longfellow 0.1.0

data/vendor/longfellow-zk/lib/algebra/poly_test.cc

@@ -0,0 +1,123 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/poly.h"
+
+#include <cstddef>
+
+#include "algebra/blas.h"
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "algebra/static_string.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+static const StaticString primes[] = {
+    StaticString("18446744073709551557"),
+    StaticString("340282366920938463463374607431768211297"),
+    StaticString("6277101735386680763835789423207666416102355444464034512659"),
+    StaticString("1157920892373161954235709850086879078532699846656405640394575"
+                 "84007913129639747"),
+    StaticString("2135987035920910082395021706169552114602704522356652769947041"
+                 "607822219725780640550022962086936379"),
+    StaticString("3940200619639447921227904010014361380507973927046544666794829"
+                 "3404245721771497210611414266254884915640806627990306499"),
+};
+
+template <size_t N, size_t W>
+void one_test_eval_lagrange() {
+  using Field = Fp<W>;
+  using T = Poly<N, Field>;
+  using Elt = typename Field::Elt;
+  const Field F(primes[W - 1]);
+  Bogorng<Field> rng(&F);
+  const typename T::dot_interpolation dot_interp(F);
+
+  T C, L;
+  for (size_t iter = 0; iter < 10; ++iter) {
+    for (size_t i = 0; i < N; ++i) {
+      C[i] = rng.next();
+    }
+
+    for (size_t i = 0; i < N; ++i) {
+      // Lagrange basis
+      L[i] = C.eval_monomial(F.poly_evaluation_point(i), F);
+    }
+
+    for (size_t iter1 = 0; iter1 < 10; iter1++) {
+      auto r = rng.next();
+      Elt got_val = L.eval_lagrange(r, F);
+      Elt want_val = C.eval_monomial(r, F);
+      EXPECT_EQ(got_val, want_val);
+
+      T coef = dot_interp.coef(r, F);
+      Elt got_dot = Blas<Field>::dot(N, &coef[0], 1, &L[0], 1, F);
+      EXPECT_EQ(got_dot, want_val);
+    }
+  }
+}
+
+template <size_t N, size_t W>
+void one_test_extend() {
+  using Field = Fp<W>;
+  using T2 = Poly<2, Field>;
+  using FT = Poly<N, Field>;
+  using Elt = typename Field::Elt;
+  const Field F(primes[W - 1]);
+  Bogorng<Field> rng(&F);
+
+  // Test the linear extension.  Start with a polynomial
+  // L2 of degree <2, and extend it to a polynomial L
+  // of degree <N, then evaluate both at random points.
+  for (size_t iter = 0; iter < 10; ++iter) {
+    T2 L2;
+    L2[0] = rng.next();
+    L2[1] = rng.next();
+
+    FT L = FT::extend(L2, F);
+
+    for (size_t iter1 = 0; iter1 < 10; iter1++) {
+      auto r = rng.next();
+      Elt got = L.eval_lagrange(r, F);
+      Elt got2 = L2.eval_lagrange(r, F);
+      EXPECT_EQ(got, got2);
+    }
+  }
+}
+
+template <size_t W>
+void oneW() {
+  one_test_eval_lagrange<2, W>();
+  one_test_eval_lagrange<3, W>();
+  one_test_eval_lagrange<4, W>();
+  one_test_eval_lagrange<5, W>();
+  one_test_eval_lagrange<6, W>();
+  one_test_extend<2, W>();
+  one_test_extend<3, W>();
+  one_test_extend<4, W>();
+  one_test_extend<5, W>();
+  one_test_extend<6, W>();
+}
+
+TEST(Poly, All) {
+  oneW<1>();
+  oneW<2>();
+  oneW<3>();
+  oneW<4>();
+  oneW<5>();
+  oneW<6>();
+}
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/reed_solomon.h

@@ -0,0 +1,150 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_REED_SOLOMON_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_REED_SOLOMON_H_
+
+#include <stddef.h>
+
+#include <memory>
+#include <vector>
+
+#include "algebra/utility.h"
+
+namespace proofs {
+
+/*
+The ReedSolomon class interpolates a polynomial given as input in point-eval
+form at a set of different points, thereby computing a form of RS encoding.
+Specifically, the input polynomial of degree d=n-1 is given as evaluations
+at 0, 1, 2, ..., n-1, and the output is the values at n, n+1, n+2, ..., n+m-1.
+The algorithm uses the following relation:
+
+  p(k) = (-1)^d (k-d)(k choose d) sum_{j=0}^{d} (1/k-j)(-1)^j (d choose j)p(j)
+
+which can be efficiently computed using a convolution, whose implementation
+is provided by a ConvolutionFactory for the field.
+
+The const Field& objects that are passed have lifetimes that exceed the call
+durations and can be safely passed by const reference.
+
+*/
+template <class Field, class ConvolutionFactory>
+class ReedSolomon {
+  using Elt = typename Field::Elt;
+  using Convolver = typename ConvolutionFactory::Convolver;
+
+ public:
+  // n is the number of points provided
+  // m is the total number of points output (including the initial n points)
+  ReedSolomon(size_t n, size_t m, const Field& F,
+              const ConvolutionFactory& factory)
+      : f_(F),  // could grab this from the factory
+        degree_bound_(n - 1),
+        m_(m),
+        leading_constant_(m - n + 1),
+        binom_i_(n) {
+    // inverses[i]: inverses[i] = 1/i from i = 1 to m-1 (inverses[0] = 0)
+    std::vector<Elt> inverses(m_);
+    AlgebraUtil<Field>::batch_inverse_arithmetic(m, &inverses[0], F);
+    c_ = factory.make(n, m, &inverses[0]);
+    leading_constant_[0] = F.one();
+    binom_i_[0] = F.one();
+    // Set leading_constant_[i] = (i+degree_bound_) choose degree_bound_
+    // (from i=0 to i=m)
+    for (size_t i = 1; i + degree_bound_ < m; ++i) {
+      leading_constant_[i] =
+          F.mulf(leading_constant_[i - 1],
+                 F.mulf(F.of_scalar(degree_bound_ + i), inverses[i]));
+    }
+    // Finish computing the leading constants:
+    // (-1)^degree_bound_ (k-degree_bound_) \binom{k}{degree_bound_}
+    for (size_t k = degree_bound_; k < m; ++k) {
+      F.mul(leading_constant_[k - degree_bound_],
+            F.of_scalar(k - degree_bound_));
+      if (degree_bound_ % 2 == 1) {
+        F.neg(leading_constant_[k - degree_bound_]);
+      }
+    }
+
+    for (size_t i = 1; i < n; ++i) {
+      binom_i_[i] =
+          F.mulf(binom_i_[i - 1], F.mulf(F.of_scalar(n - i), inverses[i]));
+    }
+    for (size_t i = 1; i < n; i += 2) {
+      F.neg(binom_i_[i]);
+    }
+  }
+
+  // Given the values of a polynomial of degree at most n at 0, 1, 2, ..., n-1,
+  // this computes the values at n, n+1, n+2, ..., m-1.
+  // (n points go in, m points come out)
+  void interpolate(Elt y[/*m*/]) const {
+    // shorthands
+    const Field& F = f_;
+    size_t n = degree_bound_ + 1;  // number of points input
+
+    // Define x[i] = (-1)^i \binom{n}{i} p(i) for i=0 through i=n
+    std::vector<Elt> x(n);
+    for (size_t i = 0; i < n; i++) {
+      x[i] = F.mulf(binom_i_[i], y[i]);
+    }
+
+    std::vector<Elt> T(m_);
+    c_->convolution(&x[0], &T[0]);
+    // Multiply the leading constants by the convolution
+    for (size_t i = n; i < m_; ++i) {
+      y[i] = F.mulf(leading_constant_[i - degree_bound_], T[i]);
+    }
+  }
+
+ private:
+  const Field& f_;
+
+  // n is the number of points input, and degree_bound = n + 1.
+  // degree_bound_ is useful since the LaTeX math is written in terms of it
+  const size_t degree_bound_;  // degree bound, i.e., n - 1
+  // total number of points output (points in + new points out)
+  const size_t m_;
+
+  std::unique_ptr<const Convolver> c_;
+
+  // leading_constant_[i] = \binom{i+degree_bound_}{degree_bound_} *
+  // (-1)^{degree_bound_} (i+degree_bound_ - degree_bound_) (from i=0 to i=m-n)
+  // i.e., the leading constant \binom{k}{degree_bound_} *
+  // (-1)^degree_bound_ (k - degree_bound_), shifted left by degree_bound_
+  std::vector<Elt> leading_constant_;
+  // (-1)^i (degree_bound_ choose i) from i=0 to i=degree_bound_
+  std::vector<Elt> binom_i_;
+};
+
+template <class Field, class ConvolutionFactory>
+class ReedSolomonFactory {
+ public:
+  ReedSolomonFactory(const ConvolutionFactory& factory, const Field& f)
+      : factory_(factory), f_(f) {}
+
+  std::unique_ptr<ReedSolomon<Field, ConvolutionFactory>> make(size_t n,
+                                                               size_t m) const {
+    return std::make_unique<ReedSolomon<Field, ConvolutionFactory>>(n, m, f_,
+                                                                    factory_);
+  }
+
+ private:
+  const ConvolutionFactory& factory_;
+  const Field& f_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_REED_SOLOMON_H_

data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension.h

@@ -0,0 +1,108 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_REED_SOLOMON_EXTENSION_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_REED_SOLOMON_EXTENSION_H_
+
+#include <stddef.h>
+
+#include <memory>
+#include <utility>
+#include <vector>
+
+#include "algebra/crt.h"
+#include "algebra/crt_convolution.h"
+#include "algebra/fp24.h"
+#include "algebra/fp24_6.h"
+#include "algebra/reed_solomon.h"
+
+namespace proofs {
+
+/*
+The ReedSolomonExtension6 class implements a form of RS encoding when the
+evaluation points belong to a base field, but the message is defined over
+a degree 6 extension field.  In this case, the RS encoding can be viewed as the
+encoding each of the components of the message separately using the base
+field, and then combining the results.
+
+This implementation only works for Fp24_6.
+*/
+class ReedSolomonExtension6 {
+  using BaseField = Fp24;
+  using Elt = typename BaseField::Elt;
+  using ExtElt = typename Fp24_6::Elt;
+
+  CrtConvolutionFactory<CRT<1, Fp24>, Fp24> crt_convolution_factory_;
+  using RSF =
+      ReedSolomonFactory<Fp24, CrtConvolutionFactory<CRT<1, Fp24>, Fp24>>;
+  RSF rsf_;
+
+ public:
+  // n is the number of points input
+  // m is the total number of points output (including the initial n points)
+  ReedSolomonExtension6(size_t n, size_t m, const BaseField& f)
+      : crt_convolution_factory_(f),
+        rsf_(crt_convolution_factory_, f),
+        rs_(rsf_.make(n, m)),
+        degree_bound_(n - 1),
+        m_(m) {}
+
+  // Given the values of a polynomial of degree at most n at 0, 1, 2, ..., n-1,
+  // this computes the values at n, n+1, n+2, ..., m-1.
+  // (n points go in, m points come out)
+  void interpolate(ExtElt y[/*m*/]) const {
+    // shorthands
+    size_t n = degree_bound_ + 1;  // number of points input
+
+    // Compute the RS encoding of each of the components of the message
+    // separately.
+    std::vector<Elt> T(m_);
+    for (size_t d = 0; d < 6; ++d) {
+      // copy inputs to T
+      for (size_t i = 0; i < n; ++i) {
+        T[i] = y[i].e[d];
+      }
+      rs_->interpolate(&T[0]);
+      // copy output to y
+      for (size_t i = n; i < m_; ++i) {
+        y[i].e[d] = T[i];
+      }
+    }
+  }
+
+ private:
+  decltype(std::declval<const RSF&>().make(1, 1)) rs_;
+
+  const size_t degree_bound_;  // degree bound, i.e., n - 1
+  // total number of points output (points in + new points out)
+  const size_t m_;
+};
+
+class ReedSolomonExtensionFactory {
+  using BaseField = Fp24;
+
+ public:
+  explicit ReedSolomonExtensionFactory(const BaseField& f) : base_field_(f) {}
+
+  std::unique_ptr<ReedSolomonExtension6> make(size_t n, size_t m) const {
+    return std::make_unique<ReedSolomonExtension6>(n, m, base_field_);
+  }
+
+ private:
+  const BaseField& base_field_;
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_REED_SOLOMON_EXTENSION_H_

data/vendor/longfellow-zk/lib/algebra/reed_solomon_extension_test.cc

@@ -0,0 +1,76 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/reed_solomon_extension.h"
+
+#include <cstddef>
+#include <memory>
+
+#include "algebra/fp24.h"
+#include "algebra/fp24_6.h"
+#include "algebra/interpolation.h"
+#include "algebra/poly.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+static constexpr size_t N = 10;
+static constexpr size_t M = 30;
+
+TEST(ReedSolomonExtensionTest, Extension6) {
+  using BaseField = Fp24;
+  using ExtField = Fp24_6;
+  using BaseElt = BaseField::Elt;
+  using ExtElt = ExtField::Elt;
+
+  const BaseField base(8380417);
+  const ExtField ext(base, 7);
+
+  using Poly = Poly<N, BaseField>;
+  using Interpolation = Interpolation<N, BaseField>;
+  using RSExtFactory = ReedSolomonExtensionFactory;
+
+  Poly P[6];
+  for (size_t d = 0; d < 6; ++d) {
+    for (size_t i = 0; i < N; ++i) {
+      P[d][i] = base.of_scalar(i * i * i + d * i + (i ^ (i << 2)));
+    }
+  }
+
+  ExtElt L[M];
+  for (size_t i = 0; i < M; ++i) {
+    BaseElt x = base.of_scalar(i);
+    for (size_t d = 0; d < 6; ++d) {
+      L[i].e[d] = Interpolation::eval_monomial(P[d], x, base);
+    }
+  }
+
+  ExtElt L2[M];
+  for (size_t i = 0; i < N; ++i) {
+    L2[i] = L[i];
+  }
+
+  RSExtFactory rs_ext_factory(base);
+
+  auto r = rs_ext_factory.make(N, M);
+  r->interpolate(L2);
+
+  for (size_t i = 0; i < M; ++i) {
+    EXPECT_EQ(L2[i], L[i]);
+  }
+}
+
+}  // namespace
+}  // namespace proofs