Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Ecfft zk studyclub 9.9
Similar to Ecfft zk studyclub 9.9 (20)
More from Alex Pruden
More from Alex Pruden (16)
Recently uploaded
Recently uploaded (20)
Ecfft zk studyclub 9.9
- 1. ECFFT Elliptic Curves Fast Fourier Transform David Levit Joint work with Eli Ben-Sasson, Dan Carmon and Swastik Kopparty https://arxiv.org/abs/2107.08473
- 2. Overview Classical FFT requires an FFT friendly field (e.g. |K* | divisible by 2n ) Problem: what if K is not FFT friendly?
- 3. Overview Classical FFT requires an FFT friendly field (e.g. |K* | divisible by 2n ) Problem: what if K is not FFT friendly? Solution: replace K* with an elliptic curve group over K (Hasse-Weil bound: q - 2√q + 1 ≤ |E| ≤ q + 2√q + 1) https://arxiv.org/abs/2107.08473
- 4. FFT A field: K Algebraic group: G over K A set of points: S of size m=2n A function: f : G ⟶ K given as coefficients (linear combination of basis functions whose span is L) Evaluate f at all points of S in O(m log(m)) steps.
- 5. Classical FFT ● K is a prime field ● G = K* ● S = a coset of {group of 2n roots of unity} ● L = RR((2n -1)[∞]) = polynomials of degree at most 2n -1
- 6. FFT more details A sequence of maps: G = G0 ⟶ G1 ⟶ G2 ⟶ … ⟶ Gn And a point: P ∊ Gn Such that: S = 𝜑0 -1 ∘𝜑1 -1 ∘𝜑2 -1 ∘...∘𝜑n-1 -1 (P) S = S0 ⟶ S1 ⟶ S2 ⟶ … ⟶ Sn = {P} The maps are 2 to 1 𝜑0 𝜑1 𝜑2 𝜑n-1 𝜑0 𝜑1 𝜑2 𝜑n-1
- 7. ● K is a prime field ● Gi = G = K* ● Si = a coset of {group of 2n-i roots of unity} ● L = RR((2n -1)[∞]) = polynomials of degree at most 2n -1 ● 𝜑i : x ⟼ x2 Classical FFT
- 8. FFT last important property (we want to evaluate f) f(x) = g(𝜑i (x)) + x h(𝜑i (x)) L = L0 ⟵ L1 ⟵ L2 ⟵ … ⟵ Ln = K (𝜑i * g = g ∘ 𝜑i ) Li = 𝜑i * (Li+1 ) ⊕ x 𝜑i * (Li+1 ) 𝜑0 * 𝜑1 * 𝜑2 * 𝜑n-1 * * Actually x could be replaced by other functions
- 9. ● K is a prime field ● Gi = G = K* ● Si = a coset of {group of 2n-i roots of unity} ● Li = RR((2n-i -1)[∞]) = polynomials of degree at most 2n-i -1 ● 𝜑i : x ⟼ x2 Classical FFT
- 10. FFT step f(x) = g(𝜑i (x)) + x h(𝜑i (x)) ● Apply 𝜑i on all elements of Si to get Si+1 . ● Decompose f ∊ Li = 𝜑i * (Li+1 ) ⊕ x 𝜑i * (Li+1 ) to get g and h. We represent f as a linear combination of a basis of Li , a right choice of basis is a union of the bases of 𝜑i * (Li+1 ) and x 𝜑i * (Li+1 ). So this decomposition is trivial. ● Solve by recursion the smaller problems for g and h. ● Evaluate the equation to get f at all points of Si . Running time: T(m) = 2T(m/2) + O(m) = O(m log(m))
- 11. Reminder - Overview Classical FFT requires an FFT friendly field (e.g. |K* | divisible by 2n ) Problem: what if K is not FFT friendly? Solution: replace K* with an elliptic curve group over K (Hasse-Weil bound: q - 2√q + 1 ≤ |E| ≤ q + 2√q + 1) https://arxiv.org/abs/2107.08473
- 12. EC-FFT ● K can be any prime or binary field ● G = E (An elliptic curve of nice order)
- 13. Isogenies A morphism between elliptic curves that is also a group homomorphism is called isogeny. 𝜓 : E0 ⟶ E1 Theorem: Any finite subgroup of an elliptic curve is a kernel of some isogeny.
- 14. Isogenies Example: E0 : y2 = x3 + a x2 + b2 x E1 : y2 = x3 + (a + 6 b) x2 + (4 a b + 8 b2 ) x 𝜓 : E0 ⟶ E1 𝜓 : (x, y) ⟼ (x - 2 b + b2 / x, y (1 - b2 / x2 )) Ker(𝜓) = {(0, 0), ∞}
- 15. Isogenies Theorem: The x coordinate of any isogeny depends only on the x coordinate of the input. 𝜓 : E0 ⟶ E1 𝜓 : (x, y) ⟼ (𝜓x (x), 𝜓y (x, y)) Commutative diagram: E0 ⟶ E1 ↓ ↓ 1 (K) ⟶ 1 (K) 𝜓 𝜓x x x
- 16. Back to EC-FFT G0 = E0 ⟶ E1 ⟶ E2 ⟶ ... ⟶ En-1 ↓ ↓ ↓ ↓ G1 = 1 (K) ⟶ 1 (K) ⟶ 1 (K) ⟶ … ⟶ 1 (K) = Gn x x x x 𝜓0 𝜓1 𝜓2 𝜓n-2 𝜓0,x 𝜓1,x 𝜓2,x 𝜓n-2,x
- 17. EC-FFT ● K can be any prime or binary field ● G0 = E, Gi = 1 (K) for i > 0 ● S0 = Two cosets of Ker(𝜓n-2 ∘...∘𝜓1 ∘𝜓0 ) Si+1 = The x coordinate of the elements of two cosets of Ker(𝜓n-2 ∘...∘𝜓i+1 ∘𝜓i ) ● 𝜑0 : (x, y) ⟼ x, 𝜑i+1 = 𝜓i,x : x ⟼ x - 2 bi + bi 2 /x
- 18. Reminder - Overview Classical FFT requires an FFT friendly field (e.g. |K* | divisible by 2n ) Problem: what if K is not FFT friendly? Solution: replace K* with an elliptic curve group over K (Hasse-Weil bound: q - 2√q + 1 ≤ |E| ≤ q + 2√q + 1) https://arxiv.org/abs/2107.08473
- 19. EC-FFT Ln = constant functions = RR(0) Li = 𝜑i * (Li+1 ) ⊕ 𝜉i 𝜑i * (Li+1 ) (𝜉i TBD) Theorem: Let 𝜑 : 1 (K) ⟶ 1 (K) be a 2 to 1 morphism. Let L = RR(D) for some D ∊ Div( 1 (K)). Let 𝜉 be a rational function with exactly one pole, denote that pole P. Then 𝜑* (L) ⊕ 𝜉 𝜑* (L) = RR(𝜑* (D) + [P])
- 20. EC-FFT first step In the first step: f(x, y) = g(x) + 𝜉0 h(x) 𝜑0 : (x, y) ⟼ x L0 = x* (RR(D1 )) ⊕ 𝜉0 x* (RR(D1 )) x* (RR(D1 )) = rational functions in x only, with poles only at points that go to D1 .
- 21. EC-FFT first step Choose: 𝜉0 = y b0 2 /x 𝜉0 has one pole at P0 = (0, 0) and one pole at P∞ A similar result for this case yields: L0 = x* (RR(D1 )) ⊕ 𝜉0 x* (RR(D1 )) = RR(x* (D1 ) + [P0 ] + [P∞ ])
- 22. EC-FFT ● K can be any prime or binary field ● G0 = E, Gi = 1 (K) for i > 0 ● S0 = Two cosets of Ker(𝜓n-2 ∘...∘𝜓1 ∘𝜓0 ) Si+1 = The x coordinate of the elements of two cosets of Ker(𝜓n-2 ∘...∘𝜓i+1 ∘𝜓i ) ● Li = RR(Di ), Dn = 0, Di = 𝜓i,x * (Di+1 ) + [Pi ], D0 = x* (D1 ) + [P0 ] + [P∞ ] ● 𝜑0 : (x, y) ⟼ x, 𝜑i+1 = 𝜓i,x : x ⟼ x - 2 bi + bi 2 /x
- 23. EC-FFT Choose: 𝜉i+1 = (x + bi ) / (x - bi ) 𝜉i+1 has a pole at bi which is the x coordinate of a point of order 4 in Ei . Dn = 0, Di = 𝜓i,x * (Di+1 ) + [bi ], D0 = x* (D1 ) + [P0 ] + [P∞ ] The result: D0 = 𝛴P∊<g> [P] (sum over all points in a cyclic group of size 2n )