worldfnd · ocdbytes · Feb 26, 2026 · Feb 28, 2026 · Mar 2, 2026 · Mar 4, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -113,6 +113,7 @@ chrono = "0.4.41"
 divan = "0.1.21"
 hex = "0.4.3"
 itertools = "0.14.0"
+num-bigint = "0.4"
 paste = "1.0.15"
 postcard = { version = "1.1.1", features = ["use-std"] }
 primitive-types = "0.13.1"

diff --git a/noir-examples/embedded_curve_msm/Nargo.toml b/noir-examples/embedded_curve_msm/Nargo.toml
@@ -0,0 +1,7 @@
+[package]
+name = "embedded_curve_msm"
+type = "bin"
+authors = [""]
+compiler_version = ">=0.22.0"
+
+[dependencies]
diff --git a/noir-examples/embedded_curve_msm/Prover.toml b/noir-examples/embedded_curve_msm/Prover.toml
@@ -0,0 +1,9 @@
+# ============================================================
+# MSM test vectors: result = s1 * G + s2 * G
+# Grumpkin curve order n = 21888242871839275222246405745257275088696311157297823662689037894645226208583
+# ============================================================
+# n - 2, n - 3 (previously failing with [2]G offset)
+scalar1_lo = "201385395114098847380338600778089168197"
+scalar1_hi = "64323764613183177041862057485226039389"
+scalar2_lo = "201385395114098847380338600778089168196"
+scalar2_hi = "64323764613183177041862057485226039389"
diff --git a/noir-examples/embedded_curve_msm/Prover_near_identity.toml b/noir-examples/embedded_curve_msm/Prover_near_identity.toml
@@ -0,0 +1,6 @@
+# MSM edge case: n-2 and n-3 (previously failing with [2]G offset)
+# Grumpkin curve order n = 21888242871839275222246405745257275088696311157297823662689037894645226208583
+scalar1_lo = "201385395114098847380338600778089168197"
+scalar1_hi = "64323764613183177041862057485226039389"
+scalar2_lo = "201385395114098847380338600778089168196"
+scalar2_hi = "64323764613183177041862057485226039389"
diff --git a/noir-examples/embedded_curve_msm/Prover_near_order.toml b/noir-examples/embedded_curve_msm/Prover_near_order.toml
@@ -0,0 +1,6 @@
+# MSM edge case: near-max scalars (n-10 and n-20)
+# Grumpkin curve order n = 21888242871839275222246405745257275088696311157297823662689037894645226208583
+scalar1_lo = "201385395114098847380338600778089168189"
+scalar1_hi = "64323764613183177041862057485226039389"
+scalar2_lo = "201385395114098847380338600778089168179"
+scalar2_hi = "64323764613183177041862057485226039389"
diff --git a/noir-examples/embedded_curve_msm/Prover_single_nonzero.toml b/noir-examples/embedded_curve_msm/Prover_single_nonzero.toml
@@ -0,0 +1,5 @@
+# MSM edge case: one zero scalar, one non-zero (0*G + 5*G = 5*G)
+scalar1_lo = "0"
+scalar1_hi = "0"
+scalar2_lo = "5"
+scalar2_hi = "0"
diff --git a/noir-examples/embedded_curve_msm/Prover_zero_scalars.toml b/noir-examples/embedded_curve_msm/Prover_zero_scalars.toml
@@ -0,0 +1,5 @@
+# MSM edge case: all-zero scalars (0*G + 0*G = point at infinity)
+scalar1_lo = "0"
+scalar1_hi = "0"
+scalar2_lo = "0"
+scalar2_hi = "0"
diff --git a/noir-examples/embedded_curve_msm/src/main.nr b/noir-examples/embedded_curve_msm/src/main.nr
@@ -0,0 +1,52 @@
+use std::embedded_curve_ops::{
+    EmbeddedCurvePoint,
+    EmbeddedCurveScalar,
+    multi_scalar_mul,
+};
+
+/// Exercises the MultiScalarMul ACIR blackbox with 2 Grumpkin points.
+/// Computes s1 * G + s2 * G where G is the Grumpkin generator.
+fn main(
+    scalar1_lo: Field,
+    scalar1_hi: Field,
+    scalar2_lo: Field,
+    scalar2_hi: Field,
+) {
+    // Grumpkin generator
+    let g = EmbeddedCurvePoint {
+        x: 1,
+        y: 17631683881184975370165255887551781615748388533673675138860,
+        is_infinite: false,
+    };
+
+    let s1 = EmbeddedCurveScalar { lo: scalar1_lo, hi: scalar1_hi };
+    let s2 = EmbeddedCurveScalar { lo: scalar2_lo, hi: scalar2_hi };
+
+    // MSM: result = s1 * G + s2 * G
+    let result = multi_scalar_mul([g, g], [s1, s2]);
+
+    // Prevent dead-code elimination - forces the blackbox to be retained
+    // Using is_infinite as return value ensures the MSM is computed
+    assert(result.is_infinite == (scalar1_lo + scalar1_hi + scalar2_lo + scalar2_hi == 0));
+}
+
+#[test]
+fn test_msm() {
+    // 3*G on Grumpkin
+    let expected_x = 18660890509582237958343981571981920822503400000196279471655180441138020044621;
+    let expected_y = 8902249110305491597038405103722863701255802573786510474664632793109847672620;
+
+    main(1, 0, 2, 0);
+
+    // Verify by computing independently: 3*G should match
+    let g = EmbeddedCurvePoint {
+        x: 1,
+        y: 17631683881184975370165255887551781615748388533673675138860,
+        is_infinite: false,
+    };
+    let s3 = EmbeddedCurveScalar { lo: 3, hi: 0 };
+    let check = multi_scalar_mul([g], [s3]);
+
+    assert(check.x == expected_x);
+    assert(check.y == expected_y);
+}
diff --git a/noir-examples/native_msm/Nargo.toml b/noir-examples/native_msm/Nargo.toml
@@ -0,0 +1,6 @@
+[package]
+name = "native_msm"
+type = "bin"
+authors = [""]
+
+[dependencies]
diff --git a/noir-examples/native_msm/Prover.toml b/noir-examples/native_msm/Prover.toml
@@ -0,0 +1,5 @@
+# MSM: result = s1 * G + s2 * G = 1*G + 2*G = 3*G
+scalar1_lo = "1"
+scalar1_hi = "0"
+scalar2_lo = "2"
+scalar2_hi = "0"