p3_mersenne_31/

mersenne_31.rs

use alloc::vec;
use alloc::vec::Vec;
use core::fmt::{Debug, Display, Formatter};
use core::hash::{Hash, Hasher};
use core::iter::{Product, Sum};
use core::ops::{Add, AddAssign, Div, DivAssign, Mul, MulAssign, Neg, Sub, SubAssign};
use core::{array, fmt, iter};

use num_bigint::BigUint;
use p3_challenger::UniformSamplingField;
use p3_field::exponentiation::exp_1717986917;
use p3_field::integers::QuotientMap;
use p3_field::op_assign_macros::{
    impl_add_assign, impl_div_methods, impl_mul_methods, impl_sub_assign,
};
use p3_field::{
    Field, InjectiveMonomial, Packable, PermutationMonomial, PrimeCharacteristicRing, PrimeField,
    PrimeField32, PrimeField64, RawDataSerializable, halve_u32, impl_raw_serializable_primefield32,
    quotient_map_large_iint, quotient_map_large_uint, quotient_map_small_int,
};
use p3_util::{flatten_to_base, gcd_inversion_prime_field_32};
use rand::Rng;
use rand::distr::{Distribution, StandardUniform};
use serde::de::Error;
use serde::{Deserialize, Deserializer, Serialize};

/// The Mersenne31 prime
const P: u32 = (1 << 31) - 1;

/// The prime field `F_p` where `p = 2^31 - 1`.
///
/// The serde encoding is canonical: every field element has exactly one valid byte representation.
#[derive(Copy, Clone, Default)]
#[repr(transparent)] // Important for reasoning about memory layout.
#[must_use]
pub struct Mersenne31 {
    /// Not necessarily canonical, but must fit in 31 bits.
    pub(crate) value: u32,
}

impl Mersenne31 {
    /// Create a new field element from any `u32`.
    ///
    /// Any `u32` value is accepted and automatically reduced modulo P.
    #[inline]
    pub const fn new(value: u32) -> Self {
        Self { value: value % P }
    }

    /// Create a field element from a value assumed to be < 2^31.
    ///
    /// # Safety
    /// The element must lie in the range: `[0, 2^31 - 1]`.
    #[inline]
    pub(crate) const fn new_reduced(value: u32) -> Self {
        debug_assert!((value >> 31) == 0);
        Self { value }
    }

    /// Convert a u32 element into a Mersenne31 element.
    ///
    /// Returns `None` if the element does not lie in the range: `[0, 2^31 - 1]`.
    #[inline]
    pub const fn new_checked(value: u32) -> Option<Self> {
        if (value >> 31) == 0 {
            Some(Self { value })
        } else {
            None
        }
    }

    /// Convert a `[u32; N]` array to an array of field elements.
    ///
    /// Const version of `input.map(Mersenne31::new)`.
    #[inline]
    pub const fn new_array<const N: usize>(input: [u32; N]) -> [Self; N] {
        let mut output = [Self::ZERO; N];
        let mut i = 0;
        while i < N {
            output[i].value = input[i] % P;
            i += 1;
        }
        output
    }

    /// Precomputed table of generators for two-adic subgroups of the degree two extension field over Mersenne31.
    /// The `i`'th element is a generator of the subgroup of order `2^i`.
    pub const EXT_TWO_ADIC_GENERATORS: [[Self; 2]; 33] = [
        [Self::ONE, Self::ZERO],
        [Self::new(2_147_483_646), Self::new(0)],
        [Self::new(0), Self::new(2_147_483_646)],
        [Self::new(32_768), Self::new(2_147_450_879)],
        [Self::new(590_768_354), Self::new(978_592_373)],
        [Self::new(1_179_735_656), Self::new(1_241_207_368)],
        [Self::new(1_567_857_810), Self::new(456_695_729)],
        [Self::new(1_774_253_895), Self::new(1_309_288_441)],
        [Self::new(736_262_640), Self::new(1_553_669_210)],
        [Self::new(1_819_216_575), Self::new(1_662_816_114)],
        [Self::new(1_323_191_254), Self::new(1_936_974_060)],
        [Self::new(605_622_498), Self::new(1_964_232_216)],
        [Self::new(343_674_985), Self::new(501_786_993)],
        [Self::new(1_995_316_534), Self::new(149_306_621)],
        [Self::new(2_107_600_913), Self::new(1_378_821_388)],
        [Self::new(541_476_169), Self::new(2_101_081_972)],
        [Self::new(2_135_874_973), Self::new(483_411_332)],
        [Self::new(2_097_144_245), Self::new(1_684_033_590)],
        [Self::new(1_662_322_247), Self::new(670_236_780)],
        [Self::new(1_172_215_635), Self::new(595_888_646)],
        [Self::new(241_940_101), Self::new(323_856_519)],
        [Self::new(1_957_194_259), Self::new(2_139_647_100)],
        [Self::new(1_957_419_629), Self::new(1_541_039_442)],
        [Self::new(1_062_045_235), Self::new(1_824_580_421)],
        [Self::new(1_929_382_196), Self::new(1_664_698_822)],
        [Self::new(1_889_294_251), Self::new(331_248_939)],
        [Self::new(1_214_231_414), Self::new(1_646_302_518)],
        [Self::new(1_765_392_370), Self::new(461_136_547)],
        [Self::new(1_629_751_483), Self::new(66_485_474)],
        [Self::new(1_501_355_827), Self::new(1_439_063_420)],
        [Self::new(509_778_402), Self::new(800_467_507)],
        [Self::new(311_014_874), Self::new(1_584_694_829)],
        [Self::new(1_166_849_849), Self::new(1_117_296_306)],
    ];
}

impl PartialEq for Mersenne31 {
    #[inline]
    fn eq(&self, other: &Self) -> bool {
        self.as_canonical_u32() == other.as_canonical_u32()
    }
}

impl Eq for Mersenne31 {}

impl Packable for Mersenne31 {}

impl Hash for Mersenne31 {
    fn hash<H: Hasher>(&self, state: &mut H) {
        state.write_u32(self.to_unique_u32());
    }
}

impl Ord for Mersenne31 {
    #[inline]
    fn cmp(&self, other: &Self) -> core::cmp::Ordering {
        self.as_canonical_u32().cmp(&other.as_canonical_u32())
    }
}

impl PartialOrd for Mersenne31 {
    #[inline]
    fn partial_cmp(&self, other: &Self) -> Option<core::cmp::Ordering> {
        Some(self.cmp(other))
    }
}

impl Display for Mersenne31 {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        Display::fmt(&self.value, f)
    }
}

impl Debug for Mersenne31 {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        Debug::fmt(&self.value, f)
    }
}

impl Distribution<Mersenne31> for StandardUniform {
    fn sample<R: Rng + ?Sized>(&self, rng: &mut R) -> Mersenne31 {
        loop {
            let next_u31 = rng.next_u32() >> 1;
            let is_canonical = next_u31 != Mersenne31::ORDER_U32;
            if is_canonical {
                return Mersenne31::new_reduced(next_u31);
            }
        }
    }
}

impl Serialize for Mersenne31 {
    fn serialize<S: serde::Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
        // Emit the canonical representative so every field element has one encoding.
        serializer.serialize_u32(self.as_canonical_u32())
    }
}

impl<'a> Deserialize<'a> for Mersenne31 {
    fn deserialize<D: Deserializer<'a>>(d: D) -> Result<Self, D::Error> {
        let val = u32::deserialize(d)?;
        // Reject non-canonical encodings so a proof cannot be re-encoded without the witness.
        // `val == P` is field-equal to 0, so only `[0, P)` is canonical.
        if val < P {
            Ok(Self::new_reduced(val))
        } else {
            Err(D::Error::custom("Value is out of range"))
        }
    }
}

impl RawDataSerializable for Mersenne31 {
    impl_raw_serializable_primefield32!();
}

impl PrimeCharacteristicRing for Mersenne31 {
    type PrimeSubfield = Self;

    const ZERO: Self = Self { value: 0 };
    const ONE: Self = Self { value: 1 };
    const TWO: Self = Self { value: 2 };
    const NEG_ONE: Self = Self {
        value: Self::ORDER_U32 - 1,
    };

    #[inline]
    fn from_prime_subfield(f: Self::PrimeSubfield) -> Self {
        f
    }

    #[inline]
    fn from_bool(b: bool) -> Self {
        Self::new_reduced(b as u32)
    }

    #[inline]
    fn halve(&self) -> Self {
        Self::new_reduced(halve_u32::<P>(self.value))
    }

    #[inline]
    fn mul_2exp_u64(&self, exp: u64) -> Self {
        // In a Mersenne field, multiplication by 2^k is just a left rotation by k bits.
        let exp = exp % 31;
        let left = (self.value << exp) & ((1 << 31) - 1);
        let right = self.value >> (31 - exp);
        let rotated = left | right;
        Self::new_reduced(rotated)
    }

    #[inline]
    fn div_2exp_u64(&self, exp: u64) -> Self {
        // In a Mersenne field, division by 2^k is just a right rotation by k bits.
        let exp = (exp % 31) as u8;
        let left = self.value >> exp;
        let right = (self.value << (31 - exp)) & ((1 << 31) - 1);
        let rotated = left | right;
        Self::new_reduced(rotated)
    }

    #[inline]
    fn sum_array<const N: usize>(input: &[Self]) -> Self {
        assert_eq!(N, input.len());
        // Benchmarking shows that for N <= 5 it's faster to sum the elements directly
        // but for N > 5 it's faster to use the .sum() methods which passes through u64's
        // allowing for delayed reductions.
        match N {
            0 => Self::ZERO,
            1 => input[0],
            2 => input[0] + input[1],
            3 => input[0] + input[1] + input[2],
            4 => (input[0] + input[1]) + (input[2] + input[3]),
            5 => {
                let lhs = input[0] + input[1];
                let rhs = input[2] + input[3];
                lhs + rhs + input[4]
            }
            _ => input.iter().copied().sum(),
        }
    }

    #[inline]
    fn dot_product<const N: usize>(lhs: &[Self; N], rhs: &[Self; N]) -> Self {
        // Accumulate products as u64 to avoid per-multiply reductions.
        // For M31: each value < P < 2^31, so product < P^2 < 2^62.
        // Sum of 4 products < 4 * (P-1)^2 = 2^64 - 2^35 + 16 < 2^64, which fits in u64.
        match N {
            0 => Self::ZERO,
            1 => lhs[0] * rhs[0],
            2 => {
                let sum = (lhs[0].value as u64) * (rhs[0].value as u64)
                    + (lhs[1].value as u64) * (rhs[1].value as u64);
                Self::new_reduced(reduce_64(sum))
            }
            3 => {
                let sum = (lhs[0].value as u64) * (rhs[0].value as u64)
                    + (lhs[1].value as u64) * (rhs[1].value as u64)
                    + (lhs[2].value as u64) * (rhs[2].value as u64);
                Self::new_reduced(reduce_64(sum))
            }
            4 => {
                let sum = (lhs[0].value as u64) * (rhs[0].value as u64)
                    + (lhs[1].value as u64) * (rhs[1].value as u64)
                    + (lhs[2].value as u64) * (rhs[2].value as u64)
                    + (lhs[3].value as u64) * (rhs[3].value as u64);
                Self::new_reduced(reduce_64(sum))
            }
            _ => {
                // Process in chunks of 4 with intermediate reductions
                let mut acc = 0u64;
                let mut i = 0;
                while i + 4 <= N {
                    let chunk_sum = (lhs[i].value as u64) * (rhs[i].value as u64)
                        + (lhs[i + 1].value as u64) * (rhs[i + 1].value as u64)
                        + (lhs[i + 2].value as u64) * (rhs[i + 2].value as u64)
                        + (lhs[i + 3].value as u64) * (rhs[i + 3].value as u64);
                    // Reduce chunk_sum to ~34 bits and add to accumulator
                    acc += partial_reduce(chunk_sum);
                    i += 4;
                }
                // Handle remainder
                while i < N {
                    acc += (lhs[i].value as u64) * (rhs[i].value as u64);
                    i += 1;
                }
                Self::new_reduced(reduce_64(acc))
            }
        }
    }

    #[inline]
    fn zero_vec(len: usize) -> Vec<Self> {
        // SAFETY:
        // Due to `#[repr(transparent)]`, Mersenne31 and u32 have the same size, alignment
        // and memory layout making `flatten_to_base` safe. This this will create
        // a vector Mersenne31 elements with value set to 0.
        unsafe { flatten_to_base(vec![0u32; len]) }
    }
}

// Degree of the smallest permutation polynomial for Mersenne31.
//
// As p - 1 = 2×3^2×7×11×... the smallest choice for a degree D satisfying gcd(p - 1, D) = 1 is 5.
impl InjectiveMonomial<5> for Mersenne31 {}

impl PermutationMonomial<5> for Mersenne31 {
    /// In the field `Mersenne31`, `a^{1/5}` is equal to a^{1717986917}.
    ///
    /// This follows from the calculation `5 * 1717986917 = 4*(2^31 - 2) + 1 = 1 mod p - 1`.
    fn injective_exp_root_n(&self) -> Self {
        exp_1717986917(*self)
    }
}

impl Field for Mersenne31 {
    #[cfg(all(target_arch = "aarch64", target_feature = "neon"))]
    type Packing = crate::PackedMersenne31Neon;
    #[cfg(all(
        target_arch = "x86_64",
        target_feature = "avx2",
        not(target_feature = "avx512f")
    ))]
    type Packing = crate::PackedMersenne31AVX2;
    #[cfg(all(target_arch = "x86_64", target_feature = "avx512f"))]
    type Packing = crate::PackedMersenne31AVX512;
    #[cfg(not(any(
        all(target_arch = "aarch64", target_feature = "neon"),
        all(
            target_arch = "x86_64",
            target_feature = "avx2",
            not(target_feature = "avx512f")
        ),
        all(target_arch = "x86_64", target_feature = "avx512f"),
    )))]
    type Packing = Self;

    // Sage: GF(2^31 - 1).multiplicative_generator()
    const GENERATOR: Self = Self::new(7);

    #[inline]
    fn is_zero(&self) -> bool {
        self.value == 0 || self.value == Self::ORDER_U32
    }

    fn try_inverse(&self) -> Option<Self> {
        if self.is_zero() {
            return None;
        }

        // Number of bits in the Mersenne31 prime.
        const NUM_PRIME_BITS: u32 = 31;

        // gcd_inversion returns the inverse multiplied by 2^60 so we need to correct for that.
        let inverse_i64 = gcd_inversion_prime_field_32::<NUM_PRIME_BITS>(self.value, P);
        Some(Self::from_int(inverse_i64).div_2exp_u64(60))
    }

    #[inline]
    fn order() -> BigUint {
        P.into()
    }

    #[cfg(all(target_arch = "aarch64", target_feature = "neon"))]
    #[inline]
    fn batched_columnwise_dot_product<EF, R, I, const N: usize>(
        acc: &mut [EF::ExtensionPacking],
        items: I,
    ) where
        EF: p3_field::ExtensionField<Self>,
        R: Iterator<Item = Self::Packing>,
        I: Iterator<Item = (R, [EF; N])>,
    {
        crate::aarch64_neon::batched_columnwise_dot_product::<EF, R, I, N>(acc, items);
    }
}

// We can use some macros to implement QuotientMap<Int> for all integer types except for u32 and i32's.
quotient_map_small_int!(Mersenne31, u32, [u8, u16]);
quotient_map_small_int!(Mersenne31, i32, [i8, i16]);
quotient_map_large_uint!(
    Mersenne31,
    u32,
    Mersenne31::ORDER_U32,
    "`[0, 2^31 - 2]`",
    "`[0, 2^31 - 1]`",
    [u64, u128]
);
quotient_map_large_iint!(
    Mersenne31,
    i32,
    "`[-2^30, 2^30]`",
    "`[1 - 2^31, 2^31 - 1]`",
    [(i64, u64), (i128, u128)]
);

// We simple need to prove custom Mersenne31 impls for QuotientMap<u32> and QuotientMap<i32>
impl QuotientMap<u32> for Mersenne31 {
    /// Convert a given `u32` integer into an element of the `Mersenne31` field.
    #[inline]
    fn from_int(int: u32) -> Self {
        // To reduce `n` to 31 bits, we clear its MSB, then add it back in its reduced form.
        let msb = int & (1 << 31);
        let msb_reduced = msb >> 31;
        Self::new_reduced(int ^ msb) + Self::new_reduced(msb_reduced)
    }

    /// Convert a given `u32` integer into an element of the `Mersenne31` field.
    ///
    /// Returns none if the input does not lie in the range `[0, 2^31 - 1]`.
    #[inline]
    fn from_canonical_checked(int: u32) -> Option<Self> {
        (int < Self::ORDER_U32).then(|| Self::new_reduced(int))
    }

    /// Convert a given `u32` integer into an element of the `Mersenne31` field.
    ///
    /// # Safety
    /// The input must lie in the range: `[0, 2^31 - 1]`.
    #[inline(always)]
    unsafe fn from_canonical_unchecked(int: u32) -> Self {
        debug_assert!(int < Self::ORDER_U32);
        Self::new_reduced(int)
    }
}

impl QuotientMap<i32> for Mersenne31 {
    /// Convert a given `i32` integer into an element of the `Mersenne31` field.
    #[inline]
    fn from_int(int: i32) -> Self {
        if int >= 0 {
            Self::new_reduced(int as u32)
        } else if int > (-1 << 31) {
            Self::new_reduced(Self::ORDER_U32.wrapping_add_signed(int))
        } else {
            // The only other option is int = -(2^31) = -1 mod p.
            Self::NEG_ONE
        }
    }

    /// Convert a given `i32` integer into an element of the `Mersenne31` field.
    ///
    /// Returns none if the input does not lie in the range `(-2^30, 2^30)`.
    #[inline]
    fn from_canonical_checked(int: i32) -> Option<Self> {
        const TWO_EXP_30: i32 = 1 << 30;
        const NEG_TWO_EXP_30_PLUS_1: i32 = (-1 << 30) + 1;
        match int {
            0..TWO_EXP_30 => Some(Self::new_reduced(int as u32)),
            NEG_TWO_EXP_30_PLUS_1..0 => {
                Some(Self::new_reduced(Self::ORDER_U32.wrapping_add_signed(int)))
            }
            _ => None,
        }
    }

    /// Convert a given `i32` integer into an element of the `Mersenne31` field.
    ///
    /// # Safety
    /// The input must lie in the range: `[1 - 2^31, 2^31 - 1]`.
    #[inline(always)]
    unsafe fn from_canonical_unchecked(int: i32) -> Self {
        if int >= 0 {
            Self::new_reduced(int as u32)
        } else {
            Self::new_reduced(Self::ORDER_U32.wrapping_add_signed(int))
        }
    }
}

impl PrimeField for Mersenne31 {
    fn as_canonical_biguint(&self) -> BigUint {
        <Self as PrimeField32>::as_canonical_u32(self).into()
    }
}

impl PrimeField32 for Mersenne31 {
    const ORDER_U32: u32 = P;

    #[inline]
    fn as_canonical_u32(&self) -> u32 {
        // Since our invariant guarantees that `value` fits in 31 bits, there is only one possible
        // `value` that is not canonical, namely 2^31 - 1 = p = 0.
        if self.value == Self::ORDER_U32 {
            0
        } else {
            self.value
        }
    }
}

impl PrimeField64 for Mersenne31 {
    const ORDER_U64: u64 = <Self as PrimeField32>::ORDER_U32 as u64;

    #[inline]
    fn as_canonical_u64(&self) -> u64 {
        self.as_canonical_u32().into()
    }
}

impl Add for Mersenne31 {
    type Output = Self;

    #[inline]
    fn add(self, rhs: Self) -> Self {
        // See the following for a way to compute the sum that avoids
        // the conditional which may be preferable on some
        // architectures.
        // https://github.com/Plonky3/Plonky3/blob/6049a30c3b1f5351c3eb0f7c994dc97e8f68d10d/mersenne-31/src/lib.rs#L249

        // Working with i32 means we get a flag which informs us if overflow happened.
        let (sum_i32, over) = (self.value as i32).overflowing_add(rhs.value as i32);
        let sum_u32 = sum_i32 as u32;
        let sum_corr = sum_u32.wrapping_sub(Self::ORDER_U32);

        // If self + rhs did not overflow, return it.
        // If self + rhs overflowed, sum_corr = self + rhs - (2**31 - 1).
        Self::new_reduced(if over { sum_corr } else { sum_u32 })
    }
}

impl Sub for Mersenne31 {
    type Output = Self;

    #[inline]
    fn sub(self, rhs: Self) -> Self {
        let (mut sub, over) = self.value.overflowing_sub(rhs.value);

        // If we didn't overflow we have the correct value.
        // Otherwise we have added 2**32 = 2**31 + 1 mod 2**31 - 1.
        // Hence we need to remove the most significant bit and subtract 1.
        sub -= over as u32;
        Self::new_reduced(sub & Self::ORDER_U32)
    }
}

impl Neg for Mersenne31 {
    type Output = Self;

    #[inline]
    fn neg(self) -> Self::Output {
        // Can't underflow, since self.value is 31-bits and thus can't exceed ORDER.
        Self::new_reduced(Self::ORDER_U32 - self.value)
    }
}

impl Mul for Mersenne31 {
    type Output = Self;

    #[inline]
    #[allow(clippy::cast_possible_truncation)]
    fn mul(self, rhs: Self) -> Self {
        let prod = u64::from(self.value) * u64::from(rhs.value);
        from_u62(prod)
    }
}

impl_add_assign!(Mersenne31);
impl_sub_assign!(Mersenne31);
impl_mul_methods!(Mersenne31);
impl_div_methods!(Mersenne31, Mersenne31);

impl Sum for Mersenne31 {
    #[inline]
    fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
        // This is faster than iter.reduce(|x, y| x + y).unwrap_or(Self::ZERO) for iterators of length >= 6.
        // It assumes that iter.len() < 2^31.

        // This sum will not overflow so long as iter.len() < 2^33.
        let sum = iter.map(|x| x.value as u64).sum::<u64>();

        // sum is < 2^62 provided iter.len() < 2^31.
        from_u62(sum)
    }
}

/// Perform a partial reduction of a u64 value modulo P = 2^31 - 1.
/// The result will be contained in [0, 2^34 - 1].
#[inline(always)]
pub(crate) const fn partial_reduce(val: u64) -> u64 {
    // Refer to the full reduction process in `reduce_64`.
    let lo = (val & (P as u64)) as u32;
    let hi = val >> 31;
    lo as u64 + hi
}

/// Reduce a u64 value modulo P = 2^31 - 1.
/// Uses the identity: 2^31 ≡ 1 (mod P), so val ≡ (val & P) + (val >> 31) (mod P).
/// Returns a value in [0, P].
#[inline(always)]
pub(crate) fn reduce_64(val: u64) -> u32 {
    // First reduction: split into low 31 bits and high 33 bits
    // For val < 2^64: hi < 2^33, lo < 2^31
    // sum1 = lo + hi < 2^33 + 2^31 < 2^34
    let lo = (val & (P as u64)) as u32;
    let hi = val >> 31;
    let sum1 = lo as u64 + hi;

    // Second reduction: sum1 < 2^34
    let lo2 = (sum1 & (P as u64)) as u32;
    let hi2 = (sum1 >> 31) as u32; // hi2 < 2^3 = 8
    let sum2 = lo2 + hi2; // sum2 < 2^31 + 8

    // Final reduction to [0, P]
    sum2.min(sum2.wrapping_sub(P))
}

#[inline(always)]
pub(crate) fn from_u62(input: u64) -> Mersenne31 {
    debug_assert!(input < (1 << 62));
    let input_lo = (input & ((1 << 31) - 1)) as u32;
    let input_high = (input >> 31) as u32;
    Mersenne31::new_reduced(input_lo) + Mersenne31::new_reduced(input_high)
}

impl UniformSamplingField for Mersenne31 {
    const MAX_SINGLE_SAMPLE_BITS: usize = 16;
    // For Mersenne31 uniform sampling really only makes sense if we allow rejection sampling.
    // Sampling 16 bits already has a chance of 3e-5 to require a resample!
    const SAMPLING_BITS_M: [u64; 64] = {
        let prime: u64 = P as u64;
        let mut a = [0u64; 64];
        let mut k = 0;
        while k < 64 {
            if k == 0 {
                a[k] = prime; // This value is irrelevant in practice. `bits = 0` returns 0 always.
            } else {
                // Create a mask to zero out the last k bits
                let mask = !((1u64 << k) - 1);
                a[k] = prime & mask;
            }
            k += 1;
        }
        a
    };
}

#[cfg(test)]
mod tests {
    use num_bigint::BigUint;
    use p3_field::{InjectiveMonomial, PermutationMonomial, PrimeCharacteristicRing};
    use p3_field_testing::{
        test_field, test_prime_field, test_prime_field_32, test_prime_field_64,
    };

    use crate::Mersenne31;

    type F = Mersenne31;

    #[test]
    fn exp_root() {
        // Confirm that (x^{1/5})^5 = x

        let m1 = F::from_u32(0x34167c58);
        let m2 = F::from_u32(0x61f3207b);

        assert_eq!(m1.injective_exp_n().injective_exp_root_n(), m1);
        assert_eq!(m2.injective_exp_n().injective_exp_root_n(), m2);
        assert_eq!(F::TWO.injective_exp_n().injective_exp_root_n(), F::TWO);
    }

    #[test]
    fn serialize_is_canonical() {
        // `P` is the redundant in-memory representation of zero.
        // `new_reduced` preserves it; `new` would collapse it to 0.
        let redundant_zero = F::new_reduced((1 << 31) - 1);
        assert_eq!(redundant_zero, F::ZERO);

        // Both representations serialize to the single canonical encoding.
        assert_eq!(serde_json::to_string(&redundant_zero).unwrap(), "0");
        assert_eq!(serde_json::to_string(&F::ZERO).unwrap(), "0");
    }

    #[test]
    fn deserialize_rejects_non_canonical_encodings() {
        // `P` is field-equal to 0, so its encoding is non-canonical and must be rejected.
        // This blocks re-encoding a proof as `P` without the witness.
        let p_json = serde_json::to_string(&((1u32 << 31) - 1)).unwrap();
        assert!(serde_json::from_str::<F>(&p_json).is_err());

        // The largest canonical value, p - 1, still deserializes.
        let max_canonical_json = serde_json::to_string(&((1u32 << 31) - 2)).unwrap();
        let max_canonical: F = serde_json::from_str(&max_canonical_json).unwrap();
        assert_eq!(max_canonical, F::new((1 << 31) - 2));
    }

    // Mersenne31 has a redundant representation of Zero but no redundant representation of One.
    // The second entry deliberately uses `new_reduced` to *preserve* the `value == P` encoding:
    // the public `new` constructor reduces modulo P and would silently collapse it to 0,
    // making the redundant-representation tests no-ops (cf. #1684).
    const ZEROS: [Mersenne31; 2] = [Mersenne31::ZERO, Mersenne31::new_reduced((1_u32 << 31) - 1)];
    const ONES: [Mersenne31; 1] = [Mersenne31::ONE];

    // Get the prime factorization of the order of the multiplicative group.
    // i.e. the prime factorization of P - 1.
    fn multiplicative_group_prime_factorization() -> [(BigUint, u32); 7] {
        [
            (BigUint::from(2u8), 1),
            (BigUint::from(3u8), 2),
            (BigUint::from(7u8), 1),
            (BigUint::from(11u8), 1),
            (BigUint::from(31u8), 1),
            (BigUint::from(151u8), 1),
            (BigUint::from(331u16), 1),
        ]
    }

    test_field!(
        crate::Mersenne31,
        &super::ZEROS,
        &super::ONES,
        &super::multiplicative_group_prime_factorization()
    );
    test_prime_field!(crate::Mersenne31);
    test_prime_field_64!(crate::Mersenne31, &super::ZEROS, &super::ONES);
    test_prime_field_32!(crate::Mersenne31, &super::ZEROS, &super::ONES);
}