Assume MULTIPLICATIVE_GROUP_GENERATOR to be small for prime fields

0xPolygonZero · Jul 31, 2023 · 880f39f · 880f39f
1 parent 3293870
commit 880f39f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/field/src/types.rs b/field/src/types.rs
@@ -84,6 +84,9 @@ pub trait Field:
     const CHARACTERISTIC_TWO_ADICITY: usize;
 
     /// Generator of the entire multiplicative group, i.e. all non-zero elements.
+    ///
+    /// **For prime fields, this element is expected to fit in a u32
+    /// when canonically reduced.**
     const MULTIPLICATIVE_GROUP_GENERATOR: Self;
     /// Generator of a multiplicative subgroup of order `2^TWO_ADICITY`.
     const POWER_OF_TWO_GENERATOR: Self;

diff --git a/plonky2/src/plonk/prover.rs b/plonky2/src/plonk/prover.rs
@@ -697,7 +697,9 @@ fn compute_quotient_polys<
             let mut local_wires_batch_refs = Vec::with_capacity(xs_batch.len());
 
             for (&i, &x) in indices_batch.iter().zip(xs_batch) {
-                let shifted_x = F::coset_shift() * x;
+                // F::coset_shift() returns the multiplicative generator,
+                // which fits in a u32 for `RichField`.
+                let shifted_x = x.mul_u32(F::coset_shift().to_noncanonical_u64() as u32);
                 let i_next = (i + next_step) % lde_size;
                 let local_constants_sigmas = prover_data
                     .constants_sigmas_commitment