Open shuklaayush opened 9 months ago
Shouldn't the Reduce function constrain that both r and d are less than the Order() p instead of just constraining that they're less than 2^64?
Reduce
r
d
Order()
p
2^64
https://github.com/polymerdao/plonky2-circom/blob/806f6a47026c453c547b95c18209b214c8366aba/circom/circuits/goldilocks.circom#L21-L37
Eg. If x is p + 1, then both (d, r) = (1, 1) and (0, p + 1) are valid witnesses with the current code
x
p + 1
(d, r) = (1, 1)
(0, p + 1)
Shouldn't the
Reducefunction constrain that bothranddare less than theOrder()pinstead of just constraining that they're less than2^64?https://github.com/polymerdao/plonky2-circom/blob/806f6a47026c453c547b95c18209b214c8366aba/circom/circuits/goldilocks.circom#L21-L37
Eg. If
xisp + 1, then both(d, r) = (1, 1)and(0, p + 1)are valid witnesses with the current code