Solidity Libraries
Audited Solidity libraries for Circle STARK verification, PLONK, BLS12-381, and Merkle proofs.
Status
These libraries currently live in upp-sdk and upc-sdk. They will be extracted into @permissionless-technologies/uph once ready for standalone publication.
Circle STARK Verifier Stack
Built for the Stwo prover, using the Mersenne-31 field and circle group.
M31Lib.sol
Mersenne-31 field arithmetic: M31, CM31 (complex extension), QM31 (quartic extension / SecureField).
| Function | Description |
|---|---|
| m31Add(a, b) | Addition in the Mersenne-31 field |
| m31Mul(a, b) | Multiplication via Mersenne reduction |
| m31Inv(a) | Inversion via Fermat's little theorem |
| cm31Pack(real, imag) | Pack CM31 into uint64 |
| cm31Mul(a, b) | Complex multiplication |
| qm31FromM31(a, b, c, d) | Construct QM31 from four M31 values |
| qm31Mul(a, b) | Quartic field multiplication |
Reuse potential: Any STARK implementation using the Mersenne-31 field.
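An added Python reference model of the M31Lib operations above (not SDK code), useful for cross-checking values returned by the on-chain library. It assumes the Stwo tower: CM31 = M31[i] with i^2 = -1 and QM31 = CM31[u] with u^2 = 2 + i; function names mirror the table.

```python
# Reference model of M31Lib field arithmetic (added example, not SDK code).
P = (1 << 31) - 1  # Mersenne-31 prime, 2^31 - 1

def m31_reduce(x: int) -> int:
    """Mersenne reduction for 0 <= x < 2^63: fold high bits twice (2^31 = 1 mod P)."""
    x = (x & P) + (x >> 31)
    x = (x & P) + (x >> 31)
    return x - P if x >= P else x

def m31_add(a: int, b: int) -> int:
    return m31_reduce(a + b)

def m31_sub(a: int, b: int) -> int:
    return m31_reduce(a + P - b)  # inputs assumed already reduced

def m31_mul(a: int, b: int) -> int:
    return m31_reduce(a * b)

def m31_inv(a: int) -> int:
    """Fermat inversion: a^(P-2) = a^-1 for nonzero a."""
    if a % P == 0:
        raise ZeroDivisionError("M31 zero has no inverse")
    return pow(a, P - 2, P)

# CM31 values are (real, imag) pairs over M31, with i^2 = -1.
def cm31_add(a, b):
    return (m31_add(a[0], b[0]), m31_add(a[1], b[1]))

def cm31_mul(a, b):
    ar, ai = a
    br, bi = b
    return (m31_sub(m31_mul(ar, br), m31_mul(ai, bi)),
            m31_add(m31_mul(ar, bi), m31_mul(ai, br)))

# QM31 values are (CM31, CM31) pairs, with u^2 = R = 2 + i (Stwo's choice, assumed).
R = (2, 1)

def qm31_from_m31(a: int, b: int, c: int, d: int):
    return ((a, b), (c, d))

def qm31_mul(x, y):
    a, b = x
    c, d = y
    # (a + b*u)(c + d*u) = (ac + R*bd) + (ad + bc)*u
    return (cm31_add(cm31_mul(a, c), cm31_mul(R, cm31_mul(b, d))),
            cm31_add(cm31_mul(a, d), cm31_mul(b, c)))
```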
CircleDomain.sol
Circle curve domain construction for Circle STARKs.
| Function | Description |
|---|---|
| circleDomainAt(logSize, i) | Get domain point at index i |
| subgroupGen(logSize) | Get subgroup generator |
| circleMul(x, y, scalar) | Circle point scalar multiplication |
Reuse potential: Any Stwo-compatible prover or verifier.
FriVerifier.sol
FRI (Fast Reed-Solomon IOP) protocol verification over the circle domain.
| Function | Description |
|---|---|
| verifyFriProof(...) | Full FRI layer verification |
| fold(fP, fNeg, twiddleInv, alpha) | Single fold operation |
| verifyLastLayer(...) | Last-layer polynomial check |
| bitReverseIndex(i, logSize) | Bit reversal for domain indexing |
Reuse potential: Any FRI-based proof system.
OodQuotients.sol (DEEP)
DEEP (Domain Extension for Eliminating Pretenders) quotient computation.
Reuse potential: Circle STARK verifiers using the DEEP-FRI approach.
KeccakChannel.sol
Fiat-Shamir channel using Keccak-256 (instead of Blake2s, for EVM efficiency).
| Function | Description |
|---|---|
| mixRoot(state, root) | Mix a Merkle root into channel state |
| mixFeltsFlat(state, values) | Mix M31 values into channel |
| drawSecureFelt(state) | Draw a random QM31 challenge |
| drawU32s(state) | Draw 8 random uint32 values |
| verifyPowNonce(state, nBits, nonce) | Verify proof-of-work nonce |
Reuse potential: Any STARK verifier that wants Keccak-based Fiat-Shamir on EVM.
CircleStarkVerifier.sol
Full parameterized Circle STARK verifier. Combines all the above libraries.
Parameters (constructor):
- TRACE_WIDTH: number of trace columns (46 for withdrawal, 57 for transfer)
- N_CONSTRAINTS: number of constraints
- MULTI_MASK_COL_0, MULTI_MASK_COL_1: shifted column indices
Reuse potential: Any protocol using Stwo-generated STARK proofs.
PLONK / BLS12-381 Stack
BLS12381.sol
Wrapper around EIP-2537 precompiles (live since Pectra, May 2025).
| Function | Description |
|---|---|
| g1Add(a, b) | G1 point addition |
| g1Mul(point, scalar) | G1 scalar multiplication |
| g2Add(a, b) | G2 point addition |
| pairing(pairs) | Multi-pairing check |
Reuse potential: Any BLS12-381 application (BLS signatures, KZG commitments, PLONK).
PlonkVerifierBLS12381.sol
Generic PLONK verifier for any circuit compiled to BLS12-381.
| Function | Description |
|---|---|
| verify(proof, publicInputs) | Verify a PLONK proof |
Implements IAttestationVerifier — plug directly into the AttestationHub.
Reuse potential: Any PLONK circuit targeting BLS12-381.
Utilities
MerkleVerifier.sol
Merkle proof verification with Keccak-256 (compatible with standard Merkle trees).
```solidity
function verify(
    bytes32 root,
    bytes32 leaf,
    bytes32[] calldata proof
) internal pure returns (bool)
```
Reuse potential: Universal, any protocol using Merkle proofs.