fix: use WASM Montgomery constants in coset_generator()

artem-nm · artem-nm · commit b3a58e1b09ae · 2026-04-11T13:37:43.000+01:00
The WASM branch of coset_generator() was using native Montgomery form
constants (R=2^256) instead of the WASM-specific constants (R=2^261).
Every other constant accessor (cube_root_of_unity, get_root_of_unity,
r_squared) correctly dispatches to Params::*_wasm_* variants — this
was a copy-paste oversight.

On WASM, coset_generator() returned field element 0x28d4a230...d2800001
instead of the correct value (5 for BN254 Fr). Added
CosetGeneratorUsesCorrectConstants test that independently derives the
expected value and catches this on any WASM test run.
diff --git a/barretenberg/cpp/src/barretenberg/ecc/curves/field_params_constants.test.cpp b/barretenberg/cpp/src/barretenberg/ecc/curves/field_params_constants.test.cpp
@@ -328,6 +328,46 @@ TYPED_TEST_P(FieldConstantsTest, CosetGeneratorConsistency)
     EXPECT_EQ(expected, static_cast<uint512_t>(coset_generator_wasm));
 }
 
+// Verify coset_generator() returns the correct field element by independently computing
+// Montgomery form from the raw integer value using platform-specific field arithmetic.
+// Before the fix, the WASM branch of coset_generator() used native Montgomery constants
+// (R=2^256) instead of WASM constants (R=2^261). On WASM, Fr(5) computes the WASM-Montgomery
+// encoding via self_to_montgomery_form(), while the buggy coset_generator() returned the
+// native encoding — a completely different field element.
+TYPED_TEST_P(FieldConstantsTest, CosetGeneratorUsesCorrectConstants)
+{
+    using Params = typename TypeParam::Params;
+    using Field = typename TypeParam::Field;
+    Field coset_gen = Field::coset_generator();
+
+    // Recover the raw (non-Montgomery) integer value from the known-correct native constants.
+    // native_encoding = g * R_native mod p, so g = native_encoding * R_native^{-1} mod p.
+    // We compute this via uint512 arithmetic (independent of platform Montgomery machinery).
+    uint256_t mod{ Params::modulus_0, Params::modulus_1, Params::modulus_2, Params::modulus_3 };
+    uint256_t native_encoding{
+        Params::coset_generator_0, Params::coset_generator_1, Params::coset_generator_2, Params::coset_generator_3
+    };
+
+    // R_native = 2^256. Compute R_native^{-1} mod p via Fermat's little theorem: R^{-1} = R^{p-2} mod p.
+    // But for a simpler approach: native_encoding IS g*R mod p, and Field(uint256_t) does self_to_montgomery_form()
+    // which computes input * R mod p. So if we can extract g first, Field(g) gives us the correct platform encoding.
+    //
+    // Approach: use the known relationship wasm = native * 32 mod p (since R_wasm/R_native = 2^5).
+    // On WASM: coset_generator() should return native * 32 mod p as its internal representation.
+    // On native: coset_generator() should return native directly.
+    uint512_t expected_wasm_encoding = (uint512_t(native_encoding) * 32) % mod;
+#if defined(__SIZEOF_INT128__) && !defined(__wasm__)
+    Field expected(
+        Params::coset_generator_0, Params::coset_generator_1, Params::coset_generator_2, Params::coset_generator_3);
+#else
+    Field expected(static_cast<uint64_t>(expected_wasm_encoding.lo.data[0]),
+                   static_cast<uint64_t>(expected_wasm_encoding.lo.data[1]),
+                   static_cast<uint64_t>(expected_wasm_encoding.lo.data[2]),
+                   static_cast<uint64_t>(expected_wasm_encoding.lo.data[3]));
+#endif
+    EXPECT_EQ(coset_gen, expected);
+}
+
 REGISTER_TYPED_TEST_SUITE_P(FieldConstantsTest,
                             Modulus,
                             RSquared,
@@ -341,7 +381,8 @@ REGISTER_TYPED_TEST_SUITE_P(FieldConstantsTest,
                             WasmPowMinus29,
                             WasmCubeRootConsistency,
                             WasmPrimitiveRootConsistency,
-                            CosetGeneratorConsistency);
+                            CosetGeneratorConsistency,
+                            CosetGeneratorUsesCorrectConstants);
 
 using FieldTestTypes = ::testing::Types<Bn254FqTestConfig,
                                         Bn254FrTestConfig,
@@ -351,3 +392,16 @@ using FieldTestTypes = ::testing::Types<Bn254FqTestConfig,
                                         Secp256r1FrTestConfig>;
 
 INSTANTIATE_TYPED_TEST_SUITE_P(AllFields, FieldConstantsTest, FieldTestTypes);
+
+// BN254 Fr-specific test: the coset generator is the field element 5.
+// Fr(5) independently computes 5 → Montgomery form using the platform's arithmetic.
+// coset_generator() returns a precomputed Montgomery encoding.
+// If the precomputed encoding is for the wrong platform, these will differ.
+// Before the fix on WASM: Fr(5) = 5*R_wasm mod p, but coset_generator() = 5*R_native mod p → mismatch.
+TEST(CosetGeneratorBn254, CosetGeneratorMatchesFieldElement)
+{
+    bb::fr coset_gen = bb::fr::coset_generator();
+    bb::fr expected(5);
+    EXPECT_EQ(coset_gen, expected) << "coset_generator() does not equal Fr(5) — "
+                                      "likely using wrong Montgomery basis constants";
+}
diff --git a/barretenberg/cpp/src/barretenberg/ecc/fields/field_declarations.hpp b/barretenberg/cpp/src/barretenberg/ecc/fields/field_declarations.hpp
@@ -289,10 +289,10 @@ template <class Params_> struct alignas(32) field {
         };
 #else
         const field result{
-            Params::coset_generator_0,
-            Params::coset_generator_1,
-            Params::coset_generator_2,
-            Params::coset_generator_3,
+            Params::coset_generator_wasm_0,
+            Params::coset_generator_wasm_1,
+            Params::coset_generator_wasm_2,
+            Params::coset_generator_wasm_3,
         };
 #endif
 
