Merge pull request #42 from succinctlabs/kevjue/audit_fixes

fix: Veridise audit fixes
1 year ago · b064847007
28 changed files with 203 additions and 198 deletions
--- a/README.md
+++ b/README.md
@ -10,7 +10,7 @@ Besides the verifier, there are some Gnark implementation of circuits in this re

 ## Requirements

 - [Go (1.20.1+)](https://go.dev/doc/install)
 - [Go (1.19+)](https://go.dev/doc/install)

 ## Benchmark

--- a/challenger/challenger.go
+++ b/challenger/challenger.go
@ -15,13 +15,13 @@ type Chip struct {
 	api               frontend.API `gnark:"-"`
 	poseidonChip      *poseidon.GoldilocksChip
 	poseidonBN254Chip *poseidon.BN254Chip
 	spongeState       [poseidon.SPONGE_WIDTH]gl.Variable
 	spongeState       poseidon.GoldilocksState
 	inputBuffer       []gl.Variable
 	outputBuffer      []gl.Variable
 }

 func NewChip(api frontend.API) *Chip {
 	var spongeState [poseidon.SPONGE_WIDTH]gl.Variable
 	var spongeState poseidon.GoldilocksState
 	var inputBuffer []gl.Variable
 	var outputBuffer []gl.Variable
 	for i := 0; i < poseidon.SPONGE_WIDTH; i++ {
@ -40,7 +40,8 @@ func NewChip(api frontend.API) *Chip {
 }

 func (c *Chip) ObserveElement(element gl.Variable) {
 	c.outputBuffer = clearBuffer(c.outputBuffer)
 	// Clear the output buffer
 	c.outputBuffer = make([]gl.Variable, 0)
 	c.inputBuffer = append(c.inputBuffer, element)
 	if len(c.inputBuffer) == poseidon.SPONGE_RATE {
 		c.duplexing()
@ -110,14 +111,13 @@ func (c *Chip) GetExtensionChallenge() gl.QuadraticExtensionVariable {
 }

 func (c *Chip) GetHash() poseidon.GoldilocksHashOut {
 	return [4]gl.Variable{c.GetChallenge(), c.GetChallenge(), c.GetChallenge(), c.GetChallenge()}
 	return [poseidon.POSEIDON_GL_HASH_SIZE]gl.Variable{c.GetChallenge(), c.GetChallenge(), c.GetChallenge(), c.GetChallenge()}
 }

 func (c *Chip) GetFriChallenges(
 	commitPhaseMerkleCaps []variables.FriMerkleCap,
 	finalPoly variables.PolynomialCoeffs,
 	powWitness gl.Variable,
 	degreeBits uint64,
 	config types.FriConfig,
 ) variables.FriChallenges {
 	numFriQueries := config.NumQueryRounds
@ -143,10 +143,6 @@ func (c *Chip) GetFriChallenges(
 	}
 }

 func clearBuffer(buffer []gl.Variable) []gl.Variable {
 	return make([]gl.Variable, 0)
 }

 func (c *Chip) duplexing() {
 	if len(c.inputBuffer) > poseidon.SPONGE_RATE {
 		fmt.Println(len(c.inputBuffer))
@ -158,9 +154,12 @@ func (c *Chip) duplexing() {
 	for i := 0; i < len(c.inputBuffer); i++ {
 		c.spongeState[i] = glApi.Reduce(c.inputBuffer[i])
 	}
 	c.inputBuffer = clearBuffer(c.inputBuffer)
 	// Clear the input buffer
 	c.inputBuffer = make([]gl.Variable, 0)
 	c.spongeState = c.poseidonChip.Poseidon(c.spongeState)
 	clearBuffer(c.outputBuffer)

 	// Clear the output buffer
 	c.outputBuffer = make([]gl.Variable, 0)
 	for i := 0; i < poseidon.SPONGE_RATE; i++ {
 		c.outputBuffer = append(c.outputBuffer, c.spongeState[i])
 	}
--- a/fri/fri.go
+++ b/fri/fri.go
@ -49,14 +49,14 @@ func (f *Chip) GetInstance(zeta gl.QuadraticExtensionVariable) InstanceInfo {
 		zeta,
 	)

 	zetaNextBath := BatchInfo{
 	zetaNextBatch := BatchInfo{
 		Point:       zetaNext,
 		Polynomials: friZSPolys(f.commonData),
 	}

 	return InstanceInfo{
 		Oracles: friOracles(f.commonData),
 		Batches: []BatchInfo{zetaBatch, zetaNextBath},
 		Batches: []BatchInfo{zetaBatch, zetaNextBatch},
 	}
 }

@ -73,12 +73,10 @@ func (f *Chip) ToOpenings(c variables.OpeningSet) Openings {
 }

 func (f *Chip) assertLeadingZeros(powWitness gl.Variable, friConfig types.FriConfig) {
 	// Asserts that powWitness'es big-endian bit representation has at least `leading_zeros` leading zeros.
 	// Asserts that powWitness'es big-endian bit representation has at least friConfig.ProofOfWorkBits leading zeros.
 	// Note that this is assuming that the Goldilocks field is being used.  Specfically that the
 	// field is 64 bits long
 	maxPowWitness := uint64(math.Pow(2, float64(64-friConfig.ProofOfWorkBits))) - 1
 	reducedPowWitness := f.gl.Reduce(powWitness)
 	f.api.AssertIsLessOrEqual(reducedPowWitness.Limb, frontend.Variable(maxPowWitness))
 	// field is 64 bits long.
 	f.gl.RangeCheckWithMaxBits(powWitness, 64-friConfig.ProofOfWorkBits)
 }

 func (f *Chip) fromOpeningsAndAlpha(
@ -128,13 +126,15 @@ func (f *Chip) verifyMerkleProofToCapWithCapIndex(
 	}

 	const NUM_LEAF_LOOKUPS = 4
 	// Each lookup gadget will connect to 4 merkleCap entries
 	const STRIDE_LENGTH = 4
 	var leafLookups [NUM_LEAF_LOOKUPS]poseidon.BN254HashOut
 	// First create the "leaf" lookup2 circuits
 	// The will use the least significant bits of the capIndexBits array
 	// This will use the least significant bits of the capIndexBits array
 	for i := 0; i < NUM_LEAF_LOOKUPS; i++ {
 		leafLookups[i] = f.api.Lookup2(
 			capIndexBits[0], capIndexBits[1],
 			merkleCap[i*NUM_LEAF_LOOKUPS], merkleCap[i*NUM_LEAF_LOOKUPS+1], merkleCap[i*NUM_LEAF_LOOKUPS+2], merkleCap[i*NUM_LEAF_LOOKUPS+3],
 			merkleCap[i*STRIDE_LENGTH], merkleCap[i*STRIDE_LENGTH+1], merkleCap[i*STRIDE_LENGTH+2], merkleCap[i*STRIDE_LENGTH+3],
 		)
 	}

@ -162,7 +162,7 @@ func (f *Chip) expFromBitsConstBase(
 ) gl.Variable {
 	product := gl.One()
 	for i, bit := range exponentBits {
 		// If the bit is on, we multiply product by base^pow.
 		// If the bit is 1, we multiply product by base^pow.
 		// We can arithmetize this as:
 		//     product *= 1 + bit (base^pow - 1)
 		//     product = (base^pow - 1) product bit + product
@ -238,9 +238,11 @@ func (f *Chip) friCombineInitial(
 		numerator := f.gl.SubExtensionNoReduce(reducedEvals, reducedOpenings)
 		denominator := f.gl.SubExtension(subgroupX_QE, point)
 		sum = f.gl.MulExtension(f.gl.ExpExtension(friAlpha, uint64(len(evals))), sum)
 		inv, hasInv := f.gl.InverseExtension(denominator)
 		f.api.AssertIsEqual(hasInv, frontend.Variable(1))
 		sum = f.gl.MulAddExtension(
 			numerator,
 			f.gl.InverseExtension(denominator),
 			inv,
 			sum,
 		)
 	}
@ -272,17 +274,23 @@ func (f *Chip) interpolate(
 	}

 	sum := gl.ZeroExtension()

 	lookupFromPoints := frontend.Variable(1)
 	for i := 0; i < len(xPoints); i++ {
 		quotient, hasQuotient := f.gl.DivExtension(
 			barycentricWeights[i],
 			f.gl.SubExtension(
 				x,
 				xPoints[i],
 			),
 		)

 		lookupFromPoints = f.api.Mul(hasQuotient, lookupFromPoints)

 		sum = f.gl.AddExtension(
 			f.gl.MulExtension(
 				f.gl.DivExtension(
 					barycentricWeights[i],
 					f.gl.SubExtension(
 						x,
 						xPoints[i],
 					),
 				),
 				yPoints[i],
 				quotient,
 			),
 			sum,
 		)
@ -290,17 +298,17 @@ func (f *Chip) interpolate(

 	interpolation := f.gl.MulExtension(lX, sum)

 	returnField := interpolation
 	lookupVal := gl.ZeroExtension()
 	// Now check if x is already within the xPoints
 	for i := 0; i < len(xPoints); i++ {
 		returnField = f.gl.Lookup(
 		lookupVal = f.gl.Lookup(
 			f.gl.IsZero(f.gl.SubExtension(x, xPoints[i])),
 			returnField,
 			lookupVal,
 			yPoints[i],
 		)
 	}

 	return returnField
 	return f.gl.Lookup(lookupFromPoints, lookupVal, interpolation)
 }

 func (f *Chip) computeEvaluation(
@ -312,7 +320,7 @@ func (f *Chip) computeEvaluation(
 ) gl.QuadraticExtensionVariable {
 	arity := 1 << arityBits
 	if (len(evals)) != arity {
 		panic("len(evals) ! arity")
 		panic("len(evals) != arity")
 	}
 	if arityBits > 8 {
 		panic("currently assuming that arityBits is <= 8")
@ -327,8 +335,8 @@ func (f *Chip) computeEvaluation(
 	// OPTIMIZE - Since the size of the evals array should be constant (e.g. 2^arityBits),
 	//        we can just hard code the permutation.
 	permutedEvals := make([]gl.QuadraticExtensionVariable, len(evals))
 	for i := uint8(0); i < uint8(len(evals)); i++ {
 		newIndex := bits.Reverse8(i) >> arityBits
 	for i := uint8(0); i <= uint8(len(evals)-1); i++ {
 		newIndex := bits.Reverse8(i) >> (8 - arityBits)
 		permutedEvals[newIndex] = evals[i]
 	}

@ -367,7 +375,9 @@ func (f *Chip) computeEvaluation(
 		}
 		// Take the inverse of the barycentric weights
 		// OPTIMIZE: Can provide a witness to this value
 		barycentricWeights[i] = f.gl.InverseExtension(barycentricWeights[i])
 		inv, hasInv := f.gl.InverseExtension(barycentricWeights[i])
 		f.api.AssertIsEqual(hasInv, frontend.Variable(1))
 		barycentricWeights[i] = inv
 	}

 	return f.interpolate(beta, xPoints, yPoints, barycentricWeights)
--- a/fri/fri_test.go
+++ b/fri/fri_test.go
@ -52,7 +52,6 @@ func (circuit *TestFriCircuit) Define(api frontend.API) error {
 		proofWithPis.Proof.OpeningProof.CommitPhaseMerkleCaps,
 		proofWithPis.Proof.OpeningProof.FinalPoly,
 		proofWithPis.Proof.OpeningProof.PowWitness,
 		commonCircuitData.DegreeBits,
 		commonCircuitData.Config.FriConfig,
 	)

--- a/goldilocks/base.go
+++ b/goldilocks/base.go
@ -38,9 +38,6 @@ var POWER_OF_TWO_GENERATOR goldilocks.Element = goldilocks.NewElement(1753635133
 // The modulus of the field.
 var MODULUS *big.Int = emulated.Goldilocks{}.Modulus()

 // The threshold maximum number of bits at which we must reduce the element.
 var REDUCE_NB_BITS_THRESHOLD uint8 = 254 - 64

 // The number of bits to use for range checks on inner products of field elements.
 var RANGE_CHECK_NB_BITS int = 140

@ -90,38 +87,41 @@ func New(api frontend.API) *Chip {
 	return &Chip{api: api, rangeChecker: rangeChecker}
 }

 // Adds two field elements such that x + y = z within the Golidlocks field.
 // Adds two goldilocks field elements and returns a value within the goldilocks field.
 func (p *Chip) Add(a Variable, b Variable) Variable {
 	return p.MulAdd(a, NewVariable(1), b)
 }

 // Adds two field elements such that x + y = z within the Golidlocks field without reducing.
 // Adds two goldilocks field elements and returns a value that may not be within the goldilocks field
 // (e.g. the sum is not reduced).
 func (p *Chip) AddNoReduce(a Variable, b Variable) Variable {
 	return NewVariable(p.api.Add(a.Limb, b.Limb))
 }

 // Subtracts two field elements such that x + y = z within the Golidlocks field.
 // Subracts two goldilocks field elements and returns a value within the goldilocks field.
 func (p *Chip) Sub(a Variable, b Variable) Variable {
 	return p.MulAdd(b, NewVariable(MODULUS.Uint64()-1), a)
 	return p.MulAdd(b, NegOne(), a)
 }

 // Subtracts two field elements such that x + y = z within the Golidlocks field without reducing.
 // Subracts two goldilocks field elements and returns a value that may not be within the goldilocks field
 // (e.g. the difference is not reduced).
 func (p *Chip) SubNoReduce(a Variable, b Variable) Variable {
 	return NewVariable(p.api.Add(a.Limb, p.api.Mul(b.Limb, MODULUS.Uint64()-1)))
 	return NewVariable(p.api.Add(a.Limb, p.api.Mul(b.Limb, NegOne().Limb)))
 }

 // Multiplies two field elements such that x * y = z within the Golidlocks field.
 // Multiplies two goldilocks field elements and returns a value within the goldilocks field.
 func (p *Chip) Mul(a Variable, b Variable) Variable {
 	return p.MulAdd(a, b, Zero())
 }

 // Multiplies two field elements such that x * y = z within the Golidlocks field without reducing.
 // Multiplies two goldilocks field elements and returns a value that may not be within the goldilocks field
 // (e.g. the product is not reduced).
 func (p *Chip) MulNoReduce(a Variable, b Variable) Variable {
 	return NewVariable(p.api.Mul(a.Limb, b.Limb))
 }

 // Multiplies two field elements and adds a field element such that x * y + z = c within the
 // Golidlocks field.
 // Multiplies two field elements and adds a field element (e.g. computes a * b + c).  The returned value
 // will be within the goldilocks field.
 func (p *Chip) MulAdd(a Variable, b Variable, c Variable) Variable {
 	result, err := p.api.Compiler().NewHint(MulAddHint, 2, a.Limb, b.Limb, c.Limb)
 	if err != nil {
@ -131,7 +131,8 @@ func (p *Chip) MulAdd(a Variable, b Variable, c Variable) Variable {
 	quotient := NewVariable(result[0])
 	remainder := NewVariable(result[1])

 	lhs := p.api.MulAcc(c.Limb, a.Limb, b.Limb)
 	cLimbCopy := p.api.Mul(c.Limb, 1)
 	lhs := p.api.MulAcc(cLimbCopy, a.Limb, b.Limb)
 	rhs := p.api.MulAcc(remainder.Limb, MODULUS, quotient.Limb)
 	p.api.AssertIsEqual(lhs, rhs)

@ -140,10 +141,11 @@ func (p *Chip) MulAdd(a Variable, b Variable, c Variable) Variable {
 	return remainder
 }

 // Multiplies two field elements and adds a field element such that x * y + z = c within the
 // Golidlocks field without reducing.
 // Multiplies two field elements and adds a field element (e.g. computes a * b + c).  The returned value
 // may no be within the goldilocks field (e.g. the result is not reduced).
 func (p *Chip) MulAddNoReduce(a Variable, b Variable, c Variable) Variable {
 	return NewVariable(p.api.MulAcc(c.Limb, a.Limb, b.Limb))
 	cLimbCopy := p.api.Mul(c.Limb, 1)
 	return NewVariable(p.api.MulAcc(cLimbCopy, a.Limb, b.Limb))
 }

 // The hint used to compute MulAdd.
@ -179,18 +181,7 @@ func (p *Chip) Reduce(x Variable) Variable {
 	// that this computation does not overflow. We use 2^RANGE_CHECK_NB_BITS to reduce the cost of the range check
 	//
 	// In other words, we assume that we at most compute a a dot product with dimension at most RANGE_CHECK_NB_BITS - 128.

 	result, err := p.api.Compiler().NewHint(ReduceHint, 2, x.Limb)
 	if err != nil {
 		panic(err)
 	}

 	quotient := result[0]
 	p.rangeChecker.Check(quotient, RANGE_CHECK_NB_BITS)

 	remainder := NewVariable(result[1])
 	p.RangeCheck(remainder)
 	return remainder
 	return p.ReduceWithMaxBits(x, uint64(RANGE_CHECK_NB_BITS))
 }

 // Reduces a field element x such that x % MODULUS = y.
@ -212,6 +203,9 @@ func (p *Chip) ReduceWithMaxBits(x Variable, maxNbBits uint64) Variable {

 	remainder := NewVariable(result[1])
 	p.RangeCheck(remainder)

 	p.api.AssertIsEqual(x.Limb, p.api.Add(p.api.Mul(quotient, MODULUS), remainder.Limb))

 	return remainder
 }

@ -229,16 +223,22 @@ func ReduceHint(_ *big.Int, inputs []*big.Int, results []*big.Int) error {
 }

 // Computes the inverse of a field element x such that x * x^-1 = 1.
 func (p *Chip) Inverse(x Variable) Variable {
 func (p *Chip) Inverse(x Variable) (Variable, frontend.Variable) {
 	result, err := p.api.Compiler().NewHint(InverseHint, 1, x.Limb)
 	if err != nil {
 		panic(err)
 	}

 	inverse := NewVariable(result[0])
 	isZero := p.api.IsZero(x.Limb)
 	hasInv := p.api.Sub(1, isZero)
 	p.RangeCheck(inverse)

 	product := p.Mul(inverse, x)
 	p.api.AssertIsEqual(product.Limb, frontend.Variable(1))
 	return inverse
 	productToCheck := p.api.Select(hasInv, product.Limb, frontend.Variable(1))
 	p.api.AssertIsEqual(productToCheck, frontend.Variable(1))

 	return inverse, hasInv
 }

 // The hint used to compute Inverse.
@ -254,6 +254,8 @@ func InverseHint(_ *big.Int, inputs []*big.Int, results []*big.Int) error {

 	inputGl := goldilocks.NewElement(input.Uint64())
 	resultGl := goldilocks.NewElement(0)

 	// Will set resultGL if inputGL == 0
 	resultGl.Inverse(&inputGl)

 	result := big.NewInt(0)
@ -262,28 +264,6 @@ func InverseHint(_ *big.Int, inputs []*big.Int, results []*big.Int) error {
 	return nil
 }

 // Computes a field element raised to some power.
 func (p *Chip) Exp(x Variable, k *big.Int) Variable {
 	if k.IsUint64() && k.Uint64() == 0 {
 		return One()
 	}

 	e := k
 	if k.Sign() == -1 {
 		panic("Unsupported negative exponent. Need to implement inversion.")
 	}

 	z := x
 	for i := e.BitLen() - 2; i >= 0; i-- {
 		z = p.Mul(z, z)
 		if e.Bit(i) == 1 {
 			z = p.Mul(z, x)
 		}
 	}

 	return z
 }

 // The hint used to split a GoldilocksVariable into 2 32 bit limbs.
 func SplitLimbsHint(_ *big.Int, inputs []*big.Int, results []*big.Int) error {
 	if len(inputs) != 1 {
@ -348,6 +328,11 @@ func (p *Chip) RangeCheck(x Variable) {
 	)
 }

 // This function will assert that the field element x is less than 2^maxNbBits.
 func (p *Chip) RangeCheckWithMaxBits(x Variable, maxNbBits uint64) {
 	p.rangeChecker.Check(x.Limb, int(maxNbBits))
 }

 func (p *Chip) AssertIsEqual(x, y Variable) {
 	p.api.AssertIsEqual(x.Limb, y.Limb)
 }
@ -373,7 +358,7 @@ func TwoAdicSubgroup(nLog uint64) []goldilocks.Element {
 	rootOfUnity := PrimitiveRootOfUnity(nLog)
 	res = append(res, goldilocks.NewElement(1))

 	for i := 0; i < (1 << nLog); i++ {
 	for i := 0; i < (1<<nLog)-1; i++ {
 		lastElement := res[len(res)-1]
 		res = append(res, *lastElement.Mul(&lastElement, &rootOfUnity))
 	}
--- a/goldilocks/quadratic_extension.go
+++ b/goldilocks/quadratic_extension.go
@ -58,15 +58,13 @@ func (p *Chip) SubExtensionNoReduce(a, b QuadraticExtensionVariable) QuadraticEx
 // Multiplies quadratic extension variable in the Goldilocks field.
 func (p *Chip) MulExtension(a, b QuadraticExtensionVariable) QuadraticExtensionVariable {
 	product := p.MulExtensionNoReduce(a, b)
 	product[0] = p.Reduce(product[0])
 	product[1] = p.Reduce(product[1])
 	return product
 	return p.ReduceExtension(product)
 }

 // Multiplies quadratic extension variable in the Goldilocks field without reducing.
 func (p *Chip) MulExtensionNoReduce(a, b QuadraticExtensionVariable) QuadraticExtensionVariable {
 	c0o0 := p.MulNoReduce(a[0], b[0])
 	c0o1 := p.MulNoReduce(p.MulNoReduce(NewVariable(7), a[1]), b[1])
 	c0o1 := p.MulNoReduce(p.MulNoReduce(NewVariable(W), a[1]), b[1])
 	c0 := p.AddNoReduce(c0o0, c0o1)
 	c1 := p.AddNoReduce(p.MulNoReduce(a[0], b[1]), p.MulNoReduce(a[1], b[0]))
 	return NewQuadraticExtensionVariable(c0, c1)
@ -77,9 +75,7 @@ func (p *Chip) MulExtensionNoReduce(a, b QuadraticExtensionVariable) QuadraticEx
 func (p *Chip) MulAddExtension(a, b, c QuadraticExtensionVariable) QuadraticExtensionVariable {
 	product := p.MulExtensionNoReduce(a, b)
 	sum := p.AddExtensionNoReduce(product, c)
 	sum[0] = p.Reduce(sum[0])
 	sum[1] = p.Reduce(sum[1])
 	return sum
 	return p.ReduceExtension(sum)
 }

 func (p *Chip) MulAddExtensionNoReduce(a, b, c QuadraticExtensionVariable) QuadraticExtensionVariable {
@ -88,14 +84,12 @@ func (p *Chip) MulAddExtensionNoReduce(a, b, c QuadraticExtensionVariable) Quadr
 	return sum
 }

 // Multiplies two operands a and b and subtracts to c in the Goldilocks extension field. a * b - c must
 // Subtracts two operands a and b and multiplies the diff by c in the Goldilocks extension field. (a - b) * c must
 // be less than RANGE_CHECK_NB_BITS bits.
 func (p *Chip) SubMulExtension(a, b, c QuadraticExtensionVariable) QuadraticExtensionVariable {
 	difference := p.SubExtensionNoReduce(a, b)
 	product := p.MulExtensionNoReduce(difference, c)
 	product[0] = p.Reduce(product[0])
 	product[1] = p.Reduce(product[1])
 	return product
 	return p.ReduceExtension(product)
 }

 // Multiplies quadratic extension variable in the Goldilocks field by a scalar.
@ -126,21 +120,23 @@ func (p *Chip) InnerProductExtension(
 }

 // Computes the inverse of a quadratic extension variable in the Goldilocks field.
 func (p *Chip) InverseExtension(a QuadraticExtensionVariable) QuadraticExtensionVariable {
 	a0IsZero := p.api.IsZero(a[0].Limb)
 	a1IsZero := p.api.IsZero(a[1].Limb)
 	p.api.AssertIsEqual(p.api.Mul(a0IsZero, a1IsZero), frontend.Variable(0))
 func (p *Chip) InverseExtension(a QuadraticExtensionVariable) (QuadraticExtensionVariable, frontend.Variable) {
 	aIsZero := p.IsZero(a)
 	p.api.AssertIsEqual(aIsZero, frontend.Variable(0))
 	aPowRMinus1 := QuadraticExtensionVariable{
 		a[0],
 		p.Mul(a[1], NewVariable(DTH_ROOT)),
 	}
 	aPowR := p.MulExtension(aPowRMinus1, a)
 	return p.ScalarMulExtension(aPowRMinus1, p.Inverse(aPowR[0]))

 	aPowRInv, hasInv := p.Inverse(aPowR[0])
 	return p.ScalarMulExtension(aPowRMinus1, aPowRInv), hasInv
 }

 // Divides two quadratic extension variables in the Goldilocks field.
 func (p *Chip) DivExtension(a, b QuadraticExtensionVariable) QuadraticExtensionVariable {
 	return p.MulExtension(a, p.InverseExtension(b))
 func (p *Chip) DivExtension(a, b QuadraticExtensionVariable) (QuadraticExtensionVariable, frontend.Variable) {
 	bInv, hasInv := p.InverseExtension(b)
 	return p.MulExtension(a, bInv), hasInv
 }

 // Exponentiates a quadratic extension variable to some exponent in the Golidlocks field.
@ -213,7 +209,7 @@ func (p *Chip) Lookup(
 	return NewQuadraticExtensionVariable(NewVariable(c0), NewVariable(c1))
 }

 // Lookup2 is similar to select2, but returns the first variable if the bit is zero and vice-versa.
 // Lookup2 is similar to Lookup2.  It returns the ith qe value (0 indexed) where i is bit decomposed to b0,b1 (little endian).
 func (p *Chip) Lookup2(
 	b0 frontend.Variable,
 	b1 frontend.Variable,
--- a/goldilocks/quadratic_extension_algebra.go
+++ b/goldilocks/quadratic_extension_algebra.go
@ -14,7 +14,7 @@ func NewQuadraticExtensionAlgebraVariable(
 }

 func (p QuadraticExtensionVariable) ToQuadraticExtensionAlgebra() QuadraticExtensionAlgebraVariable {
 	return [2]QuadraticExtensionVariable{p, ZeroExtension()}
 	return [D]QuadraticExtensionVariable{p, ZeroExtension()}
 }

 func ZeroExtensionAlgebra() QuadraticExtensionAlgebraVariable {
--- a/goldilocks/quadratic_extension_test.go
+++ b/goldilocks/quadratic_extension_test.go
@ -59,7 +59,7 @@ type TestQuadraticExtensionDivCircuit struct {

 func (c *TestQuadraticExtensionDivCircuit) Define(api frontend.API) error {
 	glAPI := New(api)
 	actualRes := glAPI.DivExtension(c.Operand1, c.Operand2)
 	actualRes, _ := glAPI.DivExtension(c.Operand1, c.Operand2)
 	glAPI.AssertIsEqual(actualRes[0], c.ExpectedResult[0])
 	glAPI.AssertIsEqual(actualRes[1], c.ExpectedResult[1])
 	return nil
--- a/plonk/gates/arithmetic_extension_gate.go
+++ b/plonk/gates/arithmetic_extension_gate.go
@ -9,7 +9,7 @@ import (
 	gl "github.com/succinctlabs/gnark-plonky2-verifier/goldilocks"
 )

 var aritheticExtensionGateRegex = regexp.MustCompile("ArithmeticExtensionGate { num_ops: (?P<numOps>[0-9]+) }")
 var arithmeticExtensionGateRegex = regexp.MustCompile("ArithmeticExtensionGate { num_ops: (?P<numOps>[0-9]+) }")

 func deserializeExtensionArithmeticGate(parameters map[string]string) Gate {
 	// Has the format "ArithmeticExtensionGate { num_ops: 10 }"
--- a/plonk/gates/arithmetic_gate.go
+++ b/plonk/gates/arithmetic_gate.go
@ -9,7 +9,7 @@ import (
 	gl "github.com/succinctlabs/gnark-plonky2-verifier/goldilocks"
 )

 var aritheticGateRegex = regexp.MustCompile("ArithmeticGate { num_ops: (?P<numOps>[0-9]+) }")
 var arithmeticGateRegex = regexp.MustCompile("ArithmeticGate { num_ops: (?P<numOps>[0-9]+) }")

 func deserializeArithmeticGate(parameters map[string]string) Gate {
 	// Has the format "ArithmeticGate { num_ops: 10 }"
--- a/plonk/gates/base_sum_gate.go
+++ b/plonk/gates/base_sum_gate.go
@ -51,7 +51,7 @@ func NewBaseSumGate(numLimbs uint64, base uint64) *BaseSumGate {
 }

 func (g *BaseSumGate) Id() string {
 	return fmt.Sprintf("BaseSumGate { num_ops: %d } + Base: %d", g.numLimbs, g.base)
 	return fmt.Sprintf("BaseSumGate { num_limbs: %d } + Base: %d", g.numLimbs, g.base)
 }

 func (g *BaseSumGate) limbs() []uint64 {
--- a/plonk/gates/constant_gate.go
+++ b/plonk/gates/constant_gate.go
@ -41,14 +41,14 @@ func (g *ConstantGate) Id() string {
 }

 func (g *ConstantGate) ConstInput(i uint64) uint64 {
 	if i > g.numConsts {
 	if i >= g.numConsts {
 		panic("Invalid constant index")
 	}
 	return i
 }

 func (g *ConstantGate) WireOutput(i uint64) uint64 {
 	if i > g.numConsts {
 	if i >= g.numConsts {
 		panic("Invalid wire index")
 	}
 	return i
--- a/plonk/gates/coset_interpolation_gate.go
+++ b/plonk/gates/coset_interpolation_gate.go
@ -32,6 +32,9 @@ func deserializeCosetInterpolationGate(parameters map[string]string) Gate {
 	if err != nil {
 		panic("invalid degree in CosetInterpolationGate")
 	}
 	if degreeInt < 2 {
 		panic("degree must be at least 2 in CosetInterpolationGate")
 	}

 	barycentricWeightsStr := strings.Split(barycentricWeights, ",")
 	barycentricWeightsInt := make([]goldilocks.Element, len(barycentricWeightsStr))
@ -199,6 +202,10 @@ func (g *CosetInterpolationGate) EvalUnfiltered(

 		startIndex := 1 + (g.degree-1)*(i+1)
 		endIndex := startIndex + g.degree - 1
 		if endIndex > g.numPoints() {
 			endIndex = g.numPoints()
 		}

 		computedEval, computedProd = glApi.PartialInterpolateExtAlgebra(
 			domain[startIndex:endIndex],
 			values[startIndex:endIndex],
--- a/plonk/gates/exponentiation_gate.go
+++ b/plonk/gates/exponentiation_gate.go
@ -23,6 +23,20 @@ func deserializeExponentiationGate(parameters map[string]string) Gate {
 		panic("Invalid num_power_bits field in ExponentiationGate")
 	}

 	base, hasBase := parameters["base"]
 	if !hasBase {
 		panic("Missing field base in ExponentiationGate")
 	}

 	baseInt, err := strconv.Atoi(base)
 	if err != nil {
 		panic("Invalid base field in ExponentiationGate")
 	}

 	if baseInt != gl.D {
 		panic("Expected base field in ExponentiationGate to equal gl.D")
 	}

 	return NewExponentiationGate(uint64(numPowerBitsInt))
 }

--- a/plonk/gates/gates.go
+++ b/plonk/gates/gates.go
@ -18,20 +18,20 @@ type Gate interface {
 }

 var gateRegexHandlers = map[*regexp.Regexp]func(parameters map[string]string) Gate{
 	aritheticGateRegex:          deserializeArithmeticGate,
 	aritheticExtensionGateRegex: deserializeExtensionArithmeticGate,
 	baseSumGateRegex:            deserializeBaseSumGate,
 	constantGateRegex:           deserializeConstantGate,
 	cosetInterpolationGateRegex: deserializeCosetInterpolationGate,
 	exponentiationGateRegex:     deserializeExponentiationGate,
 	mulExtensionGateRegex:       deserializeMulExtensionGate,
 	noopGateRegex:               deserializeNoopGate,
 	poseidonGateRegex:           deserializePoseidonGate,
 	poseidonMdsGateRegex:        deserializePoseidonMdsGate,
 	publicInputGateRegex:        deserializePublicInputGate,
 	randomAccessGateRegex:       deserializeRandomAccessGate,
 	reducingExtensionGateRegex:  deserializeReducingExtensionGate,
 	reducingGateRegex:           deserializeReducingGate,
 	arithmeticGateRegex:          deserializeArithmeticGate,
 	arithmeticExtensionGateRegex: deserializeExtensionArithmeticGate,
 	baseSumGateRegex:             deserializeBaseSumGate,
 	constantGateRegex:            deserializeConstantGate,
 	cosetInterpolationGateRegex:  deserializeCosetInterpolationGate,
 	exponentiationGateRegex:      deserializeExponentiationGate,
 	mulExtensionGateRegex:        deserializeMulExtensionGate,
 	noopGateRegex:                deserializeNoopGate,
 	poseidonGateRegex:            deserializePoseidonGate,
 	poseidonMdsGateRegex:         deserializePoseidonMdsGate,
 	publicInputGateRegex:         deserializePublicInputGate,
 	randomAccessGateRegex:        deserializeRandomAccessGate,
 	reducingExtensionGateRegex:   deserializeReducingExtensionGate,
 	reducingGateRegex:            deserializeReducingGate,
 }

 func GateInstanceFromId(gateId string) Gate {
--- a/plonk/gates/multiplication_extension_gate.go
+++ b/plonk/gates/multiplication_extension_gate.go
@ -37,7 +37,7 @@ func NewMultiplicationExtensionGate(numOps uint64) *MultiplicationExtensionGate
 }

 func (g *MultiplicationExtensionGate) Id() string {
 	return fmt.Sprintf("ArithmeticExtensionGate { num_ops: %d }", g.numOps)
 	return fmt.Sprintf("MulExtensionGate { num_ops: %d }", g.numOps)
 }

 func (g *MultiplicationExtensionGate) wiresIthMultiplicand0(i uint64) Range {
--- a/plonk/gates/poseidon_mds_gate.go
+++ b/plonk/gates/poseidon_mds_gate.go
@ -90,7 +90,9 @@ func (g *PoseidonMdsGate) EvalUnfiltered(
 	for i := uint64(0); i < poseidon.SPONGE_WIDTH; i++ {
 		output := vars.GetLocalExtAlgebra(g.WireOutput(i))
 		diff := glApi.SubExtensionAlgebra(output, computed_outputs[i])
 		constraints = append(constraints, diff[0], diff[1])
 		for i := 0; i < gl.D; i++ {
 			constraints = append(constraints, diff[i])
 		}
 	}

 	return constraints
--- a/plonk/gates/public_input_gate.go
+++ b/plonk/gates/public_input_gate.go
@ -38,7 +38,7 @@ func (g *PublicInputGate) EvalUnfiltered(

 	wires := g.WiresPublicInputsHash()
 	hash_parts := vars.publicInputsHash
 	for i := 0; i < 4; i++ {
 	for i := 0; i < len(wires); i++ {
 		wire := wires[i]
 		hash_part := hash_parts[i]

--- a/plonk/gates/random_access_gate.go
+++ b/plonk/gates/random_access_gate.go
@ -36,6 +36,20 @@ func deserializeRandomAccessGate(parameters map[string]string) Gate {
 		panic("invalid numExtraConstants in RandomAccessGate")
 	}

 	base, hasBase := parameters["base"]
 	if !hasBase {
 		panic("Missing field base in RandomAccessGate")
 	}

 	baseInt, err := strconv.Atoi(base)
 	if err != nil {
 		panic("Invalid base field in RandomAccessGate")
 	}

 	if baseInt != gl.D {
 		panic("Expected base field in RandomAccessGate to equal gl.D")
 	}

 	return NewRandomAccessGate(bitsInt, numCopiesInt, numExtraConstantsInt)
 }

@ -151,14 +165,12 @@ func (g *RandomAccessGate) EvalUnfiltered(
 				y := listItems[i+1]

 				// This is computing `if b { x } else { y }`
 				// i.e. `bx - (by-y)`.
 				mul1 := glApi.MulExtension(b, x)
 				sub1 := glApi.SubExtension(mul1, x)

 				mul2 := glApi.MulExtension(b, y)
 				sub2 := glApi.SubExtension(mul2, sub1)
 				// i.e. `x + b(y - x)`.
 				diff := glApi.SubExtension(y, x)
 				mul := glApi.MulExtension(b, diff)
 				add := glApi.AddExtension(x, mul)

 				listItemsTmp = append(listItemsTmp, sub2)
 				listItemsTmp = append(listItemsTmp, add)
 			}
 			listItems = listItemsTmp
 		}
--- a/plonk/gates/reducing_extension_gate.go
+++ b/plonk/gates/reducing_extension_gate.go
@ -12,7 +12,7 @@ import (
 var reducingExtensionGateRegex = regexp.MustCompile("ReducingExtensionGate { num_coeffs: (?P<numCoeffs>[0-9]+) }")

 func deserializeReducingExtensionGate(parameters map[string]string) Gate {
 	// Has the format "ReducingGate { num_coeffs: 33 }"
 	// Has the format "ReducingExtensionGate { num_coeffs: 33 }"
 	numCoeffs, hasNumCoeffs := parameters["numCoeffs"]
 	if !hasNumCoeffs {
 		panic("Missing field num_coeffs in ReducingExtensionGate")
@ -39,7 +39,7 @@ func NewReducingExtensionGate(numCoeffs uint64) *ReducingExtensionGate {
 }

 func (g *ReducingExtensionGate) Id() string {
 	return fmt.Sprintf("ReducingExtensionGate { num_ops: %d }", g.numCoeffs)
 	return fmt.Sprintf("ReducingExtensionGate { num_coeffs: %d }", g.numCoeffs)
 }

 func (g *ReducingExtensionGate) wiresOutput() Range {
--- a/plonk/gates/reducing_gate.go
+++ b/plonk/gates/reducing_gate.go
@ -39,7 +39,7 @@ func NewReducingGate(numCoeffs uint64) *ReducingGate {
 }

 func (g *ReducingGate) Id() string {
 	return fmt.Sprintf("ReducingExtensionGate { num_ops: %d }", g.numCoeffs)
 	return fmt.Sprintf("ReducingGate { num_coeffs: %d }", g.numCoeffs)
 }

 func (g *ReducingGate) wiresOutput() Range {
@ -96,11 +96,7 @@ func (g *ReducingGate) EvalUnfiltered(
 	constraints := []gl.QuadraticExtensionVariable{}
 	acc := oldAcc
 	for i := uint64(0); i < g.numCoeffs; i++ {
 		var coeff gl.QuadraticExtensionAlgebraVariable
 		for j := 0; j < gl.D; j++ {
 			coeff[j] = gl.ZeroExtension()
 		}
 		coeff[0] = coeffs[i]
 		coeff := coeffs[i].ToQuadraticExtensionAlgebra()
 		tmp := glApi.MulExtensionAlgebra(acc, alpha)
 		tmp = glApi.AddExtensionAlgebra(tmp, coeff)
 		tmp = glApi.SubExtensionAlgebra(tmp, accs[i])
--- a/plonk/plonk.go
+++ b/plonk/plonk.go
@ -71,10 +71,15 @@ func (p *PlonkChip) evalL0(x gl.QuadraticExtensionVariable, xPowN gl.QuadraticEx
 		glApi.ScalarMulExtension(x, p.DEGREE),
 		p.DEGREE_QE,
 	)
 	return glApi.DivExtension(

 	quotient, hasQuotient := glApi.DivExtension(
 		evalZeroPoly,
 		denominator,
 	)

 	p.api.AssertIsEqual(hasQuotient, frontend.Variable(1))

 	return quotient
 }

 func (p *PlonkChip) checkPartialProducts(
--- a/poseidon/bn254.go
+++ b/poseidon/bn254.go
@ -10,6 +10,7 @@ package poseidon
 import (
 	"math/big"

 	"github.com/consensys/gnark-crypto/ecc/bn254"
 	"github.com/consensys/gnark/frontend"
 	gl "github.com/succinctlabs/gnark-plonky2-verifier/goldilocks"
 )
@ -28,6 +29,10 @@ type BN254State = [BN254_SPONGE_WIDTH]frontend.Variable
 type BN254HashOut = frontend.Variable

 func NewBN254Chip(api frontend.API) *BN254Chip {
 	if api.Compiler().Field().Cmp(bn254.ID.ScalarField()) != 0 {
 		panic("Gnark compiler not set to BN254 scalar field")
 	}

 	return &BN254Chip{api: api, gl: *gl.New(api)}
 }

@ -76,8 +81,10 @@ func (c *BN254Chip) HashOrNoop(input []gl.Variable) BN254HashOut {
 		returnVal := frontend.Variable(0)

 		alpha := new(big.Int).SetInt64(1 << 32)
 		alpha = new(big.Int).Mul(alpha, alpha)
 		for i, inputElement := range input {
 			returnVal = c.api.MulAcc(returnVal, inputElement, alpha.Exp(alpha, big.NewInt(int64(i)), nil))
 			mulFactor := new(big.Int).Exp(alpha, big.NewInt(int64(i)), nil)
 			returnVal = c.api.MulAcc(returnVal, inputElement.Limb, mulFactor)
 		}

 		return BN254HashOut(returnVal)
--- a/poseidon/goldilocks.go
+++ b/poseidon/goldilocks.go
@ -7,13 +7,13 @@ import (

 const HALF_N_FULL_ROUNDS = 4
 const N_PARTIAL_ROUNDS = 22
 const MAX_WIDTH = 12
 const SPONGE_WIDTH = 12
 const SPONGE_RATE = 8
 const POSEIDON_GL_HASH_SIZE = 4

 type GoldilocksState = [SPONGE_WIDTH]gl.Variable
 type GoldilocksStateExtension = [SPONGE_WIDTH]gl.QuadraticExtensionVariable
 type GoldilocksHashOut = [4]gl.Variable
 type GoldilocksHashOut = [POSEIDON_GL_HASH_SIZE]gl.Variable

 type GoldilocksChip struct {
 	api frontend.API `gnark:"-"`
@ -77,8 +77,8 @@ func (c *GoldilocksChip) HashNoPad(input []gl.Variable) GoldilocksHashOut {
 		inputVars = append(inputVars, c.gl.Reduce(input[i]))
 	}

 	outputVars := c.HashNToMNoPad(inputVars, 4)
 	for i := 0; i < 4; i++ {
 	outputVars := c.HashNToMNoPad(inputVars, len(hash))
 	for i := 0; i < len(hash); i++ {
 		hash[i] = outputVars[i]
 	}

@ -118,7 +118,7 @@ func (c *GoldilocksChip) constantLayer(state GoldilocksState, roundCounter *int)
 	for i := 0; i < 12; i++ {
 		if i < SPONGE_WIDTH {
 			roundConstant := ALL_ROUND_CONSTANTS[i+SPONGE_WIDTH*(*roundCounter)]
 			state[i] = c.gl.MulAdd(state[i], gl.NewVariable(1), gl.NewVariable(roundConstant))
 			state[i] = c.gl.Add(state[i], gl.NewVariable(roundConstant))
 		}
 	}
 	return state
@ -169,7 +169,7 @@ func (c *GoldilocksChip) SBoxLayerExtension(state GoldilocksStateExtension) Gold
 	return state
 }

 func (c *GoldilocksChip) mdsRowShf(r int, v [SPONGE_WIDTH]gl.Variable) gl.Variable {
 func (c *GoldilocksChip) mdsRowShf(r int, v GoldilocksState) gl.Variable {
 	res := gl.Zero()

 	for i := 0; i < 12; i++ {
@ -182,7 +182,7 @@ func (c *GoldilocksChip) mdsRowShf(r int, v [SPONGE_WIDTH]gl.Variable) gl.Variab
 	return c.gl.Reduce(res)
 }

 func (c *GoldilocksChip) MdsRowShfExtension(r int, v [SPONGE_WIDTH]gl.QuadraticExtensionVariable) gl.QuadraticExtensionVariable {
 func (c *GoldilocksChip) MdsRowShfExtension(r int, v GoldilocksStateExtension) gl.QuadraticExtensionVariable {
 	res := gl.ZeroExtension()

 	for i := 0; i < 12; i++ {
@ -251,7 +251,7 @@ func (c *GoldilocksChip) PartialFirstConstantLayerExtension(state GoldilocksStat
 func (c *GoldilocksChip) mdsPartialLayerInit(state GoldilocksState) GoldilocksState {
 	var result GoldilocksState
 	for i := 0; i < 12; i++ {
 		result[i] = gl.NewVariable(0)
 		result[i] = gl.Zero()
 	}

 	result[0] = state[0]
--- a/types/common_data.go
+++ b/types/common_data.go
@ -118,5 +118,10 @@ func ReadCommonCircuitData(path string) CommonCircuitData {
 	commonCircuitData.KIs = raw.KIs
 	commonCircuitData.NumPartialProducts = raw.NumPartialProducts

 	// Don't support circuits that have hiding enabled
 	if raw.FriParams.Hiding {
 		panic("Circuit has hiding enabled, which is not supported")
 	}

 	return commonCircuitData
 }
--- a/types/utils.go
+++ b/types/utils.go
@ -1,21 +0,0 @@
 package types

 func ReductionArityBits(
 	arityBits uint64,
 	finalPolyBits uint64,
 	degreeBits uint64,
 	rateBits uint64,
 	capHeight uint64,
 ) []uint64 {
 	returnArr := make([]uint64, 0)

 	for degreeBits > finalPolyBits && degreeBits+rateBits-arityBits >= capHeight {
 		returnArr = append(returnArr, arityBits)
 		if degreeBits < arityBits {
 			panic("degreeBits < arityBits")
 		}
 		degreeBits -= arityBits
 	}

 	return returnArr
 }
--- a/variables/plonk.go
+++ b/variables/plonk.go
@ -12,18 +12,6 @@ type OpeningSet struct {
 	QuotientPolys   []gl.QuadraticExtensionVariable // Length = CommonCircuitData.NumChallenges * CommonCircuitData.QuotientDegreeFactor
 }

 func NewOpeningSet(numConstants uint64, numRoutedWires uint64, numWires uint64, numChallenges uint64, numPartialProducts uint64, quotientDegreeFactor uint64) OpeningSet {
 	return OpeningSet{
 		Constants:       make([]gl.QuadraticExtensionVariable, numConstants),
 		PlonkSigmas:     make([]gl.QuadraticExtensionVariable, numRoutedWires),
 		Wires:           make([]gl.QuadraticExtensionVariable, numWires),
 		PlonkZs:         make([]gl.QuadraticExtensionVariable, numChallenges),
 		PlonkZsNext:     make([]gl.QuadraticExtensionVariable, numChallenges),
 		PartialProducts: make([]gl.QuadraticExtensionVariable, numChallenges*numPartialProducts),
 		QuotientPolys:   make([]gl.QuadraticExtensionVariable, numChallenges*quotientDegreeFactor),
 	}
 }

 type ProofChallenges struct {
 	PlonkBetas    []gl.Variable
 	PlonkGammas   []gl.Variable
--- a/verifier/verifier.go
+++ b/verifier/verifier.go
@ -76,7 +76,6 @@ func (c *VerifierChip) GetChallenges(
 			proof.OpeningProof.CommitPhaseMerkleCaps,
 			proof.OpeningProof.FinalPoly,
 			proof.OpeningProof.PowWitness,
 			c.commonData.DegreeBits,
 			config.FriConfig,
 		),
 	}
@ -119,8 +118,10 @@ func (c *VerifierChip) rangeCheckProof(proof variables.Proof) {

 	// Range check the openings proof.
 	for _, queryRound := range proof.OpeningProof.QueryRoundProofs {
 		for _, initialTreesElement := range queryRound.InitialTreesProof.EvalsProofs[0].Elements {
 			c.glChip.RangeCheck(initialTreesElement)
 		for _, evalsProof := range queryRound.InitialTreesProof.EvalsProofs {
 			for _, evalsProofElement := range evalsProof.Elements {
 				c.glChip.RangeCheck(evalsProofElement)
 			}
 		}

 		for _, queryStep := range queryRound.Steps {