From 71a18ca621734cf07517d32a9b28eaf5b8480710 Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Wed, 16 Nov 2022 10:17:12 +0100
Subject: [PATCH] Fix field montgomery_mul_bug on 32-bit/wasm (#1752)
Fixes https://github.com/AztecProtocol/aztec2-internal/issues/1635
---
 src/aztec/ecc/curves/secp256k1/secp256k1.test.cpp | 8 ++++++++
 src/aztec/ecc/curves/secp256r1/secp256r1.test.cpp | 12 ++++++++++++
 src/aztec/ecc/fields/field_impl_generic.hpp | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/aztec/ecc/curves/secp256k1/secp256k1.test.cpp b/src/aztec/ecc/curves/secp256k1/secp256k1.test.cpp
index c05b356f710..6397bc3557c 100644
--- a/src/aztec/ecc/curves/secp256k1/secp256k1.test.cpp
+++ b/src/aztec/ecc/curves/secp256k1/secp256k1.test.cpp
@@ -506,4 +506,12 @@ TEST(secp256k1, neg_and_self_neg_0_cmp_regression)
 EXPECT_EQ((a == a_neg), true);
 }
+TEST(secp256k1, montgomery_mul_big_bug)
+{
+ secp256k1::fq a(uint256_t{0xfffffffe630dc02f, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff});
+ secp256k1::fq a_sqr = a.sqr();
+ secp256k1::fq expected(uint256_t{0x60381e557e100000, 0x0, 0x0, 0x0});
+ EXPECT_EQ((a_sqr == expected), true);
+}
+
 } // namespace test_secp256k1
\ No newline at end of file
diff --git a/src/aztec/ecc/curves/secp256r1/secp256r1.test.cpp b/src/aztec/ecc/curves/secp256r1/secp256r1.test.cpp
index 28405903757..af0ff4ba629 100644
--- a/src/aztec/ecc/curves/secp256r1/secp256r1.test.cpp
+++ b/src/aztec/ecc/curves/secp256r1/secp256r1.test.cpp
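Review bot: The new test asserts through `EXPECT_EQ((a_sqr == expected), true)`, so when the regression reappears gtest prints only `true` vs `false` and none of the limbs that differed; `EXPECT_EQ(a_sqr, expected)` (if `fq` is streamable) or `EXPECT_TRUE(a_sqr == expected)` followed by logging the four limbs would make a failure diagnosable, and the same applies to the secp256r1 hunk. The input is also a bare magic constant: by my arithmetic `a` is the secp256k1 field modulus minus `0x9cf23c00` and `expected` is exactly `0x9cf23c00` squared, so a comment on the `secp256k1::fq a(...)` line such as `// Regression for #1635: a == p - 0x9cf23c00 (top three limbs all ones), so a.sqr() must equal 0x9cf23c00^2; this near-modulus shape broke montgomery_mul_big on 32-bit/wasm` would tell the next reader why these limbs were chosen. The new side still ends without a trailing newline, which is worth fixing while the file is being touched.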
@@ -468,4 +468,16 @@ TEST(secp256r1, check_compression_constructor)
 std::cout << "Affine element: " << el << std::endl;
 }**/
+TEST(secp256r1, montgomery_mul_big_bug)
+{
+ secp256r1::fr a;
+ a.data[0] = 0xC5BF4F6AFF993D09;
+ a.data[1] = 0xA3361BDA67E62E0E;
+ a.data[2] = 0xAAAAAAAAAAAAAAAA;
+ a.data[3] = 0xFFFFFFFFE38E38E3;
+ secp256r1::fr a_sqr = a.sqr();
+ secp256r1::fr expected(uint256_t{0x57abc6aa0349c084, 0x65b21b232a4cb7a5, 0x5ba781948b0fcd6e, 0xd6e9e0644bda12f7});
+ EXPECT_EQ((a_sqr == expected), true);
+}
+
 } // namespace test_secp256r1
\ No newline at end of file
diff --git a/src/aztec/ecc/fields/field_impl_generic.hpp b/src/aztec/ecc/fields/field_impl_generic.hpp
index a0ba8f9ae21..859dfdae1db 100644
--- a/src/aztec/ecc/fields/field_impl_generic.hpp
+++ b/src/aztec/ecc/fields/field_impl_generic.hpp
@@ -389,7 +389,7 @@ template constexpr field field::montgomery_mul_big(const field&
 uint64_t v1 = t2 + (t3 << 32);
 uint64_t v2 = t4 + (t5 << 32);
 uint64_t v3 = t6 + (t7 << 32);
- uint64_t v4 = t8 + (t9 << 32);
+ uint64_t v4 = t8;
 uint64_t borrow = 0;
 uint64_t r0 = sbb(v0, modulus.data[0], borrow, borrow);
 uint64_t r1 = sbb(v1, modulus.data[1], borrow, borrow);
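Review bot: `a` is built by writing raw limbs into `a.data[0..3]` while `expected` goes through the `uint256_t` constructor, so the two operands presumably sit in different internal representations (the constructor most likely converts to Montgomery form, the raw-limb writes bypass whatever it does), and nothing in the test says this asymmetry is deliberate. A comment on the `a.data[0] = ...` line such as `// raw limbs on purpose: the #1635 bug depends on this exact internal representation, not on the field value; do not "simplify" to the constructor` would stop a future reader from normalising the test and silently losing the regression. If the asymmetry is not deliberate, build `a` the same way as `expected` so the test checks a field identity rather than an implementation detail. This test also has the `EXPECT_EQ((a_sqr == expected), true)` diagnosability issue raised on the secp256k1 hunk.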
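Review bot: `uint64_t v4 = t8;` drops the `(t9 << 32)` term with no comment on why the fifth limb, unlike `v0`..`v3`, has no high half, which is exactly what a reader needs to avoid re-introducing it by pattern-matching the lines above; a comment such as `// v4 has no high half: t9 is not part of the reduced product here, adding it in corrupted the final subtraction on 32-bit/wasm (#1635)` would record it, with the wording adjusted to what t9 actually holds, since its definition is above this hunk. If t9 is still computed above and is now unread, it has become a dead local and an `-Wunused-variable` error under `-Werror`; its definition should go in the same change. This is the generic (non-asm) path, so an error here silently corrupts every field multiply built on it, and the new regression tests only guard it if CI actually runs a 32-bit or wasm build of the secp256k1/secp256r1 test binaries — worth confirming. `montgomery_mul_big` starts and ends outside this hunk.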