Merge pull request #18 from iden3/feature/fix32bits

Fix compat with 32 bit arch
2026-02-07 11:36:41 +01:00 · 2020-03-18 11:55:56 +01:00 · 2020-03-17 17:17:45 +01:00 · 2020-03-06 16:27:36 +01:00 · 2020-03-06 16:24:41 +01:00 · 2020-03-05 17:35:25 +01:00
17 changed files with 1748 additions and 472 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,5 +4,12 @@ language: go
 go:
  - "1.12"

+jobs:
+  include:
+    - name: "Unit Tests 64 bit arch"
+      env: GOARCH="amd64"
+    - name: "Unit Test 32 bit arch"
+      env: GOARCH="386"
+
 env:
  - GO111MODULE=on
--- a/babyjub/babyjub.go
+++ b/babyjub/babyjub.go
@@ -2,9 +2,10 @@ package babyjub

 import (
 	"fmt"
+	"math/big"
+
 	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
-	"math/big"
 )

 // A is one of the babyjub constants.
@@ -35,9 +36,9 @@ func init() {

 	B8 = NewPoint()
 	B8.X = utils.NewIntFromString(
-		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
+		"5299619240641551281634865583518297030282874472190772894086521144482721001553")
 	B8.Y = utils.NewIntFromString(
-		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
+		"16950150798460657717958625567821834550301663161624707787222815936182638968203")
 }

 // Point represents a point of the babyjub curve.
@@ -74,7 +75,7 @@ func (res *Point) Add(a *Point, b *Point) *Point {
 	x2.Mod(x2, constants.Q)
 	x2.ModInverse(x2, constants.Q) // x2 = (1 + D * a.x * b.x * a.y * b.y)^-1

-	// y = (a.y * b.y + A * a.x * a.x) * (1 - D * a.x * b.x * a.y * b.y)^-1 mod q
+	// y = (a.y * b.y - A * a.x * b.x) * (1 - D * a.x * b.x * a.y * b.y)^-1 mod q
 	y1a := new(big.Int).Mul(a.Y, b.Y)
 	y1b := new(big.Int).Set(A)
 	y1b.Mul(y1b, a.X)
@@ -170,10 +171,7 @@ func PackPoint(ay *big.Int, sign bool) [32]byte {
 // Compress the point into a 32 byte array that contains the y coordinate in
 // little endian and the sign of the x coordinate.
 func (p *Point) Compress() [32]byte {
-	sign := false
-	if PointCoordSign(p.X) {
-		sign = true
-	}
+	sign := PointCoordSign(p.X)
 	return PackPoint(p.Y, sign)
 }

@@ -205,7 +203,10 @@ func (p *Point) Decompress(leBuf [32]byte) (*Point, error) {
 	xb.ModInverse(xb, constants.Q)
 	p.X.Mul(xa, xb) // xa / xb
 	p.X.Mod(p.X, constants.Q)
-	p.X.ModSqrt(p.X, constants.Q)
+	noSqrt := p.X.ModSqrt(p.X, constants.Q)
+	if noSqrt == nil {
+		return nil, fmt.Errorf("x is not a square mod q")
+	}
 	if (sign && !PointCoordSign(p.X)) || (!sign && PointCoordSign(p.X)) {
 		p.X.Mul(p.X, constants.MinusOne)
 	}
--- a/babyjub/babyjub_test.go
+++ b/babyjub/babyjub_test.go
@@ -3,8 +3,10 @@ package babyjub
 import (
 	"encoding/hex"
 	"math/big"
+	"math/rand"
 	"testing"

+	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
 )
@@ -231,3 +233,74 @@ func TestCompressDecompressRnd(t *testing.T) {
 		assert.Equal(t, p1, p2)
 	}
 }
+
+func BenchmarkBabyjub(b *testing.B) {
+	const n = 256
+
+	rnd := rand.New(rand.NewSource(42))
+
+	var badpoints [n]*Point
+	for i := 0; i < n; i++ {
+		x := new(big.Int).Rand(rnd, constants.Q)
+		y := new(big.Int).Rand(rnd, constants.Q)
+		badpoints[i] = &Point{X: x, Y: y}
+	}
+
+	var points [n]*Point
+	baseX := utils.NewIntFromString(
+		"17777552123799933955779906779655732241715742912184938656739573121738514868268")
+	baseY := utils.NewIntFromString(
+		"2626589144620713026669568689430873010625803728049924121243784502389097019475")
+	base := &Point{X: baseX, Y: baseY}
+	for i := 0; i < n; i++ {
+		s := new(big.Int).Rand(rnd, constants.Q)
+		points[i] = NewPoint().Mul(s, base)
+	}
+
+	var scalars [n]*big.Int
+	for i := 0; i < n; i++ {
+		scalars[i] = new(big.Int).Rand(rnd, constants.Q)
+	}
+
+	b.Run("AddConst", func(b *testing.B) {
+		p0 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+		p1 := &Point{X: big.NewInt(0), Y: big.NewInt(1)}
+
+		p2 := NewPoint()
+		for i := 0; i < b.N; i++ {
+			p2.Add(p0, p1)
+		}
+	})
+
+	b.Run("AddRnd", func(b *testing.B) {
+		res := NewPoint()
+		for i := 0; i < b.N; i++ {
+			res.Add(points[i%(n/2)], points[i%(n/2)+1])
+		}
+	})
+
+	b.Run("MulRnd", func(b *testing.B) {
+		res := NewPoint()
+		for i := 0; i < b.N; i++ {
+			res.Mul(scalars[i%n], points[i%n])
+		}
+	})
+
+	b.Run("Compress", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			points[i%n].Compress()
+		}
+	})
+
+	b.Run("InCurve", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			badpoints[i%n].InCurve()
+		}
+	})
+
+	b.Run("InSubGroup", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			points[i%n].InCurve()
+		}
+	})
+}
--- a/babyjub/eddsa.go
+++ b/babyjub/eddsa.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"

 	"github.com/iden3/go-iden3-crypto/mimc7"
+	"github.com/iden3/go-iden3-crypto/poseidon"
 	"github.com/iden3/go-iden3-crypto/utils"

 	"math/big"
@@ -179,11 +180,11 @@ func (k *PrivateKey) SignMimc7(msg *big.Int) *Signature {
 	r.Mod(r, SubOrder)
 	R8 := NewPoint().Mul(r, B8) // R8 = r * 8 * B
 	A := k.Public().Point()
-	hmInput, err := mimc7.BigIntsToRElems([]*big.Int{R8.X, R8.Y, A.X, A.Y, msg})
+	hmInput := []*big.Int{R8.X, R8.Y, A.X, A.Y, msg}
+	hm, err := mimc7.Hash(hmInput, nil) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
 		panic(err)
 	}
-	hm := mimc7.Hash(hmInput, nil) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	S := new(big.Int).Lsh(k.Scalar().BigInt(), 3)
 	S = S.Mul(hm, S)
 	S.Add(r, S)
@@ -195,11 +196,55 @@ func (k *PrivateKey) SignMimc7(msg *big.Int) *Signature {
 // VerifyMimc7 verifies the signature of a message encoded as a big.Int in Zq
 // using blake-512 hash for buffer hashing and mimc7 for big.Int hashing.
 func (p *PublicKey) VerifyMimc7(msg *big.Int, sig *Signature) bool {
-	hmInput, err := mimc7.BigIntsToRElems([]*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg})
+	hmInput := []*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg}
+	hm, err := mimc7.Hash(hmInput, nil) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
+	if err != nil {
+		panic(err)
+	}
+
+	left := NewPoint().Mul(sig.S, B8) // left = s * 8 * B
+	r1 := big.NewInt(8)
+	r1.Mul(r1, hm)
+	right := NewPoint().Mul(r1, p.Point())
+	right.Add(sig.R8, right) // right = 8 * R + 8 * hm * A
+	return (left.X.Cmp(right.X) == 0) && (left.Y.Cmp(right.Y) == 0)
+}
+
+// SignPoseidon signs a message encoded as a big.Int in Zq using blake-512 hash
+// for buffer hashing and Poseidon for big.Int hashing.
+func (k *PrivateKey) SignPoseidon(msg *big.Int) *Signature {
+	h1 := Blake512(k[:])
+	msgBuf := utils.BigIntLEBytes(msg)
+	msgBuf32 := [32]byte{}
+	copy(msgBuf32[:], msgBuf[:])
+	rBuf := Blake512(append(h1[32:], msgBuf32[:]...))
+	r := utils.SetBigIntFromLEBytes(new(big.Int), rBuf) // r = H(H_{32..63}(k), msg)
+	r.Mod(r, SubOrder)
+	R8 := NewPoint().Mul(r, B8) // R8 = r * 8 * B
+	A := k.Public().Point()
+
+	hmInput := [poseidon.T]*big.Int{R8.X, R8.Y, A.X, A.Y, msg, big.NewInt(int64(0))}
+	hm, err := poseidon.PoseidonHash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
+	if err != nil {
+		panic(err)
+	}
+
+	S := new(big.Int).Lsh(k.Scalar().BigInt(), 3)
+	S = S.Mul(hm, S)
+	S.Add(r, S)
+	S.Mod(S, SubOrder) // S = r + hm * 8 * s
+
+	return &Signature{R8: R8, S: S}
+}
+
+// VerifyPoseidon verifies the signature of a message encoded as a big.Int in Zq
+// using blake-512 hash for buffer hashing and Poseidon for big.Int hashing.
+func (p *PublicKey) VerifyPoseidon(msg *big.Int, sig *Signature) bool {
+	hmInput := [poseidon.T]*big.Int{sig.R8.X, sig.R8.Y, p.X, p.Y, msg, big.NewInt(int64(0))}
+	hm, err := poseidon.PoseidonHash(hmInput) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)
 	if err != nil {
 		panic(err)
 	}
-	hm := mimc7.Hash(hmInput, nil) // hm = H1(8*R.x, 8*R.y, A.x, A.y, msg)

 	left := NewPoint().Mul(sig.S, B8) // left = s * 8 * B
 	r1 := big.NewInt(8)
--- a/babyjub/eddsa_test.go
+++ b/babyjub/eddsa_test.go
@@ -4,13 +4,12 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"fmt"
+	"math/big"
+	"testing"

 	"github.com/iden3/go-iden3-crypto/constants"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
-
-	"math/big"
-	"testing"
 )

 func genInputs() (*PrivateKey, *big.Int) {
@@ -26,7 +25,17 @@ func genInputs() (*PrivateKey, *big.Int) {
 	return &k, msg
 }

-func TestSignVerify1(t *testing.T) {
+func TestPublicKey(t *testing.T) {
+	var k PrivateKey
+	for i := 0; i < 256; i++ {
+		hex.Decode(k[:], []byte{byte(i)})
+	}
+	pk := k.Public()
+	assert.True(t, pk.X.Cmp(constants.Q) == -1)
+	assert.True(t, pk.Y.Cmp(constants.Q) == -1)
+}
+
+func TestSignVerifyMimc7(t *testing.T) {
 	var k PrivateKey
 	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
 	msgBuf, err := hex.DecodeString("00010203040506070809")
@@ -37,21 +46,21 @@ func TestSignVerify1(t *testing.T) {

 	pk := k.Public()
 	assert.Equal(t,
-		"2610057752638682202795145288373380503107623443963127956230801721756904484787",
+		"13277427435165878497778222415993513565335242147425444199013288855685581939618",
 		pk.X.String())
 	assert.Equal(t,
-		"16617171478497210597712478520507818259149717466230047843969353176573634386897",
+		"13622229784656158136036771217484571176836296686641868549125388198837476602820",
 		pk.Y.String())

 	sig := k.SignMimc7(msg)
 	assert.Equal(t,
-		"4974729414807584049518234760796200867685098748448054182902488636762478901554",
+		"11384336176656855268977457483345535180380036354188103142384839473266348197733",
 		sig.R8.X.String())
 	assert.Equal(t,
-		"18714049394522540751536514815950425694461287643205706667341348804546050128733",
+		"15383486972088797283337779941324724402501462225528836549661220478783371668959",
 		sig.R8.Y.String())
 	assert.Equal(t,
-		"2171284143457722024136077617757713039502332290425057126942676527240038689549",
+		"2523202440825208709475937830811065542425109372212752003460238913256192595070",
 		sig.S.String())

 	ok := pk.VerifyMimc7(msg, sig)
@@ -62,14 +71,58 @@ func TestSignVerify1(t *testing.T) {
 	assert.Equal(t, nil, err)

 	assert.Equal(t, ""+
-		"5dfb6f843c023fe3e52548ccf22e55c81b426f7af81b4f51f7152f2fcfc65f29"+
-		"0dab19c5a0a75973cd75a54780de0c3a41ede6f57396fe99b5307fff3ce7cc04",
+		"dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
+		"7ed40dab29bf993c928e789d007387998901a24913d44fddb64b1f21fc149405",
 		hex.EncodeToString(sigBuf[:]))

 	ok = pk.VerifyMimc7(msg, sig2)
 	assert.Equal(t, true, ok)
 }

+func TestSignVerifyPoseidon(t *testing.T) {
+	var k PrivateKey
+	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
+	msgBuf, err := hex.DecodeString("00010203040506070809")
+	if err != nil {
+		panic(err)
+	}
+	msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf)
+
+	pk := k.Public()
+	assert.Equal(t,
+		"13277427435165878497778222415993513565335242147425444199013288855685581939618",
+		pk.X.String())
+	assert.Equal(t,
+		"13622229784656158136036771217484571176836296686641868549125388198837476602820",
+		pk.Y.String())
+
+	sig := k.SignPoseidon(msg)
+	assert.Equal(t,
+		"11384336176656855268977457483345535180380036354188103142384839473266348197733",
+		sig.R8.X.String())
+	assert.Equal(t,
+		"15383486972088797283337779941324724402501462225528836549661220478783371668959",
+		sig.R8.Y.String())
+	assert.Equal(t,
+		"248298168863866362217836334079793350221620631973732197668910946177382043688",
+		sig.S.String())
+
+	ok := pk.VerifyPoseidon(msg, sig)
+	assert.Equal(t, true, ok)
+
+	sigBuf := sig.Compress()
+	sig2, err := new(Signature).Decompress(sigBuf)
+	assert.Equal(t, nil, err)
+
+	assert.Equal(t, ""+
+		"dfedb4315d3f2eb4de2d3c510d7a987dcab67089c8ace06308827bf5bcbe02a2"+
+		"28506bce274aa1b3f7e7c2fd7e4fe09bff8f9aa37a42def7994e98f322888c00",
+		hex.EncodeToString(sigBuf[:]))
+
+	ok = pk.VerifyPoseidon(msg, sig2)
+	assert.Equal(t, true, ok)
+}
+
 func TestCompressDecompress(t *testing.T) {
 	var k PrivateKey
 	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
@@ -88,3 +141,54 @@ func TestCompressDecompress(t *testing.T) {
 		assert.Equal(t, true, ok)
 	}
 }
+
+func BenchmarkBabyjubEddsa(b *testing.B) {
+	var k PrivateKey
+	hex.Decode(k[:], []byte("0001020304050607080900010203040506070809000102030405060708090001"))
+	pk := k.Public()
+
+	const n = 256
+
+	msgBuf, err := hex.DecodeString("00010203040506070809")
+	if err != nil {
+		panic(err)
+	}
+	msg := utils.SetBigIntFromLEBytes(new(big.Int), msgBuf)
+	var msgs [n]*big.Int
+	for i := 0; i < n; i++ {
+		msgs[i] = new(big.Int).Add(msg, big.NewInt(int64(i)))
+	}
+	var sigs [n]*Signature
+
+	b.Run("SignMimc7", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			k.SignMimc7(msgs[i%n])
+		}
+	})
+
+	for i := 0; i < n; i++ {
+		sigs[i%n] = k.SignMimc7(msgs[i%n])
+	}
+
+	b.Run("VerifyMimc7", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			pk.VerifyMimc7(msgs[i%n], sigs[i%n])
+		}
+	})
+
+	b.Run("SignPoseidon", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			k.SignPoseidon(msgs[i%n])
+		}
+	})
+
+	for i := 0; i < n; i++ {
+		sigs[i%n] = k.SignPoseidon(msgs[i%n])
+	}
+
+	b.Run("VerifyPoseidon", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			pk.VerifyPoseidon(msgs[i%n], sigs[i%n])
+		}
+	})
+}
--- a/constants/constants.go
+++ b/constants/constants.go
@@ -1,12 +1,15 @@
 package constants

 import (
-	"github.com/iden3/go-iden3-crypto/utils"
+	"fmt"
 	"math/big"
+
+	"github.com/iden3/go-iden3-crypto/ff"
 )

 // Q is the order of the integer field (Zq) that fits inside the SNARK.
 var Q *big.Int
+var QE *ff.Element

 // Zero is 0.
 var Zero *big.Int
@@ -21,6 +24,11 @@ func init() {
 	Zero = big.NewInt(0)
 	One = big.NewInt(1)
 	MinusOne = big.NewInt(-1)
-	Q = utils.NewIntFromString(
-		"21888242871839275222246405745257275088548364400416034343698204186575808495617")
+
+	qString := "21888242871839275222246405745257275088548364400416034343698204186575808495617"
+	var ok bool
+	Q, ok = new(big.Int).SetString(qString, 10)
+	if !ok {
+		panic(fmt.Sprintf("Bad base 10 string %s", qString))
+	}
 }
--- a/ff/arith.go
+++ b/ff/arith.go
@@ -0,0 +1,122 @@
+// Copyright 2020 ConsenSys AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by goff DO NOT EDIT
+
+package ff
+
+import (
+	"math/bits"
+)
+
+func madd(a, b, t, u, v uint64) (uint64, uint64, uint64) {
+	var carry uint64
+	hi, lo := bits.Mul64(a, b)
+	v, carry = bits.Add64(lo, v, 0)
+	u, carry = bits.Add64(hi, u, carry)
+	t, _ = bits.Add64(t, 0, carry)
+	return t, u, v
+}
+
+// madd0 hi = a*b + c (discards lo bits)
+func madd0(a, b, c uint64) (hi uint64) {
+	var carry, lo uint64
+	hi, lo = bits.Mul64(a, b)
+	_, carry = bits.Add64(lo, c, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	return
+}
+
+// madd1 hi, lo = a*b + c
+func madd1(a, b, c uint64) (hi uint64, lo uint64) {
+	var carry uint64
+	hi, lo = bits.Mul64(a, b)
+	lo, carry = bits.Add64(lo, c, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	return
+}
+
+// madd2 hi, lo = a*b + c + d
+func madd2(a, b, c, d uint64) (hi uint64, lo uint64) {
+	var carry uint64
+	hi, lo = bits.Mul64(a, b)
+	c, carry = bits.Add64(c, d, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	lo, carry = bits.Add64(lo, c, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	return
+}
+
+// madd2s superhi, hi, lo = 2*a*b + c + d + e
+func madd2s(a, b, c, d, e uint64) (superhi, hi, lo uint64) {
+	var carry, sum uint64
+
+	hi, lo = bits.Mul64(a, b)
+	lo, carry = bits.Add64(lo, lo, 0)
+	hi, superhi = bits.Add64(hi, hi, carry)
+
+	sum, carry = bits.Add64(c, e, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	lo, carry = bits.Add64(lo, sum, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	hi, _ = bits.Add64(hi, 0, d)
+	return
+}
+
+func madd1s(a, b, d, e uint64) (superhi, hi, lo uint64) {
+	var carry uint64
+
+	hi, lo = bits.Mul64(a, b)
+	lo, carry = bits.Add64(lo, lo, 0)
+	hi, superhi = bits.Add64(hi, hi, carry)
+	lo, carry = bits.Add64(lo, e, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	hi, _ = bits.Add64(hi, 0, d)
+	return
+}
+
+func madd2sb(a, b, c, e uint64) (superhi, hi, lo uint64) {
+	var carry, sum uint64
+
+	hi, lo = bits.Mul64(a, b)
+	lo, carry = bits.Add64(lo, lo, 0)
+	hi, superhi = bits.Add64(hi, hi, carry)
+
+	sum, carry = bits.Add64(c, e, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	lo, carry = bits.Add64(lo, sum, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	return
+}
+
+func madd1sb(a, b, e uint64) (superhi, hi, lo uint64) {
+	var carry uint64
+
+	hi, lo = bits.Mul64(a, b)
+	lo, carry = bits.Add64(lo, lo, 0)
+	hi, superhi = bits.Add64(hi, hi, carry)
+	lo, carry = bits.Add64(lo, e, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	return
+}
+
+func madd3(a, b, c, d, e uint64) (hi uint64, lo uint64) {
+	var carry uint64
+	hi, lo = bits.Mul64(a, b)
+	c, carry = bits.Add64(c, d, 0)
+	hi, _ = bits.Add64(hi, 0, carry)
+	lo, carry = bits.Add64(lo, c, 0)
+	hi, _ = bits.Add64(hi, e, carry)
+	return
+}
--- a/ff/element.go
+++ b/ff/element.go
@@ -0,0 +1,792 @@
+// Copyright 2020 ConsenSys AG
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// field modulus q =
+//
+// 21888242871839275222246405745257275088548364400416034343698204186575808495617
+// Code generated by goff DO NOT EDIT
+// goff version:  - build:
+// Element are assumed to be in Montgomery form in all methods
+
+// Package ff (generated by goff) contains field arithmetics operations
+package ff
+
+import (
+	"crypto/rand"
+	"encoding/binary"
+	"io"
+	"math/big"
+	"math/bits"
+	"sync"
+
+	"unsafe"
+)
+
+// Element represents a field element stored on 4 words (uint64)
+// Element are assumed to be in Montgomery form in all methods
+type Element [4]uint64
+
+// ElementLimbs number of 64 bits words needed to represent Element
+const ElementLimbs = 4
+
+// ElementBits number bits needed to represent Element
+const ElementBits = 254
+
+// SetUint64 z = v, sets z LSB to v (non-Montgomery form) and convert z to Montgomery form
+func (z *Element) SetUint64(v uint64) *Element {
+	z[0] = v
+	z[1] = 0
+	z[2] = 0
+	z[3] = 0
+	return z.ToMont()
+}
+
+// Set z = x
+func (z *Element) Set(x *Element) *Element {
+	z[0] = x[0]
+	z[1] = x[1]
+	z[2] = x[2]
+	z[3] = x[3]
+	return z
+}
+
+// SetZero z = 0
+func (z *Element) SetZero() *Element {
+	z[0] = 0
+	z[1] = 0
+	z[2] = 0
+	z[3] = 0
+	return z
+}
+
+// SetOne z = 1 (in Montgomery form)
+func (z *Element) SetOne() *Element {
+	z[0] = 12436184717236109307
+	z[1] = 3962172157175319849
+	z[2] = 7381016538464732718
+	z[3] = 1011752739694698287
+	return z
+}
+
+// Neg z = q - x
+func (z *Element) Neg(x *Element) *Element {
+	if x.IsZero() {
+		return z.SetZero()
+	}
+	var borrow uint64
+	z[0], borrow = bits.Sub64(4891460686036598785, x[0], 0)
+	z[1], borrow = bits.Sub64(2896914383306846353, x[1], borrow)
+	z[2], borrow = bits.Sub64(13281191951274694749, x[2], borrow)
+	z[3], _ = bits.Sub64(3486998266802970665, x[3], borrow)
+	return z
+}
+
+// Div z = x*y^-1 mod q
+func (z *Element) Div(x, y *Element) *Element {
+	var yInv Element
+	yInv.Inverse(y)
+	z.Mul(x, &yInv)
+	return z
+}
+
+// Equal returns z == x
+func (z *Element) Equal(x *Element) bool {
+	return (z[3] == x[3]) && (z[2] == x[2]) && (z[1] == x[1]) && (z[0] == x[0])
+}
+
+// IsZero returns z == 0
+func (z *Element) IsZero() bool {
+	return (z[3] | z[2] | z[1] | z[0]) == 0
+}
+
+// field modulus stored as big.Int
+var _elementModulusBigInt big.Int
+var onceelementModulus sync.Once
+
+func elementModulusBigInt() *big.Int {
+	onceelementModulus.Do(func() {
+		_elementModulusBigInt.SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
+	})
+	return &_elementModulusBigInt
+}
+
+// Inverse z = x^-1 mod q
+// Algorithm 16 in "Efficient Software-Implementation of Finite Fields with Applications to Cryptography"
+// if x == 0, sets and returns z = x
+func (z *Element) Inverse(x *Element) *Element {
+	if x.IsZero() {
+		return z.Set(x)
+	}
+
+	// initialize u = q
+	var u = Element{
+		4891460686036598785,
+		2896914383306846353,
+		13281191951274694749,
+		3486998266802970665,
+	}
+
+	// initialize s = r^2
+	var s = Element{
+		1997599621687373223,
+		6052339484930628067,
+		10108755138030829701,
+		150537098327114917,
+	}
+
+	// r = 0
+	r := Element{}
+
+	v := *x
+
+	var carry, borrow, t, t2 uint64
+	var bigger, uIsOne, vIsOne bool
+
+	for !uIsOne && !vIsOne {
+		for v[0]&1 == 0 {
+
+			// v = v >> 1
+			t2 = v[3] << 63
+			v[3] >>= 1
+			t = t2
+			t2 = v[2] << 63
+			v[2] = (v[2] >> 1) | t
+			t = t2
+			t2 = v[1] << 63
+			v[1] = (v[1] >> 1) | t
+			t = t2
+			v[0] = (v[0] >> 1) | t
+
+			if s[0]&1 == 1 {
+
+				// s = s + q
+				s[0], carry = bits.Add64(s[0], 4891460686036598785, 0)
+				s[1], carry = bits.Add64(s[1], 2896914383306846353, carry)
+				s[2], carry = bits.Add64(s[2], 13281191951274694749, carry)
+				s[3], _ = bits.Add64(s[3], 3486998266802970665, carry)
+
+			}
+
+			// s = s >> 1
+			t2 = s[3] << 63
+			s[3] >>= 1
+			t = t2
+			t2 = s[2] << 63
+			s[2] = (s[2] >> 1) | t
+			t = t2
+			t2 = s[1] << 63
+			s[1] = (s[1] >> 1) | t
+			t = t2
+			s[0] = (s[0] >> 1) | t
+
+		}
+		for u[0]&1 == 0 {
+
+			// u = u >> 1
+			t2 = u[3] << 63
+			u[3] >>= 1
+			t = t2
+			t2 = u[2] << 63
+			u[2] = (u[2] >> 1) | t
+			t = t2
+			t2 = u[1] << 63
+			u[1] = (u[1] >> 1) | t
+			t = t2
+			u[0] = (u[0] >> 1) | t
+
+			if r[0]&1 == 1 {
+
+				// r = r + q
+				r[0], carry = bits.Add64(r[0], 4891460686036598785, 0)
+				r[1], carry = bits.Add64(r[1], 2896914383306846353, carry)
+				r[2], carry = bits.Add64(r[2], 13281191951274694749, carry)
+				r[3], _ = bits.Add64(r[3], 3486998266802970665, carry)
+
+			}
+
+			// r = r >> 1
+			t2 = r[3] << 63
+			r[3] >>= 1
+			t = t2
+			t2 = r[2] << 63
+			r[2] = (r[2] >> 1) | t
+			t = t2
+			t2 = r[1] << 63
+			r[1] = (r[1] >> 1) | t
+			t = t2
+			r[0] = (r[0] >> 1) | t
+
+		}
+
+		// v >= u
+		bigger = !(v[3] < u[3] || (v[3] == u[3] && (v[2] < u[2] || (v[2] == u[2] && (v[1] < u[1] || (v[1] == u[1] && (v[0] < u[0])))))))
+
+		if bigger {
+
+			// v = v - u
+			v[0], borrow = bits.Sub64(v[0], u[0], 0)
+			v[1], borrow = bits.Sub64(v[1], u[1], borrow)
+			v[2], borrow = bits.Sub64(v[2], u[2], borrow)
+			v[3], _ = bits.Sub64(v[3], u[3], borrow)
+
+			// r >= s
+			bigger = !(r[3] < s[3] || (r[3] == s[3] && (r[2] < s[2] || (r[2] == s[2] && (r[1] < s[1] || (r[1] == s[1] && (r[0] < s[0])))))))
+
+			if bigger {
+
+				// s = s + q
+				s[0], carry = bits.Add64(s[0], 4891460686036598785, 0)
+				s[1], carry = bits.Add64(s[1], 2896914383306846353, carry)
+				s[2], carry = bits.Add64(s[2], 13281191951274694749, carry)
+				s[3], _ = bits.Add64(s[3], 3486998266802970665, carry)
+
+			}
+
+			// s = s - r
+			s[0], borrow = bits.Sub64(s[0], r[0], 0)
+			s[1], borrow = bits.Sub64(s[1], r[1], borrow)
+			s[2], borrow = bits.Sub64(s[2], r[2], borrow)
+			s[3], _ = bits.Sub64(s[3], r[3], borrow)
+
+		} else {
+
+			// u = u - v
+			u[0], borrow = bits.Sub64(u[0], v[0], 0)
+			u[1], borrow = bits.Sub64(u[1], v[1], borrow)
+			u[2], borrow = bits.Sub64(u[2], v[2], borrow)
+			u[3], _ = bits.Sub64(u[3], v[3], borrow)
+
+			// s >= r
+			bigger = !(s[3] < r[3] || (s[3] == r[3] && (s[2] < r[2] || (s[2] == r[2] && (s[1] < r[1] || (s[1] == r[1] && (s[0] < r[0])))))))
+
+			if bigger {
+
+				// r = r + q
+				r[0], carry = bits.Add64(r[0], 4891460686036598785, 0)
+				r[1], carry = bits.Add64(r[1], 2896914383306846353, carry)
+				r[2], carry = bits.Add64(r[2], 13281191951274694749, carry)
+				r[3], _ = bits.Add64(r[3], 3486998266802970665, carry)
+
+			}
+
+			// r = r - s
+			r[0], borrow = bits.Sub64(r[0], s[0], 0)
+			r[1], borrow = bits.Sub64(r[1], s[1], borrow)
+			r[2], borrow = bits.Sub64(r[2], s[2], borrow)
+			r[3], _ = bits.Sub64(r[3], s[3], borrow)
+
+		}
+		uIsOne = (u[0] == 1) && (u[3]|u[2]|u[1]) == 0
+		vIsOne = (v[0] == 1) && (v[3]|v[2]|v[1]) == 0
+	}
+
+	if uIsOne {
+		z.Set(&r)
+	} else {
+		z.Set(&s)
+	}
+
+	return z
+}
+
+// SetRandom sets z to a random element < q
+func (z *Element) SetRandom() *Element {
+	bytes := make([]byte, 32)
+	io.ReadFull(rand.Reader, bytes)
+	z[0] = binary.BigEndian.Uint64(bytes[0:8])
+	z[1] = binary.BigEndian.Uint64(bytes[8:16])
+	z[2] = binary.BigEndian.Uint64(bytes[16:24])
+	z[3] = binary.BigEndian.Uint64(bytes[24:32])
+	z[3] %= 3486998266802970665
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+
+	return z
+}
+
+// Add z = x + y mod q
+func (z *Element) Add(x, y *Element) *Element {
+	var carry uint64
+
+	z[0], carry = bits.Add64(x[0], y[0], 0)
+	z[1], carry = bits.Add64(x[1], y[1], carry)
+	z[2], carry = bits.Add64(x[2], y[2], carry)
+	z[3], _ = bits.Add64(x[3], y[3], carry)
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
+
+// AddAssign z = z + x mod q
+func (z *Element) AddAssign(x *Element) *Element {
+	var carry uint64
+
+	z[0], carry = bits.Add64(z[0], x[0], 0)
+	z[1], carry = bits.Add64(z[1], x[1], carry)
+	z[2], carry = bits.Add64(z[2], x[2], carry)
+	z[3], _ = bits.Add64(z[3], x[3], carry)
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
+
+// Double z = x + x mod q, aka Lsh 1
+func (z *Element) Double(x *Element) *Element {
+	var carry uint64
+
+	z[0], carry = bits.Add64(x[0], x[0], 0)
+	z[1], carry = bits.Add64(x[1], x[1], carry)
+	z[2], carry = bits.Add64(x[2], x[2], carry)
+	z[3], _ = bits.Add64(x[3], x[3], carry)
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
+
+// Sub  z = x - y mod q
+func (z *Element) Sub(x, y *Element) *Element {
+	var b uint64
+	z[0], b = bits.Sub64(x[0], y[0], 0)
+	z[1], b = bits.Sub64(x[1], y[1], b)
+	z[2], b = bits.Sub64(x[2], y[2], b)
+	z[3], b = bits.Sub64(x[3], y[3], b)
+	if b != 0 {
+		var c uint64
+		z[0], c = bits.Add64(z[0], 4891460686036598785, 0)
+		z[1], c = bits.Add64(z[1], 2896914383306846353, c)
+		z[2], c = bits.Add64(z[2], 13281191951274694749, c)
+		z[3], _ = bits.Add64(z[3], 3486998266802970665, c)
+	}
+	return z
+}
+
+// SubAssign  z = z - x mod q
+func (z *Element) SubAssign(x *Element) *Element {
+	var b uint64
+	z[0], b = bits.Sub64(z[0], x[0], 0)
+	z[1], b = bits.Sub64(z[1], x[1], b)
+	z[2], b = bits.Sub64(z[2], x[2], b)
+	z[3], b = bits.Sub64(z[3], x[3], b)
+	if b != 0 {
+		var c uint64
+		z[0], c = bits.Add64(z[0], 4891460686036598785, 0)
+		z[1], c = bits.Add64(z[1], 2896914383306846353, c)
+		z[2], c = bits.Add64(z[2], 13281191951274694749, c)
+		z[3], _ = bits.Add64(z[3], 3486998266802970665, c)
+	}
+	return z
+}
+
+// Exp z = x^e mod q
+func (z *Element) Exp(x Element, e uint64) *Element {
+	if e == 0 {
+		return z.SetOne()
+	}
+
+	z.Set(&x)
+
+	l := bits.Len64(e) - 2
+	for i := l; i >= 0; i-- {
+		z.Square(z)
+		if e&(1<<uint(i)) != 0 {
+			z.MulAssign(&x)
+		}
+	}
+	return z
+}
+
+// FromMont converts z in place (i.e. mutates) from Montgomery to regular representation
+// sets and returns z = z * 1
+func (z *Element) FromMont() *Element {
+
+	// the following lines implement z = z * 1
+	// with a modified CIOS montgomery multiplication
+	{
+		// m = z[0]n'[0] mod W
+		m := z[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, z[0])
+		C, z[0] = madd2(m, 2896914383306846353, z[1], C)
+		C, z[1] = madd2(m, 13281191951274694749, z[2], C)
+		C, z[2] = madd2(m, 3486998266802970665, z[3], C)
+		z[3] = C
+	}
+	{
+		// m = z[0]n'[0] mod W
+		m := z[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, z[0])
+		C, z[0] = madd2(m, 2896914383306846353, z[1], C)
+		C, z[1] = madd2(m, 13281191951274694749, z[2], C)
+		C, z[2] = madd2(m, 3486998266802970665, z[3], C)
+		z[3] = C
+	}
+	{
+		// m = z[0]n'[0] mod W
+		m := z[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, z[0])
+		C, z[0] = madd2(m, 2896914383306846353, z[1], C)
+		C, z[1] = madd2(m, 13281191951274694749, z[2], C)
+		C, z[2] = madd2(m, 3486998266802970665, z[3], C)
+		z[3] = C
+	}
+	{
+		// m = z[0]n'[0] mod W
+		m := z[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, z[0])
+		C, z[0] = madd2(m, 2896914383306846353, z[1], C)
+		C, z[1] = madd2(m, 13281191951274694749, z[2], C)
+		C, z[2] = madd2(m, 3486998266802970665, z[3], C)
+		z[3] = C
+	}
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
+
+// ToMont converts z to Montgomery form
+// sets and returns z = z * r^2
+func (z *Element) ToMont() *Element {
+	var rSquare = Element{
+		1997599621687373223,
+		6052339484930628067,
+		10108755138030829701,
+		150537098327114917,
+	}
+	return z.MulAssign(&rSquare)
+}
+
+// ToRegular returns z in regular form (doesn't mutate z)
+func (z Element) ToRegular() Element {
+	return *z.FromMont()
+}
+
+// String returns the string form of an Element in Montgomery form
+func (z *Element) String() string {
+	var _z big.Int
+	return z.ToBigIntRegular(&_z).String()
+}
+
+// ToBigInt returns z as a big.Int in Montgomery form
+func (z *Element) ToBigInt(res *big.Int) *big.Int {
+	if bits.UintSize == 64 {
+		bits := (*[4]big.Word)(unsafe.Pointer(z))
+		return res.SetBits(bits[:])
+	} else {
+		var bits [8]big.Word
+		for i := 0; i < len(z); i++ {
+			bits[i*2] = big.Word(z[i])
+			bits[i*2+1] = big.Word(z[i] >> 32)
+		}
+		return res.SetBits(bits[:])
+	}
+}
+
+// ToBigIntRegular returns z as a big.Int in regular form
+func (z Element) ToBigIntRegular(res *big.Int) *big.Int {
+	z.FromMont()
+	if bits.UintSize == 64 {
+		bits := (*[4]big.Word)(unsafe.Pointer(&z))
+		return res.SetBits(bits[:])
+	} else {
+		var bits [8]big.Word
+		for i := 0; i < len(z); i++ {
+			bits[i*2] = big.Word(z[i])
+			bits[i*2+1] = big.Word(z[i] >> 32)
+		}
+		return res.SetBits(bits[:])
+	}
+}
+
+// SetBigInt sets z to v (regular form) and returns z in Montgomery form
+func (z *Element) SetBigInt(v *big.Int) *Element {
+	z.SetZero()
+
+	zero := big.NewInt(0)
+	q := elementModulusBigInt()
+
+	// copy input
+	vv := new(big.Int).Set(v)
+
+	// while v < 0, v+=q
+	for vv.Cmp(zero) == -1 {
+		vv.Add(vv, q)
+	}
+	// while v > q, v-=q
+	for vv.Cmp(q) == 1 {
+		vv.Sub(vv, q)
+	}
+	// if v == q, return 0
+	if vv.Cmp(q) == 0 {
+		return z
+	}
+	// v should
+	vBits := vv.Bits()
+	if bits.UintSize == 64 {
+		for i := 0; i < len(vBits); i++ {
+			z[i] = uint64(vBits[i])
+		}
+	} else {
+		for i := 0; i < len(vBits); i++ {
+			if i%2 == 0 {
+				z[i/2] = uint64(vBits[i])
+			} else {
+				z[i/2] |= uint64(vBits[i]) << 32
+			}
+		}
+	}
+	return z.ToMont()
+}
+
+// SetString creates a big.Int with s (in base 10) and calls SetBigInt on z
+func (z *Element) SetString(s string) *Element {
+	x, ok := new(big.Int).SetString(s, 10)
+	if !ok {
+		panic("Element.SetString failed -> can't parse number in base10 into a big.Int")
+	}
+	return z.SetBigInt(x)
+}
+
+// Mul z = x * y mod q
+func (z *Element) Mul(x, y *Element) *Element {
+
+	var t [4]uint64
+	var c [3]uint64
+	{
+		// round 0
+		v := x[0]
+		c[1], c[0] = bits.Mul64(v, y[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd1(v, y[1], c[1])
+		c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd1(v, y[2], c[1])
+		c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd1(v, y[3], c[1])
+		t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+	{
+		// round 1
+		v := x[1]
+		c[1], c[0] = madd1(v, y[0], t[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd2(v, y[1], c[1], t[1])
+		c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd2(v, y[2], c[1], t[2])
+		c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd2(v, y[3], c[1], t[3])
+		t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+	{
+		// round 2
+		v := x[2]
+		c[1], c[0] = madd1(v, y[0], t[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd2(v, y[1], c[1], t[1])
+		c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd2(v, y[2], c[1], t[2])
+		c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd2(v, y[3], c[1], t[3])
+		t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+	{
+		// round 3
+		v := x[3]
+		c[1], c[0] = madd1(v, y[0], t[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd2(v, y[1], c[1], t[1])
+		c[2], z[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd2(v, y[2], c[1], t[2])
+		c[2], z[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd2(v, y[3], c[1], t[3])
+		z[3], z[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
+
+// MulAssign z = z * x mod q
+func (z *Element) MulAssign(x *Element) *Element {
+
+	var t [4]uint64
+	var c [3]uint64
+	{
+		// round 0
+		v := z[0]
+		c[1], c[0] = bits.Mul64(v, x[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd1(v, x[1], c[1])
+		c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd1(v, x[2], c[1])
+		c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd1(v, x[3], c[1])
+		t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+	{
+		// round 1
+		v := z[1]
+		c[1], c[0] = madd1(v, x[0], t[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd2(v, x[1], c[1], t[1])
+		c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd2(v, x[2], c[1], t[2])
+		c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd2(v, x[3], c[1], t[3])
+		t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+	{
+		// round 2
+		v := z[2]
+		c[1], c[0] = madd1(v, x[0], t[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd2(v, x[1], c[1], t[1])
+		c[2], t[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd2(v, x[2], c[1], t[2])
+		c[2], t[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd2(v, x[3], c[1], t[3])
+		t[3], t[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+	{
+		// round 3
+		v := z[3]
+		c[1], c[0] = madd1(v, x[0], t[0])
+		m := c[0] * 14042775128853446655
+		c[2] = madd0(m, 4891460686036598785, c[0])
+		c[1], c[0] = madd2(v, x[1], c[1], t[1])
+		c[2], z[0] = madd2(m, 2896914383306846353, c[2], c[0])
+		c[1], c[0] = madd2(v, x[2], c[1], t[2])
+		c[2], z[1] = madd2(m, 13281191951274694749, c[2], c[0])
+		c[1], c[0] = madd2(v, x[3], c[1], t[3])
+		z[3], z[2] = madd3(m, 3486998266802970665, c[0], c[2], c[1])
+	}
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
+
+// Square z = x * x mod q
+func (z *Element) Square(x *Element) *Element {
+
+	var p [4]uint64
+
+	var u, v uint64
+	{
+		// round 0
+		u, p[0] = bits.Mul64(x[0], x[0])
+		m := p[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, p[0])
+		var t uint64
+		t, u, v = madd1sb(x[0], x[1], u)
+		C, p[0] = madd2(m, 2896914383306846353, v, C)
+		t, u, v = madd1s(x[0], x[2], t, u)
+		C, p[1] = madd2(m, 13281191951274694749, v, C)
+		_, u, v = madd1s(x[0], x[3], t, u)
+		p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
+	}
+	{
+		// round 1
+		m := p[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, p[0])
+		u, v = madd1(x[1], x[1], p[1])
+		C, p[0] = madd2(m, 2896914383306846353, v, C)
+		var t uint64
+		t, u, v = madd2sb(x[1], x[2], p[2], u)
+		C, p[1] = madd2(m, 13281191951274694749, v, C)
+		_, u, v = madd2s(x[1], x[3], p[3], t, u)
+		p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
+	}
+	{
+		// round 2
+		m := p[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, p[0])
+		C, p[0] = madd2(m, 2896914383306846353, p[1], C)
+		u, v = madd1(x[2], x[2], p[2])
+		C, p[1] = madd2(m, 13281191951274694749, v, C)
+		_, u, v = madd2sb(x[2], x[3], p[3], u)
+		p[3], p[2] = madd3(m, 3486998266802970665, v, C, u)
+	}
+	{
+		// round 3
+		m := p[0] * 14042775128853446655
+		C := madd0(m, 4891460686036598785, p[0])
+		C, z[0] = madd2(m, 2896914383306846353, p[1], C)
+		C, z[1] = madd2(m, 13281191951274694749, p[2], C)
+		u, v = madd1(x[3], x[3], p[3])
+		z[3], z[2] = madd3(m, 3486998266802970665, v, C, u)
+	}
+
+	// if z > q --> z -= q
+	if !(z[3] < 3486998266802970665 || (z[3] == 3486998266802970665 && (z[2] < 13281191951274694749 || (z[2] == 13281191951274694749 && (z[1] < 2896914383306846353 || (z[1] == 2896914383306846353 && (z[0] < 4891460686036598785))))))) {
+		var b uint64
+		z[0], b = bits.Sub64(z[0], 4891460686036598785, 0)
+		z[1], b = bits.Sub64(z[1], 2896914383306846353, b)
+		z[2], b = bits.Sub64(z[2], 13281191951274694749, b)
+		z[3], _ = bits.Sub64(z[3], 3486998266802970665, b)
+	}
+	return z
+}
--- a/ff/element_test.go
+++ b/ff/element_test.go
@@ -0,0 +1,234 @@
+// Code generated by goff DO NOT EDIT
+package ff
+
+import (
+	"crypto/rand"
+	"math/big"
+	mrand "math/rand"
+	"testing"
+)
+
+func TestELEMENTCorrectnessAgainstBigInt(t *testing.T) {
+	modulus, _ := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
+	cmpEandB := func(e *Element, b *big.Int, name string) {
+		var _e big.Int
+		if e.FromMont().ToBigInt(&_e).Cmp(b) != 0 {
+			t.Fatal(name, "failed")
+		}
+	}
+	var modulusMinusOne, one big.Int
+	one.SetUint64(1)
+
+	modulusMinusOne.Sub(modulus, &one)
+
+	for i := 0; i < 1000; i++ {
+
+		// sample 2 random big int
+		b1, _ := rand.Int(rand.Reader, modulus)
+		b2, _ := rand.Int(rand.Reader, modulus)
+		rExp := mrand.Uint64()
+
+		// adding edge cases
+		// TODO need more edge cases
+		switch i {
+		case 0:
+			rExp = 0
+			b1.SetUint64(0)
+		case 1:
+			b2.SetUint64(0)
+		case 2:
+			b1.SetUint64(0)
+			b2.SetUint64(0)
+		case 3:
+			rExp = 0
+		case 4:
+			rExp = 1
+		case 5:
+			rExp = ^uint64(0) // max uint
+		case 6:
+			rExp = 2
+			b1.Set(&modulusMinusOne)
+		case 7:
+			b2.Set(&modulusMinusOne)
+		case 8:
+			b1.Set(&modulusMinusOne)
+			b2.Set(&modulusMinusOne)
+		}
+
+		rbExp := new(big.Int).SetUint64(rExp)
+
+		var bMul, bAdd, bSub, bDiv, bNeg, bLsh, bInv, bExp, bSquare big.Int
+
+		// e1 = mont(b1), e2 = mont(b2)
+		var e1, e2, eMul, eAdd, eSub, eDiv, eNeg, eLsh, eInv, eExp, eSquare, eMulAssign, eSubAssign, eAddAssign Element
+		e1.SetBigInt(b1)
+		e2.SetBigInt(b2)
+
+		// (e1*e2).FromMont() === b1*b2 mod q ... etc
+		eSquare.Square(&e1)
+		eMul.Mul(&e1, &e2)
+		eMulAssign.Set(&e1)
+		eMulAssign.MulAssign(&e2)
+		eAdd.Add(&e1, &e2)
+		eAddAssign.Set(&e1)
+		eAddAssign.AddAssign(&e2)
+		eSub.Sub(&e1, &e2)
+		eSubAssign.Set(&e1)
+		eSubAssign.SubAssign(&e2)
+		eDiv.Div(&e1, &e2)
+		eNeg.Neg(&e1)
+		eInv.Inverse(&e1)
+		eExp.Exp(e1, rExp)
+		eLsh.Double(&e1)
+
+		// same operations with big int
+		bAdd.Add(b1, b2).Mod(&bAdd, modulus)
+		bMul.Mul(b1, b2).Mod(&bMul, modulus)
+		bSquare.Mul(b1, b1).Mod(&bSquare, modulus)
+		bSub.Sub(b1, b2).Mod(&bSub, modulus)
+		bDiv.ModInverse(b2, modulus)
+		bDiv.Mul(&bDiv, b1).
+			Mod(&bDiv, modulus)
+		bNeg.Neg(b1).Mod(&bNeg, modulus)
+
+		bInv.ModInverse(b1, modulus)
+		bExp.Exp(b1, rbExp, modulus)
+		bLsh.Lsh(b1, 1).Mod(&bLsh, modulus)
+
+		cmpEandB(&eSquare, &bSquare, "Square")
+		cmpEandB(&eMul, &bMul, "Mul")
+		cmpEandB(&eMulAssign, &bMul, "MulAssign")
+		cmpEandB(&eAdd, &bAdd, "Add")
+		cmpEandB(&eAddAssign, &bAdd, "AddAssign")
+		cmpEandB(&eSub, &bSub, "Sub")
+		cmpEandB(&eSubAssign, &bSub, "SubAssign")
+		cmpEandB(&eDiv, &bDiv, "Div")
+		cmpEandB(&eNeg, &bNeg, "Neg")
+		cmpEandB(&eInv, &bInv, "Inv")
+		cmpEandB(&eExp, &bExp, "Exp")
+		cmpEandB(&eLsh, &bLsh, "Lsh")
+	}
+}
+
+func TestELEMENTIsRandom(t *testing.T) {
+	for i := 0; i < 1000; i++ {
+		var x, y Element
+		x.SetRandom()
+		y.SetRandom()
+		if x.Equal(&y) {
+			t.Fatal("2 random numbers are unlikely to be equal")
+		}
+	}
+}
+
+// -------------------------------------------------------------------------------------------------
+// benchmarks
+// most benchmarks are rudimentary and should sample a large number of random inputs
+// or be run multiple times to ensure it didn't measure the fastest path of the function
+// TODO: clean up and push benchmarking branch
+
+var benchResElement Element
+
+func BenchmarkInverseELEMENT(b *testing.B) {
+	var x Element
+	x.SetRandom()
+	benchResElement.SetRandom()
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		benchResElement.Inverse(&x)
+	}
+
+}
+func BenchmarkExpELEMENT(b *testing.B) {
+	var x Element
+	x.SetRandom()
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Exp(x, mrand.Uint64())
+	}
+}
+
+func BenchmarkDoubleELEMENT(b *testing.B) {
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Double(&benchResElement)
+	}
+}
+
+func BenchmarkAddELEMENT(b *testing.B) {
+	var x Element
+	x.SetRandom()
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Add(&x, &benchResElement)
+	}
+}
+
+func BenchmarkSubELEMENT(b *testing.B) {
+	var x Element
+	x.SetRandom()
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Sub(&x, &benchResElement)
+	}
+}
+
+func BenchmarkNegELEMENT(b *testing.B) {
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Neg(&benchResElement)
+	}
+}
+
+func BenchmarkDivELEMENT(b *testing.B) {
+	var x Element
+	x.SetRandom()
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Div(&x, &benchResElement)
+	}
+}
+
+func BenchmarkFromMontELEMENT(b *testing.B) {
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.FromMont()
+	}
+}
+
+func BenchmarkToMontELEMENT(b *testing.B) {
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.ToMont()
+	}
+}
+func BenchmarkSquareELEMENT(b *testing.B) {
+	benchResElement.SetRandom()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.Square(&benchResElement)
+	}
+}
+
+func BenchmarkMulAssignELEMENT(b *testing.B) {
+	x := Element{
+		1997599621687373223,
+		6052339484930628067,
+		10108755138030829701,
+		150537098327114917,
+	}
+	benchResElement.SetOne()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		benchResElement.MulAssign(&x)
+	}
+}
--- a/ff/util.go
+++ b/ff/util.go
@@ -0,0 +1,5 @@
+package ff
+
+func NewElement() *Element {
+	return &Element{}
+}
--- a/field/field.go
+++ b/field/field.go
@@ -1,152 +0,0 @@
-// code originally taken from https://github.com/arnaucube/go-snark (https://github.com/arnaucube/go-snark/blob/master/fields/fq.go), pasted here to ensure compatibility among future changes
-
-package field
-
-import (
-	"bytes"
-	"crypto/rand"
-	"math/big"
-)
-
-// Fq is the Z field over modulus Q
-type Fq struct {
-	Q *big.Int // Q
-}
-
-// NewFq generates a new Fq
-func NewFq(q *big.Int) Fq {
-	return Fq{
-		q,
-	}
-}
-
-// Zero returns a Zero value on the Fq
-func (fq Fq) Zero() *big.Int {
-	return big.NewInt(int64(0))
-}
-
-// One returns a One value on the Fq
-func (fq Fq) One() *big.Int {
-	return big.NewInt(int64(1))
-}
-
-// Add performs an addition on the Fq
-func (fq Fq) Add(a, b *big.Int) *big.Int {
-	r := new(big.Int).Add(a, b)
-	return new(big.Int).Mod(r, fq.Q)
-}
-
-// Double performs a doubling on the Fq
-func (fq Fq) Double(a *big.Int) *big.Int {
-	r := new(big.Int).Add(a, a)
-	return new(big.Int).Mod(r, fq.Q)
-}
-
-// Sub performs a subtraction on the Fq
-func (fq Fq) Sub(a, b *big.Int) *big.Int {
-	r := new(big.Int).Sub(a, b)
-	return new(big.Int).Mod(r, fq.Q)
-}
-
-// Neg performs a negation on the Fq
-func (fq Fq) Neg(a *big.Int) *big.Int {
-	m := new(big.Int).Neg(a)
-	return new(big.Int).Mod(m, fq.Q)
-}
-
-// Mul performs a multiplication on the Fq
-func (fq Fq) Mul(a, b *big.Int) *big.Int {
-	m := new(big.Int).Mul(a, b)
-	return new(big.Int).Mod(m, fq.Q)
-}
-
-func (fq Fq) MulScalar(base, e *big.Int) *big.Int {
-	return fq.Mul(base, e)
-}
-
-// Inverse returns the inverse on the Fq
-func (fq Fq) Inverse(a *big.Int) *big.Int {
-	return new(big.Int).ModInverse(a, fq.Q)
-}
-
-// Div performs the division over the finite field
-func (fq Fq) Div(a, b *big.Int) *big.Int {
-	d := fq.Mul(a, fq.Inverse(b))
-	return new(big.Int).Mod(d, fq.Q)
-}
-
-// Square performs a square operation on the Fq
-func (fq Fq) Square(a *big.Int) *big.Int {
-	m := new(big.Int).Mul(a, a)
-	return new(big.Int).Mod(m, fq.Q)
-}
-
-// Exp performs the exponential over Fq
-func (fq Fq) Exp(base *big.Int, e *big.Int) *big.Int {
-	res := fq.One()
-	rem := fq.Copy(e)
-	exp := base
-
-	for !bytes.Equal(rem.Bytes(), big.NewInt(int64(0)).Bytes()) {
-		if BigIsOdd(rem) {
-			res = fq.Mul(res, exp)
-		}
-		exp = fq.Square(exp)
-		rem = new(big.Int).Rsh(rem, 1)
-	}
-	return res
-}
-
-func (fq Fq) Rand() (*big.Int, error) {
-
-	maxbits := fq.Q.BitLen()
-	b := make([]byte, (maxbits/8)-1)
-	_, err := rand.Read(b)
-	if err != nil {
-		return nil, err
-	}
-	r := new(big.Int).SetBytes(b)
-	rq := new(big.Int).Mod(r, fq.Q)
-
-	// r over q, nil
-	return rq, nil
-}
-
-func (fq Fq) IsZero(a *big.Int) bool {
-	return bytes.Equal(a.Bytes(), fq.Zero().Bytes())
-}
-
-func (fq Fq) Copy(a *big.Int) *big.Int {
-	return new(big.Int).SetBytes(a.Bytes())
-}
-
-func (fq Fq) Affine(a *big.Int) *big.Int {
-	nq := fq.Neg(fq.Q)
-
-	aux := a
-	if aux.Cmp(big.NewInt(int64(0))) == -1 { // negative value
-		if aux.Cmp(nq) != 1 { // aux less or equal nq
-			aux = new(big.Int).Mod(aux, fq.Q)
-		}
-		if aux.Cmp(big.NewInt(int64(0))) == -1 { // negative value
-			aux = new(big.Int).Add(aux, fq.Q)
-		}
-	} else {
-		if aux.Cmp(fq.Q) != -1 { // aux greater or equal nq
-			aux = new(big.Int).Mod(aux, fq.Q)
-		}
-	}
-	return aux
-}
-
-func (fq Fq) Equal(a, b *big.Int) bool {
-	aAff := fq.Affine(a)
-	bAff := fq.Affine(b)
-	return bytes.Equal(aAff.Bytes(), bAff.Bytes())
-}
-
-func BigIsOdd(n *big.Int) bool {
-	one := big.NewInt(int64(1))
-	and := new(big.Int).And(n, one)
-	return bytes.Equal(and.Bytes(), big.NewInt(int64(1)).Bytes())
-}
--- a/field/field_test.go
+++ b/field/field_test.go
@@ -1,39 +0,0 @@
-// code originally taken from https://github.com/arnaucube/go-snark (https://github.com/arnaucube/go-snark/blob/master/fields/fq.go), pasted here to ensure compatibility among future changes
-
-package field
-
-import (
-	"math/big"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func iToBig(a int) *big.Int {
-	return big.NewInt(int64(a))
-}
-
-func TestFq1(t *testing.T) {
-	fq1 := NewFq(iToBig(7))
-
-	res := fq1.Add(iToBig(4), iToBig(4))
-	assert.Equal(t, iToBig(1), fq1.Affine(res))
-
-	res = fq1.Double(iToBig(5))
-	assert.Equal(t, iToBig(3), fq1.Affine(res))
-
-	res = fq1.Sub(iToBig(5), iToBig(7))
-	assert.Equal(t, iToBig(5), fq1.Affine(res))
-
-	res = fq1.Neg(iToBig(5))
-	assert.Equal(t, iToBig(2), fq1.Affine(res))
-
-	res = fq1.Mul(iToBig(5), iToBig(11))
-	assert.Equal(t, iToBig(6), fq1.Affine(res))
-
-	res = fq1.Inverse(iToBig(4))
-	assert.Equal(t, iToBig(2), res)
-
-	res = fq1.Square(iToBig(5))
-	assert.Equal(t, iToBig(4), res)
-}
--- a/mimc7/mimc7.go
+++ b/mimc7/mimc7.go
@@ -2,167 +2,153 @@ package mimc7

 import (
 	"errors"
-	"fmt"
 	"math/big"

 	"github.com/ethereum/go-ethereum/crypto"
 	_constants "github.com/iden3/go-iden3-crypto/constants"
-	"github.com/iden3/go-iden3-crypto/field"
+	"github.com/iden3/go-iden3-crypto/ff"
+	"github.com/iden3/go-iden3-crypto/utils"
 )

 const SEED = "mimc"

-// RElem is a big.Int of maximum 253 bits
-type RElem *big.Int
-
 var constants = generateConstantsData()

 type constantsData struct {
-	maxFieldVal *big.Int
-	seedHash    *big.Int
-	iv          *big.Int
-	fqR         field.Fq
-	nRounds     int
-	cts         []*big.Int
-}
-
-func getIV(seed string) {
+	seedHash *big.Int
+	iv       *big.Int
+	nRounds  int
+	cts      []*ff.Element
 }

 func generateConstantsData() constantsData {
 	var constants constantsData

-	fqR := field.NewFq(_constants.Q)
-	constants.fqR = fqR
-
-	// maxFieldVal is the R value of the Finite Field
-	constants.maxFieldVal = constants.fqR.Q
-
 	constants.seedHash = new(big.Int).SetBytes(crypto.Keccak256([]byte(SEED)))
 	c := new(big.Int).SetBytes(crypto.Keccak256([]byte(SEED + "_iv")))
-	constants.iv = new(big.Int).Mod(c, constants.maxFieldVal)
+	constants.iv = new(big.Int).Mod(c, _constants.Q)

 	constants.nRounds = 91
-	cts, err := getConstants(constants.fqR, SEED, constants.nRounds)
-	if err != nil {
-		panic(err)
-	}
+	cts := getConstants(SEED, constants.nRounds)
 	constants.cts = cts
 	return constants
 }

-// BigIntToRElem checks if given big.Int fits in a Field R element, and returns the RElem type
-func BigIntToRElem(a *big.Int) (RElem, error) {
-	if a.Cmp(constants.maxFieldVal) != -1 {
-		return RElem(a), errors.New("Given big.Int don't fits in the Finite Field over R")
-	}
-	return RElem(a), nil
-}
-
-//BigIntsToRElems converts from array of *big.Int to array of RElem
-func BigIntsToRElems(arr []*big.Int) ([]RElem, error) {
-	o := make([]RElem, len(arr))
-	for i, a := range arr {
-		e, err := BigIntToRElem(a)
-		if err != nil {
-			return o, fmt.Errorf("element in position %v don't fits in Finite Field over R", i)
-		}
-		o[i] = e
-	}
-	return o, nil
-}
-
-// RElemsToBigInts converts from array of RElem to array of *big.Int
-func RElemsToBigInts(arr []RElem) []*big.Int {
-	o := make([]*big.Int, len(arr))
-	for i, a := range arr {
-		o[i] = a
-	}
-	return o
-}
-
-func getConstants(fqR field.Fq, seed string, nRounds int) ([]*big.Int, error) {
-	cts := make([]*big.Int, nRounds)
-	cts[0] = big.NewInt(int64(0))
+func getConstants(seed string, nRounds int) []*ff.Element {
+	cts := make([]*ff.Element, nRounds)
+	cts[0] = ff.NewElement()
 	c := new(big.Int).SetBytes(crypto.Keccak256([]byte(SEED)))
 	for i := 1; i < nRounds; i++ {
 		c = new(big.Int).SetBytes(crypto.Keccak256(c.Bytes()))

-		n := fqR.Affine(c)
-		cts[i] = n
+		n := new(big.Int).Mod(c, _constants.Q)
+		cts[i] = ff.NewElement().SetBigInt(n)
 	}
-	return cts, nil
+	return cts
 }

-// MIMC7HashGeneric performs the MIMC7 hash over a RElem, in a generic way, where it can be specified the Finite Field over R, and the number of rounds
-func MIMC7HashGeneric(fqR field.Fq, xIn, k *big.Int, nRounds int) (*big.Int, error) {
-	cts, err := getConstants(fqR, SEED, nRounds)
-	if err != nil {
-		return &big.Int{}, err
-	}
-	var r *big.Int
+// MIMC7HashGeneric performs the MIMC7 hash over a *big.Int, in a generic way, where it can be specified the Finite Field over R, and the number of rounds
+func MIMC7HashGeneric(xInBI, kBI *big.Int, nRounds int) *big.Int {
+	xIn := ff.NewElement().SetBigInt(xInBI)
+	k := ff.NewElement().SetBigInt(kBI)
+
+	cts := getConstants(SEED, nRounds)
+	var r *ff.Element
 	for i := 0; i < nRounds; i++ {
-		var t *big.Int
+		var t *ff.Element
 		if i == 0 {
-			t = fqR.Add(xIn, k)
+			t = ff.NewElement().Add(xIn, k)
 		} else {
-			t = fqR.Add(fqR.Add(r, k), cts[i])
+			t = ff.NewElement().Add(ff.NewElement().Add(r, k), cts[i])
 		}
-		t2 := fqR.Square(t)
-		t4 := fqR.Square(t2)
-		r = fqR.Mul(fqR.Mul(t4, t2), t)
+		t2 := ff.NewElement().Square(t)
+		t4 := ff.NewElement().Square(t2)
+		r = ff.NewElement().Mul(ff.NewElement().Mul(t4, t2), t)
 	}
-	return fqR.Affine(fqR.Add(r, k)), nil
+	rE := ff.NewElement().Add(r, k)
+
+	res := big.NewInt(0)
+	rE.ToBigIntRegular(res)
+	return res
 }

-// HashGeneric performs the MIMC7 hash over a RElem array, in a generic way, where it can be specified the Finite Field over R, and the number of rounds
-func HashGeneric(iv *big.Int, arrEl []RElem, fqR field.Fq, nRounds int) (RElem, error) {
-	arr := RElemsToBigInts(arrEl)
+// HashGeneric performs the MIMC7 hash over a *big.Int array, in a generic way, where it can be specified the Finite Field over R, and the number of rounds
+func HashGeneric(iv *big.Int, arr []*big.Int, nRounds int) (*big.Int, error) {
+	if !utils.CheckBigIntArrayInField(arr) {
+		return nil, errors.New("inputs values not inside Finite Field")
+	}
 	r := iv
 	var err error
 	for i := 0; i < len(arr); i++ {
-		r, err = MIMC7HashGeneric(fqR, r, arr[i], nRounds)
+		r = MIMC7HashGeneric(r, arr[i], nRounds)
 		if err != nil {
 			return r, err
 		}
 	}
-	return RElem(r), nil
+	return r, nil
 }

-// MIMC7Hash performs the MIMC7 hash over a RElem, using the Finite Field over R and the number of rounds setted in the `constants` variable
-func MIMC7Hash(xIn, k *big.Int) *big.Int {
-	var r *big.Int
+// MIMC7Hash performs the MIMC7 hash over a *big.Int, using the Finite Field over R and the number of rounds setted in the `constants` variable
+func MIMC7Hash(xInBI, kBI *big.Int) *big.Int {
+	xIn := ff.NewElement().SetBigInt(xInBI)
+	k := ff.NewElement().SetBigInt(kBI)
+
+	var r *ff.Element
 	for i := 0; i < constants.nRounds; i++ {
-		var t *big.Int
+		var t *ff.Element
 		if i == 0 {
-			t = constants.fqR.Add(xIn, k)
+			t = ff.NewElement().Add(xIn, k)
 		} else {
-			t = constants.fqR.Add(constants.fqR.Add(r, k), constants.cts[i])
+			t = ff.NewElement().Add(ff.NewElement().Add(r, k), constants.cts[i])
 		}
-		t2 := constants.fqR.Square(t)
-		t4 := constants.fqR.Square(t2)
-		r = constants.fqR.Mul(constants.fqR.Mul(t4, t2), t)
+		t2 := ff.NewElement().Square(t)
+		t4 := ff.NewElement().Square(t2)
+		r = ff.NewElement().Mul(ff.NewElement().Mul(t4, t2), t)
 	}
-	return constants.fqR.Affine(constants.fqR.Add(r, k))
+	rE := ff.NewElement().Add(r, k)
+
+	res := big.NewInt(0)
+	rE.ToBigIntRegular(res)
+	return res
 }

-// Hash performs the MIMC7 hash over a RElem array
-func Hash(arrEl []RElem, key *big.Int) RElem {
-	arr := RElemsToBigInts(arrEl)
+// Hash performs the MIMC7 hash over a *big.Int array
+func Hash(arr []*big.Int, key *big.Int) (*big.Int, error) {
+	if !utils.CheckBigIntArrayInField(arr) {
+		return nil, errors.New("inputs values not inside Finite Field")
+	}
 	var r *big.Int
 	if key == nil {
-		r = constants.fqR.Zero()
+		r = big.NewInt(0)
 	} else {
 		r = key
 	}
-	// r := constants.iv
 	for i := 0; i < len(arr); i++ {
-		r = constants.fqR.Add(
-			constants.fqR.Add(
+		r = new(big.Int).Add(
+			new(big.Int).Add(
 				r,
 				arr[i],
 			),
 			MIMC7Hash(arr[i], r))
+		r = new(big.Int).Mod(r, _constants.Q)
 	}
-	return RElem(r)
+	return r, nil
+}
+
+// HashBytes hashes a msg byte slice by blocks of 31 bytes encoded as
+// little-endian
+func HashBytes(b []byte) (*big.Int, error) {
+	n := 31
+	bElems := make([]*big.Int, 0, len(b)/n+1)
+	for i := 0; i < len(b)/n; i++ {
+		v := new(big.Int)
+		utils.SetBigIntFromLEBytes(v, b[n*i:n*(i+1)])
+		bElems = append(bElems, v)
+	}
+	if len(b)%n != 0 {
+		v := new(big.Int)
+		utils.SetBigIntFromLEBytes(v, b[(len(b)/n)*n:])
+		bElems = append(bElems, v)
+	}
+	return Hash(bElems, nil)
 }
--- a/mimc7/mimc7_test.go
+++ b/mimc7/mimc7_test.go
@@ -5,42 +5,15 @@ import (
 	"math/big"
 	"testing"

-	"github.com/iden3/go-iden3-crypto/field"
+	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/stretchr/testify/assert"
 )

-func TestUtils(t *testing.T) {
-	b1 := big.NewInt(int64(1))
-	b2 := big.NewInt(int64(2))
-	b3 := big.NewInt(int64(3))
-	arrBigInt := []*big.Int{b1, b2, b3}
-
-	// *big.Int array to RElem array
-	rElems, err := BigIntsToRElems(arrBigInt)
-	assert.Nil(t, err)
-
-	// RElem array to *big.Int array
-	bElems := RElemsToBigInts(rElems)
-
-	assert.Equal(t, arrBigInt, bElems)
-
-	r, ok := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
-	assert.True(t, ok)
-
-	// greater or equal than R will give error when passing bigInts to RElems, to fit in the R Finite Field
-	overR, ok := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495618", 10)
-	assert.True(t, ok)
-	_, err = BigIntsToRElems([]*big.Int{b1, overR, b2})
-	assert.True(t, err != nil)
-
-	_, err = BigIntsToRElems([]*big.Int{b1, r, b2})
-	assert.True(t, err != nil)
-
-	// smaller than R will not give error when passing bigInts to RElems, to fit in the R Finite Field
-	underR, ok := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495616", 10)
-	assert.True(t, ok)
-	_, err = BigIntsToRElems([]*big.Int{b1, underR, b2})
-	assert.Nil(t, err)
+func TestKeccak256(t *testing.T) {
+	res := crypto.Keccak256([]byte(SEED))
+	assert.Equal(t, "b6e489e6b37224a50bebfddbe7d89fa8fdcaa84304a70bd13f79b5d9f7951e9e", hex.EncodeToString(res))
+	c := new(big.Int).SetBytes(crypto.Keccak256([]byte(SEED)))
+	assert.Equal(t, "82724731331859054037315113496710413141112897654334566532528783843265082629790", c.String())
 }

 func TestMIMC7Generic(t *testing.T) {
@@ -48,19 +21,12 @@ func TestMIMC7Generic(t *testing.T) {
 	b2 := big.NewInt(int64(2))
 	b3 := big.NewInt(int64(3))

-	r, ok := new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)
-	assert.True(t, ok)
-	fqR := field.NewFq(r)
-
 	bigArray := []*big.Int{b1, b2, b3}
-	elementsArray, err := BigIntsToRElems(bigArray)
-	assert.Nil(t, err)

 	// Generic Hash
-	mhg, err := MIMC7HashGeneric(fqR, b1, b2, 91)
-	assert.Nil(t, err)
+	mhg := MIMC7HashGeneric(b1, b2, 91)
 	assert.Equal(t, "10594780656576967754230020536574539122676596303354946869887184401991294982664", mhg.String())
-	hg, err := HashGeneric(fqR.Zero(), elementsArray, fqR, 91)
+	hg, err := HashGeneric(big.NewInt(0), bigArray, 91)
 	assert.Nil(t, err)
 	assert.Equal(t, "6464402164086696096195815557694604139393321133243036833927490113253119343397", (*big.Int)(hg).String())
 }
@@ -73,51 +39,44 @@ func TestMIMC7(t *testing.T) {

 	// h1, hash of 1 elements
 	bigArray1 := []*big.Int{b12}
-	elementsArray1, err := BigIntsToRElems(bigArray1)
-	assert.Nil(t, err)

-	h1 := Hash(elementsArray1, nil)
+	h1, err := Hash(bigArray1, nil)
 	assert.Nil(t, err)
 	// same hash value than the iden3js and circomlib tests:
 	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(h1).Bytes()), "0x237c92644dbddb86d8a259e0e923aaab65a93f1ec5758b8799988894ac0958fd")

 	// h2a, hash of 2 elements
 	bigArray2a := []*big.Int{b78, b41}
-	elementsArray2a, err := BigIntsToRElems(bigArray2a)
-	assert.Nil(t, err)

-	mh2a := MIMC7Hash(b12, b45)
-	assert.Nil(t, err)
-	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(mh2a).Bytes()), "0x2ba7ebad3c6b6f5a20bdecba2333c63173ca1a5f2f49d958081d9fa7179c44e4")
-
-	h2a := Hash(elementsArray2a, nil)
+	h2a, err := Hash(bigArray2a, nil)
 	assert.Nil(t, err)
 	// same hash value than the iden3js and circomlib tests:
 	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(h2a).Bytes()), "0x067f3202335ea256ae6e6aadcd2d5f7f4b06a00b2d1e0de903980d5ab552dc70")

 	// h2b, hash of 2 elements
 	bigArray2b := []*big.Int{b12, b45}
-	elementsArray2b, err := BigIntsToRElems(bigArray2b)
-	assert.Nil(t, err)

 	mh2b := MIMC7Hash(b12, b45)
 	assert.Nil(t, err)
 	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(mh2b).Bytes()), "0x2ba7ebad3c6b6f5a20bdecba2333c63173ca1a5f2f49d958081d9fa7179c44e4")

-	h2b := Hash(elementsArray2b, nil)
+	h2b, err := Hash(bigArray2b, nil)
 	assert.Nil(t, err)
 	// same hash value than the iden3js and circomlib tests:
 	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(h2b).Bytes()), "0x15ff7fe9793346a17c3150804bcb36d161c8662b110c50f55ccb7113948d8879")

 	// h4, hash of 4 elements
 	bigArray4 := []*big.Int{b12, b45, b78, b41}
-	elementsArray4, err := BigIntsToRElems(bigArray4)
-	assert.Nil(t, err)

-	h4 := Hash(elementsArray4, nil)
+	h4, err := Hash(bigArray4, nil)
 	assert.Nil(t, err)
 	// same hash value than the iden3js and circomlib tests:
 	assert.Equal(t, "0x"+hex.EncodeToString((*big.Int)(h4).Bytes()), "0x284bc1f34f335933a23a433b6ff3ee179d682cd5e5e2fcdd2d964afa85104beb")
+
+	msg := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.")
+	hmsg, err := HashBytes(msg)
+	assert.Nil(t, err)
+	assert.Equal(t, "16855787120419064316734350414336285711017110414939748784029922801367685456065", hmsg.String())
 }

 func BenchmarkMIMC7(b *testing.B) {
@@ -126,12 +85,8 @@ func BenchmarkMIMC7(b *testing.B) {
 	b78 := big.NewInt(int64(78))
 	b41 := big.NewInt(int64(41))
 	bigArray4 := []*big.Int{b12, b45, b78, b41}
-	elementsArray4, err := BigIntsToRElems(bigArray4)
-	assert.Nil(b, err)

-	var h4 RElem
 	for i := 0; i < b.N; i++ {
-		h4 = Hash(elementsArray4, nil)
+		Hash(bigArray4, nil)
 	}
-	println(h4)
 }
--- a/poseidon/poseidon.go
+++ b/poseidon/poseidon.go
@@ -1,13 +1,12 @@
 package poseidon

 import (
-	"bytes"
 	"errors"
 	"math/big"
 	"strconv"

-	_constants "github.com/iden3/go-iden3-crypto/constants"
-	"github.com/iden3/go-iden3-crypto/field"
+	"github.com/iden3/go-iden3-crypto/constants"
+	"github.com/iden3/go-iden3-crypto/ff"
 	"github.com/iden3/go-iden3-crypto/utils"
 	"golang.org/x/crypto/blake2b"
 )
@@ -17,42 +16,28 @@ const NROUNDSF = 8
 const NROUNDSP = 57
 const T = 6

-var constants = generateConstantsData()
+var constC []*ff.Element
+var constM [T][T]*ff.Element

-type constantsData struct {
-	fqR field.Fq
-	c   []*big.Int
-	m   [][]*big.Int
+func Zero() *ff.Element {
+	return ff.NewElement()
 }

-func generateConstantsData() constantsData {
-	var constants constantsData
-
-	fqR := field.NewFq(_constants.Q)
-	constants.fqR = fqR
-	constants.c = getPseudoRandom(fqR, SEED+"_constants", NROUNDSF+NROUNDSP)
-	constants.m = getMDS(fqR)
-
-	return constants
+func modQ(v *big.Int) {
+	v.Mod(v, constants.Q)
 }

-func leByteArrayToBigInt(b []byte) *big.Int {
-	res := big.NewInt(0)
-	for i := 0; i < len(b); i++ {
-		n := big.NewInt(int64(b[i]))
-		res = new(big.Int).Add(res, new(big.Int).Lsh(n, uint(i*8)))
-	}
-	return res
+func init() {
+	constC = getPseudoRandom(SEED+"_constants", NROUNDSF+NROUNDSP)
+	constM = getMDS()
 }

-func getPseudoRandom(fqR field.Fq, seed string, n int) []*big.Int {
-	var res []*big.Int
+func getPseudoRandom(seed string, n int) []*ff.Element {
+	res := make([]*ff.Element, n)
 	hash := blake2b.Sum256([]byte(seed))
-	for len(res) < n {
-		hashBigInt := new(big.Int)
-		newN := fqR.Affine(utils.SetBigIntFromLEBytes(hashBigInt, hash[:]))
-		// newN := fqR.Affine(leByteArrayToBigInt(hash[:]))
-		res = append(res, newN)
+	for i := 0; i < n; i++ {
+		hashBigInt := big.NewInt(int64(0))
+		res[i] = ff.NewElement().SetBigInt(utils.SetBigIntFromLEBytes(hashBigInt, hash[:]))
 		hash = blake2b.Sum256(hash[:])
 	}
 	return res
@@ -67,31 +52,30 @@ func nonceToString(n int) string {
 }

 // https://eprint.iacr.org/2019/458.pdf pag.8
-func getMDS(fqR field.Fq) [][]*big.Int {
+func getMDS() [T][T]*ff.Element {
 	nonce := 0
-	cauchyMatrix := getPseudoRandom(fqR, SEED+"_matrix_"+nonceToString(nonce), T*2)
+	cauchyMatrix := getPseudoRandom(SEED+"_matrix_"+nonceToString(nonce), T*2)
 	for !checkAllDifferent(cauchyMatrix) {
 		nonce += 1
-		cauchyMatrix = getPseudoRandom(fqR, SEED+"_matrix_"+nonceToString(nonce), T*2)
+		cauchyMatrix = getPseudoRandom(SEED+"_matrix_"+nonceToString(nonce), T*2)
 	}
-	var m [][]*big.Int
+	var m [T][T]*ff.Element
 	for i := 0; i < T; i++ {
-		var mi []*big.Int
 		for j := 0; j < T; j++ {
-			mi = append(mi, fqR.Inverse(fqR.Sub(cauchyMatrix[i], cauchyMatrix[T+j])))
+			m[i][j] = ff.NewElement().Sub(cauchyMatrix[i], cauchyMatrix[T+j])
+			m[i][j].Inverse(m[i][j])
 		}
-		m = append(m, mi)
 	}
 	return m
 }

-func checkAllDifferent(v []*big.Int) bool {
+func checkAllDifferent(v []*ff.Element) bool {
 	for i := 0; i < len(v); i++ {
-		if bytes.Equal(v[i].Bytes(), big.NewInt(int64(0)).Bytes()) {
+		if v[i].Equal(ff.NewElement()) {
 			return false
 		}
 		for j := i + 1; j < len(v); j++ {
-			if bytes.Equal(v[i].Bytes(), v[j].Bytes()) {
+			if v[i].Equal(v[j]) {
 				return false
 			}
 		}
@@ -100,67 +84,114 @@ func checkAllDifferent(v []*big.Int) bool {
 }

 // ark computes Add-Round Key, from the paper https://eprint.iacr.org/2019/458.pdf
-func ark(state []*big.Int, c *big.Int) []*big.Int {
-	for i := 0; i < len(state); i++ {
-		state[i] = constants.fqR.Add(state[i], c)
+func ark(state [T]*ff.Element, c *ff.Element) {
+	for i := 0; i < T; i++ {
+		state[i].Add(state[i], c)
 	}
-	return state
 }

-// cubic performs x^3 mod p
-func cubic(a *big.Int) *big.Int {
-	return constants.fqR.Mul(a, constants.fqR.Square(constants.fqR.Square(a)))
+// cubic performs x^5 mod p
+// https://eprint.iacr.org/2019/458.pdf page 8
+
+func cubic(a *ff.Element) {
+	a.Exp(*a, 5)
 }

-// sbox https://eprint.iacr.org/2019/458.pdf pag.6
-func sbox(state []*big.Int, i int) []*big.Int {
+// sbox https://eprint.iacr.org/2019/458.pdf page 6
+func sbox(state [T]*ff.Element, i int) {
 	if (i < NROUNDSF/2) || (i >= NROUNDSF/2+NROUNDSP) {
 		for j := 0; j < T; j++ {
-			state[j] = cubic(state[j])
+			cubic(state[j])
 		}
 	} else {
-		state[0] = cubic(state[0])
+		cubic(state[0])
 	}
-	return state
 }

 // mix returns [[matrix]] * [vector]
-func mix(state []*big.Int, m [][]*big.Int) []*big.Int {
-	var newState []*big.Int
-	for i := 0; i < len(state); i++ {
-		newState = append(newState, constants.fqR.Zero())
-		for j := 0; j < len(state); j++ {
-			newState[i] = constants.fqR.Add(newState[i], constants.fqR.Mul(m[i][j], state[j]))
+func mix(state [T]*ff.Element, newState [T]*ff.Element, m [T][T]*ff.Element) {
+	mul := Zero()
+	for i := 0; i < T; i++ {
+		newState[i].SetUint64(0)
+		for j := 0; j < T; j++ {
+			mul.Mul(m[i][j], state[j])
+			newState[i].Add(newState[i], mul)
 		}
 	}
-	for i := 0; i < len(state); i++ {
-		state[i] = newState[i]
-	}
-	return state
 }

-// Hash computes the Poseidon hash for the given inputs
-func Hash(inp []*big.Int) (*big.Int, error) {
-	var state []*big.Int
-	if len(inp) == 0 || len(inp) > T {
-		return nil, errors.New("wrong inputs length")
-	}
-	if !utils.CheckBigIntArrayInField(inp, constants.fqR.Q) {
+// PoseidonHash computes the Poseidon hash for the given inputs
+func PoseidonHash(inpBI [T]*big.Int) (*big.Int, error) {
+	if !utils.CheckBigIntArrayInField(inpBI[:]) {
 		return nil, errors.New("inputs values not inside Finite Field")
 	}
-
-	for i := 0; i < len(inp); i++ {
-		state = append(state, inp[i])
-	}
-	for i := len(inp); i < T; i++ {
-		state = append(state, constants.fqR.Zero())
+	inp := utils.BigIntArrayToElementArray(inpBI[:])
+	state := [T]*ff.Element{}
+	for i := 0; i < T; i++ {
+		state[i] = ff.NewElement().Set(inp[i])
 	}

 	// ARK --> SBox --> M, https://eprint.iacr.org/2019/458.pdf pag.5
-	for i := 0; i < NROUNDSF+NROUNDSP; i++ {
-		state = ark(state, constants.c[i])
-		state = sbox(state, i)
-		state = mix(state, constants.m)
+	var newState [T]*ff.Element
+	for i := 0; i < T; i++ {
+		newState[i] = Zero()
 	}
-	return state[0], nil
+	for i := 0; i < NROUNDSF+NROUNDSP; i++ {
+		ark(state, constC[i])
+		sbox(state, i)
+		mix(state, newState, constM)
+		state, newState = newState, state
+	}
+	rE := state[0]
+	r := big.NewInt(0)
+	rE.ToBigIntRegular(r)
+	return r, nil
+}
+
+// Hash performs the Poseidon hash over a ff.Element array
+// in chunks of 5 elements
+func Hash(arr []*big.Int) (*big.Int, error) {
+	r := big.NewInt(int64(1))
+	for i := 0; i < len(arr); i = i + T - 1 {
+		var toHash [T]*big.Int
+		j := 0
+		for ; j < T-1; j++ {
+			if i+j >= len(arr) {
+				break
+			}
+			toHash[j] = arr[i+j]
+		}
+		toHash[j] = r
+		j++
+		for ; j < T; j++ {
+			toHash[j] = big.NewInt(0)
+		}
+
+		ph, err := PoseidonHash(toHash)
+		if err != nil {
+			return nil, err
+		}
+		modQ(r.Add(r, ph))
+	}
+
+	return r, nil
+}
+
+// HashBytes hashes a msg byte slice by blocks of 31 bytes encoded as
+// little-endian
+func HashBytes(b []byte) (*big.Int, error) {
+	n := 31
+	bElems := make([]*big.Int, 0, len(b)/n+1)
+	for i := 0; i < len(b)/n; i++ {
+		v := big.NewInt(int64(0))
+		utils.SetBigIntFromLEBytes(v, b[n*i:n*(i+1)])
+		bElems = append(bElems, v)
+
+	}
+	if len(b)%n != 0 {
+		v := big.NewInt(int64(0))
+		utils.SetBigIntFromLEBytes(v, b[(len(b)/n)*n:])
+		bElems = append(bElems, v)
+	}
+	return Hash(bElems)
 }
--- a/poseidon/poseidon_test.go
+++ b/poseidon/poseidon_test.go
@@ -5,6 +5,7 @@ import (
 	"math/big"
 	"testing"

+	"github.com/iden3/go-iden3-crypto/utils"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/crypto/blake2b"
 )
@@ -15,15 +16,107 @@ func TestBlake2bVersion(t *testing.T) {
 }

 func TestPoseidon(t *testing.T) {
-	b1 := big.NewInt(int64(1))
-	b2 := big.NewInt(int64(2))
+	b1 := big.NewInt(1)
+	b2 := big.NewInt(2)
 	h, err := Hash([]*big.Int{b1, b2})
 	assert.Nil(t, err)
-	assert.Equal(t, "12242166908188651009877250812424843524687801523336557272219921456462821518061", h.String())
+	assert.Equal(t, "4932297968297298434239270129193057052722409868268166443802652458940273154855", h.String())

-	b3 := big.NewInt(int64(3))
-	b4 := big.NewInt(int64(4))
+	b3 := big.NewInt(3)
+	b4 := big.NewInt(4)
 	h, err = Hash([]*big.Int{b3, b4})
 	assert.Nil(t, err)
-	assert.Equal(t, "17185195740979599334254027721507328033796809509313949281114643312710535000993", h.String())
+	assert.Equal(t, "4635491972858758537477743930622086396911540895966845494943021655521913507504", h.String())
+
+	b5 := big.NewInt(5)
+	b6 := big.NewInt(6)
+	b7 := big.NewInt(7)
+	b8 := big.NewInt(8)
+	b9 := big.NewInt(9)
+	b10 := big.NewInt(10)
+	b11 := big.NewInt(11)
+	b12 := big.NewInt(12)
+	h, err = Hash([]*big.Int{b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12})
+	assert.Nil(t, err)
+	assert.Equal(t, "15278801138972282646981503374384603641625274360649669926363020545395022098027", h.String())
+
+	msg := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.")
+	n := 31
+	msgElems := make([]*big.Int, 0, len(msg)/n+1)
+	for i := 0; i < len(msg)/n; i++ {
+		v := new(big.Int)
+		utils.SetBigIntFromLEBytes(v, msg[n*i:n*(i+1)])
+		msgElems = append(msgElems, v)
+	}
+	if len(msg)%n != 0 {
+		v := new(big.Int)
+		utils.SetBigIntFromLEBytes(v, msg[(len(msg)/n)*n:])
+		msgElems = append(msgElems, v)
+	}
+	hmsg, err := Hash(msgElems)
+	assert.Nil(t, err)
+	assert.Equal(t, "16019700159595764790637132363672701294192939959594423814006267756172551741065", hmsg.String())
+
+	msg2 := []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Lorem ipsum dolor sit amet.")
+	msg2Elems := make([]*big.Int, 0, len(msg2)/n+1)
+	for i := 0; i < len(msg2)/n; i++ {
+		v := new(big.Int)
+		utils.SetBigIntFromLEBytes(v, msg2[n*i:n*(i+1)])
+		msg2Elems = append(msg2Elems, v)
+	}
+	if len(msg2)%n != 0 {
+		v := new(big.Int)
+		utils.SetBigIntFromLEBytes(v, msg2[(len(msg2)/n)*n:])
+		msg2Elems = append(msg2Elems, v)
+	}
+	hmsg2, err := Hash(msg2Elems)
+	assert.Nil(t, err)
+	assert.Equal(t, "2978613163687734485261639854325792381691890647104372645321246092227111432722", hmsg2.String())
+
+	hmsg2, err = HashBytes(msg2)
+	assert.Nil(t, err)
+	assert.Equal(t, "2978613163687734485261639854325792381691890647104372645321246092227111432722", hmsg2.String())
+}
+
+func TestPoseidonBrokenChunks(t *testing.T) {
+	h1, err := Hash([]*big.Int{big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4),
+		big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9)})
+	assert.Nil(t, err)
+	h2, err := Hash([]*big.Int{big.NewInt(5), big.NewInt(6), big.NewInt(7), big.NewInt(8), big.NewInt(9),
+		big.NewInt(0), big.NewInt(1), big.NewInt(2), big.NewInt(3), big.NewInt(4)})
+	assert.Nil(t, err)
+	assert.NotEqual(t, h1, h2)
+}
+
+func TestPoseidonBrokenPadding(t *testing.T) {
+	h1, err := Hash([]*big.Int{big.NewInt(int64(1))})
+	assert.Nil(t, err)
+	h2, err := Hash([]*big.Int{big.NewInt(int64(1)), big.NewInt(int64(0))})
+	assert.Nil(t, err)
+	assert.NotEqual(t, h1, h2)
+}
+
+func BenchmarkPoseidon(b *testing.B) {
+	b12 := big.NewInt(int64(12))
+	b45 := big.NewInt(int64(45))
+	b78 := big.NewInt(int64(78))
+	b41 := big.NewInt(int64(41))
+	bigArray4 := []*big.Int{b12, b45, b78, b41}
+
+	for i := 0; i < b.N; i++ {
+		Hash(bigArray4)
+	}
+}
+
+func BenchmarkPoseidonLarge(b *testing.B) {
+	b12 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
+	b45 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
+	b78 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
+	b41 := utils.NewIntFromString("11384336176656855268977457483345535180380036354188103142384839473266348197733")
+
+	bigArray4 := []*big.Int{b12, b45, b78, b41}
+
+	for i := 0; i < b.N; i++ {
+		Hash(bigArray4)
+	}
 }
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -6,6 +6,9 @@ import (
 	"fmt"
 	"math/big"
 	"strings"
+
+	"github.com/iden3/go-iden3-crypto/constants"
+	"github.com/iden3/go-iden3-crypto/ff"
 )

 // NewIntFromString creates a new big.Int from a decimal integer encoded as a
@@ -87,20 +90,28 @@ func HexDecodeInto(dst []byte, h []byte) error {
 	return nil
 }

-// CheckBigIntInField checks if given big.Int fits in a Field Q element
-func CheckBigIntInField(a *big.Int, q *big.Int) bool {
-	if a.Cmp(q) != -1 {
+// CheckBigIntInField checks if given *big.Int fits in a Field Q element
+func CheckBigIntInField(a *big.Int) bool {
+	if a.Cmp(constants.Q) != -1 {
 		return false
 	}
 	return true
 }

-// CheckBigIntArrayInField checks if given big.Int fits in a Field Q element
-func CheckBigIntArrayInField(arr []*big.Int, q *big.Int) bool {
+// CheckBigIntArrayInField checks if given *big.Int fits in a Field Q element
+func CheckBigIntArrayInField(arr []*big.Int) bool {
 	for _, a := range arr {
-		if !CheckBigIntInField(a, q) {
+		if !CheckBigIntInField(a) {
 			return false
 		}
 	}
 	return true
 }
+
+func BigIntArrayToElementArray(bi []*big.Int) []*ff.Element {
+	var o []*ff.Element
+	for i := range bi {
+		o = append(o, ff.NewElement().SetBigInt(bi[i]))
+	}
+	return o
+}
Author	SHA1	Message	Date
arnau	eb41fe0757	Merge pull request #18 from iden3/feature/fix32bits Fix compat with 32 bit arch	2020-03-18 11:55:56 +01:00
Eduard S	e10db811aa	Fix compat with 32 bit arch	2020-03-17 17:17:45 +01:00
Eduard S	ee467c6215	Merge pull request #16 from iden3/feature/mimc7-goff Feature/mimc7 goff	2020-03-06 16:27:36 +01:00
arnaucube	4750e9c83c	Remove field package which is no longer used	2020-03-06 16:24:41 +01:00
arnaucube	16a8a18a6d	Optimize MiMC7 migrating from big.Int to goff Optimize MiMC7 migrating from big.Int to goff generated finite field operations. There is still a lot of room for optimization for MiMC7 in the way that is done internally, but will be done in the future. Benchmarks: Tested on a Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, with 16GB of RAM. - Before: ``` BenchmarkMIMC7-4 1026 1160298 ns/op ``` - After this commit: ``` BenchmarkMIMC7-4 19263 61651 ns/op ```	2020-03-05 17:35:25 +01:00
arnau	e8be761ec7	Merge pull request #15 from iden3/feature/poseidon-opt-goff Feature/poseidon opt goff	2020-03-04 18:34:17 +01:00
arnaucube	2a3f0d9ed5	Adapt babyjub/eddsa to new Poseidon methods	2020-03-04 12:57:20 +01:00
Eduard S	5d88f7c4cd	Merge pull request #13 from iden3/feature/update-bbjj-sig Update BabyJubJub signature with Poseidon	2020-03-03 17:57:27 +01:00
arnaucube	b45d8a582b	Optimize Poseidon migrating from big.Int to goff Optimize Poseidon migrating from big.Int to goff generated finite field operations. Benchmarks: Tested on a Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, with 16GB of RAM. - Before the optimizations: ``` BenchmarkPoseidon-4 470 2489678 ns/op BenchmarkPoseidonLarge-4 476 2530568 ns/op ``` - With the optimizations of #12: ``` BenchmarkPoseidon-4 766 1550013 ns/op BenchmarkPoseidonLarge-4 782 1547572 ns/op ``` - With the changes of this PR, where uses goff generated code instead of *big.Int: ``` BenchmarkPoseidon-4 9638 121651 ns/op BenchmarkPoseidonLarge-4 9781 119921 ns/op ```	2020-03-03 16:31:40 +01:00
arnaucube	83f87bfa46	Resolve #4	2020-03-03 16:31:09 +01:00
arnaucube	17bad75853	Add goff generated finite field arithmetic code for used field	2020-03-03 16:30:00 +01:00
arnaucube	97c76ce614	Update BabyJubJub signature with Poseidon	2020-03-03 12:42:18 +01:00
arnau	937500b203	Merge pull request #12 from iden3/feature/optimizeposeidon Optimize Poseidon	2019-12-22 20:40:00 +01:00
Eduard S	c0c4ff2dd7	Optimize Poseidon	2019-12-18 11:46:17 +01:00
Eduard S	8d5a7a7ccb	Merge pull request #11 from iden3/fix/issue-9 Fix/issue #9	2019-12-18 11:03:37 +01:00
arnaucube	c754d01ce0	poseidon consistent use of T	2019-12-17 18:15:22 +01:00
arnaucube	fcb586591a	fix #9	2019-12-17 18:04:49 +01:00
Eduard S	7c6170453e	Add test that breaks poseidion due to padding	2019-12-16 17:24:22 +01:00
Eduard S	27ec5b26df	Add test that breaks poseidon due to a security issue	2019-12-16 16:48:38 +01:00
Eduard S	53b9050d0a	Add babujub eddsa benchmarks	2019-12-16 13:36:43 +01:00
Eduard S	a5b6afcb16	Add poseidon and babyjub benchmarks	2019-12-16 13:08:34 +01:00
arnau	4356f44a3d	Merge pull request #6 from iden3/feature/testBJPKField Test that babyjub pk is always < Q	2019-12-09 15:59:10 +01:00
Eduard S	5ade04e079	Test that babyjub pk is always < Q	2019-12-09 12:30:50 +01:00
Eduard S	eb7d86c5b3	Merge pull request #5 from iden3/decompress-modsqrt return error if no ModSqrt(x, q) exist in babyjubjub decompress point	2019-09-10 10:48:18 +02:00
arnaucube	a60e154d86	return error if no ModSqrt(x, q) exist in babyjubjub decompress point	2019-09-10 00:36:54 +02:00
arnaucube	c95c95b7b1	add Poseidon multihash ([]*big.Int), add HashBytes for MiMC7 & Poseidon	2019-08-31 20:07:03 +02:00
arnaucube	2b1935299c	MiMC7 finite field over R comprovation moved inside hash, same approach as Poseidon impl	2019-08-30 11:58:10 +02:00
arnaucube	0bac1c84ba	add babyjub-eddsa Poseidon sign & verify	2019-08-29 17:52:30 +02:00
arnaucube	c4b3b7a09c	update babyjub B8, clean unused funcs & errs in mimc7, small update in mimc7 tests	2019-08-03 20:55:08 +02:00