From 31f4eee367fc8f6aa3210385aa52c22bceccda61 Mon Sep 17 00:00:00 2001
From: wborgeaud <williamborgeaud@gmail.com>
Date: Thu, 24 Jun 2021 14:11:47 +0200
Subject: [PATCH] Fix bug with shifted `x`

---
 src/field/extension_field/mod.rs | 3 ++-
 src/field/field.rs               | 4 ++++
 src/gates/gate.rs                | 7 +++++++
 src/polynomial/commitment.rs     | 9 +++------
 src/prover.rs                    | 7 ++++---
 src/vars.rs                      | 4 ++--
 6 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/field/extension_field/mod.rs b/src/field/extension_field/mod.rs
index 9caa7dc8..2a176fe9 100644
--- a/src/field/extension_field/mod.rs
+++ b/src/field/extension_field/mod.rs
@@ -1,6 +1,7 @@
-use crate::field::field::Field;
 use std::convert::TryInto;
 
+use crate::field::field::Field;
+
 pub mod algebra;
 pub mod quadratic;
 pub mod quartic;
diff --git a/src/field/field.rs b/src/field/field.rs
index b19f175e..3156d2c3 100644
--- a/src/field/field.rs
+++ b/src/field/field.rs
@@ -266,6 +266,10 @@ pub trait Field:
     fn rand_vec(n: usize) -> Vec<Self> {
         (0..n).map(|_| Self::rand()).collect()
     }
+
+    fn coset_shift() -> Self {
+        Self::MULTIPLICATIVE_GROUP_GENERATOR
+    }
 }
 
 /// An iterator over the powers of a certain base element `b`: `b^0, b^1, b^2, ...`.
diff --git a/src/gates/gate.rs b/src/gates/gate.rs
index 1765191e..cb8decef 100644
--- a/src/gates/gate.rs
+++ b/src/gates/gate.rs
@@ -1,9 +1,16 @@
+use std::borrow::Borrow;
+use std::collections::HashMap;
+use std::fmt::{Debug, Error, Formatter};
 use std::hash::{Hash, Hasher};
+use std::iter::FromIterator;
+use std::ops::Index;
 use std::sync::Arc;
 
 use crate::circuit_builder::CircuitBuilder;
 use crate::field::extension_field::target::ExtensionTarget;
 use crate::field::extension_field::{Extendable, FieldExtension};
+use crate::field::field::Field;
+use crate::gates::gate_tree::Tree;
 use crate::generator::WitnessGenerator;
 use crate::vars::{EvaluationTargets, EvaluationVars, EvaluationVarsBase};
 
diff --git a/src/polynomial/commitment.rs b/src/polynomial/commitment.rs
index e403cd36..aa70fd68 100644
--- a/src/polynomial/commitment.rs
+++ b/src/polynomial/commitment.rs
@@ -92,10 +92,7 @@ impl<F: Field> ListPolynomialCommitment<F> {
             .par_iter()
             .map(|p| {
                 assert_eq!(p.len(), degree, "Polynomial degree invalid.");
-                p.clone()
-                    .lde(rate_bits)
-                    .coset_fft(F::MULTIPLICATIVE_GROUP_GENERATOR)
-                    .values
+                p.clone().lde(rate_bits).coset_fft(F::coset_shift()).values
             })
             .chain(if blinding {
                 // If blinding, salt with two random elements to each leaf vector.
@@ -111,8 +108,8 @@ impl<F: Field> ListPolynomialCommitment<F> {
     pub fn original_values(&self, index: usize) -> Vec<F> {
         self.values.iter().map(|v| v.values[index]).collect()
     }
-    pub fn get_lde_values(&self, mut index: usize) -> &[F] {
-        reverse_bits(index, self.degree_log + self.rate_bits);
+    pub fn get_lde_values(&self, index: usize) -> &[F] {
+        let index = reverse_bits(index, self.degree_log + self.rate_bits);
         let slice = &self.merkle_tree.leaves[index];
         &slice[..slice.len() - if self.blinding { SALT_SIZE } else { 0 }]
     }
diff --git a/src/prover.rs b/src/prover.rs
index cd03f6e7..c0cc3d75 100644
--- a/src/prover.rs
+++ b/src/prover.rs
@@ -238,6 +238,7 @@ fn compute_quotient_polys<'a, F: Extendable<D>, const D: usize>(
         .into_par_iter()
         .enumerate()
         .map(|(i, x)| {
+            let shifted_x = F::coset_shift() * x;
             let i_next = (i + next_step) % lde_size;
             let local_constants = get_at_index(&prover_data.constants_commitment, i);
             let s_sigmas = get_at_index(&prover_data.sigmas_commitment, i);
@@ -254,7 +255,7 @@ fn compute_quotient_polys<'a, F: Extendable<D>, const D: usize>(
             };
             let mut quotient_values = eval_vanishing_poly_base(
                 common_data,
-                x,
+                shifted_x,
                 vars,
                 local_plonk_zs,
                 next_plonk_zs,
@@ -264,7 +265,7 @@ fn compute_quotient_polys<'a, F: Extendable<D>, const D: usize>(
                 alphas,
             );
             // TODO: We can avoid computing the exp.
-            let denominator_inv = x.exp(common_data.degree() as u64).inverse();
+            let denominator_inv = (shifted_x.exp(common_data.degree() as u64) - F::ONE).inverse();
             quotient_values
                 .iter_mut()
                 .for_each(|v| *v *= denominator_inv);
@@ -275,6 +276,6 @@ fn compute_quotient_polys<'a, F: Extendable<D>, const D: usize>(
     transpose(&quotient_values)
         .into_iter()
         .map(PolynomialValues::new)
-        .map(|values| values.coset_ifft(F::MULTIPLICATIVE_GROUP_GENERATOR))
+        .map(|values| values.coset_ifft(F::coset_shift()))
         .collect()
 }
diff --git a/src/vars.rs b/src/vars.rs
index 74f15f23..9815dcce 100644
--- a/src/vars.rs
+++ b/src/vars.rs
@@ -6,13 +6,13 @@ use crate::field::extension_field::target::{ExtensionAlgebraTarget, ExtensionTar
 use crate::field::extension_field::Extendable;
 use crate::field::field::Field;
 
-#[derive(Copy, Clone)]
+#[derive(Debug, Copy, Clone)]
 pub struct EvaluationVars<'a, F: Extendable<D>, const D: usize> {
     pub(crate) local_constants: &'a [F::Extension],
     pub(crate) local_wires: &'a [F::Extension],
 }
 
-#[derive(Copy, Clone)]
+#[derive(Debug, Copy, Clone)]
 pub struct EvaluationVarsBase<'a, F: Field> {
     pub(crate) local_constants: &'a [F],
     pub(crate) local_wires: &'a [F],