github/self
1
1
Fork 0
mirror of https://github.com/selfxyz/self.git synced 2026-01-10 15:18:18 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add new ECDSA verifier for brainpoolP512r1 (#455)

Browse Source
This commit is contained in:
Seshanth.S🐺
2025-03-19 17:39:53 +05:30
committed by GitHub
parent 9d8c475de0
commit b6fc6bd9eb
5 changed files with 718 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
common/src/constants/constants.ts
View File

@@ -47,11 +47,11 @@ export const DEPLOYED_CIRCUITS_REGISTER = [
'register_sha256_sha256_sha256_rsapss_65537_32_2048',
'register_sha256_sha256_sha256_rsapss_65537_32_3072',
'register_sha384_sha384_sha384_ecdsa_brainpoolP384r1',
//'register_sha384_sha384_sha384_ecdsa_brainpoolP512r1',//
'register_sha384_sha384_sha384_ecdsa_brainpoolP512r1',
'register_sha384_sha384_sha384_ecdsa_secp384r1',
'register_sha384_sha384_sha384_rsapss_65537_48_2048',
'register_sha1_sha1_sha1_ecdsa_brainpoolP224r1',
//'register_sha512_sha512_sha512_ecdsa_brainpoolP512r1',//
'register_sha512_sha512_sha512_ecdsa_brainpoolP512r1',
'register_sha512_sha512_sha512_rsa_65537_4096',
'register_sha512_sha512_sha512_rsapss_65537_64_2048',
]
@@ -70,9 +70,9 @@ export const DEPLOYED_CIRCUITS_DSC = [
'dsc_sha256_rsapss_65537_32_3072',
'dsc_sha256_rsapss_65537_32_4096',
'dsc_sha384_ecdsa_brainpoolP384r1',
//'dsc_sha384_ecdsa_brainpoolP512r1',
'dsc_sha384_ecdsa_brainpoolP512r1',
'dsc_sha384_ecdsa_secp384r1',
//'dsc_sha512_ecdsa_brainpoolP512r1',
'dsc_sha512_ecdsa_brainpoolP512r1',
'dsc_sha512_rsa_65537_4096',
'dsc_sha512_rsapss_65537_64_4096',
]

175
contracts/contracts/verifiers/dsc/Verifier_dsc_sha384_ecdsa_brainpoolP512r1.sol Normal file
View File

@@ -0,0 +1,175 @@
// SPDX-License-Identifier: GPL-3.0
/*
Copyright 2021 0KIMS association.
This file is generated with [snarkJS](https://github.com/iden3/snarkjs).
snarkJS is a free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
snarkJS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
*/
pragma solidity >=0.7.0 <0.9.0;
contract Verifier_dsc_sha384_ecdsa_brainpoolP512r1 {
// Scalar field size
uint256 constant r = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
// Base field size
uint256 constant q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
// Verification Key data
uint256 constant alphax = 16428432848801857252194528405604668803277877773566238944394625302971855135431;
uint256 constant alphay = 16846502678714586896801519656441059708016666274385668027902869494772365009666;
uint256 constant betax1 = 3182164110458002340215786955198810119980427837186618912744689678939861918171;
uint256 constant betax2 = 16348171800823588416173124589066524623406261996681292662100840445103873053252;
uint256 constant betay1 = 4920802715848186258981584729175884379674325733638798907835771393452862684714;
uint256 constant betay2 = 19687132236965066906216944365591810874384658708175106803089633851114028275753;
uint256 constant gammax1 = 11559732032986387107991004021392285783925812861821192530917403151452391805634;
uint256 constant gammax2 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
uint256 constant gammay1 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
uint256 constant gammay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
uint256 constant deltax1 = 4530066936154441847386294156578094399842131550980516874400905993800052131851;
uint256 constant deltax2 = 1335399363840606323513598206854614361608964545021499959158665510890398562234;
uint256 constant deltay1 = 10452224917351194123308059032281451103653454874683303402314888743840039443461;
uint256 constant deltay2 = 13972882024340202656863090949141567962592926995017196610940982386480842856715;
uint256 constant IC0x = 7873767668004917131331802256306079363018497214917800406656003818258696939352;
uint256 constant IC0y = 14912976041983106474346819001420266588695308519687724079672778493226556096333;
uint256 constant IC1x = 4852604638607648213334720160588381103064185393513751826938979884897144830675;
uint256 constant IC1y = 3477474541202451761549969552535751441286210351780330568982051126043768194976;
uint256 constant IC2x = 8747441738906818716672964476834702185117504770235935488924766630345322944183;
uint256 constant IC2y = 18164498138633665708832988193754261643195939997946514564956248753295561758554;
// Memory data
uint16 constant pVk = 0;
uint16 constant pPairing = 128;
uint16 constant pLastMem = 896;
function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[2] calldata _pubSignals) public view returns (bool) {
assembly {
function checkField(v) {
if iszero(lt(v, r)) {
mstore(0, 0)
return(0, 0x20)
}
}
// G1 function to multiply a G1 value(x,y) to value in an address
function g1_mulAccC(pR, x, y, s) {
let success
let mIn := mload(0x40)
mstore(mIn, x)
mstore(add(mIn, 32), y)
mstore(add(mIn, 64), s)
success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
mstore(add(mIn, 64), mload(pR))
mstore(add(mIn, 96), mload(add(pR, 32)))
success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
}
function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
let _pPairing := add(pMem, pPairing)
let _pVk := add(pMem, pVk)
mstore(_pVk, IC0x)
mstore(add(_pVk, 32), IC0y)
// Compute the linear combination vk_x
g1_mulAccC(_pVk, IC1x, IC1y, calldataload(add(pubSignals, 0)))
g1_mulAccC(_pVk, IC2x, IC2y, calldataload(add(pubSignals, 32)))
// -A
mstore(_pPairing, calldataload(pA))
mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
// B
mstore(add(_pPairing, 64), calldataload(pB))
mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
// alpha1
mstore(add(_pPairing, 192), alphax)
mstore(add(_pPairing, 224), alphay)
// beta2
mstore(add(_pPairing, 256), betax1)
mstore(add(_pPairing, 288), betax2)
mstore(add(_pPairing, 320), betay1)
mstore(add(_pPairing, 352), betay2)
// vk_x
mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
// gamma2
mstore(add(_pPairing, 448), gammax1)
mstore(add(_pPairing, 480), gammax2)
mstore(add(_pPairing, 512), gammay1)
mstore(add(_pPairing, 544), gammay2)
// C
mstore(add(_pPairing, 576), calldataload(pC))
mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
// delta2
mstore(add(_pPairing, 640), deltax1)
mstore(add(_pPairing, 672), deltax2)
mstore(add(_pPairing, 704), deltay1)
mstore(add(_pPairing, 736), deltay2)
let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
isOk := and(success, mload(_pPairing))
}
let pMem := mload(0x40)
mstore(0x40, add(pMem, pLastMem))
// Validate that all evaluations ∈ F
checkField(calldataload(add(_pubSignals, 0)))
checkField(calldataload(add(_pubSignals, 32)))
// Validate all evaluations
let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
mstore(0, isValid)
return(0, 0x20)
}
}
}

175
contracts/contracts/verifiers/dsc/Verifier_dsc_sha512_ecdsa_brainpoolP512r1.sol Normal file
View File

@@ -0,0 +1,175 @@
// SPDX-License-Identifier: GPL-3.0
/*
Copyright 2021 0KIMS association.
This file is generated with [snarkJS](https://github.com/iden3/snarkjs).
snarkJS is a free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
snarkJS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
*/
pragma solidity >=0.7.0 <0.9.0;
contract Verifier_dsc_sha512_ecdsa_brainpoolP512r1 {
// Scalar field size
uint256 constant r = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
// Base field size
uint256 constant q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
// Verification Key data
uint256 constant alphax = 16428432848801857252194528405604668803277877773566238944394625302971855135431;
uint256 constant alphay = 16846502678714586896801519656441059708016666274385668027902869494772365009666;
uint256 constant betax1 = 3182164110458002340215786955198810119980427837186618912744689678939861918171;
uint256 constant betax2 = 16348171800823588416173124589066524623406261996681292662100840445103873053252;
uint256 constant betay1 = 4920802715848186258981584729175884379674325733638798907835771393452862684714;
uint256 constant betay2 = 19687132236965066906216944365591810874384658708175106803089633851114028275753;
uint256 constant gammax1 = 11559732032986387107991004021392285783925812861821192530917403151452391805634;
uint256 constant gammax2 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
uint256 constant gammay1 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
uint256 constant gammay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
uint256 constant deltax1 = 12251427448627772330888437982481332885211120883213646323847047551684983810433;
uint256 constant deltax2 = 4499228752502959023023615045419258170224547094133191343676224662128847718489;
uint256 constant deltay1 = 1145910484125996562423466364321116685334339390367394077688418150019571935876;
uint256 constant deltay2 = 12743357927810336971509918465104159910509976902535911210911764265655920424296;
uint256 constant IC0x = 7110132793288072767884827502282660170267797993274915717940191029955641310538;
uint256 constant IC0y = 10299852420887189493119478491329778285635466242816933287032586884932562952292;
uint256 constant IC1x = 10462856252310642708967113711602078244597530575840127617899411065726432761715;
uint256 constant IC1y = 21455733862726938196001268421736903102080585668491271076545254402577567362511;
uint256 constant IC2x = 14639827374068177133096238896519227626933201045213709406539301182675722983984;
uint256 constant IC2y = 682185347318813323331775462199336704076786332751913888115496045164186659645;
// Memory data
uint16 constant pVk = 0;
uint16 constant pPairing = 128;
uint16 constant pLastMem = 896;
function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[2] calldata _pubSignals) public view returns (bool) {
assembly {
function checkField(v) {
if iszero(lt(v, r)) {
mstore(0, 0)
return(0, 0x20)
}
}
// G1 function to multiply a G1 value(x,y) to value in an address
function g1_mulAccC(pR, x, y, s) {
let success
let mIn := mload(0x40)
mstore(mIn, x)
mstore(add(mIn, 32), y)
mstore(add(mIn, 64), s)
success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
mstore(add(mIn, 64), mload(pR))
mstore(add(mIn, 96), mload(add(pR, 32)))
success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
}
function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
let _pPairing := add(pMem, pPairing)
let _pVk := add(pMem, pVk)
mstore(_pVk, IC0x)
mstore(add(_pVk, 32), IC0y)
// Compute the linear combination vk_x
g1_mulAccC(_pVk, IC1x, IC1y, calldataload(add(pubSignals, 0)))
g1_mulAccC(_pVk, IC2x, IC2y, calldataload(add(pubSignals, 32)))
// -A
mstore(_pPairing, calldataload(pA))
mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
// B
mstore(add(_pPairing, 64), calldataload(pB))
mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
// alpha1
mstore(add(_pPairing, 192), alphax)
mstore(add(_pPairing, 224), alphay)
// beta2
mstore(add(_pPairing, 256), betax1)
mstore(add(_pPairing, 288), betax2)
mstore(add(_pPairing, 320), betay1)
mstore(add(_pPairing, 352), betay2)
// vk_x
mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
// gamma2
mstore(add(_pPairing, 448), gammax1)
mstore(add(_pPairing, 480), gammax2)
mstore(add(_pPairing, 512), gammay1)
mstore(add(_pPairing, 544), gammay2)
// C
mstore(add(_pPairing, 576), calldataload(pC))
mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
// delta2
mstore(add(_pPairing, 640), deltax1)
mstore(add(_pPairing, 672), deltax2)
mstore(add(_pPairing, 704), deltay1)
mstore(add(_pPairing, 736), deltay2)
let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
isOk := and(success, mload(_pPairing))
}
let pMem := mload(0x40)
mstore(0x40, add(pMem, pLastMem))
// Validate that all evaluations ∈ F
checkField(calldataload(add(_pubSignals, 0)))
checkField(calldataload(add(_pubSignals, 32)))
// Validate all evaluations
let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
mstore(0, isValid)
return(0, 0x20)
}
}
}

182
contracts/contracts/verifiers/register/Verifier_register_sha384_sha384_sha384_ecdsa_brainpoolP512r1.sol Normal file
View File

@@ -0,0 +1,182 @@
// SPDX-License-Identifier: GPL-3.0
/*
Copyright 2021 0KIMS association.
This file is generated with [snarkJS](https://github.com/iden3/snarkjs).
snarkJS is a free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
snarkJS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
*/
pragma solidity >=0.7.0 <0.9.0;
contract Verifier_register_sha384_sha384_sha384_ecdsa_brainpoolP512r1 {
// Scalar field size
uint256 constant r = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
// Base field size
uint256 constant q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
// Verification Key data
uint256 constant alphax = 16428432848801857252194528405604668803277877773566238944394625302971855135431;
uint256 constant alphay = 16846502678714586896801519656441059708016666274385668027902869494772365009666;
uint256 constant betax1 = 3182164110458002340215786955198810119980427837186618912744689678939861918171;
uint256 constant betax2 = 16348171800823588416173124589066524623406261996681292662100840445103873053252;
uint256 constant betay1 = 4920802715848186258981584729175884379674325733638798907835771393452862684714;
uint256 constant betay2 = 19687132236965066906216944365591810874384658708175106803089633851114028275753;
uint256 constant gammax1 = 11559732032986387107991004021392285783925812861821192530917403151452391805634;
uint256 constant gammax2 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
uint256 constant gammay1 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
uint256 constant gammay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
uint256 constant deltax1 = 18854993247039179624581179152332998094566280877936639849872841751375344022557;
uint256 constant deltax2 = 20826100243565833643966718129499036093825495657454618124809301323069134789967;
uint256 constant deltay1 = 14873387777512603238202291899184271790755514580527473327518246092956340721506;
uint256 constant deltay2 = 14390611362883461355955787694696658528915413320294561035084608364017878919822;
uint256 constant IC0x = 8735192185444852843909796464662622311966954494624979798830494437573487040586;
uint256 constant IC0y = 6050735154878376107549186154135524222506843051956047858431384872560380356975;
uint256 constant IC1x = 5483196628939056089826409818400143037210780641446014927489547989787587699201;
uint256 constant IC1y = 1171374649921067872693612253412870791859793815073010265752227736881757200924;
uint256 constant IC2x = 16482995488537871424875041705348410284861593053282641089562844970643442627513;
uint256 constant IC2y = 19176167821727984438488135935030091689049819304751596160342283375278346324312;
uint256 constant IC3x = 15777780268455716462763947803251713833182250613008125174940265570223026085835;
uint256 constant IC3y = 4875711447580581709474407572392202914066259658604550614725631006355405476979;
// Memory data
uint16 constant pVk = 0;
uint16 constant pPairing = 128;
uint16 constant pLastMem = 896;
function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[3] calldata _pubSignals) public view returns (bool) {
assembly {
function checkField(v) {
if iszero(lt(v, r)) {
mstore(0, 0)
return(0, 0x20)
}
}
// G1 function to multiply a G1 value(x,y) to value in an address
function g1_mulAccC(pR, x, y, s) {
let success
let mIn := mload(0x40)
mstore(mIn, x)
mstore(add(mIn, 32), y)
mstore(add(mIn, 64), s)
success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
mstore(add(mIn, 64), mload(pR))
mstore(add(mIn, 96), mload(add(pR, 32)))
success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
}
function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
let _pPairing := add(pMem, pPairing)
let _pVk := add(pMem, pVk)
mstore(_pVk, IC0x)
mstore(add(_pVk, 32), IC0y)
// Compute the linear combination vk_x
g1_mulAccC(_pVk, IC1x, IC1y, calldataload(add(pubSignals, 0)))
g1_mulAccC(_pVk, IC2x, IC2y, calldataload(add(pubSignals, 32)))
g1_mulAccC(_pVk, IC3x, IC3y, calldataload(add(pubSignals, 64)))
// -A
mstore(_pPairing, calldataload(pA))
mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
// B
mstore(add(_pPairing, 64), calldataload(pB))
mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
// alpha1
mstore(add(_pPairing, 192), alphax)
mstore(add(_pPairing, 224), alphay)
// beta2
mstore(add(_pPairing, 256), betax1)
mstore(add(_pPairing, 288), betax2)
mstore(add(_pPairing, 320), betay1)
mstore(add(_pPairing, 352), betay2)
// vk_x
mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
// gamma2
mstore(add(_pPairing, 448), gammax1)
mstore(add(_pPairing, 480), gammax2)
mstore(add(_pPairing, 512), gammay1)
mstore(add(_pPairing, 544), gammay2)
// C
mstore(add(_pPairing, 576), calldataload(pC))
mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
// delta2
mstore(add(_pPairing, 640), deltax1)
mstore(add(_pPairing, 672), deltax2)
mstore(add(_pPairing, 704), deltay1)
mstore(add(_pPairing, 736), deltay2)
let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
isOk := and(success, mload(_pPairing))
}
let pMem := mload(0x40)
mstore(0x40, add(pMem, pLastMem))
// Validate that all evaluations ∈ F
checkField(calldataload(add(_pubSignals, 0)))
checkField(calldataload(add(_pubSignals, 32)))
checkField(calldataload(add(_pubSignals, 64)))
// Validate all evaluations
let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
mstore(0, isValid)
return(0, 0x20)
}
}
}

182
contracts/contracts/verifiers/register/Verifier_register_sha512_sha512_sha512_ecdsa_brainpoolP512r1.sol Normal file
View File

@@ -0,0 +1,182 @@
// SPDX-License-Identifier: GPL-3.0
/*
Copyright 2021 0KIMS association.
This file is generated with [snarkJS](https://github.com/iden3/snarkjs).
snarkJS is a free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
snarkJS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
License for more details.
You should have received a copy of the GNU General Public License
along with snarkJS. If not, see <https://www.gnu.org/licenses/>.
*/
pragma solidity >=0.7.0 <0.9.0;
contract Verifier_register_sha512_sha512_sha512_ecdsa_brainpoolP512r1 {
// Scalar field size
uint256 constant r = 21888242871839275222246405745257275088548364400416034343698204186575808495617;
// Base field size
uint256 constant q = 21888242871839275222246405745257275088696311157297823662689037894645226208583;
// Verification Key data
uint256 constant alphax = 16428432848801857252194528405604668803277877773566238944394625302971855135431;
uint256 constant alphay = 16846502678714586896801519656441059708016666274385668027902869494772365009666;
uint256 constant betax1 = 3182164110458002340215786955198810119980427837186618912744689678939861918171;
uint256 constant betax2 = 16348171800823588416173124589066524623406261996681292662100840445103873053252;
uint256 constant betay1 = 4920802715848186258981584729175884379674325733638798907835771393452862684714;
uint256 constant betay2 = 19687132236965066906216944365591810874384658708175106803089633851114028275753;
uint256 constant gammax1 = 11559732032986387107991004021392285783925812861821192530917403151452391805634;
uint256 constant gammax2 = 10857046999023057135944570762232829481370756359578518086990519993285655852781;
uint256 constant gammay1 = 4082367875863433681332203403145435568316851327593401208105741076214120093531;
uint256 constant gammay2 = 8495653923123431417604973247489272438418190587263600148770280649306958101930;
uint256 constant deltax1 = 6068821402545744197100702940866949399745328072257075410624696349030277099415;
uint256 constant deltax2 = 4590924314567562979189136087201755518445085199177330754320416677313572977102;
uint256 constant deltay1 = 18166959287221332415767368018929503078315106563710994156348604460979714762741;
uint256 constant deltay2 = 14908064929580417939168737694833933618386052899840219036224614307551672747916;
uint256 constant IC0x = 18710498748220767227705003302977305323071337506522987320895689013754828757421;
uint256 constant IC0y = 16102011319913061201700546418800139175766194462922175370869548963760320631597;
uint256 constant IC1x = 19286529769583304814784702520019126192803570206401018970719909847974158324329;
uint256 constant IC1y = 1155242236517285926726013444715647056857111823469336078757282575745236301050;
uint256 constant IC2x = 7121483107375013561864881366222242761945265932327408281758084321102607697296;
uint256 constant IC2y = 13210769923775439019992165720378141251278877718479947970068953633811830722237;
uint256 constant IC3x = 6342858539600635210736844370527058585508847306654018171123849143234084040487;
uint256 constant IC3y = 8189602452833790560637976876815510209304393905453779032446627471985274992928;
// Memory data
uint16 constant pVk = 0;
uint16 constant pPairing = 128;
uint16 constant pLastMem = 896;
function verifyProof(uint[2] calldata _pA, uint[2][2] calldata _pB, uint[2] calldata _pC, uint[3] calldata _pubSignals) public view returns (bool) {
assembly {
function checkField(v) {
if iszero(lt(v, r)) {
mstore(0, 0)
return(0, 0x20)
}
}
// G1 function to multiply a G1 value(x,y) to value in an address
function g1_mulAccC(pR, x, y, s) {
let success
let mIn := mload(0x40)
mstore(mIn, x)
mstore(add(mIn, 32), y)
mstore(add(mIn, 64), s)
success := staticcall(sub(gas(), 2000), 7, mIn, 96, mIn, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
mstore(add(mIn, 64), mload(pR))
mstore(add(mIn, 96), mload(add(pR, 32)))
success := staticcall(sub(gas(), 2000), 6, mIn, 128, pR, 64)
if iszero(success) {
mstore(0, 0)
return(0, 0x20)
}
}
function checkPairing(pA, pB, pC, pubSignals, pMem) -> isOk {
let _pPairing := add(pMem, pPairing)
let _pVk := add(pMem, pVk)
mstore(_pVk, IC0x)
mstore(add(_pVk, 32), IC0y)
// Compute the linear combination vk_x
g1_mulAccC(_pVk, IC1x, IC1y, calldataload(add(pubSignals, 0)))
g1_mulAccC(_pVk, IC2x, IC2y, calldataload(add(pubSignals, 32)))
g1_mulAccC(_pVk, IC3x, IC3y, calldataload(add(pubSignals, 64)))
// -A
mstore(_pPairing, calldataload(pA))
mstore(add(_pPairing, 32), mod(sub(q, calldataload(add(pA, 32))), q))
// B
mstore(add(_pPairing, 64), calldataload(pB))
mstore(add(_pPairing, 96), calldataload(add(pB, 32)))
mstore(add(_pPairing, 128), calldataload(add(pB, 64)))
mstore(add(_pPairing, 160), calldataload(add(pB, 96)))
// alpha1
mstore(add(_pPairing, 192), alphax)
mstore(add(_pPairing, 224), alphay)
// beta2
mstore(add(_pPairing, 256), betax1)
mstore(add(_pPairing, 288), betax2)
mstore(add(_pPairing, 320), betay1)
mstore(add(_pPairing, 352), betay2)
// vk_x
mstore(add(_pPairing, 384), mload(add(pMem, pVk)))
mstore(add(_pPairing, 416), mload(add(pMem, add(pVk, 32))))
// gamma2
mstore(add(_pPairing, 448), gammax1)
mstore(add(_pPairing, 480), gammax2)
mstore(add(_pPairing, 512), gammay1)
mstore(add(_pPairing, 544), gammay2)
// C
mstore(add(_pPairing, 576), calldataload(pC))
mstore(add(_pPairing, 608), calldataload(add(pC, 32)))
// delta2
mstore(add(_pPairing, 640), deltax1)
mstore(add(_pPairing, 672), deltax2)
mstore(add(_pPairing, 704), deltay1)
mstore(add(_pPairing, 736), deltay2)
let success := staticcall(sub(gas(), 2000), 8, _pPairing, 768, _pPairing, 0x20)
isOk := and(success, mload(_pPairing))
}
let pMem := mload(0x40)
mstore(0x40, add(pMem, pLastMem))
// Validate that all evaluations ∈ F
checkField(calldataload(add(_pubSignals, 0)))
checkField(calldataload(add(_pubSignals, 32)))
checkField(calldataload(add(_pubSignals, 64)))
// Validate all evaluations
let isValid := checkPairing(_pA, _pB, _pC, _pubSignals, pMem)
mstore(0, isValid)
return(0, 0x20)
}
}
}