From 6723388b013c7d5187be720aec50310ce3f45adc Mon Sep 17 00:00:00 2001
From: Marius van der Wijden
Date: Fri, 20 Jun 2025 12:47:48 +0200
Subject: [PATCH] crypto/bn256/gnark: align marshaling behavior (#32065)
Aligns the marshaling behavior of gnark to google and cloudflare
Co-authored-by: kevaundray
---
 crypto/bn256/gnark/g2.go | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/crypto/bn256/gnark/g2.go b/crypto/bn256/gnark/g2.go
index 07452cc2d8..48a797e5a7 100644
--- a/crypto/bn256/gnark/g2.go
+++ b/crypto/bn256/gnark/g2.go
@@ -21,7 +21,7 @@ type G2 struct {
 // Unmarshal deserializes `buf` into `g`
 //
 // The input is expected to be in the EVM format:
-// 128 bytes: [32-byte x.0][32-byte x.1][32-byte y.0][32-byte y.1]
+// 128 bytes: [32-byte x.1][32-byte x.0][32-byte y.1][32-byte y.0]
 // where each value is a big-endian integer.
 //
 // This method also checks whether the point is on the
@@ -39,16 +39,16 @@ func (g *G2) Unmarshal(buf []byte) (int, error) {
 g.inner.Y.A1.SetZero()
 return 128, nil
 }
- if err := g.inner.X.A0.SetBytesCanonical(buf[0:32]); err != nil {
+ if err := g.inner.X.A1.SetBytesCanonical(buf[0:32]); err != nil {
 return 0, err
 }
- if err := g.inner.X.A1.SetBytesCanonical(buf[32:64]); err != nil {
+ if err := g.inner.X.A0.SetBytesCanonical(buf[32:64]); err != nil {
 return 0, err
 }
- if err := g.inner.Y.A0.SetBytesCanonical(buf[64:96]); err != nil {
+ if err := g.inner.Y.A1.SetBytesCanonical(buf[64:96]); err != nil {
 return 0, err
 }
- if err := g.inner.Y.A1.SetBytesCanonical(buf[96:128]); err != nil {
+ if err := g.inner.Y.A0.SetBytesCanonical(buf[96:128]); err != nil {
 return 0, err
 }
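Review bot: Nothing in this commit pins the new byte order: the diffstat lists only g2.go, and a Marshal/Unmarshal round-trip passes under either layout, so a later swap of `X.A0`/`X.A1` (or `Y.A0`/`Y.A1`) in the four `SetBytesCanonical` calls at -39,16 would go unnoticed. A known-answer test that decodes a fixed 128-byte G2 encoding and compares the result with the google and cloudflare packages named in the description would catch it; the same gap applies to the Marshal hunk at -64,22. Unmarshal starts and ends outside this hunk, so the length guard that has to precede `buf[0:32]` through `buf[96:128]` and the on-curve check mentioned in the doc comment are not visible here and are worth confirming against the full file.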
@@ -64,22 +64,22 @@ func (g *G2) Unmarshal(buf []byte) (int, error) { // Marshal serializes the point into a byte slice. // // The output is in EVM format: 128 bytes total. -// [32-byte x.0][32-byte x.1][32-byte y.0][32-byte y.1] +// [32-byte x.1][32-byte x.0][32-byte y.1][32-byte y.0] // where each value is a big-endian integer. func (g *G2) Marshal() []byte { output := make([]byte, 128) - xA0Bytes := g.inner.X.A0.Bytes() - copy(output[:32], xA0Bytes[:]) - xA1Bytes := g.inner.X.A1.Bytes() - copy(output[32:64], xA1Bytes[:]) + copy(output[:32], xA1Bytes[:]) - yA0Bytes := g.inner.Y.A0.Bytes() - copy(output[64:96], yA0Bytes[:]) + xA0Bytes := g.inner.X.A0.Bytes() + copy(output[32:64], xA0Bytes[:]) yA1Bytes := g.inner.Y.A1.Bytes() - copy(output[96:128], yA1Bytes[:]) + copy(output[64:96], yA1Bytes[:]) + + yA0Bytes := g.inner.Y.A0.Bytes() + copy(output[96:128], yA0Bytes[:]) return output }
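Review bot: The layout comment above Marshal names the components only as `x.1` and `x.0`, which does not tell a reader which one is the coefficient of i or why it is written first. I would add one line such as `// x.1 is the coefficient of i (gnark's A1) and precedes the real part x.0 (A0), matching the google and cloudflare packages.` here and on the matching Unmarshal comment at -21,7. Since bytes written by the previous Marshal now decode with the two halves of each coordinate exchanged, any fixtures or fuzz corpora stored in the old layout (if such exist) would need regenerating; a sentence in the commit description saying so would help downstream users of this package.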