longfellow 0.1.0

data/vendor/longfellow-zk/lib/algebra/convolution.h

@@ -0,0 +1,219 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CONVOLUTION_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CONVOLUTION_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "algebra/blas.h"
+#include "algebra/fft.h"
+#include "algebra/rfft.h"
+
+/*
+All of the classes in this package compute convolutions.
+That is, given inputs arrays of field elements x, y, with |x|=n, |y|=m,
+these methods compute the first m entries of
+
+   z[k] = \sum_{i=0}^{n-1} x[i] y[k-i]
+
+SlowConvolution uses an O(n*m) method for testing validation.
+
+FFTConvolution and FFTExtConvolution first pad y to length n and use advanced
+FFT algorithms to compute the same in O(nlogn) time.
+
+The const Field& objects that are passed have lifetimes that exceed the call
+durations and can be safely passed by const reference.
+*/
+
+namespace proofs {
+
+// Returns the smallest power of 2 that is at least n.
+static size_t choose_padding(const size_t n) {
+  size_t p = 1;
+  while (p < n) {
+    p *= 2;
+  }
+  return p;
+}
+
+template <class Field>
+class FFTConvolution {
+  using Elt = typename Field::Elt;
+
+ public:
+  FFTConvolution(size_t n, size_t m, const Field& f, const Elt omega,
+                 uint64_t omega_order, const Elt y[/*m*/])
+      : f_(f),
+        omega_(omega),
+        omega_order_(omega_order),
+        n_(n),
+        m_(m),
+        padding_(choose_padding(m)),
+        y_fft_(padding_, f_.zero()) {
+    Blas<Field>::copy(m, &y_fft_[0], 1, y, 1);
+    FFT<Field>::fftf(&y_fft_[0], padding_, omega_, omega_order_, f_);
+
+    // Pre-scale Y by 1/N to compensate for the scaling in FFTB(FFTF(.))
+    Blas<Field>::scale(padding_, &y_fft_[0], 1,
+                       f_.invertf(f_.of_scalar(padding_)), f_);
+  }
+
+  // Computes (first m entries of) convolution of x with y, outputs in z:
+  // z[k] = \sum_{i=0}^{n-1} x[i] y[k-i].
+  // Note that y has already been FFT'd and divided by padding_ in constructor
+  void convolution(const Elt x[/*n_*/], Elt z[/*m_*/]) const {
+    std::vector<Elt> x_fft(padding_, f_.zero());
+    Blas<Field>::copy(n_, &x_fft[0], 1, x, 1);
+    FFT<Field>::fftf(&x_fft[0], padding_, omega_, omega_order_, f_);
+    // Pointwise multiplication.
+    for (size_t i = 0; i < padding_; ++i) {
+      f_.mul(x_fft[i], y_fft_[i]);
+    }
+    // Backward fft.
+    FFT<Field>::fftb(&x_fft[0], padding_, omega_, omega_order_, f_);
+    Blas<Field>::copy(m_, z, 1, &x_fft[0], 1);
+  }
+
+ private:
+  const Field& f_;
+  const Elt omega_;
+  const uint64_t omega_order_;
+
+  // n is the number of points input
+  size_t n_;
+  size_t m_;  // total number of points output (points in + new points out)
+  size_t padding_;
+
+  // fft(y[i]) / padding
+  // padded with zeroes to the next power of 2 at least m.
+  std::vector<Elt> y_fft_;
+};
+
+template <class Field>
+class FFTConvolutionFactory {
+  using Elt = typename Field::Elt;
+
+ public:
+  using Convolver = FFTConvolution<Field>;
+  FFTConvolutionFactory(const Field& f, const Elt omega, uint64_t omega_order)
+      : f_(f), omega_(omega), omega_order_(omega_order) {}
+
+  std::unique_ptr<const Convolver> make(size_t n, size_t m,
+                                        const Elt y[/*m*/]) const {
+    return std::make_unique<const Convolver>(n, m, f_, omega_, omega_order_, y);
+  }
+
+ private:
+  const Field& f_;
+  const Elt omega_;
+  const uint64_t omega_order_;
+};
+
+template <class Field, class FieldExt>
+class FFTExtConvolution {
+  using Elt = typename Field::Elt;
+  using EltExt = typename FieldExt::Elt;
+
+ public:
+  FFTExtConvolution(size_t n, size_t m, const Field& f, const FieldExt& f_ext,
+                    const EltExt omega, uint64_t omega_order,
+                    const Elt y[/*m*/])
+      : f_(f),
+        f_ext_(f_ext),
+        omega_(omega),
+        omega_order_(omega_order),
+        n_(n),
+        m_(m),
+        padding_(choose_padding(m)),
+        y_fft_(padding_, f_.zero()) {
+    Blas<Field>::copy(m, &y_fft_[0], 1, y, 1);
+    RFFT<FieldExt>::r2hc(&y_fft_[0], padding_, omega_, omega_order_, f_ext_);
+
+    // Pre-scale Y by 1/N to compensate for the scaling in HC2R(R2HC(.))
+    Blas<Field>::scale(padding_, &y_fft_[0], 1,
+                       f_.invertf(f_.of_scalar(padding_)), f_);
+  }
+
+  // Computes (first m entries of) convolution of x with y, stores in z:
+  // z[k] = \sum_{i=0}^{n-1} x[i] y[k-i].
+  // Note that y has already been FFT'd and divided by padding_ in constructor
+  void convolution(const Elt x[/*n_*/], Elt z[/*m_*/]) const {
+    std::vector<Elt> x_fft(padding_, f_.zero());
+    Blas<Field>::copy(n_, &x_fft[0], 1, x, 1);
+    RFFT<FieldExt>::r2hc(&x_fft[0], padding_, omega_, omega_order_, f_ext_);
+
+    // Pointwise multiplication
+    {
+      size_t i;
+      f_.mul(x_fft[0], y_fft_[0]);  // DC is real
+      for (i = 1; i + i < padding_; ++i) {
+        RFFT<FieldExt>::cmul(&x_fft[i], &x_fft[padding_ - i], y_fft_[i],
+                             y_fft_[padding_ - i], f_);
+      }
+      f_.mul(x_fft[i], y_fft_[i]);  // Nyquist is real
+    }
+
+    // Backward FFT.
+    RFFT<FieldExt>::hc2r(&x_fft[0], padding_, omega_, omega_order_, f_ext_);
+    Blas<Field>::copy(m_, z, 1, &x_fft[0], 1);
+  }
+
+ private:
+  const Field& f_;
+  const FieldExt& f_ext_;
+  const EltExt omega_;
+  const uint64_t omega_order_;
+
+  // n is the number of points input in x
+  size_t n_;
+  size_t m_;  // total number of points output in convolution
+  size_t padding_;
+
+  // fft(y[i]) / padding
+  // padded with zeroes to the next power of 2 at least m.
+  std::vector<Elt> y_fft_;
+};
+
+template <class Field, class FieldExt>
+class FFTExtConvolutionFactory {
+  using Elt = typename Field::Elt;
+  using EltExt = typename FieldExt::Elt;
+
+ public:
+  using Convolver = FFTExtConvolution<Field, FieldExt>;
+
+  FFTExtConvolutionFactory(const Field& f, const FieldExt& f_ext,
+                           const EltExt omega, uint64_t omega_order)
+      : f_(f), f_ext_(f_ext), omega_(omega), omega_order_(omega_order) {}
+
+  std::unique_ptr<const Convolver> make(size_t n, size_t m,
+                                        const Elt y[/*m*/]) const {
+    return std::make_unique<const Convolver>(n, m, f_, f_ext_, omega_,
+                                             omega_order_, y);
+  }
+
+ private:
+  const Field& f_;
+  const FieldExt& f_ext_;
+  const EltExt omega_;
+  const uint64_t omega_order_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CONVOLUTION_H_

data/vendor/longfellow-zk/lib/algebra/crt.cc

@@ -0,0 +1,42 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/crt.h"
+
+#include <cstdint>
+
+namespace proofs {
+namespace crt {
+
+// ==========================================
+// 17 primes for a CRT representation that can support p521.
+// 9 or 13 can be used for smaller fields. Primes are in sorted order.
+const uint64_t kPrimes17[kBasisSize] = {
+    18446744072195407873ull, 18446744072237350913ull, 18446744072245739521ull,
+    18446744072325431297ull, 18446744072589672449ull, 18446744072623226881ull,
+    18446744072790999041ull, 18446744073113960449ull, 18446744073290121217ull,
+    18446744073327869953ull, 18446744073332064257ull, 18446744073344647169ull,
+    18446744073420144641ull, 18446744073457893377ull, 18446744073516613633ull,
+    18446744073520807937ull, 18446744073692774401ull};
+
+const uint64_t kOmega17[kBasisSize] = {
+    436037131817ull,   2773676930123ull, 2768111518080ull,  34106487772798ull,
+    1302264167001ull,  5572414085664ull, 4170236488818ull,  10930506752996ull,
+    13447610733542ull, 366878793395ull,  10535270759408ull, 2630106726088ull,
+    2766923619799ull,  6957320847870ull, 10540913985379ull, 15095618916269ull,
+    3150424293220ull,
+};
+
+}  // namespace crt
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/crt.h

@@ -0,0 +1,299 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CRT_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CRT_H_
+
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+
+#include "algebra/fp.h"
+#include "algebra/nat.h"
+#include "util/panic.h"
+
+// The idea behind this class is to mimic the Field interface for F_p with
+// an underlying CRT implementation over a basis of primes. Then a
+// convolution template can be instantiated with this class instead of an
+// F_p field, and this convolution can be used by ReedSolomon.
+
+namespace proofs {
+
+// Every prime field of 1-64b word has the same type, but are different classes.
+using BaseField = Fp<1, false>;
+using BaseNat = typename BaseField::N;
+using BaseElt = typename BaseField::Elt;
+
+// constants
+namespace crt {
+static constexpr size_t kBasisSize = 17;
+static constexpr uint64_t kOmegaOrder = 1ull << 22;
+
+extern const uint64_t kPrimes17[kBasisSize];
+extern const uint64_t kOmega17[kBasisSize];
+}  // namespace crt
+
+// ==========================================
+
+// Fp_crt implementation of field Field. This implementation works as long
+// as the sequence of field operations that are performed on elements before
+// the from_crt method is called can be range-bounded by the max value that can
+// be represented using the CRT basis formed by the first VS primes defined in
+// kBasis.
+// The initialize of this class computes the auxiliary information needed to
+// efficiently move into and out of the CRT representation. Therefore, this
+// class can be instantiated once and used for many convolutions/etc.
+template <size_t VS, class Field>
+class CRT {
+  static constexpr size_t kWField = Field::kU64;
+
+ public:
+  static constexpr size_t kVS = VS;
+  const Field& f_;
+
+  struct Elt {
+    BaseElt r[VS];
+    bool operator==(const Elt& y) const {
+      bool res = true;
+      for (size_t i = 0; i < VS; ++i) {
+        res = res && (r[i] == y.r[i]);
+      }
+      return res;
+    }
+    bool operator!=(const Elt& y) const { return !operator==(y); }
+  };
+
+  explicit CRT(const Field& f) : f_(f) {
+    check(VS <= crt::kBasisSize, "VS <= crt::kBasisSize");
+
+    for (size_t b = 0; b < VS; ++b) {
+      bf_[b] = std::make_unique<BaseField>(BaseNat(crt::kPrimes17[b]));
+    }
+
+    for (size_t b = 0; b < VS; ++b) {
+      k_[0].r[b] = bf_[b]->zero();
+      k_[1].r[b] = bf_[b]->one();
+      k_[2].r[b] = bf_[b]->two();
+      reduce_scale_[b] = bf_[b]->template reduce_scale<kWField>();
+    }
+
+    if (VS == 1) {
+      // ignore the Garner reduction constants, and do not
+      // require the field to support dot products.
+    } else {
+      // Standard CRT integer conversion requires computing a dot-product
+      // between the CRT representation and a vector of constants. The
+      // reconstruction pre-processing is to compute:
+      // 1. Compute P_i = prod_{j neq i} prime_j  and
+      //              P = prod_{j} prime_j
+      // 2. Compute inv_i such that inv_i * P_i = 1 mod prime_i
+      // The online reconstruction step is then:
+      // a. v = (sum_{i} r_i * recon_i) (mod  P)) mod f_p
+      // for (size_t i = 0; i < VS; ++i) {
+      //   recon_[i] = ring_.of_string(kRecon[i]);
+      // }
+      // However, we use the Garner method which requires more pre-processed
+      // elements, but produces a result that is guaranteed to be in [0,m] and
+      // does so using smaller operations.
+
+      // garner_[i] are terms prod p_k in CRT formula, prepared for
+      // optimized FMA operations by 64-bit scalar vi[i] in to_field.
+      for (size_t i = 0; i < VS; ++i) {
+        auto g = f.one();
+        for (size_t j = 0; j < i; ++j) {
+          Nat<1> n(crt::kPrimes17[j]);
+          f.mul(g, f.reduce(n));
+        }
+        garner_[i] = f.prescale_for_dot(g);
+      }
+
+      // Initialize Garner constants Cij.
+      for (size_t i = 0; i < VS; ++i) {
+        for (size_t j = 0; j < i; ++j) {
+          cij_[i][j] = bf_[i]->invertf(bf_[i]->of_scalar(crt::kPrimes17[j]));
+        }
+      }
+    }
+  }
+
+  CRT(const CRT&) = delete;
+  CRT& operator=(const CRT&) = delete;
+
+  Elt to_crt(const typename Field::Elt& e) const {
+    Elt r;
+    auto n = f_.from_montgomery(e);
+    for (size_t b = 0; b < VS; ++b) {
+      r.r[b] = bf_[b]->reduce(n, reduce_scale_[b]);
+    }
+    return r;
+  }
+
+  // The standard CRT reconstruction algorithm to convert
+  // from the CRT representation to the BigRing representation involves
+  // several operations between "ring-element"-sized values and prime-element
+  // sized values. This method is slower, and it produces a result that must
+  // also be reduced modulo the ring.
+  //
+  // result = (sum_{i} x_i * recon_i) (mod  P_))
+  // CRTRing::Elt from_crt(const Elt& x) const {
+  //   typename CRTRing::Elt r = ring_.zero();
+  //   for (size_t i = 0; i < VS; ++i) {
+  //     Nat<1> xi = kBasis[i].from_montgomery(x.r[i]);
+  //     ring_.add(r, ring_.mulf(recon_[i], ring_.of_scalar(xi.limb_[0])));
+  //   }
+  //   return r;
+  // }
+  // BM_FromCRT     2.482µ ± ∞ ¹
+  // BM_FromCRT     22.08k ± ∞ ¹ (instructions)
+  // Instead, we use Garner's method, which can also reduce the returned value
+  // by the Field modulus in the same step. This method is roughly 4x faster.
+  //
+  // BM_ToField     729.6n ± ∞ ¹
+  // BM_ToField     6.282k ± ∞ ¹ (instructions)
+  //
+  // The Garner CRT reconstruction produces a result that lies in 0..m, and
+  // only uses single-word arithmetic to produce the intermediate values
+  // v1..vn.
+  // If the eventual goal is to reconstruct an element in Fp, then the last
+  // reconstruction step can be done in Fp, thereby requiring no arithmetic
+  // in the Bigring.
+  typename Field::Elt to_field(const Elt& x) const {
+    if (VS == 1) {
+      return f_.reduce(bf_[0]->from_montgomery(x.r[0]));
+    } else {
+      // Let cij be s.t. c_ij.pi = 1 mod pj
+      // v1 = x1
+      // v2 = (x2 - v1).c12 mod p2
+      // v3 = ((x3 - v1).c13 - v2).c23 mod p3
+      // v4 = (((x4 - v1).c14 - v2).c24 - v3).c34 mod p4
+      // ...
+      // u = vr.p_{r-1}p_{r-2}...p_1 + ... + v4.p3.p2.p1 + v3.p2.p1 + ... + v1
+      //   Because the goal is to compute u mod F_p, it suffices to maintain
+      //   each of the p_{r-j}...p1 products modulo F_p.
+      BaseNat vi[VS];
+      // This inner loop breaks our field abstraction. Instead of maintaining
+      // vi in Montgomery form, it is kept as a natural in [0,p-1].
+      // The F.sub method works in this form, and because cij_ is in
+      // Montgomery form, the last mul operation returns a result that is also
+      // "natural." This maneuver saves an of_scalar and a from_montgomery
+      // call in the inner-loop.
+      for (size_t j = 0; j < VS; ++j) {
+        vi[j] = bf_[j]->from_montgomery(x.r[j]);
+      }
+
+      // Change the order of operations to exploit data (in)dependencies. The
+      // subtractions and mults can all issue in parallel.
+      for (size_t j = 1; j < VS; ++j) {
+        for (size_t i = j; i < VS; ++i) {
+          const BaseField* Fi = bf_[i].get();
+          Fi->sub(vi[i], vi[j - 1]);
+          Fi->mul(vi[i], cij_[i][j - 1]);
+        }
+      }
+
+      return f_.dot(VS, vi, garner_);
+    }
+  }
+
+  // Returns a root of unity consisting of a root of unity of the same degree
+  // for each base prime.
+  Elt omega() const {
+    Elt r;
+    for (size_t b = 0; b < VS; ++b) {
+      r.r[b] = bf_[b]->of_scalar(crt::kOmega17[b]);
+    }
+    return r;
+  }
+  uint64_t omega_order() const { return crt::kOmegaOrder; }
+
+  // x += y
+  void add(Elt& x, const Elt& y) const {
+    for (size_t i = 0; i < VS; ++i) {
+      bf_[i]->add(x.r[i], y.r[i]);
+    }
+  }
+  // x -= y
+  void sub(Elt& x, const Elt& y) const {
+    for (size_t i = 0; i < VS; ++i) {
+      bf_[i]->sub(x.r[i], y.r[i]);
+    }
+  }
+
+  // x *= y, Montgomery
+  void mul(Elt& x, const Elt& y) const {
+    for (size_t i = 0; i < VS; ++i) {
+      bf_[i]->mul(x.r[i], y.r[i]);
+    }
+  }
+
+  void neg(Elt& x) const {
+    for (size_t i = 0; i < VS; ++i) {
+      bf_[i]->neg(x.r[i]);
+    }
+  }
+
+  void invert(Elt& x) const {
+    for (size_t i = 0; i < VS; ++i) {
+      check(x.r[i] != bf_[i]->zero(), "Non-invertible element");
+      bf_[i]->invert(x.r[i]);
+    }
+  }
+
+  // functional interface
+  Elt addf(Elt a, const Elt& y) const {
+    add(a, y);
+    return a;
+  }
+  Elt subf(Elt a, const Elt& y) const {
+    sub(a, y);
+    return a;
+  }
+  Elt mulf(Elt a, const Elt& y) const {
+    mul(a, y);
+    return a;
+  }
+  Elt negf(Elt a) const {
+    neg(a);
+    return a;
+  }
+
+  Elt invertf(Elt a) const {
+    invert(a);
+    return a;
+  }
+
+  const Elt& zero() const { return k_[0]; }
+  const Elt& one() const { return k_[1]; }
+  const Elt& two() const { return k_[2]; }
+
+ private:
+  std::unique_ptr<BaseField> bf_[VS];
+  Elt k_[3];  // small constants
+  BaseField::template ScaleElt<kWField> reduce_scale_[VS];
+  typename Field::NatScaledForDot garner_[VS];
+  BaseElt cij_[VS][VS];
+};
+
+template <class Field>
+using CRT256 = CRT<9, Field>;
+
+template <class Field>
+using CRT384 = CRT<13, Field>;
+
+template <class Field>
+using CRT521 = CRT<17, Field>;
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CRT_H_

data/vendor/longfellow-zk/lib/algebra/crt_convolution.h

@@ -0,0 +1,114 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CRT_CONVOLUTION_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CRT_CONVOLUTION_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <memory>
+#include <vector>
+
+#include "algebra/convolution.h"
+#include "algebra/fft.h"
+
+namespace proofs {
+
+// Uses a fixed basis of primes to compute a convolution for 64--521 bit values.
+// The CRT class must use the same Field in its definition.
+template <class CRT, class Field>
+class CRTConvolution {
+  using Elt = typename Field::Elt;
+  using CRTElt = typename CRT::Elt;
+
+ public:
+  CRT crt_;
+
+  CRTConvolution(size_t n, size_t m, const Field& f, const Elt y[/*m*/])
+      : crt_(f),
+        f_(f),
+        n_(n),
+        m_(m),
+        padding_(choose_padding(m)),
+        y_fft_(padding_, crt_.zero()),
+        omega_order_(crt_.omega_order()),
+        omega_(crt_.omega()) {
+    // Pre-compute the y coefficients in crt form.
+    // Pre-scale Y by 1/N to compensate for the scaling in FFTB(FFTF(.))
+    auto pni = crt_.invertf(crt_.to_crt(f.of_scalar(padding_)));
+    for (size_t i = 0; i < m; ++i) {
+      y_fft_[i] = crt_.mulf(pni, crt_.to_crt(y[i]));
+    }
+
+    FFT<CRT>::fftf(&y_fft_[0], padding_, omega_, omega_order_, crt_);
+  }
+
+  // Computes (first m entries of) convolution of x with y, outputs in z:
+  // z[k] = \sum_{i=0}^{n-1} x[i] y[k-i].
+  // Note that y has already been FFT'd and divided by padding_ in constructor
+  void convolution(const Elt x[/*n_*/], Elt z[/*m_*/]) const {
+    std::vector<CRTElt> x_fft(padding_, crt_.zero());
+    for (size_t i = 0; i < n_; ++i) {
+      x_fft[i] = crt_.to_crt(x[i]);
+    }
+
+    FFT<CRT>::fftf(&x_fft[0], padding_, omega_, omega_order_, crt_);
+
+    // Pointwise multiplication.
+    for (size_t i = 0; i < padding_; ++i) {
+      crt_.mul(x_fft[i], y_fft_[i]);
+    }
+
+    // Backward fft.
+    FFT<CRT>::fftb(&x_fft[0], padding_, omega_, omega_order_, crt_);
+
+    // Convert back to field form
+    for (size_t i = 0; i < m_; ++i) {
+      z[i] = crt_.to_field(x_fft[i]);
+    }
+  }
+
+ private:
+  const Field& f_;
+
+  // n is the number of points input
+  size_t n_;
+  size_t m_;  // total number of points output (points in + new points out)
+  size_t padding_;
+  std::vector<CRTElt> y_fft_;
+  uint64_t omega_order_;
+  CRTElt omega_;
+};
+
+template <class CRT, class Field>
+class CrtConvolutionFactory {
+  using Elt = typename Field::Elt;
+
+ public:
+  using Convolver = CRTConvolution<CRT, Field>;
+  explicit CrtConvolutionFactory(const Field& f) : f_(f) {}
+
+  std::unique_ptr<const Convolver> make(size_t n, size_t m,
+                                        const Elt y[/*m*/]) const {
+    return std::make_unique<const Convolver>(n, m, f_, y);
+  }
+
+ private:
+  const Field& f_;
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_CRT_CONVOLUTION_H_