fix: use WASM Montgomery constants in coset_generator()#22486
Open
ElusAegis wants to merge 1 commit intoAztecProtocol:nextfrom
Open
fix: use WASM Montgomery constants in coset_generator()#22486ElusAegis wants to merge 1 commit intoAztecProtocol:nextfrom
ElusAegis wants to merge 1 commit intoAztecProtocol:nextfrom
Conversation
The WASM branch of coset_generator() was using native Montgomery form constants (R=2^256) instead of the WASM-specific constants (R=2^261). Every other constant accessor (cube_root_of_unity, get_root_of_unity, r_squared) correctly dispatches to Params::*_wasm_* variants — this was a copy-paste oversight. On WASM, coset_generator() returned field element 0x28d4a230...d2800001 instead of the correct value (5 for BN254 Fr). Added CosetGeneratorUsesCorrectConstants test that independently derives the expected value and catches this on any WASM test run.
ElusAegis
force-pushed
the
fix/coset-generator-wasm-constants
branch
from
bb7197a to
b3a58e1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
coset_generator()infield_declarations.hpphas a preprocessor split for native vs WASM Montgomery form, but both branches use the native constants (Params::coset_generator_0..3). The WASM branch should useParams::coset_generator_wasm_0..3, matching the pattern used by every other constant accessor (cube_root_of_unity,get_root_of_unity,r_squared_uint).This is a copy-paste oversight — the
_wasmconstants exist in all field parameter files and were correctly computed for the WASM Montgomery basis (R=2^261 vs native R=2^256).The bug, numerically
The coset generator is the field element
g = 5. Its Montgomery encodings are:g * R mod p)0x463456c8...8fffffe70x1484c05b...dffffcb2Before this fix, the WASM branch returned the native encoding. Interpreting native constants under the WASM basis gives field element
0x28d4a230...d2800001(≈1.8×10^76) instead of5. The error is exactlyR_native / R_wasm mod p— a silent, mathematically consistent wrong value that would produce invalid proofs.Why it hasn't been noticed
constexprevaluation uses host arithmetic. The primary consumer —tonelli_shanks_sqrt— evaluatescoset_generator().pow(Q)at compile time. Clang'sconstexprevaluator runs host-native code even when cross-compiling to WASM, so#if defined(__SIZEOF_INT128__)takes the native (correct) path. The buggy WASM branch is never exercised at compile time.Honk doesn't use
EvaluationDomain. The modern proving system doesn't touch coset generators at runtime. The only runtime call site is inevaluation_domain.cpp, which is legacy Plonk polynomial arithmetic.Tests run natively. Field tests for
coset_generator()always take the native branch on the host machine.Risk and relevance
If
EvaluationDomainis ever exercised in a WASM build (e.g., client-side Plonk proving), coset FFTs would produce silently wrong results due to incorrect Montgomery encoding. The bug is also fragile — a compiler change toconstexprevaluation behavior could expose it.Practically, this is low-risk today since Honk has replaced Plonk. But it's the sole remaining inconsistency in constant dispatch and should be fixed for correctness.
Changes
Params::coset_generator_0..3withParams::coset_generator_wasm_0..3in the#elsebranch ofcoset_generator()CosetGeneratorUsesCorrectConstantstofield_params_constants.test.cpp— verifiescoset_generator()returns values matching the expected platform constants. Would have caught this on any WASM test run.