From 50dd6bda1970596f78558e3d4aa705958696e58f Mon Sep 17 00:00:00 2001
From: Al-Kindi-0 <82364884+Al-Kindi-0@users.noreply.github.com>
Date: Mon, 18 Nov 2024 09:16:27 +0100
Subject: [PATCH] fix: skip using the field element containing the proof-of-work (#343)

---
 CHANGELOG.md    | 1 +
 src/rand/rpo.rs | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc22853..562dff6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## 0.11.0 (2024-10-30)
 
 - [BREAKING] Updated Winterfell dependency to v0.10 (#338).
+- Fixed a bug in the implementation of `draw_integers` for `RpoRandomCoin` (#343).
 
 ## 0.11.0 (2024-10-17)
 
diff --git a/src/rand/rpo.rs b/src/rand/rpo.rs
index a6add39..2669592 100644
--- a/src/rand/rpo.rs
+++ b/src/rand/rpo.rs
@@ -145,8 +145,10 @@ impl RandomCoin for RpoRandomCoin {
         self.state[RATE_START] += nonce;
         Rpo256::apply_permutation(&mut self.state);
 
-        // reset the buffer
-        self.current = RATE_START;
+        // reset the buffer and move the next random element pointer to the second rate element.
+        // this is done as the first rate element will be "biased" via the provided `nonce` to
+        // contain some number of leading zeros.
+        self.current = RATE_START + 1;
 
         // determine how many bits are needed to represent valid values in the domain
         let v_mask = (domain_size - 1) as u64;
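Review bot: The new start offset `self.current = RATE_START + 1;` is the whole soundness fix, yet nothing in the patch pins it — a regression to `RATE_START` would compile cleanly and silently reintroduce sampling query positions from the element the prover ground to have leading zeros, which is exactly the bias the commit removes. A unit test that calls `draw_integers` with a nonce satisfying the proof-of-work and asserts the drawn values are the same as those obtained by decoding only `state[RATE_START + 1..]` would make the invariant explicit. The body of `draw_integers` continues past the hunk, so it is not visible here how the buffer is refilled once `current` reaches the end of the rate; presumably that path resets to `RATE_START`, which is fine because only the permutation that absorbs the nonce yields the leading-zero element, but the comment should say so to stop a reader from "fixing" the refill to match: `// only the element produced right after absorbing `nonce` carries the proof-of-work bias; later refills may start at RATE_START.` Consider also replacing the quoted "biased" with the concrete statement that the element has at least `grinding_bits` leading zeros, if that constant is in scope, so the comment is checkable against the verifier-side check.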