Lagrange comp pow2pow fix

src/lib/pickles/wrap_verifier.ml

@@ -369,8 +369,20 @@ struct
           (* TODO: num_bits should maybe be input_length - 1. *)
           Ops.bits_per_chunk * Ops.chunks_needed ~num_bits:input_length
         in
-        let rec pow2pow x i =
-          if i = 0 then x else pow2pow Inner_curve.Constant.(x + x) (i - 1)
+        (* computes 2^i *)
+        let rec field2pow f i =
+          if i = 1 then f
+          else
+            let j = i - 1 in
+            Inner_curve.Constant.Scalar.(f * field2pow f j)
+        in
+        (* computes 2^actual_shift *)
+        let two_to_actual_shift =
+          field2pow (Inner_curve.Constant.Scalar.of_int 2) actual_shift
+        in
+        (* computes [2^actual_shift] G *)
+        let field_to_two_to_shift g =
+          Inner_curve.Constant.scale g two_to_actual_shift
         in
         let base_and_correction (h : Domain.t) =
           let d = Int.pow 2 (Domain.log2_size h) in
@@ -383,7 +395,7 @@ struct
                 let open Inner_curve.Constant in
                 let g = of_affine g in
                 ( Inner_curve.constant g
-                , Inner_curve.constant (negate (pow2pow g actual_shift)) )
+                , Inner_curve.constant (negate (field_to_two_to_shift g)) )
             | Infinity ->
                 (* Point at infinity should be impossible in the SRS *)
                 assert false )
@@ -1373,6 +1385,7 @@ struct
 
   let challenge_polynomial = G.challenge_polynomial (module Field)
 
+  (* computes pt^{2^n} *)
   let pow2pow (pt : Field.t) (n : int) : Field.t =
     with_label __LOC__ (fun () ->
         let rec go acc i =