ω_4), C1(h_1 ω_4^2), C1(h_1 ω_4^3)}
+ // where C_1(h_1 ω_4^{i-1}) = eval.a + h_1 ω_4^i eval.b + (h_1 ω_4^i)^2 eval.c + (h_1 ω_4^i)^3 T0(xi),
+ // where T0(xi) = [ qL·a + qR·b + qM·a·b + qO·c + qC + PI(xi) ] / Z_H(xi)
- let s2 = Fr.mul(proof.eval_a, challanges.v[1]);
- res = G1.add(res, G1.timesFr(vk.Ql, s2));
+ // Compute T0(xi)
+ if (logger) logger.info("··· Computing T0(xi)");
+ let t0 = Fr.mul(proof.evaluations.ql, proof.evaluations.a);
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qr, proof.evaluations.b));
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qm, Fr.mul(proof.evaluations.a, proof.evaluations.b)));
+ t0 = Fr.add(t0, Fr.mul(proof.evaluations.qo, proof.evaluations.c));
+ t0 = Fr.add(t0, proof.evaluations.qc);
+ t0 = Fr.add(t0, pi);
+ t0 = Fr.mul(t0, challenges.invzh);
- let s3 = Fr.mul(proof.eval_b, challanges.v[1]);
- res = G1.add(res, G1.timesFr(vk.Qr, s3));
+ // Compute the 4 C1 values
+ if (logger) logger.info("··· Computing C1(h_1ω_4^i) values");
- let s4 = Fr.mul(proof.eval_c, challanges.v[1]);
- res = G1.add(res, G1.timesFr(vk.Qo, s4));
+ let c1Values = [];
+ for (let i = 0; i < 4; i++) {
+ c1Values[i] = proof.evaluations.a;
+ c1Values[i] = Fr.add(c1Values[i], Fr.mul(roots.S1.h1w4[i], proof.evaluations.b));
+ const h1w4Squared = Fr.square(roots.S1.h1w4[i]);
+ c1Values[i] = Fr.add(c1Values[i], Fr.mul(h1w4Squared, proof.evaluations.c));
+ c1Values[i] = Fr.add(c1Values[i], Fr.mul(Fr.mul(h1w4Squared, roots.S1.h1w4[i]), t0));
+ }
- res = G1.add(res, G1.timesFr(vk.Qc, challanges.v[1]));
+ // Interpolate a polynomial with the points computed previously
+ const R1 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S1.h1w4[0], roots.S1.h1w4[1], roots.S1.h1w4[2], roots.S1.h1w4[3]],
+ c1Values, curve);
- const betaxi = Fr.mul(challanges.beta, challanges.xi);
- let s6a = proof.eval_a;
- s6a = Fr.add(s6a, betaxi);
- s6a = Fr.add(s6a, challanges.gamma);
+ // Check the degree of r1(X) < 4
+ if (R1.degree() > 3) {
+ throw new Error("R1 Polynomial is not well calculated");
+ }
- let s6b = proof.eval_b;
- s6b = Fr.add(s6b, Fr.mul(betaxi, vk.k1));
- s6b = Fr.add(s6b, challanges.gamma);
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r1(y)");
+ return R1.evaluate(challenges.y);
+ }
- let s6c = proof.eval_c;
- s6c = Fr.add(s6c, Fr.mul(betaxi, vk.k2));
- s6c = Fr.add(s6c, challanges.gamma);
+ function computeR2(proof, challenges, roots, lagrange1, vk, curve, logger) {
+ const Fr = curve.Fr;
- let s6 = Fr.mul(Fr.mul(s6a, s6b), s6c);
- s6 = Fr.mul(s6, Fr.mul(challanges.alpha, challanges.v[1]));
+ // r2(y) = ∑_1^3 C_2(h_2 ω_3^{i-1}) L_i(y) + ∑_1^3 C_2(h_3 ω_3^{i-1}) L_{i+3}(y). To this end we need to compute
+ // Z2 = {[C2(h_2}, C2(h_2 ω_3), C2(h_2 ω_3^2)], [C2(h_3}, C2(h_3 ω_3), C2(h_3 ω_3^2)]}
+ // where C_2(h_2 ω_3^{i-1}) = eval.z + h_2 ω_2^i T1(xi) + (h_2 ω_3^i)^2 T2(xi),
+ // where C_2(h_3 ω_3^{i-1}) = eval.z + h_3 ω_2^i T1(xi) + (h_3 ω_3^i)^2 T2(xi),
+ // where T1(xi) = [ L_1(xi)(z-1)] / Z_H(xi)
+ // and T2(xi) = [ (a + beta·xi + gamma)(b + beta·xi·k1 + gamma)(c + beta·xi·k2 + gamma)z
+ // - (a + beta·sigma1 + gamma)(b + beta·sigma2 + gamma)(c + beta·sigma3 + gamma)zω ] / Z_H(xi)
- let s6d = Fr.mul(Fr.mul(l1, Fr.square(challanges.alpha)), challanges.v[1]);
- s6 = Fr.add(s6, s6d);
+ // Compute T1(xi)
+ if (logger) logger.info("··· Computing T1(xi)");
+ let t1 = Fr.sub(proof.evaluations.z, Fr.one);
+ t1 = Fr.mul(t1, lagrange1);
+ t1 = Fr.mul(t1, challenges.invzh);
- s6 = Fr.add(s6, challanges.u);
- res = G1.add(res, G1.timesFr(proof.Z, s6));
+ // Compute T2(xi)
+ if (logger) logger.info("··· Computing T2(xi)");
+ const betaxi = Fr.mul(challenges.beta, challenges.xi);
+ const t211 = Fr.add(proof.evaluations.a, Fr.add(betaxi, challenges.gamma));
+ const t212 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(betaxi, vk.k1), challenges.gamma));
+ const t213 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(betaxi, vk.k2), challenges.gamma));
+ const t21 = Fr.mul(t211, Fr.mul(t212, Fr.mul(t213, proof.evaluations.z)));
+ const t221 = Fr.add(proof.evaluations.a, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s1), challenges.gamma));
+ const t222 = Fr.add(proof.evaluations.b, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s2), challenges.gamma));
+ const t223 = Fr.add(proof.evaluations.c, Fr.add(Fr.mul(challenges.beta, proof.evaluations.s3), challenges.gamma));
+ const t22 = Fr.mul(t221, Fr.mul(t222, Fr.mul(t223, proof.evaluations.zw)));
- let s7a = proof.eval_a;
- s7a = Fr.add(s7a, Fr.mul(challanges.beta, proof.eval_s1));
- s7a = Fr.add(s7a, challanges.gamma);
+ let t2 = Fr.sub(t21, t22);
+ t2 = Fr.mul(t2, challenges.invzh);
- let s7b = proof.eval_b;
- s7b = Fr.add(s7b, Fr.mul(challanges.beta, proof.eval_s2));
- s7b = Fr.add(s7b, challanges.gamma);
+ // Compute the 6 C2 values
+ if (logger) logger.info("··· Computing C2(h_2ω_3^i) values");
+ let c2Values = [];
+ for (let i = 0; i < 3; i++) {
+ c2Values[i] = Fr.add(proof.evaluations.z, Fr.mul(roots.S2.h2w3[i], t1));
+ c2Values[i] = Fr.add(c2Values[i], Fr.mul(Fr.square(roots.S2.h2w3[i]), t2));
+ }
- let s7 = Fr.mul(s7a, s7b);
- s7 = Fr.mul(s7, challanges.alpha);
- s7 = Fr.mul(s7, challanges.v[1]);
- s7 = Fr.mul(s7, challanges.beta);
- s7 = Fr.mul(s7, proof.eval_zw);
- res = G1.sub(res, G1.timesFr(vk.S3, s7));
+ if (logger) logger.info("··· Computing C2(h_3ω_3^i) values");
+ for (let i = 0; i < 3; i++) {
+ c2Values[i + 3] = Fr.add(proof.evaluations.zw, Fr.mul(roots.S2.h3w3[i], proof.evaluations.t1w));
+ c2Values[i + 3] = Fr.add(c2Values[i + 3], Fr.mul(Fr.square(roots.S2.h3w3[i]), proof.evaluations.t2w));
+ }
- return res;
+ // Interpolate a polynomial with the points computed previously
+ if (logger) logger.info("··· Computing r2(xi)");
+ const R2 = Polynomial.lagrangePolynomialInterpolation(
+ [roots.S2.h2w3[0], roots.S2.h2w3[1], roots.S2.h2w3[2],
+ roots.S2.h3w3[0], roots.S2.h3w3[1], roots.S2.h3w3[2]],
+ c2Values, curve);
+
+ // Check the degree of r2(X) < 6
+ if (R2.degree() > 5) {
+ throw new Error("R2 Polynomial is not well calculated");
+ }
+
+ // Evaluate the polynomial in challenges.y
+ if (logger) logger.info("··· Computing evaluation r2(y)");
+ return R2.evaluate(challenges.y);
}
- function calculateF(curve, proof, challanges, vk, D) {
+ function computeF(curve, proof, vk, challenges, roots) {
const G1 = curve.G1;
const Fr = curve.Fr;
- let res = proof.T1;
+ let mulH0 = Fr.sub(challenges.y, roots.S0.h0w8[0]);
+ for (let i = 1; i < 8; i++) {
+ mulH0 = Fr.mul(mulH0, Fr.sub(challenges.y, roots.S0.h0w8[i]));
+ }
- res = G1.add(res, G1.timesFr(proof.T2, challanges.xin));
- res = G1.add(res, G1.timesFr(proof.T3, Fr.square(challanges.xin)));
- res = G1.add(res, D);
- res = G1.add(res, G1.timesFr(proof.A, challanges.v[2]));
- res = G1.add(res, G1.timesFr(proof.B, challanges.v[3]));
- res = G1.add(res, G1.timesFr(proof.C, challanges.v[4]));
- res = G1.add(res, G1.timesFr(vk.S1, challanges.v[5]));
- res = G1.add(res, G1.timesFr(vk.S2, challanges.v[6]));
+ challenges.temp = mulH0;
- return res;
- }
+ let mulH1 = Fr.sub(challenges.y, roots.S1.h1w4[0]);
+ for (let i = 1; i < 4; i++) {
+ mulH1 = Fr.mul(mulH1, Fr.sub(challenges.y, roots.S1.h1w4[i]));
+ }
+ let mulH2 = Fr.sub(challenges.y, roots.S2.h2w3[0]);
+ for (let i = 1; i < 3; i++) {
+ mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h2w3[i]));
+ }
+ for (let i = 0; i < 3; i++) {
+ mulH2 = Fr.mul(mulH2, Fr.sub(challenges.y, roots.S2.h3w3[i]));
+ }
- function calculateE(curve, proof, challanges, vk, t) {
- const G1 = curve.G1;
- const Fr = curve.Fr;
+ challenges.quotient1 = Fr.mul(challenges.alpha, Fr.div(mulH0, mulH1));
+ challenges.quotient2 = Fr.mul(Fr.square(challenges.alpha), Fr.div(mulH0, mulH2));
- let s = t;
+ let F2 = G1.timesFr(proof.polynomials.C1, challenges.quotient1);
+ let F3 = G1.timesFr(proof.polynomials.C2, challenges.quotient2);
- s = Fr.add(s, Fr.mul(challanges.v[1], proof.eval_r));
- s = Fr.add(s, Fr.mul(challanges.v[2], proof.eval_a));
- s = Fr.add(s, Fr.mul(challanges.v[3], proof.eval_b));
- s = Fr.add(s, Fr.mul(challanges.v[4], proof.eval_c));
- s = Fr.add(s, Fr.mul(challanges.v[5], proof.eval_s1));
- s = Fr.add(s, Fr.mul(challanges.v[6], proof.eval_s2));
- s = Fr.add(s, Fr.mul(challanges.u, proof.eval_zw));
+ return G1.add(vk.C0, G1.add(F2, F3));
+ }
- const res = G1.timesFr(G1.one, s);
+ function computeE(curve, proof, challenges, vk, r0, r1, r2) {
+ const G1 = curve.G1;
+ const Fr = curve.Fr;
- return res;
+ let E2 = Fr.mul(r1, challenges.quotient1);
+ let E3 = Fr.mul(r2, challenges.quotient2);
+
+ return G1.timesFr(G1.one, Fr.add(r0, Fr.add(E2, E3)));
}
- async function isValidPairing(curve, proof, challanges, vk, E, F) {
+ function computeJ(curve, proof, challenges) {
const G1 = curve.G1;
- const Fr = curve.Fr;
- let A1 = proof.Wxi;
- A1 = G1.add(A1, G1.timesFr(proof.Wxiw, challanges.u));
+ return G1.timesFr(proof.polynomials.W1, challenges.temp);
+ }
- let B1 = G1.timesFr(proof.Wxi, challanges.xi);
- const s = Fr.mul(Fr.mul(challanges.u, challanges.xi), Fr.w[vk.power]);
- B1 = G1.add(B1, G1.timesFr(proof.Wxiw, s));
- B1 = G1.add(B1, F);
- B1 = G1.sub(B1, E);
+ async function isValidPairing(curve, proof, challenges, vk, F, E, J) {
+ const G1 = curve.G1;
- const res = await curve.pairingEq(
- G1.neg(A1) , vk.X_2,
- B1 , curve.G2.one
- );
+ let A1 = G1.timesFr(proof.polynomials.W2, challenges.y);
+ A1 = G1.add(G1.sub(G1.sub(F, E), J), A1);
+ const A2 = curve.G2.one;
- return res;
+ const B1 = proof.polynomials.W2;
+ const B2 = vk.X_2;
+ return await curve.pairingEq(G1.neg(A1), A2, B1, B2);
}
/*
@@ -29905,7 +32292,8 @@ var snarkjs = (function (exports) {
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see .
*/
- const { unstringifyBigInts} = utils;
+
+ const {unstringifyBigInts} = utils;
function i2hex(i) {
return ("0" + i.toString(16)).slice(-2);
@@ -29913,12 +32301,12 @@ var snarkjs = (function (exports) {
function p256(n) {
let nstr = n.toString(16);
- while (nstr.length < 64) nstr = "0"+nstr;
+ while (nstr.length < 64) nstr = "0" + nstr;
nstr = `"0x${nstr}"`;
return nstr;
}
- async function plonkExportSolidityCallData(_proof, _pub) {
+ async function fflonkExportCallData(_pub, _proof, logger) {
const proof = unstringifyBigInts(_proof);
const pub = unstringifyBigInts(_pub);
@@ -29927,70 +32315,74 @@ var snarkjs = (function (exports) {
const Fr = curve.Fr;
let inputs = "";
- for (let i=0; i.
+ You should have received a copy of the GNU General Public License along with
+ snarkjs. If not, see .
*/
- var plonk = /*#__PURE__*/Object.freeze({
+ var fflonk = /*#__PURE__*/Object.freeze({
__proto__: null,
- setup: plonkSetup,
- fullProve: plonkFullProve,
- prove: plonk16Prove,
- verify: plonkVerify,
- exportSolidityCallData: plonkExportSolidityCallData
+ setup: fflonkSetup,
+ prove: fflonkProve,
+ fullProve: fflonkFullProve,
+ verify: fflonkVerify,
+ exportSolidityVerifier: fflonkExportSolidityVerifier,
+ exportSolidityCallData: fflonkExportCallData
});
+ exports.fflonk = fflonk;
exports.groth16 = groth16;
exports.plonk = plonk;
exports.powersOfTau = powersoftau;
exports.r1cs = r1cs;
exports.wtns = wtns;
- exports.wtnsCmds = wtns_cmds;
exports.zKey = zkey;
Object.defineProperty(exports, '__esModule', { value: true });
@@ -29998,4 +32390,4 @@ var snarkjs = (function (exports) {
return exports;
})({});
-//# sourceMappingURL=data:application/json;charset=utf-8;base64,
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,
diff --git a/build/snarkjs.min.js b/build/snarkjs.min.js
index fddeda30..c9fdb9ca 100644
--- a/build/snarkjs.min.js
+++ b/build/snarkjs.min.js
@@ -1,4 +1,4 @@
-var snarkjs=function(t){"use strict";const e=[0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4];function a(t,e){return e&&10!=e?16==e?"0x"==t.slice(0,2)?BigInt(t):BigInt("0x"+t):void 0:BigInt(t)}const i=a;function o(t){const a=t.toString(16);return 4*(a.length-1)+e[parseInt(a[0],16)]}function n(t){return BigInt(t)>BigInt(e)}const s=c,d=l;function u(t){return(BigInt(t)&BigInt(1))==BigInt(1)}function g(t){let e=BigInt(t);const a=[];for(;e;)e&BigInt(1)?a.push(1):a.push(0),e>>=BigInt(1);return a}function f(t){if(t>BigInt(Number.MAX_SAFE_INTEGER))throw new Error("Number too big");return Number(t)}function _(t,e){return BigInt(t)+BigInt(e)}function p(t,e){return BigInt(t)-BigInt(e)}function h(t){return-BigInt(t)}function m(t,e){return BigInt(t)*BigInt(e)}function L(t,e){return BigInt(t)**BigInt(e)}function w(t,e){return BigInt(t)/BigInt(e)}function b(t,e){return BigInt(t)%BigInt(e)}function A(t,e){return BigInt(t)==BigInt(e)}function y(t,e){return BigInt(t)>BigInt(e)}function I(t,e){return BigInt(t)>=BigInt(e)}function C(t,e){return BigInt(t)&BigInt(e)}function F(t,e,a,i){const o="0000000"+a.toString(16),n=new Uint32Array(t.buffer,e,i/4),r=1+(4*(o.length-7)-1>>5);for(let t=0;t>5);for(let t=0;tn[n.length-e-1]=t.toString(16).padStart(8,"0"))),a(n.join(""),16)}function B(t,e,i){i=i||t.byteLength,e=e||0;const o=new DataView(t.buffer,t.byteOffset+e,i),n=new Array(i/4);for(let t=0;t>=BigInt(1)}return a},bits:g,toNumber:f,toArray:function(t,e){const a=[];let i=BigInt(t);for(e=BigInt(e);i;)a.unshift(Number(i%e)),i/=e;return a},add:_,sub:p,neg:h,mul:m,square:function(t){return BigInt(t)*BigInt(t)},pow:L,exp:function(t,e){return BigInt(t)**BigInt(e)},abs:function(t){return BigInt(t)>=0?BigInt(t):-BigInt(t)},div:w,mod:b,eq:A,neq:function(t,e){return BigInt(t)!=BigInt(e)},lt:function(t,e){return BigInt(t)=0;a--)o=t.square(o),i[a]&&(o=t.mul(o,e));return o}function z(t){if(t.m%2==1)if(A(b(t.p,4),1))if(A(b(t.p,8),1))if(A(b(t.p,16),1))!function(t){t.sqrt_q=L(t.p,t.m),t.sqrt_s=0,t.sqrt_t=p(t.sqrt_q,1);for(;!u(t.sqrt_t);)t.sqrt_s=t.sqrt_s+1,t.sqrt_t=w(t.sqrt_t,2);let e=t.one;for(;t.eq(e,t.one);){const a=t.random();t.sqrt_z=t.pow(a,t.sqrt_t),e=t.pow(t.sqrt_z,2**(t.sqrt_s-1))}t.sqrt_tm1d2=w(p(t.sqrt_t,1),2),t.sqrt=function(t){const e=this;if(e.isZero(t))return e.zero;let a=e.pow(t,e.sqrt_tm1d2);const i=e.pow(e.mul(e.square(a),t),2**(e.sqrt_s-1));if(e.eq(i,e.negone))return null;let o=e.sqrt_s,n=e.mul(t,a),r=e.mul(n,a),c=e.sqrt_z;for(;!e.eq(r,e.one);){let t=e.square(r),i=1;for(;!e.eq(t,e.one);)t=e.square(t),i++;a=c;for(let t=0;t>>0,t[o]=(t[o]^t[e])>>>0,t[o]=(t[o]<<16|t[o]>>>16&65535)>>>0,t[i]=t[i]+t[o]>>>0,t[a]=(t[a]^t[i])>>>0,t[a]=(t[a]<<12|t[a]>>>20&4095)>>>0,t[e]=t[e]+t[a]>>>0,t[o]=(t[o]^t[e])>>>0,t[o]=(t[o]<<8|t[o]>>>24&255)>>>0,t[i]=t[i]+t[o]>>>0,t[a]=(t[a]^t[i])>>>0,t[a]=(t[a]<<7|t[a]>>>25&127)>>>0}class q{constructor(t){t=t||[0,0,0,0,0,0,0,0],this.state=[1634760805,857760878,2036477234,1797285236,t[0],t[1],t[2],t[3],t[4],t[5],t[6],t[7],0,0,0,0],this.idx=16,this.buff=new Array(16)}nextU32(){return 16==this.idx&&this.update(),this.buff[this.idx++]}nextU64(){return _(m(this.nextU32(),4294967296),this.nextU32())}nextBool(){return 1==(1&this.nextU32())}update(){for(let t=0;t<16;t++)this.buff[t]=this.state[t];for(let e=0;e<10;e++)Q(t=this.buff,0,4,8,12),Q(t,1,5,9,13),Q(t,2,6,10,14),Q(t,3,7,11,15),Q(t,0,5,10,15),Q(t,1,6,11,12),Q(t,2,7,8,13),Q(t,3,4,9,14);var t;for(let t=0;t<16;t++)this.buff[t]=this.buff[t]+this.state[t]>>>0;this.idx=0,this.state[12]=this.state[12]+1>>>0,0==this.state[12]&&(this.state[13]=this.state[13]+1>>>0,0==this.state[13]&&(this.state[14]=this.state[14]+1>>>0,0==this.state[14]&&(this.state[15]=this.state[15]+1>>>0)))}}var M={};function T(t){let e=new Uint8Array(t);if(void 0!==globalThis.crypto)globalThis.crypto.getRandomValues(e);else for(let a=0;a>>0;return e}let k=null;function R(){return k||(k=new q(function(){const t=T(32),e=new Uint32Array(t.buffer),a=[];for(let t=0;t<8;t++)a.push(e[t]);return a}()),k)}class D{constructor(t,e,a){this.F=e,this.G=t,this.opMulGF=a;let i=e.sqrt_t||e.t,o=e.sqrt_s||e.s,n=e.one;for(;e.eq(e.pow(n,e.half),e.one);)n=e.add(n,e.one);this.w=new Array(o+1),this.wi=new Array(o+1),this.w[o]=this.F.pow(n,i),this.wi[o]=this.F.inv(this.w[o]);let r=o-1;for(;r>=0;)this.w[r]=this.F.square(this.w[r+1]),this.wi[r]=this.F.square(this.wi[r+1]),r--;this.roots=[],this._setRoots(Math.min(o,15))}_setRoots(t){for(let e=t;e>=0&&!this.roots[e];e--){let t=this.F.one;const a=1<>1,c=j(t,e,a-1,i,2*o),l=j(t,e,a-1,i+o,2*o),s=new Array(n);for(let e=0;e>this.one,this.bitLength=o(this.p),this.mask=(this.one<>this.one;this.nqr=this.two;let a=this.pow(this.nqr,e);for(;!this.eq(a,this.negone);)this.nqr=this.nqr+this.one,a=this.pow(this.nqr,e);for(this.s=0,this.t=this.negone;(this.t&this.one)==this.zero;)this.s=this.s+1,this.t=this.t>>this.one;this.nqr_to_t=this.pow(this.nqr,this.t),z(this),this.FFT=new D(this,this,this.mul.bind(this)),this.fft=this.FFT.fft.bind(this.FFT),this.ifft=this.FFT.ifft.bind(this.FFT),this.w=this.FFT.w,this.wi=this.FFT.wi,this.shift=this.square(this.nqr),this.k=this.exp(this.nqr,2**this.s)}e(t,e){let a;if(e?16==e&&(a=BigInt("0x"+t)):a=BigInt(t),a<0){let t=-a;return t>=this.p&&(t%=this.p),this.p-t}return a>=this.p?a%this.p:a}add(t,e){const a=t+e;return a>=this.p?a-this.p:a}sub(t,e){return t>=e?t-e:this.p-e+t}neg(t){return t?this.p-t:t}mul(t,e){return t*e%this.p}mulScalar(t,e){return t*this.e(e)%this.p}square(t){return t*t%this.p}eq(t,e){return t==e}neq(t,e){return t!=e}lt(t,e){return(t>this.half?t-this.p:t)<(e>this.half?e-this.p:e)}gt(t,e){return(t>this.half?t-this.p:t)>(e>this.half?e-this.p:e)}leq(t,e){return(t>this.half?t-this.p:t)<=(e>this.half?e-this.p:e)}geq(t,e){return(t>this.half?t-this.p:t)>=(e>this.half?e-this.p:e)}div(t,e){return this.mul(t,this.inv(e))}idiv(t,e){if(!e)throw new Error("Division by zero");return t/e}inv(t){if(!t)throw new Error("Division by zero");let e=this.zero,a=this.p,i=this.one,o=t%this.p;for(;o;){let t=a/o;[e,i]=[i,e-t*i],[a,o]=[o,a-t*o]}return e=this.p?a-this.p:a}bor(t,e){const a=(t|e)&this.mask;return a>=this.p?a-this.p:a}bxor(t,e){const a=(t^e)&this.mask;return a>=this.p?a-this.p:a}bnot(t){const e=t^this.mask;return e>=this.p?e-this.p:e}shl(t,e){if(Number(e)=this.p?a-this.p:a}{const a=this.p-e;return Number(a)>a:this.zero}}shr(t,e){if(Number(e)>e;{const a=this.p-e;if(Number(a)=this.p?e-this.p:e}return 0}}land(t,e){return t&&e?this.one:this.zero}lor(t,e){return t||e?this.one:this.zero}lnot(t){return t?this.zero:this.one}sqrt_old(t){if(t==this.zero)return this.zero;if(this.pow(t,this.negone>>this.one)!=this.one)return null;let e=this.s,a=this.nqr_to_t,i=this.pow(t,this.t),o=this.pow(t,this.add(this.t,this.one)>>this.one);for(;i!=this.one;){let t=this.square(i),n=1;for(;t!=this.one;)n++,t=this.square(t);let r=a;for(let t=0;tthis.p>>this.one&&(o=this.neg(o)),o}normalize(t,e){if((t=BigInt(t,e))<0){let e=-t;return e>=this.p&&(e%=this.p),this.p-e}return t>=this.p?t%this.p:t}random(){const t=2*this.bitLength/8;let e=this.zero;for(let a=0;athis.half&&10==e){a="-"+(this.p-t).toString(e)}else a=t.toString(e);return a}isZero(t){return t==this.zero}fromRng(t){let e;do{e=this.zero;for(let a=0;a=this.p);return e=e*this.Ri%this.p,e}fft(t){return this.FFT.fft(t)}ifft(t){return this.FFT.ifft(t)}toRprLE(t,e,a){F(t,e,a,8*this.n64)}toRprBE(t,e,a){x(t,e,a,8*this.n64)}toRprBEM(t,e,a){return this.toRprBE(t,e,this.mul(this.R,a))}toRprLEM(t,e,a){return this.toRprLE(t,e,this.mul(this.R,a))}fromRprLE(t,e){return E(t,e,this.n8)}fromRprBE(t,e){return B(t,e,this.n8)}fromRprLEM(t,e){return this.mul(this.fromRprLE(t,e),this.Ri)}fromRprBEM(t,e){return this.mul(this.fromRprBE(t,e),this.Ri)}toObject(t){return t}}var K="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function H(t){var e=t.default;if("function"==typeof e){var a=function(){return e.apply(this,arguments)};a.prototype=e.prototype}else a={};return Object.defineProperty(a,"__esModule",{value:!0}),Object.keys(t).forEach((function(e){var i=Object.getOwnPropertyDescriptor(t,e);Object.defineProperty(a,e,i.get?i:{enumerable:!0,get:function(){return t[e]}})})),a}var $={bigInt2BytesLE:function(t,e){const a=Array(e);let i=BigInt(t);for(let t=0;t>=8n;return a},bigInt2U32LE:function(t,e){const a=Array(e);let i=BigInt(t);for(let t=0;t>=32n;return a},isOcamNum:function(t){return!!Array.isArray(t)&&(3==t.length&&("number"==typeof t[0]&&("number"==typeof t[1]&&!!Array.isArray(t[2]))))}},Y=function(t,e,a,i,o,n,r){const c=t.addFunction(e);c.addParam("base","i32"),c.addParam("scalar","i32"),c.addParam("scalarLength","i32"),c.addParam("r","i32"),c.addLocal("i","i32"),c.addLocal("b","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(a));c.addCode(l.if(l.i32_eqz(l.getLocal("scalarLength")),[...l.call(r,l.getLocal("r")),...l.ret([])])),c.addCode(l.call(n,l.getLocal("base"),s)),c.addCode(l.call(r,l.getLocal("r"))),c.addCode(l.setLocal("i",l.getLocal("scalarLength"))),c.addCode(l.block(l.loop(l.setLocal("i",l.i32_sub(l.getLocal("i"),l.i32_const(1))),l.setLocal("b",l.i32_load8_u(l.i32_add(l.getLocal("scalar"),l.getLocal("i")))),...function(){const t=[];for(let e=0;e<8;e++)t.push(...l.call(o,l.getLocal("r"),l.getLocal("r")),...l.if(l.i32_ge_u(l.getLocal("b"),l.i32_const(128>>e)),[...l.setLocal("b",l.i32_sub(l.getLocal("b"),l.i32_const(128>>e))),...l.call(i,l.getLocal("r"),s,l.getLocal("r"))]));return t}(),l.br_if(1,l.i32_eqz(l.getLocal("i"))),l.br(0))))},W=function(t,e){const a=8*t.modules[e].n64,i=t.addFunction(e+"_batchInverse");i.addParam("pIn","i32"),i.addParam("inStep","i32"),i.addParam("n","i32"),i.addParam("pOut","i32"),i.addParam("outStep","i32"),i.addLocal("itAux","i32"),i.addLocal("itIn","i32"),i.addLocal("itOut","i32"),i.addLocal("i","i32");const o=i.getCodeBuilder(),n=o.i32_const(t.alloc(a));i.addCode(o.setLocal("itAux",o.i32_load(o.i32_const(0))),o.i32_store(o.i32_const(0),o.i32_add(o.getLocal("itAux"),o.i32_mul(o.i32_add(o.getLocal("n"),o.i32_const(1)),o.i32_const(a))))),i.addCode(o.call(e+"_one",o.getLocal("itAux")),o.setLocal("itIn",o.getLocal("pIn")),o.setLocal("itAux",o.i32_add(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("i",o.i32_const(0)),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("i"),o.getLocal("n"))),o.if(o.call(e+"_isZero",o.getLocal("itIn")),o.call(e+"_copy",o.i32_sub(o.getLocal("itAux"),o.i32_const(a)),o.getLocal("itAux")),o.call(e+"_mul",o.getLocal("itIn"),o.i32_sub(o.getLocal("itAux"),o.i32_const(a)),o.getLocal("itAux"))),o.setLocal("itIn",o.i32_add(o.getLocal("itIn"),o.getLocal("inStep"))),o.setLocal("itAux",o.i32_add(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("i",o.i32_add(o.getLocal("i"),o.i32_const(1))),o.br(0))),o.setLocal("itIn",o.i32_sub(o.getLocal("itIn"),o.getLocal("inStep"))),o.setLocal("itAux",o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("itOut",o.i32_add(o.getLocal("pOut"),o.i32_mul(o.i32_sub(o.getLocal("n"),o.i32_const(1)),o.getLocal("outStep")))),o.call(e+"_inverse",o.getLocal("itAux"),o.getLocal("itAux")),o.block(o.loop(o.br_if(1,o.i32_eqz(o.getLocal("i"))),o.if(o.call(e+"_isZero",o.getLocal("itIn")),[...o.call(e+"_copy",o.getLocal("itAux"),o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),...o.call(e+"_zero",o.getLocal("itOut"))],[...o.call(e+"_copy",o.i32_sub(o.getLocal("itAux"),o.i32_const(a)),n),...o.call(e+"_mul",o.getLocal("itAux"),o.getLocal("itIn"),o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),...o.call(e+"_mul",o.getLocal("itAux"),n,o.getLocal("itOut"))]),o.setLocal("itIn",o.i32_sub(o.getLocal("itIn"),o.getLocal("inStep"))),o.setLocal("itOut",o.i32_sub(o.getLocal("itOut"),o.getLocal("outStep"))),o.setLocal("itAux",o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("i",o.i32_sub(o.getLocal("i"),o.i32_const(1))),o.br(0)))),i.addCode(o.i32_store(o.i32_const(0),o.getLocal("itAux")))};var Z=function(t,e,a,i,o,n){void 0===n&&(n=ie?1:-1}function et(t){return t*t}function at(t){return t%2n!==0n}function it(t){return t%2n===0n}function ot(t){return t<0n}function nt(t){return t>0n}function rt(t){return ot(t)?t.toString(2).length-1:t.toString(2).length}function ct(t){return t<0n?-t:t}function lt(t){return 1n===ct(t)}function st(t,e){for(var a,i,o,n=0n,r=1n,c=e,l=ct(t);0n!==l;)a=c/l,i=n,o=c,n=r,c=l,r=i-a*r,l=o-a*l;if(!lt(c))throw new Error(t.toString()+" and "+e.toString()+" are not co-prime");return-1===tt(n,0n)&&(n+=e),ot(t)?-n:n}function dt(t,e,a){if(0n===a)throw new Error("Cannot take modPow with modulus 0");var i=1n,o=t%a;for(ot(e)&&(e*=-1n,o=st(o,a));nt(e);){if(0n===o)return 0n;at(e)&&(i=i*o%a),e/=2n,o=et(o)%a}return i}function ut(t,e){return 0n!==e&&(!!lt(e)||(0===function(t,e){return(t=t>=0n?t:-t)===(e=e>=0n?e:-e)?0:t>e?1:-1}(e,2n)?it(t):t%e===0n))}function gt(t,e){for(var a,i,o,n=function(t){return t-1n}(t),r=n,c=0;it(r);)r/=2n,c++;t:for(i=0;i>1&&i>1,t>>1)))),e.addCode(a.setLocal(l,a.i64_add(a.getLocal(l),a.i64_shr_u(a.getLocal(c),a.i64_const(32)))))),t>0&&(e.addCode(a.setLocal(c,a.i64_add(a.i64_and(a.getLocal(c),a.i64_const(4294967295)),a.i64_and(a.getLocal(s),a.i64_const(4294967295))))),e.addCode(a.setLocal(l,a.i64_add(a.i64_add(a.getLocal(l),a.i64_shr_u(a.getLocal(c),a.i64_const(32))),a.getLocal(d))))),e.addCode(a.i64_store32(a.getLocal("r"),4*t,a.getLocal(c))),e.addCode(a.setLocal(s,a.getLocal(l)),a.setLocal(d,a.i64_shr_u(a.getLocal(s),a.i64_const(32))))}e.addCode(a.i64_store32(a.getLocal("r"),4*o*2-4,a.getLocal(s)))}(),function(){const e=t.addFunction(i+"_squareOld");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(i+"_mul",a.getLocal("x"),a.getLocal("x"),a.getLocal("r")))}(),function(){!function(){const e=t.addFunction(i+"__mul1");e.addParam("px","i32"),e.addParam("y","i64"),e.addParam("pr","i32"),e.addLocal("c","i64");const a=e.getCodeBuilder();e.addCode(a.setLocal("c",a.i64_mul(a.i64_load32_u(a.getLocal("px"),0,0),a.getLocal("y")))),e.addCode(a.i64_store32(a.getLocal("pr"),0,0,a.getLocal("c")));for(let t=1;t>1n,h=t.alloc(c,_t.bigInt2BytesLE(p,c)),m=p+1n,L=t.alloc(c,_t.bigInt2BytesLE(m,c));t.modules[l]={pq:d,pR2:u,n64:n,q:o,pOne:g,pZero:f,pePlusOne:L};let w=2n;if(yt(o))for(;At(w,p,o)!==_;)w+=1n;let b=0,A=_;for(;!It(A)&&0n!==A;)b++,A>>=1n;const y=t.alloc(c,_t.bigInt2BytesLE(A,c)),I=At(w,A,o),C=t.alloc(_t.bigInt2BytesLE((I<>1n,x=t.alloc(c,_t.bigInt2BytesLE(F,c));return t.exportFunction(s+"_copy",l+"_copy"),t.exportFunction(s+"_zero",l+"_zero"),t.exportFunction(s+"_isZero",l+"_isZero"),t.exportFunction(s+"_eq",l+"_eq"),function(){const e=t.addFunction(l+"_isOne");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder();e.addCode(a.ret(a.call(s+"_eq",a.getLocal("x"),a.i32_const(g))))}(),function(){const e=t.addFunction(l+"_add");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.if(a.call(s+"_add",a.getLocal("x"),a.getLocal("y"),a.getLocal("r")),a.drop(a.call(s+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),a.if(a.call(s+"_gte",a.getLocal("r"),a.i32_const(d)),a.drop(a.call(s+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))))))}(),function(){const e=t.addFunction(l+"_sub");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.if(a.call(s+"_sub",a.getLocal("x"),a.getLocal("y"),a.getLocal("r")),a.drop(a.call(s+"_add",a.getLocal("r"),a.i32_const(d),a.getLocal("r")))))}(),function(){const e=t.addFunction(l+"_neg");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(l+"_sub",a.i32_const(f),a.getLocal("x"),a.getLocal("r")))}(),function(){const e=t.alloc(r*r*8),a=t.addFunction(l+"_mReduct");a.addParam("t","i32"),a.addParam("r","i32"),a.addLocal("np32","i64"),a.addLocal("c","i64"),a.addLocal("m","i64");const i=a.getCodeBuilder(),n=Number(0x100000000n-bt(o,0x100000000n));a.addCode(i.setLocal("np32",i.i64_const(n)));for(let t=0;t=r&&e.addCode(a.i64_store32(a.getLocal("r"),4*(t-r),a.getLocal(_))),[_,p]=[p,_],e.addCode(a.setLocal(p,a.i64_shr_u(a.getLocal(_),a.i64_const(32))))}e.addCode(a.i64_store32(a.getLocal("r"),4*r-4,a.getLocal(_))),e.addCode(a.if(a.i32_wrap_i64(a.getLocal(p)),a.drop(a.call(s+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),a.if(a.call(s+"_gte",a.getLocal("r"),a.i32_const(d)),a.drop(a.call(s+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))))))}(),function(){const e=t.addFunction(l+"_square");e.addParam("x","i32"),e.addParam("r","i32"),e.addLocal("c0","i64"),e.addLocal("c1","i64"),e.addLocal("c0_old","i64"),e.addLocal("c1_old","i64"),e.addLocal("np32","i64");for(let t=0;t>1&&i>1,t>>1)))),e.addCode(a.setLocal(_,a.i64_add(a.getLocal(_),a.i64_shr_u(a.getLocal(f),a.i64_const(32)))))),t>0&&(e.addCode(a.setLocal(f,a.i64_add(a.i64_and(a.getLocal(f),a.i64_const(4294967295)),a.i64_and(a.getLocal(p),a.i64_const(4294967295))))),e.addCode(a.setLocal(_,a.i64_add(a.i64_add(a.getLocal(_),a.i64_shr_u(a.getLocal(f),a.i64_const(32))),a.getLocal(h)))));for(let i=Math.max(1,t-r+1);i<=t&&i=r&&e.addCode(a.i64_store32(a.getLocal("r"),4*(t-r),a.getLocal(f))),e.addCode(a.setLocal(p,a.getLocal(_)),a.setLocal(h,a.i64_shr_u(a.getLocal(p),a.i64_const(32))))}e.addCode(a.i64_store32(a.getLocal("r"),4*r-4,a.getLocal(p))),e.addCode(a.if(a.i32_wrap_i64(a.getLocal(h)),a.drop(a.call(s+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),a.if(a.call(s+"_gte",a.getLocal("r"),a.i32_const(d)),a.drop(a.call(s+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))))))}(),function(){const e=t.addFunction(l+"_squareOld");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(l+"_mul",a.getLocal("x"),a.getLocal("x"),a.getLocal("r")))}(),function(){const e=t.addFunction(l+"_toMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(l+"_mul",a.getLocal("x"),a.i32_const(u),a.getLocal("r")))}(),function(){const e=t.alloc(2*c),a=t.addFunction(l+"_fromMontgomery");a.addParam("x","i32"),a.addParam("r","i32");const i=a.getCodeBuilder();a.addCode(i.call(s+"_copy",i.getLocal("x"),i.i32_const(e))),a.addCode(i.call(s+"_zero",i.i32_const(e+c))),a.addCode(i.call(l+"_mReduct",i.i32_const(e),i.getLocal("r")))}(),function(){const e=t.addFunction(l+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(c));e.addCode(a.call(l+"_fromMontgomery",a.getLocal("x"),i),a.call(s+"_gte",i,a.i32_const(L)))}(),function(){const e=t.addFunction(l+"_sign");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(c));e.addCode(a.if(a.call(s+"_isZero",a.getLocal("x")),a.ret(a.i32_const(0))),a.call(l+"_fromMontgomery",a.getLocal("x"),i),a.if(a.call(s+"_gte",i,a.i32_const(L)),a.ret(a.i32_const(-1))),a.ret(a.i32_const(1)))}(),function(){const e=t.addFunction(l+"_inverse");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(l+"_fromMontgomery",a.getLocal("x"),a.getLocal("r"))),e.addCode(a.call(s+"_inverseMod",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),e.addCode(a.call(l+"_toMontgomery",a.getLocal("r"),a.getLocal("r")))}(),function(){const e=t.addFunction(l+"_one");e.addParam("pr","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_copy",a.i32_const(g),a.getLocal("pr")))}(),function(){const e=t.addFunction(l+"_load");e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32"),e.addLocal("p","i32"),e.addLocal("l","i32"),e.addLocal("i","i32"),e.addLocal("j","i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(c)),o=t.alloc(c),n=a.i32_const(o);e.addCode(a.call(s+"_zero",a.getLocal("r")),a.setLocal("i",a.i32_const(c)),a.setLocal("p",a.getLocal("scalar")),a.block(a.loop(a.br_if(1,a.i32_gt_u(a.getLocal("i"),a.getLocal("scalarLen"))),a.if(a.i32_eq(a.getLocal("i"),a.i32_const(c)),a.call(l+"_one",i),a.call(l+"_mul",i,a.i32_const(u),i)),a.call(l+"_mul",a.getLocal("p"),i,n),a.call(l+"_add",a.getLocal("r"),n,a.getLocal("r")),a.setLocal("p",a.i32_add(a.getLocal("p"),a.i32_const(c))),a.setLocal("i",a.i32_add(a.getLocal("i"),a.i32_const(c))),a.br(0))),a.setLocal("l",a.i32_rem_u(a.getLocal("scalarLen"),a.i32_const(c))),a.if(a.i32_eqz(a.getLocal("l")),a.ret([])),a.call(s+"_zero",n),a.setLocal("j",a.i32_const(0)),a.block(a.loop(a.br_if(1,a.i32_eq(a.getLocal("j"),a.getLocal("l"))),a.i32_store8(a.getLocal("j"),o,a.i32_load8_u(a.getLocal("p"))),a.setLocal("p",a.i32_add(a.getLocal("p"),a.i32_const(1))),a.setLocal("j",a.i32_add(a.getLocal("j"),a.i32_const(1))),a.br(0))),a.if(a.i32_eq(a.getLocal("i"),a.i32_const(c)),a.call(l+"_one",i),a.call(l+"_mul",i,a.i32_const(u),i)),a.call(l+"_mul",n,i,n),a.call(l+"_add",a.getLocal("r"),n,a.getLocal("r")))}(),function(){const e=t.addFunction(l+"_timesScalar");e.addParam("x","i32"),e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(c));e.addCode(a.call(l+"_load",a.getLocal("scalar"),a.getLocal("scalarLen"),i),a.call(l+"_toMontgomery",i,i),a.call(l+"_mul",a.getLocal("x"),i,a.getLocal("r")))}(),ht(t,l),mt(t,l+"_batchToMontgomery",l+"_toMontgomery",c,c),mt(t,l+"_batchFromMontgomery",l+"_fromMontgomery",c,c),mt(t,l+"_batchNeg",l+"_neg",c,c),Lt(t,l+"_batchAdd",l+"_add",c,c),Lt(t,l+"_batchSub",l+"_sub",c,c),Lt(t,l+"_batchMul",l+"_mul",c,c),t.exportFunction(l+"_add"),t.exportFunction(l+"_sub"),t.exportFunction(l+"_neg"),t.exportFunction(l+"_isNegative"),t.exportFunction(l+"_isOne"),t.exportFunction(l+"_sign"),t.exportFunction(l+"_mReduct"),t.exportFunction(l+"_mul"),t.exportFunction(l+"_square"),t.exportFunction(l+"_squareOld"),t.exportFunction(l+"_fromMontgomery"),t.exportFunction(l+"_toMontgomery"),t.exportFunction(l+"_inverse"),t.exportFunction(l+"_one"),t.exportFunction(l+"_load"),t.exportFunction(l+"_timesScalar"),pt(t,l+"_exp",c,l+"_mul",l+"_square",s+"_copy",l+"_one"),t.exportFunction(l+"_exp"),t.exportFunction(l+"_batchInverse"),yt(o)&&(!function(){const e=t.addFunction(l+"_sqrt");e.addParam("n","i32"),e.addParam("r","i32"),e.addLocal("m","i32"),e.addLocal("i","i32"),e.addLocal("j","i32");const a=e.getCodeBuilder(),i=a.i32_const(g),o=a.i32_const(t.alloc(c)),n=a.i32_const(t.alloc(c)),r=a.i32_const(t.alloc(c)),s=a.i32_const(t.alloc(c)),d=a.i32_const(t.alloc(c));e.addCode(a.if(a.call(l+"_isZero",a.getLocal("n")),a.ret(a.call(l+"_zero",a.getLocal("r")))),a.setLocal("m",a.i32_const(b)),a.call(l+"_copy",a.i32_const(C),o),a.call(l+"_exp",a.getLocal("n"),a.i32_const(y),a.i32_const(c),n),a.call(l+"_exp",a.getLocal("n"),a.i32_const(x),a.i32_const(c),r),a.block(a.loop(a.br_if(1,a.call(l+"_eq",n,i)),a.call(l+"_square",n,s),a.setLocal("i",a.i32_const(1)),a.block(a.loop(a.br_if(1,a.call(l+"_eq",s,i)),a.call(l+"_square",s,s),a.setLocal("i",a.i32_add(a.getLocal("i"),a.i32_const(1))),a.br(0))),a.call(l+"_copy",o,d),a.setLocal("j",a.i32_sub(a.i32_sub(a.getLocal("m"),a.getLocal("i")),a.i32_const(1))),a.block(a.loop(a.br_if(1,a.i32_eqz(a.getLocal("j"))),a.call(l+"_square",d,d),a.setLocal("j",a.i32_sub(a.getLocal("j"),a.i32_const(1))),a.br(0))),a.setLocal("m",a.getLocal("i")),a.call(l+"_square",d,o),a.call(l+"_mul",n,o,n),a.call(l+"_mul",r,d,r),a.br(0))),a.if(a.call(l+"_isNegative",r),a.call(l+"_neg",r,a.getLocal("r")),a.call(l+"_copy",r,a.getLocal("r"))))}(),function(){const e=t.addFunction(l+"_isSquare");e.addParam("n","i32"),e.setReturnType("i32");const a=e.getCodeBuilder(),i=a.i32_const(g),o=a.i32_const(t.alloc(c));e.addCode(a.if(a.call(l+"_isZero",a.getLocal("n")),a.ret(a.i32_const(1))),a.call(l+"_exp",a.getLocal("n"),a.i32_const(h),a.i32_const(c),o),a.call(l+"_eq",o,i))}(),t.exportFunction(l+"_sqrt"),t.exportFunction(l+"_isSquare")),t.exportFunction(l+"_batchToMontgomery"),t.exportFunction(l+"_batchFromMontgomery"),l};const xt=Ft,{bitLength:Et}=X;var Bt=function(t,e,a,i,o){const n=BigInt(e),r=Math.floor((Et(n-1n)-1)/64)+1,c=8*r,l=a||"f1";if(t.modules[l])return l;t.modules[l]={n64:r};const s=o||"int",d=xt(t,n,i,s),u=t.modules[d].pR2,g=t.modules[d].pq,f=t.modules[d].pePlusOne;return function(){const e=t.alloc(c),a=t.addFunction(l+"_mul");a.addParam("x","i32"),a.addParam("y","i32"),a.addParam("r","i32");const i=a.getCodeBuilder();a.addCode(i.call(d+"_mul",i.getLocal("x"),i.getLocal("y"),i.i32_const(e))),a.addCode(i.call(d+"_mul",i.i32_const(e),i.i32_const(u),i.getLocal("r")))}(),function(){const e=t.addFunction(l+"_square");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(l+"_mul",a.getLocal("x"),a.getLocal("x"),a.getLocal("r")))}(),function(){const e=t.addFunction(l+"_inverse");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_inverseMod",a.getLocal("x"),a.i32_const(g),a.getLocal("r")))}(),function(){const e=t.addFunction(l+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_gte",a.getLocal("x"),a.i32_const(f)))}(),t.exportFunction(d+"_add",l+"_add"),t.exportFunction(d+"_sub",l+"_sub"),t.exportFunction(d+"_neg",l+"_neg"),t.exportFunction(l+"_mul"),t.exportFunction(l+"_square"),t.exportFunction(l+"_inverse"),t.exportFunction(l+"_isNegative"),t.exportFunction(d+"_copy",l+"_copy"),t.exportFunction(d+"_zero",l+"_zero"),t.exportFunction(d+"_one",l+"_one"),t.exportFunction(d+"_isZero",l+"_isZero"),t.exportFunction(d+"_eq",l+"_eq"),l};const vt=Y,St=W,Gt=$;var Pt=function(t,e,a,i){if(t.modules[a])return a;const o=8*t.modules[i].n64,n=t.modules[i].q;return t.modules[a]={n64:2*t.modules[i].n64},function(){const e=t.addFunction(a+"_isZero");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.i32_and(n.call(i+"_isZero",r),n.call(i+"_isZero",c)))}(),function(){const e=t.addFunction(a+"_isOne");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.ret(n.i32_and(n.call(i+"_isOne",r),n.call(i+"_isZero",c))))}(),function(){const e=t.addFunction(a+"_zero");e.addParam("x","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.call(i+"_zero",r),n.call(i+"_zero",c))}(),function(){const e=t.addFunction(a+"_one");e.addParam("x","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.call(i+"_one",r),n.call(i+"_zero",c))}(),function(){const e=t.addFunction(a+"_copy");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("r"),s=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_copy",r,l),n.call(i+"_copy",c,s))}(),function(){const n=t.addFunction(a+"_mul");n.addParam("x","i32"),n.addParam("y","i32"),n.addParam("r","i32");const r=n.getCodeBuilder(),c=r.getLocal("x"),l=r.i32_add(r.getLocal("x"),r.i32_const(o)),s=r.getLocal("y"),d=r.i32_add(r.getLocal("y"),r.i32_const(o)),u=r.getLocal("r"),g=r.i32_add(r.getLocal("r"),r.i32_const(o)),f=r.i32_const(t.alloc(o)),_=r.i32_const(t.alloc(o)),p=r.i32_const(t.alloc(o)),h=r.i32_const(t.alloc(o));n.addCode(r.call(i+"_mul",c,s,f),r.call(i+"_mul",l,d,_),r.call(i+"_add",c,l,p),r.call(i+"_add",s,d,h),r.call(i+"_mul",p,h,p),r.call(e,_,u),r.call(i+"_add",f,u,u),r.call(i+"_add",f,_,g),r.call(i+"_sub",p,g,g))}(),function(){const e=t.addFunction(a+"_mul1");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("y"),s=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_mul",r,l,s),n.call(i+"_mul",c,l,d))}(),function(){const n=t.addFunction(a+"_square");n.addParam("x","i32"),n.addParam("r","i32");const r=n.getCodeBuilder(),c=r.getLocal("x"),l=r.i32_add(r.getLocal("x"),r.i32_const(o)),s=r.getLocal("r"),d=r.i32_add(r.getLocal("r"),r.i32_const(o)),u=r.i32_const(t.alloc(o)),g=r.i32_const(t.alloc(o)),f=r.i32_const(t.alloc(o)),_=r.i32_const(t.alloc(o));n.addCode(r.call(i+"_mul",c,l,u),r.call(i+"_add",c,l,g),r.call(e,l,f),r.call(i+"_add",c,f,f),r.call(e,u,_),r.call(i+"_add",_,u,_),r.call(i+"_mul",g,f,s),r.call(i+"_sub",s,_,s),r.call(i+"_add",u,u,d))}(),function(){const e=t.addFunction(a+"_add");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("y"),s=n.i32_add(n.getLocal("y"),n.i32_const(o)),d=n.getLocal("r"),u=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_add",r,l,d),n.call(i+"_add",c,s,u))}(),function(){const e=t.addFunction(a+"_sub");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("y"),s=n.i32_add(n.getLocal("y"),n.i32_const(o)),d=n.getLocal("r"),u=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_sub",r,l,d),n.call(i+"_sub",c,s,u))}(),function(){const e=t.addFunction(a+"_neg");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("r"),s=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_neg",r,l),n.call(i+"_neg",c,s))}(),function(){const e=t.addFunction(a+"_conjugate");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("r"),s=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_copy",r,l),n.call(i+"_neg",c,s))}(),function(){const e=t.addFunction(a+"_toMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("r"),s=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_toMontgomery",r,l),n.call(i+"_toMontgomery",c,s))}(),function(){const e=t.addFunction(a+"_fromMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("r"),s=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_fromMontgomery",r,l),n.call(i+"_fromMontgomery",c,s))}(),function(){const e=t.addFunction(a+"_eq");e.addParam("x","i32"),e.addParam("y","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("y"),s=n.i32_add(n.getLocal("y"),n.i32_const(o));e.addCode(n.i32_and(n.call(i+"_eq",r,l),n.call(i+"_eq",c,s)))}(),function(){const n=t.addFunction(a+"_inverse");n.addParam("x","i32"),n.addParam("r","i32");const r=n.getCodeBuilder(),c=r.getLocal("x"),l=r.i32_add(r.getLocal("x"),r.i32_const(o)),s=r.getLocal("r"),d=r.i32_add(r.getLocal("r"),r.i32_const(o)),u=r.i32_const(t.alloc(o)),g=r.i32_const(t.alloc(o)),f=r.i32_const(t.alloc(o)),_=r.i32_const(t.alloc(o));n.addCode(r.call(i+"_square",c,u),r.call(i+"_square",l,g),r.call(e,g,f),r.call(i+"_sub",u,f,f),r.call(i+"_inverse",f,_),r.call(i+"_mul",c,_,s),r.call(i+"_mul",l,_,d),r.call(i+"_neg",d,d))}(),function(){const e=t.addFunction(a+"_timesScalar");e.addParam("x","i32"),e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.getLocal("r"),s=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_timesScalar",r,n.getLocal("scalar"),n.getLocal("scalarLen"),l),n.call(i+"_timesScalar",c,n.getLocal("scalar"),n.getLocal("scalarLen"),s))}(),function(){const e=t.addFunction(a+"_sign");e.addParam("x","i32"),e.addLocal("s","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.setLocal("s",n.call(i+"_sign",c)),n.if(n.getLocal("s"),n.ret(n.getLocal("s"))),n.ret(n.call(i+"_sign",r)))}(),function(){const e=t.addFunction(a+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.if(n.call(i+"_isZero",c),n.ret(n.call(i+"_isNegative",r))),n.ret(n.call(i+"_isNegative",c)))}(),t.exportFunction(a+"_isZero"),t.exportFunction(a+"_isOne"),t.exportFunction(a+"_zero"),t.exportFunction(a+"_one"),t.exportFunction(a+"_copy"),t.exportFunction(a+"_mul"),t.exportFunction(a+"_mul1"),t.exportFunction(a+"_square"),t.exportFunction(a+"_add"),t.exportFunction(a+"_sub"),t.exportFunction(a+"_neg"),t.exportFunction(a+"_sign"),t.exportFunction(a+"_conjugate"),t.exportFunction(a+"_fromMontgomery"),t.exportFunction(a+"_toMontgomery"),t.exportFunction(a+"_eq"),t.exportFunction(a+"_inverse"),St(t,a),vt(t,a+"_exp",2*o,a+"_mul",a+"_square",a+"_copy",a+"_one"),function(){const e=t.addFunction(a+"_sqrt");e.addParam("a","i32"),e.addParam("pr","i32");const r=e.getCodeBuilder(),c=r.i32_const(t.alloc(Gt.bigInt2BytesLE((BigInt(n||0)-3n)/4n,o))),l=r.i32_const(t.alloc(Gt.bigInt2BytesLE((BigInt(n||0)-1n)/2n,o))),s=r.getLocal("a"),d=r.i32_const(t.alloc(2*o)),u=r.i32_const(t.alloc(2*o)),g=r.i32_const(t.alloc(2*o)),f=t.alloc(2*o),_=r.i32_const(f),p=r.i32_const(f),h=r.i32_const(f+o),m=r.i32_const(t.alloc(2*o)),L=r.i32_const(t.alloc(2*o));e.addCode(r.call(a+"_one",_),r.call(a+"_neg",_,_),r.call(a+"_exp",s,c,r.i32_const(o),d),r.call(a+"_square",d,u),r.call(a+"_mul",s,u,u),r.call(a+"_conjugate",u,g),r.call(a+"_mul",g,u,g),r.if(r.call(a+"_eq",g,_),r.unreachable()),r.call(a+"_mul",d,s,m),r.if(r.call(a+"_eq",u,_),[...r.call(i+"_zero",p),...r.call(i+"_one",h),...r.call(a+"_mul",_,m,r.getLocal("pr"))],[...r.call(a+"_one",L),...r.call(a+"_add",L,u,L),...r.call(a+"_exp",L,l,r.i32_const(o),L),...r.call(a+"_mul",L,m,r.getLocal("pr"))]))}(),function(){const e=t.addFunction(a+"_isSquare");e.addParam("a","i32"),e.setReturnType("i32");const i=e.getCodeBuilder(),r=i.i32_const(t.alloc(Gt.bigInt2BytesLE((BigInt(n||0)-3n)/4n,o))),c=i.getLocal("a"),l=i.i32_const(t.alloc(2*o)),s=i.i32_const(t.alloc(2*o)),d=i.i32_const(t.alloc(2*o)),u=t.alloc(2*o),g=i.i32_const(u);e.addCode(i.call(a+"_one",g),i.call(a+"_neg",g,g),i.call(a+"_exp",c,r,i.i32_const(o),l),i.call(a+"_square",l,s),i.call(a+"_mul",c,s,s),i.call(a+"_conjugate",s,d),i.call(a+"_mul",d,s,d),i.if(i.call(a+"_eq",d,g),i.ret(i.i32_const(0))),i.ret(i.i32_const(1)))}(),t.exportFunction(a+"_exp"),t.exportFunction(a+"_timesScalar"),t.exportFunction(a+"_batchInverse"),t.exportFunction(a+"_sqrt"),t.exportFunction(a+"_isSquare"),t.exportFunction(a+"_isNegative"),a};const Ot=Y,Ut=W;var zt=function(t,e,a,i){if(t.modules[a])return a;const o=8*t.modules[i].n64;return t.modules[a]={n64:3*t.modules[i].n64},function(){const e=t.addFunction(a+"_isZero");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.i32_and(n.i32_and(n.call(i+"_isZero",r),n.call(i+"_isZero",c)),n.call(i+"_isZero",l)))}(),function(){const e=t.addFunction(a+"_isOne");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.ret(n.i32_and(n.i32_and(n.call(i+"_isOne",r),n.call(i+"_isZero",c)),n.call(i+"_isZero",l))))}(),function(){const e=t.addFunction(a+"_zero");e.addParam("x","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.call(i+"_zero",r),n.call(i+"_zero",c),n.call(i+"_zero",l))}(),function(){const e=t.addFunction(a+"_one");e.addParam("x","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.call(i+"_one",r),n.call(i+"_zero",c),n.call(i+"_zero",l))}(),function(){const e=t.addFunction(a+"_copy");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_copy",r,s),n.call(i+"_copy",c,d),n.call(i+"_copy",l,u))}(),function(){const n=t.addFunction(a+"_mul");n.addParam("x","i32"),n.addParam("y","i32"),n.addParam("r","i32");const r=n.getCodeBuilder(),c=r.getLocal("x"),l=r.i32_add(r.getLocal("x"),r.i32_const(o)),s=r.i32_add(r.getLocal("x"),r.i32_const(2*o)),d=r.getLocal("y"),u=r.i32_add(r.getLocal("y"),r.i32_const(o)),g=r.i32_add(r.getLocal("y"),r.i32_const(2*o)),f=r.getLocal("r"),_=r.i32_add(r.getLocal("r"),r.i32_const(o)),p=r.i32_add(r.getLocal("r"),r.i32_const(2*o)),h=r.i32_const(t.alloc(o)),m=r.i32_const(t.alloc(o)),L=r.i32_const(t.alloc(o)),w=r.i32_const(t.alloc(o)),b=r.i32_const(t.alloc(o)),A=r.i32_const(t.alloc(o)),y=r.i32_const(t.alloc(o)),I=r.i32_const(t.alloc(o)),C=r.i32_const(t.alloc(o)),F=r.i32_const(t.alloc(o)),x=r.i32_const(t.alloc(o)),E=r.i32_const(t.alloc(o)),B=r.i32_const(t.alloc(o));n.addCode(r.call(i+"_mul",c,d,h),r.call(i+"_mul",l,u,m),r.call(i+"_mul",s,g,L),r.call(i+"_add",c,l,w),r.call(i+"_add",d,u,b),r.call(i+"_add",c,s,A),r.call(i+"_add",d,g,y),r.call(i+"_add",l,s,I),r.call(i+"_add",u,g,C),r.call(i+"_add",h,m,F),r.call(i+"_add",h,L,x),r.call(i+"_add",m,L,E),r.call(i+"_mul",I,C,f),r.call(i+"_sub",f,E,f),r.call(e,f,f),r.call(i+"_add",h,f,f),r.call(i+"_mul",w,b,_),r.call(i+"_sub",_,F,_),r.call(e,L,B),r.call(i+"_add",_,B,_),r.call(i+"_mul",A,y,p),r.call(i+"_sub",p,x,p),r.call(i+"_add",p,m,p))}(),function(){const n=t.addFunction(a+"_square");n.addParam("x","i32"),n.addParam("r","i32");const r=n.getCodeBuilder(),c=r.getLocal("x"),l=r.i32_add(r.getLocal("x"),r.i32_const(o)),s=r.i32_add(r.getLocal("x"),r.i32_const(2*o)),d=r.getLocal("r"),u=r.i32_add(r.getLocal("r"),r.i32_const(o)),g=r.i32_add(r.getLocal("r"),r.i32_const(2*o)),f=r.i32_const(t.alloc(o)),_=r.i32_const(t.alloc(o)),p=r.i32_const(t.alloc(o)),h=r.i32_const(t.alloc(o)),m=r.i32_const(t.alloc(o)),L=r.i32_const(t.alloc(o)),w=r.i32_const(t.alloc(o));n.addCode(r.call(i+"_square",c,f),r.call(i+"_mul",c,l,_),r.call(i+"_add",_,_,p),r.call(i+"_sub",c,l,h),r.call(i+"_add",h,s,h),r.call(i+"_square",h,h),r.call(i+"_mul",l,s,m),r.call(i+"_add",m,m,L),r.call(i+"_square",s,w),r.call(e,L,d),r.call(i+"_add",f,d,d),r.call(e,w,u),r.call(i+"_add",p,u,u),r.call(i+"_add",f,w,g),r.call(i+"_sub",L,g,g),r.call(i+"_add",h,g,g),r.call(i+"_add",p,g,g))}(),function(){const e=t.addFunction(a+"_add");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("y"),d=n.i32_add(n.getLocal("y"),n.i32_const(o)),u=n.i32_add(n.getLocal("y"),n.i32_const(2*o)),g=n.getLocal("r"),f=n.i32_add(n.getLocal("r"),n.i32_const(o)),_=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_add",r,s,g),n.call(i+"_add",c,d,f),n.call(i+"_add",l,u,_))}(),function(){const e=t.addFunction(a+"_sub");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("y"),d=n.i32_add(n.getLocal("y"),n.i32_const(o)),u=n.i32_add(n.getLocal("y"),n.i32_const(2*o)),g=n.getLocal("r"),f=n.i32_add(n.getLocal("r"),n.i32_const(o)),_=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_sub",r,s,g),n.call(i+"_sub",c,d,f),n.call(i+"_sub",l,u,_))}(),function(){const e=t.addFunction(a+"_neg");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_neg",r,s),n.call(i+"_neg",c,d),n.call(i+"_neg",l,u))}(),function(){const e=t.addFunction(a+"_sign");e.addParam("x","i32"),e.addLocal("s","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.setLocal("s",n.call(i+"_sign",l)),n.if(n.getLocal("s"),n.ret(n.getLocal("s"))),n.setLocal("s",n.call(i+"_sign",c)),n.if(n.getLocal("s"),n.ret(n.getLocal("s"))),n.ret(n.call(i+"_sign",r)))}(),function(){const e=t.addFunction(a+"_toMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_toMontgomery",r,s),n.call(i+"_toMontgomery",c,d),n.call(i+"_toMontgomery",l,u))}(),function(){const e=t.addFunction(a+"_fromMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_fromMontgomery",r,s),n.call(i+"_fromMontgomery",c,d),n.call(i+"_fromMontgomery",l,u))}(),function(){const e=t.addFunction(a+"_eq");e.addParam("x","i32"),e.addParam("y","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("y"),d=n.i32_add(n.getLocal("y"),n.i32_const(o)),u=n.i32_add(n.getLocal("y"),n.i32_const(2*o));e.addCode(n.i32_and(n.i32_and(n.call(i+"_eq",r,s),n.call(i+"_eq",c,d)),n.call(i+"_eq",l,u)))}(),function(){const n=t.addFunction(a+"_inverse");n.addParam("x","i32"),n.addParam("r","i32");const r=n.getCodeBuilder(),c=r.getLocal("x"),l=r.i32_add(r.getLocal("x"),r.i32_const(o)),s=r.i32_add(r.getLocal("x"),r.i32_const(2*o)),d=r.getLocal("r"),u=r.i32_add(r.getLocal("r"),r.i32_const(o)),g=r.i32_add(r.getLocal("r"),r.i32_const(2*o)),f=r.i32_const(t.alloc(o)),_=r.i32_const(t.alloc(o)),p=r.i32_const(t.alloc(o)),h=r.i32_const(t.alloc(o)),m=r.i32_const(t.alloc(o)),L=r.i32_const(t.alloc(o)),w=r.i32_const(t.alloc(o)),b=r.i32_const(t.alloc(o)),A=r.i32_const(t.alloc(o)),y=r.i32_const(t.alloc(o)),I=r.i32_const(t.alloc(o));n.addCode(r.call(i+"_square",c,f),r.call(i+"_square",l,_),r.call(i+"_square",s,p),r.call(i+"_mul",c,l,h),r.call(i+"_mul",c,s,m),r.call(i+"_mul",l,s,L),r.call(e,L,w),r.call(i+"_sub",f,w,w),r.call(e,p,b),r.call(i+"_sub",b,h,b),r.call(i+"_sub",_,m,A),r.call(i+"_mul",s,b,y),r.call(i+"_mul",l,A,I),r.call(i+"_add",y,I,y),r.call(e,y,y),r.call(i+"_mul",c,w,I),r.call(i+"_add",I,y,y),r.call(i+"_inverse",y,y),r.call(i+"_mul",y,w,d),r.call(i+"_mul",y,b,u),r.call(i+"_mul",y,A,g))}(),function(){const e=t.addFunction(a+"_timesScalar");e.addParam("x","i32"),e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),s=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_timesScalar",r,n.getLocal("scalar"),n.getLocal("scalarLen"),s),n.call(i+"_timesScalar",c,n.getLocal("scalar"),n.getLocal("scalarLen"),d),n.call(i+"_timesScalar",l,n.getLocal("scalar"),n.getLocal("scalarLen"),u))}(),function(){const e=t.addFunction(a+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),r=n.getLocal("x"),c=n.i32_add(n.getLocal("x"),n.i32_const(o)),l=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.if(n.call(i+"_isZero",l),n.if(n.call(i+"_isZero",c),n.ret(n.call(i+"_isNegative",r)),n.ret(n.call(i+"_isNegative",c)))),n.ret(n.call(i+"_isNegative",l)))}(),t.exportFunction(a+"_isZero"),t.exportFunction(a+"_isOne"),t.exportFunction(a+"_zero"),t.exportFunction(a+"_one"),t.exportFunction(a+"_copy"),t.exportFunction(a+"_mul"),t.exportFunction(a+"_square"),t.exportFunction(a+"_add"),t.exportFunction(a+"_sub"),t.exportFunction(a+"_neg"),t.exportFunction(a+"_sign"),t.exportFunction(a+"_fromMontgomery"),t.exportFunction(a+"_toMontgomery"),t.exportFunction(a+"_eq"),t.exportFunction(a+"_inverse"),Ut(t,a),Ot(t,a+"_exp",3*o,a+"_mul",a+"_square",a+"_copy",a+"_one"),t.exportFunction(a+"_exp"),t.exportFunction(a+"_timesScalar"),t.exportFunction(a+"_batchInverse"),t.exportFunction(a+"_isNegative"),a};const Qt=function(t,e,a,i,o,n,r,c){const l=t.addFunction(e);l.addParam("base","i32"),l.addParam("scalar","i32"),l.addParam("scalarLength","i32"),l.addParam("r","i32"),l.addLocal("old0","i32"),l.addLocal("nbits","i32"),l.addLocal("i","i32"),l.addLocal("last","i32"),l.addLocal("cur","i32"),l.addLocal("carry","i32"),l.addLocal("p","i32");const s=l.getCodeBuilder(),d=s.i32_const(t.alloc(a));function u(t){return s.i32_and(s.i32_shr_u(s.i32_load(s.i32_add(s.getLocal("scalar"),s.i32_and(s.i32_shr_u(t,s.i32_const(3)),s.i32_const(4294967292)))),s.i32_and(t,s.i32_const(31))),s.i32_const(1))}function g(t){return[...s.i32_store8(s.getLocal("p"),s.i32_const(t)),...s.setLocal("p",s.i32_add(s.getLocal("p"),s.i32_const(1)))]}l.addCode(s.if(s.i32_eqz(s.getLocal("scalarLength")),[...s.call(c,s.getLocal("r")),...s.ret([])]),s.setLocal("nbits",s.i32_shl(s.getLocal("scalarLength"),s.i32_const(3))),s.setLocal("old0",s.i32_load(s.i32_const(0))),s.setLocal("p",s.getLocal("old0")),s.i32_store(s.i32_const(0),s.i32_and(s.i32_add(s.i32_add(s.getLocal("old0"),s.i32_const(32)),s.getLocal("nbits")),s.i32_const(4294967288))),s.setLocal("i",s.i32_const(1)),s.setLocal("last",u(s.i32_const(0))),s.setLocal("carry",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("nbits"))),s.setLocal("cur",u(s.getLocal("i"))),s.if(s.getLocal("last"),s.if(s.getLocal("cur"),s.if(s.getLocal("carry"),[...s.setLocal("last",s.i32_const(0)),...s.setLocal("carry",s.i32_const(1)),...g(1)],[...s.setLocal("last",s.i32_const(0)),...s.setLocal("carry",s.i32_const(1)),...g(255)]),s.if(s.getLocal("carry"),[...s.setLocal("last",s.i32_const(0)),...s.setLocal("carry",s.i32_const(1)),...g(255)],[...s.setLocal("last",s.i32_const(0)),...s.setLocal("carry",s.i32_const(0)),...g(1)])),s.if(s.getLocal("cur"),s.if(s.getLocal("carry"),[...s.setLocal("last",s.i32_const(0)),...s.setLocal("carry",s.i32_const(1)),...g(0)],[...s.setLocal("last",s.i32_const(1)),...s.setLocal("carry",s.i32_const(0)),...g(0)]),s.if(s.getLocal("carry"),[...s.setLocal("last",s.i32_const(1)),...s.setLocal("carry",s.i32_const(0)),...g(0)],[...s.setLocal("last",s.i32_const(0)),...s.setLocal("carry",s.i32_const(0)),...g(0)]))),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0))),s.if(s.getLocal("last"),s.if(s.getLocal("carry"),[...g(255),...g(0),...g(1)],[...g(1)]),s.if(s.getLocal("carry"),[...g(0),...g(1)])),s.setLocal("p",s.i32_sub(s.getLocal("p"),s.i32_const(1))),s.call(r,s.getLocal("base"),d),s.call(c,s.getLocal("r")),s.block(s.loop(s.call(o,s.getLocal("r"),s.getLocal("r")),s.setLocal("cur",s.i32_load8_u(s.getLocal("p"))),s.if(s.getLocal("cur"),s.if(s.i32_eq(s.getLocal("cur"),s.i32_const(1)),s.call(i,s.getLocal("r"),d,s.getLocal("r")),s.call(n,s.getLocal("r"),d,s.getLocal("r")))),s.br_if(1,s.i32_eq(s.getLocal("old0"),s.getLocal("p"))),s.setLocal("p",s.i32_sub(s.getLocal("p"),s.i32_const(1))),s.br(0))),s.i32_store(s.i32_const(0),s.getLocal("old0")))},qt=Z,Mt=function(t,e,a,i,o){const n=8*t.modules[e].n64;function r(){const i=t.addFunction(a);i.addParam("pBases","i32"),i.addParam("pScalars","i32"),i.addParam("scalarSize","i32"),i.addParam("n","i32"),i.addParam("pr","i32"),i.addLocal("chunkSize","i32"),i.addLocal("nChunks","i32"),i.addLocal("itScalar","i32"),i.addLocal("endScalar","i32"),i.addLocal("itBase","i32"),i.addLocal("itBit","i32"),i.addLocal("i","i32"),i.addLocal("j","i32"),i.addLocal("nTable","i32"),i.addLocal("pTable","i32"),i.addLocal("idx","i32"),i.addLocal("pIdxTable","i32");const o=i.getCodeBuilder(),r=o.i32_const(t.alloc(n)),c=t.alloc([17,17,17,17,17,17,17,17,17,17,16,16,15,14,13,13,12,11,10,9,8,7,7,6,5,4,3,2,1,1,1,1]);i.addCode(o.call(e+"_zero",o.getLocal("pr")),o.if(o.i32_eqz(o.getLocal("n")),o.ret([])),o.setLocal("chunkSize",o.i32_load8_u(o.i32_clz(o.getLocal("n")),c)),o.setLocal("nChunks",o.i32_add(o.i32_div_u(o.i32_sub(o.i32_shl(o.getLocal("scalarSize"),o.i32_const(3)),o.i32_const(1)),o.getLocal("chunkSize")),o.i32_const(1))),o.setLocal("itBit",o.i32_mul(o.i32_sub(o.getLocal("nChunks"),o.i32_const(1)),o.getLocal("chunkSize"))),o.block(o.loop(o.br_if(1,o.i32_lt_s(o.getLocal("itBit"),o.i32_const(0))),o.if(o.i32_eqz(o.call(e+"_isZero",o.getLocal("pr"))),[...o.setLocal("j",o.i32_const(0)),...o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("j"),o.getLocal("chunkSize"))),o.call(e+"_double",o.getLocal("pr"),o.getLocal("pr")),o.setLocal("j",o.i32_add(o.getLocal("j"),o.i32_const(1))),o.br(0)))]),o.call(a+"_chunk",o.getLocal("pBases"),o.getLocal("pScalars"),o.getLocal("scalarSize"),o.getLocal("n"),o.getLocal("itBit"),o.getLocal("chunkSize"),r),o.call(e+"_add",o.getLocal("pr"),r,o.getLocal("pr")),o.setLocal("itBit",o.i32_sub(o.getLocal("itBit"),o.getLocal("chunkSize"))),o.br(0))))}!function(){const e=t.addFunction(a+"_getChunk");e.addParam("pScalar","i32"),e.addParam("scalarSize","i32"),e.addParam("startBit","i32"),e.addParam("chunkSize","i32"),e.addLocal("bitsToEnd","i32"),e.addLocal("mask","i32"),e.setReturnType("i32");const i=e.getCodeBuilder();e.addCode(i.setLocal("bitsToEnd",i.i32_sub(i.i32_mul(i.getLocal("scalarSize"),i.i32_const(8)),i.getLocal("startBit"))),i.if(i.i32_gt_s(i.getLocal("chunkSize"),i.getLocal("bitsToEnd")),i.setLocal("mask",i.i32_sub(i.i32_shl(i.i32_const(1),i.getLocal("bitsToEnd")),i.i32_const(1))),i.setLocal("mask",i.i32_sub(i.i32_shl(i.i32_const(1),i.getLocal("chunkSize")),i.i32_const(1)))),i.i32_and(i.i32_shr_u(i.i32_load(i.i32_add(i.getLocal("pScalar"),i.i32_shr_u(i.getLocal("startBit"),i.i32_const(3))),0,0),i.i32_and(i.getLocal("startBit"),i.i32_const(7))),i.getLocal("mask")))}(),function(){const i=t.addFunction(a+"_reduceTable");i.addParam("pTable","i32"),i.addParam("p","i32"),i.addLocal("half","i32"),i.addLocal("it1","i32"),i.addLocal("it2","i32"),i.addLocal("pAcc","i32");const o=i.getCodeBuilder();i.addCode(o.if(o.i32_eq(o.getLocal("p"),o.i32_const(1)),o.ret([])),o.setLocal("half",o.i32_shl(o.i32_const(1),o.i32_sub(o.getLocal("p"),o.i32_const(1)))),o.setLocal("it1",o.getLocal("pTable")),o.setLocal("it2",o.i32_add(o.getLocal("pTable"),o.i32_mul(o.getLocal("half"),o.i32_const(n)))),o.setLocal("pAcc",o.i32_sub(o.getLocal("it2"),o.i32_const(n))),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("it1"),o.getLocal("pAcc"))),o.call(e+"_add",o.getLocal("it1"),o.getLocal("it2"),o.getLocal("it1")),o.call(e+"_add",o.getLocal("pAcc"),o.getLocal("it2"),o.getLocal("pAcc")),o.setLocal("it1",o.i32_add(o.getLocal("it1"),o.i32_const(n))),o.setLocal("it2",o.i32_add(o.getLocal("it2"),o.i32_const(n))),o.br(0))),o.call(a+"_reduceTable",o.getLocal("pTable"),o.i32_sub(o.getLocal("p"),o.i32_const(1))),o.setLocal("p",o.i32_sub(o.getLocal("p"),o.i32_const(1))),o.block(o.loop(o.br_if(1,o.i32_eqz(o.getLocal("p"))),o.call(e+"_double",o.getLocal("pAcc"),o.getLocal("pAcc")),o.setLocal("p",o.i32_sub(o.getLocal("p"),o.i32_const(1))),o.br(0))),o.call(e+"_add",o.getLocal("pTable"),o.getLocal("pAcc"),o.getLocal("pTable")))}(),function(){const r=t.addFunction(a+"_chunk");r.addParam("pBases","i32"),r.addParam("pScalars","i32"),r.addParam("scalarSize","i32"),r.addParam("n","i32"),r.addParam("startBit","i32"),r.addParam("chunkSize","i32"),r.addParam("pr","i32"),r.addLocal("nChunks","i32"),r.addLocal("itScalar","i32"),r.addLocal("endScalar","i32"),r.addLocal("itBase","i32"),r.addLocal("i","i32"),r.addLocal("j","i32"),r.addLocal("nTable","i32"),r.addLocal("pTable","i32"),r.addLocal("idx","i32"),r.addLocal("pIdxTable","i32");const c=r.getCodeBuilder();r.addCode(c.if(c.i32_eqz(c.getLocal("n")),[...c.call(e+"_zero",c.getLocal("pr")),...c.ret([])]),c.setLocal("nTable",c.i32_shl(c.i32_const(1),c.getLocal("chunkSize"))),c.setLocal("pTable",c.i32_load(c.i32_const(0))),c.i32_store(c.i32_const(0),c.i32_add(c.getLocal("pTable"),c.i32_mul(c.getLocal("nTable"),c.i32_const(n)))),c.setLocal("j",c.i32_const(0)),c.block(c.loop(c.br_if(1,c.i32_eq(c.getLocal("j"),c.getLocal("nTable"))),c.call(e+"_zero",c.i32_add(c.getLocal("pTable"),c.i32_mul(c.getLocal("j"),c.i32_const(n)))),c.setLocal("j",c.i32_add(c.getLocal("j"),c.i32_const(1))),c.br(0))),c.setLocal("itBase",c.getLocal("pBases")),c.setLocal("itScalar",c.getLocal("pScalars")),c.setLocal("endScalar",c.i32_add(c.getLocal("pScalars"),c.i32_mul(c.getLocal("n"),c.getLocal("scalarSize")))),c.block(c.loop(c.br_if(1,c.i32_eq(c.getLocal("itScalar"),c.getLocal("endScalar"))),c.setLocal("idx",c.call(a+"_getChunk",c.getLocal("itScalar"),c.getLocal("scalarSize"),c.getLocal("startBit"),c.getLocal("chunkSize"))),c.if(c.getLocal("idx"),[...c.setLocal("pIdxTable",c.i32_add(c.getLocal("pTable"),c.i32_mul(c.i32_sub(c.getLocal("idx"),c.i32_const(1)),c.i32_const(n)))),...c.call(i,c.getLocal("pIdxTable"),c.getLocal("itBase"),c.getLocal("pIdxTable"))]),c.setLocal("itScalar",c.i32_add(c.getLocal("itScalar"),c.getLocal("scalarSize"))),c.setLocal("itBase",c.i32_add(c.getLocal("itBase"),c.i32_const(o))),c.br(0))),c.call(a+"_reduceTable",c.getLocal("pTable"),c.getLocal("chunkSize")),c.call(e+"_copy",c.getLocal("pTable"),c.getLocal("pr")),c.i32_store(c.i32_const(0),c.getLocal("pTable")))}(),r(),t.exportFunction(a),t.exportFunction(a+"_chunk")};var Tt=function(t,e,a,i){const o=t.modules[a].n64,n=8*o;if(t.modules[e])return e;return t.modules[e]={n64:3*o},function(){const i=t.addFunction(e+"_isZeroAffine");i.addParam("p1","i32"),i.setReturnType("i32");const o=i.getCodeBuilder();i.addCode(o.i32_and(o.call(a+"_isZero",o.getLocal("p1")),o.call(a+"_isZero",o.i32_add(o.getLocal("p1"),o.i32_const(n)))))}(),function(){const i=t.addFunction(e+"_isZero");i.addParam("p1","i32"),i.setReturnType("i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_isZero",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))))}(),function(){const i=t.addFunction(e+"_zeroAffine");i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_zero",o.getLocal("pr"))),i.addCode(o.call(a+"_zero",o.i32_add(o.getLocal("pr"),o.i32_const(n))))}(),function(){const i=t.addFunction(e+"_zero");i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_zero",o.getLocal("pr"))),i.addCode(o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(n)))),i.addCode(o.call(a+"_zero",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))))}(),function(){const a=t.addFunction(e+"_copyAffine");a.addParam("ps","i32"),a.addParam("pd","i32");const i=a.getCodeBuilder();for(let t=0;t<2*o;t++)a.addCode(i.i64_store(i.getLocal("pd"),8*t,i.i64_load(i.getLocal("ps"),8*t)))}(),function(){const a=t.addFunction(e+"_copy");a.addParam("ps","i32"),a.addParam("pd","i32");const i=a.getCodeBuilder();for(let t=0;t<3*o;t++)a.addCode(i.i64_store(i.getLocal("pd"),8*t,i.i64_load(i.getLocal("ps"),8*t)))}(),function(){const i=t.addFunction(e+"_toJacobian");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.getLocal("pr"),s=o.i32_add(o.getLocal("pr"),o.i32_const(n)),d=o.i32_add(o.getLocal("pr"),o.i32_const(2*n));i.addCode(o.if(o.call(e+"_isZeroAffine",o.getLocal("p1")),o.call(e+"_zero",o.getLocal("pr")),[...o.call(a+"_one",d),...o.call(a+"_copy",c,s),...o.call(a+"_copy",r,l)]))}(),function(){const i=t.addFunction(e+"_eqAffine");i.addParam("p1","i32"),i.addParam("p2","i32"),i.setReturnType("i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder();i.addCode(o.ret(o.i32_and(o.call(a+"_eq",o.getLocal("p1"),o.getLocal("p2")),o.call(a+"_eq",o.i32_add(o.getLocal("p1"),o.i32_const(n)),o.i32_add(o.getLocal("p2"),o.i32_const(n))))))}(),function(){const i=t.addFunction(e+"_eqMixed");i.addParam("p1","i32"),i.addParam("p2","i32"),i.setReturnType("i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const l=o.getLocal("z1"),s=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n)),u=o.i32_const(t.alloc(n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),o.ret(o.call(e+"_isZeroAffine",o.getLocal("p2")))),o.if(o.call(e+"_isZeroAffine",o.getLocal("p2")),o.ret(o.i32_const(0))),o.if(o.call(a+"_isOne",l),o.ret(o.call(e+"_eqAffine",o.getLocal("p1"),o.getLocal("p2")))),o.call(a+"_square",l,u),o.call(a+"_mul",s,u,g),o.call(a+"_mul",l,u,f),o.call(a+"_mul",d,f,_),o.if(o.call(a+"_eq",r,g),o.if(o.call(a+"_eq",c,_),o.ret(o.i32_const(1)))),o.ret(o.i32_const(0)))}(),function(){const i=t.addFunction(e+"_eq");i.addParam("p1","i32"),i.addParam("p2","i32"),i.setReturnType("i32"),i.addLocal("z1","i32"),i.addLocal("z2","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const l=o.getLocal("z1"),s=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n));i.addCode(o.setLocal("z2",o.i32_add(o.getLocal("p2"),o.i32_const(2*n))));const u=o.getLocal("z2"),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),o.ret(o.call(e+"_isZero",o.getLocal("p2")))),o.if(o.call(e+"_isZero",o.getLocal("p2")),o.ret(o.i32_const(0))),o.if(o.call(a+"_isOne",l),o.ret(o.call(e+"_eqMixed",o.getLocal("p2"),o.getLocal("p1")))),o.if(o.call(a+"_isOne",u),o.ret(o.call(e+"_eqMixed",o.getLocal("p1"),o.getLocal("p2")))),o.call(a+"_square",l,g),o.call(a+"_square",u,f),o.call(a+"_mul",r,f,_),o.call(a+"_mul",s,g,p),o.call(a+"_mul",l,g,h),o.call(a+"_mul",u,f,m),o.call(a+"_mul",c,m,L),o.call(a+"_mul",d,h,w),o.if(o.call(a+"_eq",_,p),o.if(o.call(a+"_eq",L,w),o.ret(o.i32_const(1)))),o.ret(o.i32_const(0)))}(),function(){const i=t.addFunction(e+"_doubleAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.getLocal("pr"),s=o.i32_add(o.getLocal("pr"),o.i32_const(n)),d=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),u=o.i32_const(t.alloc(n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZeroAffine",o.getLocal("p1")),[...o.call(e+"_toJacobian",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.call(a+"_square",r,u),o.call(a+"_square",c,g),o.call(a+"_square",g,f),o.call(a+"_add",r,g,_),o.call(a+"_square",_,_),o.call(a+"_sub",_,u,_),o.call(a+"_sub",_,f,_),o.call(a+"_add",_,_,_),o.call(a+"_add",u,u,p),o.call(a+"_add",p,u,p),o.call(a+"_add",c,c,d),o.call(a+"_square",p,l),o.call(a+"_sub",l,_,l),o.call(a+"_sub",l,_,l),o.call(a+"_add",f,f,h),o.call(a+"_add",h,h,h),o.call(a+"_add",h,h,h),o.call(a+"_sub",_,l,s),o.call(a+"_mul",s,p,s),o.call(a+"_sub",s,h,s))}(),function(){const i=t.addFunction(e+"_double");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),s=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(e+"_copy",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(a+"_isOne",l),[...o.ret(o.call(e+"_doubleAffine",o.getLocal("p1"),o.getLocal("pr"))),...o.ret([])]),o.call(a+"_square",r,g),o.call(a+"_square",c,f),o.call(a+"_square",f,_),o.call(a+"_add",r,f,p),o.call(a+"_square",p,p),o.call(a+"_sub",p,g,p),o.call(a+"_sub",p,_,p),o.call(a+"_add",p,p,p),o.call(a+"_add",g,g,h),o.call(a+"_add",h,g,h),o.call(a+"_square",h,m),o.call(a+"_mul",c,l,L),o.call(a+"_add",p,p,s),o.call(a+"_sub",m,s,s),o.call(a+"_add",_,_,w),o.call(a+"_add",w,w,w),o.call(a+"_add",w,w,w),o.call(a+"_sub",p,s,d),o.call(a+"_mul",d,h,d),o.call(a+"_sub",d,w,d),o.call(a+"_add",L,L,u))}(),function(){const i=t.addFunction(e+"_addAffine");i.addParam("p1","i32"),i.addParam("p2","i32"),i.addParam("pr","i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const l=o.getLocal("p2"),s=o.i32_add(o.getLocal("p2"),o.i32_const(n)),d=o.getLocal("pr"),u=o.i32_add(o.getLocal("pr"),o.i32_const(n)),g=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),f=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),b=o.i32_const(t.alloc(n)),A=o.i32_const(t.alloc(n)),y=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZeroAffine",o.getLocal("p1")),[...o.call(e+"_copyAffine",o.getLocal("p2"),o.getLocal("pr")),...o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))),...o.ret([])]),o.if(o.call(e+"_isZeroAffine",o.getLocal("p2")),[...o.call(e+"_copyAffine",o.getLocal("p1"),o.getLocal("pr")),...o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))),...o.ret([])]),o.if(o.call(a+"_eq",r,l),o.if(o.call(a+"_eq",c,s),[...o.call(e+"_doubleAffine",o.getLocal("p2"),o.getLocal("pr")),...o.ret([])])),o.call(a+"_sub",l,r,f),o.call(a+"_sub",s,c,p),o.call(a+"_square",f,_),o.call(a+"_add",_,_,h),o.call(a+"_add",h,h,h),o.call(a+"_mul",f,h,m),o.call(a+"_add",p,p,L),o.call(a+"_mul",r,h,b),o.call(a+"_square",L,w),o.call(a+"_add",b,b,A),o.call(a+"_sub",w,m,d),o.call(a+"_sub",d,A,d),o.call(a+"_mul",c,m,y),o.call(a+"_add",y,y,y),o.call(a+"_sub",b,d,u),o.call(a+"_mul",u,L,u),o.call(a+"_sub",u,y,u),o.call(a+"_add",f,f,g))}(),function(){const i=t.addFunction(e+"_addMixed");i.addParam("p1","i32"),i.addParam("p2","i32"),i.addParam("pr","i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const l=o.getLocal("z1"),s=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n)),u=o.getLocal("pr"),g=o.i32_add(o.getLocal("pr"),o.i32_const(n)),f=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),b=o.i32_const(t.alloc(n)),A=o.i32_const(t.alloc(n)),y=o.i32_const(t.alloc(n)),I=o.i32_const(t.alloc(n)),C=o.i32_const(t.alloc(n)),F=o.i32_const(t.alloc(n)),x=o.i32_const(t.alloc(n)),E=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(e+"_copyAffine",o.getLocal("p2"),o.getLocal("pr")),...o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))),...o.ret([])]),o.if(o.call(e+"_isZeroAffine",o.getLocal("p2")),[...o.call(e+"_copy",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(a+"_isOne",l),[...o.call(e+"_addAffine",r,s,u),...o.ret([])]),o.call(a+"_square",l,_),o.call(a+"_mul",s,_,p),o.call(a+"_mul",l,_,h),o.call(a+"_mul",d,h,m),o.if(o.call(a+"_eq",r,p),o.if(o.call(a+"_eq",c,m),[...o.call(e+"_doubleAffine",o.getLocal("p2"),o.getLocal("pr")),...o.ret([])])),o.call(a+"_sub",p,r,L),o.call(a+"_sub",m,c,b),o.call(a+"_square",L,w),o.call(a+"_add",w,w,A),o.call(a+"_add",A,A,A),o.call(a+"_mul",L,A,y),o.call(a+"_add",b,b,I),o.call(a+"_mul",r,A,F),o.call(a+"_square",I,C),o.call(a+"_add",F,F,x),o.call(a+"_sub",C,y,u),o.call(a+"_sub",u,x,u),o.call(a+"_mul",c,y,E),o.call(a+"_add",E,E,E),o.call(a+"_sub",F,u,g),o.call(a+"_mul",g,I,g),o.call(a+"_sub",g,E,g),o.call(a+"_add",l,L,f),o.call(a+"_square",f,f),o.call(a+"_sub",f,_,f),o.call(a+"_sub",f,w,f))}(),function(){const i=t.addFunction(e+"_add");i.addParam("p1","i32"),i.addParam("p2","i32"),i.addParam("pr","i32"),i.addLocal("z1","i32"),i.addLocal("z2","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const l=o.getLocal("z1"),s=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n));i.addCode(o.setLocal("z2",o.i32_add(o.getLocal("p2"),o.i32_const(2*n))));const u=o.getLocal("z2"),g=o.getLocal("pr"),f=o.i32_add(o.getLocal("pr"),o.i32_const(n)),_=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),p=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),b=o.i32_const(t.alloc(n)),A=o.i32_const(t.alloc(n)),y=o.i32_const(t.alloc(n)),I=o.i32_const(t.alloc(n)),C=o.i32_const(t.alloc(n)),F=o.i32_const(t.alloc(n)),x=o.i32_const(t.alloc(n)),E=o.i32_const(t.alloc(n)),B=o.i32_const(t.alloc(n)),v=o.i32_const(t.alloc(n)),S=o.i32_const(t.alloc(n)),G=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(e+"_copy",o.getLocal("p2"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(e+"_isZero",o.getLocal("p2")),[...o.call(e+"_copy",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(a+"_isOne",l),[...o.call(e+"_addMixed",s,r,g),...o.ret([])]),o.if(o.call(a+"_isOne",u),[...o.call(e+"_addMixed",r,s,g),...o.ret([])]),o.call(a+"_square",l,p),o.call(a+"_square",u,h),o.call(a+"_mul",r,h,m),o.call(a+"_mul",s,p,L),o.call(a+"_mul",l,p,w),o.call(a+"_mul",u,h,b),o.call(a+"_mul",c,b,A),o.call(a+"_mul",d,w,y),o.if(o.call(a+"_eq",m,L),o.if(o.call(a+"_eq",A,y),[...o.call(e+"_double",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])])),o.call(a+"_sub",L,m,I),o.call(a+"_sub",y,A,C),o.call(a+"_add",I,I,F),o.call(a+"_square",F,F),o.call(a+"_mul",I,F,x),o.call(a+"_add",C,C,E),o.call(a+"_mul",m,F,v),o.call(a+"_square",E,B),o.call(a+"_add",v,v,S),o.call(a+"_sub",B,x,g),o.call(a+"_sub",g,S,g),o.call(a+"_mul",A,x,G),o.call(a+"_add",G,G,G),o.call(a+"_sub",v,g,f),o.call(a+"_mul",f,E,f),o.call(a+"_sub",f,G,f),o.call(a+"_add",l,u,_),o.call(a+"_square",_,_),o.call(a+"_sub",_,p,_),o.call(a+"_sub",_,h,_),o.call(a+"_mul",_,I,_))}(),function(){const i=t.addFunction(e+"_negAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.getLocal("pr"),s=o.i32_add(o.getLocal("pr"),o.i32_const(n));i.addCode(o.call(a+"_copy",r,l),o.call(a+"_neg",c,s))}(),function(){const i=t.addFunction(e+"_neg");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),s=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_add(o.getLocal("pr"),o.i32_const(2*n));i.addCode(o.call(a+"_copy",r,s),o.call(a+"_neg",c,d),o.call(a+"_copy",l,u))}(),function(){const a=t.addFunction(e+"_subAffine");a.addParam("p1","i32"),a.addParam("p2","i32"),a.addParam("pr","i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(3*n));a.addCode(i.call(e+"_negAffine",i.getLocal("p2"),o),i.call(e+"_addAffine",i.getLocal("p1"),o,i.getLocal("pr")))}(),function(){const a=t.addFunction(e+"_subMixed");a.addParam("p1","i32"),a.addParam("p2","i32"),a.addParam("pr","i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(3*n));a.addCode(i.call(e+"_negAffine",i.getLocal("p2"),o),i.call(e+"_addMixed",i.getLocal("p1"),o,i.getLocal("pr")))}(),function(){const a=t.addFunction(e+"_sub");a.addParam("p1","i32"),a.addParam("p2","i32"),a.addParam("pr","i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(3*n));a.addCode(i.call(e+"_neg",i.getLocal("p2"),o),i.call(e+"_add",i.getLocal("p1"),o,i.getLocal("pr")))}(),function(){const i=t.addFunction(e+"_fromMontgomeryAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_fromMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<2;t++)i.addCode(o.call(a+"_fromMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_fromMontgomery");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_fromMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<3;t++)i.addCode(o.call(a+"_fromMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_toMontgomeryAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_toMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<2;t++)i.addCode(o.call(a+"_toMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_toMontgomery");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_toMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<3;t++)i.addCode(o.call(a+"_toMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_toAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),s=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_const(t.alloc(n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(a+"_zero",s),...o.call(a+"_zero",d)],[...o.call(a+"_inverse",l,u),...o.call(a+"_square",u,g),...o.call(a+"_mul",u,g,f),...o.call(a+"_mul",r,g,s),...o.call(a+"_mul",c,f,d)]))}(),function(){const o=t.addFunction(e+"_inCurveAffine");o.addParam("pIn","i32"),o.setReturnType("i32");const r=o.getCodeBuilder(),c=r.getLocal("pIn"),l=r.i32_add(r.getLocal("pIn"),r.i32_const(n)),s=r.i32_const(t.alloc(n)),d=r.i32_const(t.alloc(n));o.addCode(r.call(a+"_square",l,s),r.call(a+"_square",c,d),r.call(a+"_mul",c,d,d),r.call(a+"_add",d,r.i32_const(i),d),r.ret(r.call(a+"_eq",s,d)))}(),function(){const a=t.addFunction(e+"_inCurve");a.addParam("pIn","i32"),a.setReturnType("i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(2*n));a.addCode(i.call(e+"_toAffine",i.getLocal("pIn"),o),i.ret(i.call(e+"_inCurveAffine",o)))}(),function(){const i=t.addFunction(e+"_batchToAffine");i.addParam("pIn","i32"),i.addParam("n","i32"),i.addParam("pOut","i32"),i.addLocal("pAux","i32"),i.addLocal("itIn","i32"),i.addLocal("itAux","i32"),i.addLocal("itOut","i32"),i.addLocal("i","i32");const o=i.getCodeBuilder(),r=o.i32_const(t.alloc(n));i.addCode(o.setLocal("pAux",o.i32_load(o.i32_const(0))),o.i32_store(o.i32_const(0),o.i32_add(o.getLocal("pAux"),o.i32_mul(o.getLocal("n"),o.i32_const(n)))),o.call(a+"_batchInverse",o.i32_add(o.getLocal("pIn"),o.i32_const(2*n)),o.i32_const(3*n),o.getLocal("n"),o.getLocal("pAux"),o.i32_const(n)),o.setLocal("itIn",o.getLocal("pIn")),o.setLocal("itAux",o.getLocal("pAux")),o.setLocal("itOut",o.getLocal("pOut")),o.setLocal("i",o.i32_const(0)),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("i"),o.getLocal("n"))),o.if(o.call(a+"_isZero",o.getLocal("itAux")),[...o.call(a+"_zero",o.getLocal("itOut")),...o.call(a+"_zero",o.i32_add(o.getLocal("itOut"),o.i32_const(n)))],[...o.call(a+"_mul",o.getLocal("itAux"),o.i32_add(o.getLocal("itIn"),o.i32_const(n)),r),...o.call(a+"_square",o.getLocal("itAux"),o.getLocal("itAux")),...o.call(a+"_mul",o.getLocal("itAux"),o.getLocal("itIn"),o.getLocal("itOut")),...o.call(a+"_mul",o.getLocal("itAux"),r,o.i32_add(o.getLocal("itOut"),o.i32_const(n)))]),o.setLocal("itIn",o.i32_add(o.getLocal("itIn"),o.i32_const(3*n))),o.setLocal("itOut",o.i32_add(o.getLocal("itOut"),o.i32_const(2*n))),o.setLocal("itAux",o.i32_add(o.getLocal("itAux"),o.i32_const(n))),o.setLocal("i",o.i32_add(o.getLocal("i"),o.i32_const(1))),o.br(0))),o.i32_store(o.i32_const(0),o.getLocal("pAux")))}(),function(){const i=t.addFunction(e+"_normalize");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),r=o.getLocal("p1"),c=o.i32_add(o.getLocal("p1"),o.i32_const(n)),l=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),s=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),o.call(e+"_zero",o.getLocal("pr")),[...o.call(a+"_inverse",l,g),...o.call(a+"_square",g,f),...o.call(a+"_mul",g,f,_),...o.call(a+"_mul",r,f,s),...o.call(a+"_mul",c,_,d),...o.call(a+"_one",u)]))}(),function(){const a=t.addFunction(e+"__reverseBytes");a.addParam("pIn","i32"),a.addParam("n","i32"),a.addParam("pOut","i32"),a.addLocal("itOut","i32"),a.addLocal("itIn","i32");const i=a.getCodeBuilder();a.addCode(i.setLocal("itOut",i.i32_sub(i.i32_add(i.getLocal("pOut"),i.getLocal("n")),i.i32_const(1))),i.setLocal("itIn",i.getLocal("pIn")),i.block(i.loop(i.br_if(1,i.i32_lt_s(i.getLocal("itOut"),i.getLocal("pOut"))),i.i32_store8(i.getLocal("itOut"),i.i32_load8_u(i.getLocal("itIn"))),i.setLocal("itOut",i.i32_sub(i.getLocal("itOut"),i.i32_const(1))),i.setLocal("itIn",i.i32_add(i.getLocal("itIn"),i.i32_const(1))),i.br(0))))}(),function(){const a=t.addFunction(e+"_LEMtoU");a.addParam("pIn","i32"),a.addParam("pOut","i32");const i=a.getCodeBuilder(),o=t.alloc(2*n),r=i.i32_const(o),c=i.i32_const(o),l=i.i32_const(o+n);a.addCode(i.if(i.call(e+"_isZeroAffine",i.getLocal("pIn")),[...i.call(e+"_zeroAffine",i.getLocal("pOut")),...i.i32_store8(i.getLocal("pOut"),i.i32_const(64)),...i.ret([])]),i.call(e+"_fromMontgomeryAffine",i.getLocal("pIn"),r),i.call(e+"__reverseBytes",c,i.i32_const(n),i.getLocal("pOut")),i.call(e+"__reverseBytes",l,i.i32_const(n),i.i32_add(i.getLocal("pOut"),i.i32_const(n))))}(),function(){const i=t.addFunction(e+"_LEMtoC");i.addParam("pIn","i32"),i.addParam("pOut","i32");const o=i.getCodeBuilder(),r=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("pIn")),[...o.call(a+"_zero",o.getLocal("pOut")),...o.i32_store8(o.getLocal("pOut"),o.i32_const(64)),...o.ret([])]),o.call(a+"_fromMontgomery",o.getLocal("pIn"),r),o.call(e+"__reverseBytes",r,o.i32_const(n),o.getLocal("pOut")),o.if(o.i32_eq(o.call(a+"_sign",o.i32_add(o.getLocal("pIn"),o.i32_const(n))),o.i32_const(-1)),o.i32_store8(o.getLocal("pOut"),o.i32_or(o.i32_load8_u(o.getLocal("pOut")),o.i32_const(128)))))}(),function(){const a=t.addFunction(e+"_UtoLEM");a.addParam("pIn","i32"),a.addParam("pOut","i32");const i=a.getCodeBuilder(),o=t.alloc(2*n),r=i.i32_const(o),c=i.i32_const(o),l=i.i32_const(o+n);a.addCode(i.if(i.i32_and(i.i32_load8_u(i.getLocal("pIn")),i.i32_const(64)),[...i.call(e+"_zeroAffine",i.getLocal("pOut")),...i.ret([])]),i.call(e+"__reverseBytes",i.getLocal("pIn"),i.i32_const(n),c),i.call(e+"__reverseBytes",i.i32_add(i.getLocal("pIn"),i.i32_const(n)),i.i32_const(n),l),i.call(e+"_toMontgomeryAffine",r,i.getLocal("pOut")))}(),function(){const o=t.addFunction(e+"_CtoLEM");o.addParam("pIn","i32"),o.addParam("pOut","i32"),o.addLocal("firstByte","i32"),o.addLocal("greatest","i32");const r=o.getCodeBuilder(),c=t.alloc(2*n),l=r.i32_const(c),s=r.i32_const(c+n);o.addCode(r.setLocal("firstByte",r.i32_load8_u(r.getLocal("pIn"))),r.if(r.i32_and(r.getLocal("firstByte"),r.i32_const(64)),[...r.call(e+"_zeroAffine",r.getLocal("pOut")),...r.ret([])]),r.setLocal("greatest",r.i32_and(r.getLocal("firstByte"),r.i32_const(128))),r.call(a+"_copy",r.getLocal("pIn"),s),r.i32_store8(s,r.i32_and(r.getLocal("firstByte"),r.i32_const(63))),r.call(e+"__reverseBytes",s,r.i32_const(n),l),r.call(a+"_toMontgomery",l,r.getLocal("pOut")),r.call(a+"_square",r.getLocal("pOut"),s),r.call(a+"_mul",r.getLocal("pOut"),s,s),r.call(a+"_add",s,r.i32_const(i),s),r.call(a+"_sqrt",s,s),r.call(a+"_neg",s,l),r.if(r.i32_eq(r.call(a+"_sign",s),r.i32_const(-1)),r.if(r.getLocal("greatest"),r.call(a+"_copy",s,r.i32_add(r.getLocal("pOut"),r.i32_const(n))),r.call(a+"_neg",s,r.i32_add(r.getLocal("pOut"),r.i32_const(n)))),r.if(r.getLocal("greatest"),r.call(a+"_neg",s,r.i32_add(r.getLocal("pOut"),r.i32_const(n))),r.call(a+"_copy",s,r.i32_add(r.getLocal("pOut"),r.i32_const(n))))))}(),qt(t,e+"_batchLEMtoU",e+"_LEMtoU",2*n,2*n),qt(t,e+"_batchLEMtoC",e+"_LEMtoC",2*n,n),qt(t,e+"_batchUtoLEM",e+"_UtoLEM",2*n,2*n),qt(t,e+"_batchCtoLEM",e+"_CtoLEM",n,2*n,!0),qt(t,e+"_batchToJacobian",e+"_toJacobian",2*n,3*n,!0),Mt(t,e,e+"_multiexp",e+"_add",3*n),Mt(t,e,e+"_multiexpAffine",e+"_addMixed",2*n),Qt(t,e+"_timesScalar",3*n,e+"_add",e+"_double",e+"_sub",e+"_copy",e+"_zero"),Qt(t,e+"_timesScalarAffine",2*n,e+"_addMixed",e+"_double",e+"_subMixed",e+"_copyAffine",e+"_zero"),t.exportFunction(e+"_isZero"),t.exportFunction(e+"_isZeroAffine"),t.exportFunction(e+"_eq"),t.exportFunction(e+"_eqMixed"),t.exportFunction(e+"_eqAffine"),t.exportFunction(e+"_copy"),t.exportFunction(e+"_copyAffine"),t.exportFunction(e+"_zero"),t.exportFunction(e+"_zeroAffine"),t.exportFunction(e+"_double"),t.exportFunction(e+"_doubleAffine"),t.exportFunction(e+"_add"),t.exportFunction(e+"_addMixed"),t.exportFunction(e+"_addAffine"),t.exportFunction(e+"_neg"),t.exportFunction(e+"_negAffine"),t.exportFunction(e+"_sub"),t.exportFunction(e+"_subMixed"),t.exportFunction(e+"_subAffine"),t.exportFunction(e+"_fromMontgomery"),t.exportFunction(e+"_fromMontgomeryAffine"),t.exportFunction(e+"_toMontgomery"),t.exportFunction(e+"_toMontgomeryAffine"),t.exportFunction(e+"_timesScalar"),t.exportFunction(e+"_timesScalarAffine"),t.exportFunction(e+"_normalize"),t.exportFunction(e+"_LEMtoU"),t.exportFunction(e+"_LEMtoC"),t.exportFunction(e+"_UtoLEM"),t.exportFunction(e+"_CtoLEM"),t.exportFunction(e+"_batchLEMtoU"),t.exportFunction(e+"_batchLEMtoC"),t.exportFunction(e+"_batchUtoLEM"),t.exportFunction(e+"_batchCtoLEM"),t.exportFunction(e+"_toAffine"),t.exportFunction(e+"_toJacobian"),t.exportFunction(e+"_batchToAffine"),t.exportFunction(e+"_batchToJacobian"),t.exportFunction(e+"_inCurve"),t.exportFunction(e+"_inCurveAffine"),e};const{isOdd:kt,modInv:Rt,modPow:Dt}=X,Nt=$;var jt=function(t,e,a,i,o){const n=8*t.modules[i].n64,r=8*t.modules[a].n64,c=t.modules[i].q;let l=c-1n,s=0;for(;!kt(l);)s++,l>>=1n;let d=2n;for(;1n===Dt(d,c>>1n,c);)d+=1n;const u=new Array(s+1);u[s]=Dt(d,l,c);let g=s-1;for(;g>=0;)u[g]=Dt(u[g+1],2n,c),g--;const f=[],_=(1n<>a);return e}const F=Array(256);for(let t=0;t<256;t++)F[t]=C(t);const x=t.alloc(F);function E(){const a=t.addFunction(e+"_fft");a.addParam("px","i32"),a.addParam("n","i32"),a.addLocal("bits","i32");const o=a.getCodeBuilder(),r=o.i32_const(t.alloc(n));a.addCode(o.setLocal("bits",o.call(e+"__log2",o.getLocal("n"))),o.call(i+"_one",r),o.call(e+"_rawfft",o.getLocal("px"),o.getLocal("bits"),o.i32_const(0),r))}!function(){const a=t.addFunction(e+"__rev");a.addParam("x","i32"),a.addParam("bits","i32"),a.setReturnType("i32");const i=a.getCodeBuilder();a.addCode(i.i32_rotl(i.i32_add(i.i32_add(i.i32_shl(i.i32_load8_u(i.i32_and(i.getLocal("x"),i.i32_const(255)),x,0),i.i32_const(24)),i.i32_shl(i.i32_load8_u(i.i32_and(i.i32_shr_u(i.getLocal("x"),i.i32_const(8)),i.i32_const(255)),x,0),i.i32_const(16))),i.i32_add(i.i32_shl(i.i32_load8_u(i.i32_and(i.i32_shr_u(i.getLocal("x"),i.i32_const(16)),i.i32_const(255)),x,0),i.i32_const(8)),i.i32_load8_u(i.i32_and(i.i32_shr_u(i.getLocal("x"),i.i32_const(24)),i.i32_const(255)),x,0))),i.getLocal("bits")))}(),function(){const i=t.addFunction(e+"__reversePermutation");i.addParam("px","i32"),i.addParam("bits","i32"),i.addLocal("n","i32"),i.addLocal("i","i32"),i.addLocal("ri","i32"),i.addLocal("idx1","i32"),i.addLocal("idx2","i32");const o=i.getCodeBuilder(),n=o.i32_const(t.alloc(r));i.addCode(o.setLocal("n",o.i32_shl(o.i32_const(1),o.getLocal("bits"))),o.setLocal("i",o.i32_const(0)),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("i"),o.getLocal("n"))),o.setLocal("idx1",o.i32_add(o.getLocal("px"),o.i32_mul(o.getLocal("i"),o.i32_const(r)))),o.setLocal("ri",o.call(e+"__rev",o.getLocal("i"),o.getLocal("bits"))),o.setLocal("idx2",o.i32_add(o.getLocal("px"),o.i32_mul(o.getLocal("ri"),o.i32_const(r)))),o.if(o.i32_lt_u(o.getLocal("i"),o.getLocal("ri")),[...o.call(a+"_copy",o.getLocal("idx1"),n),...o.call(a+"_copy",o.getLocal("idx2"),o.getLocal("idx1")),...o.call(a+"_copy",n,o.getLocal("idx2"))]),o.setLocal("i",o.i32_add(o.getLocal("i"),o.i32_const(1))),o.br(0))))}(),function(){const n=t.addFunction(e+"__fftFinal");n.addParam("px","i32"),n.addParam("bits","i32"),n.addParam("reverse","i32"),n.addParam("mulFactor","i32"),n.addLocal("n","i32"),n.addLocal("ndiv2","i32"),n.addLocal("pInv2","i32"),n.addLocal("i","i32"),n.addLocal("mask","i32"),n.addLocal("idx1","i32"),n.addLocal("idx2","i32");const c=n.getCodeBuilder(),l=c.i32_const(t.alloc(r));n.addCode(c.if(c.i32_and(c.i32_eqz(c.getLocal("reverse")),c.call(i+"_isOne",c.getLocal("mulFactor"))),c.ret([])),c.setLocal("n",c.i32_shl(c.i32_const(1),c.getLocal("bits"))),c.setLocal("mask",c.i32_sub(c.getLocal("n"),c.i32_const(1))),c.setLocal("i",c.i32_const(1)),c.setLocal("ndiv2",c.i32_shr_u(c.getLocal("n"),c.i32_const(1))),c.block(c.loop(c.br_if(1,c.i32_ge_u(c.getLocal("i"),c.getLocal("ndiv2"))),c.setLocal("idx1",c.i32_add(c.getLocal("px"),c.i32_mul(c.getLocal("i"),c.i32_const(r)))),c.setLocal("idx2",c.i32_add(c.getLocal("px"),c.i32_mul(c.i32_sub(c.getLocal("n"),c.getLocal("i")),c.i32_const(r)))),c.if(c.getLocal("reverse"),c.if(c.call(i+"_isOne",c.getLocal("mulFactor")),[...c.call(a+"_copy",c.getLocal("idx1"),l),...c.call(a+"_copy",c.getLocal("idx2"),c.getLocal("idx1")),...c.call(a+"_copy",l,c.getLocal("idx2"))],[...c.call(a+"_copy",c.getLocal("idx1"),l),...c.call(o,c.getLocal("idx2"),c.getLocal("mulFactor"),c.getLocal("idx1")),...c.call(o,l,c.getLocal("mulFactor"),c.getLocal("idx2"))]),c.if(c.call(i+"_isOne",c.getLocal("mulFactor")),[],[...c.call(o,c.getLocal("idx1"),c.getLocal("mulFactor"),c.getLocal("idx1")),...c.call(o,c.getLocal("idx2"),c.getLocal("mulFactor"),c.getLocal("idx2"))])),c.setLocal("i",c.i32_add(c.getLocal("i"),c.i32_const(1))),c.br(0))),c.if(c.call(i+"_isOne",c.getLocal("mulFactor")),[],[...c.call(o,c.getLocal("px"),c.getLocal("mulFactor"),c.getLocal("px")),...c.setLocal("idx2",c.i32_add(c.getLocal("px"),c.i32_mul(c.getLocal("ndiv2"),c.i32_const(r)))),...c.call(o,c.getLocal("idx2"),c.getLocal("mulFactor"),c.getLocal("idx2"))]))}(),function(){const c=t.addFunction(e+"_rawfft");c.addParam("px","i32"),c.addParam("bits","i32"),c.addParam("reverse","i32"),c.addParam("mulFactor","i32"),c.addLocal("s","i32"),c.addLocal("k","i32"),c.addLocal("j","i32"),c.addLocal("m","i32"),c.addLocal("mdiv2","i32"),c.addLocal("n","i32"),c.addLocal("pwm","i32"),c.addLocal("idx1","i32"),c.addLocal("idx2","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(r)),u=l.i32_const(t.alloc(r));c.addCode(l.call(e+"__reversePermutation",l.getLocal("px"),l.getLocal("bits")),l.setLocal("n",l.i32_shl(l.i32_const(1),l.getLocal("bits"))),l.setLocal("s",l.i32_const(1)),l.block(l.loop(l.br_if(1,l.i32_gt_u(l.getLocal("s"),l.getLocal("bits"))),l.setLocal("m",l.i32_shl(l.i32_const(1),l.getLocal("s"))),l.setLocal("pwm",l.i32_add(l.i32_const(p),l.i32_mul(l.getLocal("s"),l.i32_const(n)))),l.setLocal("k",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_ge_u(l.getLocal("k"),l.getLocal("n"))),l.call(i+"_one",s),l.setLocal("mdiv2",l.i32_shr_u(l.getLocal("m"),l.i32_const(1))),l.setLocal("j",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_ge_u(l.getLocal("j"),l.getLocal("mdiv2"))),l.setLocal("idx1",l.i32_add(l.getLocal("px"),l.i32_mul(l.i32_add(l.getLocal("k"),l.getLocal("j")),l.i32_const(r)))),l.setLocal("idx2",l.i32_add(l.getLocal("idx1"),l.i32_mul(l.getLocal("mdiv2"),l.i32_const(r)))),l.call(o,l.getLocal("idx2"),s,d),l.call(a+"_copy",l.getLocal("idx1"),u),l.call(a+"_add",u,d,l.getLocal("idx1")),l.call(a+"_sub",u,d,l.getLocal("idx2")),l.call(i+"_mul",s,l.getLocal("pwm"),s),l.setLocal("j",l.i32_add(l.getLocal("j"),l.i32_const(1))),l.br(0))),l.setLocal("k",l.i32_add(l.getLocal("k"),l.getLocal("m"))),l.br(0))),l.setLocal("s",l.i32_add(l.getLocal("s"),l.i32_const(1))),l.br(0))),l.call(e+"__fftFinal",l.getLocal("px"),l.getLocal("bits"),l.getLocal("reverse"),l.getLocal("mulFactor")))}(),function(){const a=t.addFunction(e+"__log2");a.addParam("n","i32"),a.setReturnType("i32"),a.addLocal("bits","i32"),a.addLocal("aux","i32");const i=a.getCodeBuilder();a.addCode(i.setLocal("aux",i.i32_shr_u(i.getLocal("n"),i.i32_const(1)))),a.addCode(i.setLocal("bits",i.i32_const(0))),a.addCode(i.block(i.loop(i.br_if(1,i.i32_eqz(i.getLocal("aux"))),i.setLocal("aux",i.i32_shr_u(i.getLocal("aux"),i.i32_const(1))),i.setLocal("bits",i.i32_add(i.getLocal("bits"),i.i32_const(1))),i.br(0)))),a.addCode(i.if(i.i32_ne(i.getLocal("n"),i.i32_shl(i.i32_const(1),i.getLocal("bits"))),i.unreachable())),a.addCode(i.if(i.i32_gt_u(i.getLocal("bits"),i.i32_const(s)),i.unreachable())),a.addCode(i.getLocal("bits"))}(),E(),function(){const a=t.addFunction(e+"_ifft");a.addParam("px","i32"),a.addParam("n","i32"),a.addLocal("bits","i32"),a.addLocal("pInv2","i32");const i=a.getCodeBuilder();a.addCode(i.setLocal("bits",i.call(e+"__log2",i.getLocal("n"))),i.setLocal("pInv2",i.i32_add(i.i32_const(L),i.i32_mul(i.getLocal("bits"),i.i32_const(n)))),i.call(e+"_rawfft",i.getLocal("px"),i.getLocal("bits"),i.i32_const(1),i.getLocal("pInv2")))}(),function(){const c=t.addFunction(e+"_fftJoin");c.addParam("pBuff1","i32"),c.addParam("pBuff2","i32"),c.addParam("n","i32"),c.addParam("first","i32"),c.addParam("inc","i32"),c.addLocal("idx1","i32"),c.addLocal("idx2","i32"),c.addLocal("i","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(r)),u=l.i32_const(t.alloc(r));c.addCode(l.call(i+"_copy",l.getLocal("first"),s),l.setLocal("i",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_eq(l.getLocal("i"),l.getLocal("n"))),l.setLocal("idx1",l.i32_add(l.getLocal("pBuff1"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.setLocal("idx2",l.i32_add(l.getLocal("pBuff2"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.call(o,l.getLocal("idx2"),s,d),l.call(a+"_copy",l.getLocal("idx1"),u),l.call(a+"_add",u,d,l.getLocal("idx1")),l.call(a+"_sub",u,d,l.getLocal("idx2")),l.call(i+"_mul",s,l.getLocal("inc"),s),l.setLocal("i",l.i32_add(l.getLocal("i"),l.i32_const(1))),l.br(0))))}(),function(){const c=t.addFunction(e+"_fftJoinExt");c.addParam("pBuff1","i32"),c.addParam("pBuff2","i32"),c.addParam("n","i32"),c.addParam("first","i32"),c.addParam("inc","i32"),c.addParam("totalBits","i32"),c.addLocal("idx1","i32"),c.addLocal("idx2","i32"),c.addLocal("i","i32"),c.addLocal("pShiftToM","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(r));c.addCode(l.setLocal("pShiftToM",l.i32_add(l.i32_const(y),l.i32_mul(l.getLocal("totalBits"),l.i32_const(n)))),l.call(i+"_copy",l.getLocal("first"),s),l.setLocal("i",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_eq(l.getLocal("i"),l.getLocal("n"))),l.setLocal("idx1",l.i32_add(l.getLocal("pBuff1"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.setLocal("idx2",l.i32_add(l.getLocal("pBuff2"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.call(a+"_add",l.getLocal("idx1"),l.getLocal("idx2"),d),l.call(o,l.getLocal("idx2"),l.getLocal("pShiftToM"),l.getLocal("idx2")),l.call(a+"_add",l.getLocal("idx1"),l.getLocal("idx2"),l.getLocal("idx2")),l.call(o,l.getLocal("idx2"),s,l.getLocal("idx2")),l.call(a+"_copy",d,l.getLocal("idx1")),l.call(i+"_mul",s,l.getLocal("inc"),s),l.setLocal("i",l.i32_add(l.getLocal("i"),l.i32_const(1))),l.br(0))))}(),function(){const c=t.addFunction(e+"_fftJoinExtInv");c.addParam("pBuff1","i32"),c.addParam("pBuff2","i32"),c.addParam("n","i32"),c.addParam("first","i32"),c.addParam("inc","i32"),c.addParam("totalBits","i32"),c.addLocal("idx1","i32"),c.addLocal("idx2","i32"),c.addLocal("i","i32"),c.addLocal("pShiftToM","i32"),c.addLocal("pSConst","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(r));c.addCode(l.setLocal("pShiftToM",l.i32_add(l.i32_const(y),l.i32_mul(l.getLocal("totalBits"),l.i32_const(n)))),l.setLocal("pSConst",l.i32_add(l.i32_const(I),l.i32_mul(l.getLocal("totalBits"),l.i32_const(n)))),l.call(i+"_copy",l.getLocal("first"),s),l.setLocal("i",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_eq(l.getLocal("i"),l.getLocal("n"))),l.setLocal("idx1",l.i32_add(l.getLocal("pBuff1"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.setLocal("idx2",l.i32_add(l.getLocal("pBuff2"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.call(o,l.getLocal("idx2"),s,d),l.call(a+"_sub",l.getLocal("idx1"),d,l.getLocal("idx2")),l.call(o,l.getLocal("idx2"),l.getLocal("pSConst"),l.getLocal("idx2")),l.call(o,l.getLocal("idx1"),l.getLocal("pShiftToM"),l.getLocal("idx1")),l.call(a+"_sub",d,l.getLocal("idx1"),l.getLocal("idx1")),l.call(o,l.getLocal("idx1"),l.getLocal("pSConst"),l.getLocal("idx1")),l.call(i+"_mul",s,l.getLocal("inc"),s),l.setLocal("i",l.i32_add(l.getLocal("i"),l.i32_const(1))),l.br(0))))}(),function(){const c=t.addFunction(e+"_fftMix");c.addParam("pBuff","i32"),c.addParam("n","i32"),c.addParam("exp","i32"),c.addLocal("nGroups","i32"),c.addLocal("nPerGroup","i32"),c.addLocal("nPerGroupDiv2","i32"),c.addLocal("pairOffset","i32"),c.addLocal("idx1","i32"),c.addLocal("idx2","i32"),c.addLocal("i","i32"),c.addLocal("j","i32"),c.addLocal("pwm","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(r)),u=l.i32_const(t.alloc(r));c.addCode(l.setLocal("nPerGroup",l.i32_shl(l.i32_const(1),l.getLocal("exp"))),l.setLocal("nPerGroupDiv2",l.i32_shr_u(l.getLocal("nPerGroup"),l.i32_const(1))),l.setLocal("nGroups",l.i32_shr_u(l.getLocal("n"),l.getLocal("exp"))),l.setLocal("pairOffset",l.i32_mul(l.getLocal("nPerGroupDiv2"),l.i32_const(r))),l.setLocal("pwm",l.i32_add(l.i32_const(p),l.i32_mul(l.getLocal("exp"),l.i32_const(n)))),l.setLocal("i",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_eq(l.getLocal("i"),l.getLocal("nGroups"))),l.call(i+"_one",s),l.setLocal("j",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_eq(l.getLocal("j"),l.getLocal("nPerGroupDiv2"))),l.setLocal("idx1",l.i32_add(l.getLocal("pBuff"),l.i32_mul(l.i32_add(l.i32_mul(l.getLocal("i"),l.getLocal("nPerGroup")),l.getLocal("j")),l.i32_const(r)))),l.setLocal("idx2",l.i32_add(l.getLocal("idx1"),l.getLocal("pairOffset"))),l.call(o,l.getLocal("idx2"),s,d),l.call(a+"_copy",l.getLocal("idx1"),u),l.call(a+"_add",u,d,l.getLocal("idx1")),l.call(a+"_sub",u,d,l.getLocal("idx2")),l.call(i+"_mul",s,l.getLocal("pwm"),s),l.setLocal("j",l.i32_add(l.getLocal("j"),l.i32_const(1))),l.br(0))),l.setLocal("i",l.i32_add(l.getLocal("i"),l.i32_const(1))),l.br(0))))}(),function(){const i=t.addFunction(e+"_fftFinal");i.addParam("pBuff","i32"),i.addParam("n","i32"),i.addParam("factor","i32"),i.addLocal("idx1","i32"),i.addLocal("idx2","i32"),i.addLocal("i","i32"),i.addLocal("ndiv2","i32");const n=i.getCodeBuilder(),c=n.i32_const(t.alloc(r));i.addCode(n.setLocal("ndiv2",n.i32_shr_u(n.getLocal("n"),n.i32_const(1))),n.if(n.i32_and(n.getLocal("n"),n.i32_const(1)),n.call(o,n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.getLocal("ndiv2"),n.i32_const(r))),n.getLocal("factor"),n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.getLocal("ndiv2"),n.i32_const(r))))),n.setLocal("i",n.i32_const(0)),n.block(n.loop(n.br_if(1,n.i32_ge_u(n.getLocal("i"),n.getLocal("ndiv2"))),n.setLocal("idx1",n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.getLocal("i"),n.i32_const(r)))),n.setLocal("idx2",n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.i32_sub(n.i32_sub(n.getLocal("n"),n.i32_const(1)),n.getLocal("i")),n.i32_const(r)))),n.call(o,n.getLocal("idx2"),n.getLocal("factor"),c),n.call(o,n.getLocal("idx1"),n.getLocal("factor"),n.getLocal("idx2")),n.call(a+"_copy",c,n.getLocal("idx1")),n.setLocal("i",n.i32_add(n.getLocal("i"),n.i32_const(1))),n.br(0))))}(),function(){const c=t.addFunction(e+"_prepareLagrangeEvaluation");c.addParam("pBuff1","i32"),c.addParam("pBuff2","i32"),c.addParam("n","i32"),c.addParam("first","i32"),c.addParam("inc","i32"),c.addParam("totalBits","i32"),c.addLocal("idx1","i32"),c.addLocal("idx2","i32"),c.addLocal("i","i32"),c.addLocal("pShiftToM","i32"),c.addLocal("pSConst","i32");const l=c.getCodeBuilder(),s=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(r));c.addCode(l.setLocal("pShiftToM",l.i32_add(l.i32_const(y),l.i32_mul(l.getLocal("totalBits"),l.i32_const(n)))),l.setLocal("pSConst",l.i32_add(l.i32_const(I),l.i32_mul(l.getLocal("totalBits"),l.i32_const(n)))),l.call(i+"_copy",l.getLocal("first"),s),l.setLocal("i",l.i32_const(0)),l.block(l.loop(l.br_if(1,l.i32_eq(l.getLocal("i"),l.getLocal("n"))),l.setLocal("idx1",l.i32_add(l.getLocal("pBuff1"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.setLocal("idx2",l.i32_add(l.getLocal("pBuff2"),l.i32_mul(l.getLocal("i"),l.i32_const(r)))),l.call(o,l.getLocal("idx1"),l.getLocal("pShiftToM"),d),l.call(a+"_sub",l.getLocal("idx2"),d,d),l.call(a+"_sub",l.getLocal("idx1"),l.getLocal("idx2"),l.getLocal("idx2")),l.call(o,d,l.getLocal("pSConst"),l.getLocal("idx1")),l.call(o,l.getLocal("idx2"),s,l.getLocal("idx2")),l.call(i+"_mul",s,l.getLocal("inc"),s),l.setLocal("i",l.i32_add(l.getLocal("i"),l.i32_const(1))),l.br(0))))}(),t.exportFunction(e+"_fft"),t.exportFunction(e+"_ifft"),t.exportFunction(e+"_rawfft"),t.exportFunction(e+"_fftJoin"),t.exportFunction(e+"_fftJoinExt"),t.exportFunction(e+"_fftJoinExtInv"),t.exportFunction(e+"_fftMix"),t.exportFunction(e+"_fftFinal"),t.exportFunction(e+"_prepareLagrangeEvaluation")},Vt=function(t,e,a){const i=8*t.modules[a].n64;return function(){const o=t.addFunction(e+"_zero");o.addParam("px","i32"),o.addParam("n","i32"),o.addLocal("lastp","i32"),o.addLocal("p","i32");const n=o.getCodeBuilder();o.addCode(n.setLocal("p",n.getLocal("px")),n.setLocal("lastp",n.i32_add(n.getLocal("px"),n.i32_mul(n.getLocal("n"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("p"),n.getLocal("lastp"))),n.call(a+"_zero",n.getLocal("p")),n.setLocal("p",n.i32_add(n.getLocal("p"),n.i32_const(i))),n.br(0))))}(),function(){const o=t.addFunction(e+"_constructLC");o.addParam("ppolynomials","i32"),o.addParam("psignals","i32"),o.addParam("nSignals","i32"),o.addParam("pres","i32"),o.addLocal("i","i32"),o.addLocal("j","i32"),o.addLocal("pp","i32"),o.addLocal("ps","i32"),o.addLocal("pd","i32"),o.addLocal("ncoefs","i32");const n=o.getCodeBuilder(),r=n.i32_const(t.alloc(i));o.addCode(n.setLocal("i",n.i32_const(0)),n.setLocal("pp",n.getLocal("ppolynomials")),n.setLocal("ps",n.getLocal("psignals")),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("i"),n.getLocal("nSignals"))),n.setLocal("ncoefs",n.i32_load(n.getLocal("pp"))),n.setLocal("pp",n.i32_add(n.getLocal("pp"),n.i32_const(4))),n.setLocal("j",n.i32_const(0)),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("j"),n.getLocal("ncoefs"))),n.setLocal("pd",n.i32_add(n.getLocal("pres"),n.i32_mul(n.i32_load(n.getLocal("pp")),n.i32_const(i)))),n.setLocal("pp",n.i32_add(n.getLocal("pp"),n.i32_const(4))),n.call(a+"_mul",n.getLocal("ps"),n.getLocal("pp"),r),n.call(a+"_add",r,n.getLocal("pd"),n.getLocal("pd")),n.setLocal("pp",n.i32_add(n.getLocal("pp"),n.i32_const(i))),n.setLocal("j",n.i32_add(n.getLocal("j"),n.i32_const(1))),n.br(0))),n.setLocal("ps",n.i32_add(n.getLocal("ps"),n.i32_const(i))),n.setLocal("i",n.i32_add(n.getLocal("i"),n.i32_const(1))),n.br(0))))}(),t.exportFunction(e+"_zero"),t.exportFunction(e+"_constructLC"),e},Kt=function(t,e,a){const i=8*t.modules[a].n64;return function(){const o=t.addFunction(e+"_buildABC");o.addParam("pCoefs","i32"),o.addParam("nCoefs","i32"),o.addParam("pWitness","i32"),o.addParam("pA","i32"),o.addParam("pB","i32"),o.addParam("pC","i32"),o.addParam("offsetOut","i32"),o.addParam("nOut","i32"),o.addParam("offsetWitness","i32"),o.addParam("nWitness","i32"),o.addLocal("it","i32"),o.addLocal("ita","i32"),o.addLocal("itb","i32"),o.addLocal("last","i32"),o.addLocal("m","i32"),o.addLocal("c","i32"),o.addLocal("s","i32"),o.addLocal("pOut","i32");const n=o.getCodeBuilder(),r=n.i32_const(t.alloc(i));o.addCode(n.setLocal("ita",n.getLocal("pA")),n.setLocal("itb",n.getLocal("pB")),n.setLocal("last",n.i32_add(n.getLocal("pA"),n.i32_mul(n.getLocal("nOut"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_zero",n.getLocal("ita")),n.call(a+"_zero",n.getLocal("itb")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.br(0))),n.setLocal("it",n.getLocal("pCoefs")),n.setLocal("last",n.i32_add(n.getLocal("pCoefs"),n.i32_mul(n.getLocal("nCoefs"),n.i32_const(i+12)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("it"),n.getLocal("last"))),n.setLocal("s",n.i32_load(n.getLocal("it"),8)),n.if(n.i32_or(n.i32_lt_u(n.getLocal("s"),n.getLocal("offsetWitness")),n.i32_ge_u(n.getLocal("s"),n.i32_add(n.getLocal("offsetWitness"),n.getLocal("nWitness")))),[...n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),...n.br(1)]),n.setLocal("m",n.i32_load(n.getLocal("it"))),n.if(n.i32_eq(n.getLocal("m"),n.i32_const(0)),n.setLocal("pOut",n.getLocal("pA")),n.if(n.i32_eq(n.getLocal("m"),n.i32_const(1)),n.setLocal("pOut",n.getLocal("pB")),[...n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),...n.br(1)])),n.setLocal("c",n.i32_load(n.getLocal("it"),4)),n.if(n.i32_or(n.i32_lt_u(n.getLocal("c"),n.getLocal("offsetOut")),n.i32_ge_u(n.getLocal("c"),n.i32_add(n.getLocal("offsetOut"),n.getLocal("nOut")))),[...n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),...n.br(1)]),n.setLocal("pOut",n.i32_add(n.getLocal("pOut"),n.i32_mul(n.i32_sub(n.getLocal("c"),n.getLocal("offsetOut")),n.i32_const(i)))),n.call(a+"_mul",n.i32_add(n.getLocal("pWitness"),n.i32_mul(n.i32_sub(n.getLocal("s"),n.getLocal("offsetWitness")),n.i32_const(i))),n.i32_add(n.getLocal("it"),n.i32_const(12)),r),n.call(a+"_add",n.getLocal("pOut"),r,n.getLocal("pOut")),n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),n.br(0))),n.setLocal("ita",n.getLocal("pA")),n.setLocal("itb",n.getLocal("pB")),n.setLocal("it",n.getLocal("pC")),n.setLocal("last",n.i32_add(n.getLocal("pA"),n.i32_mul(n.getLocal("nOut"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_mul",n.getLocal("ita"),n.getLocal("itb"),n.getLocal("it")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i))),n.br(0))))}(),function(){const o=t.addFunction(e+"_joinABC");o.addParam("pA","i32"),o.addParam("pB","i32"),o.addParam("pC","i32"),o.addParam("n","i32"),o.addParam("pP","i32"),o.addLocal("ita","i32"),o.addLocal("itb","i32"),o.addLocal("itc","i32"),o.addLocal("itp","i32"),o.addLocal("last","i32");const n=o.getCodeBuilder(),r=n.i32_const(t.alloc(i));o.addCode(n.setLocal("ita",n.getLocal("pA")),n.setLocal("itb",n.getLocal("pB")),n.setLocal("itc",n.getLocal("pC")),n.setLocal("itp",n.getLocal("pP")),n.setLocal("last",n.i32_add(n.getLocal("pA"),n.i32_mul(n.getLocal("n"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_mul",n.getLocal("ita"),n.getLocal("itb"),r),n.call(a+"_sub",r,n.getLocal("itc"),n.getLocal("itp")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.setLocal("itc",n.i32_add(n.getLocal("itc"),n.i32_const(i))),n.setLocal("itp",n.i32_add(n.getLocal("itp"),n.i32_const(i))),n.br(0))))}(),function(){const o=t.addFunction(e+"_batchAdd");o.addParam("pa","i32"),o.addParam("pb","i32"),o.addParam("n","i32"),o.addParam("pr","i32"),o.addLocal("ita","i32"),o.addLocal("itb","i32"),o.addLocal("itr","i32"),o.addLocal("last","i32");const n=o.getCodeBuilder();o.addCode(n.setLocal("ita",n.getLocal("pa")),n.setLocal("itb",n.getLocal("pb")),n.setLocal("itr",n.getLocal("pr")),n.setLocal("last",n.i32_add(n.getLocal("pa"),n.i32_mul(n.getLocal("n"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_add",n.getLocal("ita"),n.getLocal("itb"),n.getLocal("itr")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.setLocal("itr",n.i32_add(n.getLocal("itr"),n.i32_const(i))),n.br(0))))}(),t.exportFunction(e+"_buildABC"),t.exportFunction(e+"_joinABC"),t.exportFunction(e+"_batchAdd"),e},Ht=function(t,e,a,i,o,n,r,c){const l=t.addFunction(e);l.addParam("pIn","i32"),l.addParam("n","i32"),l.addParam("pFirst","i32"),l.addParam("pInc","i32"),l.addParam("pOut","i32"),l.addLocal("pOldFree","i32"),l.addLocal("i","i32"),l.addLocal("pFrom","i32"),l.addLocal("pTo","i32");const s=l.getCodeBuilder(),d=s.i32_const(t.alloc(r));l.addCode(s.setLocal("pFrom",s.getLocal("pIn")),s.setLocal("pTo",s.getLocal("pOut"))),l.addCode(s.call(i+"_copy",s.getLocal("pFirst"),d)),l.addCode(s.setLocal("i",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("n"))),s.call(c,s.getLocal("pFrom"),d,s.getLocal("pTo")),s.setLocal("pFrom",s.i32_add(s.getLocal("pFrom"),s.i32_const(o))),s.setLocal("pTo",s.i32_add(s.getLocal("pTo"),s.i32_const(n))),s.call(i+"_mul",d,s.getLocal("pInc"),d),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0)))),t.exportFunction(e)};const $t=$,Yt=Ft,Wt=Bt,Zt=Pt,Jt=zt,Xt=Tt,te=jt,ee=Vt,ae=Kt,ie=Ht,{bitLength:oe,modInv:ne,isOdd:re,isNegative:ce}=X;const le=$,se=Ft,de=Bt,ue=Pt,ge=zt,fe=Tt,_e=jt,pe=Vt,he=Kt,me=Ht,{bitLength:Le,isOdd:we,isNegative:be}=X;var Ae=function(t,e){const a=e||"bn128";if(t.modules[a])return a;const i=21888242871839275222246405745257275088696311157297823662689037894645226208583n,o=21888242871839275222246405745257275088548364400416034343698204186575808495617n,n=Math.floor((oe(i-1n)-1)/64)+1,r=8*n,c=r,l=r,s=2*l,d=12*l,u=t.alloc($t.bigInt2BytesLE(o,c)),g=Yt(t,i,"f1m");Wt(t,o,"fr","frm");const f=t.alloc($t.bigInt2BytesLE(w(3n),l)),_=Xt(t,"g1m","f1m",f);te(t,"frm","frm","frm","frm_mul"),ee(t,"pol","frm"),ae(t,"qap","frm");const p=Zt(t,"f1m_neg","f2m","f1m"),h=t.alloc([...$t.bigInt2BytesLE(w(19485874751759354771024239261021720505790618469301721065564631296452457478373n),l),...$t.bigInt2BytesLE(w(266929791119991161246907387137283842545076965332900288569378510910307636690n),l)]),m=Xt(t,"g2m","f2m",h);function L(e,a){const i=t.addFunction(e);i.addParam("pG","i32"),i.addParam("pFr","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),n=o.i32_const(t.alloc(r));i.addCode(o.call("frm_fromMontgomery",o.getLocal("pFr"),n),o.call(a,o.getLocal("pG"),n,o.i32_const(r),o.getLocal("pr"))),t.exportFunction(e)}function w(t){return BigInt(t)*(1n<0n;)re(e)?a.push(1):a.push(0),e>>=1n;return a}(29793968203157093288n),Q=t.alloc(z),q=3*s,M=z.length-1,T=z.reduce(((t,e)=>t+(0!=e?1:0)),0),k=6*r,R=3*r*2+(T+M+1)*q;t.modules[a]={n64:n,pG1gen:A,pG1zero:I,pG1b:f,pG2gen:F,pG2zero:E,pG2b:h,pq:t.modules.f1m.pq,pr:u,pOneT:B,prePSize:k,preQSize:R,r:o.toString(),q:i.toString()};const D=4965661367192848881n;function N(e){const o=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[8376118865763821496583973867626364092589906065868298776909617916018768340080n,16469823323077808223889137241176536799009286646108169935659301613961712198316n],[21888242871839275220042445260109153167277707414472061641714758635765020556617n,0n],[11697423496358154304825782922584725312912383441159505038794027105778954184319n,303847389135065887422783454877609941456349188919719272345083954437860409601n],[21888242871839275220042445260109153167277707414472061641714758635765020556616n,0n],[3321304630594332808241809054958361220322477375291206261884409189760185844239n,5722266937896532885780051958958348231143373700109372999374820235121374419868n],[21888242871839275222246405745257275088696311157297823662689037894645226208582n,0n],[13512124006075453725662431877630910996106405091429524885779419978626457868503n,5418419548761466998357268504080738289687024511189653727029736280683514010267n],[2203960485148121921418603742825762020974279258880205651966n,0n],[10190819375481120917420622822672549775783927716138318623895010788866272024264n,21584395482704209334823622290379665147239961968378104390343953940207365798982n],[2203960485148121921418603742825762020974279258880205651967n,0n],[18566938241244942414004596690298913868373833782006617400804628704885040364344n,16165975933942742336466353786298926857552937457188450663314217659523851788715n]]],n=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[21575463638280843010398324269430826099269044274347216827212613867836435027261n,10307601595873709700152284273816112264069230130616436755625194854815875713954n],[21888242871839275220042445260109153167277707414472061641714758635765020556616n,0n],[3772000881919853776433695186713858239009073593817195771773381919316419345261n,2236595495967245188281701248203181795121068902605861227855261137820944008926n],[2203960485148121921418603742825762020974279258880205651966n,0n],[18429021223477853657660792034369865839114504446431234726392080002137598044644n,9344045779998320333812420223237981029506012124075525679208581902008406485703n]],[[1n,0n],[2581911344467009335267311115468803099551665605076196740867805258568234346338n,19937756971775647987995932169929341994314640652964949448313374472400716661030n],[2203960485148121921418603742825762020974279258880205651966n,0n],[5324479202449903542726783395506214481928257762400643279780343368557297135718n,16208900380737693084919495127334387981393726419856888799917914180988844123039n],[21888242871839275220042445260109153167277707414472061641714758635765020556616n,0n],[13981852324922362344252311234282257507216387789820983642040889267519694726527n,7629828391165209371577384193250820201684255241773809077146787135900891633097n]]],r=t.addFunction(a+"__frobeniusMap"+e);r.addParam("x","i32"),r.addParam("r","i32");const c=r.getCodeBuilder();for(let a=0;a<6;a++){const i=0==a?c.getLocal("x"):c.i32_add(c.getLocal("x"),c.i32_const(a*s)),u=i,f=c.i32_add(c.getLocal("x"),c.i32_const(a*s+l)),_=0==a?c.getLocal("r"):c.i32_add(c.getLocal("r"),c.i32_const(a*s)),h=_,m=c.i32_add(c.getLocal("r"),c.i32_const(a*s+l)),L=d(o[Math.floor(a/3)][e%12],n[a%3][e%6]),b=t.alloc([...$t.bigInt2BytesLE(w(L[0]),32),...$t.bigInt2BytesLE(w(L[1]),32)]);e%2==1?r.addCode(c.call(g+"_copy",u,h),c.call(g+"_neg",f,m),c.call(p+"_mul",_,c.i32_const(b),_)):r.addCode(c.call(p+"_mul",i,c.i32_const(b),_))}function d(t,e){const a=BigInt(t[0]),o=BigInt(t[1]),n=BigInt(e[0]),r=BigInt(e[1]),c=[(a*n-o*r)%i,(a*r+o*n)%i];return ce(c[0])&&(c[0]=c[0]+i),c}}function j(e,i){const o=function(t){let e=t;const a=[];for(;e>0n;){if(re(e)){const t=2-Number(e%4n);a.push(t),e-=BigInt(t)}else a.push(0);e>>=1n}return a}(e).map((t=>-1==t?255:t)),n=t.alloc(o),r=t.addFunction(a+"__cyclotomicExp_"+i);r.addParam("x","i32"),r.addParam("r","i32"),r.addLocal("bit","i32"),r.addLocal("i","i32");const c=r.getCodeBuilder(),l=c.getLocal("x"),s=c.getLocal("r"),u=c.i32_const(t.alloc(d));r.addCode(c.call(U+"_conjugate",l,u),c.call(U+"_one",s),c.if(c.teeLocal("bit",c.i32_load8_s(c.i32_const(o.length-1),n)),c.if(c.i32_eq(c.getLocal("bit"),c.i32_const(1)),c.call(U+"_mul",s,l,s),c.call(U+"_mul",s,u,s))),c.setLocal("i",c.i32_const(o.length-2)),c.block(c.loop(c.call(a+"__cyclotomicSquare",s,s),c.if(c.teeLocal("bit",c.i32_load8_s(c.getLocal("i"),n)),c.if(c.i32_eq(c.getLocal("bit"),c.i32_const(1)),c.call(U+"_mul",s,l,s),c.call(U+"_mul",s,u,s))),c.br_if(1,c.i32_eqz(c.getLocal("i"))),c.setLocal("i",c.i32_sub(c.getLocal("i"),c.i32_const(1))),c.br(0))))}function V(){!function(){const e=t.addFunction(a+"__cyclotomicSquare");e.addParam("x","i32"),e.addParam("r","i32");const i=e.getCodeBuilder(),o=i.getLocal("x"),n=i.i32_add(i.getLocal("x"),i.i32_const(s)),r=i.i32_add(i.getLocal("x"),i.i32_const(2*s)),c=i.i32_add(i.getLocal("x"),i.i32_const(3*s)),l=i.i32_add(i.getLocal("x"),i.i32_const(4*s)),d=i.i32_add(i.getLocal("x"),i.i32_const(5*s)),u=i.getLocal("r"),g=i.i32_add(i.getLocal("r"),i.i32_const(s)),f=i.i32_add(i.getLocal("r"),i.i32_const(2*s)),_=i.i32_add(i.getLocal("r"),i.i32_const(3*s)),h=i.i32_add(i.getLocal("r"),i.i32_const(4*s)),m=i.i32_add(i.getLocal("r"),i.i32_const(5*s)),L=i.i32_const(t.alloc(s)),w=i.i32_const(t.alloc(s)),b=i.i32_const(t.alloc(s)),A=i.i32_const(t.alloc(s)),y=i.i32_const(t.alloc(s)),I=i.i32_const(t.alloc(s)),C=i.i32_const(t.alloc(s)),F=i.i32_const(t.alloc(s));e.addCode(i.call(p+"_mul",o,l,C),i.call(p+"_mul",l,i.i32_const(v),L),i.call(p+"_add",o,L,L),i.call(p+"_add",o,l,F),i.call(p+"_mul",F,L,L),i.call(p+"_mul",i.i32_const(v),C,F),i.call(p+"_add",C,F,F),i.call(p+"_sub",L,F,L),i.call(p+"_add",C,C,w),i.call(p+"_mul",c,r,C),i.call(p+"_mul",r,i.i32_const(v),b),i.call(p+"_add",c,b,b),i.call(p+"_add",c,r,F),i.call(p+"_mul",F,b,b),i.call(p+"_mul",i.i32_const(v),C,F),i.call(p+"_add",C,F,F),i.call(p+"_sub",b,F,b),i.call(p+"_add",C,C,A),i.call(p+"_mul",n,d,C),i.call(p+"_mul",d,i.i32_const(v),y),i.call(p+"_add",n,y,y),i.call(p+"_add",n,d,F),i.call(p+"_mul",F,y,y),i.call(p+"_mul",i.i32_const(v),C,F),i.call(p+"_add",C,F,F),i.call(p+"_sub",y,F,y),i.call(p+"_add",C,C,I),i.call(p+"_sub",L,o,u),i.call(p+"_add",u,u,u),i.call(p+"_add",L,u,u),i.call(p+"_add",w,l,h),i.call(p+"_add",h,h,h),i.call(p+"_add",w,h,h),i.call(p+"_mul",I,i.i32_const(G),F),i.call(p+"_add",F,c,_),i.call(p+"_add",_,_,_),i.call(p+"_add",F,_,_),i.call(p+"_sub",y,r,f),i.call(p+"_add",f,f,f),i.call(p+"_add",y,f,f),i.call(p+"_sub",b,n,g),i.call(p+"_add",g,g,g),i.call(p+"_add",b,g,g),i.call(p+"_add",A,d,m),i.call(p+"_add",m,m,m),i.call(p+"_add",A,m,m))}(),j(D,"w0");const e=t.addFunction(a+"__finalExponentiationLastChunk");e.addParam("x","i32"),e.addParam("r","i32");const i=e.getCodeBuilder(),o=i.getLocal("x"),n=i.getLocal("r"),r=i.i32_const(t.alloc(d)),c=i.i32_const(t.alloc(d)),l=i.i32_const(t.alloc(d)),u=i.i32_const(t.alloc(d)),g=i.i32_const(t.alloc(d)),f=i.i32_const(t.alloc(d)),_=i.i32_const(t.alloc(d)),h=i.i32_const(t.alloc(d)),m=i.i32_const(t.alloc(d)),L=i.i32_const(t.alloc(d)),w=i.i32_const(t.alloc(d)),b=i.i32_const(t.alloc(d)),A=i.i32_const(t.alloc(d)),y=i.i32_const(t.alloc(d)),I=i.i32_const(t.alloc(d)),C=i.i32_const(t.alloc(d)),F=i.i32_const(t.alloc(d)),x=i.i32_const(t.alloc(d)),E=i.i32_const(t.alloc(d)),B=i.i32_const(t.alloc(d)),S=i.i32_const(t.alloc(d));e.addCode(i.call(a+"__cyclotomicExp_w0",o,r),i.call(U+"_conjugate",r,r),i.call(a+"__cyclotomicSquare",r,c),i.call(a+"__cyclotomicSquare",c,l),i.call(U+"_mul",l,c,u),i.call(a+"__cyclotomicExp_w0",u,g),i.call(U+"_conjugate",g,g),i.call(a+"__cyclotomicSquare",g,f),i.call(a+"__cyclotomicExp_w0",f,_),i.call(U+"_conjugate",_,_),i.call(U+"_conjugate",u,h),i.call(U+"_conjugate",_,m),i.call(U+"_mul",m,g,L),i.call(U+"_mul",L,h,w),i.call(U+"_mul",w,c,b),i.call(U+"_mul",w,g,A),i.call(U+"_mul",A,o,y),i.call(a+"__frobeniusMap1",b,I),i.call(U+"_mul",I,y,C),i.call(a+"__frobeniusMap2",w,F),i.call(U+"_mul",F,C,x),i.call(U+"_conjugate",o,E),i.call(U+"_mul",E,b,B),i.call(a+"__frobeniusMap3",B,S),i.call(U+"_mul",S,x,n))}const K=t.alloc(k),H=t.alloc(R);function $(e){const i=t.addFunction(a+"_pairingEq"+e);for(let t=0;t0n;)we(e)?a.push(1):a.push(0),e>>=1n;return a}(0xd201000000010000n),z=t.alloc(U),Q=3*l,q=U.length-1,M=U.reduce(((t,e)=>t+(0!=e?1:0)),0),T=6*r,k=3*r*2+(M+q+1)*Q,R=!0,D=15132376222941642752n;function N(e){const a=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[3850754370037169011952147076051364057158807420970682438676050522613628423219637725072182697113062777891589506424760n,151655185184498381465642749684540099398075398968325446656007613510403227271200139370504932015952886146304766135027n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620351n,0n],[2973677408986561043442465346520108879172042883009249989176415018091420807192182638567116318576472649347015917690530n,1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n,0n],[3125332594171059424908108096204648978570118281977575435832422631601824034463382777937621250592425535493320683825557n,877076961050607968509681729531255177986764537961432449499635504522207616027455086505066378536590128544573588734230n],[4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559786n,0n],[151655185184498381465642749684540099398075398968325446656007613510403227271200139370504932015952886146304766135027n,3850754370037169011952147076051364057158807420970682438676050522613628423219637725072182697113062777891589506424760n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n,0n],[1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257n,2973677408986561043442465346520108879172042883009249989176415018091420807192182638567116318576472649347015917690530n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437n,0n],[877076961050607968509681729531255177986764537961432449499635504522207616027455086505066378536590128544573588734230n,3125332594171059424908108096204648978570118281977575435832422631601824034463382777937621250592425535493320683825557n]]],o=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[0n,4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n,0n],[0n,1n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n,0n],[0n,793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n]],[[1n,0n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437n,0n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n,0n],[4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559786n,0n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n,0n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620351n,0n]]],n=t.addFunction(O+"_frobeniusMap"+e);n.addParam("x","i32"),n.addParam("r","i32");const s=n.getCodeBuilder();for(let i=0;i<6;i++){const u=0==i?s.getLocal("x"):s.i32_add(s.getLocal("x"),s.i32_const(i*l)),g=u,f=s.i32_add(s.getLocal("x"),s.i32_const(i*l+c)),p=0==i?s.getLocal("r"):s.i32_add(s.getLocal("r"),s.i32_const(i*l)),h=p,L=s.i32_add(s.getLocal("r"),s.i32_const(i*l+c)),w=d(a[Math.floor(i/3)][e%12],o[i%3][e%6]),b=t.alloc([...le.bigInt2BytesLE(A(w[0]),r),...le.bigInt2BytesLE(A(w[1]),r)]);e%2==1?n.addCode(s.call(_+"_copy",g,h),s.call(_+"_neg",f,L),s.call(m+"_mul",p,s.i32_const(b),p)):n.addCode(s.call(m+"_mul",u,s.i32_const(b),p))}function d(t,e){const a=t[0],o=t[1],n=e[0],r=e[1],c=[(a*n-o*r)%i,(a*r+o*n)%i];return be(c[0])&&(c[0]=c[0]+i),c}}function j(e,i,o){const n=function(t){let e=t;const a=[];for(;e>0n;){if(we(e)){const t=2-Number(e%4n);a.push(t),e-=BigInt(t)}else a.push(0);e>>=1n}return a}(e).map((t=>-1==t?255:t)),r=t.alloc(n),c=t.addFunction(a+"__cyclotomicExp_"+o);c.addParam("x","i32"),c.addParam("r","i32"),c.addLocal("bit","i32"),c.addLocal("i","i32");const l=c.getCodeBuilder(),d=l.getLocal("x"),u=l.getLocal("r"),g=l.i32_const(t.alloc(s));c.addCode(l.call(O+"_conjugate",d,g),l.call(O+"_one",u),l.if(l.teeLocal("bit",l.i32_load8_s(l.i32_const(n.length-1),r)),l.if(l.i32_eq(l.getLocal("bit"),l.i32_const(1)),l.call(O+"_mul",u,d,u),l.call(O+"_mul",u,g,u))),l.setLocal("i",l.i32_const(n.length-2)),l.block(l.loop(l.call(a+"__cyclotomicSquare",u,u),l.if(l.teeLocal("bit",l.i32_load8_s(l.getLocal("i"),r)),l.if(l.i32_eq(l.getLocal("bit"),l.i32_const(1)),l.call(O+"_mul",u,d,u),l.call(O+"_mul",u,g,u))),l.br_if(1,l.i32_eqz(l.getLocal("i"))),l.setLocal("i",l.i32_sub(l.getLocal("i"),l.i32_const(1))),l.br(0)))),i&&c.addCode(l.call(O+"_conjugate",u,u))}t.modules[a]={n64q:n,n64r:d,n8q:r,n8r:u,pG1gen:I,pG1zero:F,pG1b:p,pG2gen:E,pG2zero:v,pG2b:L,pq:t.modules.f1m.pq,pr:f,pOneT:S,r:o,q:i,prePSize:T,preQSize:k},function(){const e=t.addFunction(P+"_mul1");e.addParam("pA","i32"),e.addParam("pC1","i32"),e.addParam("pR","i32");const a=e.getCodeBuilder(),i=a.getLocal("pA"),o=a.i32_add(a.getLocal("pA"),a.i32_const(2*c)),n=a.i32_add(a.getLocal("pA"),a.i32_const(4*c)),r=a.getLocal("pC1"),l=a.getLocal("pR"),s=a.i32_add(a.getLocal("pR"),a.i32_const(2*c)),d=a.i32_add(a.getLocal("pR"),a.i32_const(4*c)),u=a.i32_const(t.alloc(2*c)),g=a.i32_const(t.alloc(2*c));e.addCode(a.call(m+"_add",i,o,u),a.call(m+"_add",o,n,g),a.call(m+"_mul",o,r,d),a.call(m+"_mul",g,r,l),a.call(m+"_sub",l,d,l),a.call(m+"_mulNR",l,l),a.call(m+"_mul",u,r,s),a.call(m+"_sub",s,d,s))}(),function(){const e=t.addFunction(P+"_mul01");e.addParam("pA","i32"),e.addParam("pC0","i32"),e.addParam("pC1","i32"),e.addParam("pR","i32");const a=e.getCodeBuilder(),i=a.getLocal("pA"),o=a.i32_add(a.getLocal("pA"),a.i32_const(2*c)),n=a.i32_add(a.getLocal("pA"),a.i32_const(4*c)),r=a.getLocal("pC0"),l=a.getLocal("pC1"),s=a.getLocal("pR"),d=a.i32_add(a.getLocal("pR"),a.i32_const(2*c)),u=a.i32_add(a.getLocal("pR"),a.i32_const(4*c)),g=a.i32_const(t.alloc(2*c)),f=a.i32_const(t.alloc(2*c)),_=a.i32_const(t.alloc(2*c)),p=a.i32_const(t.alloc(2*c));e.addCode(a.call(m+"_mul",i,r,g),a.call(m+"_mul",o,l,f),a.call(m+"_add",i,o,_),a.call(m+"_add",i,n,p),a.call(m+"_add",o,n,s),a.call(m+"_mul",s,l,s),a.call(m+"_sub",s,f,s),a.call(m+"_mulNR",s,s),a.call(m+"_add",s,g,s),a.call(m+"_add",r,l,d),a.call(m+"_mul",d,_,d),a.call(m+"_sub",d,g,d),a.call(m+"_sub",d,f,d),a.call(m+"_mul",p,r,u),a.call(m+"_sub",u,g,u),a.call(m+"_add",u,f,u))}(),function(){const e=t.addFunction(O+"_mul014");e.addParam("pA","i32"),e.addParam("pC0","i32"),e.addParam("pC1","i32"),e.addParam("pC4","i32"),e.addParam("pR","i32");const a=e.getCodeBuilder(),i=a.getLocal("pA"),o=a.i32_add(a.getLocal("pA"),a.i32_const(6*c)),n=a.getLocal("pC0"),r=a.getLocal("pC1"),l=a.getLocal("pC4"),s=a.i32_const(t.alloc(6*c)),d=a.i32_const(t.alloc(6*c)),u=a.i32_const(t.alloc(2*c)),g=a.getLocal("pR"),f=a.i32_add(a.getLocal("pR"),a.i32_const(6*c));e.addCode(a.call(P+"_mul01",i,n,r,s),a.call(P+"_mul1",o,l,d),a.call(m+"_add",r,l,u),a.call(P+"_add",o,i,f),a.call(P+"_mul01",f,n,u,f),a.call(P+"_sub",f,s,f),a.call(P+"_sub",f,d,f),a.call(P+"_copy",d,g),a.call(P+"_mulNR",g,g),a.call(P+"_add",g,s,g))}(),function(){const e=t.addFunction(a+"_ell");e.addParam("pP","i32"),e.addParam("pCoefs","i32"),e.addParam("pF","i32");const i=e.getCodeBuilder(),o=i.getLocal("pP"),n=i.i32_add(i.getLocal("pP"),i.i32_const(r)),l=i.getLocal("pF"),s=i.getLocal("pCoefs"),d=i.i32_add(i.getLocal("pCoefs"),i.i32_const(c)),u=i.i32_add(i.getLocal("pCoefs"),i.i32_const(2*c)),g=i.i32_add(i.getLocal("pCoefs"),i.i32_const(3*c)),f=i.i32_add(i.getLocal("pCoefs"),i.i32_const(4*c)),p=t.alloc(2*c),h=i.i32_const(p),m=i.i32_const(p),L=i.i32_const(p+c),w=t.alloc(2*c),b=i.i32_const(w),A=i.i32_const(w),y=i.i32_const(w+c);e.addCode(i.call(_+"_mul",s,n,m),i.call(_+"_mul",d,n,L),i.call(_+"_mul",u,o,A),i.call(_+"_mul",g,o,y),i.call(O+"_mul014",l,f,b,h,l))}();const V=t.alloc(T),K=t.alloc(k);function H(e){const i=t.addFunction(a+"_pairingEq"+e);for(let t=0;t>=BigInt(32)):r+2<=e?(n.setUint16(r,Number(a&BigInt(65535)),!0),r+=2,a>>=BigInt(16)):(n.setUint8(r,Number(a&BigInt(255)),!0),r+=1,a>>=BigInt(8));if(a)throw new Error("Number does not fit in this length");return i}const Ce=[];for(let t=0;t<256;t++)Ce[t]=Fe(t,8);function Fe(t,e){let a=0,i=t;for(let t=0;t>=1;return a}function xe(t,e){return(Ce[t>>>24]|Ce[t>>>16&255]<<8|Ce[t>>>8&255]<<16|Ce[255&t]<<24)>>>32-e}function Ee(t){return(0!=(4294901760&t)?(t&=4294901760,16):0)|(0!=(4278255360&t)?(t&=4278255360,8):0)|(0!=(4042322160&t)?(t&=4042322160,4):0)|(0!=(3435973836&t)?(t&=3435973836,2):0)|0!=(2863311530&t)}function Be(t,e){const a=t.byteLength/e,i=Ee(a);if(a!=1<a){const i=t.slice(o*e,(o+1)*e);t.set(t.slice(a*e,(a+1)*e),o*e),t.set(i,a*e)}}}function ve(t,e){const a=new Uint8Array(e*t.length);for(let i=0;i{a[i]=t(e[i])})),a}return e},unstringifyBigInts:function t(e){if("string"==typeof e&&/^[0-9]+$/.test(e))return BigInt(e);if("string"==typeof e&&/^0x[0-9a-fA-F]+$/.test(e))return BigInt(e);if(Array.isArray(e))return e.map(t);if("object"==typeof e){if(null===e)return null;const a={};return Object.keys(e).forEach((i=>{a[i]=t(e[i])})),a}return e},beBuff2int:function(t){let e=BigInt(0),a=t.length,i=0;const o=new DataView(t.buffer,t.byteOffset,t.byteLength);for(;a>0;)a>=4?(a-=4,e+=BigInt(o.getUint32(a))<=2?(a-=2,e+=BigInt(o.getUint16(a))<0;)n-4>=0?(n-=4,o.setUint32(n,Number(a&BigInt(4294967295))),a>>=BigInt(32)):n-2>=0?(n-=2,o.setUint16(n,Number(a&BigInt(65535))),a>>=BigInt(16)):(n-=1,o.setUint8(n,Number(a&BigInt(255))),a>>=BigInt(8));if(a)throw new Error("Number does not fit in this length");return i},leBuff2int:function(t){let e=BigInt(0),a=0;const i=new DataView(t.buffer,t.byteOffset,t.byteLength);for(;a{i[o]=t(e,a[o])})),i}return a},unstringifyFElements:function t(e,a){if("string"==typeof a&&/^[0-9]+$/.test(a))return e.e(a);if("string"==typeof a&&/^0x[0-9a-fA-F]+$/.test(a))return e.e(a);if(Array.isArray(a))return a.map(t.bind(this,e));if("object"==typeof a){if(null===a)return null;const i={};return Object.keys(a).forEach((o=>{i[o]=t(e,a[o])})),i}return a},bitReverse:xe,log2:Ee,buffReverseBits:Be,array2buffer:ve,buffer2array:Se});const Pe=1<<30;class Oe{constructor(t){this.buffers=[],this.byteLength=t;for(let e=0;e0;){const t=r+c>Pe?Pe-r:c,e=new Uint8Array(this.buffers[n].buffer,this.buffers[n].byteOffset+r,t);if(t==a)return e.slice();o||(o=a<=Pe?new Uint8Array(a):new Oe(a)),o.set(e,a-c),c-=t,n++,r=0}return o}set(t,e){void 0===e&&(e=0);const a=t.byteLength;if(0==a)return;const i=Math.floor(e/Pe);if(i==Math.floor((e+a-1)/Pe))return t instanceof Oe&&1==t.buffers.length?this.buffers[i].set(t.buffers[0],e%Pe):this.buffers[i].set(t,e%Pe);let o=i,n=e%Pe,r=a;for(;r>0;){const e=n+r>Pe?Pe-n:r,i=t.slice(a-r,a-r+e);new Uint8Array(this.buffers[o].buffer,this.buffers[o].byteOffset+n,e).set(i),r-=e,o++,n=0}}}function Ue(t,e,a,i){return async function(o){const n=Math.floor(o.byteLength/a);if(n*a!==o.byteLength)throw new Error("Invalid buffer size");const r=Math.floor(n/t.concurrency),c=[];for(let l=0;l=0;t--)this.w[t]=this.square(this.w[t+1]);if(!this.eq(this.w[0],this.one))throw new Error("Error calculating roots of unity");this.batchToMontgomery=Ue(t,e+"_batchToMontgomery",this.n8,this.n8),this.batchFromMontgomery=Ue(t,e+"_batchFromMontgomery",this.n8,this.n8)}op2(t,e,a){return this.tm.setBuff(this.pOp1,e),this.tm.setBuff(this.pOp2,a),this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp2,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}op2Bool(t,e,a){return this.tm.setBuff(this.pOp1,e),this.tm.setBuff(this.pOp2,a),!!this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp2)}op1(t,e){return this.tm.setBuff(this.pOp1,e),this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}op1Bool(t,e){return this.tm.setBuff(this.pOp1,e),!!this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp3)}add(t,e){return this.op2("_add",t,e)}eq(t,e){return this.op2Bool("_eq",t,e)}isZero(t){return this.op1Bool("_isZero",t)}sub(t,e){return this.op2("_sub",t,e)}neg(t){return this.op1("_neg",t)}inv(t){return this.op1("_inverse",t)}toMontgomery(t){return this.op1("_toMontgomery",t)}fromMontgomery(t){return this.op1("_fromMontgomery",t)}mul(t,e){return this.op2("_mul",t,e)}div(t,e){return this.tm.setBuff(this.pOp1,t),this.tm.setBuff(this.pOp2,e),this.tm.instance.exports[this.prefix+"_inverse"](this.pOp2,this.pOp2),this.tm.instance.exports[this.prefix+"_mul"](this.pOp1,this.pOp2,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}square(t){return this.op1("_square",t)}isSquare(t){return this.op1Bool("_isSquare",t)}sqrt(t){return this.op1("_sqrt",t)}exp(t,e){return e instanceof Uint8Array||(e=S(i(e))),this.tm.setBuff(this.pOp1,t),this.tm.setBuff(this.pOp2,e),this.tm.instance.exports[this.prefix+"_exp"](this.pOp1,this.pOp2,e.byteLength,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}isNegative(t){return this.op1Bool("_isNegative",t)}e(t,e){if(t instanceof Uint8Array)return t;let a=i(t,e);n(a)?(a=h(a),y(a,this.p)&&(a=b(a,this.p)),a=p(this.p,a)):y(a,this.p)&&(a=b(a,this.p));const o=Ie(a,this.n8);return this.toMontgomery(o)}toString(t,e){return v(E(this.fromMontgomery(t),0),e)}fromRng(t){let e;const a=new Uint8Array(this.n8);do{e=G;for(let a=0;ai.buffer.byteLength){const o=i.buffer.byteLength/65536;let n=Math.floor((a[0]+t)/65536)+1;n>e&&(n=e),i.grow(n-o)}return o}function r(t){const e=n(t.byteLength);return l(e,t),e}function c(t,e){const a=new Uint8Array(i.buffer);return new Uint8Array(a.buffer,a.byteOffset+t,e)}function l(t,e){new Uint8Array(i.buffer).set(new Uint8Array(e),t)}function s(t){if("INIT"==t[0].cmd)return o(t[0]);const e={vars:[],out:[]},s=new Uint32Array(i.buffer,0,1)[0];for(let i=0;i{this.reject=e,this.resolve=t}))}}var je;const Ve="data:application/javascript;base64,"+(je="("+Te.toString()+")(self)",globalThis.btoa(je));class Ke{constructor(){this.actionQueue=[],this.oldPFree=0}startSyncOp(){if(0!=this.oldPFree)throw new Error("Sync operation in progress");this.oldPFree=this.u32[0]}endSyncOp(){if(0==this.oldPFree)throw new Error("No sync operation in progress");this.u32[0]=this.oldPFree,this.oldPFree=0}postAction(t,e,a,i){if(this.working[t])throw new Error("Posting a job t a working worker");return this.working[t]=!0,this.pendingDeferreds[t]=i||new Ne,this.workers[t].postMessage(e,a),this.pendingDeferreds[t].promise}processWorks(){for(let t=0;t0;t++)if(0==this.working[t]){const e=this.actionQueue.shift();this.postAction(t,e.data,e.transfers,e.deferred)}}queueAction(t,e){const a=new Ne;if(this.singleThread){const e=this.taskManager(t);a.resolve(e)}else this.actionQueue.push({data:t,transfers:e,deferred:a}),this.processWorks();return a.promise}resetMemory(){this.u32[0]=this.initalPFree}allocBuff(t){const e=this.alloc(t.byteLength);return this.setBuff(e,t),e}getBuff(t,e){return this.u8.slice(t,t+e)}setBuff(t,e){this.u8.set(new Uint8Array(e),t)}alloc(t){for(;3&this.u32[0];)this.u32[0]++;const e=this.u32[0];return this.u32[0]+=t,e}async terminate(){for(let t=0;tsetTimeout(e,t))))}}function He(t,e){const a=t[e],i=t.Fr,o=t.tm;t[e].batchApplyKey=async function(t,n,r,c,l){let s,d,u,g,f;if(c=c||"affine",l=l||"affine","G1"==e)"jacobian"==c?(u=3*a.F.n8,s="g1m_batchApplyKey"):(u=2*a.F.n8,s="g1m_batchApplyKeyMixed"),g=3*a.F.n8,"jacobian"==l?f=3*a.F.n8:(d="g1m_batchToAffine",f=2*a.F.n8);else if("G2"==e)"jacobian"==c?(u=3*a.F.n8,s="g2m_batchApplyKey"):(u=2*a.F.n8,s="g2m_batchApplyKeyMixed"),g=3*a.F.n8,"jacobian"==l?f=3*a.F.n8:(d="g2m_batchToAffine",f=2*a.F.n8);else{if("Fr"!=e)throw new Error("Invalid group: "+e);s="frm_batchApplyKey",u=a.n8,g=a.n8,f=a.n8}const _=Math.floor(t.byteLength/u),p=Math.floor(_/o.concurrency),h=[];r=i.e(r);let m=i.e(n);for(let e=0;e=0;t--){if(!a.isZero(p))for(let t=0;ts&&(p=s),p<1024&&(p=1024);const h=[];for(let e=0;e(c&&c.debug(`Multiexp end: ${l}: ${e}/${u}`),t))))}const m=await Promise.all(h);let L=a.zero;for(let t=m.length-1;t>=0;t--)L=a.add(L,m[t]);return L}a.multiExp=async function(t,e,a,i){return await n(t,e,"jacobian",a,i)},a.multiExpAffine=async function(t,e,a,i){return await n(t,e,"affine",a,i)}}function We(t,e){const a=t[e],i=t.Fr,o=a.tm;async function n(t,c,l,s,d,u){l=l||"affine",s=s||"affine";let g,f,_,p,h,m,L,w;"G1"==e?("affine"==l?(g=2*a.F.n8,p="g1m_batchToJacobian"):g=3*a.F.n8,f=3*a.F.n8,c&&(w="g1m_fftFinal"),L="g1m_fftJoin",m="g1m_fftMix","affine"==s?(_=2*a.F.n8,h="g1m_batchToAffine"):_=3*a.F.n8):"G2"==e?("affine"==l?(g=2*a.F.n8,p="g2m_batchToJacobian"):g=3*a.F.n8,f=3*a.F.n8,c&&(w="g2m_fftFinal"),L="g2m_fftJoin",m="g2m_fftMix","affine"==s?(_=2*a.F.n8,h="g2m_batchToAffine"):_=3*a.F.n8):"Fr"==e&&(g=a.n8,f=a.n8,_=a.n8,c&&(w="frm_fftFinal"),m="frm_fftMix",L="frm_fftJoin");let b=!1;Array.isArray(t)?(t=ve(t,g),b=!0):t=t.slice(0,t.byteLength);const A=t.byteLength/g,y=Ee(A);if(1<1<<28?new Oe(2*u[0].byteLength):new Uint8Array(2*u[0].byteLength);return g.set(u[0]),g.set(u[1],u[0].byteLength),g}(t,l,s,d,u):await async function(t,e,a,o,c){let l,s;l=t.slice(0,t.byteLength/2),s=t.slice(t.byteLength/2,t.byteLength);const d=[];[l,s]=await r(l,s,"fftJoinExt",i.one,i.shift,e,"jacobian",o,c),d.push(n(l,!1,"jacobian",a,o,c)),d.push(n(s,!1,"jacobian",a,o,c));const u=await Promise.all(d);let g;g=u[0].byteLength>1<<28?new Oe(2*u[0].byteLength):new Uint8Array(2*u[0].byteLength);return g.set(u[0]),g.set(u[1],u[0].byteLength),g}(t,l,s,d,u),b?Se(e,_):e}let I,C,F;c&&(I=i.inv(i.e(A))),Be(t,g);let x=Math.min(16384,A),E=A/x;for(;E=16;)E*=2,x/=2;const B=Ee(x),v=[];for(let e=0;e(d&&d.debug(`${u}: fft ${y} mix end: ${e}/${E}`),t))))}F=await Promise.all(v);for(let t=0;t(d&&d.debug(`${u}: fft ${y} join ${t}/${y} ${r+1}/${e} ${c}/${a/2}`),i))))}const r=await Promise.all(n);for(let t=0;t0;e--)C.set(F[e],t),t+=x*_,delete F[e];C.set(F[0].slice(0,(x-1)*_),t),delete F[0]}else for(let t=0;t65536&&(b=65536);const A=[];for(let e=0;e(u&&u.debug(`${g}: fftJoinExt End: ${e}/${w}`),t))))}const y=await Promise.all(A);let I,C;w*h>1<<28?(I=new Oe(w*h),C=new Oe(w*h)):(I=new Uint8Array(w*h),C=new Uint8Array(w*h));let F=0;for(let t=0;ti.s+1)throw l&&l.error("lagrangeEvaluations input too big"),new Error("lagrangeEvaluations input too big");let f=t.slice(0,t.byteLength/2),_=t.slice(t.byteLength/2,t.byteLength);const p=i.exp(i.shift,u/2),h=i.inv(i.sub(i.one,p));[f,_]=await r(f,_,"prepareLagrangeEvaluation",h,i.shiftInv,o,"jacobian",l,s+" prep");const m=[];let L;return m.push(n(f,!0,"jacobian",c,l,s+" t0")),m.push(n(_,!0,"jacobian",c,l,s+" t1")),[f,_]=await Promise.all(m),L=f.byteLength>1<<28?new Oe(2*f.byteLength):new Uint8Array(2*f.byteLength),L.set(f),L.set(_,f.byteLength),L},a.fftMix=async function(t){const n=3*a.F.n8;let r,c;if("G1"==e)r="g1m_fftMix",c="g1m_fftJoin";else if("G2"==e)r="g2m_fftMix",c="g2m_fftJoin";else{if("Fr"!=e)throw new Error("Invalid group");r="frm_fftMix",c="frm_fftJoin"}const l=Math.floor(t.byteLength/n),s=Ee(l);let d=1<=0;t--)f.set(g[t][0],_),_+=g[t][0].byteLength;return f}}async function Ze(t){const e=await async function(t,e){const a=new Ke;a.memory=new WebAssembly.Memory({initial:De}),a.u8=new Uint8Array(a.memory.buffer),a.u32=new Uint32Array(a.memory.buffer);const i=await WebAssembly.compile(t.code);if(a.instance=await WebAssembly.instantiate(i,{env:{memory:a.memory}}),a.singleThread=e,a.initalPFree=a.u32[0],a.pq=t.pq,a.pr=t.pr,a.pG1gen=t.pG1gen,a.pG1zero=t.pG1zero,a.pG2gen=t.pG2gen,a.pG2zero=t.pG2zero,a.pOneT=t.pOneT,e)a.code=t.code,a.taskManager=Te(),await a.taskManager([{cmd:"INIT",init:De,code:a.code.slice()}]),a.concurrency=1;else{let e;a.workers=[],a.pendingDeferreds=[],a.working=[],e="object"==typeof navigator&&navigator.hardwareConcurrency?navigator.hardwareConcurrency:ke.cpus().length,0==e&&(e=2),e>64&&(e=64),a.concurrency=e;for(let t=0;t>8n&0xFFn)),e.push(Number(a>>16n&0xFFn)),e.push(Number(a>>24n&0xFFn)),e}function aa(t){const e=function(t){for(var e=[],a=0;a>6,128|63&i):i<55296||i>=57344?e.push(224|i>>12,128|i>>6&63,128|63&i):(a++,i=65536+((1023&i)<<10|1023&t.charCodeAt(a)),e.push(240|i>>18,128|i>>12&63,128|i>>6&63,128|63&i))}return e}(t);return[...ca(e.length),...e]}function ia(t){const e=[];let a=Je(t);if(Xe(a))throw new Error("Number cannot be negative");for(;!ta(a);)e.push(Number(0x7Fn&a)),a>>=7n;0==e.length&&e.push(0);for(let t=0;t0xFFFFFFFFn)throw new Error("Number too big");if(e>0x7FFFFFFFn&&(e-=0x100000000n),e<-2147483648n)throw new Error("Number too small");return oa(e)}function ra(t){let e=Je(t);if(e>0xFFFFFFFFFFFFFFFFn)throw new Error("Number too big");if(e>0x7FFFFFFFFFFFFFFFn&&(e-=0x10000000000000000n),e<-9223372036854775808n)throw new Error("Number too small");return oa(e)}function ca(t){let e=Je(t);if(e>0xFFFFFFFFn)throw new Error("Number too big");return ia(e)}function la(t){return Array.from(t,(function(t){return("0"+(255&t).toString(16)).slice(-2)})).join("")}class sa{constructor(t){this.func=t,this.functionName=t.functionName,this.module=t.module}setLocal(t,e){const a=this.func.localIdxByName[t];if(void 0===a)throw new Error(`Local Variable not defined: Function: ${this.functionName} local: ${t} `);return[...e,33,...ca(a)]}teeLocal(t,e){const a=this.func.localIdxByName[t];if(void 0===a)throw new Error(`Local Variable not defined: Function: ${this.functionName} local: ${t} `);return[...e,34,...ca(a)]}getLocal(t){const e=this.func.localIdxByName[t];if(void 0===e)throw new Error(`Local Variable not defined: Function: ${this.functionName} local: ${t} `);return[32,...ca(e)]}i64_load8_s(t,e,a){return[...t,48,void 0===a?0:a,...ca(e||0)]}i64_load8_u(t,e,a){return[...t,49,void 0===a?0:a,...ca(e||0)]}i64_load16_s(t,e,a){return[...t,50,void 0===a?1:a,...ca(e||0)]}i64_load16_u(t,e,a){return[...t,51,void 0===a?1:a,...ca(e||0)]}i64_load32_s(t,e,a){return[...t,52,void 0===a?2:a,...ca(e||0)]}i64_load32_u(t,e,a){return[...t,53,void 0===a?2:a,...ca(e||0)]}i64_load(t,e,a){return[...t,41,void 0===a?3:a,...ca(e||0)]}i64_store(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=3,r=e):Array.isArray(a)?(o=e,n=3,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,55,n,...ca(o)]}i64_store32(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=2,r=e):Array.isArray(a)?(o=e,n=2,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,62,n,...ca(o)]}i64_store16(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=1,r=e):Array.isArray(a)?(o=e,n=1,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,61,n,...ca(o)]}i64_store8(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=0,r=e):Array.isArray(a)?(o=e,n=0,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,60,n,...ca(o)]}i32_load8_s(t,e,a){return[...t,44,void 0===a?0:a,...ca(e||0)]}i32_load8_u(t,e,a){return[...t,45,void 0===a?0:a,...ca(e||0)]}i32_load16_s(t,e,a){return[...t,46,void 0===a?1:a,...ca(e||0)]}i32_load16_u(t,e,a){return[...t,47,void 0===a?1:a,...ca(e||0)]}i32_load(t,e,a){return[...t,40,void 0===a?2:a,...ca(e||0)]}i32_store(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=2,r=e):Array.isArray(a)?(o=e,n=2,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,54,n,...ca(o)]}i32_store16(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=1,r=e):Array.isArray(a)?(o=e,n=1,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,59,n,...ca(o)]}i32_store8(t,e,a,i){let o,n,r;return Array.isArray(e)?(o=0,n=0,r=e):Array.isArray(a)?(o=e,n=0,r=a):Array.isArray(i)&&(o=e,n=a,r=i),[...t,...r,58,n,...ca(o)]}call(t,...e){const a=this.module.functionIdxByName[t];if(void 0===a)throw new Error(`Function not defined: Function: ${t}`);return[...[].concat(...e),16,...ca(a)]}call_indirect(t,...e){return[...[].concat(...e),...t,17,0,0]}if(t,e,a){return a?[...t,4,64,...e,5,...a,11]:[...t,4,64,...e,11]}block(t){return[2,64,...t,11]}loop(...t){return[3,64,...[].concat(...t),11]}br_if(t,e){return[...e,13,...ca(t)]}br(t){return[12,...ca(t)]}ret(t){return[...t,15]}drop(t){return[...t,26]}i64_const(t){return[66,...ra(t)]}i32_const(t){return[65,...na(t)]}i64_eqz(t){return[...t,80]}i64_eq(t,e){return[...t,...e,81]}i64_ne(t,e){return[...t,...e,82]}i64_lt_s(t,e){return[...t,...e,83]}i64_lt_u(t,e){return[...t,...e,84]}i64_gt_s(t,e){return[...t,...e,85]}i64_gt_u(t,e){return[...t,...e,86]}i64_le_s(t,e){return[...t,...e,87]}i64_le_u(t,e){return[...t,...e,88]}i64_ge_s(t,e){return[...t,...e,89]}i64_ge_u(t,e){return[...t,...e,90]}i64_add(t,e){return[...t,...e,124]}i64_sub(t,e){return[...t,...e,125]}i64_mul(t,e){return[...t,...e,126]}i64_div_s(t,e){return[...t,...e,127]}i64_div_u(t,e){return[...t,...e,128]}i64_rem_s(t,e){return[...t,...e,129]}i64_rem_u(t,e){return[...t,...e,130]}i64_and(t,e){return[...t,...e,131]}i64_or(t,e){return[...t,...e,132]}i64_xor(t,e){return[...t,...e,133]}i64_shl(t,e){return[...t,...e,134]}i64_shr_s(t,e){return[...t,...e,135]}i64_shr_u(t,e){return[...t,...e,136]}i64_extend_i32_s(t){return[...t,172]}i64_extend_i32_u(t){return[...t,173]}i64_clz(t){return[...t,121]}i64_ctz(t){return[...t,122]}i32_eqz(t){return[...t,69]}i32_eq(t,e){return[...t,...e,70]}i32_ne(t,e){return[...t,...e,71]}i32_lt_s(t,e){return[...t,...e,72]}i32_lt_u(t,e){return[...t,...e,73]}i32_gt_s(t,e){return[...t,...e,74]}i32_gt_u(t,e){return[...t,...e,75]}i32_le_s(t,e){return[...t,...e,76]}i32_le_u(t,e){return[...t,...e,77]}i32_ge_s(t,e){return[...t,...e,78]}i32_ge_u(t,e){return[...t,...e,79]}i32_add(t,e){return[...t,...e,106]}i32_sub(t,e){return[...t,...e,107]}i32_mul(t,e){return[...t,...e,108]}i32_div_s(t,e){return[...t,...e,109]}i32_div_u(t,e){return[...t,...e,110]}i32_rem_s(t,e){return[...t,...e,111]}i32_rem_u(t,e){return[...t,...e,112]}i32_and(t,e){return[...t,...e,113]}i32_or(t,e){return[...t,...e,114]}i32_xor(t,e){return[...t,...e,115]}i32_shl(t,e){return[...t,...e,116]}i32_shr_s(t,e){return[...t,...e,117]}i32_shr_u(t,e){return[...t,...e,118]}i32_rotl(t,e){return[...t,...e,119]}i32_rotr(t,e){return[...t,...e,120]}i32_wrap_i64(t){return[...t,167]}i32_clz(t){return[...t,103]}i32_ctz(t){return[...t,104]}unreachable(){return[0]}current_memory(){return[63,0]}comment(){return[]}}const da={i32:127,i64:126,f32:125,f64:124,anyfunc:112,func:96,emptyblock:64};class ua{constructor(t,e,a,i,o){if("import"==a)this.fnType="import",this.moduleName=i,this.fieldName=o;else{if("internal"!=a)throw new Error("Invalid function fnType: "+a);this.fnType="internal"}this.module=t,this.fnName=e,this.params=[],this.locals=[],this.localIdxByName={},this.code=[],this.returnType=null,this.nextLocal=0}addParam(t,e){if(this.localIdxByName[t])throw new Error(`param already exists. Function: ${this.fnName}, Param: ${t} `);const a=this.nextLocal++;this.localIdxByName[t]=a,this.params.push({type:e})}addLocal(t,e,a){const i=a||1;if(this.localIdxByName[t])throw new Error(`local already exists. Function: ${this.fnName}, Param: ${t} `);const o=this.nextLocal++;this.localIdxByName[t]=o,this.locals.push({type:e,length:i})}setReturnType(t){if(this.returnType)throw new Error(`returnType already defined. Function: ${this.fnName}`);this.returnType=t}getSignature(){return[96,...[...ca(this.params.length),...this.params.map((t=>da[t.type]))],...this.returnType?[1,da[this.returnType]]:[0]]}getBody(){const t=this.locals.map((t=>[...ca(t.length),da[t.type]])),e=[...ca(this.locals.length),...[].concat(...t),...this.code,11];return[...ca(e.length),...e]}addCode(...t){this.code.push(...[].concat(...t))}getCodeBuilder(){return new sa(this)}}class ga{constructor(){this.functions=[],this.functionIdxByName={},this.nImportFunctions=0,this.nInternalFunctions=0,this.memory={pagesSize:1,moduleName:"env",fieldName:"memory"},this.free=8,this.datas=[],this.modules={},this.exports=[],this.functionsTable=[]}build(){return this._setSignatures(),new Uint8Array([...ea(1836278016),...ea(1),...this._buildType(),...this._buildImport(),...this._buildFunctionDeclarations(),...this._buildFunctionsTable(),...this._buildExports(),...this._buildElements(),...this._buildCode(),...this._buildData()])}addFunction(t){if(void 0!==this.functionIdxByName[t])throw new Error(`Function already defined: ${t}`);const e=this.functions.length;return this.functionIdxByName[t]=e,this.functions.push(new ua(this,t,"internal")),this.nInternalFunctions++,this.functions[e]}addIimportFunction(t,e,a){if(void 0!==this.functionIdxByName[t])throw new Error(`Function already defined: ${t}`);if(this.functions.length>0&&"internal"==this.functions[this.functions.length-1].type)throw new Error(`Import functions must be declared before internal: ${t}`);let i=a||t;const o=this.functions.length;return this.functionIdxByName[t]=o,this.functions.push(new ua(this,t,"import",e,i)),this.nImportFunctions++,this.functions[o]}setMemory(t,e,a){this.memory={pagesSize:t,moduleName:e||"env",fieldName:a||"memory"}}exportFunction(t,e){const a=e||t;if(void 0===this.functionIdxByName[t])throw new Error(`Function not defined: ${t}`);const i=this.functionIdxByName[t];a!=t&&(this.functionIdxByName[a]=i),this.exports.push({exportName:a,idx:i})}addFunctionToTable(t){const e=this.functionIdxByName[t];this.functionsTable.push(e)}addData(t,e){this.datas.push({offset:t,bytes:e})}alloc(t,e){let a,i;(Array.isArray(t)||ArrayBuffer.isView(t))&&void 0===e?(a=t.length,i=t):(a=t,i=e),a=1+(a-1>>3)<<3;const o=this.free;return this.free+=a,i&&this.addData(o,i),o}allocString(t){const e=(new globalThis.TextEncoder).encode(t);return this.alloc([...e,0])}_setSignatures(){this.signatures=[];const t={};if(this.functionsTable.length>0){const e=this.functions[this.functionsTable[0]].getSignature();t["s_"+la(e)]=0,this.signatures.push(e)}for(let e=0;e{e.pendingLoads.push({page:t,resolve:a,reject:i})}));return e.__statusPage("After Load request: ",t),a}__statusPage(t,e){const a=[],i=this;if(!i.logHistory)return;a.push("=="+t+" "+e);let o="";for(let t=0;t "+e.history[t][a][i])}_triggerLoad(){const t=this;if(t.reading)return;if(0==t.pendingLoads.length)return;const e=Object.keys(t.pages),a=[];for(let i=0;i0&&(void 0!==t.pages[t.pendingLoads[0].page]||i>0||a.length>0);){const e=t.pendingLoads.shift();if(void 0!==t.pages[e.page]){t.pages[e.page].pendingOps++;const i=a.indexOf(e.page);i>=0&&a.splice(i,1),t.pages[e.page].loading?t.pages[e.page].loading.push(e):e.resolve(),t.__statusPage("After Load (cached): ",e.page)}else{if(i)i--;else{const e=a.shift();t.__statusPage("Before Unload: ",e),t.avBuffs.unshift(t.pages[e]),delete t.pages[e],t.__statusPage("After Unload: ",e)}e.page>=t.totalPages?(t.pages[e.page]=n(),e.resolve(),t.__statusPage("After Load (new): ",e.page)):(t.reading=!0,t.pages[e.page]=n(),t.pages[e.page].loading=[e],o.push(t.fd.read(t.pages[e.page].buff,0,t.pageSize,e.page*t.pageSize).then((a=>{t.pages[e.page].size=a.bytesRead;const i=t.pages[e.page].loading;delete t.pages[e.page].loading;for(let t=0;t{e.reject(t)}))),t.__statusPage("After Load (loading): ",e.page))}}function n(){if(t.avBuffs.length>0){const e=t.avBuffs.shift();return e.dirty=!1,e.pendingOps=1,e.size=0,e}return{dirty:!1,buff:new Uint8Array(t.pageSize),pendingOps:1,size:0}}Promise.all(o).then((()=>{t.reading=!1,t.pendingLoads.length>0&&setImmediate(t._triggerLoad.bind(t)),t._tryClose()}))}_triggerWrite(){const t=this;if(t.writing)return;const e=Object.keys(t.pages),a=[];for(let i=0;i{o.writing=!1}),(e=>{console.log("ERROR Writing: "+e),t.error=e,t._tryClose()}))))}t.writing&&Promise.all(a).then((()=>{t.writing=!1,setImmediate(t._triggerWrite.bind(t)),t._tryClose(),t.pendingLoads.length>0&&setImmediate(t._triggerLoad.bind(t))}))}_getDirtyPage(){for(let t in this.pages)if(this.pages[t].dirty)return t;return-1}async write(t,e){if(0==t.byteLength)return;const a=this;if(void 0===e&&(e=a.pos),a.pos=e+t.byteLength,a.totalSize0;){await n[r-i];const e=c+l>a.pageSize?a.pageSize-c:l,o=t.slice(t.byteLength-l,t.byteLength-l+e);new Uint8Array(a.pages[r].buff.buffer,c,e).set(o),a.pages[r].dirty=!0,a.pages[r].pendingOps--,a.pages[r].size=Math.max(c+e,a.pages[r].size),r>=a.totalPages&&(a.totalPages=r+1),l-=e,r++,c=0,a.writing||setImmediate(a._triggerWrite.bind(a))}}async read(t,e){let a=new Uint8Array(t);return await this.readToBuffer(a,0,t,e),a}async readToBuffer(t,e,a,i){if(0==a)return;const o=this;if(a>o.pageSize*o.maxPagesLoaded*.8){const t=Math.floor(1.1*a);this.maxPagesLoaded=Math.floor(t/o.pageSize)+1}if(void 0===i&&(i=o.pos),o.pos=i+a,o.pendingClose)throw new Error("Reading a closing file");const n=Math.floor(i/o.pageSize),r=Math.floor((i+a-1)/o.pageSize),c=[];for(let t=n;t<=r;t++)c.push(o._loadPage(t));o._triggerLoad();let l=n,s=i%o.pageSize,d=i+a>o.totalSize?a-(i+a-o.totalSize):a;for(;d>0;){await c[l-n],o.__statusPage("After Await (read): ",l);const i=s+d>o.pageSize?o.pageSize-s:d,r=new Uint8Array(o.pages[l].buff.buffer,o.pages[l].buff.byteOffset+s,i);t.set(r,e+a-d),o.pages[l].pendingOps--,o.__statusPage("After Op done: ",l),d-=i,l++,s=0,o.pendingLoads.length>0&&setImmediate(o._triggerLoad.bind(o))}this.pos=i+a}_tryClose(){const t=this;if(!t.pendingClose)return;t.error&&t.pendingCloseReject(t.error);t._getDirtyPage()>=0||t.writing||t.reading||t.pendingLoads.length>0||t.pendingClose()}close(){const t=this;if(t.pendingClose)throw new Error("Closing the file twice");return new Promise(((e,a)=>{t.pendingClose=e,t.pendingCloseReject=a,t._tryClose()})).then((()=>{t.fd.close()}),(e=>{throw t.fd.close(),e}))}async discard(){await this.close(),await wa.promises.unlink(this.fileName)}async writeULE32(t,e){const a=new Uint8Array(4);new DataView(a.buffer).setUint32(0,t,!0),await this.write(a,e)}async writeUBE32(t,e){const a=new Uint8Array(4);new DataView(a.buffer).setUint32(0,t,!1),await this.write(a,e)}async writeULE64(t,e){const a=new Uint8Array(8),i=new DataView(a.buffer);i.setUint32(0,4294967295&t,!0),i.setUint32(4,Math.floor(t/4294967296),!0),await this.write(a,e)}async readULE32(t){const e=await this.read(4,t);return new Uint32Array(e.buffer)[0]}async readUBE32(t){const e=await this.read(4,t);return new DataView(e.buffer).getUint32(0,!1)}async readULE64(t){const e=await this.read(8,t),a=new Uint32Array(e.buffer);return 4294967296*a[1]+a[0]}async readString(t){const e=this;if(e.pendingClose)throw new Error("Reading a closing file");let a=void 0===t?e.pos:t,i=Math.floor(a/e.pageSize),o=!1,n="";for(;!o;){let t=e._loadPage(i);e._triggerLoad(),await t,e.__statusPage("After Await (read): ",i);let r=a%e.pageSize;const c=new Uint8Array(e.pages[i].buff.buffer,e.pages[i].buff.byteOffset+r,e.pageSize-r);let l=c.findIndex((t=>0===t));o=-1!==l,o?(n+=(new TextDecoder).decode(c.slice(0,l)),e.pos=i*this.pageSize+r+l+1):(n+=(new TextDecoder).decode(c),e.pos=i*this.pageSize+r+c.length),e.pages[i].pendingOps--,e.__statusPage("After Op done: ",i),a=e.pos,i++,e.pendingLoads.length>0&&setImmediate(e._triggerLoad.bind(e))}return n}}const ya=new Uint8Array(4),Ia=new DataView(ya.buffer),Ca=new Uint8Array(8),Fa=new DataView(Ca.buffer);class xa{constructor(){this.pageSize=16384}_resizeIfNeeded(t){if(t>this.allocSize){const e=Math.max(this.allocSize+(1<<20),Math.floor(1.1*this.allocSize),t),a=new Uint8Array(e);a.set(this.o.data),this.o.data=a,this.allocSize=e}}async write(t,e){if(void 0===e&&(e=this.pos),this.readOnly)throw new Error("Writing a read only file");this._resizeIfNeeded(e+t.byteLength),this.o.data.set(t.slice(),e),e+t.byteLength>this.totalSize&&(this.totalSize=e+t.byteLength),this.pos=e+t.byteLength}async readToBuffer(t,e,a,i){if(void 0===i&&(i=this.pos),this.readOnly&&i+a>this.totalSize)throw new Error("Reading out of bounds");this._resizeIfNeeded(i+a);const o=new Uint8Array(this.o.data.buffer,this.o.data.byteOffset+i,a);t.set(o,e),this.pos=i+a}async read(t,e){const a=new Uint8Array(t);return await this.readToBuffer(a,0,t,e),a}close(){this.o.data.byteLength!=this.totalSize&&(this.o.data=this.o.data.slice(0,this.totalSize))}async discard(){}async writeULE32(t,e){Ia.setUint32(0,t,!0),await this.write(ya,e)}async writeUBE32(t,e){Ia.setUint32(0,t,!1),await this.write(ya,e)}async writeULE64(t,e){Fa.setUint32(0,4294967295&t,!0),Fa.setUint32(4,Math.floor(t/4294967296),!0),await this.write(Ca,e)}async readULE32(t){const e=await this.read(4,t);return new Uint32Array(e.buffer)[0]}async readUBE32(t){const e=await this.read(4,t);return new DataView(e.buffer).getUint32(0,!1)}async readULE64(t){const e=await this.read(8,t),a=new Uint32Array(e.buffer);return 4294967296*a[1]+a[0]}async readString(t){const e=this;let a=void 0===t?e.pos:t;if(a>this.totalSize){if(this.readOnly)throw new Error("Reading out of bounds");this._resizeIfNeeded(t)}const i=new Uint8Array(e.o.data.buffer,a,this.totalSize-a);let o=i.findIndex((t=>0===t)),n="";return-1!==o?(n=(new TextDecoder).decode(i.slice(0,o)),e.pos=a+o+1):e.pos=a,n}}const Ea=1<<22;const Ba=new Uint8Array(4),va=new DataView(Ba.buffer),Sa=new Uint8Array(8),Ga=new DataView(Sa.buffer);class Pa{constructor(){this.pageSize=16384}_resizeIfNeeded(t){if(t<=this.totalSize)return;if(this.readOnly)throw new Error("Reading out of file bounds");const e=Math.floor((t-1)/Ea)+1;for(let a=Math.max(this.o.data.length-1,0);a0;){const e=o+n>Ea?Ea-o:n,r=t.slice(t.byteLength-n,t.byteLength-n+e);new Uint8Array(a.o.data[i].buffer,o,e).set(r),n-=e,i++,o=0}this.pos=e+t.byteLength}async readToBuffer(t,e,a,i){const o=this;if(void 0===i&&(i=o.pos),this.readOnly&&i+a>this.totalSize)throw new Error("Reading out of bounds");this._resizeIfNeeded(i+a);let n=Math.floor(i/Ea),r=i%Ea,c=a;for(;c>0;){const i=r+c>Ea?Ea-r:c,l=new Uint8Array(o.o.data[n].buffer,r,i);t.set(l,e+a-c),c-=i,n++,r=0}this.pos=i+a}async read(t,e){const a=new Uint8Array(t);return await this.readToBuffer(a,0,t,e),a}close(){}async discard(){}async writeULE32(t,e){va.setUint32(0,t,!0),await this.write(Ba,e)}async writeUBE32(t,e){va.setUint32(0,t,!1),await this.write(Ba,e)}async writeULE64(t,e){Ga.setUint32(0,4294967295&t,!0),Ga.setUint32(4,Math.floor(t/4294967296),!0),await this.write(Sa,e)}async readULE32(t){const e=await this.read(4,t);return new Uint32Array(e.buffer)[0]}async readUBE32(t){const e=await this.read(4,t);return new DataView(e.buffer).getUint32(0,!1)}async readULE64(t){const e=await this.read(8,t),a=new Uint32Array(e.buffer);return 4294967296*a[1]+a[0]}async readString(t){const e=this;let a=void 0===t?e.pos:t;if(a>this.totalSize){if(this.readOnly)throw new Error("Reading out of bounds");this._resizeIfNeeded(t)}let i=!1,o="";for(;!i;){let t=Math.floor(a/Ea),n=a%Ea;if(void 0===e.o.data[t])throw new Error("ERROR");let r=Math.min(2048,e.o.data[t].length-n);const c=new Uint8Array(e.o.data[t].buffer,n,r);let l=c.findIndex((t=>0===t));i=-1!==l,i?(o+=(new TextDecoder).decode(c.slice(0,l)),e.pos=t*Ea+n+l+1):(o+=(new TextDecoder).decode(c),e.pos=t*Ea+n+c.length),a=e.pos}return o}}const Oa=1024,Ua=512,za=2,Qa=0,qa=65536,Ma=8192;async function Ta(t,e,a){if("string"==typeof t&&(t={type:"file",fileName:t,cacheSize:e||qa,pageSize:a||Ma}),"file"==t.type)return await ba(t.fileName,Oa|Ua|za,t.cacheSize,t.pageSize);if("mem"==t.type)return function(t){const e=t.initialSize||1<<20,a=new xa;return a.o=t,a.o.data=new Uint8Array(e),a.allocSize=e,a.totalSize=0,a.readOnly=!1,a.pos=0,a}(t);if("bigMem"==t.type)return function(t){const e=t.initialSize||0,a=new Pa;a.o=t;const i=e?Math.floor((e-1)/Ea)+1:0;a.o.data=[];for(let t=0;ta)throw new Error("Version not supported");const l=await n.readULE32();let s=[];for(let t=0;t1)throw new Error(t.fileName+": Section Duplicated "+a);t.pos=e[a][0].p,t.readingSection=e[a][0]}async function Ka(t,e){if(void 0===t.readingSection)throw new Error("Not reading a section");if(!e&&t.pos-t.readingSection.p!=t.readingSection.size)throw new Error("Invalid section size reading");delete t.readingSection}async function Ha(t,e,a,i){const o=new Uint8Array(a);ma.toRprLE(o,0,e,a),await t.write(o,i)}async function $a(t,e,a){const i=await t.read(e,a);return ma.fromRprLE(i,0,e)}async function Ya(t,e,a,i,o){void 0===o&&(o=e[i][0].size);const n=t.pageSize;await Va(t,e,i),await Na(a,i);for(let e=0;ee[a][0].size)throw new Error("Reading out of the range of the section");let n;return n=o<1<<30?new Uint8Array(o):new Oe(o),await t.readToBuffer(n,0,o,e[a][0].p+i),n}async function Za(t,e,a,i,o){const n=16*t.pageSize;if(await Va(t,e,o),await Va(a,i,o),e[o][0].size!=i[o][0].size)return!1;const r=e[o][0].size;for(let e=0;e=0)e=await fa();else{if(!(["BLS12381"].indexOf(a)>=0))throw new Error(`Curve not supported: ${t}`);e=await _a()}return e}var oi={exports:{}},ni=function t(e,a){if(!e){var i=new ri(a);throw Error.captureStackTrace&&Error.captureStackTrace(i,t),i}};class ri extends Error{}ri.prototype.name="AssertionError";var ci={exports:{}};function li(t){return t.length}var si={byteLength:li,toString:function(t){const e=t.byteLength;let a="";for(let i=0;i1&&61===t.charCodeAt(e-1)&&e--,3*e>>>2}ui[45]=62,ui[95]=63;var fi={byteLength:gi,toString:function(t){const e=t.byteLength;let a="";for(let i=0;i>2]+di[(3&t[i])<<4|t[i+1]>>4]+di[(15&t[i+1])<<2|t[i+2]>>6]+di[63&t[i+2]];return e%3==2?a=a.substring(0,a.length-1)+"=":e%3==1&&(a=a.substring(0,a.length-2)+"=="),a},write:function(t,e,a=0,i=gi(e)){const o=Math.min(i,t.byteLength-a);for(let a=0,i=0;i>4,t[i++]=(15&n)<<4|r>>2,t[i++]=(3&r)<<6|63&c}return o}};function _i(t){return t.length>>>1}var pi={byteLength:_i,toString:function(t){const e=t.byteLength;t=new DataView(t.buffer,t.byteOffset,e);let a="",i=0;for(let o=e-e%4;i=48&&t<=57?t-48:t>=65&&t<=70?t-65+10:t>=97&&t<=102?t-97+10:void 0}function mi(t){let e=0;for(let a=0,i=t.length;a=55296&&o<=56319&&a+1=56320&&i<=57343){e+=4,a++;continue}}e+=o<=127?1:o<=2047?2:3}return e}let Li,wi;if("undefined"!=typeof TextDecoder){const t=new TextDecoder;Li=function(e){return t.decode(e)}}else Li=function(t){const e=t.byteLength;let a="",i=0;for(;i0){let e=0;for(;e>i,i-=6;i>=0;)t[r++]=128|a>>i&63,i-=6;n+=a>=65536?2:1}return o};var bi={byteLength:mi,toString:Li,write:wi};function Ai(t){return 2*t.length}var yi,Ii,Ci={byteLength:Ai,toString:function(t){const e=t.byteLength;let a="";for(let i=0;i>8,r=o%256;t[a+2*i]=r,t[a+2*i+1]=n}return o}};!function(t,e){const a=si,i=fi,o=pi,n=bi,r=Ci,c=255===new Uint8Array(Uint16Array.of(255).buffer)[0];function l(t){switch(t){case"ascii":return a;case"base64":return i;case"hex":return o;case"utf8":case"utf-8":case void 0:return n;case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return r;default:throw new Error(`Unknown encoding: ${t}`)}}function s(t){return t instanceof Uint8Array}function d(t,e,a){return"string"==typeof t?function(t,e){const a=l(e),i=new Uint8Array(a.byteLength(t));return a.write(i,t,0,i.byteLength),i}(t,e):Array.isArray(t)?function(t){const e=new Uint8Array(t.length);return e.set(t),e}(t):ArrayBuffer.isView(t)?function(t){const e=new Uint8Array(t.byteLength);return e.set(t),e}(t):function(t,e,a){return new Uint8Array(t,e,a)}(t,e,a)}function u(t,e,a,i,o){if(0===t.byteLength)return-1;if("string"==typeof a?(i=a,a=0):void 0===a?a=o?0:t.length-1:a<0&&(a+=t.byteLength),a>=t.byteLength){if(o)return-1;a=t.byteLength-1}else if(a<0){if(!o)return-1;a=0}if("string"==typeof e)e=d(e,i);else if("number"==typeof e)return e&=255,o?t.indexOf(e,a):t.lastIndexOf(e,a);if(0===e.byteLength)return-1;if(o){let i=-1;for(let o=a;ot.byteLength&&(a=t.byteLength-e.byteLength);for(let i=a;i>=0;i--){let a=!0;for(let o=0;oo)return 1}return t.byteLength>e.byteLength?1:t.byteLengtht+e.byteLength),0));const a=new Uint8Array(e);return t.reduce(((t,e)=>(a.set(e,t),t+e.byteLength)),0),a},copy:function(t,e,a=0,i=0,o=t.byteLength){if(o>0&&o=t.byteLength)throw new RangeError("sourceStart is out of range");if(o<0)throw new RangeError("sourceEnd is out of range");a>=e.byteLength&&(a=e.byteLength),o>t.byteLength&&(o=t.byteLength),e.byteLength-a=o||i<=a?"":(a<0&&(a=0),i>o&&(i=o),(0!==a||i{for(var t=new Uint8Array(128),e=0;e<64;e++)t[e<26?e+65:e<52?e+71:e<62?e-4:4*e-205]=e;return e=>{for(var a=e.length,i=new Uint8Array(3*(a-("="==e[a-1])-("="==e[a-2]))/4|0),o=0,n=0;o>4,i[n++]=c<<4|l>>2,i[n++]=l<<6|s}return i}})(),e=((t,e)=>function(){return e||(0,t[Object.keys(t)[0]])((e={exports:{}}).exports,e),e.exports})({"wasm-binary:./blake2b.wat"(e,a){a.exports=t("")}}),a=e(),i=WebAssembly.compile(a);return yi=async t=>(await WebAssembly.instantiate(await i,t)).exports}()().then((t=>{Ei=t})),vi=64,Si=[];oi.exports=qi;var Gi=oi.exports.BYTES_MIN=16,Pi=oi.exports.BYTES_MAX=64;oi.exports.BYTES=32;var Oi=oi.exports.KEYBYTES_MIN=16,Ui=oi.exports.KEYBYTES_MAX=64;oi.exports.KEYBYTES=32;var zi=oi.exports.SALTBYTES=16,Qi=oi.exports.PERSONALBYTES=16;function qi(t,e,a,i,o){if(!(this instanceof qi))return new qi(t,e,a,i,o);if(!Ei)throw new Error("WASM not loaded. Wait for Blake2b.ready(cb)");t||(t=32),!0!==o&&(Fi(t>=Gi,"digestLength must be at least "+Gi+", was given "+t),Fi(t<=Pi,"digestLength must be at most "+Pi+", was given "+t),null!=e&&(Fi(e instanceof Uint8Array,"key must be Uint8Array or Buffer"),Fi(e.length>=Oi,"key must be at least "+Oi+", was given "+e.length),Fi(e.length<=Ui,"key must be at least "+Ui+", was given "+e.length)),null!=a&&(Fi(a instanceof Uint8Array,"salt must be Uint8Array or Buffer"),Fi(a.length===zi,"salt must be exactly "+zi+", was given "+a.length)),null!=i&&(Fi(i instanceof Uint8Array,"personal must be Uint8Array or Buffer"),Fi(i.length===Qi,"personal must be exactly "+Qi+", was given "+i.length))),Si.length||(Si.push(vi),vi+=216),this.digestLength=t,this.finalized=!1,this.pointer=Si.pop(),this._memory=new Uint8Array(Ei.memory.buffer),this._memory.fill(0,0,64),this._memory[0]=this.digestLength,this._memory[1]=e?e.length:0,this._memory[2]=1,this._memory[3]=1,a&&this._memory.set(a,32),i&&this._memory.set(i,48),this.pointer+216>this._memory.length&&this._realloc(this.pointer+216),Ei.blake2b_init(this.pointer,this.digestLength),e&&(this.update(e),this._memory.fill(0,vi,vi+e.length),this._memory[this.pointer+200]=128)}function Mi(){}function Ti(t){return(0!=(4294901760&t)?(t&=4294901760,16):0)|(0!=(4278255360&t)?(t&=4278255360,8):0)|(0!=(4042322160&t)?(t&=4042322160,4):0)|(0!=(3435973836&t)?(t&=3435973836,2):0)|0!=(2863311530&t)}function ki(t,e){const a=new DataView(t.buffer,t.byteOffset,t.byteLength);let i="";for(let t=0;t<4;t++){t>0&&(i+="\n"),i+="\t\t";for(let e=0;e<4;e++)e>0&&(i+=" "),i+=a.getUint32(16*t+4*e).toString(16).padStart(8,"0")}return e&&(i=e+"\n"+i),i}function Ri(t,e){if(t.byteLength!=e.byteLength)return!1;for(var a=new Int8Array(t),i=new Int8Array(e),o=0;o!=t.byteLength;o++)if(a[o]!=i[o])return!1;return!0}function Di(t){const e=t.getPartialHash(),a=oi.exports(64);return a.setPartialHash(e),a}async function Ni(t,e,a,i,o){if(t.G1.isZero(e))return!1;if(t.G1.isZero(a))return!1;if(t.G2.isZero(i))return!1;if(t.G2.isZero(o))return!1;return await t.pairingEq(e,o,t.G1.neg(a),i)}async function ji(t){for(;!t;)t=await window.prompt("Enter a random text. (Entropy): ","");const e=oi.exports(64);e.update(M.randomBytes(64));const a=new TextEncoder;e.update(a.encode(t));const i=Buffer.from(e.digest()),o=[];for(let t=0;t<8;t++)o[t]=i.readUInt32BE(4*t);return new q(o)}function Vi(t,e){let a,i;e<32?(a=1<>>0,i=1):(a=4294967296,i=1<>>0);let o=t;for(let t=0;t{a[i]=$i(t,e[i])})),a}return"bigint"==typeof e||void 0!==e.eq?e.toString(10):e}qi.prototype._realloc=function(t){Ei.memory.grow(Math.max(0,Math.ceil(Math.abs(t-this._memory.length)/65536))),this._memory=new Uint8Array(Ei.memory.buffer)},qi.prototype.update=function(t){return Fi(!1===this.finalized,"Hash instance finalized"),Fi(t instanceof Uint8Array,"input must be Uint8Array or Buffer"),vi+t.length>this._memory.length&&this._realloc(vi+t.length),this._memory.set(t,vi),Ei.blake2b_update(this.pointer,vi,vi+t.length),this},qi.prototype.digest=function(t){if(Fi(!1===this.finalized,"Hash instance finalized"),this.finalized=!0,Si.push(this.pointer),Ei.blake2b_final(this.pointer),!t||"binary"===t)return this._memory.slice(this.pointer+128,this.pointer+128+this.digestLength);if("string"==typeof t)return xi.toString(this._memory,t,this.pointer+128,this.pointer+128+this.digestLength);Fi(t instanceof Uint8Array&&t.length>=this.digestLength,"input must be Uint8Array or Buffer");for(var e=0;et()),t):t(new Error("WebAssembly not supported"))},qi.prototype.ready=qi.ready,qi.prototype.getPartialHash=function(){return this._memory.slice(this.pointer,this.pointer+216)},qi.prototype.setPartialHash=function(t){this._memory.set(t,this.pointer)};const Yi=1,Wi=2,Zi=10,Ji=2;async function Xi(t,e){await Na(t,1),await t.writeULE32(1),await ja(t);const a=await ai(e.q);await Na(t,2);const i=a.q,o=8*(Math.floor((ma.bitLength(i)-1)/64)+1),n=a.r,r=8*(Math.floor((ma.bitLength(n)-1)/64)+1);await t.writeULE32(o),await Ha(t,i,o),await t.writeULE32(r),await Ha(t,n,r),await t.writeULE32(e.nVars),await t.writeULE32(e.nPublic),await t.writeULE32(e.domainSize),await to(t,a,e.vk_alpha_1),await to(t,a,e.vk_beta_1),await eo(t,a,e.vk_beta_2),await eo(t,a,e.vk_gamma_2),await to(t,a,e.vk_delta_1),await eo(t,a,e.vk_delta_2),await ja(t)}async function to(t,e,a){const i=new Uint8Array(2*e.G1.F.n8);e.G1.toRprLEM(i,0,a),await t.write(i)}async function eo(t,e,a){const i=new Uint8Array(2*e.G2.F.n8);e.G2.toRprLEM(i,0,a),await t.write(i)}async function ao(t,e,a){const i=await t.read(2*e.G1.F.n8),o=e.G1.fromRprLEM(i,0);return a?e.G1.toObject(o):o}async function io(t,e,a){const i=await t.read(2*e.G2.F.n8),o=e.G2.fromRprLEM(i,0);return a?e.G2.toObject(o):o}async function oo(t,e,a){await Va(t,e,1);const i=await t.readULE32();if(await Ka(t),i===Yi)return await async function(t,e,a){const i={protocol:"groth16"};await Va(t,e,2);const o=await t.readULE32();i.n8q=o,i.q=await $a(t,o);const n=await t.readULE32();return i.n8r=n,i.r=await $a(t,n),i.curve=await ai(i.q),i.nVars=await t.readULE32(),i.nPublic=await t.readULE32(),i.domainSize=await t.readULE32(),i.power=Ti(i.domainSize),i.vk_alpha_1=await ao(t,i.curve,a),i.vk_beta_1=await ao(t,i.curve,a),i.vk_beta_2=await io(t,i.curve,a),i.vk_gamma_2=await io(t,i.curve,a),i.vk_delta_1=await ao(t,i.curve,a),i.vk_delta_2=await io(t,i.curve,a),await Ka(t),i}(t,e,a);if(i===Wi)return await async function(t,e,a){const i={protocol:"plonk"};await Va(t,e,2);const o=await t.readULE32();i.n8q=o,i.q=await $a(t,o);const n=await t.readULE32();return i.n8r=n,i.r=await $a(t,n),i.curve=await ai(i.q),i.nVars=await t.readULE32(),i.nPublic=await t.readULE32(),i.domainSize=await t.readULE32(),i.power=Ti(i.domainSize),i.nAdditions=await t.readULE32(),i.nConstrains=await t.readULE32(),i.k1=await t.read(n),i.k2=await t.read(n),i.Qm=await ao(t,i.curve,a),i.Ql=await ao(t,i.curve,a),i.Qr=await ao(t,i.curve,a),i.Qo=await ao(t,i.curve,a),i.Qc=await ao(t,i.curve,a),i.S1=await ao(t,i.curve,a),i.S2=await ao(t,i.curve,a),i.S3=await ao(t,i.curve,a),i.X_2=await io(t,i.curve,a),await Ka(t),i}(t,e,a);if(i===Zi)return await async function(t,e,a){const i={protocol:"fflonk"};i.protocolId=Zi,await Va(t,e,Ji);const o=await t.readULE32();i.n8q=o,i.q=await $a(t,o),i.curve=await ai(i.q);const n=await t.readULE32();return i.n8r=n,i.r=await $a(t,n),i.nVars=await t.readULE32(),i.nPublic=await t.readULE32(),i.domainSize=await t.readULE32(),i.power=Ti(i.domainSize),i.nAdditions=await t.readULE32(),i.nConstraints=await t.readULE32(),i.k1=await t.read(n),i.k2=await t.read(n),i.w3=await t.read(n),i.w4=await t.read(n),i.w8=await t.read(n),i.wr=await t.read(n),i.X_2=await io(t,i.curve,a),i.C0=await ao(t,i.curve,a),await Ka(t),i}(t,e,a);throw new Error("Protocol not supported: ")}async function no(t,e,a){const i={delta:{}};i.deltaAfter=await ao(t,e,a),i.delta.g1_s=await ao(t,e,a),i.delta.g1_sx=await ao(t,e,a),i.delta.g2_spx=await io(t,e,a),i.transcript=await t.read(64),i.type=await t.readULE32();const o=await t.readULE32(),n=t.pos;let r=0;for(;t.pos-n0){const e=new Uint8Array(i);await t.writeULE32(e.byteLength),await t.write(e)}else await t.writeULE32(0)}async function lo(t,e,a){await Na(t,10),await t.write(a.csHash),await t.writeULE32(a.contributions.length);for(let i=0;i0;)a.unshift(0),n--;return a}async function Lo(t,e){e=e||{};let a,i=32767,o=!1;for(;!o;)try{a=new WebAssembly.Memory({initial:i}),o=!0}catch(t){if(1===i)throw t;console.warn("Could not allocate "+1024*i*64+" bytes. This may cause severe instability. Trying with "+1024*i*64/2+" bytes"),i=Math.floor(i/2)}const n=await WebAssembly.compile(t);let r,c="",l="",s=1,d=0,u=0;const g=await WebAssembly.instantiate(n,{env:{memory:a},runtime:{exceptionHandler:function(t){let e;throw e=1==t?"Signal not found. ":2==t?"Too many signals set. ":3==t?"Signal already set. ":4==t?"Assert Failed. ":5==t?"Not enough memory. ":6==t?"Input signal array access exceeds the size. ":"Unknown error. ",console.error("ERROR: ",t,c),new Error(e+c)},printErrorMessage:function(){c+=_()+"\n"},writeBufferMessage:function(){const t=_();"\n"===t?(console.log(l),l=""):(""!==l&&(l+=" "),l+=t)},showSharedRWMemory:function(){const t=g.exports.getFieldNumLen32(),e=new Uint32Array(t);for(let a=0;a=2&&(d>=1||u>=7)){""!==l&&(l+=" ");const t=ma.fromArray(e,4294967296).toString();l+=t}else console.log(ma.fromArray(e,4294967296))},error:function(t,a,i,o,n,c){let l;throw l=7==t?p(a)+" "+r.getFr(o).toString()+" != "+r.getFr(n).toString()+" "+p(c):9==t?p(a)+" "+r.getFr(o).toString()+" "+p(n):5==t&&e.sym?p(a)+" "+e.sym.labelIdx2Name[n]:p(a)+" "+i+" "+o+" "+n+" "+c,console.log("ERROR: ",t,l),new Error(l)},log:function(t){console.log(r.getFr(t).toString())},logGetSignal:function(t,a){e.logGetSignal&&e.logGetSignal(t,r.getFr(a))},logSetSignal:function(t,a){e.logSetSignal&&e.logSetSignal(t,r.getFr(a))},logStartComponent:function(t){e.logStartComponent&&e.logStartComponent(t)},logFinishComponent:function(t){e.logFinishComponent&&e.logFinishComponent(t)}}});"function"==typeof g.exports.getVersion&&(s=g.exports.getVersion()),"function"==typeof g.exports.getMinorVersion&&(d=g.exports.getMinorVersion()),"function"==typeof g.exports.getPatchVersion&&(u=g.exports.getPatchVersion());const f=e&&(e.sanityCheck||e.logGetSignal||e.logSetSignal||e.logStartComponent||e.logFinishComponent);return r=2===s?new bo(g,f):new wo(a,g,f),r;function _(){for(var t="",e=g.exports.getMessageChar();0!=e;)t+=String.fromCharCode(e),e=g.exports.getMessageChar();return t}function p(t){const e=new Uint8Array(a.buffer),i=[];for(let a=0;e[t+a]>0;a++)i.push(e[t+a]);return String.fromCharCode.apply(null,i)}}class wo{constructor(t,e,a){this.memory=t,this.i32=new Uint32Array(t.buffer),this.instance=e,this.n32=(this.instance.exports.getFrLen()>>2)-2;const i=this.instance.exports.getPRawPrime(),o=new Array(this.n32);for(let t=0;t>2)+t];this.prime=ma.fromArray(o,4294967296),this.Fr=new V(this.prime),this.mask32=ma.fromString("FFFFFFFF",16),this.NVars=this.instance.exports.getNVars(),this.n64=Math.floor((this.Fr.bitLength-1)/64)+1,this.R=this.Fr.e(ma.shiftLeft(1,64*this.n64)),this.RInv=this.Fr.inv(this.R),this.sanityCheck=a}circom_version(){return 1}async _doCalculateWitness(t,e){this.instance.exports.init(this.sanityCheck||e?1:0);const a=this.allocInt(),i=this.allocFr();Object.keys(t).forEach((e=>{const o=ho(e),n=parseInt(o.slice(0,8),16),r=parseInt(o.slice(8,16),16);try{this.instance.exports.getSignalOffset32(a,0,n,r)}catch(t){throw new Error(`Signal ${e} is not an input of the circuit.`)}const c=this.getInt(a),l=po(t[e]);for(let t=0;t>2]}setInt(t,e){this.i32[t>>2]=e}getFr(t){const e=this,a=t>>2;if(2147483648&e.i32[a+1]){const t=new Array(e.n32);for(let i=0;i>2]=o,void(a.i32[1+(t>>2)]=0)}a.i32[t>>2]=0,a.i32[1+(t>>2)]=2147483648;const n=ma.toArray(e,4294967296);for(let e=0;e>2)+e]=i>=0?n[i]:0}}}class bo{constructor(t,e){this.instance=t,this.version=this.instance.exports.getVersion(),this.n32=this.instance.exports.getFieldNumLen32(),this.instance.exports.getRawPrime();const a=new Array(this.n32);for(let t=0;t{const a=ho(e),o=parseInt(a.slice(0,8),16),n=parseInt(a.slice(8,16),16),r=po(t[e]);for(let t=0;t1)throw new Error(t.fileName+": File has more than one header");t.pos=e[1][0].p;const a=await t.readULE32(),i=await t.read(a),o=ma.fromRprLE(i),n=await ai(o);if(8*n.F1.n64!=a)throw new Error(t.fileName+": Invalid size");const r=await t.readULE32(),c=await t.readULE32();if(t.pos-e[1][0].p!=e[1][0].size)throw new Error("Invalid PTau header size");return{curve:n,power:r,ceremonyPower:c}}function Uo(t,e,a,i){const o={tau:{},alpha:{},beta:{}};return o.tau.g1_s=n(),o.tau.g1_sx=n(),o.alpha.g1_s=n(),o.alpha.g1_sx=n(),o.beta.g1_s=n(),o.beta.g1_sx=n(),o.tau.g2_spx=r(),o.alpha.g2_spx=r(),o.beta.g2_spx=r(),o;function n(){let o;return o=i?a.G1.fromRprLEM(t,e):a.G1.fromRprUncompressed(t,e),e+=2*a.G1.F.n8,o}function r(){let o;return o=i?a.G2.fromRprLEM(t,e):a.G2.fromRprUncompressed(t,e),e+=2*a.G2.F.n8,o}}function zo(t,e,a,i,o){async function n(i){o?a.G1.toRprLEM(t,e,i):a.G1.toRprUncompressed(t,e,i),e+=2*a.F1.n8}async function r(i){o?a.G2.toRprLEM(t,e,i):a.G2.toRprUncompressed(t,e,i),e+=2*a.F2.n8}return n(i.tau.g1_s),n(i.tau.g1_sx),n(i.alpha.g1_s),n(i.alpha.g1_sx),n(i.beta.g1_s),n(i.beta.g1_sx),r(i.tau.g2_spx),r(i.alpha.g2_spx),r(i.beta.g2_spx),t}async function Qo(t,e){const a={};a.tauG1=await l(),a.tauG2=await s(),a.alphaG1=await l(),a.betaG1=await l(),a.betaG2=await s(),a.key=await async function(t,e,a){return Uo(await t.read(2*e.F1.n8*6+2*e.F2.n8*3),0,e,a)}(t,e,!0),a.partialHash=await t.read(216),a.nextChallenge=await t.read(64),a.type=await t.readULE32();const i=new Uint8Array(2*e.G1.F.n8*6+2*e.G2.F.n8*3);zo(i,0,e,a.key,!1);const o=oi.exports(64);o.setPartialHash(a.partialHash),o.update(i),a.responseHash=o.digest();const n=await t.readULE32(),r=t.pos;let c=0;for(;t.pos-r1)throw new Error(t.fileName+": File has more than one contributions section");t.pos=a[7][0].p;const i=await t.readULE32(),o=[];for(let a=0;a0){const e=new Uint8Array(n);await t.writeULE32(e.byteLength),await t.write(e)}else await t.writeULE32(0);async function r(a){e.G1.toRprLEM(i,0,a),await t.write(i)}async function c(a){e.G2.toRprLEM(o,0,a),await t.write(o)}}async function To(t,e,a){await t.writeULE32(7);const i=t.pos;await t.writeULE64(0),await t.writeULE32(a.length);for(let i=0;i0?u[u.length-1].nextChallenge:ko(s,d,n);const w=await Da(a,"ptau",1,o?7:2);await Po(w,s,d);const b=await m.read(64);if(Ri(r,L)&&(L=b,u[u.length-1].nextChallenge=L),!Ri(b,L))throw new Error("Wrong contribution. this contribution is not based on the previus hash");const A=new oi.exports(64);A.update(b);const y=[];let I;I=await x(m,w,"G1",2,2**d*2-1,[1],"tauG1"),g.tauG1=I[0],I=await x(m,w,"G2",3,2**d,[1],"tauG2"),g.tauG2=I[0],I=await x(m,w,"G1",4,2**d,[0],"alphaG1"),g.alphaG1=I[0],I=await x(m,w,"G1",5,2**d,[0],"betaG1"),g.betaG1=I[0],I=await x(m,w,"G2",6,1,[0],"betaG2"),g.betaG2=I[0],g.partialHash=A.getPartialHash();const C=await m.read(2*s.F1.n8*6+2*s.F2.n8*3);g.key=Uo(C,0,s,!1),A.update(new Uint8Array(C));const F=A.digest();if(n&&n.info(ki(F,"Contribution Response Hash imported: ")),o){const t=new oi.exports(64);t.update(F),await E(t,w,"G1",2,2**d*2-1,"tauG1",n),await E(t,w,"G2",3,2**d,"tauG2",n),await E(t,w,"G1",4,2**d,"alphaTauG1",n),await E(t,w,"G1",5,2**d,"betaTauG1",n),await E(t,w,"G2",6,1,"betaG2",n),g.nextChallenge=t.digest(),n&&n.info(ki(g.nextChallenge,"Next Challenge Hash: "))}else g.nextChallenge=r;return u.push(g),await To(w,s,u),await m.close(),await w.close(),await c.close(),g.nextChallenge;async function x(t,e,a,i,r,c,l){return o?await async function(t,e,a,i,o,r,c){const l=s[a],d=l.F.n8,u=2*l.F.n8,g=[];await Na(e,i);const f=Math.floor((1<<24)/u);y[i]=e.pos;for(let a=0;a=a&&e=e&&o1?l[l.length-2]:s;const u=l[l.length-1];if(e&&e.debug("Validating contribution #"+l[l.length-1].id),!await No(n,u,d,e))return!1;const g=oi.exports(64);g.update(u.responseHash),e&&e.debug("Verifying powers in tau*G1 section");const f=await b(2,"G1","tauG1",2**r*2-1,[0,1],e);if(a=await Do(n,f.R1,f.R2,n.G2.g,u.tauG2),!0!==a)return e&&e.error("tauG1 section. Powers do not match"),!1;if(!n.G1.eq(n.G1.g,f.singularPoints[0]))return e&&e.error("First element of tau*G1 section must be the generator"),!1;if(!n.G1.eq(u.tauG1,f.singularPoints[1]))return e&&e.error("Second element of tau*G1 section does not match the one in the contribution section"),!1;e&&e.debug("Verifying powers in tau*G2 section");const _=await b(3,"G2","tauG2",2**r,[0,1],e);if(a=await Do(n,n.G1.g,u.tauG1,_.R1,_.R2),!0!==a)return e&&e.error("tauG2 section. Powers do not match"),!1;if(!n.G2.eq(n.G2.g,_.singularPoints[0]))return e&&e.error("First element of tau*G2 section must be the generator"),!1;if(!n.G2.eq(u.tauG2,_.singularPoints[1]))return e&&e.error("Second element of tau*G2 section does not match the one in the contribution section"),!1;e&&e.debug("Verifying powers in alpha*tau*G1 section");const p=await b(4,"G1","alphatauG1",2**r,[0],e);if(a=await Do(n,p.R1,p.R2,n.G2.g,u.tauG2),!0!==a)return e&&e.error("alphaTauG1 section. Powers do not match"),!1;if(!n.G1.eq(u.alphaG1,p.singularPoints[0]))return e&&e.error("First element of alpha*tau*G1 section (alpha*G1) does not match the one in the contribution section"),!1;e&&e.debug("Verifying powers in beta*tau*G1 section");const h=await b(5,"G1","betatauG1",2**r,[0],e);if(a=await Do(n,h.R1,h.R2,n.G2.g,u.tauG2),!0!==a)return e&&e.error("betaTauG1 section. Powers do not match"),!1;if(!n.G1.eq(u.betaG1,h.singularPoints[0]))return e&&e.error("First element of beta*tau*G1 section (beta*G1) does not match the one in the contribution section"),!1;const m=await async function(t){const e=n.G2,a=2*e.F.n8,r=new Uint8Array(a);if(!o[6])throw t.error("File has no BetaG2 section"),new Error("File has no BetaG2 section");if(o[6].length>1)throw t.error("File has no BetaG2 section"),new Error("File has more than one GetaG2 section");i.pos=o[6][0].p;const c=await i.read(a),l=e.fromRprLEM(c);return e.toRprUncompressed(r,0,l),g.update(r),l}(e);if(!n.G2.eq(u.betaG2,m))return e&&e.error("betaG2 element in betaG2 section does not match the one in the contribution section"),!1;const L=g.digest();if(r==c&&!Ri(L,u.nextChallenge))return e&&e.error("Hash of the values does not match the next challenge of the last contributor in the contributions section"),!1;e&&e.info(ki(L,"Next challenge hash: ")),w(u,d);for(let t=l.length-2;t>=0;t--){const a=l[t],i=t>0?l[t-1]:s;if(!await No(n,a,i,e))return!1;w(a,i)}if(e&&e.info("-----------------------------------------------------"),o[12]&&o[13]&&o[14]&&o[15]){let t;if(t=await A("G1",2,12,"tauG1",e),!t)return!1;if(t=await A("G2",3,13,"tauG2",e),!t)return!1;if(t=await A("G1",4,14,"alphaTauG1",e),!t)return!1;if(t=await A("G1",5,15,"betaTauG1",e),!t)return!1}else e&&e.warn('this file does not contain phase2 precalculated values. Please run: \n snarkjs "powersoftau preparephase2" to prepare this file to be used in the phase2 ceremony.');return await i.close(),e&&e.info("Powers of Tau Ok!"),!0;function w(t,a){if(!e)return;e.info("-----------------------------------------------------"),e.info(`Contribution #${t.id}: ${t.name||""}`),e.info(ki(t.nextChallenge,"Next Challenge: "));const i=new Uint8Array(2*n.G1.F.n8*6+2*n.G2.F.n8*3);zo(i,0,n,t.key,!1);const o=oi.exports(64);o.setPartialHash(t.partialHash),o.update(i);const r=o.digest();e.info(ki(r,"Response Hash:")),e.info(ki(a.nextChallenge,"Response Hash:")),1==t.type&&(e.info(`Beacon generator: ${Hi(t.beaconHash)}`),e.info(`Beacon iterations Exp: ${t.numIterationsExp}`))}async function b(t,e,a,r,c,l){const s=n[e],d=2*s.F.n8;await Va(i,o,t);const u=[];let f=s.zero,_=s.zero,p=s.zero;for(let t=0;t0){const t=s.fromRprLEM(o,0),e=M.randomBytes(4).readUInt32BE(0,!0);f=s.add(f,s.timesScalar(p,e)),_=s.add(_,s.timesScalar(t,e))}const m=await s.multiExpAffine(o.slice(0,(e-1)*d),h),L=await s.multiExpAffine(o.slice(d),h);f=s.add(f,m),_=s.add(_,L),p=s.fromRprLEM(o,(e-1)*d);for(let a=0;a=t&&i1;)s/=2,d+=1;if(2**d!=l)throw new Error("Invalid file size");o&&o.debug("Power to tau size: "+d);const u=await ji(i),g=await Ta(a),f=oi.exports(64);for(let t=0;t{o.debug(e+".g1_s: "+t.G1.toString(h[e].g1_s,16)),o.debug(e+".g1_sx: "+t.G1.toString(h[e].g1_sx,16)),o.debug(e+".g2_sp: "+t.G2.toString(h[e].g2_sp,16)),o.debug(e+".g2_spx: "+t.G2.toString(h[e].g2_spx,16)),o.debug("")}));const m=oi.exports(64);await g.write(p),m.update(p),await Vo(n,g,m,t,"G1",2**d*2-1,t.Fr.one,h.tau.prvKey,"COMPRESSED","tauG1",o),await Vo(n,g,m,t,"G2",2**d,t.Fr.one,h.tau.prvKey,"COMPRESSED","tauG2",o),await Vo(n,g,m,t,"G1",2**d,h.alpha.prvKey,h.tau.prvKey,"COMPRESSED","alphaTauG1",o),await Vo(n,g,m,t,"G1",2**d,h.beta.prvKey,h.tau.prvKey,"COMPRESSED","betaTauG1",o),await Vo(n,g,m,t,"G2",1,h.beta.prvKey,h.tau.prvKey,"COMPRESSED","betaTauG2",o);const L=new Uint8Array(2*t.F1.n8*6+2*t.F2.n8*3);zo(L,0,t,h,!1),await g.write(L),m.update(L);const w=m.digest();o&&o.info(ki(w,"Contribution Response Hash: ")),await g.close(),await n.close()},beacon:async function(t,e,a,i,o,n){const r=Ki(i);if(0==r.byteLength||2*r.byteLength!=i.length)return n&&n.error("Invalid Beacon Hash. (It must be a valid hexadecimal sequence)"),!1;if(r.length>=256)return n&&n.error("Maximum lenght of beacon hash is 255 bytes"),!1;if((o=parseInt(o))<10||o>63)return n&&n.error("Invalid numIterationsExp. (Must be between 10 and 63)"),!1;await oi.exports.ready();const{fd:c,sections:l}=await Ra(t,"ptau",1),{curve:s,power:d,ceremonyPower:u}=await Oo(c,l);if(d!=u)return n&&n.error("This file has been reduced. You cannot contribute into a reduced file."),!1;l[12]&&n&&n.warn("Contributing into a file that has phase2 calculated. You will have to prepare phase2 again.");const g=await qo(c,s,l),f={name:a,type:1,numIterationsExp:o,beaconHash:r};let _;_=g.length>0?g[g.length-1].nextChallenge:ko(s,d,n),f.key=Ro(s,_,r,o);const p=new oi.exports(64);p.update(_);const h=await Da(e,"ptau",1,7);await Po(h,s,d);const m=[];let L;L=await y(2,"G1",2**d*2-1,s.Fr.e(1),f.key.tau.prvKey,"tauG1",n),f.tauG1=L[1],L=await y(3,"G2",2**d,s.Fr.e(1),f.key.tau.prvKey,"tauG2",n),f.tauG2=L[1],L=await y(4,"G1",2**d,f.key.alpha.prvKey,f.key.tau.prvKey,"alphaTauG1",n),f.alphaG1=L[0],L=await y(5,"G1",2**d,f.key.beta.prvKey,f.key.tau.prvKey,"betaTauG1",n),f.betaG1=L[0],L=await y(6,"G2",1,f.key.beta.prvKey,f.key.tau.prvKey,"betaTauG2",n),f.betaG2=L[0],f.partialHash=p.getPartialHash();const w=new Uint8Array(2*s.F1.n8*6+2*s.F2.n8*3);zo(w,0,s,f.key,!1),p.update(new Uint8Array(w));const b=p.digest();n&&n.info(ki(b,"Contribution Response Hash imported: "));const A=new oi.exports(64);return A.update(b),await I(h,"G1",2,2**d*2-1,"tauG1",n),await I(h,"G2",3,2**d,"tauG2",n),await I(h,"G1",4,2**d,"alphaTauG1",n),await I(h,"G1",5,2**d,"betaTauG1",n),await I(h,"G2",6,1,"betaG2",n),f.nextChallenge=A.digest(),n&&n.info(ki(f.nextChallenge,"Next Challenge Hash: ")),g.push(f),await To(h,s,g),await c.close(),await h.close(),b;async function y(t,e,a,i,o,n,r){const d=[];c.pos=l[t][0].p,await Na(h,t),m[t]=h.pos;const u=s[e],g=2*u.F.n8,f=Math.floor((1<<20)/g);let _=i;for(let t=0;t0?d[d.length-1].nextChallenge:ko(c,l,o),u.key=Go(c,g,f);const _=new oi.exports(64);_.update(g);const p=await Da(e,"ptau",1,7);await Po(p,c,l);const h=[];let m;m=await A(2,"G1",2**l*2-1,c.Fr.e(1),u.key.tau.prvKey,"tauG1"),u.tauG1=m[1],m=await A(3,"G2",2**l,c.Fr.e(1),u.key.tau.prvKey,"tauG2"),u.tauG2=m[1],m=await A(4,"G1",2**l,u.key.alpha.prvKey,u.key.tau.prvKey,"alphaTauG1"),u.alphaG1=m[0],m=await A(5,"G1",2**l,u.key.beta.prvKey,u.key.tau.prvKey,"betaTauG1"),u.betaG1=m[0],m=await A(6,"G2",1,u.key.beta.prvKey,u.key.tau.prvKey,"betaTauG2"),u.betaG2=m[0],u.partialHash=_.getPartialHash();const L=new Uint8Array(2*c.F1.n8*6+2*c.F2.n8*3);zo(L,0,c,u.key,!1),_.update(new Uint8Array(L));const w=_.digest();o&&o.info(ki(w,"Contribution Response Hash imported: "));const b=new oi.exports(64);return b.update(w),await y(p,"G1",2,2**l*2-1,"tauG1"),await y(p,"G2",3,2**l,"tauG2"),await y(p,"G1",4,2**l,"alphaTauG1"),await y(p,"G1",5,2**l,"betaTauG1"),await y(p,"G2",6,1,"betaG2"),u.nextChallenge=b.digest(),o&&o.info(ki(u.nextChallenge,"Next Challenge Hash: ")),d.push(u),await To(p,c,d),await n.close(),await p.close(),w;async function A(t,e,a,i,l,s){const d=[];n.pos=r[t][0].p,await Na(p,t),h[t]=p.pos;const u=c[e],g=2*u.F.n8,f=Math.floor((1<<20)/g);let m=i;for(let t=0;t=this.length&&(this.length=t+1),!0}getKeys(){const t=new Wo;for(let e=0;e1<<20?new Wo:[];for(let t=0;t1<<20?new Wo:[];for(let t=0;t1<<20?new Wo:[];for(let t=0;t{let i="";return Object.keys(a).forEach((o=>{let n=e.varIdx2Name[o];"one"==n&&(n="1");let r=t.curve.Fr.toString(a[o]);"1"==r&&(r=""),"-1"==r&&(r="-"),""!=i&&"-"!=r[0]&&(r="+"+r),""!=i&&(r=" "+r),i=i+r+n})),i},n=`[ ${o(i[0])} ] * [ ${o(i[1])} ] - [ ${o(i[2])} ] = 0`;a&&a.info(n)}},info:async function(t,e){const a=await en(t);return ma.eq(a.prime,on)?e&&e.info("Curve: bn-128"):ma.eq(a.prime,an)?e&&e.info("Curve: bls12-381"):e&&e.info(`Unknown Curve. Prime: ${ma.toString(a.prime)}`),e&&e.info(`# of Wires: ${a.nVars}`),e&&e.info(`# of Constraints: ${a.nConstraints}`),e&&e.info(`# of Private Inputs: ${a.nPrvInputs}`),e&&e.info(`# of Public Inputs: ${a.nPubInputs}`),e&&e.info(`# of Labels: ${a.nLabels}`),e&&e.info(`# of Outputs: ${a.nOutputs}`),a},exportJson:async function(t,e){const a=await en(t,!0,!0,!0,e),i=a.curve.Fr;return delete a.curve,delete a.F,$i(i,a)}});async function rn(t){const e={labelIdx2Name:["one"],varIdx2Name:["one"],componentIdx2Name:[]},a=await ka(t),i=await a.read(a.totalSize),o=new TextDecoder("utf-8").decode(i).split("\n");for(let t=0;t Reading r1cs file");const{fd:i,sections:o}=await Ra(t,"r1cs",1),n=await tn(i,o,{loadConstraints:!1,loadCustomGates:!1});a&&a.info("> Reading witness file");const{fd:r,sections:c}=await Ra(e,"wtns",2),l=await go(r,c);if(!ma.eq(n.prime,l.q))throw new Error("Curve of the witness does not match the curve of the proving key");const s=await Wa(r,c,2);await r.close();const d=(await async function(t){let e;if(ma.eq(t,Xa))e=await fa();else{if(!ma.eq(t,Ja))throw new Error(`Curve not supported: ${ma.toString(t)}`);e=await _a()}return e}(n.prime)).Fr,u=d.n8,g=await Wa(i,o,2);a&&(a.info("----------------------------"),a.info(" WITNESS CHECK"),a.info(` Curve: ${n.curve.name}`),a.info(` Vars (wires): ${n.nVars}`),a.info(` Ouputs: ${n.nOutputs}`),a.info(` Public Inputs: ${n.nPubInputs}`),a.info(` Private Inputs: ${n.nPrvInputs}`),a.info(` Labels: ${n.nLabels}`),a.info(` Constraints: ${n.nConstraints}`),a.info(` Custom Gates: ${n.useCustomGates}`),a.info("----------------------------")),a&&a.info("> Checking witness correctness");let f=0,_=!0;for(let t=0;t{const i=function(t){return d.fromRprLE(s.slice(t*u,t*u+u))}(a),o=t[a];e=d.add(e,d.mul(i,o))})),e}function h(){const t={},e=g.slice(f,f+4);f+=4;const a=new DataView(e.buffer).getUint32(0,!0),i=g.slice(f,f+(4+n.n8)*a);f+=(4+n.n8)*a;const o=new DataView(i.buffer);for(let e=0;e=this.length&&(this.length=t+1),!0}getKeys(){const t=new _n;for(let e=0;eg)return i&&i.error(`circuit too big for this power of tau ceremony. ${p.nConstraints}*2 > 2**${g}`),-1;if(!d[12])return i&&i.error("Powers of tau is not prepared."),-1;const b=p.nOutputs+p.nPubInputs,A=2**w;await Na(h,1),await h.writeULE32(1),await ja(h),await Na(h,2);const y=u.q,I=8*(Math.floor((ma.bitLength(y)-1)/64)+1),C=u.r,F=8*(Math.floor((ma.bitLength(C)-1)/64)+1),x=ma.mod(ma.shl(1,8*F),C),E=u.Fr.e(ma.mod(ma.mul(x,x),C));let B,v,S;await h.writeULE32(I),await Ha(h,y,I),await h.writeULE32(F),await Ha(h,C,F),await h.writeULE32(p.nVars),await h.writeULE32(b),await h.writeULE32(A),B=await s.read(m,d[4][0].p),await h.write(B),B=await u.G1.batchLEMtoU(B),l.update(B),v=await s.read(m,d[5][0].p),await h.write(v),v=await u.G1.batchLEMtoU(v),l.update(v),S=await s.read(L,d[6][0].p),await h.write(S),S=await u.G2.batchLEMtoU(S),l.update(S);const G=new Uint8Array(m);u.G1.toRprLEM(G,0,u.G1.g);const P=new Uint8Array(L);u.G2.toRprLEM(P,0,u.G2.g);const O=new Uint8Array(m);u.G1.toRprUncompressed(O,0,u.G1.g);const U=new Uint8Array(L);u.G2.toRprUncompressed(U,0,u.G2.g),await h.write(P),await h.write(G),await h.write(P),l.update(U),l.update(O),l.update(U),await ja(h),i&&i.info("Reading r1cs");let z=await Wa(f,_,2);const Q=new _n(p.nVars),q=new _n(p.nVars),M=new _n(p.nVars),T=new _n(p.nVars-b-1),k=new Array(b+1);i&&i.info("Reading tauG1");let R=await Wa(s,d,12,(A-1)*m,A*m);i&&i.info("Reading tauG2");let D=await Wa(s,d,13,(A-1)*L,A*L);i&&i.info("Reading alphatauG1");let N=await Wa(s,d,14,(A-1)*m,A*m);i&&i.info("Reading betatauG1");let j=await Wa(s,d,15,(A-1)*m,A*m);await async function(){const t=new Uint8Array(12+u.Fr.n8),e=new DataView(t.buffer),a=new Uint8Array(u.Fr.n8);u.Fr.toRprLE(a,0,u.Fr.e(1));let l=0;function s(){const t=z.slice(l,l+4);l+=4;return new DataView(t.buffer).getUint32(0,!0)}const d=new _n;for(let t=0;t=0?u.Fr.fromRprLE(z.slice(i[3],i[3]+u.Fr.n8),0):u.Fr.fromRprLE(a,0);const n=u.Fr.mul(o,E);u.Fr.toRprLE(t,12,n),g.set(t,_),_+=t.length}await h.write(g),await ja(h)}(),await K(3,"G1",k,"IC"),await async function(){await Na(h,9);const t=new Oe(A*m);if(w(i&&i.debug(`Writing points end ${o}: ${d}/${a.length}`),t)))),c+=n,t++}const s=await Promise.all(r);for(let t=0;t32768?(f=new Oe(p*n),_=new Oe(p*u.Fr.n8)):(f=new Uint8Array(p*n),_=new Uint8Array(p*u.Fr.n8));let h=0,m=0;const L=[R,D,N,j],w=new Uint8Array(u.Fr.n8);u.Fr.toRprLE(w,0,u.Fr.e(1));let b=0;for(let t=0;t=0?_.set(z.slice(e[t][o][2],e[t][o][2]+u.Fr.n8),b*u.Fr.n8):_.set(w,b*u.Fr.n8),b++;if(e.length>1){const t=[];t.push({cmd:"ALLOCSET",var:0,buff:f}),t.push({cmd:"ALLOCSET",var:1,buff:_}),t.push({cmd:"ALLOC",var:2,len:e.length*r}),h=0,m=0;let a=0;for(let i=0;i=0;t--){const e=d.contributions[t];i&&i.info("-------------------------"),i&&i.info(ki(e.contributionHash,`contribution #${t+1} ${e.name?e.name:""}:`)),1==e.type&&(i&&i.info(`Beacon generator: ${Hi(e.beaconHash)}`),i&&i.info(`Beacon iterations Exp: ${e.numIterationsExp}`))}return i&&i.info("-------------------------"),i&&i.info("ZKey Ok!"),!0;async function L(t,e){const a=2*l.G1.F.n8,i=t.byteLength/a,o=l.tm.concurrency,n=Math.floor(i/o),r=[];for(let a=0;a Detected protocol: "+o.protocol),"groth16"===o.protocol)n=await async function(t,e,a){const i=await ai(t.q),o=2*i.G1.F.n8,n=await i.pairing(t.vk_alpha_1,t.vk_beta_2);let r={protocol:t.protocol,curve:i.name,nPublic:t.nPublic,vk_alpha_1:i.G1.toObject(t.vk_alpha_1),vk_beta_2:i.G2.toObject(t.vk_beta_2),vk_gamma_2:i.G2.toObject(t.vk_gamma_2),vk_delta_2:i.G2.toObject(t.vk_delta_2),vk_alphabeta_12:i.Gt.toObject(n)};await Va(e,a,3),r.IC=[];for(let a=0;a<=t.nPublic;a++){const t=await e.read(o),a=i.G1.toObject(t);r.IC.push(a)}return await Ka(e),r=Ln(r),r}(o,a,i);else if("plonk"===o.protocol)n=await async function(t){const e=await ai(t.q);let a={protocol:t.protocol,curve:e.name,nPublic:t.nPublic,power:t.power,k1:e.Fr.toObject(t.k1),k2:e.Fr.toObject(t.k2),Qm:e.G1.toObject(t.Qm),Ql:e.G1.toObject(t.Ql),Qr:e.G1.toObject(t.Qr),Qo:e.G1.toObject(t.Qo),Qc:e.G1.toObject(t.Qc),S1:e.G1.toObject(t.S1),S2:e.G1.toObject(t.S2),S3:e.G1.toObject(t.S3),X_2:e.G2.toObject(t.X_2),w:e.Fr.toObject(e.Fr.w[t.power])};return a=Ln(a),a}(o);else{if(!o.protocolId||o.protocolId!==Zi)throw new Error("zkey file protocol unrecognized");n=await async function(t,e){const a=await ai(t.q);let i={protocol:t.protocol,curve:a.name,nPublic:t.nPublic,power:t.power,k1:a.Fr.toObject(t.k1),k2:a.Fr.toObject(t.k2),w:a.Fr.toObject(a.Fr.w[t.power]),w3:a.Fr.toObject(t.w3),w4:a.Fr.toObject(t.w4),w8:a.Fr.toObject(t.w8),wr:a.Fr.toObject(t.wr),X_2:a.G2.toObject(t.X_2),C0:a.G1.toObject(t.C0)};return Ln(i)}(o)}return await a.close(),e&&e.info("EXPORT VERIFICATION KEY FINISHED"),n}var bn,An={},yn={exports:{}};bn=yn,function(t){var e,a,i,o,n,r,c,l,s,d,u,g,f,_,p,h,m;function L(t){return null!=t}function w(t){return"number"==typeof t&&t>f&&t<_}function b(t){return"number"==typeof t&&t%1==0}function A(t,e){return w(t)&&t>e}function y(t,e){return w(t)&&t=e}function C(t,e){return w(t)&&t<=e}function F(t){return"string"==typeof t}function x(t){return F(t)&&""!==t}function E(t){return"[object Object]"===s.call(t)}function B(t,e){for(var a in t)if(l.call(t,a)&&e(a,t[a]))return!0;return!1}function v(t,e){try{return t instanceof e}catch(t){return!1}}function S(t){return L(t)&&t.length>=0}function G(t){return p?L(t)&&U(t[Symbol.iterator]):S(t)}function P(t,e){var a,i;if(!L(t))return!1;if(m&&v(t,Set))return t.has(e);if(F(t))return-1!==t.indexOf(e);if(p&&t[Symbol.iterator]&&U(t.values)){a=t.values();do{if((i=a.next()).value===e)return!0}while(!i.done);return!1}return B(t,(function(t,a){return a===e}))}function O(t,e){return!!L(t)&&(h&&v(t,Map)?t.has(e):!(G(t)&&!w(+e)||!t[e]))}function U(t){return"function"==typeof t}function z(t,e){for(var a in t)l.call(t,a)&&e(a,t[a])}function Q(t,e){var a;for(a=0;aa},s:"be between {e} and {e2}"},{n:"greaterOrEqual",f:I,s:"be greater than or equal to {e}"},{n:"lessOrEqual",f:C,s:"be less than or equal to {e}"},{n:"inRange",f:function(t,e,a){return e=a},s:"be in the range {e} to {e2}"},{n:"positive",f:function(t){return A(t,0)},s:"be positive number"},{n:"negative",f:function(t){return y(t,0)},s:"be negative number"},{n:"string",f:F,s:"be String"},{n:"emptyString",f:function(t){return""===t},s:"be empty string"},{n:"nonEmptyString",f:x,s:"be non-empty string"},{n:"match",f:function(t,e){return F(t)&&!!t.match(e)},s:"match {e}"},{n:"boolean",f:function(t){return!1===t||!0===t},s:"be Boolean"},{n:"object",f:E,s:"be Object"},{n:"emptyObject",f:function(t){return E(t)&&!B(t,(function(){return!0}))},s:"be empty object"},{n:"nonEmptyObject",f:function(t){return E(t)&&B(t,(function(){return!0}))},s:"be non-empty object"},{n:"instanceStrict",f:v,s:"be instanceof {t}"},{n:"thenable",f:function(t){return L(t)&&U(t.then)},s:"be promise-like"},{n:"instance",f:function(t,e){try{return v(t,e)||t.constructor.name===e.name||s.call(t)==="[object "+e.name+"]"}catch(t){return!1}},s:"be {t}"},{n:"like",f:function t(e,a){var i;if(!L(e)||!L(a))return e===a;for(i in a)if(l.call(a,i)){if(!l.call(e,i)||typeof e[i]!=typeof a[i])return!1;if(E(e[i])&&!t(e[i],a[i]))return!1}return!0},s:"be like {e}"},{n:"identical",f:function t(e,a){var i;if(!L(e)||!L(a))return e===a;for(i in a)if(l.call(a,i)){if(!l.call(e,i)||e[i]!==a[i])return!1;if(E(e[i])&&!t(e[i],a[i]))return!1}for(i in e)if(l.call(e,i)){if(!l.call(a,i)||a[i]!==e[i])return!1;if(E(a[i])&&!t(a[i],e[i]))return!1}return!0},s:"be identical to {e}"},{n:"array",f:function(t){return g(t)},s:"be Array"},{n:"emptyArray",f:function(t){return g(t)&&0===t.length},s:"be empty array"},{n:"nonEmptyArray",f:function(t){return g(t)&&t.length>0},s:"be non-empty array"},{n:"arrayLike",f:S,s:"be array-like"},{n:"iterable",f:G,s:"be iterable"},{n:"date",f:function(t){return v(t,Date)&&b(t.getTime())},s:"be valid Date"},{n:"function",f:U,s:"be Function"},{n:"hasLength",f:function(t,e){return L(t)&&t.length===e},s:"have length {e}"},{n:"throws",f:function(t){if(!U(t))return!1;try{t()}catch(t){return!0}return!1},s:"throw"}].map((function(t){var i=t.n;e[i]="assert failed: expected {a} to "+t.s,a[i]=t.f})),i={map:function t(e,a){var i;if(i=g(e)?[]:{},U(a))z(e,(function(t,e){i[t]=a(e)}));else{g(a)||o.object(a);var r=d(e||{});z(a,(function(a,o){r.some((function(t,e){return t===a&&(r.splice(e,1),!0)})),U(o)?n.assigned(e)?i[a]=!!o.m:i[a]=o(e[a]):i[a]=t(e[a],o)}))}return i},all:function(t){return g(t)?Q(t,!1):(o.object(t),q(t,!1))},any:function(t){return g(t)?Q(t,!0):(o.object(t),q(t,!0))}},c=["array","arrayLike","iterable","object"],l=Object.prototype.hasOwnProperty,s=Object.prototype.toString,d=Object.keys,u=Array.prototype.slice,g=Array.isArray,f=Number.NEGATIVE_INFINITY,_=Number.POSITIVE_INFINITY,p="function"==typeof Symbol,h="function"==typeof Map,m="function"==typeof Set,i=M(i,a),o=V(T,R),n=V(D,N),r=V((function(t){var e=function(){return!!n.assigned(arguments[0])||t.apply(null,arguments)};return e.l=t.length,e.m=!0,e}),(function(t){return!L(t)||t})),o.not=H(T,n,"not "),o.maybe=H(T,r,"maybe "),c.forEach((function(t){a[t].of=K([j.bind(null,null),a[t],a,{},""])})),$(o,T),$(n,D),c.forEach((function(t){r[t].of=K([j.bind(null,"maybe"),a[t],a,{},""]),o.maybe[t].of=H(T,r[t].of),o.not[t].of=H(T,n[t].of)})),function(e){null!==bn&&bn.exports?bn.exports=e:t.check=e}(M(i,{assert:o,not:n,maybe:r}))}(K);var In=H(Object.freeze({__proto__:null,default:{}}));!function(t){t.exports={array:"arr",object:"obj",property:"pro",string:"str",number:"num",literal:"lit",endPrefix:"end-",end:"end",error:"err"},t.exports.endArray=t.exports.endPrefix+t.exports.array,t.exports.endObject=t.exports.endPrefix+t.exports.object,t.exports.endLine=`${t.exports.endPrefix}line`,t.exports.dataError=`${t.exports.error}-data`}({exports:{}});var Cn=H(Object.freeze({__proto__:null,default:{}}));In.EventEmitter;var Fn=H(Object.freeze({__proto__:null,default:{}}));const xn=Fn,En=Cn.Readable,Bn=yn.exports;xn.inherits(Sn,En);var vn=Sn;function Sn(t,e){return Bn.not.instanceStrict(this,Sn)?new Sn(t):(Bn.assert.function(t,"Invalid read implementation"),this._read=function(){t()},En.call(this,e))}const Gn=yn.exports,Pn=vn;Fn.inherits((function t(e,a){if(Gn.not.instanceStrict(this,t))return new t(e,a);return Pn.call(this,e,{...a,objectMode:!0})}),Pn);class On extends Array{constructor(t){let e,a;if(!Un(t))throw new TypeError("Argument `size` must be a positive integer.");return super(t),this.grow=i=>{if(!Un(i))throw new TypeError("Argument `by` must be a positive integer.");let o;const n=t+i;for(o=t;o=n&&(e%=n),this[e]=this[o],this[o]=void 0}t=n},new Proxy(this,{get:(e,a)=>zn(a)?e[Qn(a,t)]:e[a],set:(i,o,n)=>(zn(o)?(e=Qn(o,t),i[e]=n,a=Math.abs(o)>=t):i[o]=n,!0)})}}function Un(t){return zn(t)&&t>0}function zn(t){try{return+t%1==0}catch(t){}return!1}function Qn(t,e){return 0===t?0:t<0?(e-Math.abs(t))%e:t%e}function qn(){throw new Error("Not implemented")}On.prototype.push=qn,On.prototype.pop=qn,On.prototype.shift=qn,On.prototype.unshift=qn,In.EventEmitter;const Mn=yn.exports,Tn=vn;Fn.inherits((function t(e,a){if(Mn.not.instanceStrict(this,t))return new t(e,a);return Tn.call(this,e,{...a,encoding:"utf8"})}),Tn);!function(t){!function(e){function a(t){function e(){a("when",e)&&n()}function a(e,a){return!!t[e]()||(function(t){t.count+=1}(t),!function(t){return t.limit>=0&&t.count>=t.limit}(t)?(i=a,o=function(t){var e=t.interval;return t.interval<0&&(t.interval*=2),e}(t),setTimeout(i,Math.abs(o))):t.fail(),!1);var i,o}function n(){var e;if(function(t){return 0===t.action.length}(t))return(e=t.action())&&o(e.then)?e.then(c,c):c();t.action(c)}function c(){a("until",n)&&t.pass()}t=function(t){return t=t||{},{count:0,when:i(t.when),until:i(t.until),action:r(t.action),fail:r(t.fail),pass:r(t.pass),interval:s(t.interval,-1e3),limit:s(t.limit,-1)}}(t),e()}function i(t){return l(t,o,n)}function o(t){return"function"==typeof t}function n(){return!0}function r(t){return l(t,o,c)}function c(){}function l(t,e,a){return e(t)?t:a}function s(t,e){return l(t,d,e)}function d(t){return"number"==typeof t&&t==t}null!==t?t.exports=a:e.tryer=a}(K)}({exports:{}});var kn={exports:{}};
+var snarkjs=function(t){"use strict";const e=[0,1,2,2,3,3,3,3,4,4,4,4,4,4,4,4];function a(t,e){return e&&10!=e?16==e?"0x"==t.slice(0,2)?BigInt(t):BigInt("0x"+t):void 0:BigInt(t)}const i=a;function o(t){const a=t.toString(16);return 4*(a.length-1)+e[parseInt(a[0],16)]}function n(t){return BigInt(t)>BigInt(e)}const c=r,d=s;function u(t){return(BigInt(t)&BigInt(1))==BigInt(1)}function g(t){let e=BigInt(t);const a=[];for(;e;)e&BigInt(1)?a.push(1):a.push(0),e>>=BigInt(1);return a}function f(t){if(t>BigInt(Number.MAX_SAFE_INTEGER))throw new Error("Number too big");return Number(t)}function h(t,e){return BigInt(t)+BigInt(e)}function _(t,e){return BigInt(t)-BigInt(e)}function p(t){return-BigInt(t)}function m(t,e){return BigInt(t)*BigInt(e)}function w(t,e){return BigInt(t)**BigInt(e)}function L(t,e){return BigInt(t)/BigInt(e)}function b(t,e){return BigInt(t)%BigInt(e)}function A(t,e){return BigInt(t)==BigInt(e)}function y(t,e){return BigInt(t)>BigInt(e)}function C(t,e){return BigInt(t)>=BigInt(e)}function I(t,e){return BigInt(t)&BigInt(e)}function F(t,e,a,i){const o="0000000"+a.toString(16),n=new Uint32Array(t.buffer,e,i/4),l=1+(4*(o.length-7)-1>>5);for(let t=0;t>5);for(let t=0;tn[n.length-e-1]=t.toString(16).padStart(8,"0"))),a(n.join(""),16)}function v(t,e,i){i=i||t.byteLength,e=e||0;const o=new DataView(t.buffer,t.byteOffset+e,i),n=new Array(i/4);for(let t=0;t>=BigInt(1)}return a},bits:g,toNumber:f,toArray:function(t,e){const a=[];let i=BigInt(t);for(e=BigInt(e);i;)a.unshift(Number(i%e)),i/=e;return a},add:h,sub:_,neg:p,mul:m,square:function(t){return BigInt(t)*BigInt(t)},pow:w,exp:function(t,e){return BigInt(t)**BigInt(e)},abs:function(t){return BigInt(t)>=0?BigInt(t):-BigInt(t)},div:L,mod:b,eq:A,neq:function(t,e){return BigInt(t)!=BigInt(e)},lt:function(t,e){return BigInt(t)=0;a--)o=t.square(o),i[a]&&(o=t.mul(o,e));return o}function U(t){if(t.m%2==1)if(A(b(t.p,4),1))if(A(b(t.p,8),1))if(A(b(t.p,16),1))!function(t){t.sqrt_q=w(t.p,t.m),t.sqrt_s=0,t.sqrt_t=_(t.sqrt_q,1);for(;!u(t.sqrt_t);)t.sqrt_s=t.sqrt_s+1,t.sqrt_t=L(t.sqrt_t,2);let e=t.one;for(;t.eq(e,t.one);){const a=t.random();t.sqrt_z=t.pow(a,t.sqrt_t),e=t.pow(t.sqrt_z,2**(t.sqrt_s-1))}t.sqrt_tm1d2=L(_(t.sqrt_t,1),2),t.sqrt=function(t){const e=this;if(e.isZero(t))return e.zero;let a=e.pow(t,e.sqrt_tm1d2);const i=e.pow(e.mul(e.square(a),t),2**(e.sqrt_s-1));if(e.eq(i,e.negone))return null;let o=e.sqrt_s,n=e.mul(t,a),l=e.mul(n,a),r=e.sqrt_z;for(;!e.eq(l,e.one);){let t=e.square(l),i=1;for(;!e.eq(t,e.one);)t=e.square(t),i++;a=r;for(let t=0;t>>0,t[o]=(t[o]^t[e])>>>0,t[o]=(t[o]<<16|t[o]>>>16&65535)>>>0,t[i]=t[i]+t[o]>>>0,t[a]=(t[a]^t[i])>>>0,t[a]=(t[a]<<12|t[a]>>>20&4095)>>>0,t[e]=t[e]+t[a]>>>0,t[o]=(t[o]^t[e])>>>0,t[o]=(t[o]<<8|t[o]>>>24&255)>>>0,t[i]=t[i]+t[o]>>>0,t[a]=(t[a]^t[i])>>>0,t[a]=(t[a]<<7|t[a]>>>25&127)>>>0}class T{constructor(t){t=t||[0,0,0,0,0,0,0,0],this.state=[1634760805,857760878,2036477234,1797285236,t[0],t[1],t[2],t[3],t[4],t[5],t[6],t[7],0,0,0,0],this.idx=16,this.buff=new Array(16)}nextU32(){return 16==this.idx&&this.update(),this.buff[this.idx++]}nextU64(){return h(m(this.nextU32(),4294967296),this.nextU32())}nextBool(){return 1==(1&this.nextU32())}update(){for(let t=0;t<16;t++)this.buff[t]=this.state[t];for(let e=0;e<10;e++)Q(t=this.buff,0,4,8,12),Q(t,1,5,9,13),Q(t,2,6,10,14),Q(t,3,7,11,15),Q(t,0,5,10,15),Q(t,1,6,11,12),Q(t,2,7,8,13),Q(t,3,4,9,14);var t;for(let t=0;t<16;t++)this.buff[t]=this.buff[t]+this.state[t]>>>0;this.idx=0,this.state[12]=this.state[12]+1>>>0,0==this.state[12]&&(this.state[13]=this.state[13]+1>>>0,0==this.state[13]&&(this.state[14]=this.state[14]+1>>>0,0==this.state[14]&&(this.state[15]=this.state[15]+1>>>0)))}}var q={};function M(t){let e=new Uint8Array(t);if(void 0!==globalThis.crypto)globalThis.crypto.getRandomValues(e);else for(let a=0;a>>0;return e}let k=null;function R(){return k||(k=new T(function(){const t=M(32),e=new Uint32Array(t.buffer),a=[];for(let t=0;t<8;t++)a.push(e[t]);return a}()),k)}class D{constructor(t,e,a){this.F=e,this.G=t,this.opMulGF=a;let i=e.sqrt_t||e.t,o=e.sqrt_s||e.s,n=e.one;for(;e.eq(e.pow(n,e.half),e.one);)n=e.add(n,e.one);this.w=new Array(o+1),this.wi=new Array(o+1),this.w[o]=this.F.pow(n,i),this.wi[o]=this.F.inv(this.w[o]);let l=o-1;for(;l>=0;)this.w[l]=this.F.square(this.w[l+1]),this.wi[l]=this.F.square(this.wi[l+1]),l--;this.roots=[],this._setRoots(Math.min(o,15))}_setRoots(t){for(let e=t;e>=0&&!this.roots[e];e--){let t=this.F.one;const a=1<>1,r=V(t,e,a-1,i,2*o),s=V(t,e,a-1,i+o,2*o),c=new Array(n);for(let e=0;e>this.one,this.bitLength=o(this.p),this.mask=(this.one<>this.one;this.nqr=this.two;let a=this.pow(this.nqr,e);for(;!this.eq(a,this.negone);)this.nqr=this.nqr+this.one,a=this.pow(this.nqr,e);for(this.s=0,this.t=this.negone;(this.t&this.one)==this.zero;)this.s=this.s+1,this.t=this.t>>this.one;this.nqr_to_t=this.pow(this.nqr,this.t),U(this),this.FFT=new D(this,this,this.mul.bind(this)),this.fft=this.FFT.fft.bind(this.FFT),this.ifft=this.FFT.ifft.bind(this.FFT),this.w=this.FFT.w,this.wi=this.FFT.wi,this.shift=this.square(this.nqr),this.k=this.exp(this.nqr,2**this.s)}e(t,e){let a;if(e?16==e&&(a=BigInt("0x"+t)):a=BigInt(t),a<0){let t=-a;return t>=this.p&&(t%=this.p),this.p-t}return a>=this.p?a%this.p:a}add(t,e){const a=t+e;return a>=this.p?a-this.p:a}sub(t,e){return t>=e?t-e:this.p-e+t}neg(t){return t?this.p-t:t}mul(t,e){return t*e%this.p}mulScalar(t,e){return t*this.e(e)%this.p}square(t){return t*t%this.p}eq(t,e){return t==e}neq(t,e){return t!=e}lt(t,e){return(t>this.half?t-this.p:t)<(e>this.half?e-this.p:e)}gt(t,e){return(t>this.half?t-this.p:t)>(e>this.half?e-this.p:e)}leq(t,e){return(t>this.half?t-this.p:t)<=(e>this.half?e-this.p:e)}geq(t,e){return(t>this.half?t-this.p:t)>=(e>this.half?e-this.p:e)}div(t,e){return this.mul(t,this.inv(e))}idiv(t,e){if(!e)throw new Error("Division by zero");return t/e}inv(t){if(!t)throw new Error("Division by zero");let e=this.zero,a=this.p,i=this.one,o=t%this.p;for(;o;){let t=a/o;[e,i]=[i,e-t*i],[a,o]=[o,a-t*o]}return e=this.p?a-this.p:a}bor(t,e){const a=(t|e)&this.mask;return a>=this.p?a-this.p:a}bxor(t,e){const a=(t^e)&this.mask;return a>=this.p?a-this.p:a}bnot(t){const e=t^this.mask;return e>=this.p?e-this.p:e}shl(t,e){if(Number(e)=this.p?a-this.p:a}{const a=this.p-e;return Number(a)>a:this.zero}}shr(t,e){if(Number(e)>e;{const a=this.p-e;if(Number(a)=this.p?e-this.p:e}return 0}}land(t,e){return t&&e?this.one:this.zero}lor(t,e){return t||e?this.one:this.zero}lnot(t){return t?this.zero:this.one}sqrt_old(t){if(t==this.zero)return this.zero;if(this.pow(t,this.negone>>this.one)!=this.one)return null;let e=this.s,a=this.nqr_to_t,i=this.pow(t,this.t),o=this.pow(t,this.add(this.t,this.one)>>this.one);for(;i!=this.one;){let t=this.square(i),n=1;for(;t!=this.one;)n++,t=this.square(t);let l=a;for(let t=0;tthis.p>>this.one&&(o=this.neg(o)),o}normalize(t,e){if((t=BigInt(t,e))<0){let e=-t;return e>=this.p&&(e%=this.p),this.p-e}return t>=this.p?t%this.p:t}random(){const t=2*this.bitLength/8;let e=this.zero;for(let a=0;athis.half&&10==e){a="-"+(this.p-t).toString(e)}else a=t.toString(e);return a}isZero(t){return t==this.zero}fromRng(t){let e;do{e=this.zero;for(let a=0;a=this.p);return e=e*this.Ri%this.p,e}fft(t){return this.FFT.fft(t)}ifft(t){return this.FFT.ifft(t)}toRprLE(t,e,a){F(t,e,a,8*this.n64)}toRprBE(t,e,a){x(t,e,a,8*this.n64)}toRprBEM(t,e,a){return this.toRprBE(t,e,this.mul(this.R,a))}toRprLEM(t,e,a){return this.toRprLE(t,e,this.mul(this.R,a))}fromRprLE(t,e){return E(t,e,this.n8)}fromRprBE(t,e){return v(t,e,this.n8)}fromRprLEM(t,e){return this.mul(this.fromRprLE(t,e),this.Ri)}fromRprBEM(t,e){return this.mul(this.fromRprBE(t,e),this.Ri)}toObject(t){return t}}var j="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},K={bigInt2BytesLE:function(t,e){const a=Array(e);let i=BigInt(t);for(let t=0;t>=8n;return a},bigInt2U32LE:function(t,e){const a=Array(e);let i=BigInt(t);for(let t=0;t>=32n;return a},isOcamNum:function(t){return!!Array.isArray(t)&&(3==t.length&&("number"==typeof t[0]&&("number"==typeof t[1]&&!!Array.isArray(t[2]))))}},H=function(t,e,a,i,o,n,l){const r=t.addFunction(e);r.addParam("base","i32"),r.addParam("scalar","i32"),r.addParam("scalarLength","i32"),r.addParam("r","i32"),r.addLocal("i","i32"),r.addLocal("b","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(a));r.addCode(s.if(s.i32_eqz(s.getLocal("scalarLength")),[...s.call(l,s.getLocal("r")),...s.ret([])])),r.addCode(s.call(n,s.getLocal("base"),c)),r.addCode(s.call(l,s.getLocal("r"))),r.addCode(s.setLocal("i",s.getLocal("scalarLength"))),r.addCode(s.block(s.loop(s.setLocal("i",s.i32_sub(s.getLocal("i"),s.i32_const(1))),s.setLocal("b",s.i32_load8_u(s.i32_add(s.getLocal("scalar"),s.getLocal("i")))),...function(){const t=[];for(let e=0;e<8;e++)t.push(...s.call(o,s.getLocal("r"),s.getLocal("r")),...s.if(s.i32_ge_u(s.getLocal("b"),s.i32_const(128>>e)),[...s.setLocal("b",s.i32_sub(s.getLocal("b"),s.i32_const(128>>e))),...s.call(i,s.getLocal("r"),c,s.getLocal("r"))]));return t}(),s.br_if(1,s.i32_eqz(s.getLocal("i"))),s.br(0))))},Z=function(t,e){const a=8*t.modules[e].n64,i=t.addFunction(e+"_batchInverse");i.addParam("pIn","i32"),i.addParam("inStep","i32"),i.addParam("n","i32"),i.addParam("pOut","i32"),i.addParam("outStep","i32"),i.addLocal("itAux","i32"),i.addLocal("itIn","i32"),i.addLocal("itOut","i32"),i.addLocal("i","i32");const o=i.getCodeBuilder(),n=o.i32_const(t.alloc(a));i.addCode(o.setLocal("itAux",o.i32_load(o.i32_const(0))),o.i32_store(o.i32_const(0),o.i32_add(o.getLocal("itAux"),o.i32_mul(o.i32_add(o.getLocal("n"),o.i32_const(1)),o.i32_const(a))))),i.addCode(o.call(e+"_one",o.getLocal("itAux")),o.setLocal("itIn",o.getLocal("pIn")),o.setLocal("itAux",o.i32_add(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("i",o.i32_const(0)),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("i"),o.getLocal("n"))),o.if(o.call(e+"_isZero",o.getLocal("itIn")),o.call(e+"_copy",o.i32_sub(o.getLocal("itAux"),o.i32_const(a)),o.getLocal("itAux")),o.call(e+"_mul",o.getLocal("itIn"),o.i32_sub(o.getLocal("itAux"),o.i32_const(a)),o.getLocal("itAux"))),o.setLocal("itIn",o.i32_add(o.getLocal("itIn"),o.getLocal("inStep"))),o.setLocal("itAux",o.i32_add(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("i",o.i32_add(o.getLocal("i"),o.i32_const(1))),o.br(0))),o.setLocal("itIn",o.i32_sub(o.getLocal("itIn"),o.getLocal("inStep"))),o.setLocal("itAux",o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("itOut",o.i32_add(o.getLocal("pOut"),o.i32_mul(o.i32_sub(o.getLocal("n"),o.i32_const(1)),o.getLocal("outStep")))),o.call(e+"_inverse",o.getLocal("itAux"),o.getLocal("itAux")),o.block(o.loop(o.br_if(1,o.i32_eqz(o.getLocal("i"))),o.if(o.call(e+"_isZero",o.getLocal("itIn")),[...o.call(e+"_copy",o.getLocal("itAux"),o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),...o.call(e+"_zero",o.getLocal("itOut"))],[...o.call(e+"_copy",o.i32_sub(o.getLocal("itAux"),o.i32_const(a)),n),...o.call(e+"_mul",o.getLocal("itAux"),o.getLocal("itIn"),o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),...o.call(e+"_mul",o.getLocal("itAux"),n,o.getLocal("itOut"))]),o.setLocal("itIn",o.i32_sub(o.getLocal("itIn"),o.getLocal("inStep"))),o.setLocal("itOut",o.i32_sub(o.getLocal("itOut"),o.getLocal("outStep"))),o.setLocal("itAux",o.i32_sub(o.getLocal("itAux"),o.i32_const(a))),o.setLocal("i",o.i32_sub(o.getLocal("i"),o.i32_const(1))),o.br(0)))),i.addCode(o.i32_store(o.i32_const(0),o.getLocal("itAux")))};var W=function(t,e,a,i,o,n){void 0===n&&(n=ie?1:-1}function tt(t){return t*t}function et(t){return t%2n!==0n}function at(t){return t%2n===0n}function it(t){return t<0n}function ot(t){return t>0n}function nt(t){return it(t)?t.toString(2).length-1:t.toString(2).length}function lt(t){return t<0n?-t:t}function rt(t){return 1n===lt(t)}function st(t,e){for(var a,i,o,n=0n,l=1n,r=e,s=lt(t);0n!==s;)a=r/s,i=n,o=r,n=l,r=s,l=i-a*l,s=o-a*s;if(!rt(r))throw new Error(t.toString()+" and "+e.toString()+" are not co-prime");return-1===X(n,0n)&&(n+=e),it(t)?-n:n}function ct(t,e,a){if(0n===a)throw new Error("Cannot take modPow with modulus 0");var i=1n,o=t%a;for(it(e)&&(e*=-1n,o=st(o,a));ot(e);){if(0n===o)return 0n;et(e)&&(i=i*o%a),e/=2n,o=tt(o)%a}return i}function dt(t,e){return 0n!==e&&(!!rt(e)||(0===function(t,e){return(t=t>=0n?t:-t)===(e=e>=0n?e:-e)?0:t>e?1:-1}(e,2n)?at(t):t%e===0n))}function ut(t,e){for(var a,i,o,n=function(t){return t-1n}(t),l=n,r=0;at(l);)l/=2n,r++;t:for(i=0;i>1&&i>1,t>>1)))),e.addCode(a.setLocal(s,a.i64_add(a.getLocal(s),a.i64_shr_u(a.getLocal(r),a.i64_const(32)))))),t>0&&(e.addCode(a.setLocal(r,a.i64_add(a.i64_and(a.getLocal(r),a.i64_const(4294967295)),a.i64_and(a.getLocal(c),a.i64_const(4294967295))))),e.addCode(a.setLocal(s,a.i64_add(a.i64_add(a.getLocal(s),a.i64_shr_u(a.getLocal(r),a.i64_const(32))),a.getLocal(d))))),e.addCode(a.i64_store32(a.getLocal("r"),4*t,a.getLocal(r))),e.addCode(a.setLocal(c,a.getLocal(s)),a.setLocal(d,a.i64_shr_u(a.getLocal(c),a.i64_const(32))))}e.addCode(a.i64_store32(a.getLocal("r"),4*o*2-4,a.getLocal(c)))}(),function(){const e=t.addFunction(i+"_squareOld");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(i+"_mul",a.getLocal("x"),a.getLocal("x"),a.getLocal("r")))}(),function(){!function(){const e=t.addFunction(i+"__mul1");e.addParam("px","i32"),e.addParam("y","i64"),e.addParam("pr","i32"),e.addLocal("c","i64");const a=e.getCodeBuilder();e.addCode(a.setLocal("c",a.i64_mul(a.i64_load32_u(a.getLocal("px"),0,0),a.getLocal("y")))),e.addCode(a.i64_store32(a.getLocal("pr"),0,0,a.getLocal("c")));for(let t=1;t>1n,p=t.alloc(r,ft.bigInt2BytesLE(_,r)),m=_+1n,w=t.alloc(r,ft.bigInt2BytesLE(m,r));t.modules[s]={pq:d,pR2:u,n64:n,q:o,pOne:g,pZero:f,pePlusOne:w};let L=2n;if(At(o))for(;bt(L,_,o)!==h;)L+=1n;let b=0,A=h;for(;!yt(A)&&0n!==A;)b++,A>>=1n;const y=t.alloc(r,ft.bigInt2BytesLE(A,r)),C=bt(L,A,o),I=t.alloc(ft.bigInt2BytesLE((C<>1n,x=t.alloc(r,ft.bigInt2BytesLE(F,r));return t.exportFunction(c+"_copy",s+"_copy"),t.exportFunction(c+"_zero",s+"_zero"),t.exportFunction(c+"_isZero",s+"_isZero"),t.exportFunction(c+"_eq",s+"_eq"),function(){const e=t.addFunction(s+"_isOne");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder();e.addCode(a.ret(a.call(c+"_eq",a.getLocal("x"),a.i32_const(g))))}(),function(){const e=t.addFunction(s+"_add");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.if(a.call(c+"_add",a.getLocal("x"),a.getLocal("y"),a.getLocal("r")),a.drop(a.call(c+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),a.if(a.call(c+"_gte",a.getLocal("r"),a.i32_const(d)),a.drop(a.call(c+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))))))}(),function(){const e=t.addFunction(s+"_sub");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.if(a.call(c+"_sub",a.getLocal("x"),a.getLocal("y"),a.getLocal("r")),a.drop(a.call(c+"_add",a.getLocal("r"),a.i32_const(d),a.getLocal("r")))))}(),function(){const e=t.addFunction(s+"_neg");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_sub",a.i32_const(f),a.getLocal("x"),a.getLocal("r")))}(),function(){const e=t.alloc(l*l*8),a=t.addFunction(s+"_mReduct");a.addParam("t","i32"),a.addParam("r","i32"),a.addLocal("np32","i64"),a.addLocal("c","i64"),a.addLocal("m","i64");const i=a.getCodeBuilder(),n=Number(0x100000000n-Lt(o,0x100000000n));a.addCode(i.setLocal("np32",i.i64_const(n)));for(let t=0;t=l&&e.addCode(a.i64_store32(a.getLocal("r"),4*(t-l),a.getLocal(h))),[h,_]=[_,h],e.addCode(a.setLocal(_,a.i64_shr_u(a.getLocal(h),a.i64_const(32))))}e.addCode(a.i64_store32(a.getLocal("r"),4*l-4,a.getLocal(h))),e.addCode(a.if(a.i32_wrap_i64(a.getLocal(_)),a.drop(a.call(c+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),a.if(a.call(c+"_gte",a.getLocal("r"),a.i32_const(d)),a.drop(a.call(c+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))))))}(),function(){const e=t.addFunction(s+"_square");e.addParam("x","i32"),e.addParam("r","i32"),e.addLocal("c0","i64"),e.addLocal("c1","i64"),e.addLocal("c0_old","i64"),e.addLocal("c1_old","i64"),e.addLocal("np32","i64");for(let t=0;t>1&&i>1,t>>1)))),e.addCode(a.setLocal(h,a.i64_add(a.getLocal(h),a.i64_shr_u(a.getLocal(f),a.i64_const(32)))))),t>0&&(e.addCode(a.setLocal(f,a.i64_add(a.i64_and(a.getLocal(f),a.i64_const(4294967295)),a.i64_and(a.getLocal(_),a.i64_const(4294967295))))),e.addCode(a.setLocal(h,a.i64_add(a.i64_add(a.getLocal(h),a.i64_shr_u(a.getLocal(f),a.i64_const(32))),a.getLocal(p)))));for(let i=Math.max(1,t-l+1);i<=t&&i=l&&e.addCode(a.i64_store32(a.getLocal("r"),4*(t-l),a.getLocal(f))),e.addCode(a.setLocal(_,a.getLocal(h)),a.setLocal(p,a.i64_shr_u(a.getLocal(_),a.i64_const(32))))}e.addCode(a.i64_store32(a.getLocal("r"),4*l-4,a.getLocal(_))),e.addCode(a.if(a.i32_wrap_i64(a.getLocal(p)),a.drop(a.call(c+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),a.if(a.call(c+"_gte",a.getLocal("r"),a.i32_const(d)),a.drop(a.call(c+"_sub",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))))))}(),function(){const e=t.addFunction(s+"_squareOld");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_mul",a.getLocal("x"),a.getLocal("x"),a.getLocal("r")))}(),function(){const e=t.addFunction(s+"_toMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_mul",a.getLocal("x"),a.i32_const(u),a.getLocal("r")))}(),function(){const e=t.alloc(2*r),a=t.addFunction(s+"_fromMontgomery");a.addParam("x","i32"),a.addParam("r","i32");const i=a.getCodeBuilder();a.addCode(i.call(c+"_copy",i.getLocal("x"),i.i32_const(e))),a.addCode(i.call(c+"_zero",i.i32_const(e+r))),a.addCode(i.call(s+"_mReduct",i.i32_const(e),i.getLocal("r")))}(),function(){const e=t.addFunction(s+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(r));e.addCode(a.call(s+"_fromMontgomery",a.getLocal("x"),i),a.call(c+"_gte",i,a.i32_const(w)))}(),function(){const e=t.addFunction(s+"_sign");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(r));e.addCode(a.if(a.call(c+"_isZero",a.getLocal("x")),a.ret(a.i32_const(0))),a.call(s+"_fromMontgomery",a.getLocal("x"),i),a.if(a.call(c+"_gte",i,a.i32_const(w)),a.ret(a.i32_const(-1))),a.ret(a.i32_const(1)))}(),function(){const e=t.addFunction(s+"_inverse");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_fromMontgomery",a.getLocal("x"),a.getLocal("r"))),e.addCode(a.call(c+"_inverseMod",a.getLocal("r"),a.i32_const(d),a.getLocal("r"))),e.addCode(a.call(s+"_toMontgomery",a.getLocal("r"),a.getLocal("r")))}(),function(){const e=t.addFunction(s+"_one");e.addParam("pr","i32");const a=e.getCodeBuilder();e.addCode(a.call(c+"_copy",a.i32_const(g),a.getLocal("pr")))}(),function(){const e=t.addFunction(s+"_load");e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32"),e.addLocal("p","i32"),e.addLocal("l","i32"),e.addLocal("i","i32"),e.addLocal("j","i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(r)),o=t.alloc(r),n=a.i32_const(o);e.addCode(a.call(c+"_zero",a.getLocal("r")),a.setLocal("i",a.i32_const(r)),a.setLocal("p",a.getLocal("scalar")),a.block(a.loop(a.br_if(1,a.i32_gt_u(a.getLocal("i"),a.getLocal("scalarLen"))),a.if(a.i32_eq(a.getLocal("i"),a.i32_const(r)),a.call(s+"_one",i),a.call(s+"_mul",i,a.i32_const(u),i)),a.call(s+"_mul",a.getLocal("p"),i,n),a.call(s+"_add",a.getLocal("r"),n,a.getLocal("r")),a.setLocal("p",a.i32_add(a.getLocal("p"),a.i32_const(r))),a.setLocal("i",a.i32_add(a.getLocal("i"),a.i32_const(r))),a.br(0))),a.setLocal("l",a.i32_rem_u(a.getLocal("scalarLen"),a.i32_const(r))),a.if(a.i32_eqz(a.getLocal("l")),a.ret([])),a.call(c+"_zero",n),a.setLocal("j",a.i32_const(0)),a.block(a.loop(a.br_if(1,a.i32_eq(a.getLocal("j"),a.getLocal("l"))),a.i32_store8(a.getLocal("j"),o,a.i32_load8_u(a.getLocal("p"))),a.setLocal("p",a.i32_add(a.getLocal("p"),a.i32_const(1))),a.setLocal("j",a.i32_add(a.getLocal("j"),a.i32_const(1))),a.br(0))),a.if(a.i32_eq(a.getLocal("i"),a.i32_const(r)),a.call(s+"_one",i),a.call(s+"_mul",i,a.i32_const(u),i)),a.call(s+"_mul",n,i,n),a.call(s+"_add",a.getLocal("r"),n,a.getLocal("r")))}(),function(){const e=t.addFunction(s+"_timesScalar");e.addParam("x","i32"),e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32");const a=e.getCodeBuilder(),i=a.i32_const(t.alloc(r));e.addCode(a.call(s+"_load",a.getLocal("scalar"),a.getLocal("scalarLen"),i),a.call(s+"_toMontgomery",i,i),a.call(s+"_mul",a.getLocal("x"),i,a.getLocal("r")))}(),_t(t,s),pt(t,s+"_batchToMontgomery",s+"_toMontgomery",r,r),pt(t,s+"_batchFromMontgomery",s+"_fromMontgomery",r,r),pt(t,s+"_batchNeg",s+"_neg",r,r),mt(t,s+"_batchAdd",s+"_add",r,r),mt(t,s+"_batchSub",s+"_sub",r,r),mt(t,s+"_batchMul",s+"_mul",r,r),t.exportFunction(s+"_add"),t.exportFunction(s+"_sub"),t.exportFunction(s+"_neg"),t.exportFunction(s+"_isNegative"),t.exportFunction(s+"_isOne"),t.exportFunction(s+"_sign"),t.exportFunction(s+"_mReduct"),t.exportFunction(s+"_mul"),t.exportFunction(s+"_square"),t.exportFunction(s+"_squareOld"),t.exportFunction(s+"_fromMontgomery"),t.exportFunction(s+"_toMontgomery"),t.exportFunction(s+"_inverse"),t.exportFunction(s+"_one"),t.exportFunction(s+"_load"),t.exportFunction(s+"_timesScalar"),ht(t,s+"_exp",r,s+"_mul",s+"_square",c+"_copy",s+"_one"),t.exportFunction(s+"_exp"),t.exportFunction(s+"_batchInverse"),At(o)&&(!function(){const e=t.addFunction(s+"_sqrt");e.addParam("n","i32"),e.addParam("r","i32"),e.addLocal("m","i32"),e.addLocal("i","i32"),e.addLocal("j","i32");const a=e.getCodeBuilder(),i=a.i32_const(g),o=a.i32_const(t.alloc(r)),n=a.i32_const(t.alloc(r)),l=a.i32_const(t.alloc(r)),c=a.i32_const(t.alloc(r)),d=a.i32_const(t.alloc(r));e.addCode(a.if(a.call(s+"_isZero",a.getLocal("n")),a.ret(a.call(s+"_zero",a.getLocal("r")))),a.setLocal("m",a.i32_const(b)),a.call(s+"_copy",a.i32_const(I),o),a.call(s+"_exp",a.getLocal("n"),a.i32_const(y),a.i32_const(r),n),a.call(s+"_exp",a.getLocal("n"),a.i32_const(x),a.i32_const(r),l),a.block(a.loop(a.br_if(1,a.call(s+"_eq",n,i)),a.call(s+"_square",n,c),a.setLocal("i",a.i32_const(1)),a.block(a.loop(a.br_if(1,a.call(s+"_eq",c,i)),a.call(s+"_square",c,c),a.setLocal("i",a.i32_add(a.getLocal("i"),a.i32_const(1))),a.br(0))),a.call(s+"_copy",o,d),a.setLocal("j",a.i32_sub(a.i32_sub(a.getLocal("m"),a.getLocal("i")),a.i32_const(1))),a.block(a.loop(a.br_if(1,a.i32_eqz(a.getLocal("j"))),a.call(s+"_square",d,d),a.setLocal("j",a.i32_sub(a.getLocal("j"),a.i32_const(1))),a.br(0))),a.setLocal("m",a.getLocal("i")),a.call(s+"_square",d,o),a.call(s+"_mul",n,o,n),a.call(s+"_mul",l,d,l),a.br(0))),a.if(a.call(s+"_isNegative",l),a.call(s+"_neg",l,a.getLocal("r")),a.call(s+"_copy",l,a.getLocal("r"))))}(),function(){const e=t.addFunction(s+"_isSquare");e.addParam("n","i32"),e.setReturnType("i32");const a=e.getCodeBuilder(),i=a.i32_const(g),o=a.i32_const(t.alloc(r));e.addCode(a.if(a.call(s+"_isZero",a.getLocal("n")),a.ret(a.i32_const(1))),a.call(s+"_exp",a.getLocal("n"),a.i32_const(p),a.i32_const(r),o),a.call(s+"_eq",o,i))}(),t.exportFunction(s+"_sqrt"),t.exportFunction(s+"_isSquare")),t.exportFunction(s+"_batchToMontgomery"),t.exportFunction(s+"_batchFromMontgomery"),s};const Ft=It,{bitLength:xt}=J;var Et=function(t,e,a,i,o){const n=BigInt(e),l=Math.floor((xt(n-1n)-1)/64)+1,r=8*l,s=a||"f1";if(t.modules[s])return s;t.modules[s]={n64:l};const c=o||"int",d=Ft(t,n,i,c),u=t.modules[d].pR2,g=t.modules[d].pq,f=t.modules[d].pePlusOne;return function(){const e=t.alloc(r),a=t.addFunction(s+"_mul");a.addParam("x","i32"),a.addParam("y","i32"),a.addParam("r","i32");const i=a.getCodeBuilder();a.addCode(i.call(d+"_mul",i.getLocal("x"),i.getLocal("y"),i.i32_const(e))),a.addCode(i.call(d+"_mul",i.i32_const(e),i.i32_const(u),i.getLocal("r")))}(),function(){const e=t.addFunction(s+"_square");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(s+"_mul",a.getLocal("x"),a.getLocal("x"),a.getLocal("r")))}(),function(){const e=t.addFunction(s+"_inverse");e.addParam("x","i32"),e.addParam("r","i32");const a=e.getCodeBuilder();e.addCode(a.call(c+"_inverseMod",a.getLocal("x"),a.i32_const(g),a.getLocal("r")))}(),function(){const e=t.addFunction(s+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const a=e.getCodeBuilder();e.addCode(a.call(c+"_gte",a.getLocal("x"),a.i32_const(f)))}(),t.exportFunction(d+"_add",s+"_add"),t.exportFunction(d+"_sub",s+"_sub"),t.exportFunction(d+"_neg",s+"_neg"),t.exportFunction(s+"_mul"),t.exportFunction(s+"_square"),t.exportFunction(s+"_inverse"),t.exportFunction(s+"_isNegative"),t.exportFunction(d+"_copy",s+"_copy"),t.exportFunction(d+"_zero",s+"_zero"),t.exportFunction(d+"_one",s+"_one"),t.exportFunction(d+"_isZero",s+"_isZero"),t.exportFunction(d+"_eq",s+"_eq"),s};const vt=H,Bt=Z,St=K;var Pt=function(t,e,a,i){if(t.modules[a])return a;const o=8*t.modules[i].n64,n=t.modules[i].q;return t.modules[a]={n64:2*t.modules[i].n64},function(){const e=t.addFunction(a+"_isZero");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.i32_and(n.call(i+"_isZero",l),n.call(i+"_isZero",r)))}(),function(){const e=t.addFunction(a+"_isOne");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.ret(n.i32_and(n.call(i+"_isOne",l),n.call(i+"_isZero",r))))}(),function(){const e=t.addFunction(a+"_zero");e.addParam("x","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.call(i+"_zero",l),n.call(i+"_zero",r))}(),function(){const e=t.addFunction(a+"_one");e.addParam("x","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.call(i+"_one",l),n.call(i+"_zero",r))}(),function(){const e=t.addFunction(a+"_copy");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("r"),c=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_copy",l,s),n.call(i+"_copy",r,c))}(),function(){const n=t.addFunction(a+"_mul");n.addParam("x","i32"),n.addParam("y","i32"),n.addParam("r","i32");const l=n.getCodeBuilder(),r=l.getLocal("x"),s=l.i32_add(l.getLocal("x"),l.i32_const(o)),c=l.getLocal("y"),d=l.i32_add(l.getLocal("y"),l.i32_const(o)),u=l.getLocal("r"),g=l.i32_add(l.getLocal("r"),l.i32_const(o)),f=l.i32_const(t.alloc(o)),h=l.i32_const(t.alloc(o)),_=l.i32_const(t.alloc(o)),p=l.i32_const(t.alloc(o));n.addCode(l.call(i+"_mul",r,c,f),l.call(i+"_mul",s,d,h),l.call(i+"_add",r,s,_),l.call(i+"_add",c,d,p),l.call(i+"_mul",_,p,_),l.call(e,h,u),l.call(i+"_add",f,u,u),l.call(i+"_add",f,h,g),l.call(i+"_sub",_,g,g))}(),function(){const e=t.addFunction(a+"_mul1");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("y"),c=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_mul",l,s,c),n.call(i+"_mul",r,s,d))}(),function(){const n=t.addFunction(a+"_square");n.addParam("x","i32"),n.addParam("r","i32");const l=n.getCodeBuilder(),r=l.getLocal("x"),s=l.i32_add(l.getLocal("x"),l.i32_const(o)),c=l.getLocal("r"),d=l.i32_add(l.getLocal("r"),l.i32_const(o)),u=l.i32_const(t.alloc(o)),g=l.i32_const(t.alloc(o)),f=l.i32_const(t.alloc(o)),h=l.i32_const(t.alloc(o));n.addCode(l.call(i+"_mul",r,s,u),l.call(i+"_add",r,s,g),l.call(e,s,f),l.call(i+"_add",r,f,f),l.call(e,u,h),l.call(i+"_add",h,u,h),l.call(i+"_mul",g,f,c),l.call(i+"_sub",c,h,c),l.call(i+"_add",u,u,d))}(),function(){const e=t.addFunction(a+"_add");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("y"),c=n.i32_add(n.getLocal("y"),n.i32_const(o)),d=n.getLocal("r"),u=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_add",l,s,d),n.call(i+"_add",r,c,u))}(),function(){const e=t.addFunction(a+"_sub");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("y"),c=n.i32_add(n.getLocal("y"),n.i32_const(o)),d=n.getLocal("r"),u=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_sub",l,s,d),n.call(i+"_sub",r,c,u))}(),function(){const e=t.addFunction(a+"_neg");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("r"),c=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_neg",l,s),n.call(i+"_neg",r,c))}(),function(){const e=t.addFunction(a+"_conjugate");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("r"),c=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_copy",l,s),n.call(i+"_neg",r,c))}(),function(){const e=t.addFunction(a+"_toMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("r"),c=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_toMontgomery",l,s),n.call(i+"_toMontgomery",r,c))}(),function(){const e=t.addFunction(a+"_fromMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("r"),c=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_fromMontgomery",l,s),n.call(i+"_fromMontgomery",r,c))}(),function(){const e=t.addFunction(a+"_eq");e.addParam("x","i32"),e.addParam("y","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("y"),c=n.i32_add(n.getLocal("y"),n.i32_const(o));e.addCode(n.i32_and(n.call(i+"_eq",l,s),n.call(i+"_eq",r,c)))}(),function(){const n=t.addFunction(a+"_inverse");n.addParam("x","i32"),n.addParam("r","i32");const l=n.getCodeBuilder(),r=l.getLocal("x"),s=l.i32_add(l.getLocal("x"),l.i32_const(o)),c=l.getLocal("r"),d=l.i32_add(l.getLocal("r"),l.i32_const(o)),u=l.i32_const(t.alloc(o)),g=l.i32_const(t.alloc(o)),f=l.i32_const(t.alloc(o)),h=l.i32_const(t.alloc(o));n.addCode(l.call(i+"_square",r,u),l.call(i+"_square",s,g),l.call(e,g,f),l.call(i+"_sub",u,f,f),l.call(i+"_inverse",f,h),l.call(i+"_mul",r,h,c),l.call(i+"_mul",s,h,d),l.call(i+"_neg",d,d))}(),function(){const e=t.addFunction(a+"_timesScalar");e.addParam("x","i32"),e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.getLocal("r"),c=n.i32_add(n.getLocal("r"),n.i32_const(o));e.addCode(n.call(i+"_timesScalar",l,n.getLocal("scalar"),n.getLocal("scalarLen"),s),n.call(i+"_timesScalar",r,n.getLocal("scalar"),n.getLocal("scalarLen"),c))}(),function(){const e=t.addFunction(a+"_sign");e.addParam("x","i32"),e.addLocal("s","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.setLocal("s",n.call(i+"_sign",r)),n.if(n.getLocal("s"),n.ret(n.getLocal("s"))),n.ret(n.call(i+"_sign",l)))}(),function(){const e=t.addFunction(a+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o));e.addCode(n.if(n.call(i+"_isZero",r),n.ret(n.call(i+"_isNegative",l))),n.ret(n.call(i+"_isNegative",r)))}(),t.exportFunction(a+"_isZero"),t.exportFunction(a+"_isOne"),t.exportFunction(a+"_zero"),t.exportFunction(a+"_one"),t.exportFunction(a+"_copy"),t.exportFunction(a+"_mul"),t.exportFunction(a+"_mul1"),t.exportFunction(a+"_square"),t.exportFunction(a+"_add"),t.exportFunction(a+"_sub"),t.exportFunction(a+"_neg"),t.exportFunction(a+"_sign"),t.exportFunction(a+"_conjugate"),t.exportFunction(a+"_fromMontgomery"),t.exportFunction(a+"_toMontgomery"),t.exportFunction(a+"_eq"),t.exportFunction(a+"_inverse"),Bt(t,a),vt(t,a+"_exp",2*o,a+"_mul",a+"_square",a+"_copy",a+"_one"),function(){const e=t.addFunction(a+"_sqrt");e.addParam("a","i32"),e.addParam("pr","i32");const l=e.getCodeBuilder(),r=l.i32_const(t.alloc(St.bigInt2BytesLE((BigInt(n||0)-3n)/4n,o))),s=l.i32_const(t.alloc(St.bigInt2BytesLE((BigInt(n||0)-1n)/2n,o))),c=l.getLocal("a"),d=l.i32_const(t.alloc(2*o)),u=l.i32_const(t.alloc(2*o)),g=l.i32_const(t.alloc(2*o)),f=t.alloc(2*o),h=l.i32_const(f),_=l.i32_const(f),p=l.i32_const(f+o),m=l.i32_const(t.alloc(2*o)),w=l.i32_const(t.alloc(2*o));e.addCode(l.call(a+"_one",h),l.call(a+"_neg",h,h),l.call(a+"_exp",c,r,l.i32_const(o),d),l.call(a+"_square",d,u),l.call(a+"_mul",c,u,u),l.call(a+"_conjugate",u,g),l.call(a+"_mul",g,u,g),l.if(l.call(a+"_eq",g,h),l.unreachable()),l.call(a+"_mul",d,c,m),l.if(l.call(a+"_eq",u,h),[...l.call(i+"_zero",_),...l.call(i+"_one",p),...l.call(a+"_mul",h,m,l.getLocal("pr"))],[...l.call(a+"_one",w),...l.call(a+"_add",w,u,w),...l.call(a+"_exp",w,s,l.i32_const(o),w),...l.call(a+"_mul",w,m,l.getLocal("pr"))]))}(),function(){const e=t.addFunction(a+"_isSquare");e.addParam("a","i32"),e.setReturnType("i32");const i=e.getCodeBuilder(),l=i.i32_const(t.alloc(St.bigInt2BytesLE((BigInt(n||0)-3n)/4n,o))),r=i.getLocal("a"),s=i.i32_const(t.alloc(2*o)),c=i.i32_const(t.alloc(2*o)),d=i.i32_const(t.alloc(2*o)),u=t.alloc(2*o),g=i.i32_const(u);e.addCode(i.call(a+"_one",g),i.call(a+"_neg",g,g),i.call(a+"_exp",r,l,i.i32_const(o),s),i.call(a+"_square",s,c),i.call(a+"_mul",r,c,c),i.call(a+"_conjugate",c,d),i.call(a+"_mul",d,c,d),i.if(i.call(a+"_eq",d,g),i.ret(i.i32_const(0))),i.ret(i.i32_const(1)))}(),t.exportFunction(a+"_exp"),t.exportFunction(a+"_timesScalar"),t.exportFunction(a+"_batchInverse"),t.exportFunction(a+"_sqrt"),t.exportFunction(a+"_isSquare"),t.exportFunction(a+"_isNegative"),a};const Gt=H,zt=Z;var Ot=function(t,e,a,i){if(t.modules[a])return a;const o=8*t.modules[i].n64;return t.modules[a]={n64:3*t.modules[i].n64},function(){const e=t.addFunction(a+"_isZero");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.i32_and(n.i32_and(n.call(i+"_isZero",l),n.call(i+"_isZero",r)),n.call(i+"_isZero",s)))}(),function(){const e=t.addFunction(a+"_isOne");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.ret(n.i32_and(n.i32_and(n.call(i+"_isOne",l),n.call(i+"_isZero",r)),n.call(i+"_isZero",s))))}(),function(){const e=t.addFunction(a+"_zero");e.addParam("x","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.call(i+"_zero",l),n.call(i+"_zero",r),n.call(i+"_zero",s))}(),function(){const e=t.addFunction(a+"_one");e.addParam("x","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.call(i+"_one",l),n.call(i+"_zero",r),n.call(i+"_zero",s))}(),function(){const e=t.addFunction(a+"_copy");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_copy",l,c),n.call(i+"_copy",r,d),n.call(i+"_copy",s,u))}(),function(){const n=t.addFunction(a+"_mul");n.addParam("x","i32"),n.addParam("y","i32"),n.addParam("r","i32");const l=n.getCodeBuilder(),r=l.getLocal("x"),s=l.i32_add(l.getLocal("x"),l.i32_const(o)),c=l.i32_add(l.getLocal("x"),l.i32_const(2*o)),d=l.getLocal("y"),u=l.i32_add(l.getLocal("y"),l.i32_const(o)),g=l.i32_add(l.getLocal("y"),l.i32_const(2*o)),f=l.getLocal("r"),h=l.i32_add(l.getLocal("r"),l.i32_const(o)),_=l.i32_add(l.getLocal("r"),l.i32_const(2*o)),p=l.i32_const(t.alloc(o)),m=l.i32_const(t.alloc(o)),w=l.i32_const(t.alloc(o)),L=l.i32_const(t.alloc(o)),b=l.i32_const(t.alloc(o)),A=l.i32_const(t.alloc(o)),y=l.i32_const(t.alloc(o)),C=l.i32_const(t.alloc(o)),I=l.i32_const(t.alloc(o)),F=l.i32_const(t.alloc(o)),x=l.i32_const(t.alloc(o)),E=l.i32_const(t.alloc(o)),v=l.i32_const(t.alloc(o));n.addCode(l.call(i+"_mul",r,d,p),l.call(i+"_mul",s,u,m),l.call(i+"_mul",c,g,w),l.call(i+"_add",r,s,L),l.call(i+"_add",d,u,b),l.call(i+"_add",r,c,A),l.call(i+"_add",d,g,y),l.call(i+"_add",s,c,C),l.call(i+"_add",u,g,I),l.call(i+"_add",p,m,F),l.call(i+"_add",p,w,x),l.call(i+"_add",m,w,E),l.call(i+"_mul",C,I,f),l.call(i+"_sub",f,E,f),l.call(e,f,f),l.call(i+"_add",p,f,f),l.call(i+"_mul",L,b,h),l.call(i+"_sub",h,F,h),l.call(e,w,v),l.call(i+"_add",h,v,h),l.call(i+"_mul",A,y,_),l.call(i+"_sub",_,x,_),l.call(i+"_add",_,m,_))}(),function(){const n=t.addFunction(a+"_square");n.addParam("x","i32"),n.addParam("r","i32");const l=n.getCodeBuilder(),r=l.getLocal("x"),s=l.i32_add(l.getLocal("x"),l.i32_const(o)),c=l.i32_add(l.getLocal("x"),l.i32_const(2*o)),d=l.getLocal("r"),u=l.i32_add(l.getLocal("r"),l.i32_const(o)),g=l.i32_add(l.getLocal("r"),l.i32_const(2*o)),f=l.i32_const(t.alloc(o)),h=l.i32_const(t.alloc(o)),_=l.i32_const(t.alloc(o)),p=l.i32_const(t.alloc(o)),m=l.i32_const(t.alloc(o)),w=l.i32_const(t.alloc(o)),L=l.i32_const(t.alloc(o));n.addCode(l.call(i+"_square",r,f),l.call(i+"_mul",r,s,h),l.call(i+"_add",h,h,_),l.call(i+"_sub",r,s,p),l.call(i+"_add",p,c,p),l.call(i+"_square",p,p),l.call(i+"_mul",s,c,m),l.call(i+"_add",m,m,w),l.call(i+"_square",c,L),l.call(e,w,d),l.call(i+"_add",f,d,d),l.call(e,L,u),l.call(i+"_add",_,u,u),l.call(i+"_add",f,L,g),l.call(i+"_sub",w,g,g),l.call(i+"_add",p,g,g),l.call(i+"_add",_,g,g))}(),function(){const e=t.addFunction(a+"_add");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("y"),d=n.i32_add(n.getLocal("y"),n.i32_const(o)),u=n.i32_add(n.getLocal("y"),n.i32_const(2*o)),g=n.getLocal("r"),f=n.i32_add(n.getLocal("r"),n.i32_const(o)),h=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_add",l,c,g),n.call(i+"_add",r,d,f),n.call(i+"_add",s,u,h))}(),function(){const e=t.addFunction(a+"_sub");e.addParam("x","i32"),e.addParam("y","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("y"),d=n.i32_add(n.getLocal("y"),n.i32_const(o)),u=n.i32_add(n.getLocal("y"),n.i32_const(2*o)),g=n.getLocal("r"),f=n.i32_add(n.getLocal("r"),n.i32_const(o)),h=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_sub",l,c,g),n.call(i+"_sub",r,d,f),n.call(i+"_sub",s,u,h))}(),function(){const e=t.addFunction(a+"_neg");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_neg",l,c),n.call(i+"_neg",r,d),n.call(i+"_neg",s,u))}(),function(){const e=t.addFunction(a+"_sign");e.addParam("x","i32"),e.addLocal("s","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.setLocal("s",n.call(i+"_sign",s)),n.if(n.getLocal("s"),n.ret(n.getLocal("s"))),n.setLocal("s",n.call(i+"_sign",r)),n.if(n.getLocal("s"),n.ret(n.getLocal("s"))),n.ret(n.call(i+"_sign",l)))}(),function(){const e=t.addFunction(a+"_toMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_toMontgomery",l,c),n.call(i+"_toMontgomery",r,d),n.call(i+"_toMontgomery",s,u))}(),function(){const e=t.addFunction(a+"_fromMontgomery");e.addParam("x","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_fromMontgomery",l,c),n.call(i+"_fromMontgomery",r,d),n.call(i+"_fromMontgomery",s,u))}(),function(){const e=t.addFunction(a+"_eq");e.addParam("x","i32"),e.addParam("y","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("y"),d=n.i32_add(n.getLocal("y"),n.i32_const(o)),u=n.i32_add(n.getLocal("y"),n.i32_const(2*o));e.addCode(n.i32_and(n.i32_and(n.call(i+"_eq",l,c),n.call(i+"_eq",r,d)),n.call(i+"_eq",s,u)))}(),function(){const n=t.addFunction(a+"_inverse");n.addParam("x","i32"),n.addParam("r","i32");const l=n.getCodeBuilder(),r=l.getLocal("x"),s=l.i32_add(l.getLocal("x"),l.i32_const(o)),c=l.i32_add(l.getLocal("x"),l.i32_const(2*o)),d=l.getLocal("r"),u=l.i32_add(l.getLocal("r"),l.i32_const(o)),g=l.i32_add(l.getLocal("r"),l.i32_const(2*o)),f=l.i32_const(t.alloc(o)),h=l.i32_const(t.alloc(o)),_=l.i32_const(t.alloc(o)),p=l.i32_const(t.alloc(o)),m=l.i32_const(t.alloc(o)),w=l.i32_const(t.alloc(o)),L=l.i32_const(t.alloc(o)),b=l.i32_const(t.alloc(o)),A=l.i32_const(t.alloc(o)),y=l.i32_const(t.alloc(o)),C=l.i32_const(t.alloc(o));n.addCode(l.call(i+"_square",r,f),l.call(i+"_square",s,h),l.call(i+"_square",c,_),l.call(i+"_mul",r,s,p),l.call(i+"_mul",r,c,m),l.call(i+"_mul",s,c,w),l.call(e,w,L),l.call(i+"_sub",f,L,L),l.call(e,_,b),l.call(i+"_sub",b,p,b),l.call(i+"_sub",h,m,A),l.call(i+"_mul",c,b,y),l.call(i+"_mul",s,A,C),l.call(i+"_add",y,C,y),l.call(e,y,y),l.call(i+"_mul",r,L,C),l.call(i+"_add",C,y,y),l.call(i+"_inverse",y,y),l.call(i+"_mul",y,L,d),l.call(i+"_mul",y,b,u),l.call(i+"_mul",y,A,g))}(),function(){const e=t.addFunction(a+"_timesScalar");e.addParam("x","i32"),e.addParam("scalar","i32"),e.addParam("scalarLen","i32"),e.addParam("r","i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o)),c=n.getLocal("r"),d=n.i32_add(n.getLocal("r"),n.i32_const(o)),u=n.i32_add(n.getLocal("r"),n.i32_const(2*o));e.addCode(n.call(i+"_timesScalar",l,n.getLocal("scalar"),n.getLocal("scalarLen"),c),n.call(i+"_timesScalar",r,n.getLocal("scalar"),n.getLocal("scalarLen"),d),n.call(i+"_timesScalar",s,n.getLocal("scalar"),n.getLocal("scalarLen"),u))}(),function(){const e=t.addFunction(a+"_isNegative");e.addParam("x","i32"),e.setReturnType("i32");const n=e.getCodeBuilder(),l=n.getLocal("x"),r=n.i32_add(n.getLocal("x"),n.i32_const(o)),s=n.i32_add(n.getLocal("x"),n.i32_const(2*o));e.addCode(n.if(n.call(i+"_isZero",s),n.if(n.call(i+"_isZero",r),n.ret(n.call(i+"_isNegative",l)),n.ret(n.call(i+"_isNegative",r)))),n.ret(n.call(i+"_isNegative",s)))}(),t.exportFunction(a+"_isZero"),t.exportFunction(a+"_isOne"),t.exportFunction(a+"_zero"),t.exportFunction(a+"_one"),t.exportFunction(a+"_copy"),t.exportFunction(a+"_mul"),t.exportFunction(a+"_square"),t.exportFunction(a+"_add"),t.exportFunction(a+"_sub"),t.exportFunction(a+"_neg"),t.exportFunction(a+"_sign"),t.exportFunction(a+"_fromMontgomery"),t.exportFunction(a+"_toMontgomery"),t.exportFunction(a+"_eq"),t.exportFunction(a+"_inverse"),zt(t,a),Gt(t,a+"_exp",3*o,a+"_mul",a+"_square",a+"_copy",a+"_one"),t.exportFunction(a+"_exp"),t.exportFunction(a+"_timesScalar"),t.exportFunction(a+"_batchInverse"),t.exportFunction(a+"_isNegative"),a};const Ut=function(t,e,a,i,o,n,l,r){const s=t.addFunction(e);s.addParam("base","i32"),s.addParam("scalar","i32"),s.addParam("scalarLength","i32"),s.addParam("r","i32"),s.addLocal("old0","i32"),s.addLocal("nbits","i32"),s.addLocal("i","i32"),s.addLocal("last","i32"),s.addLocal("cur","i32"),s.addLocal("carry","i32"),s.addLocal("p","i32");const c=s.getCodeBuilder(),d=c.i32_const(t.alloc(a));function u(t){return c.i32_and(c.i32_shr_u(c.i32_load(c.i32_add(c.getLocal("scalar"),c.i32_and(c.i32_shr_u(t,c.i32_const(3)),c.i32_const(4294967292)))),c.i32_and(t,c.i32_const(31))),c.i32_const(1))}function g(t){return[...c.i32_store8(c.getLocal("p"),c.i32_const(t)),...c.setLocal("p",c.i32_add(c.getLocal("p"),c.i32_const(1)))]}s.addCode(c.if(c.i32_eqz(c.getLocal("scalarLength")),[...c.call(r,c.getLocal("r")),...c.ret([])]),c.setLocal("nbits",c.i32_shl(c.getLocal("scalarLength"),c.i32_const(3))),c.setLocal("old0",c.i32_load(c.i32_const(0))),c.setLocal("p",c.getLocal("old0")),c.i32_store(c.i32_const(0),c.i32_and(c.i32_add(c.i32_add(c.getLocal("old0"),c.i32_const(32)),c.getLocal("nbits")),c.i32_const(4294967288))),c.setLocal("i",c.i32_const(1)),c.setLocal("last",u(c.i32_const(0))),c.setLocal("carry",c.i32_const(0)),c.block(c.loop(c.br_if(1,c.i32_eq(c.getLocal("i"),c.getLocal("nbits"))),c.setLocal("cur",u(c.getLocal("i"))),c.if(c.getLocal("last"),c.if(c.getLocal("cur"),c.if(c.getLocal("carry"),[...c.setLocal("last",c.i32_const(0)),...c.setLocal("carry",c.i32_const(1)),...g(1)],[...c.setLocal("last",c.i32_const(0)),...c.setLocal("carry",c.i32_const(1)),...g(255)]),c.if(c.getLocal("carry"),[...c.setLocal("last",c.i32_const(0)),...c.setLocal("carry",c.i32_const(1)),...g(255)],[...c.setLocal("last",c.i32_const(0)),...c.setLocal("carry",c.i32_const(0)),...g(1)])),c.if(c.getLocal("cur"),c.if(c.getLocal("carry"),[...c.setLocal("last",c.i32_const(0)),...c.setLocal("carry",c.i32_const(1)),...g(0)],[...c.setLocal("last",c.i32_const(1)),...c.setLocal("carry",c.i32_const(0)),...g(0)]),c.if(c.getLocal("carry"),[...c.setLocal("last",c.i32_const(1)),...c.setLocal("carry",c.i32_const(0)),...g(0)],[...c.setLocal("last",c.i32_const(0)),...c.setLocal("carry",c.i32_const(0)),...g(0)]))),c.setLocal("i",c.i32_add(c.getLocal("i"),c.i32_const(1))),c.br(0))),c.if(c.getLocal("last"),c.if(c.getLocal("carry"),[...g(255),...g(0),...g(1)],[...g(1)]),c.if(c.getLocal("carry"),[...g(0),...g(1)])),c.setLocal("p",c.i32_sub(c.getLocal("p"),c.i32_const(1))),c.call(l,c.getLocal("base"),d),c.call(r,c.getLocal("r")),c.block(c.loop(c.call(o,c.getLocal("r"),c.getLocal("r")),c.setLocal("cur",c.i32_load8_u(c.getLocal("p"))),c.if(c.getLocal("cur"),c.if(c.i32_eq(c.getLocal("cur"),c.i32_const(1)),c.call(i,c.getLocal("r"),d,c.getLocal("r")),c.call(n,c.getLocal("r"),d,c.getLocal("r")))),c.br_if(1,c.i32_eq(c.getLocal("old0"),c.getLocal("p"))),c.setLocal("p",c.i32_sub(c.getLocal("p"),c.i32_const(1))),c.br(0))),c.i32_store(c.i32_const(0),c.getLocal("old0")))},Qt=W,Tt=function(t,e,a,i,o){const n=8*t.modules[e].n64;function l(){const i=t.addFunction(a);i.addParam("pBases","i32"),i.addParam("pScalars","i32"),i.addParam("scalarSize","i32"),i.addParam("n","i32"),i.addParam("pr","i32"),i.addLocal("chunkSize","i32"),i.addLocal("nChunks","i32"),i.addLocal("itScalar","i32"),i.addLocal("endScalar","i32"),i.addLocal("itBase","i32"),i.addLocal("itBit","i32"),i.addLocal("i","i32"),i.addLocal("j","i32"),i.addLocal("nTable","i32"),i.addLocal("pTable","i32"),i.addLocal("idx","i32"),i.addLocal("pIdxTable","i32");const o=i.getCodeBuilder(),l=o.i32_const(t.alloc(n)),r=t.alloc([17,17,17,17,17,17,17,17,17,17,16,16,15,14,13,13,12,11,10,9,8,7,7,6,5,4,3,2,1,1,1,1]);i.addCode(o.call(e+"_zero",o.getLocal("pr")),o.if(o.i32_eqz(o.getLocal("n")),o.ret([])),o.setLocal("chunkSize",o.i32_load8_u(o.i32_clz(o.getLocal("n")),r)),o.setLocal("nChunks",o.i32_add(o.i32_div_u(o.i32_sub(o.i32_shl(o.getLocal("scalarSize"),o.i32_const(3)),o.i32_const(1)),o.getLocal("chunkSize")),o.i32_const(1))),o.setLocal("itBit",o.i32_mul(o.i32_sub(o.getLocal("nChunks"),o.i32_const(1)),o.getLocal("chunkSize"))),o.block(o.loop(o.br_if(1,o.i32_lt_s(o.getLocal("itBit"),o.i32_const(0))),o.if(o.i32_eqz(o.call(e+"_isZero",o.getLocal("pr"))),[...o.setLocal("j",o.i32_const(0)),...o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("j"),o.getLocal("chunkSize"))),o.call(e+"_double",o.getLocal("pr"),o.getLocal("pr")),o.setLocal("j",o.i32_add(o.getLocal("j"),o.i32_const(1))),o.br(0)))]),o.call(a+"_chunk",o.getLocal("pBases"),o.getLocal("pScalars"),o.getLocal("scalarSize"),o.getLocal("n"),o.getLocal("itBit"),o.getLocal("chunkSize"),l),o.call(e+"_add",o.getLocal("pr"),l,o.getLocal("pr")),o.setLocal("itBit",o.i32_sub(o.getLocal("itBit"),o.getLocal("chunkSize"))),o.br(0))))}!function(){const e=t.addFunction(a+"_getChunk");e.addParam("pScalar","i32"),e.addParam("scalarSize","i32"),e.addParam("startBit","i32"),e.addParam("chunkSize","i32"),e.addLocal("bitsToEnd","i32"),e.addLocal("mask","i32"),e.setReturnType("i32");const i=e.getCodeBuilder();e.addCode(i.setLocal("bitsToEnd",i.i32_sub(i.i32_mul(i.getLocal("scalarSize"),i.i32_const(8)),i.getLocal("startBit"))),i.if(i.i32_gt_s(i.getLocal("chunkSize"),i.getLocal("bitsToEnd")),i.setLocal("mask",i.i32_sub(i.i32_shl(i.i32_const(1),i.getLocal("bitsToEnd")),i.i32_const(1))),i.setLocal("mask",i.i32_sub(i.i32_shl(i.i32_const(1),i.getLocal("chunkSize")),i.i32_const(1)))),i.i32_and(i.i32_shr_u(i.i32_load(i.i32_add(i.getLocal("pScalar"),i.i32_shr_u(i.getLocal("startBit"),i.i32_const(3))),0,0),i.i32_and(i.getLocal("startBit"),i.i32_const(7))),i.getLocal("mask")))}(),function(){const i=t.addFunction(a+"_reduceTable");i.addParam("pTable","i32"),i.addParam("p","i32"),i.addLocal("half","i32"),i.addLocal("it1","i32"),i.addLocal("it2","i32"),i.addLocal("pAcc","i32");const o=i.getCodeBuilder();i.addCode(o.if(o.i32_eq(o.getLocal("p"),o.i32_const(1)),o.ret([])),o.setLocal("half",o.i32_shl(o.i32_const(1),o.i32_sub(o.getLocal("p"),o.i32_const(1)))),o.setLocal("it1",o.getLocal("pTable")),o.setLocal("it2",o.i32_add(o.getLocal("pTable"),o.i32_mul(o.getLocal("half"),o.i32_const(n)))),o.setLocal("pAcc",o.i32_sub(o.getLocal("it2"),o.i32_const(n))),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("it1"),o.getLocal("pAcc"))),o.call(e+"_add",o.getLocal("it1"),o.getLocal("it2"),o.getLocal("it1")),o.call(e+"_add",o.getLocal("pAcc"),o.getLocal("it2"),o.getLocal("pAcc")),o.setLocal("it1",o.i32_add(o.getLocal("it1"),o.i32_const(n))),o.setLocal("it2",o.i32_add(o.getLocal("it2"),o.i32_const(n))),o.br(0))),o.call(a+"_reduceTable",o.getLocal("pTable"),o.i32_sub(o.getLocal("p"),o.i32_const(1))),o.setLocal("p",o.i32_sub(o.getLocal("p"),o.i32_const(1))),o.block(o.loop(o.br_if(1,o.i32_eqz(o.getLocal("p"))),o.call(e+"_double",o.getLocal("pAcc"),o.getLocal("pAcc")),o.setLocal("p",o.i32_sub(o.getLocal("p"),o.i32_const(1))),o.br(0))),o.call(e+"_add",o.getLocal("pTable"),o.getLocal("pAcc"),o.getLocal("pTable")))}(),function(){const l=t.addFunction(a+"_chunk");l.addParam("pBases","i32"),l.addParam("pScalars","i32"),l.addParam("scalarSize","i32"),l.addParam("n","i32"),l.addParam("startBit","i32"),l.addParam("chunkSize","i32"),l.addParam("pr","i32"),l.addLocal("nChunks","i32"),l.addLocal("itScalar","i32"),l.addLocal("endScalar","i32"),l.addLocal("itBase","i32"),l.addLocal("i","i32"),l.addLocal("j","i32"),l.addLocal("nTable","i32"),l.addLocal("pTable","i32"),l.addLocal("idx","i32"),l.addLocal("pIdxTable","i32");const r=l.getCodeBuilder();l.addCode(r.if(r.i32_eqz(r.getLocal("n")),[...r.call(e+"_zero",r.getLocal("pr")),...r.ret([])]),r.setLocal("nTable",r.i32_shl(r.i32_const(1),r.getLocal("chunkSize"))),r.setLocal("pTable",r.i32_load(r.i32_const(0))),r.i32_store(r.i32_const(0),r.i32_add(r.getLocal("pTable"),r.i32_mul(r.getLocal("nTable"),r.i32_const(n)))),r.setLocal("j",r.i32_const(0)),r.block(r.loop(r.br_if(1,r.i32_eq(r.getLocal("j"),r.getLocal("nTable"))),r.call(e+"_zero",r.i32_add(r.getLocal("pTable"),r.i32_mul(r.getLocal("j"),r.i32_const(n)))),r.setLocal("j",r.i32_add(r.getLocal("j"),r.i32_const(1))),r.br(0))),r.setLocal("itBase",r.getLocal("pBases")),r.setLocal("itScalar",r.getLocal("pScalars")),r.setLocal("endScalar",r.i32_add(r.getLocal("pScalars"),r.i32_mul(r.getLocal("n"),r.getLocal("scalarSize")))),r.block(r.loop(r.br_if(1,r.i32_eq(r.getLocal("itScalar"),r.getLocal("endScalar"))),r.setLocal("idx",r.call(a+"_getChunk",r.getLocal("itScalar"),r.getLocal("scalarSize"),r.getLocal("startBit"),r.getLocal("chunkSize"))),r.if(r.getLocal("idx"),[...r.setLocal("pIdxTable",r.i32_add(r.getLocal("pTable"),r.i32_mul(r.i32_sub(r.getLocal("idx"),r.i32_const(1)),r.i32_const(n)))),...r.call(i,r.getLocal("pIdxTable"),r.getLocal("itBase"),r.getLocal("pIdxTable"))]),r.setLocal("itScalar",r.i32_add(r.getLocal("itScalar"),r.getLocal("scalarSize"))),r.setLocal("itBase",r.i32_add(r.getLocal("itBase"),r.i32_const(o))),r.br(0))),r.call(a+"_reduceTable",r.getLocal("pTable"),r.getLocal("chunkSize")),r.call(e+"_copy",r.getLocal("pTable"),r.getLocal("pr")),r.i32_store(r.i32_const(0),r.getLocal("pTable")))}(),l(),t.exportFunction(a),t.exportFunction(a+"_chunk")};var qt=function(t,e,a,i){const o=t.modules[a].n64,n=8*o;if(t.modules[e])return e;return t.modules[e]={n64:3*o},function(){const i=t.addFunction(e+"_isZeroAffine");i.addParam("p1","i32"),i.setReturnType("i32");const o=i.getCodeBuilder();i.addCode(o.i32_and(o.call(a+"_isZero",o.getLocal("p1")),o.call(a+"_isZero",o.i32_add(o.getLocal("p1"),o.i32_const(n)))))}(),function(){const i=t.addFunction(e+"_isZero");i.addParam("p1","i32"),i.setReturnType("i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_isZero",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))))}(),function(){const i=t.addFunction(e+"_zeroAffine");i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_zero",o.getLocal("pr"))),i.addCode(o.call(a+"_zero",o.i32_add(o.getLocal("pr"),o.i32_const(n))))}(),function(){const i=t.addFunction(e+"_zero");i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_zero",o.getLocal("pr"))),i.addCode(o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(n)))),i.addCode(o.call(a+"_zero",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))))}(),function(){const a=t.addFunction(e+"_copyAffine");a.addParam("ps","i32"),a.addParam("pd","i32");const i=a.getCodeBuilder();for(let t=0;t<2*o;t++)a.addCode(i.i64_store(i.getLocal("pd"),8*t,i.i64_load(i.getLocal("ps"),8*t)))}(),function(){const a=t.addFunction(e+"_copy");a.addParam("ps","i32"),a.addParam("pd","i32");const i=a.getCodeBuilder();for(let t=0;t<3*o;t++)a.addCode(i.i64_store(i.getLocal("pd"),8*t,i.i64_load(i.getLocal("ps"),8*t)))}(),function(){const i=t.addFunction(e+"_toJacobian");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.getLocal("pr"),c=o.i32_add(o.getLocal("pr"),o.i32_const(n)),d=o.i32_add(o.getLocal("pr"),o.i32_const(2*n));i.addCode(o.if(o.call(e+"_isZeroAffine",o.getLocal("p1")),o.call(e+"_zero",o.getLocal("pr")),[...o.call(a+"_one",d),...o.call(a+"_copy",r,c),...o.call(a+"_copy",l,s)]))}(),function(){const i=t.addFunction(e+"_eqAffine");i.addParam("p1","i32"),i.addParam("p2","i32"),i.setReturnType("i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder();i.addCode(o.ret(o.i32_and(o.call(a+"_eq",o.getLocal("p1"),o.getLocal("p2")),o.call(a+"_eq",o.i32_add(o.getLocal("p1"),o.i32_const(n)),o.i32_add(o.getLocal("p2"),o.i32_const(n))))))}(),function(){const i=t.addFunction(e+"_eqMixed");i.addParam("p1","i32"),i.addParam("p2","i32"),i.setReturnType("i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const s=o.getLocal("z1"),c=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n)),u=o.i32_const(t.alloc(n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),o.ret(o.call(e+"_isZeroAffine",o.getLocal("p2")))),o.if(o.call(e+"_isZeroAffine",o.getLocal("p2")),o.ret(o.i32_const(0))),o.if(o.call(a+"_isOne",s),o.ret(o.call(e+"_eqAffine",o.getLocal("p1"),o.getLocal("p2")))),o.call(a+"_square",s,u),o.call(a+"_mul",c,u,g),o.call(a+"_mul",s,u,f),o.call(a+"_mul",d,f,h),o.if(o.call(a+"_eq",l,g),o.if(o.call(a+"_eq",r,h),o.ret(o.i32_const(1)))),o.ret(o.i32_const(0)))}(),function(){const i=t.addFunction(e+"_eq");i.addParam("p1","i32"),i.addParam("p2","i32"),i.setReturnType("i32"),i.addLocal("z1","i32"),i.addLocal("z2","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const s=o.getLocal("z1"),c=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n));i.addCode(o.setLocal("z2",o.i32_add(o.getLocal("p2"),o.i32_const(2*n))));const u=o.getLocal("z2"),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),o.ret(o.call(e+"_isZero",o.getLocal("p2")))),o.if(o.call(e+"_isZero",o.getLocal("p2")),o.ret(o.i32_const(0))),o.if(o.call(a+"_isOne",s),o.ret(o.call(e+"_eqMixed",o.getLocal("p2"),o.getLocal("p1")))),o.if(o.call(a+"_isOne",u),o.ret(o.call(e+"_eqMixed",o.getLocal("p1"),o.getLocal("p2")))),o.call(a+"_square",s,g),o.call(a+"_square",u,f),o.call(a+"_mul",l,f,h),o.call(a+"_mul",c,g,_),o.call(a+"_mul",s,g,p),o.call(a+"_mul",u,f,m),o.call(a+"_mul",r,m,w),o.call(a+"_mul",d,p,L),o.if(o.call(a+"_eq",h,_),o.if(o.call(a+"_eq",w,L),o.ret(o.i32_const(1)))),o.ret(o.i32_const(0)))}(),function(){const i=t.addFunction(e+"_doubleAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.getLocal("pr"),c=o.i32_add(o.getLocal("pr"),o.i32_const(n)),d=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),u=o.i32_const(t.alloc(n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZeroAffine",o.getLocal("p1")),[...o.call(e+"_toJacobian",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.call(a+"_square",l,u),o.call(a+"_square",r,g),o.call(a+"_square",g,f),o.call(a+"_add",l,g,h),o.call(a+"_square",h,h),o.call(a+"_sub",h,u,h),o.call(a+"_sub",h,f,h),o.call(a+"_add",h,h,h),o.call(a+"_add",u,u,_),o.call(a+"_add",_,u,_),o.call(a+"_add",r,r,d),o.call(a+"_square",_,s),o.call(a+"_sub",s,h,s),o.call(a+"_sub",s,h,s),o.call(a+"_add",f,f,p),o.call(a+"_add",p,p,p),o.call(a+"_add",p,p,p),o.call(a+"_sub",h,s,c),o.call(a+"_mul",c,_,c),o.call(a+"_sub",c,p,c))}(),function(){const i=t.addFunction(e+"_double");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),c=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(e+"_copy",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(a+"_isOne",s),[...o.ret(o.call(e+"_doubleAffine",o.getLocal("p1"),o.getLocal("pr"))),...o.ret([])]),o.call(a+"_square",l,g),o.call(a+"_square",r,f),o.call(a+"_square",f,h),o.call(a+"_add",l,f,_),o.call(a+"_square",_,_),o.call(a+"_sub",_,g,_),o.call(a+"_sub",_,h,_),o.call(a+"_add",_,_,_),o.call(a+"_add",g,g,p),o.call(a+"_add",p,g,p),o.call(a+"_square",p,m),o.call(a+"_mul",r,s,w),o.call(a+"_add",_,_,c),o.call(a+"_sub",m,c,c),o.call(a+"_add",h,h,L),o.call(a+"_add",L,L,L),o.call(a+"_add",L,L,L),o.call(a+"_sub",_,c,d),o.call(a+"_mul",d,p,d),o.call(a+"_sub",d,L,d),o.call(a+"_add",w,w,u))}(),function(){const i=t.addFunction(e+"_addAffine");i.addParam("p1","i32"),i.addParam("p2","i32"),i.addParam("pr","i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const s=o.getLocal("p2"),c=o.i32_add(o.getLocal("p2"),o.i32_const(n)),d=o.getLocal("pr"),u=o.i32_add(o.getLocal("pr"),o.i32_const(n)),g=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),f=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),b=o.i32_const(t.alloc(n)),A=o.i32_const(t.alloc(n)),y=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZeroAffine",o.getLocal("p1")),[...o.call(e+"_copyAffine",o.getLocal("p2"),o.getLocal("pr")),...o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))),...o.ret([])]),o.if(o.call(e+"_isZeroAffine",o.getLocal("p2")),[...o.call(e+"_copyAffine",o.getLocal("p1"),o.getLocal("pr")),...o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))),...o.ret([])]),o.if(o.call(a+"_eq",l,s),o.if(o.call(a+"_eq",r,c),[...o.call(e+"_doubleAffine",o.getLocal("p2"),o.getLocal("pr")),...o.ret([])])),o.call(a+"_sub",s,l,f),o.call(a+"_sub",c,r,_),o.call(a+"_square",f,h),o.call(a+"_add",h,h,p),o.call(a+"_add",p,p,p),o.call(a+"_mul",f,p,m),o.call(a+"_add",_,_,w),o.call(a+"_mul",l,p,b),o.call(a+"_square",w,L),o.call(a+"_add",b,b,A),o.call(a+"_sub",L,m,d),o.call(a+"_sub",d,A,d),o.call(a+"_mul",r,m,y),o.call(a+"_add",y,y,y),o.call(a+"_sub",b,d,u),o.call(a+"_mul",u,w,u),o.call(a+"_sub",u,y,u),o.call(a+"_add",f,f,g))}(),function(){const i=t.addFunction(e+"_addMixed");i.addParam("p1","i32"),i.addParam("p2","i32"),i.addParam("pr","i32"),i.addLocal("z1","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const s=o.getLocal("z1"),c=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n)),u=o.getLocal("pr"),g=o.i32_add(o.getLocal("pr"),o.i32_const(n)),f=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),h=o.i32_const(t.alloc(n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),b=o.i32_const(t.alloc(n)),A=o.i32_const(t.alloc(n)),y=o.i32_const(t.alloc(n)),C=o.i32_const(t.alloc(n)),I=o.i32_const(t.alloc(n)),F=o.i32_const(t.alloc(n)),x=o.i32_const(t.alloc(n)),E=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(e+"_copyAffine",o.getLocal("p2"),o.getLocal("pr")),...o.call(a+"_one",o.i32_add(o.getLocal("pr"),o.i32_const(2*n))),...o.ret([])]),o.if(o.call(e+"_isZeroAffine",o.getLocal("p2")),[...o.call(e+"_copy",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(a+"_isOne",s),[...o.call(e+"_addAffine",l,c,u),...o.ret([])]),o.call(a+"_square",s,h),o.call(a+"_mul",c,h,_),o.call(a+"_mul",s,h,p),o.call(a+"_mul",d,p,m),o.if(o.call(a+"_eq",l,_),o.if(o.call(a+"_eq",r,m),[...o.call(e+"_doubleAffine",o.getLocal("p2"),o.getLocal("pr")),...o.ret([])])),o.call(a+"_sub",_,l,w),o.call(a+"_sub",m,r,b),o.call(a+"_square",w,L),o.call(a+"_add",L,L,A),o.call(a+"_add",A,A,A),o.call(a+"_mul",w,A,y),o.call(a+"_add",b,b,C),o.call(a+"_mul",l,A,F),o.call(a+"_square",C,I),o.call(a+"_add",F,F,x),o.call(a+"_sub",I,y,u),o.call(a+"_sub",u,x,u),o.call(a+"_mul",r,y,E),o.call(a+"_add",E,E,E),o.call(a+"_sub",F,u,g),o.call(a+"_mul",g,C,g),o.call(a+"_sub",g,E,g),o.call(a+"_add",s,w,f),o.call(a+"_square",f,f),o.call(a+"_sub",f,h,f),o.call(a+"_sub",f,L,f))}(),function(){const i=t.addFunction(e+"_add");i.addParam("p1","i32"),i.addParam("p2","i32"),i.addParam("pr","i32"),i.addLocal("z1","i32"),i.addLocal("z2","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n));i.addCode(o.setLocal("z1",o.i32_add(o.getLocal("p1"),o.i32_const(2*n))));const s=o.getLocal("z1"),c=o.getLocal("p2"),d=o.i32_add(o.getLocal("p2"),o.i32_const(n));i.addCode(o.setLocal("z2",o.i32_add(o.getLocal("p2"),o.i32_const(2*n))));const u=o.getLocal("z2"),g=o.getLocal("pr"),f=o.i32_add(o.getLocal("pr"),o.i32_const(n)),h=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),_=o.i32_const(t.alloc(n)),p=o.i32_const(t.alloc(n)),m=o.i32_const(t.alloc(n)),w=o.i32_const(t.alloc(n)),L=o.i32_const(t.alloc(n)),b=o.i32_const(t.alloc(n)),A=o.i32_const(t.alloc(n)),y=o.i32_const(t.alloc(n)),C=o.i32_const(t.alloc(n)),I=o.i32_const(t.alloc(n)),F=o.i32_const(t.alloc(n)),x=o.i32_const(t.alloc(n)),E=o.i32_const(t.alloc(n)),v=o.i32_const(t.alloc(n)),B=o.i32_const(t.alloc(n)),S=o.i32_const(t.alloc(n)),P=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(e+"_copy",o.getLocal("p2"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(e+"_isZero",o.getLocal("p2")),[...o.call(e+"_copy",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])]),o.if(o.call(a+"_isOne",s),[...o.call(e+"_addMixed",c,l,g),...o.ret([])]),o.if(o.call(a+"_isOne",u),[...o.call(e+"_addMixed",l,c,g),...o.ret([])]),o.call(a+"_square",s,_),o.call(a+"_square",u,p),o.call(a+"_mul",l,p,m),o.call(a+"_mul",c,_,w),o.call(a+"_mul",s,_,L),o.call(a+"_mul",u,p,b),o.call(a+"_mul",r,b,A),o.call(a+"_mul",d,L,y),o.if(o.call(a+"_eq",m,w),o.if(o.call(a+"_eq",A,y),[...o.call(e+"_double",o.getLocal("p1"),o.getLocal("pr")),...o.ret([])])),o.call(a+"_sub",w,m,C),o.call(a+"_sub",y,A,I),o.call(a+"_add",C,C,F),o.call(a+"_square",F,F),o.call(a+"_mul",C,F,x),o.call(a+"_add",I,I,E),o.call(a+"_mul",m,F,B),o.call(a+"_square",E,v),o.call(a+"_add",B,B,S),o.call(a+"_sub",v,x,g),o.call(a+"_sub",g,S,g),o.call(a+"_mul",A,x,P),o.call(a+"_add",P,P,P),o.call(a+"_sub",B,g,f),o.call(a+"_mul",f,E,f),o.call(a+"_sub",f,P,f),o.call(a+"_add",s,u,h),o.call(a+"_square",h,h),o.call(a+"_sub",h,_,h),o.call(a+"_sub",h,p,h),o.call(a+"_mul",h,C,h))}(),function(){const i=t.addFunction(e+"_negAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.getLocal("pr"),c=o.i32_add(o.getLocal("pr"),o.i32_const(n));i.addCode(o.call(a+"_copy",l,s),o.call(a+"_neg",r,c))}(),function(){const i=t.addFunction(e+"_neg");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),c=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_add(o.getLocal("pr"),o.i32_const(2*n));i.addCode(o.call(a+"_copy",l,c),o.call(a+"_neg",r,d),o.call(a+"_copy",s,u))}(),function(){const a=t.addFunction(e+"_subAffine");a.addParam("p1","i32"),a.addParam("p2","i32"),a.addParam("pr","i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(3*n));a.addCode(i.call(e+"_negAffine",i.getLocal("p2"),o),i.call(e+"_addAffine",i.getLocal("p1"),o,i.getLocal("pr")))}(),function(){const a=t.addFunction(e+"_subMixed");a.addParam("p1","i32"),a.addParam("p2","i32"),a.addParam("pr","i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(3*n));a.addCode(i.call(e+"_negAffine",i.getLocal("p2"),o),i.call(e+"_addMixed",i.getLocal("p1"),o,i.getLocal("pr")))}(),function(){const a=t.addFunction(e+"_sub");a.addParam("p1","i32"),a.addParam("p2","i32"),a.addParam("pr","i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(3*n));a.addCode(i.call(e+"_neg",i.getLocal("p2"),o),i.call(e+"_add",i.getLocal("p1"),o,i.getLocal("pr")))}(),function(){const i=t.addFunction(e+"_fromMontgomeryAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_fromMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<2;t++)i.addCode(o.call(a+"_fromMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_fromMontgomery");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_fromMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<3;t++)i.addCode(o.call(a+"_fromMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_toMontgomeryAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_toMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<2;t++)i.addCode(o.call(a+"_toMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_toMontgomery");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder();i.addCode(o.call(a+"_toMontgomery",o.getLocal("p1"),o.getLocal("pr")));for(let t=1;t<3;t++)i.addCode(o.call(a+"_toMontgomery",o.i32_add(o.getLocal("p1"),o.i32_const(t*n)),o.i32_add(o.getLocal("pr"),o.i32_const(t*n))))}(),function(){const i=t.addFunction(e+"_toAffine");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),c=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_const(t.alloc(n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),[...o.call(a+"_zero",c),...o.call(a+"_zero",d)],[...o.call(a+"_inverse",s,u),...o.call(a+"_square",u,g),...o.call(a+"_mul",u,g,f),...o.call(a+"_mul",l,g,c),...o.call(a+"_mul",r,f,d)]))}(),function(){const o=t.addFunction(e+"_inCurveAffine");o.addParam("pIn","i32"),o.setReturnType("i32");const l=o.getCodeBuilder(),r=l.getLocal("pIn"),s=l.i32_add(l.getLocal("pIn"),l.i32_const(n)),c=l.i32_const(t.alloc(n)),d=l.i32_const(t.alloc(n));o.addCode(l.call(a+"_square",s,c),l.call(a+"_square",r,d),l.call(a+"_mul",r,d,d),l.call(a+"_add",d,l.i32_const(i),d),l.ret(l.call(a+"_eq",c,d)))}(),function(){const a=t.addFunction(e+"_inCurve");a.addParam("pIn","i32"),a.setReturnType("i32");const i=a.getCodeBuilder(),o=i.i32_const(t.alloc(2*n));a.addCode(i.call(e+"_toAffine",i.getLocal("pIn"),o),i.ret(i.call(e+"_inCurveAffine",o)))}(),function(){const i=t.addFunction(e+"_batchToAffine");i.addParam("pIn","i32"),i.addParam("n","i32"),i.addParam("pOut","i32"),i.addLocal("pAux","i32"),i.addLocal("itIn","i32"),i.addLocal("itAux","i32"),i.addLocal("itOut","i32"),i.addLocal("i","i32");const o=i.getCodeBuilder(),l=o.i32_const(t.alloc(n));i.addCode(o.setLocal("pAux",o.i32_load(o.i32_const(0))),o.i32_store(o.i32_const(0),o.i32_add(o.getLocal("pAux"),o.i32_mul(o.getLocal("n"),o.i32_const(n)))),o.call(a+"_batchInverse",o.i32_add(o.getLocal("pIn"),o.i32_const(2*n)),o.i32_const(3*n),o.getLocal("n"),o.getLocal("pAux"),o.i32_const(n)),o.setLocal("itIn",o.getLocal("pIn")),o.setLocal("itAux",o.getLocal("pAux")),o.setLocal("itOut",o.getLocal("pOut")),o.setLocal("i",o.i32_const(0)),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("i"),o.getLocal("n"))),o.if(o.call(a+"_isZero",o.getLocal("itAux")),[...o.call(a+"_zero",o.getLocal("itOut")),...o.call(a+"_zero",o.i32_add(o.getLocal("itOut"),o.i32_const(n)))],[...o.call(a+"_mul",o.getLocal("itAux"),o.i32_add(o.getLocal("itIn"),o.i32_const(n)),l),...o.call(a+"_square",o.getLocal("itAux"),o.getLocal("itAux")),...o.call(a+"_mul",o.getLocal("itAux"),o.getLocal("itIn"),o.getLocal("itOut")),...o.call(a+"_mul",o.getLocal("itAux"),l,o.i32_add(o.getLocal("itOut"),o.i32_const(n)))]),o.setLocal("itIn",o.i32_add(o.getLocal("itIn"),o.i32_const(3*n))),o.setLocal("itOut",o.i32_add(o.getLocal("itOut"),o.i32_const(2*n))),o.setLocal("itAux",o.i32_add(o.getLocal("itAux"),o.i32_const(n))),o.setLocal("i",o.i32_add(o.getLocal("i"),o.i32_const(1))),o.br(0))),o.i32_store(o.i32_const(0),o.getLocal("pAux")))}(),function(){const i=t.addFunction(e+"_normalize");i.addParam("p1","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),l=o.getLocal("p1"),r=o.i32_add(o.getLocal("p1"),o.i32_const(n)),s=o.i32_add(o.getLocal("p1"),o.i32_const(2*n)),c=o.getLocal("pr"),d=o.i32_add(o.getLocal("pr"),o.i32_const(n)),u=o.i32_add(o.getLocal("pr"),o.i32_const(2*n)),g=o.i32_const(t.alloc(n)),f=o.i32_const(t.alloc(n)),h=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("p1")),o.call(e+"_zero",o.getLocal("pr")),[...o.call(a+"_inverse",s,g),...o.call(a+"_square",g,f),...o.call(a+"_mul",g,f,h),...o.call(a+"_mul",l,f,c),...o.call(a+"_mul",r,h,d),...o.call(a+"_one",u)]))}(),function(){const a=t.addFunction(e+"__reverseBytes");a.addParam("pIn","i32"),a.addParam("n","i32"),a.addParam("pOut","i32"),a.addLocal("itOut","i32"),a.addLocal("itIn","i32");const i=a.getCodeBuilder();a.addCode(i.setLocal("itOut",i.i32_sub(i.i32_add(i.getLocal("pOut"),i.getLocal("n")),i.i32_const(1))),i.setLocal("itIn",i.getLocal("pIn")),i.block(i.loop(i.br_if(1,i.i32_lt_s(i.getLocal("itOut"),i.getLocal("pOut"))),i.i32_store8(i.getLocal("itOut"),i.i32_load8_u(i.getLocal("itIn"))),i.setLocal("itOut",i.i32_sub(i.getLocal("itOut"),i.i32_const(1))),i.setLocal("itIn",i.i32_add(i.getLocal("itIn"),i.i32_const(1))),i.br(0))))}(),function(){const a=t.addFunction(e+"_LEMtoU");a.addParam("pIn","i32"),a.addParam("pOut","i32");const i=a.getCodeBuilder(),o=t.alloc(2*n),l=i.i32_const(o),r=i.i32_const(o),s=i.i32_const(o+n);a.addCode(i.if(i.call(e+"_isZeroAffine",i.getLocal("pIn")),[...i.call(e+"_zeroAffine",i.getLocal("pOut")),...i.i32_store8(i.getLocal("pOut"),i.i32_const(64)),...i.ret([])]),i.call(e+"_fromMontgomeryAffine",i.getLocal("pIn"),l),i.call(e+"__reverseBytes",r,i.i32_const(n),i.getLocal("pOut")),i.call(e+"__reverseBytes",s,i.i32_const(n),i.i32_add(i.getLocal("pOut"),i.i32_const(n))))}(),function(){const i=t.addFunction(e+"_LEMtoC");i.addParam("pIn","i32"),i.addParam("pOut","i32");const o=i.getCodeBuilder(),l=o.i32_const(t.alloc(n));i.addCode(o.if(o.call(e+"_isZero",o.getLocal("pIn")),[...o.call(a+"_zero",o.getLocal("pOut")),...o.i32_store8(o.getLocal("pOut"),o.i32_const(64)),...o.ret([])]),o.call(a+"_fromMontgomery",o.getLocal("pIn"),l),o.call(e+"__reverseBytes",l,o.i32_const(n),o.getLocal("pOut")),o.if(o.i32_eq(o.call(a+"_sign",o.i32_add(o.getLocal("pIn"),o.i32_const(n))),o.i32_const(-1)),o.i32_store8(o.getLocal("pOut"),o.i32_or(o.i32_load8_u(o.getLocal("pOut")),o.i32_const(128)))))}(),function(){const a=t.addFunction(e+"_UtoLEM");a.addParam("pIn","i32"),a.addParam("pOut","i32");const i=a.getCodeBuilder(),o=t.alloc(2*n),l=i.i32_const(o),r=i.i32_const(o),s=i.i32_const(o+n);a.addCode(i.if(i.i32_and(i.i32_load8_u(i.getLocal("pIn")),i.i32_const(64)),[...i.call(e+"_zeroAffine",i.getLocal("pOut")),...i.ret([])]),i.call(e+"__reverseBytes",i.getLocal("pIn"),i.i32_const(n),r),i.call(e+"__reverseBytes",i.i32_add(i.getLocal("pIn"),i.i32_const(n)),i.i32_const(n),s),i.call(e+"_toMontgomeryAffine",l,i.getLocal("pOut")))}(),function(){const o=t.addFunction(e+"_CtoLEM");o.addParam("pIn","i32"),o.addParam("pOut","i32"),o.addLocal("firstByte","i32"),o.addLocal("greatest","i32");const l=o.getCodeBuilder(),r=t.alloc(2*n),s=l.i32_const(r),c=l.i32_const(r+n);o.addCode(l.setLocal("firstByte",l.i32_load8_u(l.getLocal("pIn"))),l.if(l.i32_and(l.getLocal("firstByte"),l.i32_const(64)),[...l.call(e+"_zeroAffine",l.getLocal("pOut")),...l.ret([])]),l.setLocal("greatest",l.i32_and(l.getLocal("firstByte"),l.i32_const(128))),l.call(a+"_copy",l.getLocal("pIn"),c),l.i32_store8(c,l.i32_and(l.getLocal("firstByte"),l.i32_const(63))),l.call(e+"__reverseBytes",c,l.i32_const(n),s),l.call(a+"_toMontgomery",s,l.getLocal("pOut")),l.call(a+"_square",l.getLocal("pOut"),c),l.call(a+"_mul",l.getLocal("pOut"),c,c),l.call(a+"_add",c,l.i32_const(i),c),l.call(a+"_sqrt",c,c),l.call(a+"_neg",c,s),l.if(l.i32_eq(l.call(a+"_sign",c),l.i32_const(-1)),l.if(l.getLocal("greatest"),l.call(a+"_copy",c,l.i32_add(l.getLocal("pOut"),l.i32_const(n))),l.call(a+"_neg",c,l.i32_add(l.getLocal("pOut"),l.i32_const(n)))),l.if(l.getLocal("greatest"),l.call(a+"_neg",c,l.i32_add(l.getLocal("pOut"),l.i32_const(n))),l.call(a+"_copy",c,l.i32_add(l.getLocal("pOut"),l.i32_const(n))))))}(),Qt(t,e+"_batchLEMtoU",e+"_LEMtoU",2*n,2*n),Qt(t,e+"_batchLEMtoC",e+"_LEMtoC",2*n,n),Qt(t,e+"_batchUtoLEM",e+"_UtoLEM",2*n,2*n),Qt(t,e+"_batchCtoLEM",e+"_CtoLEM",n,2*n,!0),Qt(t,e+"_batchToJacobian",e+"_toJacobian",2*n,3*n,!0),Tt(t,e,e+"_multiexp",e+"_add",3*n),Tt(t,e,e+"_multiexpAffine",e+"_addMixed",2*n),Ut(t,e+"_timesScalar",3*n,e+"_add",e+"_double",e+"_sub",e+"_copy",e+"_zero"),Ut(t,e+"_timesScalarAffine",2*n,e+"_addMixed",e+"_double",e+"_subMixed",e+"_copyAffine",e+"_zero"),t.exportFunction(e+"_isZero"),t.exportFunction(e+"_isZeroAffine"),t.exportFunction(e+"_eq"),t.exportFunction(e+"_eqMixed"),t.exportFunction(e+"_eqAffine"),t.exportFunction(e+"_copy"),t.exportFunction(e+"_copyAffine"),t.exportFunction(e+"_zero"),t.exportFunction(e+"_zeroAffine"),t.exportFunction(e+"_double"),t.exportFunction(e+"_doubleAffine"),t.exportFunction(e+"_add"),t.exportFunction(e+"_addMixed"),t.exportFunction(e+"_addAffine"),t.exportFunction(e+"_neg"),t.exportFunction(e+"_negAffine"),t.exportFunction(e+"_sub"),t.exportFunction(e+"_subMixed"),t.exportFunction(e+"_subAffine"),t.exportFunction(e+"_fromMontgomery"),t.exportFunction(e+"_fromMontgomeryAffine"),t.exportFunction(e+"_toMontgomery"),t.exportFunction(e+"_toMontgomeryAffine"),t.exportFunction(e+"_timesScalar"),t.exportFunction(e+"_timesScalarAffine"),t.exportFunction(e+"_normalize"),t.exportFunction(e+"_LEMtoU"),t.exportFunction(e+"_LEMtoC"),t.exportFunction(e+"_UtoLEM"),t.exportFunction(e+"_CtoLEM"),t.exportFunction(e+"_batchLEMtoU"),t.exportFunction(e+"_batchLEMtoC"),t.exportFunction(e+"_batchUtoLEM"),t.exportFunction(e+"_batchCtoLEM"),t.exportFunction(e+"_toAffine"),t.exportFunction(e+"_toJacobian"),t.exportFunction(e+"_batchToAffine"),t.exportFunction(e+"_batchToJacobian"),t.exportFunction(e+"_inCurve"),t.exportFunction(e+"_inCurveAffine"),e};const{isOdd:Mt,modInv:kt,modPow:Rt}=J,Dt=K;var Nt=function(t,e,a,i,o){const n=8*t.modules[i].n64,l=8*t.modules[a].n64,r=t.modules[i].q;let s=r-1n,c=0;for(;!Mt(s);)c++,s>>=1n;let d=2n;for(;1n===Rt(d,r>>1n,r);)d+=1n;const u=new Array(c+1);u[c]=Rt(d,s,r);let g=c-1;for(;g>=0;)u[g]=Rt(u[g+1],2n,r),g--;const f=[],h=(1n<>a);return e}const F=Array(256);for(let t=0;t<256;t++)F[t]=I(t);const x=t.alloc(F);function E(){const a=t.addFunction(e+"_fft");a.addParam("px","i32"),a.addParam("n","i32"),a.addLocal("bits","i32");const o=a.getCodeBuilder(),l=o.i32_const(t.alloc(n));a.addCode(o.setLocal("bits",o.call(e+"__log2",o.getLocal("n"))),o.call(i+"_one",l),o.call(e+"_rawfft",o.getLocal("px"),o.getLocal("bits"),o.i32_const(0),l))}!function(){const a=t.addFunction(e+"__rev");a.addParam("x","i32"),a.addParam("bits","i32"),a.setReturnType("i32");const i=a.getCodeBuilder();a.addCode(i.i32_rotl(i.i32_add(i.i32_add(i.i32_shl(i.i32_load8_u(i.i32_and(i.getLocal("x"),i.i32_const(255)),x,0),i.i32_const(24)),i.i32_shl(i.i32_load8_u(i.i32_and(i.i32_shr_u(i.getLocal("x"),i.i32_const(8)),i.i32_const(255)),x,0),i.i32_const(16))),i.i32_add(i.i32_shl(i.i32_load8_u(i.i32_and(i.i32_shr_u(i.getLocal("x"),i.i32_const(16)),i.i32_const(255)),x,0),i.i32_const(8)),i.i32_load8_u(i.i32_and(i.i32_shr_u(i.getLocal("x"),i.i32_const(24)),i.i32_const(255)),x,0))),i.getLocal("bits")))}(),function(){const i=t.addFunction(e+"__reversePermutation");i.addParam("px","i32"),i.addParam("bits","i32"),i.addLocal("n","i32"),i.addLocal("i","i32"),i.addLocal("ri","i32"),i.addLocal("idx1","i32"),i.addLocal("idx2","i32");const o=i.getCodeBuilder(),n=o.i32_const(t.alloc(l));i.addCode(o.setLocal("n",o.i32_shl(o.i32_const(1),o.getLocal("bits"))),o.setLocal("i",o.i32_const(0)),o.block(o.loop(o.br_if(1,o.i32_eq(o.getLocal("i"),o.getLocal("n"))),o.setLocal("idx1",o.i32_add(o.getLocal("px"),o.i32_mul(o.getLocal("i"),o.i32_const(l)))),o.setLocal("ri",o.call(e+"__rev",o.getLocal("i"),o.getLocal("bits"))),o.setLocal("idx2",o.i32_add(o.getLocal("px"),o.i32_mul(o.getLocal("ri"),o.i32_const(l)))),o.if(o.i32_lt_u(o.getLocal("i"),o.getLocal("ri")),[...o.call(a+"_copy",o.getLocal("idx1"),n),...o.call(a+"_copy",o.getLocal("idx2"),o.getLocal("idx1")),...o.call(a+"_copy",n,o.getLocal("idx2"))]),o.setLocal("i",o.i32_add(o.getLocal("i"),o.i32_const(1))),o.br(0))))}(),function(){const n=t.addFunction(e+"__fftFinal");n.addParam("px","i32"),n.addParam("bits","i32"),n.addParam("reverse","i32"),n.addParam("mulFactor","i32"),n.addLocal("n","i32"),n.addLocal("ndiv2","i32"),n.addLocal("pInv2","i32"),n.addLocal("i","i32"),n.addLocal("mask","i32"),n.addLocal("idx1","i32"),n.addLocal("idx2","i32");const r=n.getCodeBuilder(),s=r.i32_const(t.alloc(l));n.addCode(r.if(r.i32_and(r.i32_eqz(r.getLocal("reverse")),r.call(i+"_isOne",r.getLocal("mulFactor"))),r.ret([])),r.setLocal("n",r.i32_shl(r.i32_const(1),r.getLocal("bits"))),r.setLocal("mask",r.i32_sub(r.getLocal("n"),r.i32_const(1))),r.setLocal("i",r.i32_const(1)),r.setLocal("ndiv2",r.i32_shr_u(r.getLocal("n"),r.i32_const(1))),r.block(r.loop(r.br_if(1,r.i32_ge_u(r.getLocal("i"),r.getLocal("ndiv2"))),r.setLocal("idx1",r.i32_add(r.getLocal("px"),r.i32_mul(r.getLocal("i"),r.i32_const(l)))),r.setLocal("idx2",r.i32_add(r.getLocal("px"),r.i32_mul(r.i32_sub(r.getLocal("n"),r.getLocal("i")),r.i32_const(l)))),r.if(r.getLocal("reverse"),r.if(r.call(i+"_isOne",r.getLocal("mulFactor")),[...r.call(a+"_copy",r.getLocal("idx1"),s),...r.call(a+"_copy",r.getLocal("idx2"),r.getLocal("idx1")),...r.call(a+"_copy",s,r.getLocal("idx2"))],[...r.call(a+"_copy",r.getLocal("idx1"),s),...r.call(o,r.getLocal("idx2"),r.getLocal("mulFactor"),r.getLocal("idx1")),...r.call(o,s,r.getLocal("mulFactor"),r.getLocal("idx2"))]),r.if(r.call(i+"_isOne",r.getLocal("mulFactor")),[],[...r.call(o,r.getLocal("idx1"),r.getLocal("mulFactor"),r.getLocal("idx1")),...r.call(o,r.getLocal("idx2"),r.getLocal("mulFactor"),r.getLocal("idx2"))])),r.setLocal("i",r.i32_add(r.getLocal("i"),r.i32_const(1))),r.br(0))),r.if(r.call(i+"_isOne",r.getLocal("mulFactor")),[],[...r.call(o,r.getLocal("px"),r.getLocal("mulFactor"),r.getLocal("px")),...r.setLocal("idx2",r.i32_add(r.getLocal("px"),r.i32_mul(r.getLocal("ndiv2"),r.i32_const(l)))),...r.call(o,r.getLocal("idx2"),r.getLocal("mulFactor"),r.getLocal("idx2"))]))}(),function(){const r=t.addFunction(e+"_rawfft");r.addParam("px","i32"),r.addParam("bits","i32"),r.addParam("reverse","i32"),r.addParam("mulFactor","i32"),r.addLocal("s","i32"),r.addLocal("k","i32"),r.addLocal("j","i32"),r.addLocal("m","i32"),r.addLocal("mdiv2","i32"),r.addLocal("n","i32"),r.addLocal("pwm","i32"),r.addLocal("idx1","i32"),r.addLocal("idx2","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(n)),d=s.i32_const(t.alloc(l)),u=s.i32_const(t.alloc(l));r.addCode(s.call(e+"__reversePermutation",s.getLocal("px"),s.getLocal("bits")),s.setLocal("n",s.i32_shl(s.i32_const(1),s.getLocal("bits"))),s.setLocal("s",s.i32_const(1)),s.block(s.loop(s.br_if(1,s.i32_gt_u(s.getLocal("s"),s.getLocal("bits"))),s.setLocal("m",s.i32_shl(s.i32_const(1),s.getLocal("s"))),s.setLocal("pwm",s.i32_add(s.i32_const(_),s.i32_mul(s.getLocal("s"),s.i32_const(n)))),s.setLocal("k",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_ge_u(s.getLocal("k"),s.getLocal("n"))),s.call(i+"_one",c),s.setLocal("mdiv2",s.i32_shr_u(s.getLocal("m"),s.i32_const(1))),s.setLocal("j",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_ge_u(s.getLocal("j"),s.getLocal("mdiv2"))),s.setLocal("idx1",s.i32_add(s.getLocal("px"),s.i32_mul(s.i32_add(s.getLocal("k"),s.getLocal("j")),s.i32_const(l)))),s.setLocal("idx2",s.i32_add(s.getLocal("idx1"),s.i32_mul(s.getLocal("mdiv2"),s.i32_const(l)))),s.call(o,s.getLocal("idx2"),c,d),s.call(a+"_copy",s.getLocal("idx1"),u),s.call(a+"_add",u,d,s.getLocal("idx1")),s.call(a+"_sub",u,d,s.getLocal("idx2")),s.call(i+"_mul",c,s.getLocal("pwm"),c),s.setLocal("j",s.i32_add(s.getLocal("j"),s.i32_const(1))),s.br(0))),s.setLocal("k",s.i32_add(s.getLocal("k"),s.getLocal("m"))),s.br(0))),s.setLocal("s",s.i32_add(s.getLocal("s"),s.i32_const(1))),s.br(0))),s.call(e+"__fftFinal",s.getLocal("px"),s.getLocal("bits"),s.getLocal("reverse"),s.getLocal("mulFactor")))}(),function(){const a=t.addFunction(e+"__log2");a.addParam("n","i32"),a.setReturnType("i32"),a.addLocal("bits","i32"),a.addLocal("aux","i32");const i=a.getCodeBuilder();a.addCode(i.setLocal("aux",i.i32_shr_u(i.getLocal("n"),i.i32_const(1)))),a.addCode(i.setLocal("bits",i.i32_const(0))),a.addCode(i.block(i.loop(i.br_if(1,i.i32_eqz(i.getLocal("aux"))),i.setLocal("aux",i.i32_shr_u(i.getLocal("aux"),i.i32_const(1))),i.setLocal("bits",i.i32_add(i.getLocal("bits"),i.i32_const(1))),i.br(0)))),a.addCode(i.if(i.i32_ne(i.getLocal("n"),i.i32_shl(i.i32_const(1),i.getLocal("bits"))),i.unreachable())),a.addCode(i.if(i.i32_gt_u(i.getLocal("bits"),i.i32_const(c)),i.unreachable())),a.addCode(i.getLocal("bits"))}(),E(),function(){const a=t.addFunction(e+"_ifft");a.addParam("px","i32"),a.addParam("n","i32"),a.addLocal("bits","i32"),a.addLocal("pInv2","i32");const i=a.getCodeBuilder();a.addCode(i.setLocal("bits",i.call(e+"__log2",i.getLocal("n"))),i.setLocal("pInv2",i.i32_add(i.i32_const(w),i.i32_mul(i.getLocal("bits"),i.i32_const(n)))),i.call(e+"_rawfft",i.getLocal("px"),i.getLocal("bits"),i.i32_const(1),i.getLocal("pInv2")))}(),function(){const r=t.addFunction(e+"_fftJoin");r.addParam("pBuff1","i32"),r.addParam("pBuff2","i32"),r.addParam("n","i32"),r.addParam("first","i32"),r.addParam("inc","i32"),r.addLocal("idx1","i32"),r.addLocal("idx2","i32"),r.addLocal("i","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(n)),d=s.i32_const(t.alloc(l)),u=s.i32_const(t.alloc(l));r.addCode(s.call(i+"_copy",s.getLocal("first"),c),s.setLocal("i",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("n"))),s.setLocal("idx1",s.i32_add(s.getLocal("pBuff1"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.setLocal("idx2",s.i32_add(s.getLocal("pBuff2"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.call(o,s.getLocal("idx2"),c,d),s.call(a+"_copy",s.getLocal("idx1"),u),s.call(a+"_add",u,d,s.getLocal("idx1")),s.call(a+"_sub",u,d,s.getLocal("idx2")),s.call(i+"_mul",c,s.getLocal("inc"),c),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0))))}(),function(){const r=t.addFunction(e+"_fftJoinExt");r.addParam("pBuff1","i32"),r.addParam("pBuff2","i32"),r.addParam("n","i32"),r.addParam("first","i32"),r.addParam("inc","i32"),r.addParam("totalBits","i32"),r.addLocal("idx1","i32"),r.addLocal("idx2","i32"),r.addLocal("i","i32"),r.addLocal("pShiftToM","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(n)),d=s.i32_const(t.alloc(l));r.addCode(s.setLocal("pShiftToM",s.i32_add(s.i32_const(y),s.i32_mul(s.getLocal("totalBits"),s.i32_const(n)))),s.call(i+"_copy",s.getLocal("first"),c),s.setLocal("i",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("n"))),s.setLocal("idx1",s.i32_add(s.getLocal("pBuff1"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.setLocal("idx2",s.i32_add(s.getLocal("pBuff2"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.call(a+"_add",s.getLocal("idx1"),s.getLocal("idx2"),d),s.call(o,s.getLocal("idx2"),s.getLocal("pShiftToM"),s.getLocal("idx2")),s.call(a+"_add",s.getLocal("idx1"),s.getLocal("idx2"),s.getLocal("idx2")),s.call(o,s.getLocal("idx2"),c,s.getLocal("idx2")),s.call(a+"_copy",d,s.getLocal("idx1")),s.call(i+"_mul",c,s.getLocal("inc"),c),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0))))}(),function(){const r=t.addFunction(e+"_fftJoinExtInv");r.addParam("pBuff1","i32"),r.addParam("pBuff2","i32"),r.addParam("n","i32"),r.addParam("first","i32"),r.addParam("inc","i32"),r.addParam("totalBits","i32"),r.addLocal("idx1","i32"),r.addLocal("idx2","i32"),r.addLocal("i","i32"),r.addLocal("pShiftToM","i32"),r.addLocal("pSConst","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(n)),d=s.i32_const(t.alloc(l));r.addCode(s.setLocal("pShiftToM",s.i32_add(s.i32_const(y),s.i32_mul(s.getLocal("totalBits"),s.i32_const(n)))),s.setLocal("pSConst",s.i32_add(s.i32_const(C),s.i32_mul(s.getLocal("totalBits"),s.i32_const(n)))),s.call(i+"_copy",s.getLocal("first"),c),s.setLocal("i",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("n"))),s.setLocal("idx1",s.i32_add(s.getLocal("pBuff1"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.setLocal("idx2",s.i32_add(s.getLocal("pBuff2"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.call(o,s.getLocal("idx2"),c,d),s.call(a+"_sub",s.getLocal("idx1"),d,s.getLocal("idx2")),s.call(o,s.getLocal("idx2"),s.getLocal("pSConst"),s.getLocal("idx2")),s.call(o,s.getLocal("idx1"),s.getLocal("pShiftToM"),s.getLocal("idx1")),s.call(a+"_sub",d,s.getLocal("idx1"),s.getLocal("idx1")),s.call(o,s.getLocal("idx1"),s.getLocal("pSConst"),s.getLocal("idx1")),s.call(i+"_mul",c,s.getLocal("inc"),c),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0))))}(),function(){const r=t.addFunction(e+"_fftMix");r.addParam("pBuff","i32"),r.addParam("n","i32"),r.addParam("exp","i32"),r.addLocal("nGroups","i32"),r.addLocal("nPerGroup","i32"),r.addLocal("nPerGroupDiv2","i32"),r.addLocal("pairOffset","i32"),r.addLocal("idx1","i32"),r.addLocal("idx2","i32"),r.addLocal("i","i32"),r.addLocal("j","i32"),r.addLocal("pwm","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(n)),d=s.i32_const(t.alloc(l)),u=s.i32_const(t.alloc(l));r.addCode(s.setLocal("nPerGroup",s.i32_shl(s.i32_const(1),s.getLocal("exp"))),s.setLocal("nPerGroupDiv2",s.i32_shr_u(s.getLocal("nPerGroup"),s.i32_const(1))),s.setLocal("nGroups",s.i32_shr_u(s.getLocal("n"),s.getLocal("exp"))),s.setLocal("pairOffset",s.i32_mul(s.getLocal("nPerGroupDiv2"),s.i32_const(l))),s.setLocal("pwm",s.i32_add(s.i32_const(_),s.i32_mul(s.getLocal("exp"),s.i32_const(n)))),s.setLocal("i",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("nGroups"))),s.call(i+"_one",c),s.setLocal("j",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("j"),s.getLocal("nPerGroupDiv2"))),s.setLocal("idx1",s.i32_add(s.getLocal("pBuff"),s.i32_mul(s.i32_add(s.i32_mul(s.getLocal("i"),s.getLocal("nPerGroup")),s.getLocal("j")),s.i32_const(l)))),s.setLocal("idx2",s.i32_add(s.getLocal("idx1"),s.getLocal("pairOffset"))),s.call(o,s.getLocal("idx2"),c,d),s.call(a+"_copy",s.getLocal("idx1"),u),s.call(a+"_add",u,d,s.getLocal("idx1")),s.call(a+"_sub",u,d,s.getLocal("idx2")),s.call(i+"_mul",c,s.getLocal("pwm"),c),s.setLocal("j",s.i32_add(s.getLocal("j"),s.i32_const(1))),s.br(0))),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0))))}(),function(){const i=t.addFunction(e+"_fftFinal");i.addParam("pBuff","i32"),i.addParam("n","i32"),i.addParam("factor","i32"),i.addLocal("idx1","i32"),i.addLocal("idx2","i32"),i.addLocal("i","i32"),i.addLocal("ndiv2","i32");const n=i.getCodeBuilder(),r=n.i32_const(t.alloc(l));i.addCode(n.setLocal("ndiv2",n.i32_shr_u(n.getLocal("n"),n.i32_const(1))),n.if(n.i32_and(n.getLocal("n"),n.i32_const(1)),n.call(o,n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.getLocal("ndiv2"),n.i32_const(l))),n.getLocal("factor"),n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.getLocal("ndiv2"),n.i32_const(l))))),n.setLocal("i",n.i32_const(0)),n.block(n.loop(n.br_if(1,n.i32_ge_u(n.getLocal("i"),n.getLocal("ndiv2"))),n.setLocal("idx1",n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.getLocal("i"),n.i32_const(l)))),n.setLocal("idx2",n.i32_add(n.getLocal("pBuff"),n.i32_mul(n.i32_sub(n.i32_sub(n.getLocal("n"),n.i32_const(1)),n.getLocal("i")),n.i32_const(l)))),n.call(o,n.getLocal("idx2"),n.getLocal("factor"),r),n.call(o,n.getLocal("idx1"),n.getLocal("factor"),n.getLocal("idx2")),n.call(a+"_copy",r,n.getLocal("idx1")),n.setLocal("i",n.i32_add(n.getLocal("i"),n.i32_const(1))),n.br(0))))}(),function(){const r=t.addFunction(e+"_prepareLagrangeEvaluation");r.addParam("pBuff1","i32"),r.addParam("pBuff2","i32"),r.addParam("n","i32"),r.addParam("first","i32"),r.addParam("inc","i32"),r.addParam("totalBits","i32"),r.addLocal("idx1","i32"),r.addLocal("idx2","i32"),r.addLocal("i","i32"),r.addLocal("pShiftToM","i32"),r.addLocal("pSConst","i32");const s=r.getCodeBuilder(),c=s.i32_const(t.alloc(n)),d=s.i32_const(t.alloc(l));r.addCode(s.setLocal("pShiftToM",s.i32_add(s.i32_const(y),s.i32_mul(s.getLocal("totalBits"),s.i32_const(n)))),s.setLocal("pSConst",s.i32_add(s.i32_const(C),s.i32_mul(s.getLocal("totalBits"),s.i32_const(n)))),s.call(i+"_copy",s.getLocal("first"),c),s.setLocal("i",s.i32_const(0)),s.block(s.loop(s.br_if(1,s.i32_eq(s.getLocal("i"),s.getLocal("n"))),s.setLocal("idx1",s.i32_add(s.getLocal("pBuff1"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.setLocal("idx2",s.i32_add(s.getLocal("pBuff2"),s.i32_mul(s.getLocal("i"),s.i32_const(l)))),s.call(o,s.getLocal("idx1"),s.getLocal("pShiftToM"),d),s.call(a+"_sub",s.getLocal("idx2"),d,d),s.call(a+"_sub",s.getLocal("idx1"),s.getLocal("idx2"),s.getLocal("idx2")),s.call(o,d,s.getLocal("pSConst"),s.getLocal("idx1")),s.call(o,s.getLocal("idx2"),c,s.getLocal("idx2")),s.call(i+"_mul",c,s.getLocal("inc"),c),s.setLocal("i",s.i32_add(s.getLocal("i"),s.i32_const(1))),s.br(0))))}(),t.exportFunction(e+"_fft"),t.exportFunction(e+"_ifft"),t.exportFunction(e+"_rawfft"),t.exportFunction(e+"_fftJoin"),t.exportFunction(e+"_fftJoinExt"),t.exportFunction(e+"_fftJoinExtInv"),t.exportFunction(e+"_fftMix"),t.exportFunction(e+"_fftFinal"),t.exportFunction(e+"_prepareLagrangeEvaluation")},Vt=function(t,e,a){const i=8*t.modules[a].n64;return function(){const o=t.addFunction(e+"_zero");o.addParam("px","i32"),o.addParam("n","i32"),o.addLocal("lastp","i32"),o.addLocal("p","i32");const n=o.getCodeBuilder();o.addCode(n.setLocal("p",n.getLocal("px")),n.setLocal("lastp",n.i32_add(n.getLocal("px"),n.i32_mul(n.getLocal("n"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("p"),n.getLocal("lastp"))),n.call(a+"_zero",n.getLocal("p")),n.setLocal("p",n.i32_add(n.getLocal("p"),n.i32_const(i))),n.br(0))))}(),function(){const o=t.addFunction(e+"_constructLC");o.addParam("ppolynomials","i32"),o.addParam("psignals","i32"),o.addParam("nSignals","i32"),o.addParam("pres","i32"),o.addLocal("i","i32"),o.addLocal("j","i32"),o.addLocal("pp","i32"),o.addLocal("ps","i32"),o.addLocal("pd","i32"),o.addLocal("ncoefs","i32");const n=o.getCodeBuilder(),l=n.i32_const(t.alloc(i));o.addCode(n.setLocal("i",n.i32_const(0)),n.setLocal("pp",n.getLocal("ppolynomials")),n.setLocal("ps",n.getLocal("psignals")),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("i"),n.getLocal("nSignals"))),n.setLocal("ncoefs",n.i32_load(n.getLocal("pp"))),n.setLocal("pp",n.i32_add(n.getLocal("pp"),n.i32_const(4))),n.setLocal("j",n.i32_const(0)),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("j"),n.getLocal("ncoefs"))),n.setLocal("pd",n.i32_add(n.getLocal("pres"),n.i32_mul(n.i32_load(n.getLocal("pp")),n.i32_const(i)))),n.setLocal("pp",n.i32_add(n.getLocal("pp"),n.i32_const(4))),n.call(a+"_mul",n.getLocal("ps"),n.getLocal("pp"),l),n.call(a+"_add",l,n.getLocal("pd"),n.getLocal("pd")),n.setLocal("pp",n.i32_add(n.getLocal("pp"),n.i32_const(i))),n.setLocal("j",n.i32_add(n.getLocal("j"),n.i32_const(1))),n.br(0))),n.setLocal("ps",n.i32_add(n.getLocal("ps"),n.i32_const(i))),n.setLocal("i",n.i32_add(n.getLocal("i"),n.i32_const(1))),n.br(0))))}(),t.exportFunction(e+"_zero"),t.exportFunction(e+"_constructLC"),e},$t=function(t,e,a){const i=8*t.modules[a].n64;return function(){const o=t.addFunction(e+"_buildABC");o.addParam("pCoefs","i32"),o.addParam("nCoefs","i32"),o.addParam("pWitness","i32"),o.addParam("pA","i32"),o.addParam("pB","i32"),o.addParam("pC","i32"),o.addParam("offsetOut","i32"),o.addParam("nOut","i32"),o.addParam("offsetWitness","i32"),o.addParam("nWitness","i32"),o.addLocal("it","i32"),o.addLocal("ita","i32"),o.addLocal("itb","i32"),o.addLocal("last","i32"),o.addLocal("m","i32"),o.addLocal("c","i32"),o.addLocal("s","i32"),o.addLocal("pOut","i32");const n=o.getCodeBuilder(),l=n.i32_const(t.alloc(i));o.addCode(n.setLocal("ita",n.getLocal("pA")),n.setLocal("itb",n.getLocal("pB")),n.setLocal("last",n.i32_add(n.getLocal("pA"),n.i32_mul(n.getLocal("nOut"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_zero",n.getLocal("ita")),n.call(a+"_zero",n.getLocal("itb")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.br(0))),n.setLocal("it",n.getLocal("pCoefs")),n.setLocal("last",n.i32_add(n.getLocal("pCoefs"),n.i32_mul(n.getLocal("nCoefs"),n.i32_const(i+12)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("it"),n.getLocal("last"))),n.setLocal("s",n.i32_load(n.getLocal("it"),8)),n.if(n.i32_or(n.i32_lt_u(n.getLocal("s"),n.getLocal("offsetWitness")),n.i32_ge_u(n.getLocal("s"),n.i32_add(n.getLocal("offsetWitness"),n.getLocal("nWitness")))),[...n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),...n.br(1)]),n.setLocal("m",n.i32_load(n.getLocal("it"))),n.if(n.i32_eq(n.getLocal("m"),n.i32_const(0)),n.setLocal("pOut",n.getLocal("pA")),n.if(n.i32_eq(n.getLocal("m"),n.i32_const(1)),n.setLocal("pOut",n.getLocal("pB")),[...n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),...n.br(1)])),n.setLocal("c",n.i32_load(n.getLocal("it"),4)),n.if(n.i32_or(n.i32_lt_u(n.getLocal("c"),n.getLocal("offsetOut")),n.i32_ge_u(n.getLocal("c"),n.i32_add(n.getLocal("offsetOut"),n.getLocal("nOut")))),[...n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),...n.br(1)]),n.setLocal("pOut",n.i32_add(n.getLocal("pOut"),n.i32_mul(n.i32_sub(n.getLocal("c"),n.getLocal("offsetOut")),n.i32_const(i)))),n.call(a+"_mul",n.i32_add(n.getLocal("pWitness"),n.i32_mul(n.i32_sub(n.getLocal("s"),n.getLocal("offsetWitness")),n.i32_const(i))),n.i32_add(n.getLocal("it"),n.i32_const(12)),l),n.call(a+"_add",n.getLocal("pOut"),l,n.getLocal("pOut")),n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i+12))),n.br(0))),n.setLocal("ita",n.getLocal("pA")),n.setLocal("itb",n.getLocal("pB")),n.setLocal("it",n.getLocal("pC")),n.setLocal("last",n.i32_add(n.getLocal("pA"),n.i32_mul(n.getLocal("nOut"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_mul",n.getLocal("ita"),n.getLocal("itb"),n.getLocal("it")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.setLocal("it",n.i32_add(n.getLocal("it"),n.i32_const(i))),n.br(0))))}(),function(){const o=t.addFunction(e+"_joinABC");o.addParam("pA","i32"),o.addParam("pB","i32"),o.addParam("pC","i32"),o.addParam("n","i32"),o.addParam("pP","i32"),o.addLocal("ita","i32"),o.addLocal("itb","i32"),o.addLocal("itc","i32"),o.addLocal("itp","i32"),o.addLocal("last","i32");const n=o.getCodeBuilder(),l=n.i32_const(t.alloc(i));o.addCode(n.setLocal("ita",n.getLocal("pA")),n.setLocal("itb",n.getLocal("pB")),n.setLocal("itc",n.getLocal("pC")),n.setLocal("itp",n.getLocal("pP")),n.setLocal("last",n.i32_add(n.getLocal("pA"),n.i32_mul(n.getLocal("n"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_mul",n.getLocal("ita"),n.getLocal("itb"),l),n.call(a+"_sub",l,n.getLocal("itc"),n.getLocal("itp")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.setLocal("itc",n.i32_add(n.getLocal("itc"),n.i32_const(i))),n.setLocal("itp",n.i32_add(n.getLocal("itp"),n.i32_const(i))),n.br(0))))}(),function(){const o=t.addFunction(e+"_batchAdd");o.addParam("pa","i32"),o.addParam("pb","i32"),o.addParam("n","i32"),o.addParam("pr","i32"),o.addLocal("ita","i32"),o.addLocal("itb","i32"),o.addLocal("itr","i32"),o.addLocal("last","i32");const n=o.getCodeBuilder();o.addCode(n.setLocal("ita",n.getLocal("pa")),n.setLocal("itb",n.getLocal("pb")),n.setLocal("itr",n.getLocal("pr")),n.setLocal("last",n.i32_add(n.getLocal("pa"),n.i32_mul(n.getLocal("n"),n.i32_const(i)))),n.block(n.loop(n.br_if(1,n.i32_eq(n.getLocal("ita"),n.getLocal("last"))),n.call(a+"_add",n.getLocal("ita"),n.getLocal("itb"),n.getLocal("itr")),n.setLocal("ita",n.i32_add(n.getLocal("ita"),n.i32_const(i))),n.setLocal("itb",n.i32_add(n.getLocal("itb"),n.i32_const(i))),n.setLocal("itr",n.i32_add(n.getLocal("itr"),n.i32_const(i))),n.br(0))))}(),t.exportFunction(e+"_buildABC"),t.exportFunction(e+"_joinABC"),t.exportFunction(e+"_batchAdd"),e},jt=function(t,e,a,i,o,n,l,r){const s=t.addFunction(e);s.addParam("pIn","i32"),s.addParam("n","i32"),s.addParam("pFirst","i32"),s.addParam("pInc","i32"),s.addParam("pOut","i32"),s.addLocal("pOldFree","i32"),s.addLocal("i","i32"),s.addLocal("pFrom","i32"),s.addLocal("pTo","i32");const c=s.getCodeBuilder(),d=c.i32_const(t.alloc(l));s.addCode(c.setLocal("pFrom",c.getLocal("pIn")),c.setLocal("pTo",c.getLocal("pOut"))),s.addCode(c.call(i+"_copy",c.getLocal("pFirst"),d)),s.addCode(c.setLocal("i",c.i32_const(0)),c.block(c.loop(c.br_if(1,c.i32_eq(c.getLocal("i"),c.getLocal("n"))),c.call(r,c.getLocal("pFrom"),d,c.getLocal("pTo")),c.setLocal("pFrom",c.i32_add(c.getLocal("pFrom"),c.i32_const(o))),c.setLocal("pTo",c.i32_add(c.getLocal("pTo"),c.i32_const(n))),c.call(i+"_mul",d,c.getLocal("pInc"),d),c.setLocal("i",c.i32_add(c.getLocal("i"),c.i32_const(1))),c.br(0)))),t.exportFunction(e)};const Kt=K,Ht=It,Zt=Et,Wt=Pt,Yt=Ot,Jt=qt,Xt=Nt,te=Vt,ee=$t,ae=jt,{bitLength:ie,modInv:oe,isOdd:ne,isNegative:le}=J;const re=K,se=It,ce=Et,de=Pt,ue=Ot,ge=qt,fe=Nt,he=Vt,_e=$t,pe=jt,{bitLength:me,isOdd:we,isNegative:Le}=J;var be=function(t,e){const a=e||"bn128";if(t.modules[a])return a;const i=21888242871839275222246405745257275088696311157297823662689037894645226208583n,o=21888242871839275222246405745257275088548364400416034343698204186575808495617n,n=Math.floor((ie(i-1n)-1)/64)+1,l=8*n,r=l,s=l,c=2*s,d=12*s,u=t.alloc(Kt.bigInt2BytesLE(o,r)),g=Ht(t,i,"f1m");Zt(t,o,"fr","frm");const f=t.alloc(Kt.bigInt2BytesLE(L(3n),s)),h=Jt(t,"g1m","f1m",f);Xt(t,"frm","frm","frm","frm_mul"),te(t,"pol","frm"),ee(t,"qap","frm");const _=Wt(t,"f1m_neg","f2m","f1m"),p=t.alloc([...Kt.bigInt2BytesLE(L(19485874751759354771024239261021720505790618469301721065564631296452457478373n),s),...Kt.bigInt2BytesLE(L(266929791119991161246907387137283842545076965332900288569378510910307636690n),s)]),m=Jt(t,"g2m","f2m",p);function w(e,a){const i=t.addFunction(e);i.addParam("pG","i32"),i.addParam("pFr","i32"),i.addParam("pr","i32");const o=i.getCodeBuilder(),n=o.i32_const(t.alloc(l));i.addCode(o.call("frm_fromMontgomery",o.getLocal("pFr"),n),o.call(a,o.getLocal("pG"),n,o.i32_const(l),o.getLocal("pr"))),t.exportFunction(e)}function L(t){return BigInt(t)*(1n<0n;)ne(e)?a.push(1):a.push(0),e>>=1n;return a}(29793968203157093288n),Q=t.alloc(U),T=3*c,q=U.length-1,M=U.reduce(((t,e)=>t+(0!=e?1:0)),0),k=6*l,R=3*l*2+(M+q+1)*T;t.modules[a]={n64:n,pG1gen:A,pG1zero:C,pG1b:f,pG2gen:F,pG2zero:E,pG2b:p,pq:t.modules.f1m.pq,pr:u,pOneT:v,prePSize:k,preQSize:R,r:o.toString(),q:i.toString()};const D=4965661367192848881n;function N(e){const o=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[8376118865763821496583973867626364092589906065868298776909617916018768340080n,16469823323077808223889137241176536799009286646108169935659301613961712198316n],[21888242871839275220042445260109153167277707414472061641714758635765020556617n,0n],[11697423496358154304825782922584725312912383441159505038794027105778954184319n,303847389135065887422783454877609941456349188919719272345083954437860409601n],[21888242871839275220042445260109153167277707414472061641714758635765020556616n,0n],[3321304630594332808241809054958361220322477375291206261884409189760185844239n,5722266937896532885780051958958348231143373700109372999374820235121374419868n],[21888242871839275222246405745257275088696311157297823662689037894645226208582n,0n],[13512124006075453725662431877630910996106405091429524885779419978626457868503n,5418419548761466998357268504080738289687024511189653727029736280683514010267n],[2203960485148121921418603742825762020974279258880205651966n,0n],[10190819375481120917420622822672549775783927716138318623895010788866272024264n,21584395482704209334823622290379665147239961968378104390343953940207365798982n],[2203960485148121921418603742825762020974279258880205651967n,0n],[18566938241244942414004596690298913868373833782006617400804628704885040364344n,16165975933942742336466353786298926857552937457188450663314217659523851788715n]]],n=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[21575463638280843010398324269430826099269044274347216827212613867836435027261n,10307601595873709700152284273816112264069230130616436755625194854815875713954n],[21888242871839275220042445260109153167277707414472061641714758635765020556616n,0n],[3772000881919853776433695186713858239009073593817195771773381919316419345261n,2236595495967245188281701248203181795121068902605861227855261137820944008926n],[2203960485148121921418603742825762020974279258880205651966n,0n],[18429021223477853657660792034369865839114504446431234726392080002137598044644n,9344045779998320333812420223237981029506012124075525679208581902008406485703n]],[[1n,0n],[2581911344467009335267311115468803099551665605076196740867805258568234346338n,19937756971775647987995932169929341994314640652964949448313374472400716661030n],[2203960485148121921418603742825762020974279258880205651966n,0n],[5324479202449903542726783395506214481928257762400643279780343368557297135718n,16208900380737693084919495127334387981393726419856888799917914180988844123039n],[21888242871839275220042445260109153167277707414472061641714758635765020556616n,0n],[13981852324922362344252311234282257507216387789820983642040889267519694726527n,7629828391165209371577384193250820201684255241773809077146787135900891633097n]]],l=t.addFunction(a+"__frobeniusMap"+e);l.addParam("x","i32"),l.addParam("r","i32");const r=l.getCodeBuilder();for(let a=0;a<6;a++){const i=0==a?r.getLocal("x"):r.i32_add(r.getLocal("x"),r.i32_const(a*c)),u=i,f=r.i32_add(r.getLocal("x"),r.i32_const(a*c+s)),h=0==a?r.getLocal("r"):r.i32_add(r.getLocal("r"),r.i32_const(a*c)),p=h,m=r.i32_add(r.getLocal("r"),r.i32_const(a*c+s)),w=d(o[Math.floor(a/3)][e%12],n[a%3][e%6]),b=t.alloc([...Kt.bigInt2BytesLE(L(w[0]),32),...Kt.bigInt2BytesLE(L(w[1]),32)]);e%2==1?l.addCode(r.call(g+"_copy",u,p),r.call(g+"_neg",f,m),r.call(_+"_mul",h,r.i32_const(b),h)):l.addCode(r.call(_+"_mul",i,r.i32_const(b),h))}function d(t,e){const a=BigInt(t[0]),o=BigInt(t[1]),n=BigInt(e[0]),l=BigInt(e[1]),r=[(a*n-o*l)%i,(a*l+o*n)%i];return le(r[0])&&(r[0]=r[0]+i),r}}function V(e,i){const o=function(t){let e=t;const a=[];for(;e>0n;){if(ne(e)){const t=2-Number(e%4n);a.push(t),e-=BigInt(t)}else a.push(0);e>>=1n}return a}(e).map((t=>-1==t?255:t)),n=t.alloc(o),l=t.addFunction(a+"__cyclotomicExp_"+i);l.addParam("x","i32"),l.addParam("r","i32"),l.addLocal("bit","i32"),l.addLocal("i","i32");const r=l.getCodeBuilder(),s=r.getLocal("x"),c=r.getLocal("r"),u=r.i32_const(t.alloc(d));l.addCode(r.call(O+"_conjugate",s,u),r.call(O+"_one",c),r.if(r.teeLocal("bit",r.i32_load8_s(r.i32_const(o.length-1),n)),r.if(r.i32_eq(r.getLocal("bit"),r.i32_const(1)),r.call(O+"_mul",c,s,c),r.call(O+"_mul",c,u,c))),r.setLocal("i",r.i32_const(o.length-2)),r.block(r.loop(r.call(a+"__cyclotomicSquare",c,c),r.if(r.teeLocal("bit",r.i32_load8_s(r.getLocal("i"),n)),r.if(r.i32_eq(r.getLocal("bit"),r.i32_const(1)),r.call(O+"_mul",c,s,c),r.call(O+"_mul",c,u,c))),r.br_if(1,r.i32_eqz(r.getLocal("i"))),r.setLocal("i",r.i32_sub(r.getLocal("i"),r.i32_const(1))),r.br(0))))}function $(){!function(){const e=t.addFunction(a+"__cyclotomicSquare");e.addParam("x","i32"),e.addParam("r","i32");const i=e.getCodeBuilder(),o=i.getLocal("x"),n=i.i32_add(i.getLocal("x"),i.i32_const(c)),l=i.i32_add(i.getLocal("x"),i.i32_const(2*c)),r=i.i32_add(i.getLocal("x"),i.i32_const(3*c)),s=i.i32_add(i.getLocal("x"),i.i32_const(4*c)),d=i.i32_add(i.getLocal("x"),i.i32_const(5*c)),u=i.getLocal("r"),g=i.i32_add(i.getLocal("r"),i.i32_const(c)),f=i.i32_add(i.getLocal("r"),i.i32_const(2*c)),h=i.i32_add(i.getLocal("r"),i.i32_const(3*c)),p=i.i32_add(i.getLocal("r"),i.i32_const(4*c)),m=i.i32_add(i.getLocal("r"),i.i32_const(5*c)),w=i.i32_const(t.alloc(c)),L=i.i32_const(t.alloc(c)),b=i.i32_const(t.alloc(c)),A=i.i32_const(t.alloc(c)),y=i.i32_const(t.alloc(c)),C=i.i32_const(t.alloc(c)),I=i.i32_const(t.alloc(c)),F=i.i32_const(t.alloc(c));e.addCode(i.call(_+"_mul",o,s,I),i.call(_+"_mul",s,i.i32_const(B),w),i.call(_+"_add",o,w,w),i.call(_+"_add",o,s,F),i.call(_+"_mul",F,w,w),i.call(_+"_mul",i.i32_const(B),I,F),i.call(_+"_add",I,F,F),i.call(_+"_sub",w,F,w),i.call(_+"_add",I,I,L),i.call(_+"_mul",r,l,I),i.call(_+"_mul",l,i.i32_const(B),b),i.call(_+"_add",r,b,b),i.call(_+"_add",r,l,F),i.call(_+"_mul",F,b,b),i.call(_+"_mul",i.i32_const(B),I,F),i.call(_+"_add",I,F,F),i.call(_+"_sub",b,F,b),i.call(_+"_add",I,I,A),i.call(_+"_mul",n,d,I),i.call(_+"_mul",d,i.i32_const(B),y),i.call(_+"_add",n,y,y),i.call(_+"_add",n,d,F),i.call(_+"_mul",F,y,y),i.call(_+"_mul",i.i32_const(B),I,F),i.call(_+"_add",I,F,F),i.call(_+"_sub",y,F,y),i.call(_+"_add",I,I,C),i.call(_+"_sub",w,o,u),i.call(_+"_add",u,u,u),i.call(_+"_add",w,u,u),i.call(_+"_add",L,s,p),i.call(_+"_add",p,p,p),i.call(_+"_add",L,p,p),i.call(_+"_mul",C,i.i32_const(P),F),i.call(_+"_add",F,r,h),i.call(_+"_add",h,h,h),i.call(_+"_add",F,h,h),i.call(_+"_sub",y,l,f),i.call(_+"_add",f,f,f),i.call(_+"_add",y,f,f),i.call(_+"_sub",b,n,g),i.call(_+"_add",g,g,g),i.call(_+"_add",b,g,g),i.call(_+"_add",A,d,m),i.call(_+"_add",m,m,m),i.call(_+"_add",A,m,m))}(),V(D,"w0");const e=t.addFunction(a+"__finalExponentiationLastChunk");e.addParam("x","i32"),e.addParam("r","i32");const i=e.getCodeBuilder(),o=i.getLocal("x"),n=i.getLocal("r"),l=i.i32_const(t.alloc(d)),r=i.i32_const(t.alloc(d)),s=i.i32_const(t.alloc(d)),u=i.i32_const(t.alloc(d)),g=i.i32_const(t.alloc(d)),f=i.i32_const(t.alloc(d)),h=i.i32_const(t.alloc(d)),p=i.i32_const(t.alloc(d)),m=i.i32_const(t.alloc(d)),w=i.i32_const(t.alloc(d)),L=i.i32_const(t.alloc(d)),b=i.i32_const(t.alloc(d)),A=i.i32_const(t.alloc(d)),y=i.i32_const(t.alloc(d)),C=i.i32_const(t.alloc(d)),I=i.i32_const(t.alloc(d)),F=i.i32_const(t.alloc(d)),x=i.i32_const(t.alloc(d)),E=i.i32_const(t.alloc(d)),v=i.i32_const(t.alloc(d)),S=i.i32_const(t.alloc(d));e.addCode(i.call(a+"__cyclotomicExp_w0",o,l),i.call(O+"_conjugate",l,l),i.call(a+"__cyclotomicSquare",l,r),i.call(a+"__cyclotomicSquare",r,s),i.call(O+"_mul",s,r,u),i.call(a+"__cyclotomicExp_w0",u,g),i.call(O+"_conjugate",g,g),i.call(a+"__cyclotomicSquare",g,f),i.call(a+"__cyclotomicExp_w0",f,h),i.call(O+"_conjugate",h,h),i.call(O+"_conjugate",u,p),i.call(O+"_conjugate",h,m),i.call(O+"_mul",m,g,w),i.call(O+"_mul",w,p,L),i.call(O+"_mul",L,r,b),i.call(O+"_mul",L,g,A),i.call(O+"_mul",A,o,y),i.call(a+"__frobeniusMap1",b,C),i.call(O+"_mul",C,y,I),i.call(a+"__frobeniusMap2",L,F),i.call(O+"_mul",F,I,x),i.call(O+"_conjugate",o,E),i.call(O+"_mul",E,b,v),i.call(a+"__frobeniusMap3",v,S),i.call(O+"_mul",S,x,n))}const j=t.alloc(k),K=t.alloc(R);function H(e){const i=t.addFunction(a+"_pairingEq"+e);for(let t=0;t0n;)we(e)?a.push(1):a.push(0),e>>=1n;return a}(0xd201000000010000n),U=t.alloc(O),Q=3*s,T=O.length-1,q=O.reduce(((t,e)=>t+(0!=e?1:0)),0),M=6*l,k=3*l*2+(q+T+1)*Q,R=!0,D=15132376222941642752n;function N(e){const a=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[3850754370037169011952147076051364057158807420970682438676050522613628423219637725072182697113062777891589506424760n,151655185184498381465642749684540099398075398968325446656007613510403227271200139370504932015952886146304766135027n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620351n,0n],[2973677408986561043442465346520108879172042883009249989176415018091420807192182638567116318576472649347015917690530n,1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n,0n],[3125332594171059424908108096204648978570118281977575435832422631601824034463382777937621250592425535493320683825557n,877076961050607968509681729531255177986764537961432449499635504522207616027455086505066378536590128544573588734230n],[4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559786n,0n],[151655185184498381465642749684540099398075398968325446656007613510403227271200139370504932015952886146304766135027n,3850754370037169011952147076051364057158807420970682438676050522613628423219637725072182697113062777891589506424760n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n,0n],[1028732146235106349975324479215795277384839936929757896155643118032610843298655225875571310552543014690878354869257n,2973677408986561043442465346520108879172042883009249989176415018091420807192182638567116318576472649347015917690530n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437n,0n],[877076961050607968509681729531255177986764537961432449499635504522207616027455086505066378536590128544573588734230n,3125332594171059424908108096204648978570118281977575435832422631601824034463382777937621250592425535493320683825557n]]],o=[[[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n],[1n,0n]],[[1n,0n],[0n,4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n,0n],[0n,1n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n,0n],[0n,793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n]],[[1n,0n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939437n,0n],[4002409555221667392624310435006688643935503118305586438271171395842971157480381377015405980053539358417135540939436n,0n],[4002409555221667393417789825735904156556882819939007885332058136124031650490837864442687629129015664037894272559786n,0n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620350n,0n],[793479390729215512621379701633421447060886740281060493010456487427281649075476305620758731620351n,0n]]],n=t.addFunction(z+"_frobeniusMap"+e);n.addParam("x","i32"),n.addParam("r","i32");const c=n.getCodeBuilder();for(let i=0;i<6;i++){const u=0==i?c.getLocal("x"):c.i32_add(c.getLocal("x"),c.i32_const(i*s)),g=u,f=c.i32_add(c.getLocal("x"),c.i32_const(i*s+r)),_=0==i?c.getLocal("r"):c.i32_add(c.getLocal("r"),c.i32_const(i*s)),p=_,w=c.i32_add(c.getLocal("r"),c.i32_const(i*s+r)),L=d(a[Math.floor(i/3)][e%12],o[i%3][e%6]),b=t.alloc([...re.bigInt2BytesLE(A(L[0]),l),...re.bigInt2BytesLE(A(L[1]),l)]);e%2==1?n.addCode(c.call(h+"_copy",g,p),c.call(h+"_neg",f,w),c.call(m+"_mul",_,c.i32_const(b),_)):n.addCode(c.call(m+"_mul",u,c.i32_const(b),_))}function d(t,e){const a=t[0],o=t[1],n=e[0],l=e[1],r=[(a*n-o*l)%i,(a*l+o*n)%i];return Le(r[0])&&(r[0]=r[0]+i),r}}function V(e,i,o){const n=function(t){let e=t;const a=[];for(;e>0n;){if(we(e)){const t=2-Number(e%4n);a.push(t),e-=BigInt(t)}else a.push(0);e>>=1n}return a}(e).map((t=>-1==t?255:t)),l=t.alloc(n),r=t.addFunction(a+"__cyclotomicExp_"+o);r.addParam("x","i32"),r.addParam("r","i32"),r.addLocal("bit","i32"),r.addLocal("i","i32");const s=r.getCodeBuilder(),d=s.getLocal("x"),u=s.getLocal("r"),g=s.i32_const(t.alloc(c));r.addCode(s.call(z+"_conjugate",d,g),s.call(z+"_one",u),s.if(s.teeLocal("bit",s.i32_load8_s(s.i32_const(n.length-1),l)),s.if(s.i32_eq(s.getLocal("bit"),s.i32_const(1)),s.call(z+"_mul",u,d,u),s.call(z+"_mul",u,g,u))),s.setLocal("i",s.i32_const(n.length-2)),s.block(s.loop(s.call(a+"__cyclotomicSquare",u,u),s.if(s.teeLocal("bit",s.i32_load8_s(s.getLocal("i"),l)),s.if(s.i32_eq(s.getLocal("bit"),s.i32_const(1)),s.call(z+"_mul",u,d,u),s.call(z+"_mul",u,g,u))),s.br_if(1,s.i32_eqz(s.getLocal("i"))),s.setLocal("i",s.i32_sub(s.getLocal("i"),s.i32_const(1))),s.br(0)))),i&&r.addCode(s.call(z+"_conjugate",u,u))}t.modules[a]={n64q:n,n64r:d,n8q:l,n8r:u,pG1gen:C,pG1zero:F,pG1b:_,pG2gen:E,pG2zero:B,pG2b:w,pq:t.modules.f1m.pq,pr:f,pOneT:S,r:o,q:i,prePSize:M,preQSize:k},function(){const e=t.addFunction(G+"_mul1");e.addParam("pA","i32"),e.addParam("pC1","i32"),e.addParam("pR","i32");const a=e.getCodeBuilder(),i=a.getLocal("pA"),o=a.i32_add(a.getLocal("pA"),a.i32_const(2*r)),n=a.i32_add(a.getLocal("pA"),a.i32_const(4*r)),l=a.getLocal("pC1"),s=a.getLocal("pR"),c=a.i32_add(a.getLocal("pR"),a.i32_const(2*r)),d=a.i32_add(a.getLocal("pR"),a.i32_const(4*r)),u=a.i32_const(t.alloc(2*r)),g=a.i32_const(t.alloc(2*r));e.addCode(a.call(m+"_add",i,o,u),a.call(m+"_add",o,n,g),a.call(m+"_mul",o,l,d),a.call(m+"_mul",g,l,s),a.call(m+"_sub",s,d,s),a.call(m+"_mulNR",s,s),a.call(m+"_mul",u,l,c),a.call(m+"_sub",c,d,c))}(),function(){const e=t.addFunction(G+"_mul01");e.addParam("pA","i32"),e.addParam("pC0","i32"),e.addParam("pC1","i32"),e.addParam("pR","i32");const a=e.getCodeBuilder(),i=a.getLocal("pA"),o=a.i32_add(a.getLocal("pA"),a.i32_const(2*r)),n=a.i32_add(a.getLocal("pA"),a.i32_const(4*r)),l=a.getLocal("pC0"),s=a.getLocal("pC1"),c=a.getLocal("pR"),d=a.i32_add(a.getLocal("pR"),a.i32_const(2*r)),u=a.i32_add(a.getLocal("pR"),a.i32_const(4*r)),g=a.i32_const(t.alloc(2*r)),f=a.i32_const(t.alloc(2*r)),h=a.i32_const(t.alloc(2*r)),_=a.i32_const(t.alloc(2*r));e.addCode(a.call(m+"_mul",i,l,g),a.call(m+"_mul",o,s,f),a.call(m+"_add",i,o,h),a.call(m+"_add",i,n,_),a.call(m+"_add",o,n,c),a.call(m+"_mul",c,s,c),a.call(m+"_sub",c,f,c),a.call(m+"_mulNR",c,c),a.call(m+"_add",c,g,c),a.call(m+"_add",l,s,d),a.call(m+"_mul",d,h,d),a.call(m+"_sub",d,g,d),a.call(m+"_sub",d,f,d),a.call(m+"_mul",_,l,u),a.call(m+"_sub",u,g,u),a.call(m+"_add",u,f,u))}(),function(){const e=t.addFunction(z+"_mul014");e.addParam("pA","i32"),e.addParam("pC0","i32"),e.addParam("pC1","i32"),e.addParam("pC4","i32"),e.addParam("pR","i32");const a=e.getCodeBuilder(),i=a.getLocal("pA"),o=a.i32_add(a.getLocal("pA"),a.i32_const(6*r)),n=a.getLocal("pC0"),l=a.getLocal("pC1"),s=a.getLocal("pC4"),c=a.i32_const(t.alloc(6*r)),d=a.i32_const(t.alloc(6*r)),u=a.i32_const(t.alloc(2*r)),g=a.getLocal("pR"),f=a.i32_add(a.getLocal("pR"),a.i32_const(6*r));e.addCode(a.call(G+"_mul01",i,n,l,c),a.call(G+"_mul1",o,s,d),a.call(m+"_add",l,s,u),a.call(G+"_add",o,i,f),a.call(G+"_mul01",f,n,u,f),a.call(G+"_sub",f,c,f),a.call(G+"_sub",f,d,f),a.call(G+"_copy",d,g),a.call(G+"_mulNR",g,g),a.call(G+"_add",g,c,g))}(),function(){const e=t.addFunction(a+"_ell");e.addParam("pP","i32"),e.addParam("pCoefs","i32"),e.addParam("pF","i32");const i=e.getCodeBuilder(),o=i.getLocal("pP"),n=i.i32_add(i.getLocal("pP"),i.i32_const(l)),s=i.getLocal("pF"),c=i.getLocal("pCoefs"),d=i.i32_add(i.getLocal("pCoefs"),i.i32_const(r)),u=i.i32_add(i.getLocal("pCoefs"),i.i32_const(2*r)),g=i.i32_add(i.getLocal("pCoefs"),i.i32_const(3*r)),f=i.i32_add(i.getLocal("pCoefs"),i.i32_const(4*r)),_=t.alloc(2*r),p=i.i32_const(_),m=i.i32_const(_),w=i.i32_const(_+r),L=t.alloc(2*r),b=i.i32_const(L),A=i.i32_const(L),y=i.i32_const(L+r);e.addCode(i.call(h+"_mul",c,n,m),i.call(h+"_mul",d,n,w),i.call(h+"_mul",u,o,A),i.call(h+"_mul",g,o,y),i.call(z+"_mul014",s,f,b,p,s))}();const $=t.alloc(M),j=t.alloc(k);function K(e){const i=t.addFunction(a+"_pairingEq"+e);for(let t=0;t>=BigInt(32)):l+2<=e?(n.setUint16(l,Number(a&BigInt(65535)),!0),l+=2,a>>=BigInt(16)):(n.setUint8(l,Number(a&BigInt(255)),!0),l+=1,a>>=BigInt(8));if(a)throw new Error("Number does not fit in this length");return i}const Ce=[];for(let t=0;t<256;t++)Ce[t]=Ie(t,8);function Ie(t,e){let a=0,i=t;for(let t=0;t>=1;return a}function Fe(t,e){return(Ce[t>>>24]|Ce[t>>>16&255]<<8|Ce[t>>>8&255]<<16|Ce[255&t]<<24)>>>32-e}function xe(t){return(0!=(4294901760&t)?(t&=4294901760,16):0)|(0!=(4278255360&t)?(t&=4278255360,8):0)|(0!=(4042322160&t)?(t&=4042322160,4):0)|(0!=(3435973836&t)?(t&=3435973836,2):0)|0!=(2863311530&t)}function Ee(t,e){const a=t.byteLength/e,i=xe(a);if(a!=1<a){const i=t.slice(o*e,(o+1)*e);t.set(t.slice(a*e,(a+1)*e),o*e),t.set(i,a*e)}}}function ve(t,e){const a=new Uint8Array(e*t.length);for(let i=0;i{a[i]=t(e[i])})),a}return e},unstringifyBigInts:function t(e){if("string"==typeof e&&/^[0-9]+$/.test(e))return BigInt(e);if("string"==typeof e&&/^0x[0-9a-fA-F]+$/.test(e))return BigInt(e);if(Array.isArray(e))return e.map(t);if("object"==typeof e){if(null===e)return null;const a={};return Object.keys(e).forEach((i=>{a[i]=t(e[i])})),a}return e},beBuff2int:function(t){let e=BigInt(0),a=t.length,i=0;const o=new DataView(t.buffer,t.byteOffset,t.byteLength);for(;a>0;)a>=4?(a-=4,e+=BigInt(o.getUint32(a))<=2?(a-=2,e+=BigInt(o.getUint16(a))<0;)n-4>=0?(n-=4,o.setUint32(n,Number(a&BigInt(4294967295))),a>>=BigInt(32)):n-2>=0?(n-=2,o.setUint16(n,Number(a&BigInt(65535))),a>>=BigInt(16)):(n-=1,o.setUint8(n,Number(a&BigInt(255))),a>>=BigInt(8));if(a)throw new Error("Number does not fit in this length");return i},leBuff2int:function(t){let e=BigInt(0),a=0;const i=new DataView(t.buffer,t.byteOffset,t.byteLength);for(;a{i[o]=t(e,a[o])})),i}return a},unstringifyFElements:function t(e,a){if("string"==typeof a&&/^[0-9]+$/.test(a))return e.e(a);if("string"==typeof a&&/^0x[0-9a-fA-F]+$/.test(a))return e.e(a);if(Array.isArray(a))return a.map(t.bind(this,e));if("object"==typeof a){if(null===a)return null;const i={};return Object.keys(a).forEach((o=>{i[o]=t(e,a[o])})),i}return a},bitReverse:Fe,log2:xe,buffReverseBits:Ee,array2buffer:ve,buffer2array:Be});const Pe=1<<30;class Ge{constructor(t){this.buffers=[],this.byteLength=t;for(let e=0;e0;){const t=l+r>Pe?Pe-l:r,e=new Uint8Array(this.buffers[n].buffer,this.buffers[n].byteOffset+l,t);if(t==a)return e.slice();o||(o=a<=Pe?new Uint8Array(a):new Ge(a)),o.set(e,a-r),r-=t,n++,l=0}return o}set(t,e){void 0===e&&(e=0);const a=t.byteLength;if(0==a)return;const i=Math.floor(e/Pe);if(i==Math.floor((e+a-1)/Pe))return t instanceof Ge&&1==t.buffers.length?this.buffers[i].set(t.buffers[0],e%Pe):this.buffers[i].set(t,e%Pe);let o=i,n=e%Pe,l=a;for(;l>0;){const e=n+l>Pe?Pe-n:l,i=t.slice(a-l,a-l+e);new Uint8Array(this.buffers[o].buffer,this.buffers[o].byteOffset+n,e).set(i),l-=e,o++,n=0}}}function ze(t,e,a,i){return async function(o){const n=Math.floor(o.byteLength/a);if(n*a!==o.byteLength)throw new Error("Invalid buffer size");const l=Math.floor(n/t.concurrency),r=[];for(let s=0;s=0;t--)this.w[t]=this.square(this.w[t+1]);if(!this.eq(this.w[0],this.one))throw new Error("Error calculating roots of unity");this.batchToMontgomery=ze(t,e+"_batchToMontgomery",this.n8,this.n8),this.batchFromMontgomery=ze(t,e+"_batchFromMontgomery",this.n8,this.n8)}op2(t,e,a){return this.tm.setBuff(this.pOp1,e),this.tm.setBuff(this.pOp2,a),this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp2,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}op2Bool(t,e,a){return this.tm.setBuff(this.pOp1,e),this.tm.setBuff(this.pOp2,a),!!this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp2)}op1(t,e){return this.tm.setBuff(this.pOp1,e),this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}op1Bool(t,e){return this.tm.setBuff(this.pOp1,e),!!this.tm.instance.exports[this.prefix+t](this.pOp1,this.pOp3)}add(t,e){return this.op2("_add",t,e)}eq(t,e){return this.op2Bool("_eq",t,e)}isZero(t){return this.op1Bool("_isZero",t)}sub(t,e){return this.op2("_sub",t,e)}neg(t){return this.op1("_neg",t)}inv(t){return this.op1("_inverse",t)}toMontgomery(t){return this.op1("_toMontgomery",t)}fromMontgomery(t){return this.op1("_fromMontgomery",t)}mul(t,e){return this.op2("_mul",t,e)}div(t,e){return this.tm.setBuff(this.pOp1,t),this.tm.setBuff(this.pOp2,e),this.tm.instance.exports[this.prefix+"_inverse"](this.pOp2,this.pOp2),this.tm.instance.exports[this.prefix+"_mul"](this.pOp1,this.pOp2,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}square(t){return this.op1("_square",t)}isSquare(t){return this.op1Bool("_isSquare",t)}sqrt(t){return this.op1("_sqrt",t)}exp(t,e){return e instanceof Uint8Array||(e=S(i(e))),this.tm.setBuff(this.pOp1,t),this.tm.setBuff(this.pOp2,e),this.tm.instance.exports[this.prefix+"_exp"](this.pOp1,this.pOp2,e.byteLength,this.pOp3),this.tm.getBuff(this.pOp3,this.n8)}isNegative(t){return this.op1Bool("_isNegative",t)}e(t,e){if(t instanceof Uint8Array)return t;let a=i(t,e);n(a)?(a=p(a),y(a,this.p)&&(a=b(a,this.p)),a=_(this.p,a)):y(a,this.p)&&(a=b(a,this.p));const o=ye(a,this.n8);return this.toMontgomery(o)}toString(t,e){return B(E(this.fromMontgomery(t),0),e)}fromRng(t){let e;const a=new Uint8Array(this.n8);do{e=P;for(let a=0;ai.buffer.byteLength){const o=i.buffer.byteLength/65536;let n=Math.floor((a[0]+t)/65536)+1;n>e&&(n=e),i.grow(n-o)}return o}function l(t){const e=n(t.byteLength);return s(e,t),e}function r(t,e){const a=new Uint8Array(i.buffer);return new Uint8Array(a.buffer,a.byteOffset+t,e)}function s(t,e){new Uint8Array(i.buffer).set(new Uint8Array(e),t)}function c(t){if("INIT"==t[0].cmd)return o(t[0]);const e={vars:[],out:[]},c=new Uint32Array(i.buffer,0,1)[0];for(let i=0;i{this.reject=e,this.resolve=t}))}}var Ne;const Ve="data:application/javascript;base64,"+(Ne="("+qe.toString()+")(self)",globalThis.btoa(Ne));class $e{constructor(){this.actionQueue=[],this.oldPFree=0}startSyncOp(){if(0!=this.oldPFree)throw new Error("Sync operation in progress");this.oldPFree=this.u32[0]}endSyncOp(){if(0==this.oldPFree)throw new Error("No sync operation in progress");this.u32[0]=this.oldPFree,this.oldPFree=0}postAction(t,e,a,i){if(this.working[t])throw new Error("Posting a job t a working worker");return this.working[t]=!0,this.pendingDeferreds[t]=i||new De,this.workers[t].postMessage(e,a),this.pendingDeferreds[t].promise}processWorks(){for(let t=0;t0;t++)if(0==this.working[t]){const e=this.actionQueue.shift();this.postAction(t,e.data,e.transfers,e.deferred)}}queueAction(t,e){const a=new De;if(this.singleThread){const e=this.taskManager(t);a.resolve(e)}else this.actionQueue.push({data:t,transfers:e,deferred:a}),this.processWorks();return a.promise}resetMemory(){this.u32[0]=this.initalPFree}allocBuff(t){const e=this.alloc(t.byteLength);return this.setBuff(e,t),e}getBuff(t,e){return this.u8.slice(t,t+e)}setBuff(t,e){this.u8.set(new Uint8Array(e),t)}alloc(t){for(;3&this.u32[0];)this.u32[0]++;const e=this.u32[0];return this.u32[0]+=t,e}async terminate(){for(let t=0;tsetTimeout(e,t))))}}function je(t,e){const a=t[e],i=t.Fr,o=t.tm;t[e].batchApplyKey=async function(t,n,l,r,s){let c,d,u,g,f;if(r=r||"affine",s=s||"affine","G1"==e)"jacobian"==r?(u=3*a.F.n8,c="g1m_batchApplyKey"):(u=2*a.F.n8,c="g1m_batchApplyKeyMixed"),g=3*a.F.n8,"jacobian"==s?f=3*a.F.n8:(d="g1m_batchToAffine",f=2*a.F.n8);else if("G2"==e)"jacobian"==r?(u=3*a.F.n8,c="g2m_batchApplyKey"):(u=2*a.F.n8,c="g2m_batchApplyKeyMixed"),g=3*a.F.n8,"jacobian"==s?f=3*a.F.n8:(d="g2m_batchToAffine",f=2*a.F.n8);else{if("Fr"!=e)throw new Error("Invalid group: "+e);c="frm_batchApplyKey",u=a.n8,g=a.n8,f=a.n8}const h=Math.floor(t.byteLength/u),_=Math.floor(h/o.concurrency),p=[];l=i.e(l);let m=i.e(n);for(let e=0;e=0;t--){if(!a.isZero(_))for(let t=0;tc&&(_=c),_<1024&&(_=1024);const p=[];for(let e=0;e(r&&r.debug(`Multiexp end: ${s}: ${e}/${u}`),t))))}const m=await Promise.all(p);let w=a.zero;for(let t=m.length-1;t>=0;t--)w=a.add(w,m[t]);return w}a.multiExp=async function(t,e,a,i){return await n(t,e,"jacobian",a,i)},a.multiExpAffine=async function(t,e,a,i){return await n(t,e,"affine",a,i)}}function Ze(t,e){const a=t[e],i=t.Fr,o=a.tm;async function n(t,r,s,c,d,u){s=s||"affine",c=c||"affine";let g,f,h,_,p,m,w,L;"G1"==e?("affine"==s?(g=2*a.F.n8,_="g1m_batchToJacobian"):g=3*a.F.n8,f=3*a.F.n8,r&&(L="g1m_fftFinal"),w="g1m_fftJoin",m="g1m_fftMix","affine"==c?(h=2*a.F.n8,p="g1m_batchToAffine"):h=3*a.F.n8):"G2"==e?("affine"==s?(g=2*a.F.n8,_="g2m_batchToJacobian"):g=3*a.F.n8,f=3*a.F.n8,r&&(L="g2m_fftFinal"),w="g2m_fftJoin",m="g2m_fftMix","affine"==c?(h=2*a.F.n8,p="g2m_batchToAffine"):h=3*a.F.n8):"Fr"==e&&(g=a.n8,f=a.n8,h=a.n8,r&&(L="frm_fftFinal"),m="frm_fftMix",w="frm_fftJoin");let b=!1;Array.isArray(t)?(t=ve(t,g),b=!0):t=t.slice(0,t.byteLength);const A=t.byteLength/g,y=xe(A);if(1<1<<28?new Ge(2*u[0].byteLength):new Uint8Array(2*u[0].byteLength);return g.set(u[0]),g.set(u[1],u[0].byteLength),g}(t,s,c,d,u):await async function(t,e,a,o,r){let s,c;s=t.slice(0,t.byteLength/2),c=t.slice(t.byteLength/2,t.byteLength);const d=[];[s,c]=await l(s,c,"fftJoinExt",i.one,i.shift,e,"jacobian",o,r),d.push(n(s,!1,"jacobian",a,o,r)),d.push(n(c,!1,"jacobian",a,o,r));const u=await Promise.all(d);let g;g=u[0].byteLength>1<<28?new Ge(2*u[0].byteLength):new Uint8Array(2*u[0].byteLength);return g.set(u[0]),g.set(u[1],u[0].byteLength),g}(t,s,c,d,u),b?Be(e,h):e}let C,I,F;r&&(C=i.inv(i.e(A))),Ee(t,g);let x=Math.min(16384,A),E=A/x;for(;E=16;)E*=2,x/=2;const v=xe(x),B=[];for(let e=0;e(d&&d.debug(`${u}: fft ${y} mix end: ${e}/${E}`),t))))}F=await Promise.all(B);for(let t=0;t(d&&d.debug(`${u}: fft ${y} join ${t}/${y} ${l+1}/${e} ${r}/${a/2}`),i))))}const l=await Promise.all(n);for(let t=0;t0;e--)I.set(F[e],t),t+=x*h,delete F[e];I.set(F[0].slice(0,(x-1)*h),t),delete F[0]}else for(let t=0;t65536&&(b=65536);const A=[];for(let e=0;e(u&&u.debug(`${g}: fftJoinExt End: ${e}/${L}`),t))))}const y=await Promise.all(A);let C,I;L*p>1<<28?(C=new Ge(L*p),I=new Ge(L*p)):(C=new Uint8Array(L*p),I=new Uint8Array(L*p));let F=0;for(let t=0;ti.s+1)throw s&&s.error("lagrangeEvaluations input too big"),new Error("lagrangeEvaluations input too big");let f=t.slice(0,t.byteLength/2),h=t.slice(t.byteLength/2,t.byteLength);const _=i.exp(i.shift,u/2),p=i.inv(i.sub(i.one,_));[f,h]=await l(f,h,"prepareLagrangeEvaluation",p,i.shiftInv,o,"jacobian",s,c+" prep");const m=[];let w;return m.push(n(f,!0,"jacobian",r,s,c+" t0")),m.push(n(h,!0,"jacobian",r,s,c+" t1")),[f,h]=await Promise.all(m),w=f.byteLength>1<<28?new Ge(2*f.byteLength):new Uint8Array(2*f.byteLength),w.set(f),w.set(h,f.byteLength),w},a.fftMix=async function(t){const n=3*a.F.n8;let l,r;if("G1"==e)l="g1m_fftMix",r="g1m_fftJoin";else if("G2"==e)l="g2m_fftMix",r="g2m_fftJoin";else{if("Fr"!=e)throw new Error("Invalid group");l="frm_fftMix",r="frm_fftJoin"}const s=Math.floor(t.byteLength/n),c=xe(s);let d=1<=0;t--)f.set(g[t][0],h),h+=g[t][0].byteLength;return f}}async function We(t){const e=await async function(t,e){const a=new $e;a.memory=new WebAssembly.Memory({initial:Re}),a.u8=new Uint8Array(a.memory.buffer),a.u32=new Uint32Array(a.memory.buffer);const i=await WebAssembly.compile(t.code);if(a.instance=await WebAssembly.instantiate(i,{env:{memory:a.memory}}),a.singleThread=e,a.initalPFree=a.u32[0],a.pq=t.pq,a.pr=t.pr,a.pG1gen=t.pG1gen,a.pG1zero=t.pG1zero,a.pG2gen=t.pG2gen,a.pG2zero=t.pG2zero,a.pOneT=t.pOneT,e)a.code=t.code,a.taskManager=qe(),await a.taskManager([{cmd:"INIT",init:Re,code:a.code.slice()}]),a.concurrency=1;else{let e;a.workers=[],a.pendingDeferreds=[],a.working=[],e="object"==typeof navigator&&navigator.hardwareConcurrency?navigator.hardwareConcurrency:Me.cpus().length,0==e&&(e=2),e>64&&(e=64),a.concurrency=e;for(let t=0;t>8n&0xFFn)),e.push(Number(a>>16n&0xFFn)),e.push(Number(a>>24n&0xFFn)),e}function ea(t){const e=function(t){for(var e=[],a=0;a>6,128|63&i):i<55296||i>=57344?e.push(224|i>>12,128|i>>6&63,128|63&i):(a++,i=65536+((1023&i)<<10|1023&t.charCodeAt(a)),e.push(240|i>>18,128|i>>12&63,128|i>>6&63,128|63&i))}return e}(t);return[...la(e.length),...e]}function aa(t){const e=[];let a=Ye(t);if(Je(a))throw new Error("Number cannot be negative");for(;!Xe(a);)e.push(Number(0x7Fn&a)),a>>=7n;0==e.length&&e.push(0);for(let t=0;t0xFFFFFFFFn)throw new Error("Number too big");if(e>0x7FFFFFFFn&&(e-=0x100000000n),e<-2147483648n)throw new Error("Number too small");return ia(e)}function na(t){let e=Ye(t);if(e>0xFFFFFFFFFFFFFFFFn)throw new Error("Number too big");if(e>0x7FFFFFFFFFFFFFFFn&&(e-=0x10000000000000000n),e<-9223372036854775808n)throw new Error("Number too small");return ia(e)}function la(t){let e=Ye(t);if(e>0xFFFFFFFFn)throw new Error("Number too big");return aa(e)}function ra(t){return Array.from(t,(function(t){return("0"+(255&t).toString(16)).slice(-2)})).join("")}class sa{constructor(t){this.func=t,this.functionName=t.functionName,this.module=t.module}setLocal(t,e){const a=this.func.localIdxByName[t];if(void 0===a)throw new Error(`Local Variable not defined: Function: ${this.functionName} local: ${t} `);return[...e,33,...la(a)]}teeLocal(t,e){const a=this.func.localIdxByName[t];if(void 0===a)throw new Error(`Local Variable not defined: Function: ${this.functionName} local: ${t} `);return[...e,34,...la(a)]}getLocal(t){const e=this.func.localIdxByName[t];if(void 0===e)throw new Error(`Local Variable not defined: Function: ${this.functionName} local: ${t} `);return[32,...la(e)]}i64_load8_s(t,e,a){return[...t,48,void 0===a?0:a,...la(e||0)]}i64_load8_u(t,e,a){return[...t,49,void 0===a?0:a,...la(e||0)]}i64_load16_s(t,e,a){return[...t,50,void 0===a?1:a,...la(e||0)]}i64_load16_u(t,e,a){return[...t,51,void 0===a?1:a,...la(e||0)]}i64_load32_s(t,e,a){return[...t,52,void 0===a?2:a,...la(e||0)]}i64_load32_u(t,e,a){return[...t,53,void 0===a?2:a,...la(e||0)]}i64_load(t,e,a){return[...t,41,void 0===a?3:a,...la(e||0)]}i64_store(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=3,l=e):Array.isArray(a)?(o=e,n=3,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,55,n,...la(o)]}i64_store32(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=2,l=e):Array.isArray(a)?(o=e,n=2,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,62,n,...la(o)]}i64_store16(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=1,l=e):Array.isArray(a)?(o=e,n=1,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,61,n,...la(o)]}i64_store8(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=0,l=e):Array.isArray(a)?(o=e,n=0,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,60,n,...la(o)]}i32_load8_s(t,e,a){return[...t,44,void 0===a?0:a,...la(e||0)]}i32_load8_u(t,e,a){return[...t,45,void 0===a?0:a,...la(e||0)]}i32_load16_s(t,e,a){return[...t,46,void 0===a?1:a,...la(e||0)]}i32_load16_u(t,e,a){return[...t,47,void 0===a?1:a,...la(e||0)]}i32_load(t,e,a){return[...t,40,void 0===a?2:a,...la(e||0)]}i32_store(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=2,l=e):Array.isArray(a)?(o=e,n=2,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,54,n,...la(o)]}i32_store16(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=1,l=e):Array.isArray(a)?(o=e,n=1,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,59,n,...la(o)]}i32_store8(t,e,a,i){let o,n,l;return Array.isArray(e)?(o=0,n=0,l=e):Array.isArray(a)?(o=e,n=0,l=a):Array.isArray(i)&&(o=e,n=a,l=i),[...t,...l,58,n,...la(o)]}call(t,...e){const a=this.module.functionIdxByName[t];if(void 0===a)throw new Error(`Function not defined: Function: ${t}`);return[...[].concat(...e),16,...la(a)]}call_indirect(t,...e){return[...[].concat(...e),...t,17,0,0]}if(t,e,a){return a?[...t,4,64,...e,5,...a,11]:[...t,4,64,...e,11]}block(t){return[2,64,...t,11]}loop(...t){return[3,64,...[].concat(...t),11]}br_if(t,e){return[...e,13,...la(t)]}br(t){return[12,...la(t)]}ret(t){return[...t,15]}drop(t){return[...t,26]}i64_const(t){return[66,...na(t)]}i32_const(t){return[65,...oa(t)]}i64_eqz(t){return[...t,80]}i64_eq(t,e){return[...t,...e,81]}i64_ne(t,e){return[...t,...e,82]}i64_lt_s(t,e){return[...t,...e,83]}i64_lt_u(t,e){return[...t,...e,84]}i64_gt_s(t,e){return[...t,...e,85]}i64_gt_u(t,e){return[...t,...e,86]}i64_le_s(t,e){return[...t,...e,87]}i64_le_u(t,e){return[...t,...e,88]}i64_ge_s(t,e){return[...t,...e,89]}i64_ge_u(t,e){return[...t,...e,90]}i64_add(t,e){return[...t,...e,124]}i64_sub(t,e){return[...t,...e,125]}i64_mul(t,e){return[...t,...e,126]}i64_div_s(t,e){return[...t,...e,127]}i64_div_u(t,e){return[...t,...e,128]}i64_rem_s(t,e){return[...t,...e,129]}i64_rem_u(t,e){return[...t,...e,130]}i64_and(t,e){return[...t,...e,131]}i64_or(t,e){return[...t,...e,132]}i64_xor(t,e){return[...t,...e,133]}i64_shl(t,e){return[...t,...e,134]}i64_shr_s(t,e){return[...t,...e,135]}i64_shr_u(t,e){return[...t,...e,136]}i64_extend_i32_s(t){return[...t,172]}i64_extend_i32_u(t){return[...t,173]}i64_clz(t){return[...t,121]}i64_ctz(t){return[...t,122]}i32_eqz(t){return[...t,69]}i32_eq(t,e){return[...t,...e,70]}i32_ne(t,e){return[...t,...e,71]}i32_lt_s(t,e){return[...t,...e,72]}i32_lt_u(t,e){return[...t,...e,73]}i32_gt_s(t,e){return[...t,...e,74]}i32_gt_u(t,e){return[...t,...e,75]}i32_le_s(t,e){return[...t,...e,76]}i32_le_u(t,e){return[...t,...e,77]}i32_ge_s(t,e){return[...t,...e,78]}i32_ge_u(t,e){return[...t,...e,79]}i32_add(t,e){return[...t,...e,106]}i32_sub(t,e){return[...t,...e,107]}i32_mul(t,e){return[...t,...e,108]}i32_div_s(t,e){return[...t,...e,109]}i32_div_u(t,e){return[...t,...e,110]}i32_rem_s(t,e){return[...t,...e,111]}i32_rem_u(t,e){return[...t,...e,112]}i32_and(t,e){return[...t,...e,113]}i32_or(t,e){return[...t,...e,114]}i32_xor(t,e){return[...t,...e,115]}i32_shl(t,e){return[...t,...e,116]}i32_shr_s(t,e){return[...t,...e,117]}i32_shr_u(t,e){return[...t,...e,118]}i32_rotl(t,e){return[...t,...e,119]}i32_rotr(t,e){return[...t,...e,120]}i32_wrap_i64(t){return[...t,167]}i32_clz(t){return[...t,103]}i32_ctz(t){return[...t,104]}unreachable(){return[0]}current_memory(){return[63,0]}comment(){return[]}}const ca={i32:127,i64:126,f32:125,f64:124,anyfunc:112,func:96,emptyblock:64};class da{constructor(t,e,a,i,o){if("import"==a)this.fnType="import",this.moduleName=i,this.fieldName=o;else{if("internal"!=a)throw new Error("Invalid function fnType: "+a);this.fnType="internal"}this.module=t,this.fnName=e,this.params=[],this.locals=[],this.localIdxByName={},this.code=[],this.returnType=null,this.nextLocal=0}addParam(t,e){if(this.localIdxByName[t])throw new Error(`param already exists. Function: ${this.fnName}, Param: ${t} `);const a=this.nextLocal++;this.localIdxByName[t]=a,this.params.push({type:e})}addLocal(t,e,a){const i=a||1;if(this.localIdxByName[t])throw new Error(`local already exists. Function: ${this.fnName}, Param: ${t} `);const o=this.nextLocal++;this.localIdxByName[t]=o,this.locals.push({type:e,length:i})}setReturnType(t){if(this.returnType)throw new Error(`returnType already defined. Function: ${this.fnName}`);this.returnType=t}getSignature(){return[96,...[...la(this.params.length),...this.params.map((t=>ca[t.type]))],...this.returnType?[1,ca[this.returnType]]:[0]]}getBody(){const t=this.locals.map((t=>[...la(t.length),ca[t.type]])),e=[...la(this.locals.length),...[].concat(...t),...this.code,11];return[...la(e.length),...e]}addCode(...t){this.code.push(...[].concat(...t))}getCodeBuilder(){return new sa(this)}}class ua{constructor(){this.functions=[],this.functionIdxByName={},this.nImportFunctions=0,this.nInternalFunctions=0,this.memory={pagesSize:1,moduleName:"env",fieldName:"memory"},this.free=8,this.datas=[],this.modules={},this.exports=[],this.functionsTable=[]}build(){return this._setSignatures(),new Uint8Array([...ta(1836278016),...ta(1),...this._buildType(),...this._buildImport(),...this._buildFunctionDeclarations(),...this._buildFunctionsTable(),...this._buildExports(),...this._buildElements(),...this._buildCode(),...this._buildData()])}addFunction(t){if(void 0!==this.functionIdxByName[t])throw new Error(`Function already defined: ${t}`);const e=this.functions.length;return this.functionIdxByName[t]=e,this.functions.push(new da(this,t,"internal")),this.nInternalFunctions++,this.functions[e]}addIimportFunction(t,e,a){if(void 0!==this.functionIdxByName[t])throw new Error(`Function already defined: ${t}`);if(this.functions.length>0&&"internal"==this.functions[this.functions.length-1].type)throw new Error(`Import functions must be declared before internal: ${t}`);let i=a||t;const o=this.functions.length;return this.functionIdxByName[t]=o,this.functions.push(new da(this,t,"import",e,i)),this.nImportFunctions++,this.functions[o]}setMemory(t,e,a){this.memory={pagesSize:t,moduleName:e||"env",fieldName:a||"memory"}}exportFunction(t,e){const a=e||t;if(void 0===this.functionIdxByName[t])throw new Error(`Function not defined: ${t}`);const i=this.functionIdxByName[t];a!=t&&(this.functionIdxByName[a]=i),this.exports.push({exportName:a,idx:i})}addFunctionToTable(t){const e=this.functionIdxByName[t];this.functionsTable.push(e)}addData(t,e){this.datas.push({offset:t,bytes:e})}alloc(t,e){let a,i;(Array.isArray(t)||ArrayBuffer.isView(t))&&void 0===e?(a=t.length,i=t):(a=t,i=e),a=1+(a-1>>3)<<3;const o=this.free;return this.free+=a,i&&this.addData(o,i),o}allocString(t){const e=(new globalThis.TextEncoder).encode(t);return this.alloc([...e,0])}_setSignatures(){this.signatures=[];const t={};if(this.functionsTable.length>0){const e=this.functions[this.functionsTable[0]].getSignature();t["s_"+ra(e)]=0,this.signatures.push(e)}for(let e=0;e{e.pendingLoads.push({page:t,resolve:a,reject:i})}));return e.__statusPage("After Load request: ",t),a}__statusPage(t,e){const a=[],i=this;if(!i.logHistory)return;a.push("=="+t+" "+e);let o="";for(let t=0;t "+e.history[t][a][i])}_triggerLoad(){const t=this;if(t.reading)return;if(0==t.pendingLoads.length)return;const e=Object.keys(t.pages),a=[];for(let i=0;i0&&(void 0!==t.pages[t.pendingLoads[0].page]||i>0||a.length>0);){const e=t.pendingLoads.shift();if(void 0!==t.pages[e.page]){t.pages[e.page].pendingOps++;const i=a.indexOf(e.page);i>=0&&a.splice(i,1),t.pages[e.page].loading?t.pages[e.page].loading.push(e):e.resolve(),t.__statusPage("After Load (cached): ",e.page)}else{if(i)i--;else{const e=a.shift();t.__statusPage("Before Unload: ",e),t.avBuffs.unshift(t.pages[e]),delete t.pages[e],t.__statusPage("After Unload: ",e)}e.page>=t.totalPages?(t.pages[e.page]=n(),e.resolve(),t.__statusPage("After Load (new): ",e.page)):(t.reading=!0,t.pages[e.page]=n(),t.pages[e.page].loading=[e],o.push(t.fd.read(t.pages[e.page].buff,0,t.pageSize,e.page*t.pageSize).then((a=>{t.pages[e.page].size=a.bytesRead;const i=t.pages[e.page].loading;delete t.pages[e.page].loading;for(let t=0;t