Fixes random generation of r and s

aptos-labs · Oct 4, 2024 · 9dfd680 · 9dfd680
1 parent 59c38c1
commit 9dfd680
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/src/groth16.cpp b/src/groth16.cpp
@@ -291,10 +291,10 @@ Prover<Engine>::prove(typename Engine::FrElement* wtns)
  E.fr.copy(r, E.fr.zero());
  E.fr.copy(s, E.fr.zero());
 
- // randombytes_buf((void*)&(r.v[0]), sizeof(r) - 1); // TODO(zi): WHY -1
-
- fill_with_random_bytes(r);
- fill_with_random_bytes(s);
+ // FIlling in the last byte here with a non-zero value causes a small amount of proofs to fail,
+ // possibly due to overflowing the field modulus
+ randombytes_buf((void*)&(r.v[0]), sizeof(r) - 1);
+ randombytes_buf((void*)&(s.v[0]), sizeof(s) - 1);
 
 # ifndef DONT_USE_FUTURES
  pA_future.get();