chore: address feedback

CHANGELOG.md

@@ -15,6 +15,7 @@
 - Added `miden_core::mast::MastForest::advice_map` to load it into the advice provider before the `MastForest` execution (#1574).
 - Optimized the computation of the DEEP queries in the recursive verifier (#1594).
 - Added validity checks for the inputs to the recursive verifier (#1596).
+- Improved Falcon signiture verification (#1623).
 
 ## 0.11.0 (2024-11-04)
 

core/src/debuginfo/source_file.rs

@@ -515,7 +515,7 @@ impl SourceContent {
     ///
     /// Returns `None` if the given index is out of bounds
     pub fn line_start(&self, line_index: LineIndex) -> Option<ByteIndex> {
-        self.line_starts.get(line_index.to_usize()).copied().map(ByteIndex::from)
+        self.line_starts.get(line_index.to_usize()).copied()
     }
 
     /// Returns the index of the last line in this file

stdlib/asm/crypto/dsa/rpo_falcon512.masm

@@ -8,6 +8,7 @@ const.J=77321994752
 const.M=12289
 const.M_HALF=6144 # (M-1) / 2
 const.SQUARE_NORM_BOUND=34034726
+const.MEMORY_POINTER_OFFSET_OF_HASH_TO_POINT_POLY_FROM_PRODUCT_POLY=1281
 
 # MODULAR REDUCTION FALCON PRIME
 # =============================================================================================
@@ -535,7 +536,7 @@ export.compute_s1_norm_sq
 
         # load the next four c_i
         padw
-        dup.12 add.1281
+        dup.12 add.MEMORY_POINTER_OFFSET_OF_HASH_TO_POINT_POLY_FROM_PRODUCT_POLY
         mem_loadw
         #=> [C, PI_{i+512}, PI, pi_ptr, ...]
 
@@ -626,21 +627,28 @@ export.compute_s2_norm_sq
         padw
         dup.4
         mem_loadw
+        # => [c3, c2, c1, c0, s2_ptr, ...] where ci are coefficients of s2
 
         exec.norm_sq
         swap
+        # => [c2, norm_sq(c3), c1, c0, s2_ptr, ...]
         exec.norm_sq
         add
         swap
+        # => [c1, norm_sq(c2) + norm_sq(c3), c0, s2_ptr, ...]
         exec.norm_sq
         add
         swap
+        # => [c0, norm_sq(c1) + norm_sq(c2) + norm_sq(c3), s2_ptr, ...]
         exec.norm_sq
         add
+        # => [norm_sq(c0) + norm_sq(c1) + norm_sq(c2) + norm_sq(c3), s2_ptr, ...]
         swap
         add.1
+        # => [s2_ptr + 1, norm_sq(c0) + norm_sq(c1) + norm_sq(c2) + norm_sq(c3), ...]
     end
     drop
+    # (512 / 4) - 1 = 127 additions are needed
     repeat.127
         add
     end

stdlib/tests/crypto/falcon.rs

@@ -85,10 +85,12 @@ fn test_falcon512_diff_mod_q() {
         exec.rpo_falcon512::diff_mod_q
     end
     ";
-    let v = rand::thread_rng().gen_range(0..Felt::MODULUS);
+    let v = Felt::MODULUS - 1;
     let (v_lo, v_hi) = (v as u32, v >> 32);
-    let w = rand::thread_rng().gen_range(0..J);
-    let u = rand::thread_rng().gen_range(0..J);
+
+    // test largest possible value given v
+    let w = J - 1;
+    let u = 0;
 
     let test1 = build_test!(source, &[v_lo as u64, v_hi as u64, w + J, u]);
 
@@ -100,6 +102,21 @@ fn test_falcon512_diff_mod_q() {
     assert_eq!(expanded_answer, i128::try_from(simplified_answer).unwrap());
 
     test1.expect_stack(&[simplified_answer as u64]);
+
+    // test smallest possible value given v
+    let w = 0;
+    let u = J - 1;
+
+    let test2 = build_test!(source, &[v_lo as u64, v_hi as u64, w + J, u]);
+
+    // Calculating (v - (u + (- w % q) % q) % q) should be the same as (v + w + J - u) % q.
+    let expanded_answer = (v as i128
+        - ((u as i64 + -(w as i64).rem_euclid(M as i64)).rem_euclid(M as i64) as i128))
+        .rem_euclid(M as i128);
+    let simplified_answer = (v as i128 + w as i128 + J as i128 - u as i128).rem_euclid(M as i128);
+    assert_eq!(expanded_answer, i128::try_from(simplified_answer).unwrap());
+
+    test2.expect_stack(&[simplified_answer as u64]);
 }
 
 proptest! {