ark_poly/domain/mod.rs
1//! This module contains an `EvaluationDomain` abstraction for
2//! performing various kinds of polynomial arithmetic on top of
3//! fields that are friendly to fast-fourier-transforms (FFTs).
4//!
5//! A field is FFT-friendly if it contains enough
6//! roots of unity to perform the FFT in O(n log n) time.
7//! These roots of unity comprise the domain over which
8//! polynomial arithmetic is performed.
9
10use ark_ff::FftField;
11use ark_serialize::{CanonicalDeserialize, CanonicalSerialize};
12use ark_std::{fmt, hash, rand::Rng, vec::*, Zero};
13
14#[cfg(feature = "parallel")]
15use rayon::prelude::*;
16
17pub mod general;
18pub mod mixed_radix;
19pub mod radix2;
20pub(crate) mod utils;
21
22pub use general::GeneralEvaluationDomain;
23pub use mixed_radix::MixedRadixEvaluationDomain;
24pub use radix2::Radix2EvaluationDomain;
25
26/// Defines a domain over which finite field (I)FFTs can be performed. The
27/// size of the supported FFT depends on the size of the multiplicative
28/// subgroup. For efficiency, we recommend that the field has at least one large
29/// subgroup generated by a root of unity.
30pub trait EvaluationDomain<F: FftField>:
31 Copy + Clone + hash::Hash + Eq + PartialEq + fmt::Debug + CanonicalSerialize + CanonicalDeserialize
32{
33 /// The type of the elements iterator.
34 type Elements: Iterator<Item = F> + Sized;
35
36 /// Sample an element that is *not* in the domain.
37 fn sample_element_outside_domain<R: Rng>(&self, rng: &mut R) -> F {
38 let mut t = F::rand(rng);
39 while self.evaluate_vanishing_polynomial(t).is_zero() {
40 t = F::rand(rng);
41 }
42 t
43 }
44
45 /// Construct a domain that is large enough for evaluations of a polynomial
46 /// having `num_coeffs` coefficients.
47 fn new(num_coeffs: usize) -> Option<Self>;
48
49 /// Construct a coset domain that is large enough for evaluations of a polynomial
50 /// having `num_coeffs` coefficients.
51 fn new_coset(num_coeffs: usize, offset: F) -> Option<Self> {
52 Self::new(num_coeffs)?.get_coset(offset)
53 }
54
55 /// Construct a coset domain from a subgroup domain
56 fn get_coset(&self, offset: F) -> Option<Self>;
57
58 /// Return the size of a domain that is large enough for evaluations of a
59 /// polynomial having `num_coeffs` coefficients.
60 fn compute_size_of_domain(num_coeffs: usize) -> Option<usize>;
61
62 /// Return the size of `self`.
63 fn size(&self) -> usize;
64
65 /// Return the size of `self` as a field element.
66 fn size_as_field_element(&self) -> F {
67 F::from(self.size() as u64)
68 }
69
70 /// Return log_2(size) of `self`.
71 fn log_size_of_group(&self) -> u64;
72
73 /// Return the inverse of `self.size_as_field_element()`.
74 fn size_inv(&self) -> F;
75
76 /// Return the generator for the multiplicative subgroup that defines this domain.
77 fn group_gen(&self) -> F;
78
79 /// Return the group inverse of `self.group_gen()`.
80 fn group_gen_inv(&self) -> F;
81
82 /// Return the group offset that defines this domain.
83 fn coset_offset(&self) -> F;
84
85 /// Return the inverse of `self.offset()`.
86 fn coset_offset_inv(&self) -> F;
87
88 /// Return `offset^size`.
89 fn coset_offset_pow_size(&self) -> F;
90
91 /// Compute a FFT.
92 #[inline]
93 fn fft<T: DomainCoeff<F>>(&self, coeffs: &[T]) -> Vec<T> {
94 let mut coeffs = coeffs.to_vec();
95 self.fft_in_place(&mut coeffs);
96 coeffs
97 }
98
99 /// Compute a FFT, modifying the vector in place.
100 fn fft_in_place<T: DomainCoeff<F>>(&self, coeffs: &mut Vec<T>);
101
102 /// Compute a IFFT.
103 #[inline]
104 fn ifft<T: DomainCoeff<F>>(&self, evals: &[T]) -> Vec<T> {
105 let mut evals = evals.to_vec();
106 self.ifft_in_place(&mut evals);
107 evals
108 }
109
110 /// Compute a IFFT, modifying the vector in place.
111 fn ifft_in_place<T: DomainCoeff<F>>(&self, evals: &mut Vec<T>);
112
113 /// Multiply the `i`-th element of `coeffs` with `g^i`.
114 fn distribute_powers<T: DomainCoeff<F>>(coeffs: &mut [T], g: F) {
115 Self::distribute_powers_and_mul_by_const(coeffs, g, F::one());
116 }
117
118 /// Multiply the `i`-th element of `coeffs` with `c*g^i`.
119 #[cfg(not(feature = "parallel"))]
120 fn distribute_powers_and_mul_by_const<T: DomainCoeff<F>>(coeffs: &mut [T], g: F, c: F) {
121 // invariant: pow = c*g^i at the ith iteration of the loop
122 let mut pow = c;
123 coeffs.iter_mut().for_each(|coeff| {
124 *coeff *= pow;
125 pow *= &g
126 })
127 }
128
129 /// Multiply the `i`-th element of `coeffs` with `c*g^i`.
130 #[cfg(feature = "parallel")]
131 fn distribute_powers_and_mul_by_const<T: DomainCoeff<F>>(coeffs: &mut [T], g: F, c: F) {
132 use ark_std::cmp::max;
133 let min_parallel_chunk_size = 1024;
134 let num_cpus_available = rayon::current_num_threads();
135 let num_elem_per_thread = max(coeffs.len() / num_cpus_available, min_parallel_chunk_size);
136
137 ark_std::cfg_chunks_mut!(coeffs, num_elem_per_thread)
138 .enumerate()
139 .for_each(|(i, chunk)| {
140 let offset = c * g.pow([(i * num_elem_per_thread) as u64]);
141 let mut pow = offset;
142 chunk.iter_mut().for_each(|coeff| {
143 *coeff *= pow;
144 pow *= &g
145 })
146 });
147 }
148
149 /// Evaluate all the lagrange polynomials defined by this domain at the
150 /// point `tau`. This is computed in time O(|domain|).
151 /// Then given the evaluations of a degree d polynomial P over this domain,
152 /// where d < |domain|, `P(tau)` can be computed as
153 /// `P(tau) = sum_{i in [|Domain|]} L_{i, Domain}(tau) * P(g^i)`.
154 /// `L_{i, Domain}` is the value of the i-th lagrange coefficient
155 /// in the returned vector.
156 fn evaluate_all_lagrange_coefficients(&self, tau: F) -> Vec<F> {
157 // Evaluate all Lagrange polynomials at tau to get the lagrange coefficients.
158 // Define the following as
159 // - H: The coset we are in, with generator g and offset h
160 // - m: The size of the coset H
161 // - Z_H: The vanishing polynomial for H. Z_H(x) = prod_{i in m} (x - hg^i) = x^m - h^m
162 // - v_i: A sequence of values, where v_0 = 1/(m * h^(m-1)), and v_{i + 1} = g * v_i
163 //
164 // We then compute L_{i,H}(tau) as `L_{i,H}(tau) = Z_H(tau) * v_i / (tau - h * g^i)`
165 //
166 // However, if tau in H, both the numerator and denominator equal 0
167 // when i corresponds to the value tau equals, and the coefficient is 0
168 // everywhere else. We handle this case separately, and we can easily
169 // detect by checking if the vanishing poly is 0.
170 let size = self.size();
171 let z_h_at_tau = self.evaluate_vanishing_polynomial(tau);
172 let offset = self.coset_offset();
173 let group_gen = self.group_gen();
174 if z_h_at_tau.is_zero() {
175 // In this case, we know that tau = hg^i, for some value i.
176 // Then i-th lagrange coefficient in this case is then simply 1,
177 // and all other lagrange coefficients are 0.
178 // Thus we find i by brute force.
179 let mut u = vec![F::zero(); size];
180 let mut omega_i = offset;
181 for u_i in u.iter_mut().take(size) {
182 if omega_i == tau {
183 *u_i = F::one();
184 break;
185 }
186 omega_i *= &group_gen;
187 }
188 u
189 } else {
190 // In this case we have to compute `Z_H(tau) * v_i / (tau - h g^i)`
191 // for i in 0..size
192 // We actually compute this by computing (Z_H(tau) * v_i)^{-1} * (tau - h g^i)
193 // and then batch inverting to get the correct lagrange coefficients.
194 // We let `l_i = (Z_H(tau) * v_i)^-1` and `r_i = tau - h g^i`
195 // Notice that since Z_H(tau) is i-independent,
196 // and v_i = g * v_{i-1}, it follows that
197 // l_i = g^-1 * l_{i-1}
198 // TODO: consider caching the computation of l_i to save N multiplications
199 use ark_ff::fields::batch_inversion;
200
201 let group_gen_inv = self.group_gen_inv();
202
203 // v_0_inv = m * h^(m-1)
204 let v_0_inv = self.size_as_field_element() * offset.pow([size as u64 - 1]);
205 let mut l_i = z_h_at_tau.inverse().unwrap() * v_0_inv;
206 let mut negative_cur_elem = -offset;
207 let mut lagrange_coefficients_inverse = vec![F::zero(); size];
208 for coeff in &mut lagrange_coefficients_inverse {
209 let r_i = tau + negative_cur_elem;
210 *coeff = l_i * r_i;
211 // Increment l_i and negative_cur_elem
212 l_i *= &group_gen_inv;
213 negative_cur_elem *= &group_gen;
214 }
215
216 // Invert the lagrange coefficients inverse, to get the actual coefficients,
217 // and return these
218 batch_inversion(lagrange_coefficients_inverse.as_mut_slice());
219 lagrange_coefficients_inverse
220 }
221 }
222
223 /// Return the sparse vanishing polynomial.
224 fn vanishing_polynomial(&self) -> crate::univariate::SparsePolynomial<F> {
225 let constant_coeff = self.coset_offset_pow_size();
226 let coeffs = vec![(0, -constant_coeff), (self.size(), F::one())];
227 crate::univariate::SparsePolynomial::from_coefficients_vec(coeffs)
228 }
229
230 /// This evaluates the vanishing polynomial for this domain at tau.
231 fn evaluate_vanishing_polynomial(&self, tau: F) -> F {
232 // TODO: Consider precomputed exponentiation tables if we need this to be
233 // faster.
234 tau.pow([self.size() as u64]) - self.coset_offset_pow_size()
235 }
236
237 /// Return the filter polynomial of `self` with respect to the subdomain `subdomain`.
238 /// Assumes that `subdomain` is contained within `self`.
239 ///
240 /// # Panics
241 ///
242 /// Panics if `subdomain` is not contained within `self`.
243 fn filter_polynomial(&self, subdomain: &Self) -> crate::univariate::DensePolynomial<F> {
244 use crate::univariate::DenseOrSparsePolynomial;
245 let self_vanishing_poly = DenseOrSparsePolynomial::from(
246 &self.vanishing_polynomial()
247 * (subdomain.size_as_field_element()
248 * subdomain.coset_offset().pow([subdomain.size() as u64])),
249 );
250 let subdomain_vanishing_poly = DenseOrSparsePolynomial::from(
251 &subdomain.vanishing_polynomial() * self.size_as_field_element(),
252 );
253 let (quotient, remainder) = self_vanishing_poly
254 .divide_with_q_and_r(&subdomain_vanishing_poly)
255 .unwrap();
256 assert!(remainder.is_zero());
257 quotient
258 }
259
260 /// This evaluates at `tau` the filter polynomial for `self` with respect
261 /// to the subdomain `subdomain`.
262 fn evaluate_filter_polynomial(&self, subdomain: &Self, tau: F) -> F {
263 let v_subdomain_of_tau = subdomain.evaluate_vanishing_polynomial(tau);
264 if v_subdomain_of_tau.is_zero() {
265 F::one()
266 } else {
267 subdomain.size_as_field_element() * self.evaluate_vanishing_polynomial(tau)
268 / (self.size_as_field_element() * v_subdomain_of_tau)
269 }
270 }
271
272 /// Returns the `i`-th element of the domain.
273 fn element(&self, i: usize) -> F {
274 let mut result = self.group_gen().pow([i as u64]);
275 if !self.coset_offset().is_one() {
276 result *= self.coset_offset()
277 }
278 result
279 }
280
281 /// Return an iterator over the elements of the domain.
282 fn elements(&self) -> Self::Elements;
283
284 /// Given an index which assumes the first elements of this domain are the
285 /// elements of another (sub)domain,
286 /// this returns the actual index into this domain.
287 fn reindex_by_subdomain(&self, other: Self, index: usize) -> usize {
288 assert!(self.size() >= other.size());
289 // Let this subgroup be G, and the subgroup we're re-indexing by be S.
290 // Since its a subgroup, the 0th element of S is at index 0 in G, the first
291 // element of S is at index |G|/|S|, the second at 2*|G|/|S|, etc.
292 // Thus for an index i that corresponds to S, the index in G is i*|G|/|S|
293 let period = self.size() / other.size();
294 if index < other.size() {
295 index * period
296 } else {
297 // Let i now be the index of this element in G \ S
298 // Let x be the number of elements in G \ S, for every element in S. Then x =
299 // (|G|/|S| - 1). At index i in G \ S, the number of elements in S
300 // that appear before the index in G to which i corresponds to, is
301 // floor(i / x) + 1. The +1 is because index 0 of G is S_0, so the
302 // position is offset by at least one. The floor(i / x) term is
303 // because after x elements in G \ S, there is one more element from S
304 // that will have appeared in G.
305 let i = index - other.size();
306 let x = period - 1;
307 i + (i / x) + 1
308 }
309 }
310
311 /// Perform O(n) multiplication of two polynomials that are presented by
312 /// their evaluations in the domain.
313 /// Returns the evaluations of the product over the domain.
314 ///
315 /// Assumes that the domain is large enough to allow for successful
316 /// interpolation after multiplication.
317 #[must_use]
318 fn mul_polynomials_in_evaluation_domain(&self, self_evals: &[F], other_evals: &[F]) -> Vec<F> {
319 assert_eq!(self_evals.len(), other_evals.len());
320 let mut result = self_evals.to_vec();
321
322 ark_std::cfg_iter_mut!(result)
323 .zip(other_evals)
324 .for_each(|(a, b)| *a *= b);
325
326 result
327 }
328}
329
330/// Types that can be FFT-ed must implement this trait.
331pub trait DomainCoeff<F: FftField>:
332 Copy
333 + Send
334 + Sync
335 + core::ops::Add<Output = Self>
336 + core::ops::Sub<Output = Self>
337 + core::ops::AddAssign
338 + core::ops::SubAssign
339 + ark_ff::Zero
340 + core::ops::MulAssign<F>
341 + core::fmt::Debug
342 + PartialEq
343{
344}
345
346impl<T, F> DomainCoeff<F> for T
347where
348 F: FftField,
349 T: Copy
350 + Send
351 + Sync
352 + core::ops::Add<Output = Self>
353 + core::ops::Sub<Output = Self>
354 + core::ops::AddAssign
355 + core::ops::SubAssign
356 + ark_ff::Zero
357 + core::ops::MulAssign<F>
358 + core::fmt::Debug
359 + PartialEq,
360{
361}