Shouldn't the `Reduce` function constrain that both `r` and `d` are less than the `Order()` `p` instead of just constraining that they're less than `2^64`?
```circom
// Gl: Goldilocks
// range check d < 1 << N
template GlReduce(N) {
  signal input x;
  signal output out;

  var r = x % Order();
  var d = (x - r) \ Order();
  out <-- r;
  signal tmp0 <-- d;
  tmp0 * Order() + out === x;

  component c0 = LessNBits(N);
  c0.x <== tmp0;
  component c1 = LessNBits(64);
  c1.x <== out;
}
```
E.g. If `x` is `p + 1`, then both `(d, r) = (1, 1)` and `(0, p + 1)` are valid witnesses with the current code
plonky2-circom/circom/circuits/goldilocks.circom
Lines 21 to 37 in 806f6a4
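The witness ambiguity raised in this issue can be checked with a small Python model of the three constraints. This is an added example, not code from the plonky2-circom repository. It assumes `Order()` returns the Goldilocks prime 2^64 - 2^32 + 1, that `LessNBits(k)` enforces a value below 2^k, and that the circuit is compiled over circom's default BN254 scalar field; the function names are hypothetical.

```python
# Added illustration: a plain-Python model of the GlReduce constraints.
P = 2**64 - 2**32 + 1  # Goldilocks order (assumed return value of Order())
# Assumption: circom's default BN254 scalar field modulus.
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def satisfies(x, d, r, n_bits, canonical=False):
    """Return True if witness (d, r) passes the constraints for input x."""
    ok = (d * P + r) % R == x % R        # tmp0 * Order() + out === x
    ok = ok and 0 <= d < (1 << n_bits)   # LessNBits(N) on tmp0
    ok = ok and 0 <= r < (1 << 64)       # LessNBits(64) on out
    if canonical:
        ok = ok and r < P                # extra check asked for in the issue
    return ok


def witnesses(x, n_bits, canonical=False):
    """List every integer (d, r) accepted for x.

    Only searches d * P + r == x over the integers, which is exhaustive
    as long as 2**(n_bits + 64) stays below R (no field wrap-around).
    """
    found = []
    for d in range(x // P + 1):
        r = x - d * P
        if satisfies(x, d, r, n_bits, canonical):
            found.append((d, r))
    return found


if __name__ == "__main__":
    x = P + 1  # the input used in the issue
    print("64-bit check only :", witnesses(x, 8))
    print("with out < Order():", witnesses(x, 8, canonical=True))
    # Every remainder below 2**64 - P also has a 64-bit alias r + P.
    print("ambiguous remainders:", 2**64 - P)
```

With only the 64-bit range check, any input whose canonical remainder is below 2^64 - p has a second accepted `out` value; adding the `out < Order()` comparison leaves one witness per input.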