From 96171410b0e3f0e7a2a73163b177d6759c5f1f82 Mon Sep 17 00:00:00 2001
From: Kevin Jue <kjue235@gmail.com>
Date: Mon, 18 Dec 2023 17:58:56 -0800
Subject: [PATCH] fix for V-SCT-VUL-015

---
 challenger/challenger.go                  |  4 ++--
 goldilocks/base.go                        | 20 +++-----------------
 goldilocks/quadratic_extension.go         | 19 ++++++-------------
 goldilocks/quadratic_extension_algebra.go |  2 +-
 plonk/gates/reducing_gate.go              |  6 +-----
 poseidon/goldilocks.go                    | 12 ++++++------
 6 files changed, 19 insertions(+), 44 deletions(-)

diff --git a/challenger/challenger.go b/challenger/challenger.go
index b61f2a5..4827d8c 100644
--- a/challenger/challenger.go
+++ b/challenger/challenger.go
@@ -15,13 +15,13 @@ type Chip struct {
 	api               frontend.API `gnark:"-"`
 	poseidonChip      *poseidon.GoldilocksChip
 	poseidonBN254Chip *poseidon.BN254Chip
-	spongeState       [poseidon.SPONGE_WIDTH]gl.Variable
+	spongeState       poseidon.GoldilocksState
 	inputBuffer       []gl.Variable
 	outputBuffer      []gl.Variable
 }
 
 func NewChip(api frontend.API) *Chip {
-	var spongeState [poseidon.SPONGE_WIDTH]gl.Variable
+	var spongeState poseidon.GoldilocksState
 	var inputBuffer []gl.Variable
 	var outputBuffer []gl.Variable
 	for i := 0; i < poseidon.SPONGE_WIDTH; i++ {
diff --git a/goldilocks/base.go b/goldilocks/base.go
index 8cc16f9..5c64706 100644
--- a/goldilocks/base.go
+++ b/goldilocks/base.go
@@ -102,12 +102,12 @@ func (p *Chip) AddNoReduce(a Variable, b Variable) Variable {
 
 // Subtracts two field elements such that x + y = z within the Golidlocks field.
 func (p *Chip) Sub(a Variable, b Variable) Variable {
-	return p.MulAdd(b, NewVariable(MODULUS.Uint64()-1), a)
+	return p.MulAdd(b, NegOne(), a)
 }
 
 // Subtracts two field elements such that x + y = z within the Golidlocks field without reducing.
 func (p *Chip) SubNoReduce(a Variable, b Variable) Variable {
-	return NewVariable(p.api.Add(a.Limb, p.api.Mul(b.Limb, MODULUS.Uint64()-1)))
+	return NewVariable(p.api.Add(a.Limb, p.api.Mul(b.Limb, NegOne().Limb)))
 }
 
 // Multiplies two field elements such that x * y = z within the Golidlocks field.
@@ -181,21 +181,7 @@ func (p *Chip) Reduce(x Variable) Variable {
 	// that this computation does not overflow. We use 2^RANGE_CHECK_NB_BITS to reduce the cost of the range check
 	//
 	// In other words, we assume that we at most compute a a dot product with dimension at most RANGE_CHECK_NB_BITS - 128.
-
-	result, err := p.api.Compiler().NewHint(ReduceHint, 2, x.Limb)
-	if err != nil {
-		panic(err)
-	}
-
-	quotient := result[0]
-	p.rangeChecker.Check(quotient, RANGE_CHECK_NB_BITS)
-
-	remainder := NewVariable(result[1])
-	p.RangeCheck(remainder)
-
-	p.api.AssertIsEqual(x.Limb, p.api.Add(p.api.Mul(quotient, MODULUS), remainder.Limb))
-
-	return remainder
+	return p.ReduceWithMaxBits(x, uint64(RANGE_CHECK_NB_BITS))
 }
 
 // Reduces a field element x such that x % MODULUS = y.
diff --git a/goldilocks/quadratic_extension.go b/goldilocks/quadratic_extension.go
index 38e77d3..9b9fecc 100644
--- a/goldilocks/quadratic_extension.go
+++ b/goldilocks/quadratic_extension.go
@@ -58,15 +58,13 @@ func (p *Chip) SubExtensionNoReduce(a, b QuadraticExtensionVariable) QuadraticEx
 // Multiplies quadratic extension variable in the Goldilocks field.
 func (p *Chip) MulExtension(a, b QuadraticExtensionVariable) QuadraticExtensionVariable {
 	product := p.MulExtensionNoReduce(a, b)
-	product[0] = p.Reduce(product[0])
-	product[1] = p.Reduce(product[1])
-	return product
+	return p.ReduceExtension(product)
 }
 
 // Multiplies quadratic extension variable in the Goldilocks field without reducing.
 func (p *Chip) MulExtensionNoReduce(a, b QuadraticExtensionVariable) QuadraticExtensionVariable {
 	c0o0 := p.MulNoReduce(a[0], b[0])
-	c0o1 := p.MulNoReduce(p.MulNoReduce(NewVariable(7), a[1]), b[1])
+	c0o1 := p.MulNoReduce(p.MulNoReduce(NewVariable(W), a[1]), b[1])
 	c0 := p.AddNoReduce(c0o0, c0o1)
 	c1 := p.AddNoReduce(p.MulNoReduce(a[0], b[1]), p.MulNoReduce(a[1], b[0]))
 	return NewQuadraticExtensionVariable(c0, c1)
@@ -77,9 +75,7 @@ func (p *Chip) MulExtensionNoReduce(a, b QuadraticExtensionVariable) QuadraticEx
 func (p *Chip) MulAddExtension(a, b, c QuadraticExtensionVariable) QuadraticExtensionVariable {
 	product := p.MulExtensionNoReduce(a, b)
 	sum := p.AddExtensionNoReduce(product, c)
-	sum[0] = p.Reduce(sum[0])
-	sum[1] = p.Reduce(sum[1])
-	return sum
+	return p.ReduceExtension(sum)
 }
 
 func (p *Chip) MulAddExtensionNoReduce(a, b, c QuadraticExtensionVariable) QuadraticExtensionVariable {
@@ -93,9 +89,7 @@ func (p *Chip) MulAddExtensionNoReduce(a, b, c QuadraticExtensionVariable) Quadr
 func (p *Chip) SubMulExtension(a, b, c QuadraticExtensionVariable) QuadraticExtensionVariable {
 	difference := p.SubExtensionNoReduce(a, b)
 	product := p.MulExtensionNoReduce(difference, c)
-	product[0] = p.Reduce(product[0])
-	product[1] = p.Reduce(product[1])
-	return product
+	return p.ReduceExtension(product)
 }
 
 // Multiplies quadratic extension variable in the Goldilocks field by a scalar.
@@ -127,9 +121,8 @@ func (p *Chip) InnerProductExtension(
 
 // Computes the inverse of a quadratic extension variable in the Goldilocks field.
 func (p *Chip) InverseExtension(a QuadraticExtensionVariable) (QuadraticExtensionVariable, frontend.Variable) {
-	a0IsZero := p.api.IsZero(a[0].Limb)
-	a1IsZero := p.api.IsZero(a[1].Limb)
-	p.api.AssertIsEqual(p.api.Mul(a0IsZero, a1IsZero), frontend.Variable(0))
+	aIsZero := p.IsZero(a)
+	p.api.AssertIsEqual(aIsZero, frontend.Variable(0))
 	aPowRMinus1 := QuadraticExtensionVariable{
 		a[0],
 		p.Mul(a[1], NewVariable(DTH_ROOT)),
diff --git a/goldilocks/quadratic_extension_algebra.go b/goldilocks/quadratic_extension_algebra.go
index 9ce1028..d3d5aa2 100644
--- a/goldilocks/quadratic_extension_algebra.go
+++ b/goldilocks/quadratic_extension_algebra.go
@@ -14,7 +14,7 @@ func NewQuadraticExtensionAlgebraVariable(
 }
 
 func (p QuadraticExtensionVariable) ToQuadraticExtensionAlgebra() QuadraticExtensionAlgebraVariable {
-	return [2]QuadraticExtensionVariable{p, ZeroExtension()}
+	return [D]QuadraticExtensionVariable{p, ZeroExtension()}
 }
 
 func ZeroExtensionAlgebra() QuadraticExtensionAlgebraVariable {
diff --git a/plonk/gates/reducing_gate.go b/plonk/gates/reducing_gate.go
index 2212f2b..56ed7ce 100644
--- a/plonk/gates/reducing_gate.go
+++ b/plonk/gates/reducing_gate.go
@@ -96,11 +96,7 @@ func (g *ReducingGate) EvalUnfiltered(
 	constraints := []gl.QuadraticExtensionVariable{}
 	acc := oldAcc
 	for i := uint64(0); i < g.numCoeffs; i++ {
-		var coeff gl.QuadraticExtensionAlgebraVariable
-		for j := 0; j < gl.D; j++ {
-			coeff[j] = gl.ZeroExtension()
-		}
-		coeff[0] = coeffs[i]
+		coeff := coeffs[i].ToQuadraticExtensionAlgebra()
 		tmp := glApi.MulExtensionAlgebra(acc, alpha)
 		tmp = glApi.AddExtensionAlgebra(tmp, coeff)
 		tmp = glApi.SubExtensionAlgebra(tmp, accs[i])
diff --git a/poseidon/goldilocks.go b/poseidon/goldilocks.go
index 7fd6c34..66e6b96 100644
--- a/poseidon/goldilocks.go
+++ b/poseidon/goldilocks.go
@@ -77,8 +77,8 @@ func (c *GoldilocksChip) HashNoPad(input []gl.Variable) GoldilocksHashOut {
 		inputVars = append(inputVars, c.gl.Reduce(input[i]))
 	}
 
-	outputVars := c.HashNToMNoPad(inputVars, 4)
-	for i := 0; i < 4; i++ {
+	outputVars := c.HashNToMNoPad(inputVars, len(hash))
+	for i := 0; i < len(hash); i++ {
 		hash[i] = outputVars[i]
 	}
 
@@ -118,7 +118,7 @@ func (c *GoldilocksChip) constantLayer(state GoldilocksState, roundCounter *int)
 	for i := 0; i < 12; i++ {
 		if i < SPONGE_WIDTH {
 			roundConstant := ALL_ROUND_CONSTANTS[i+SPONGE_WIDTH*(*roundCounter)]
-			state[i] = c.gl.MulAdd(state[i], gl.NewVariable(1), gl.NewVariable(roundConstant))
+			state[i] = c.gl.Add(state[i], gl.NewVariable(roundConstant))
 		}
 	}
 	return state
@@ -169,7 +169,7 @@ func (c *GoldilocksChip) SBoxLayerExtension(state GoldilocksStateExtension) Gold
 	return state
 }
 
-func (c *GoldilocksChip) mdsRowShf(r int, v [SPONGE_WIDTH]gl.Variable) gl.Variable {
+func (c *GoldilocksChip) mdsRowShf(r int, v GoldilocksState) gl.Variable {
 	res := gl.Zero()
 
 	for i := 0; i < 12; i++ {
@@ -182,7 +182,7 @@ func (c *GoldilocksChip) mdsRowShf(r int, v [SPONGE_WIDTH]gl.Variable) gl.Variab
 	return c.gl.Reduce(res)
 }
 
-func (c *GoldilocksChip) MdsRowShfExtension(r int, v [SPONGE_WIDTH]gl.QuadraticExtensionVariable) gl.QuadraticExtensionVariable {
+func (c *GoldilocksChip) MdsRowShfExtension(r int, v GoldilocksStateExtension) gl.QuadraticExtensionVariable {
 	res := gl.ZeroExtension()
 
 	for i := 0; i < 12; i++ {
@@ -251,7 +251,7 @@ func (c *GoldilocksChip) PartialFirstConstantLayerExtension(state GoldilocksStat
 func (c *GoldilocksChip) mdsPartialLayerInit(state GoldilocksState) GoldilocksState {
 	var result GoldilocksState
 	for i := 0; i < 12; i++ {
-		result[i] = gl.NewVariable(0)
+		result[i] = gl.Zero()
 	}
 
 	result[0] = state[0]