The document proposes an elliptic curve fast Fourier transform (ECFFT) algorithm that can perform FFTs over any prime or binary field, unlike the classical FFT which requires a field with a special structure. It works by replacing the multiplicative group used in classical FFT with an elliptic curve group, and using isogenies between elliptic curves instead of field multiplication to map points between subgroups. This allows performing FFTs in O(n log n) time like the classical FFT, but over any field by leveraging properties of elliptic curves and isogenies.

1. ECFFT
Elliptic Curves Fast Fourier Transform
David Levit
Joint work with Eli Ben-Sasson, Dan Carmon and Swastik Kopparty
https://arxiv.org/abs/2107.08473

2. Overview
Classical FFT requires an FFT friendly field (e.g. |K*
| divisible by 2n
)
Problem: what if K is not FFT friendly?

3. Overview
Classical FFT requires an FFT friendly field (e.g. |K*
| divisible by 2n
)
Problem: what if K is not FFT friendly?
Solution: replace K* with an elliptic curve group over K
(Hasse-Weil bound: q - 2√q + 1 ≤ |E| ≤ q + 2√q + 1)
https://arxiv.org/abs/2107.08473

4. FFT
A field: K
Algebraic group: G over K
A set of points: S of size m=2n
A function: f : G ⟶ K given as coefficients (linear combination of basis
functions whose span is L)
Evaluate f at all points of S in O(m log(m)) steps.

5. Classical FFT
● K is a prime field
● G = K*
● S = a coset of {group of 2n
roots of unity}
● L = RR((2n
-1)[∞]) = polynomials of degree at most 2n
-1

6. FFT more details
A sequence of maps: G = G0
⟶ G1
⟶ G2
⟶ … ⟶ Gn
And a point: P ∊ Gn
Such that: S = 𝜑0
-1
∘𝜑1
-1
∘𝜑2
-1
∘...∘𝜑n-1
-1
(P)
S = S0
⟶ S1
⟶ S2
⟶ … ⟶ Sn
= {P}
The maps are 2 to 1
𝜑0
𝜑1
𝜑2
𝜑n-1
𝜑0
𝜑1
𝜑2
𝜑n-1

7. ● K is a prime field
● Gi
= G = K*
● Si
= a coset of {group of 2n-i
roots of unity}
● L = RR((2n
-1)[∞]) = polynomials of degree at most 2n
-1
● 𝜑i
: x ⟼ x2
Classical FFT

8. FFT last important property
(we want to evaluate f)
f(x) = g(𝜑i
(x)) + x h(𝜑i
(x))
L = L0
⟵ L1
⟵ L2
⟵ … ⟵ Ln
= K (𝜑i
*
g = g ∘ 𝜑i
)
Li
= 𝜑i
*
(Li+1
) ⊕ x 𝜑i
*
(Li+1
)
𝜑0
*
𝜑1
*
𝜑2
*
𝜑n-1
*
* Actually x could be replaced by other functions

9. ● K is a prime field
● Gi
= G = K*
● Si
= a coset of {group of 2n-i
roots of unity}
● Li
= RR((2n-i
-1)[∞]) = polynomials of degree at most 2n-i
-1
● 𝜑i
: x ⟼ x2
Classical FFT

10. FFT step
f(x) = g(𝜑i
(x)) + x h(𝜑i
(x))
● Apply 𝜑i
on all elements of Si
to get Si+1
.
● Decompose f ∊ Li
= 𝜑i
*
(Li+1
) ⊕ x 𝜑i
*
(Li+1
) to get g and h. We represent f as a
linear combination of a basis of Li
, a right choice of basis is a union of the
bases of 𝜑i
*
(Li+1
) and x 𝜑i
*
(Li+1
). So this decomposition is trivial.
● Solve by recursion the smaller problems for g and h.
● Evaluate the equation to get f at all points of Si
.
Running time: T(m) = 2T(m/2) + O(m) = O(m log(m))

11. Reminder - Overview
Classical FFT requires an FFT friendly field (e.g. |K*
| divisible by 2n
)
Problem: what if K is not FFT friendly?
Solution: replace K* with an elliptic curve group over K
(Hasse-Weil bound: q - 2√q + 1 ≤ |E| ≤ q + 2√q + 1)
https://arxiv.org/abs/2107.08473

12. EC-FFT
● K can be any prime or binary field
● G = E (An elliptic curve of nice order)

13. Isogenies
A morphism between elliptic curves that is also a group homomorphism is called
isogeny.
𝜓 : E0
⟶ E1
Theorem:
Any finite subgroup of an elliptic curve is a kernel of some isogeny.

14. Isogenies
Example:
E0
: y2
= x3
+ a x2
+ b2
x E1
: y2
= x3
+ (a + 6 b) x2
+ (4 a b + 8 b2
) x
𝜓 : E0
⟶ E1
𝜓 : (x, y) ⟼ (x - 2 b + b2
/ x, y (1 - b2
/ x2
))
Ker(𝜓) = {(0, 0), ∞}

15. Isogenies
Theorem:
The x coordinate of any isogeny depends only on the x coordinate of the input.
𝜓 : E0
⟶ E1
𝜓 : (x, y) ⟼ (𝜓x
(x), 𝜓y
(x, y))
Commutative diagram: E0
⟶ E1
￬ ￬
1
(K) ⟶ 1
(K)
𝜓
𝜓x
x x

16. Back to EC-FFT
G0
= E0
⟶ E1
⟶ E2
⟶ ... ⟶ En-1
￬ ￬ ￬ ￬
G1
= 1
(K) ⟶ 1
(K) ⟶ 1
(K) ⟶ … ⟶ 1
(K) = Gn
x x x x
𝜓0
𝜓1
𝜓2
𝜓n-2
𝜓0,x
𝜓1,x
𝜓2,x
𝜓n-2,x

17. EC-FFT
● K can be any prime or binary field
● G0
= E, Gi
= 1
(K) for i > 0
● S0
= Two cosets of Ker(𝜓n-2
∘...∘𝜓1
∘𝜓0
)
Si+1
= The x coordinate of the elements of two cosets of Ker(𝜓n-2
∘...∘𝜓i+1
∘𝜓i
)
● 𝜑0
: (x, y) ⟼ x, 𝜑i+1
= 𝜓i,x
: x ⟼ x - 2 bi
+ bi
2
/x

18. Reminder - Overview
Classical FFT requires an FFT friendly field (e.g. |K*
| divisible by 2n
)
Problem: what if K is not FFT friendly?
Solution: replace K* with an elliptic curve group over K
(Hasse-Weil bound: q - 2√q + 1 ≤ |E| ≤ q + 2√q + 1)
https://arxiv.org/abs/2107.08473

19. EC-FFT
Ln
= constant functions = RR(0) Li
= 𝜑i
*
(Li+1
) ⊕ 𝜉i
𝜑i
*
(Li+1
) (𝜉i
TBD)
Theorem:
Let 𝜑 : 1
(K) ⟶ 1
(K) be a 2 to 1 morphism.
Let L = RR(D) for some D ∊ Div( 1
(K)).
Let 𝜉 be a rational function with exactly one pole, denote that pole P.
Then 𝜑*
(L) ⊕ 𝜉 𝜑*
(L) = RR(𝜑*
(D) + [P])

20. EC-FFT first step
In the first step:
f(x, y) = g(x) + 𝜉0
h(x) 𝜑0
: (x, y) ⟼ x
L0
= x*
(RR(D1
)) ⊕ 𝜉0
x*
(RR(D1
))
x*
(RR(D1
)) = rational functions in x only, with poles only at points that go to D1
.

21. EC-FFT first step
Choose: 𝜉0
= y b0
2
/x
𝜉0
has one pole at P0
= (0, 0) and one pole at P∞
A similar result for this case yields:
L0
= x*
(RR(D1
)) ⊕ 𝜉0
x*
(RR(D1
)) = RR(x*
(D1
) + [P0
] + [P∞
])

22. EC-FFT
● K can be any prime or binary field
● G0
= E, Gi
= 1
(K) for i > 0
● S0
= Two cosets of Ker(𝜓n-2
∘...∘𝜓1
∘𝜓0
)
Si+1
= The x coordinate of the elements of two cosets of Ker(𝜓n-2
∘...∘𝜓i+1
∘𝜓i
)
● Li
= RR(Di
), Dn
= 0, Di
= 𝜓i,x
*
(Di+1
) + [Pi
], D0
= x*
(D1
) + [P0
] + [P∞
]
● 𝜑0
: (x, y) ⟼ x, 𝜑i+1
= 𝜓i,x
: x ⟼ x - 2 bi
+ bi
2
/x

23. EC-FFT
Choose: 𝜉i+1
= (x + bi
) / (x - bi
)
𝜉i+1
has a pole at bi
which is the x coordinate of a point of order 4 in Ei
.
Dn
= 0, Di
= 𝜓i,x
*
(Di+1
) + [bi
], D0
= x*
(D1
) + [P0
] + [P∞
]
The result: D0
= 𝛴P∊<g>
[P] (sum over all points in a cyclic group of size
2n
)