[INFO] cloning repository https://github.com/ronin207/vc-pqc [INFO] running `Command { std: "git" "-c" "credential.helper=" "-c" "credential.helper=/workspace/cargo-home/bin/git-credential-null" "clone" "--bare" "https://github.com/ronin207/vc-pqc" "/workspace/cache/git-repos/https%3A%2F%2Fgithub.com%2Fronin207%2Fvc-pqc", kill_on_drop: false }` [INFO] [stderr] Cloning into bare repository '/workspace/cache/git-repos/https%3A%2F%2Fgithub.com%2Fronin207%2Fvc-pqc'... [INFO] running `Command { std: "git" "rev-parse" "HEAD", kill_on_drop: false }` [INFO] [stdout] 468edb09f0ba1aacacb69eb0a7b4e5a800503499 [INFO] testing ronin207/vc-pqc against 1.91.0 for beta-1.92-2 [INFO] running `Command { std: "git" "clone" "/workspace/cache/git-repos/https%3A%2F%2Fgithub.com%2Fronin207%2Fvc-pqc" "/workspace/builds/worker-0-tc1/source", kill_on_drop: false }` [INFO] [stderr] Cloning into '/workspace/builds/worker-0-tc1/source'... [INFO] [stderr] done. [INFO] started tweaking git repo https://github.com/ronin207/vc-pqc [INFO] finished tweaking git repo https://github.com/ronin207/vc-pqc [INFO] tweaked toml for git repo https://github.com/ronin207/vc-pqc written to /workspace/builds/worker-0-tc1/source/Cargo.toml [INFO] validating manifest of git repo https://github.com/ronin207/vc-pqc on toolchain 1.91.0 [INFO] running `Command { std: CARGO_HOME="/workspace/cargo-home" RUSTUP_HOME="/workspace/rustup-home" "/workspace/cargo-home/bin/cargo" "+1.91.0" "metadata" "--manifest-path" "Cargo.toml" "--no-deps", kill_on_drop: false }` [INFO] crate git repo https://github.com/ronin207/vc-pqc already has a lockfile, it will not be regenerated [INFO] running `Command { std: CARGO_HOME="/workspace/cargo-home" RUSTUP_HOME="/workspace/rustup-home" "/workspace/cargo-home/bin/cargo" "+1.91.0" "fetch" "--manifest-path" "Cargo.toml", kill_on_drop: false }` [INFO] [stderr] Downloading crates ... [INFO] [stderr] Downloaded criterion-plot v0.5.0 [INFO] [stderr] Downloaded criterion v0.5.1 [INFO] running `Command { std: "docker" "create" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/target:/opt/rustwide/target:rw,Z" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/source:/opt/rustwide/workdir:ro,Z" "-v" "/var/lib/crater-agent-workspace/cargo-home:/opt/rustwide/cargo-home:ro,Z" "-v" "/var/lib/crater-agent-workspace/rustup-home:/opt/rustwide/rustup-home:ro,Z" "-e" "SOURCE_DIR=/opt/rustwide/workdir" "-e" "CARGO_TARGET_DIR=/opt/rustwide/target" "-e" "CARGO_HOME=/opt/rustwide/cargo-home" "-e" "RUSTUP_HOME=/opt/rustwide/rustup-home" "-w" "/opt/rustwide/workdir" "-m" "1610612736" "--user" "0:0" "--network" "none" "ghcr.io/rust-lang/crates-build-env/linux@sha256:4848fb76d95f26979359cc7e45710b1dbc8f3acb7aeedee7c460d7702230f228" "/opt/rustwide/cargo-home/bin/cargo" "+1.91.0" "metadata" "--no-deps" "--format-version=1", kill_on_drop: false }` [INFO] [stdout] 4f89768ea23e24e210319f27e9f26d7672d81b517265865aa98591d3bcc16753 [INFO] running `Command { std: "docker" "start" "-a" "4f89768ea23e24e210319f27e9f26d7672d81b517265865aa98591d3bcc16753", kill_on_drop: false }` [INFO] running `Command { std: "docker" "inspect" "4f89768ea23e24e210319f27e9f26d7672d81b517265865aa98591d3bcc16753", kill_on_drop: false }` [INFO] running `Command { std: "docker" "rm" "-f" "4f89768ea23e24e210319f27e9f26d7672d81b517265865aa98591d3bcc16753", kill_on_drop: false }` [INFO] [stdout] 4f89768ea23e24e210319f27e9f26d7672d81b517265865aa98591d3bcc16753 [INFO] running `Command { std: "docker" "create" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/target:/opt/rustwide/target:rw,Z" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/source:/opt/rustwide/workdir:ro,Z" "-v" "/var/lib/crater-agent-workspace/cargo-home:/opt/rustwide/cargo-home:ro,Z" "-v" "/var/lib/crater-agent-workspace/rustup-home:/opt/rustwide/rustup-home:ro,Z" "-e" "SOURCE_DIR=/opt/rustwide/workdir" "-e" "CARGO_TARGET_DIR=/opt/rustwide/target" "-e" "CARGO_INCREMENTAL=0" "-e" "RUST_BACKTRACE=full" "-e" "RUSTFLAGS=--cap-lints=warn" "-e" "RUSTDOCFLAGS=--cap-lints=warn" "-e" "CARGO_HOME=/opt/rustwide/cargo-home" "-e" "RUSTUP_HOME=/opt/rustwide/rustup-home" "-w" "/opt/rustwide/workdir" "-m" "1610612736" "--user" "0:0" "--network" "none" "ghcr.io/rust-lang/crates-build-env/linux@sha256:4848fb76d95f26979359cc7e45710b1dbc8f3acb7aeedee7c460d7702230f228" "/opt/rustwide/cargo-home/bin/cargo" "+1.91.0" "build" "--frozen" "--message-format=json", kill_on_drop: false }` [INFO] [stdout] eb9f9947b575aefe05b5f0b00124cdebad379feb3396bf4fdd2bf247842eddef [INFO] running `Command { std: "docker" "start" "-a" "eb9f9947b575aefe05b5f0b00124cdebad379feb3396bf4fdd2bf247842eddef", kill_on_drop: false }` [INFO] [stderr] Compiling syn v2.0.101 [INFO] [stderr] Compiling libc v0.2.172 [INFO] [stderr] Compiling zerocopy v0.8.25 [INFO] [stderr] Compiling serde v1.0.219 [INFO] [stderr] Compiling digest v0.10.7 [INFO] [stderr] Compiling sha2 v0.10.9 [INFO] [stderr] Compiling getrandom v0.2.16 [INFO] [stderr] Compiling rand_core v0.6.4 [INFO] [stderr] Compiling ppv-lite86 v0.2.21 [INFO] [stderr] Compiling rand_chacha v0.3.1 [INFO] [stderr] Compiling rand v0.8.5 [INFO] [stderr] Compiling serde_derive v1.0.219 [INFO] [stderr] Compiling zeroize_derive v1.4.2 [INFO] [stderr] Compiling thiserror-impl v1.0.69 [INFO] [stderr] Compiling zeroize v1.8.1 [INFO] [stderr] Compiling merlin v3.0.0 [INFO] [stderr] Compiling thiserror v1.0.69 [INFO] [stderr] Compiling bincode v1.3.3 [INFO] [stderr] Compiling vc-pqc v0.1.0 (/opt/rustwide/workdir) [INFO] [stderr] Finished `dev` profile [unoptimized + debuginfo] target(s) in 18.75s [INFO] running `Command { std: "docker" "inspect" "eb9f9947b575aefe05b5f0b00124cdebad379feb3396bf4fdd2bf247842eddef", kill_on_drop: false }` [INFO] running `Command { std: "docker" "rm" "-f" "eb9f9947b575aefe05b5f0b00124cdebad379feb3396bf4fdd2bf247842eddef", kill_on_drop: false }` [INFO] [stdout] eb9f9947b575aefe05b5f0b00124cdebad379feb3396bf4fdd2bf247842eddef [INFO] running `Command { std: "docker" "create" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/target:/opt/rustwide/target:rw,Z" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/source:/opt/rustwide/workdir:ro,Z" "-v" "/var/lib/crater-agent-workspace/cargo-home:/opt/rustwide/cargo-home:ro,Z" "-v" "/var/lib/crater-agent-workspace/rustup-home:/opt/rustwide/rustup-home:ro,Z" "-e" "SOURCE_DIR=/opt/rustwide/workdir" "-e" "CARGO_TARGET_DIR=/opt/rustwide/target" "-e" "CARGO_INCREMENTAL=0" "-e" "RUST_BACKTRACE=full" "-e" "RUSTFLAGS=--cap-lints=warn" "-e" "RUSTDOCFLAGS=--cap-lints=warn" "-e" "CARGO_HOME=/opt/rustwide/cargo-home" "-e" "RUSTUP_HOME=/opt/rustwide/rustup-home" "-w" "/opt/rustwide/workdir" "-m" "1610612736" "--user" "0:0" "--network" "none" "ghcr.io/rust-lang/crates-build-env/linux@sha256:4848fb76d95f26979359cc7e45710b1dbc8f3acb7aeedee7c460d7702230f228" "/opt/rustwide/cargo-home/bin/cargo" "+1.91.0" "test" "--frozen" "--no-run" "--message-format=json", kill_on_drop: false }` [INFO] [stdout] 8edd0b0f390f6dae33b7a671c25541f87e586a9fd3370410f91781c729506059 [INFO] running `Command { std: "docker" "start" "-a" "8edd0b0f390f6dae33b7a671c25541f87e586a9fd3370410f91781c729506059", kill_on_drop: false }` [INFO] [stderr] Compiling libc v0.2.172 [INFO] [stderr] Compiling either v1.15.0 [INFO] [stderr] Compiling half v2.6.0 [INFO] [stderr] Compiling serde v1.0.219 [INFO] [stderr] Compiling num-traits v0.2.19 [INFO] [stderr] Compiling memchr v2.7.5 [INFO] [stderr] Compiling ciborium-io v0.2.2 [INFO] [stderr] Compiling plotters-backend v0.3.7 [INFO] [stderr] Compiling regex-syntax v0.8.5 [INFO] [stderr] Compiling clap_builder v4.5.41 [INFO] [stderr] Compiling cast v0.3.0 [INFO] [stderr] Compiling oorandom v11.1.5 [INFO] [stderr] Compiling anes v0.1.6 [INFO] [stderr] Compiling itertools v0.10.5 [INFO] [stderr] Compiling rayon v1.10.0 [INFO] [stderr] Compiling plotters-svg v0.3.7 [INFO] [stderr] Compiling ciborium-ll v0.2.2 [INFO] [stderr] Compiling getrandom v0.2.16 [INFO] [stderr] Compiling is-terminal v0.4.16 [INFO] [stderr] Compiling rand_core v0.6.4 [INFO] [stderr] Compiling plotters v0.3.7 [INFO] [stderr] Compiling rand_chacha v0.3.1 [INFO] [stderr] Compiling merlin v3.0.0 [INFO] [stderr] Compiling rand v0.8.5 [INFO] [stderr] Compiling criterion-plot v0.5.0 [INFO] [stderr] Compiling regex-automata v0.4.9 [INFO] [stderr] Compiling serde_json v1.0.140 [INFO] [stderr] Compiling bincode v1.3.3 [INFO] [stderr] Compiling ciborium v0.2.2 [INFO] [stderr] Compiling clap v4.5.41 [INFO] [stderr] Compiling vc-pqc v0.1.0 (/opt/rustwide/workdir) [INFO] [stderr] Compiling tinytemplate v1.2.1 [INFO] [stderr] Compiling regex v1.11.1 [INFO] [stderr] Compiling criterion v0.5.1 [INFO] [stderr] Finished `test` profile [unoptimized + debuginfo] target(s) in 25.32s [INFO] running `Command { std: "docker" "inspect" "8edd0b0f390f6dae33b7a671c25541f87e586a9fd3370410f91781c729506059", kill_on_drop: false }` [INFO] running `Command { std: "docker" "rm" "-f" "8edd0b0f390f6dae33b7a671c25541f87e586a9fd3370410f91781c729506059", kill_on_drop: false }` [INFO] [stdout] 8edd0b0f390f6dae33b7a671c25541f87e586a9fd3370410f91781c729506059 [INFO] running `Command { std: "docker" "create" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/target:/opt/rustwide/target:rw,Z" "-v" "/var/lib/crater-agent-workspace/builds/worker-0-tc1/source:/opt/rustwide/workdir:ro,Z" "-v" "/var/lib/crater-agent-workspace/cargo-home:/opt/rustwide/cargo-home:ro,Z" "-v" "/var/lib/crater-agent-workspace/rustup-home:/opt/rustwide/rustup-home:ro,Z" "-e" "SOURCE_DIR=/opt/rustwide/workdir" "-e" "CARGO_TARGET_DIR=/opt/rustwide/target" "-e" "CARGO_INCREMENTAL=0" "-e" "RUST_BACKTRACE=full" "-e" "RUSTFLAGS=--cap-lints=warn" "-e" "RUSTDOCFLAGS=--cap-lints=warn" "-e" "CARGO_HOME=/opt/rustwide/cargo-home" "-e" "RUSTUP_HOME=/opt/rustwide/rustup-home" "-w" "/opt/rustwide/workdir" "-m" "1610612736" "--user" "0:0" "--network" "none" "ghcr.io/rust-lang/crates-build-env/linux@sha256:4848fb76d95f26979359cc7e45710b1dbc8f3acb7aeedee7c460d7702230f228" "/opt/rustwide/cargo-home/bin/cargo" "+1.91.0" "test" "--frozen", kill_on_drop: false }` [INFO] [stdout] 14f1f7cfa4a471ff1c4627b1c832a213bf24beccde6408b09b126910c4b5339b [INFO] running `Command { std: "docker" "start" "-a" "14f1f7cfa4a471ff1c4627b1c832a213bf24beccde6408b09b126910c4b5339b", kill_on_drop: false }` [INFO] [stderr] Finished `test` profile [unoptimized + debuginfo] target(s) in 0.14s [INFO] [stderr] Running unittests src/lib.rs (/opt/rustwide/target/debug/deps/vc_pqc-efee575d92413719) [INFO] [stdout] [INFO] [stdout] running 33 tests [INFO] [stdout] test loquat::field_utils::tests::test_legendre_prf_deterministic ... ok [INFO] [stdout] test loquat::field_p127::tests::test_fp2_pow_two_matches_squaring ... ok [INFO] [stdout] test loquat::field_p127::tests::test_fp127_rand_nonzero ... ok [INFO] [stdout] test loquat::fft::tests::test_fft_ifft_roundtrip ... ok [INFO] [stdout] test loquat::field_utils::tests::test_u128_field_conversion ... ok [INFO] [stdout] test loquat::setup::tests::test_hash_functions_generation ... ok [INFO] [stdout] test loquat::fft::tests::test_fft_matches_naive_evaluations ... ok [INFO] [stdout] test loquat::sumcheck::tests::test_sumcheck_protocol ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_field_arithmetic_edge_cases ... ok [INFO] [stdout] test loquat::field_utils::tests::test_field_operations ... ok [INFO] [stdout] test loquat::field_utils::tests::test_constant_time_legendre ... ok [INFO] [stdout] test loquat::setup::tests::test_coset_generator_power ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_invalid_setup_parameters ... ok [INFO] [stdout] test loquat::setup::tests::test_invalid_security_level ... ok [INFO] [stdout] test loquat::fft::tests::test_fft_constant_polynomial ... ok [INFO] [stdout] test loquat::setup::tests::test_loquat_setup_parameters ... ok [INFO] [stdout] test loquat::keygen::tests::test_keygen_with_params ... ok [INFO] [stdout] test loquat::iop_key_id::tests::test_invalid_witness_rejection ... ok [INFO] [stdout] test loquat::iop_key_id::tests::test_iop_key_identification ... ok [INFO] [stdout] test loquat::iop_key_id::tests::test_iop_verification ... ok [INFO] [stdout] test loquat::keygen::tests::test_forbidden_value_avoidance_with_setup ... ok [INFO] [stdout] test loquat::iop_key_id::tests::test_challenge_determinism ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_complete_signature_flow ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_message_binding ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_malformed_signature_rejection ... ok [INFO] [stdout] test loquat::verify::tests::test_valid_signature_verification ... ok [INFO] [stdout] test loquat::verify::tests::test_invalid_signature_tampered_message ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_public_key_mismatch ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_signature_unforgeability ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_large_message_signature ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_empty_message_signature ... ok [INFO] [stdout] test loquat::tests::integration_tests::test_tampered_signature_components ... FAILED [INFO] [stderr] error: test failed, to rerun pass `--lib` [INFO] [stdout] test loquat::tests::integration_tests::test_different_security_levels ... ok [INFO] [stdout] [INFO] [stdout] failures: [INFO] [stdout] [INFO] [stdout] ---- loquat::tests::integration_tests::test_tampered_signature_components stdout ---- [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 2: LOQUAT SETUP ================== [INFO] [stdout] INPUT: Security Parameter λ = 128 [INFO] [stdout] [INFO] [stdout] --- STEP 2: Public Parameters for Legendre PRF --- [INFO] [stdout] ✓ L (public key bits): 256 (derived from λ=128) [INFO] [stdout] ✓ B (challenged residuosity symbols): 64 (B ≤ L constraint satisfied) [INFO] [stdout] ✓ I = {I₁, ..., I_L}: Generated 256 random field elements from F_p [INFO] [stdout] ✓ m (degree bound): 16 (power of 2 requirement satisfied) [INFO] [stdout] ✓ n (parallel executions): 4 (where m * n = 64 ≥ B = 64) [INFO] [stdout] [INFO] [stdout] --- STEP 3: Public Parameters for Univariate Sumcheck and LDT --- [INFO] [stdout] ✓ η (localization parameter): 2 [INFO] [stdout] ✓ κ (query repetition parameter): 80 [INFO] [stdout] ✓ Minimum rate denominator: 4m + κ*2^η = 384 [INFO] [stdout] ✓ |H| = 32 [INFO] [stdout] ✓ |U| = 512 (next power of 2 ≥ 384) [INFO] [stdout] ✓ ρ* = 1 (power of two bound) [INFO] [stdout] ✓ r (LDT round complexity): 4 [INFO] [stdout] • U(1) size: 128 [INFO] [stdout] • U(2) size: 32 [INFO] [stdout] • U(3) size: 8 [INFO] [stdout] • U(4) size: 2 [INFO] [stdout] [INFO] [stdout] --- STEP 5: Parameter Validation --- [INFO] [stdout] ✓ All parameter constraints satisfied [INFO] [stdout] [INFO] [stdout] --- OUTPUT: L-pp Generated Successfully --- [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 3: LOQUAT KEY GENERATION ================== [INFO] [stdout] INPUT: Public parameters L-pp [INFO] [stdout] Following Algorithm 3 specification from rules.mdc [INFO] [stdout] [INFO] [stdout] --- STEP 2: L-KeyGen Process --- [INFO] [stdout] Parameters received: [INFO] [stdout] L = 256 (public key bit length) [INFO] [stdout] |I| = 256 (number of public indices) [INFO] [stdout] [INFO] [stdout] --- STEP 3: Generate Secret Key --- [INFO] [stdout] Requirement: Randomly pick K from F_p* excluding {-I₁, ..., -I_L} [INFO] [stdout] ✓ Excluded set {-I₁, ..., -I_L} created with 256 elements [INFO] [stdout] ✓ Secret key sampled after 1 attempt(s) [INFO] [stdout] Constraint K ∈ F_p* \ {-I₁, ..., -I_L} satisfied [INFO] [stdout] [INFO] [stdout] --- STEP 4: Generate Public Key --- [INFO] [stdout] Computing pk = L_K(I) = (L_K(I₁), ..., L_K(I_L)) [INFO] [stdout] L_K(I_1) = L_K(Fp127(0x7e3b5f21767614d75f2deb959a40c939)) = Fp127(0x0) [INFO] [stdout] L_K(I_2) = L_K(Fp127(0x6410d0ea293a7436365efa64d8de6aad)) = Fp127(0x0) [INFO] [stdout] L_K(I_3) = L_K(Fp127(0x12b85ee35619853081fa52559a81252f)) = Fp127(0x1) [INFO] [stdout] L_K(I_4) = L_K(Fp127(0x4d16a035b5fd04bb897a1897513bc6c)) = Fp127(0x1) [INFO] [stdout] L_K(I_5) = L_K(Fp127(0x34dad5dd2f99191a86ed01a14a0a56ed)) = Fp127(0x1) [INFO] [stdout] ... (computing remaining 251 values) [INFO] [stdout] ✓ Public key computed: L = 256 bits [INFO] [stdout] Legendre PRF output distribution: [INFO] [stdout] Value Fp127(0x1): 135 occurrences (52.7%) [INFO] [stdout] Value Fp127(0x0): 121 occurrences (47.3%) [INFO] [stdout] [INFO] [stdout] --- VERIFICATION: Legendre PRF Constraints --- [INFO] [stdout] ✓ All Legendre PRF computations verified correctly [INFO] [stdout] ✓ pk[i] = L_K(I_i) constraint satisfied for all i ∈ [L] [INFO] [stdout] [INFO] [stdout] --- STEP 5: Output Key Pair --- [INFO] [stdout] ✓ Key pair (sk, pk) generated successfully [INFO] [stdout] Secret key size: 1 field elements [INFO] [stdout] Public key size: 256 field elements (256 bits) [INFO] [stdout] [INFO] [stdout] --- SECURITY VERIFICATION --- [INFO] [stdout] ✓ sk ∉ {-I₁, ..., -I_L} (collision avoidance) [INFO] [stdout] ✓ sk ≠ 0 (non-zero requirement) [INFO] [stdout] ✓ pk = L_K(I) where L_K is the Legendre PRF with key K [INFO] [stdout] ================== ALGORITHM 3 COMPLETE ================== [INFO] [stdout] [INFO] [stdout] [INFO] [stdout] ================== ALGORITHMS 4-6: LOQUAT SIGN ================== [INFO] [stdout] INPUT: Public parameter L-pp, secret key sk, message M [INFO] [stdout] Following Algorithms 4, 5, 6 specification from rules.mdc [INFO] [stdout] Message length: 14 bytes [INFO] [stdout] Public key length: 256 field elements [INFO] [stdout] Parameters: m=16, n=4, L=256, B=64, κ=80 [INFO] [stdout] ✓ Message commitment computed: 32 bytes [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 4: LOQUAT SIGN PART I ================== [INFO] [stdout] [INFO] [stdout] --- PHASE 1: Commit to secret key and randomness --- [INFO] [stdout] Following Algorithm 4, Phase 1 specification [INFO] [stdout] [INFO] [stdout] --- Step 1.1: Computing T values (Legendre PRF outputs) --- [INFO] [stdout] ✓ Generated vanishing polynomial values Z_H(x) over U [INFO] [stdout] ✓ Sampling randomness matrix r_{j,i} and constructing masked polynomials [INFO] [stdout] ✓ Generated randomness matrix r_{j,i} for j ∈ [4], i ∈ [16] [INFO] [stdout] ✓ Masked commitments prepared for Merkle binding over U [INFO] [stdout] ✓ Computed masked evaluations ĉ'_j|_U for all j ∈ [n] [INFO] [stdout] [INFO] [stdout] --- Step 1.4: Merkle commitment to c'_j evaluations over U --- [INFO] [stdout] ✓ Merkle tree created with 512 leaves for |U| = 512 [INFO] [stdout] ✓ root_c committed to transcript [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 2: Compute residuosity symbols --- [INFO] [stdout] Following Algorithm 4, Phase 2 specification [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) computed [INFO] [stdout] ✓ Expanded h₁ to get I_{i,j} indices: 64 total [INFO] [stdout] [INFO] [stdout] --- Step 2.1: Computing o_{i,j} values --- [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 3: Compute witness vector for univariate sumcheck --- [INFO] [stdout] Following Algorithm 4, Phase 3 specification [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) computed [INFO] [stdout] ✓ Expanded h₂ to get λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Building witness polynomial data --- [INFO] [stdout] ✓ Polynomial evaluations over H sum to μ [INFO] [stdout] ✓ μ = Σ_{j=1}^n ε_j * (Σ_{i=1}^m λ_{i,j} * o_{i,j}) = Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] --- Step 3.4: Executing univariate sumcheck protocol --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK PROOF GENERATION --- [INFO] [stdout] Polynomial evaluations length: 32 [INFO] [stdout] Expected length (2^5): 32 [INFO] [stdout] Claimed sum: Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] First few evaluations: [Fp2(Fp127(0x75201ef20592d68a34a5043a08f7b875), Fp127(0x0)), Fp2(Fp127(0x13b666fdfa839d4ef6a72953e4138f7e), Fp127(0x0)), Fp2(Fp127(0x7e4e5f3f80d32dd4a222c7c7f8bb63fc), Fp127(0x0)), Fp2(Fp127(0x6489f3212c73801c49d6b28e2309421), Fp127(0x0)), Fp2(Fp127(0x14f9891622e409030616e90cfedc543d), Fp127(0x0)), Fp2(Fp127(0x3bee1341f3173cad15cf8f5b1b604139), Fp127(0x0)), Fp2(Fp127(0xdbffe8be28291af6ea11a9cbf6676ef), Fp127(0x0)), Fp2(Fp127(0x7c0828cfadb6009b808204ce997c218), Fp127(0x0))] [INFO] [stdout] Computed sum from polynomial_evals: Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Prover Round 0: [INFO] [stdout] Current evaluations length: 32 [INFO] [stdout] g_0(0): Fp2(Fp127(0x4bd2c8097d4de5a39340564667ec1491), Fp127(0x0)) [INFO] [stdout] g_0(1): Fp2(Fp127(0x64a71ba2b3147fb8770d8b05aaa11bdc), Fp127(0x0)) [INFO] [stdout] g_0(0) + g_0(1): Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] Challenge: Fp2(Fp127(0x81099315d359b4ecfc46bb4fdf8de05), Fp127(0x6ac75b61618fe45451d360caddfce681)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Prover Round 1: [INFO] [stdout] Current evaluations length: 16 [INFO] [stdout] g_1(0): Fp2(Fp127(0x5ac07c444504272f83f16212ead82512), Fp127(0x713b79d78d300819e057a640d1f32e27)) [INFO] [stdout] g_1(1): Fp2(Fp127(0x7511ba5c78c2673540819c369f584b40), Fp127(0x46843773acc4ba3b6eea03e2a66f9743)) [INFO] [stdout] g_1(0) + g_1(1): Fp2(Fp127(0x4fd236a0bdc68e64c472fe498a307053), Fp127(0x37bfb14b39f4c2554f41aa237862c56b)) [INFO] [stdout] Challenge: Fp2(Fp127(0x1393b02b2001a4465f9cdfb44874f512), Fp127(0x4435004f55f8dce2606a5901c09a0962)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Prover Round 2: [INFO] [stdout] Current evaluations length: 8 [INFO] [stdout] g_2(0): Fp2(Fp127(0x2407409eded2f50017655da9d6b89a1e), Fp127(0x317abb2e7e9109387922fc002078a547)) [INFO] [stdout] g_2(1): Fp2(Fp127(0x4a3b93d2dfc03810ccfed36134dff046), Fp127(0x4e9378a721c0cdc7e2f3192d1cbb0208)) [INFO] [stdout] g_2(0) + g_2(1): Fp2(Fp127(0x6e42d471be932d10e464310b0b988a64), Fp127(0xe33d5a051d7005c16152d3d33a750)) [INFO] [stdout] Challenge: Fp2(Fp127(0x4879cd607727923ce0f75b9ba0c1181d), Fp127(0x5704308de6eae8af62ad9edb604e2038)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Prover Round 3: [INFO] [stdout] Current evaluations length: 4 [INFO] [stdout] g_3(0): Fp2(Fp127(0x46bdb6fd47cd7944202a8eabc4162e44), Fp127(0x1f701698497e5d255775e5afef579105)) [INFO] [stdout] g_3(1): Fp2(Fp127(0x74f4a8b68eb72710999f8be9572d4d51), Fp127(0x261a1eabe15e8491d447d6c6ed8e0b0d)) [INFO] [stdout] g_3(0) + g_3(1): Fp2(Fp127(0x3bb25fb3d684a054b9ca1a951b437b96), Fp127(0x458a35442adce1b72bbdbc76dce59c12)) [INFO] [stdout] Challenge: Fp2(Fp127(0x737f2c431bfe36174750114f817df393), Fp127(0x6d6e093f017edcbe731528539c26dc9e)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Prover Round 4: [INFO] [stdout] Current evaluations length: 2 [INFO] [stdout] g_4(0): Fp2(Fp127(0x27f29961302c28733e5762cd2b063dea), Fp127(0x5f7db59e647be303664d4ceb4ee07f06)) [INFO] [stdout] g_4(1): Fp2(Fp127(0x1d2bd8ec20ac3869009650309b5e81df), Fp127(0x6109a0a25933f80d9176ec2e35221c26)) [INFO] [stdout] g_4(0) + g_4(1): Fp2(Fp127(0x451e724d50d860dc3eedb2fdc664bfc9), Fp127(0x40875640bdafdb10f7c4391984029b2d)) [INFO] [stdout] Challenge: Fp2(Fp127(0x7c9d1a40a5c806840951c6023cd70370), Fp127(0x43e5aac3152b38d9269aaacadd1bcf3b)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation: Fp2(Fp127(0x47b612a83fef2cd5ea9a1f38523ec3d4), Fp127(0x91a4dfa63c38ac612d1520e2b4860c5)) [INFO] [stdout] Generated 5 round polynomials [INFO] [stdout] ✓ Generated πUS with claimed_sum: Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 5: LOQUAT SIGN PART II ================== [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ = H₃(σ₃, h₂) computed [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ = H₄(σ₄, h₃) computed [INFO] [stdout] ✓ f^(0) evaluations computed over U [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 6: LOQUAT SIGN PART III (LDT) ================== [INFO] [stdout] ✓ LDT codeword length: 512 (evaluations of f^(0) over U) [INFO] [stdout] [INFO] [stdout] --- FINAL SIGNATURE ASSEMBLY --- [INFO] [stdout] ✓ σ = {root_c, root_s, root_h, T_{i,j}, o_{i,j}, πUS, πLDT} assembled [INFO] [stdout] ================== ALGORITHMS 4-6 COMPLETE ================== [INFO] [stdout] [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: LOQUAT VERIFY ================== [INFO] [stdout] INPUT: Signature σ, public key pk, message M [INFO] [stdout] ✓ Message commitment verified [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) recomputed [INFO] [stdout] ✓ Expanded h₁ to regenerate I_{i,j} indices [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) recomputed [INFO] [stdout] ✓ Expanded h₂ to regenerate λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: STEP 3 - CHECKING PROOFS ================== [INFO] [stdout] [INFO] [stdout] --- Step 3.1: Legendre PRF Constraint Verification --- [INFO] [stdout] ✗ FAILED: Legendre PRF check failed at [0][3] [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: LOQUAT VERIFY ================== [INFO] [stdout] INPUT: Signature σ, public key pk, message M [INFO] [stdout] ✓ Message commitment verified [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) recomputed [INFO] [stdout] ✓ Expanded h₁ to regenerate I_{i,j} indices [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) recomputed [INFO] [stdout] ✓ Expanded h₂ to regenerate λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: STEP 3 - CHECKING PROOFS ================== [INFO] [stdout] [INFO] [stdout] --- Step 3.1: Legendre PRF Constraint Verification --- [INFO] [stdout] ✓ All Legendre PRF checks passed [INFO] [stdout] ✓ μ value verified [INFO] [stdout] ✓ Π rows verified [INFO] [stdout] ✓ f^(0) evaluations verified [INFO] [stdout] [INFO] [stdout] --- Step 3.2: Univariate Sumcheck Verification --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK VERIFICATION DETAILS --- [INFO] [stdout] Number of variables: 5 [INFO] [stdout] Proof round polynomials: 5 [INFO] [stdout] Proof claimed sum: Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306f), Fp127(0x0)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x47b612a83fef2cd5ea9a1f38523ec3d4), Fp127(0x91a4dfa63c38ac612d1520e2b4860c5)) [INFO] [stdout] Following Univariate Sumcheck protocol from rules.mdc [INFO] [stdout] ✓ Claimed sum added to transcript [INFO] [stdout] Starting verification with claimed sum: Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306f), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Round 0: [INFO] [stdout] p(0): Fp2(Fp127(0x4bd2c8097d4de5a39340564667ec1491), Fp127(0x0)) [INFO] [stdout] p(1): Fp2(Fp127(0x64a71ba2b3147fb8770d8b05aaa11bdc), Fp127(0x0)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306f), Fp127(0x0)) [INFO] [stdout] ✗ SUMCHECK FAILED at round 0: Sum constraint violation [INFO] [stdout] p(0) + p(1) = Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306e), Fp127(0x0)) [INFO] [stdout] Expected: Fp2(Fp127(0x3079e3ac3062655c0a4de14c128d306f), Fp127(0x0)) [INFO] [stdout] ✗ SUMCHECK FAILED [INFO] [stdout] [INFO] [stdout] ================== ALGORITHMS 4-6: LOQUAT SIGN ================== [INFO] [stdout] INPUT: Public parameter L-pp, secret key sk, message M [INFO] [stdout] Following Algorithms 4, 5, 6 specification from rules.mdc [INFO] [stdout] Message length: 14 bytes [INFO] [stdout] Public key length: 256 field elements [INFO] [stdout] Parameters: m=16, n=4, L=256, B=64, κ=80 [INFO] [stdout] ✓ Message commitment computed: 32 bytes [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 4: LOQUAT SIGN PART I ================== [INFO] [stdout] [INFO] [stdout] --- PHASE 1: Commit to secret key and randomness --- [INFO] [stdout] Following Algorithm 4, Phase 1 specification [INFO] [stdout] [INFO] [stdout] --- Step 1.1: Computing T values (Legendre PRF outputs) --- [INFO] [stdout] ✓ Generated vanishing polynomial values Z_H(x) over U [INFO] [stdout] ✓ Sampling randomness matrix r_{j,i} and constructing masked polynomials [INFO] [stdout] ✓ Generated randomness matrix r_{j,i} for j ∈ [4], i ∈ [16] [INFO] [stdout] ✓ Masked commitments prepared for Merkle binding over U [INFO] [stdout] ✓ Computed masked evaluations ĉ'_j|_U for all j ∈ [n] [INFO] [stdout] [INFO] [stdout] --- Step 1.4: Merkle commitment to c'_j evaluations over U --- [INFO] [stdout] ✓ Merkle tree created with 512 leaves for |U| = 512 [INFO] [stdout] ✓ root_c committed to transcript [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 2: Compute residuosity symbols --- [INFO] [stdout] Following Algorithm 4, Phase 2 specification [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) computed [INFO] [stdout] ✓ Expanded h₁ to get I_{i,j} indices: 64 total [INFO] [stdout] [INFO] [stdout] --- Step 2.1: Computing o_{i,j} values --- [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 3: Compute witness vector for univariate sumcheck --- [INFO] [stdout] Following Algorithm 4, Phase 3 specification [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) computed [INFO] [stdout] ✓ Expanded h₂ to get λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Building witness polynomial data --- [INFO] [stdout] ✓ Polynomial evaluations over H sum to μ [INFO] [stdout] ✓ μ = Σ_{j=1}^n ε_j * (Σ_{i=1}^m λ_{i,j} * o_{i,j}) = Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] --- Step 3.4: Executing univariate sumcheck protocol --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK PROOF GENERATION --- [INFO] [stdout] Polynomial evaluations length: 32 [INFO] [stdout] Expected length (2^5): 32 [INFO] [stdout] Claimed sum: Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] First few evaluations: [Fp2(Fp127(0x5d6f01df1e371f6caef4503bea0624f3), Fp127(0x0)), Fp2(Fp127(0x7ef9a48e12729be62557aed84ee6032), Fp127(0x0)), Fp2(Fp127(0x3db0c9d90e6d12d01a9cbbdfc3823a41), Fp127(0x0)), Fp2(Fp127(0x7179924cc728400a358418e76ca5624b), Fp127(0x0)), Fp2(Fp127(0x2fb7c07f64baec968c697c4434b69e45), Fp127(0x0)), Fp2(Fp127(0x24a4ea4b495de56c0311ece097d1997c), Fp127(0x0)), Fp2(Fp127(0x50a86e4192e1f6314cb344ade9a12162), Fp127(0x0)), Fp2(Fp127(0x53544b147afdffb49812e57708206434), Fp127(0x0))] [INFO] [stdout] Computed sum from polynomial_evals: Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Prover Round 0: [INFO] [stdout] Current evaluations length: 32 [INFO] [stdout] g_0(0): Fp2(Fp127(0x4c9b973ccb32fb658b50770ca9c2fa71), Fp127(0x0)) [INFO] [stdout] g_0(1): Fp2(Fp127(0x2e64ef0222ebabda0a47f4992537c15f), Fp127(0x0)) [INFO] [stdout] g_0(0) + g_0(1): Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] Challenge: Fp2(Fp127(0x9109394e53adcbb5caf52b22bf94506), Fp127(0x1153831232f929af18122456a4f8a3ee)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Prover Round 1: [INFO] [stdout] Current evaluations length: 16 [INFO] [stdout] g_1(0): Fp2(Fp127(0x267f50ad42e743ab831eab3cde5ea3ae), Fp127(0x3ee560ca40a6df586de8fd04687ccaae)) [INFO] [stdout] g_1(1): Fp2(Fp127(0x21c9644bde073574a1fed96df78f9324), Fp127(0x4a9ff9e7e1c01ef13f11987f7e8da171)) [INFO] [stdout] g_1(0) + g_1(1): Fp2(Fp127(0x4848b4f920ee7920251d84aad5ee36d2), Fp127(0x9855ab22266fe49acfa9583e70a6c20)) [INFO] [stdout] Challenge: Fp2(Fp127(0x7b495d96591d665275837509fe8509ce), Fp127(0x104ad804271e0cb459c2c12c65d7ac7b)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Prover Round 2: [INFO] [stdout] Current evaluations length: 8 [INFO] [stdout] g_2(0): Fp2(Fp127(0x4a5dd2e3840803ef86ac9b38a6a8db5c), Fp127(0x304c7ef6b2c0a8be8bf184323e2e8f50)) [INFO] [stdout] g_2(1): Fp2(Fp127(0x3ee81fc0d5a8b6113148230e3154b4cf), Fp127(0x845d80f60817b3b0b0974934d392a28)) [INFO] [stdout] g_2(0) + g_2(1): Fp2(Fp127(0x945f2a459b0ba00b7f4be46d7fd902c), Fp127(0x38925706134223f996faf8c58b67b978)) [INFO] [stdout] Challenge: Fp2(Fp127(0x3f0e6e980338216be9cfb212a80ed66a), Fp127(0x74f95241afbc68a7574ba5bfa2106320)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Prover Round 3: [INFO] [stdout] Current evaluations length: 4 [INFO] [stdout] g_3(0): Fp2(Fp127(0xc2ede9a46051de3192940012ae58b88), Fp127(0x4a9a77410c6b73745081c846ca29697e)) [INFO] [stdout] g_3(1): Fp2(Fp127(0x55d9e3e9ed103b6445cfd35856b8fd70), Fp127(0x2359095f0e5178a4c66d531ab638c019)) [INFO] [stdout] g_3(0) + g_3(1): Fp2(Fp127(0x6208c284331559475ef91359819e88f8), Fp127(0x6df380a01abcec1916ef1b6180622997)) [INFO] [stdout] Challenge: Fp2(Fp127(0x241e3613a4815c370ea662d91ee9a10c), Fp127(0x77b14a91ed749dffb0e325d670d8b2f2)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Prover Round 4: [INFO] [stdout] Current evaluations length: 2 [INFO] [stdout] g_4(0): Fp2(Fp127(0x21881d445102808b10844bb315603908), Fp127(0xb313ad2f4e3c9e4da939954143d322d)) [INFO] [stdout] g_4(1): Fp2(Fp127(0x19e0c8ce5bfb133f9da2c9f0f4ab9cea), Fp127(0x4f6642af353b79ded44b39bcd546cbe6)) [INFO] [stdout] g_4(0) + g_4(1): Fp2(Fp127(0x3b68e612acfd93caae2715a40a0bd5f2), Fp127(0x5a977d822a1f43c3aeded310e983fe13)) [INFO] [stdout] Challenge: Fp2(Fp127(0x5b60baefb102a659e329340ede4cc9e8), Fp127(0xd5df41ce70a07ea579dc5c2856047ce)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation: Fp2(Fp127(0x4a0da734813b24b71161e98927691e8b), Fp127(0x63cbd08bc54c61c0e98772bd7354ae01)) [INFO] [stdout] Generated 5 round polynomials [INFO] [stdout] ✓ Generated πUS with claimed_sum: Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 5: LOQUAT SIGN PART II ================== [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ = H₃(σ₃, h₂) computed [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ = H₄(σ₄, h₃) computed [INFO] [stdout] ✓ f^(0) evaluations computed over U [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 6: LOQUAT SIGN PART III (LDT) ================== [INFO] [stdout] ✓ LDT codeword length: 512 (evaluations of f^(0) over U) [INFO] [stdout] [INFO] [stdout] --- FINAL SIGNATURE ASSEMBLY --- [INFO] [stdout] ✓ σ = {root_c, root_s, root_h, T_{i,j}, o_{i,j}, πUS, πLDT} assembled [INFO] [stdout] ================== ALGORITHMS 4-6 COMPLETE ================== [INFO] [stdout] [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: LOQUAT VERIFY ================== [INFO] [stdout] INPUT: Signature σ, public key pk, message M [INFO] [stdout] ✓ Message commitment verified [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) recomputed [INFO] [stdout] ✓ Expanded h₁ to regenerate I_{i,j} indices [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) recomputed [INFO] [stdout] ✓ Expanded h₂ to regenerate λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: STEP 3 - CHECKING PROOFS ================== [INFO] [stdout] [INFO] [stdout] --- Step 3.1: Legendre PRF Constraint Verification --- [INFO] [stdout] ✓ All Legendre PRF checks passed [INFO] [stdout] ✓ μ value verified [INFO] [stdout] ✓ Π rows verified [INFO] [stdout] ✓ f^(0) evaluations verified [INFO] [stdout] [INFO] [stdout] --- Step 3.2: Univariate Sumcheck Verification --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK VERIFICATION DETAILS --- [INFO] [stdout] Number of variables: 5 [INFO] [stdout] Proof round polynomials: 5 [INFO] [stdout] Proof claimed sum: Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x4a0da734813b24b71161e98927691e8b), Fp127(0x63cbd08bc54c61c0e98772bd7354ae01)) [INFO] [stdout] Following Univariate Sumcheck protocol from rules.mdc [INFO] [stdout] ✓ Claimed sum added to transcript [INFO] [stdout] Starting verification with claimed sum: Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Round 0: [INFO] [stdout] p(0): Fp2(Fp127(0x4c9b973ccb32fb658b50770ca9c2fa71), Fp127(0x0)) [INFO] [stdout] p(1): Fp2(Fp127(0x2e64ef0222ebabda0a47f4992537c15f), Fp127(0x0)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x7b00863eee1ea73f95986ba5cefabbd0), Fp127(0x0)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x9109394e53adcbb5caf52b22bf94506), Fp127(0x1153831232f929af18122456a4f8a3ee)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x4848b4f920ee7920251d84aad5ee36d2), Fp127(0x9855ab22266fe49acfa9583e70a6c20)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Round 1: [INFO] [stdout] p(0): Fp2(Fp127(0x267f50ad42e743ab831eab3cde5ea3ae), Fp127(0x3ee560ca40a6df586de8fd04687ccaae)) [INFO] [stdout] p(1): Fp2(Fp127(0x21c9644bde073574a1fed96df78f9324), Fp127(0x4a9ff9e7e1c01ef13f11987f7e8da171)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x4848b4f920ee7920251d84aad5ee36d2), Fp127(0x9855ab22266fe49acfa9583e70a6c20)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x4848b4f920ee7920251d84aad5ee36d2), Fp127(0x9855ab22266fe49acfa9583e70a6c20)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x7b495d96591d665275837509fe8509ce), Fp127(0x104ad804271e0cb459c2c12c65d7ac7b)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x945f2a459b0ba00b7f4be46d7fd902c), Fp127(0x38925706134223f996faf8c58b67b978)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Round 2: [INFO] [stdout] p(0): Fp2(Fp127(0x4a5dd2e3840803ef86ac9b38a6a8db5c), Fp127(0x304c7ef6b2c0a8be8bf184323e2e8f50)) [INFO] [stdout] p(1): Fp2(Fp127(0x3ee81fc0d5a8b6113148230e3154b4cf), Fp127(0x845d80f60817b3b0b0974934d392a28)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x945f2a459b0ba00b7f4be46d7fd902c), Fp127(0x38925706134223f996faf8c58b67b978)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x945f2a459b0ba00b7f4be46d7fd902c), Fp127(0x38925706134223f996faf8c58b67b978)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x3f0e6e980338216be9cfb212a80ed66a), Fp127(0x74f95241afbc68a7574ba5bfa2106320)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x6208c284331559475ef91359819e88f8), Fp127(0x6df380a01abcec1916ef1b6180622997)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Round 3: [INFO] [stdout] p(0): Fp2(Fp127(0xc2ede9a46051de3192940012ae58b88), Fp127(0x4a9a77410c6b73745081c846ca29697e)) [INFO] [stdout] p(1): Fp2(Fp127(0x55d9e3e9ed103b6445cfd35856b8fd70), Fp127(0x2359095f0e5178a4c66d531ab638c019)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x6208c284331559475ef91359819e88f8), Fp127(0x6df380a01abcec1916ef1b6180622997)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x6208c284331559475ef91359819e88f8), Fp127(0x6df380a01abcec1916ef1b6180622997)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x241e3613a4815c370ea662d91ee9a10c), Fp127(0x77b14a91ed749dffb0e325d670d8b2f2)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x3b68e612acfd93caae2715a40a0bd5f2), Fp127(0x5a977d822a1f43c3aeded310e983fe13)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Round 4: [INFO] [stdout] p(0): Fp2(Fp127(0x21881d445102808b10844bb315603908), Fp127(0xb313ad2f4e3c9e4da939954143d322d)) [INFO] [stdout] p(1): Fp2(Fp127(0x19e0c8ce5bfb133f9da2c9f0f4ab9cea), Fp127(0x4f6642af353b79ded44b39bcd546cbe6)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x3b68e612acfd93caae2715a40a0bd5f2), Fp127(0x5a977d822a1f43c3aeded310e983fe13)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x3b68e612acfd93caae2715a40a0bd5f2), Fp127(0x5a977d822a1f43c3aeded310e983fe13)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x5b60baefb102a659e329340ede4cc9e8), Fp127(0xd5df41ce70a07ea579dc5c2856047ce)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x4a0da734813b24b71161e98927691e8b), Fp127(0x63cbd08bc54c61c0e98772bd7354ae01)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation check: [INFO] [stdout] Computed final value: Fp2(Fp127(0x4a0da734813b24b71161e98927691e8b), Fp127(0x63cbd08bc54c61c0e98772bd7354ae01)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x4a0da734813b24b71161e98927691e8b), Fp127(0x63cbd08bc54c61c0e98772bd7354ae01)) [INFO] [stdout] Match: true [INFO] [stdout] ✓ SUMCHECK VERIFICATION COMPLETE: All rounds passed [INFO] [stdout] ✓ SUMCHECK PASSED [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ challenge verified [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ challenge verified [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Low-Degree Test Verification --- [INFO] [stdout] --- ALGORITHM 7: LDT VERIFICATION (Steps 4-6) --- [INFO] [stdout] Following rules.mdc: 'Verify LDT and Sumcheck Consistency at Query Points' [INFO] [stdout] ✓ LDT structure verification: 5 commitments, 80 openings [INFO] [stdout] ✓ Re-derived 4 FRI folding challenges [INFO] [stdout] ✗ FRI commitment mismatch at layer 1 [INFO] [stdout] ✗ LDT FAILED [INFO] [stdout] [INFO] [stdout] ================== ALGORITHMS 4-6: LOQUAT SIGN ================== [INFO] [stdout] INPUT: Public parameter L-pp, secret key sk, message M [INFO] [stdout] Following Algorithms 4, 5, 6 specification from rules.mdc [INFO] [stdout] Message length: 14 bytes [INFO] [stdout] Public key length: 256 field elements [INFO] [stdout] Parameters: m=16, n=4, L=256, B=64, κ=80 [INFO] [stdout] ✓ Message commitment computed: 32 bytes [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 4: LOQUAT SIGN PART I ================== [INFO] [stdout] [INFO] [stdout] --- PHASE 1: Commit to secret key and randomness --- [INFO] [stdout] Following Algorithm 4, Phase 1 specification [INFO] [stdout] [INFO] [stdout] --- Step 1.1: Computing T values (Legendre PRF outputs) --- [INFO] [stdout] ✓ Generated vanishing polynomial values Z_H(x) over U [INFO] [stdout] ✓ Sampling randomness matrix r_{j,i} and constructing masked polynomials [INFO] [stdout] ✓ Generated randomness matrix r_{j,i} for j ∈ [4], i ∈ [16] [INFO] [stdout] ✓ Masked commitments prepared for Merkle binding over U [INFO] [stdout] ✓ Computed masked evaluations ĉ'_j|_U for all j ∈ [n] [INFO] [stdout] [INFO] [stdout] --- Step 1.4: Merkle commitment to c'_j evaluations over U --- [INFO] [stdout] ✓ Merkle tree created with 512 leaves for |U| = 512 [INFO] [stdout] ✓ root_c committed to transcript [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 2: Compute residuosity symbols --- [INFO] [stdout] Following Algorithm 4, Phase 2 specification [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) computed [INFO] [stdout] ✓ Expanded h₁ to get I_{i,j} indices: 64 total [INFO] [stdout] [INFO] [stdout] --- Step 2.1: Computing o_{i,j} values --- [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 3: Compute witness vector for univariate sumcheck --- [INFO] [stdout] Following Algorithm 4, Phase 3 specification [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) computed [INFO] [stdout] ✓ Expanded h₂ to get λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Building witness polynomial data --- [INFO] [stdout] ✓ Polynomial evaluations over H sum to μ [INFO] [stdout] ✓ μ = Σ_{j=1}^n ε_j * (Σ_{i=1}^m λ_{i,j} * o_{i,j}) = Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] --- Step 3.4: Executing univariate sumcheck protocol --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK PROOF GENERATION --- [INFO] [stdout] Polynomial evaluations length: 32 [INFO] [stdout] Expected length (2^5): 32 [INFO] [stdout] Claimed sum: Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] First few evaluations: [Fp2(Fp127(0xa8b549d7deb6cffead8fe4035b86334), Fp127(0x0)), Fp2(Fp127(0x6e865cfe30fd3efbaffc44a3413628b4), Fp127(0x0)), Fp2(Fp127(0xb71c851db7189801167f10540d2d2f2), Fp127(0x0)), Fp2(Fp127(0x5573f0c90300b8ac5313fb4f072c0752), Fp127(0x0)), Fp2(Fp127(0x479bc022186a4432e28bd25ec1335010), Fp127(0x0)), Fp2(Fp127(0x795334c18c08aa73d793aac9a974d793), Fp127(0x0)), Fp2(Fp127(0x464d1a3719a8f7e2836e44599f67b0c8), Fp127(0x0)), Fp2(Fp127(0x796c4f28c92d3dac48fb768d8fdaaad5), Fp127(0x0))] [INFO] [stdout] Computed sum from polynomial_evals: Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Prover Round 0: [INFO] [stdout] Current evaluations length: 32 [INFO] [stdout] g_0(0): Fp2(Fp127(0x319c0af0b92f3c57eec3bc62802b439a), Fp127(0x0)) [INFO] [stdout] g_0(1): Fp2(Fp127(0x1e4cc1ae54069ee54815cf55f86ec948), Fp127(0x0)) [INFO] [stdout] g_0(0) + g_0(1): Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] Challenge: Fp2(Fp127(0x689613c1d5af7fc249740f01dfe0ae16), Fp127(0x62d70418ac8ee8d4f0ece193b682f8b8)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Prover Round 1: [INFO] [stdout] Current evaluations length: 16 [INFO] [stdout] g_1(0): Fp2(Fp127(0x12d11be648fab1ca4472231927cd8864), Fp127(0x89b4722f5694f78cc3fc74f85f674cc)) [INFO] [stdout] g_1(1): Fp2(Fp127(0x63345594a8022c13918ce3b2822515d8), Fp127(0xcc722fe6d8cac1297255c925c2dd994)) [INFO] [stdout] g_1(0) + g_1(1): Fp2(Fp127(0x7605717af0fcddddd5ff06cba9f29e3c), Fp127(0x15626a2162f5fb8b636523e1e2244e60)) [INFO] [stdout] Challenge: Fp2(Fp127(0x5ec139362ef17fda543649b944dabbbb), Fp127(0x75fa463325144fb38fc9a58ce87dd20b)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Prover Round 2: [INFO] [stdout] Current evaluations length: 8 [INFO] [stdout] g_2(0): Fp2(Fp127(0x4ce44eb059c2c990e82797509b052451), Fp127(0xedbe7b5c30a352d339e3229c5aa1dde)) [INFO] [stdout] g_2(1): Fp2(Fp127(0x3e206c6f86001a94379f51a177c5ae2), Fp127(0x2c2ad818c3c39ca37f0f76f3f0352ffc)) [INFO] [stdout] g_2(0) + g_2(1): Fp2(Fp127(0x50c655775222cb3a2ba18c6ab2817f33), Fp127(0x3b06bfce86cdd1d0b2ada91db5df4dda)) [INFO] [stdout] Challenge: Fp2(Fp127(0x78cf4ae12e273c438484bc6c451cecbf), Fp127(0x32e2fff3428768e27e88d977d3a6eb2d)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Prover Round 3: [INFO] [stdout] Current evaluations length: 4 [INFO] [stdout] g_3(0): Fp2(Fp127(0x4feb1eab1d9c8bdddbcb3e358661920c), Fp127(0x22a3d6d06850a6acea7f1486668e2cb8)) [INFO] [stdout] g_3(1): Fp2(Fp127(0x2a95d615deef7363b34d42f87ba8bb07), Fp127(0x7b97b2f254ffcd7e550388d56f98a731)) [INFO] [stdout] g_3(0) + g_3(1): Fp2(Fp127(0x7a80f4c0fc8bff418f18812e020a4d13), Fp127(0x1e3b89c2bd50742b3f829d5bd626d3ea)) [INFO] [stdout] Challenge: Fp2(Fp127(0x4de2d5f87cb141bbcc385d6594fbe8dc), Fp127(0x7f7660d77c8488ae143dfa9f99e6e397)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Prover Round 4: [INFO] [stdout] Current evaluations length: 2 [INFO] [stdout] g_4(0): Fp2(Fp127(0x2ef664c0cb33ea24abdbb90a744c42d1), Fp127(0x2159a9e7e12b49b15d951b0cfde7e17e)) [INFO] [stdout] g_4(1): Fp2(Fp127(0x6893e4479f4fa760c7bbf420716e0c41), Fp127(0x19a3e9aa9ef0be10541eef49069e050e)) [INFO] [stdout] g_4(0) + g_4(1): Fp2(Fp127(0x178a49086a8391857397ad2ae5ba4f13), Fp127(0x3afd9392801c07c1b1b40a560485e68c)) [INFO] [stdout] Challenge: Fp2(Fp127(0x9fa43f623e4bf5865bf8da953569bd5), Fp127(0x787dfdd6e908898164cd04b29310e6c1)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation: Fp2(Fp127(0x3d8b6a7355a64d2bf425c11bfa9abf98), Fp127(0x6bb8ca9c3bff2b4ea59dbe9b6980ee6c)) [INFO] [stdout] Generated 5 round polynomials [INFO] [stdout] ✓ Generated πUS with claimed_sum: Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 5: LOQUAT SIGN PART II ================== [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ = H₃(σ₃, h₂) computed [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ = H₄(σ₄, h₃) computed [INFO] [stdout] ✓ f^(0) evaluations computed over U [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 6: LOQUAT SIGN PART III (LDT) ================== [INFO] [stdout] ✓ LDT codeword length: 512 (evaluations of f^(0) over U) [INFO] [stdout] [INFO] [stdout] --- FINAL SIGNATURE ASSEMBLY --- [INFO] [stdout] ✓ σ = {root_c, root_s, root_h, T_{i,j}, o_{i,j}, πUS, πLDT} assembled [INFO] [stdout] ================== ALGORITHMS 4-6 COMPLETE ================== [INFO] [stdout] [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: LOQUAT VERIFY ================== [INFO] [stdout] INPUT: Signature σ, public key pk, message M [INFO] [stdout] ✓ Message commitment verified [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) recomputed [INFO] [stdout] ✓ Expanded h₁ to regenerate I_{i,j} indices [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) recomputed [INFO] [stdout] ✓ Expanded h₂ to regenerate λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: STEP 3 - CHECKING PROOFS ================== [INFO] [stdout] [INFO] [stdout] --- Step 3.1: Legendre PRF Constraint Verification --- [INFO] [stdout] ✓ All Legendre PRF checks passed [INFO] [stdout] ✓ μ value verified [INFO] [stdout] ✓ Π rows verified [INFO] [stdout] ✓ f^(0) evaluations verified [INFO] [stdout] [INFO] [stdout] --- Step 3.2: Univariate Sumcheck Verification --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK VERIFICATION DETAILS --- [INFO] [stdout] Number of variables: 5 [INFO] [stdout] Proof round polynomials: 5 [INFO] [stdout] Proof claimed sum: Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x3d8b6a7355a64d2bf425c11bfa9abf98), Fp127(0x6bb8ca9c3bff2b4ea59dbe9b6980ee6c)) [INFO] [stdout] Following Univariate Sumcheck protocol from rules.mdc [INFO] [stdout] ✓ Claimed sum added to transcript [INFO] [stdout] Starting verification with claimed sum: Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Round 0: [INFO] [stdout] p(0): Fp2(Fp127(0x319c0af0b92f3c57eec3bc62802b439a), Fp127(0x0)) [INFO] [stdout] p(1): Fp2(Fp127(0x1e4cc1ae54069ee54815cf55f86ec948), Fp127(0x0)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x4fe8cc9f0d35db3d36d98bb8789a0ce2), Fp127(0x0)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x689613c1d5af7fc249740f01dfe0ae16), Fp127(0x62d70418ac8ee8d4f0ece193b682f8b8)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x7605717af0fcddddd5ff06cba9f29e3c), Fp127(0x15626a2162f5fb8b636523e1e2244e60)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Round 1: [INFO] [stdout] p(0): Fp2(Fp127(0x12d11be648fab1ca4472231927cd8864), Fp127(0x89b4722f5694f78cc3fc74f85f674cc)) [INFO] [stdout] p(1): Fp2(Fp127(0x63345594a8022c13918ce3b2822515d8), Fp127(0xcc722fe6d8cac1297255c925c2dd994)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x7605717af0fcddddd5ff06cba9f29e3c), Fp127(0x15626a2162f5fb8b636523e1e2244e60)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x7605717af0fcddddd5ff06cba9f29e3c), Fp127(0x15626a2162f5fb8b636523e1e2244e60)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x5ec139362ef17fda543649b944dabbbb), Fp127(0x75fa463325144fb38fc9a58ce87dd20b)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x50c655775222cb3a2ba18c6ab2817f33), Fp127(0x3b06bfce86cdd1d0b2ada91db5df4dda)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Round 2: [INFO] [stdout] p(0): Fp2(Fp127(0x4ce44eb059c2c990e82797509b052451), Fp127(0xedbe7b5c30a352d339e3229c5aa1dde)) [INFO] [stdout] p(1): Fp2(Fp127(0x3e206c6f86001a94379f51a177c5ae2), Fp127(0x2c2ad818c3c39ca37f0f76f3f0352ffc)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x50c655775222cb3a2ba18c6ab2817f33), Fp127(0x3b06bfce86cdd1d0b2ada91db5df4dda)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x50c655775222cb3a2ba18c6ab2817f33), Fp127(0x3b06bfce86cdd1d0b2ada91db5df4dda)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x78cf4ae12e273c438484bc6c451cecbf), Fp127(0x32e2fff3428768e27e88d977d3a6eb2d)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x7a80f4c0fc8bff418f18812e020a4d13), Fp127(0x1e3b89c2bd50742b3f829d5bd626d3ea)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Round 3: [INFO] [stdout] p(0): Fp2(Fp127(0x4feb1eab1d9c8bdddbcb3e358661920c), Fp127(0x22a3d6d06850a6acea7f1486668e2cb8)) [INFO] [stdout] p(1): Fp2(Fp127(0x2a95d615deef7363b34d42f87ba8bb07), Fp127(0x7b97b2f254ffcd7e550388d56f98a731)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x7a80f4c0fc8bff418f18812e020a4d13), Fp127(0x1e3b89c2bd50742b3f829d5bd626d3ea)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x7a80f4c0fc8bff418f18812e020a4d13), Fp127(0x1e3b89c2bd50742b3f829d5bd626d3ea)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x4de2d5f87cb141bbcc385d6594fbe8dc), Fp127(0x7f7660d77c8488ae143dfa9f99e6e397)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x178a49086a8391857397ad2ae5ba4f13), Fp127(0x3afd9392801c07c1b1b40a560485e68c)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Round 4: [INFO] [stdout] p(0): Fp2(Fp127(0x2ef664c0cb33ea24abdbb90a744c42d1), Fp127(0x2159a9e7e12b49b15d951b0cfde7e17e)) [INFO] [stdout] p(1): Fp2(Fp127(0x6893e4479f4fa760c7bbf420716e0c41), Fp127(0x19a3e9aa9ef0be10541eef49069e050e)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x178a49086a8391857397ad2ae5ba4f13), Fp127(0x3afd9392801c07c1b1b40a560485e68c)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x178a49086a8391857397ad2ae5ba4f13), Fp127(0x3afd9392801c07c1b1b40a560485e68c)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x9fa43f623e4bf5865bf8da953569bd5), Fp127(0x787dfdd6e908898164cd04b29310e6c1)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x3d8b6a7355a64d2bf425c11bfa9abf98), Fp127(0x6bb8ca9c3bff2b4ea59dbe9b6980ee6c)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation check: [INFO] [stdout] Computed final value: Fp2(Fp127(0x3d8b6a7355a64d2bf425c11bfa9abf98), Fp127(0x6bb8ca9c3bff2b4ea59dbe9b6980ee6c)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x3d8b6a7355a64d2bf425c11bfa9abf98), Fp127(0x6bb8ca9c3bff2b4ea59dbe9b6980ee6c)) [INFO] [stdout] Match: true [INFO] [stdout] ✓ SUMCHECK VERIFICATION COMPLETE: All rounds passed [INFO] [stdout] ✓ SUMCHECK PASSED [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ challenge verified [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ challenge verified [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Low-Degree Test Verification --- [INFO] [stdout] --- ALGORITHM 7: LDT VERIFICATION (Steps 4-6) --- [INFO] [stdout] Following rules.mdc: 'Verify LDT and Sumcheck Consistency at Query Points' [INFO] [stdout] ✓ LDT structure verification: 5 commitments, 80 openings [INFO] [stdout] ✓ Re-derived 4 FRI folding challenges [INFO] [stdout] ✗ FRI commitment mismatch at layer 0 [INFO] [stdout] ✗ LDT FAILED [INFO] [stdout] [INFO] [stdout] ================== ALGORITHMS 4-6: LOQUAT SIGN ================== [INFO] [stdout] INPUT: Public parameter L-pp, secret key sk, message M [INFO] [stdout] Following Algorithms 4, 5, 6 specification from rules.mdc [INFO] [stdout] Message length: 14 bytes [INFO] [stdout] Public key length: 256 field elements [INFO] [stdout] Parameters: m=16, n=4, L=256, B=64, κ=80 [INFO] [stdout] ✓ Message commitment computed: 32 bytes [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 4: LOQUAT SIGN PART I ================== [INFO] [stdout] [INFO] [stdout] --- PHASE 1: Commit to secret key and randomness --- [INFO] [stdout] Following Algorithm 4, Phase 1 specification [INFO] [stdout] [INFO] [stdout] --- Step 1.1: Computing T values (Legendre PRF outputs) --- [INFO] [stdout] ✓ Generated vanishing polynomial values Z_H(x) over U [INFO] [stdout] ✓ Sampling randomness matrix r_{j,i} and constructing masked polynomials [INFO] [stdout] ✓ Generated randomness matrix r_{j,i} for j ∈ [4], i ∈ [16] [INFO] [stdout] ✓ Masked commitments prepared for Merkle binding over U [INFO] [stdout] ✓ Computed masked evaluations ĉ'_j|_U for all j ∈ [n] [INFO] [stdout] [INFO] [stdout] --- Step 1.4: Merkle commitment to c'_j evaluations over U --- [INFO] [stdout] ✓ Merkle tree created with 512 leaves for |U| = 512 [INFO] [stdout] ✓ root_c committed to transcript [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 2: Compute residuosity symbols --- [INFO] [stdout] Following Algorithm 4, Phase 2 specification [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) computed [INFO] [stdout] ✓ Expanded h₁ to get I_{i,j} indices: 64 total [INFO] [stdout] [INFO] [stdout] --- Step 2.1: Computing o_{i,j} values --- [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] [INFO] [stdout] --- PHASE 3: Compute witness vector for univariate sumcheck --- [INFO] [stdout] Following Algorithm 4, Phase 3 specification [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) computed [INFO] [stdout] ✓ Expanded h₂ to get λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Building witness polynomial data --- [INFO] [stdout] ✓ Polynomial evaluations over H sum to μ [INFO] [stdout] ✓ μ = Σ_{j=1}^n ε_j * (Σ_{i=1}^m λ_{i,j} * o_{i,j}) = Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] --- Step 3.4: Executing univariate sumcheck protocol --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK PROOF GENERATION --- [INFO] [stdout] Polynomial evaluations length: 32 [INFO] [stdout] Expected length (2^5): 32 [INFO] [stdout] Claimed sum: Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] First few evaluations: [Fp2(Fp127(0x50094d41c8020409dea2faa7d3488eb0), Fp127(0x0)), Fp2(Fp127(0x26db1ddccfd609e216777c9ac898407c), Fp127(0x0)), Fp2(Fp127(0x5e76e4c002d85b09ebf7c9ee05004903), Fp127(0x0)), Fp2(Fp127(0x338df568404fd677551cfaaa837e1229), Fp127(0x0)), Fp2(Fp127(0x3545271ed9b73e0e4a0ee3175e583e9), Fp127(0x0)), Fp2(Fp127(0x392f92b17e2204b5eccc4a0a498e4a7a), Fp127(0x0)), Fp2(Fp127(0x39aec68215fc1b1dba84efacf452af), Fp127(0x0)), Fp2(Fp127(0x7c1343ab1223ea274fbbb155d6abd68c), Fp127(0x0))] [INFO] [stdout] Computed sum from polynomial_evals: Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Prover Round 0: [INFO] [stdout] Current evaluations length: 32 [INFO] [stdout] g_0(0): Fp2(Fp127(0x592a9ed2d8012503f5496216c7a015e5), Fp127(0x0)) [INFO] [stdout] g_0(1): Fp2(Fp127(0x4cffafeec89b77f7025c1140a562c3ba), Fp127(0x0)) [INFO] [stdout] g_0(0) + g_0(1): Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] Challenge: Fp2(Fp127(0x16159e371f38dfb24952a31cc6c057be), Fp127(0x2c754be7fe4e62b95457e9837b7725b5)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Prover Round 1: [INFO] [stdout] Current evaluations length: 16 [INFO] [stdout] g_1(0): Fp2(Fp127(0x73e8013d8a371a73777421b342fa0d64), Fp127(0x303c2595d916b4eff45518243d2b4eaf)) [INFO] [stdout] g_1(1): Fp2(Fp127(0x469aaf5ddc28445db1cccab5166f08e5), Fp127(0x16e2e630fbffd7688cb22a30f16c4437)) [INFO] [stdout] g_1(0) + g_1(1): Fp2(Fp127(0x3a82b09b665f5ed12940ec685969164a), Fp127(0x471f0bc6d5168c58810742552e9792e6)) [INFO] [stdout] Challenge: Fp2(Fp127(0x7178f9d2aa8449920ee556f03bd747dd), Fp127(0x72141d9a4e6f4886fcfb977deea0e1de)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Prover Round 2: [INFO] [stdout] Current evaluations length: 8 [INFO] [stdout] g_2(0): Fp2(Fp127(0x43b6144ae7a6739f83654ae57f8a8ff8), Fp127(0x2e4a04b50e422120afa250804da2fe7c)) [INFO] [stdout] g_2(1): Fp2(Fp127(0x483281ab5470a2dccce70d3dbace1a1b), Fp127(0x6387cd14c6a69ae37c99a9db3938b1f8)) [INFO] [stdout] g_2(0) + g_2(1): Fp2(Fp127(0xbe895f63c17167c504c58233a58aa14), Fp127(0x11d1d1c9d4e8bc042c3bfa5b86dbb075)) [INFO] [stdout] Challenge: Fp2(Fp127(0x74c7653362c61b3fee264a5926d2730c), Fp127(0x27bbf24c60311c75b1d90605d176f240)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Prover Round 3: [INFO] [stdout] Current evaluations length: 4 [INFO] [stdout] g_3(0): Fp2(Fp127(0x2338ddcc2249092ab511a3e11161e3a0), Fp127(0x21631eaa2b73f6892cf23cbb0be8ed21)) [INFO] [stdout] g_3(1): Fp2(Fp127(0x2793f606e5846e8cf10f1fa794759dcf), Fp127(0x758f0448f03aeb4c551f79c4429f2f21)) [INFO] [stdout] g_3(0) + g_3(1): Fp2(Fp127(0x4accd3d307cd77b7a620c388a5d7816f), Fp127(0x16f222f31baee1d58211b67f4e881c43)) [INFO] [stdout] Challenge: Fp2(Fp127(0x76b30063f6acb42273f9b416242fe368), Fp127(0x121c47c662d75ed8a66746ce07d0e93b)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Prover Round 4: [INFO] [stdout] Current evaluations length: 2 [INFO] [stdout] g_4(0): Fp2(Fp127(0x2b9a1904ed73ce182835c60d47b78296), Fp127(0x5825678a75bf4800e4d1561eb2998ef1)) [INFO] [stdout] g_4(1): Fp2(Fp127(0xd61fbb2ccf9d7ade9ce5272a929efc5), Fp127(0x3ebdc2f3733505a2694f32fa169b8b06)) [INFO] [stdout] g_4(0) + g_4(1): Fp2(Fp127(0x38fc14b7ba6da5c61204187ff0e1725b), Fp127(0x16e32a7de8f44da34e208918c93519f8)) [INFO] [stdout] Challenge: Fp2(Fp127(0x4f0c516cc01c25918b98d1ce70ad93ce), Fp127(0x64d806ed905391a6709e9e2909dc0a95)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation: Fp2(Fp127(0x444567c80467b9940429c9abb7168145), Fp127(0x5206cb816432083ebd4990ea79767614)) [INFO] [stdout] Generated 5 round polynomials [INFO] [stdout] ✓ Generated πUS with claimed_sum: Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 5: LOQUAT SIGN PART II ================== [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ = H₃(σ₃, h₂) computed [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ = H₄(σ₄, h₃) computed [INFO] [stdout] ✓ f^(0) evaluations computed over U [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 6: LOQUAT SIGN PART III (LDT) ================== [INFO] [stdout] ✓ LDT codeword length: 512 (evaluations of f^(0) over U) [INFO] [stdout] [INFO] [stdout] --- FINAL SIGNATURE ASSEMBLY --- [INFO] [stdout] ✓ σ = {root_c, root_s, root_h, T_{i,j}, o_{i,j}, πUS, πLDT} assembled [INFO] [stdout] ================== ALGORITHMS 4-6 COMPLETE ================== [INFO] [stdout] [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: LOQUAT VERIFY ================== [INFO] [stdout] INPUT: Signature σ, public key pk, message M [INFO] [stdout] ✓ Message commitment verified [INFO] [stdout] ✓ σ₁ = (root_c, {T_{i,j}}) added to transcript [INFO] [stdout] ✓ h₁ = H₁(σ₁, M) recomputed [INFO] [stdout] ✓ Expanded h₁ to regenerate I_{i,j} indices [INFO] [stdout] ✓ σ₂ = {o_{i,j}} added to transcript [INFO] [stdout] ✓ h₂ = H₂(σ₂, h₁) recomputed [INFO] [stdout] ✓ Expanded h₂ to regenerate λ_{i,j} and ε_j values [INFO] [stdout] [INFO] [stdout] ================== ALGORITHM 7: STEP 3 - CHECKING PROOFS ================== [INFO] [stdout] [INFO] [stdout] --- Step 3.1: Legendre PRF Constraint Verification --- [INFO] [stdout] ✓ All Legendre PRF checks passed [INFO] [stdout] ✓ μ value verified [INFO] [stdout] ✓ Π rows verified [INFO] [stdout] ✓ f^(0) evaluations verified [INFO] [stdout] [INFO] [stdout] --- Step 3.2: Univariate Sumcheck Verification --- [INFO] [stdout] [INFO] [stdout] --- SUMCHECK VERIFICATION DETAILS --- [INFO] [stdout] Number of variables: 5 [INFO] [stdout] Proof round polynomials: 5 [INFO] [stdout] Proof claimed sum: Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x444567c80467b9940429c9abb7168145), Fp127(0x5206cb816432083ebd4990ea79767614)) [INFO] [stdout] Following Univariate Sumcheck protocol from rules.mdc [INFO] [stdout] ✓ Claimed sum added to transcript [INFO] [stdout] Starting verification with claimed sum: Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] [INFO] [stdout] Round 0: [INFO] [stdout] p(0): Fp2(Fp127(0x592a9ed2d8012503f5496216c7a015e5), Fp127(0x0)) [INFO] [stdout] p(1): Fp2(Fp127(0x4cffafeec89b77f7025c1140a562c3ba), Fp127(0x0)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x262a4ec1a09c9cfaf7a573576d02d9a0), Fp127(0x0)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x16159e371f38dfb24952a31cc6c057be), Fp127(0x2c754be7fe4e62b95457e9837b7725b5)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x3a82b09b665f5ed12940ec685969164a), Fp127(0x471f0bc6d5168c58810742552e9792e6)) [INFO] [stdout] Next evaluations length: 16 [INFO] [stdout] [INFO] [stdout] Round 1: [INFO] [stdout] p(0): Fp2(Fp127(0x73e8013d8a371a73777421b342fa0d64), Fp127(0x303c2595d916b4eff45518243d2b4eaf)) [INFO] [stdout] p(1): Fp2(Fp127(0x469aaf5ddc28445db1cccab5166f08e5), Fp127(0x16e2e630fbffd7688cb22a30f16c4437)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x3a82b09b665f5ed12940ec685969164a), Fp127(0x471f0bc6d5168c58810742552e9792e6)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x3a82b09b665f5ed12940ec685969164a), Fp127(0x471f0bc6d5168c58810742552e9792e6)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x7178f9d2aa8449920ee556f03bd747dd), Fp127(0x72141d9a4e6f4886fcfb977deea0e1de)) [INFO] [stdout] p(challenge): Fp2(Fp127(0xbe895f63c17167c504c58233a58aa14), Fp127(0x11d1d1c9d4e8bc042c3bfa5b86dbb075)) [INFO] [stdout] Next evaluations length: 8 [INFO] [stdout] [INFO] [stdout] Round 2: [INFO] [stdout] p(0): Fp2(Fp127(0x43b6144ae7a6739f83654ae57f8a8ff8), Fp127(0x2e4a04b50e422120afa250804da2fe7c)) [INFO] [stdout] p(1): Fp2(Fp127(0x483281ab5470a2dccce70d3dbace1a1b), Fp127(0x6387cd14c6a69ae37c99a9db3938b1f8)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0xbe895f63c17167c504c58233a58aa14), Fp127(0x11d1d1c9d4e8bc042c3bfa5b86dbb075)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0xbe895f63c17167c504c58233a58aa14), Fp127(0x11d1d1c9d4e8bc042c3bfa5b86dbb075)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x74c7653362c61b3fee264a5926d2730c), Fp127(0x27bbf24c60311c75b1d90605d176f240)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x4accd3d307cd77b7a620c388a5d7816f), Fp127(0x16f222f31baee1d58211b67f4e881c43)) [INFO] [stdout] Next evaluations length: 4 [INFO] [stdout] [INFO] [stdout] Round 3: [INFO] [stdout] p(0): Fp2(Fp127(0x2338ddcc2249092ab511a3e11161e3a0), Fp127(0x21631eaa2b73f6892cf23cbb0be8ed21)) [INFO] [stdout] p(1): Fp2(Fp127(0x2793f606e5846e8cf10f1fa794759dcf), Fp127(0x758f0448f03aeb4c551f79c4429f2f21)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x4accd3d307cd77b7a620c388a5d7816f), Fp127(0x16f222f31baee1d58211b67f4e881c43)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x4accd3d307cd77b7a620c388a5d7816f), Fp127(0x16f222f31baee1d58211b67f4e881c43)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x76b30063f6acb42273f9b416242fe368), Fp127(0x121c47c662d75ed8a66746ce07d0e93b)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x38fc14b7ba6da5c61204187ff0e1725b), Fp127(0x16e32a7de8f44da34e208918c93519f8)) [INFO] [stdout] Next evaluations length: 2 [INFO] [stdout] [INFO] [stdout] Round 4: [INFO] [stdout] p(0): Fp2(Fp127(0x2b9a1904ed73ce182835c60d47b78296), Fp127(0x5825678a75bf4800e4d1561eb2998ef1)) [INFO] [stdout] p(1): Fp2(Fp127(0xd61fbb2ccf9d7ade9ce5272a929efc5), Fp127(0x3ebdc2f3733505a2694f32fa169b8b06)) [INFO] [stdout] p(0) + p(1): Fp2(Fp127(0x38fc14b7ba6da5c61204187ff0e1725b), Fp127(0x16e32a7de8f44da34e208918c93519f8)) [INFO] [stdout] Expected sum (last_sum): Fp2(Fp127(0x38fc14b7ba6da5c61204187ff0e1725b), Fp127(0x16e32a7de8f44da34e208918c93519f8)) [INFO] [stdout] ✓ Sum constraint satisfied: p(0) + p(1) = last_sum [INFO] [stdout] Challenge: Fp2(Fp127(0x4f0c516cc01c25918b98d1ce70ad93ce), Fp127(0x64d806ed905391a6709e9e2909dc0a95)) [INFO] [stdout] p(challenge): Fp2(Fp127(0x444567c80467b9940429c9abb7168145), Fp127(0x5206cb816432083ebd4990ea79767614)) [INFO] [stdout] Next evaluations length: 1 [INFO] [stdout] [INFO] [stdout] Final evaluation check: [INFO] [stdout] Computed final value: Fp2(Fp127(0x444567c80467b9940429c9abb7168145), Fp127(0x5206cb816432083ebd4990ea79767614)) [INFO] [stdout] Proof final evaluation: Fp2(Fp127(0x444567c80467b9940429c9abb7168145), Fp127(0x5206cb816432083ebd4990ea79767614)) [INFO] [stdout] Match: true [INFO] [stdout] ✓ SUMCHECK VERIFICATION COMPLETE: All rounds passed [INFO] [stdout] ✓ SUMCHECK PASSED [INFO] [stdout] ✓ σ₃ = (root_s, S) added to transcript [INFO] [stdout] ✓ h₃ challenge verified [INFO] [stdout] ✓ σ₄ = (root_h) added to transcript [INFO] [stdout] ✓ h₄ challenge verified [INFO] [stdout] [INFO] [stdout] --- Step 3.3: Low-Degree Test Verification --- [INFO] [stdout] --- ALGORITHM 7: LDT VERIFICATION (Steps 4-6) --- [INFO] [stdout] Following rules.mdc: 'Verify LDT and Sumcheck Consistency at Query Points' [INFO] [stdout] ✓ LDT structure verification: 5 commitments, 80 openings [INFO] [stdout] ✓ Re-derived 4 FRI folding challenges [INFO] [stdout] [INFO] [stdout] --- Step 4: Verifying κ=80 LDT Query Proofs --- [INFO] [stdout] ✓ LDT Query Verification: 80 queries passed [INFO] [stdout] ✓ LDT VERIFICATION SUCCESSFUL [INFO] [stdout] ✓ LDT PASSED [INFO] [stdout] [INFO] [stdout] --- ALGORITHM 7: FINAL DECISION --- [INFO] [stdout] ✓ VERIFICATION SUCCESSFUL: Signature is valid [INFO] [stdout] [INFO] [stdout] thread 'loquat::tests::integration_tests::test_tampered_signature_components' (55) panicked at src/loquat/tests.rs:170:9: [INFO] [stdout] Signature with tampered Π row folding data should be invalid [INFO] [stdout] stack backtrace: [INFO] [stdout] 0: 0x557c70d09252 - std::backtrace_rs::backtrace::libunwind::trace::h62f3c6bea0fedab3 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/../../backtrace/src/backtrace/libunwind.rs:117:9 [INFO] [stdout] 1: 0x557c70d09252 - std::backtrace_rs::backtrace::trace_unsynchronized::hc41aaca6c0af0bde [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/../../backtrace/src/backtrace/mod.rs:66:14 [INFO] [stdout] 2: 0x557c70d09252 - std::sys::backtrace::_print_fmt::h33ac2b97007106cc [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/backtrace.rs:66:9 [INFO] [stdout] 3: 0x557c70d09252 - ::fmt::h4e0a3aeea0f9c085 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/backtrace.rs:39:26 [INFO] [stdout] 4: 0x557c70d1a4af - core::fmt::rt::Argument::fmt::h1edd6a3e00b22f10 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/fmt/rt.rs:173:76 [INFO] [stdout] 5: 0x557c70d1a4af - core::fmt::write::hecf68a131630c74d [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/fmt/mod.rs:1468:25 [INFO] [stdout] 6: 0x557c70cd67a1 - std::io::default_write_fmt::ha6b238eff7f0ef8a [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/io/mod.rs:639:11 [INFO] [stdout] 7: 0x557c70cd67a1 - std::io::Write::write_fmt::h9846fe3d2a36c1ea [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/io/mod.rs:1954:13 [INFO] [stdout] 8: 0x557c70ce2872 - std::sys::backtrace::BacktraceLock::print::h75160192768e5621 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/backtrace.rs:42:9 [INFO] [stdout] 9: 0x557c70ce73bf - std::panicking::default_hook::{{closure}}::h14d82797cfb1ddcb [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:301:27 [INFO] [stdout] 10: 0x557c70ce7251 - std::panicking::default_hook::h63f9bf8161c5d325 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:325:9 [INFO] [stdout] 11: 0x557c70c5c88e - as core::ops::function::Fn>::call::hb8126f8384f98101 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/boxed.rs:1999:9 [INFO] [stdout] 12: 0x557c70c5c88e - test::test_main_with_exit_callback::{{closure}}::hae96ae0cd2f2ce70 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/test/src/lib.rs:145:21 [INFO] [stdout] 13: 0x557c70ce7a7f - as core::ops::function::Fn>::call::ha703f6686c81d0c6 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/boxed.rs:1999:9 [INFO] [stdout] 14: 0x557c70ce7a7f - std::panicking::panic_with_hook::h3173740e06bd0752 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:842:13 [INFO] [stdout] 15: 0x557c70ce78a6 - std::panicking::panic_handler::{{closure}}::hbac492c61eb56a87 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:700:13 [INFO] [stdout] 16: 0x557c70ce29a9 - std::sys::backtrace::__rust_end_short_backtrace::haa3eac3df9535320 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/backtrace.rs:174:18 [INFO] [stdout] 17: 0x557c70ccaddd - __rustc[de0091b922c53d7e]::rust_begin_unwind [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:698:5 [INFO] [stdout] 18: 0x557c70d21f70 - core::panicking::panic_fmt::h5138da2ef87be35b [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/panicking.rs:75:14 [INFO] [stdout] 19: 0x557c70bf3df2 - vc_pqc::loquat::tests::integration_tests::test_tampered_signature_components::h92161127d1a2b38e [INFO] [stdout] at /opt/rustwide/workdir/src/loquat/tests.rs:170:9 [INFO] [stdout] 20: 0x557c70bf3e97 - vc_pqc::loquat::tests::integration_tests::test_tampered_signature_components::{{closure}}::h14e2b7553c3eab14 [INFO] [stdout] at /opt/rustwide/workdir/src/loquat/tests.rs:137:44 [INFO] [stdout] 21: 0x557c70c14e66 - core::ops::function::FnOnce::call_once::h533e2706cb23029d [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/ops/function.rs:250:5 [INFO] [stdout] 22: 0x557c70c5c66b - core::ops::function::FnOnce::call_once::h8f50ae93d93b62b4 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/ops/function.rs:250:5 [INFO] [stdout] 23: 0x557c70c5c66b - test::__rust_begin_short_backtrace::h447963718d05a644 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/test/src/lib.rs:663:18 [INFO] [stdout] 24: 0x557c70c722a5 - test::run_test_in_process::{{closure}}::hf890ba4755ca86c0 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/test/src/lib.rs:686:74 [INFO] [stdout] 25: 0x557c70c722a5 - as core::ops::function::FnOnce<()>>::call_once::h31e4b2860e583faa [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/panic/unwind_safe.rs:274:9 [INFO] [stdout] 26: 0x557c70c722a5 - std::panicking::catch_unwind::do_call::hec7cdbbe797e2cab [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:590:40 [INFO] [stdout] 27: 0x557c70c722a5 - std::panicking::catch_unwind::h24d3b93458b5ba67 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:553:19 [INFO] [stdout] 28: 0x557c70c722a5 - std::panic::catch_unwind::h46eeec7cf9c9336c [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panic.rs:359:14 [INFO] [stdout] 29: 0x557c70c722a5 - test::run_test_in_process::h290de6e559006104 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/test/src/lib.rs:686:27 [INFO] [stdout] 30: 0x557c70c722a5 - test::run_test::{{closure}}::h26eeb2c5f7e9a995 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/test/src/lib.rs:607:43 [INFO] [stdout] 31: 0x557c70c48aa4 - test::run_test::{{closure}}::h85af00882daabeaa [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/test/src/lib.rs:637:41 [INFO] [stdout] 32: 0x557c70c48aa4 - std::sys::backtrace::__rust_begin_short_backtrace::h9d9305dda51fa5f2 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/backtrace.rs:158:18 [INFO] [stdout] 33: 0x557c70c4c44a - std::thread::Builder::spawn_unchecked_::{{closure}}::{{closure}}::hc6aada8b43f0527b [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/thread/mod.rs:559:17 [INFO] [stdout] 34: 0x557c70c4c44a - as core::ops::function::FnOnce<()>>::call_once::ha89fe5505c1206f5 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/panic/unwind_safe.rs:274:9 [INFO] [stdout] 35: 0x557c70c4c44a - std::panicking::catch_unwind::do_call::he3e0bef721d99583 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:590:40 [INFO] [stdout] 36: 0x557c70c4c44a - std::panicking::catch_unwind::ha8241964d3d773cd [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panicking.rs:553:19 [INFO] [stdout] 37: 0x557c70c4c44a - std::panic::catch_unwind::ha8554bc7696cae72 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/panic.rs:359:14 [INFO] [stdout] 38: 0x557c70c4c44a - std::thread::Builder::spawn_unchecked_::{{closure}}::he06f1f62b4c90f8d [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/thread/mod.rs:557:30 [INFO] [stdout] 39: 0x557c70c4c44a - core::ops::function::FnOnce::call_once{{vtable.shim}}::ha7fd20ecae19b9b9 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/core/src/ops/function.rs:250:5 [INFO] [stdout] 40: 0x557c70cddb9f - as core::ops::function::FnOnce>::call_once::h43642ed9c40e0ab2 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/alloc/src/boxed.rs:1985:9 [INFO] [stdout] 41: 0x557c70cddb9f - std::sys::thread::unix::Thread::new::thread_start::h38da0f633f090ce2 [INFO] [stdout] at /rustc/f8297e351a40c1439a467bbbb6879088047f50b3/library/std/src/sys/thread/unix.rs:126:17 [INFO] [stdout] 42: 0x76bae5afeaa4 - [INFO] [stdout] 43: 0x76bae5b8ba64 - clone [INFO] [stdout] 44: 0x0 - [INFO] [stdout] [INFO] [stdout] [INFO] [stdout] failures: [INFO] [stdout] loquat::tests::integration_tests::test_tampered_signature_components [INFO] [stdout] [INFO] [stdout] test result: FAILED. 32 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 1.87s [INFO] [stdout] [INFO] running `Command { std: "docker" "inspect" "14f1f7cfa4a471ff1c4627b1c832a213bf24beccde6408b09b126910c4b5339b", kill_on_drop: false }` [INFO] running `Command { std: "docker" "rm" "-f" "14f1f7cfa4a471ff1c4627b1c832a213bf24beccde6408b09b126910c4b5339b", kill_on_drop: false }` [INFO] [stdout] 14f1f7cfa4a471ff1c4627b1c832a213bf24beccde6408b09b126910c4b5339b