longfellow 0.1.0

data/vendor/longfellow-zk/lib/algebra/fft_test.cc

@@ -0,0 +1,257 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "algebra/fft.h"
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "algebra/fp.h"
+#include "algebra/fp2.h"
+#include "algebra/fp_p128.h"
+#include "algebra/fp_p256.h"
+#include "benchmark/benchmark.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+typedef Fp<4> Field;
+static const Field F(
+    "21888242871839275222246405745257275088548364400416034343698204186575808495"
+    "617");
+typedef Field::Elt Elt;
+Bogorng<Field> rng(&F);
+
+// root of unity in F
+Elt omega = F.of_string(
+    "19103219067921713944291392827692070036145651957329286315305642004821462161"
+    "904");
+size_t omega_order = 1 << 28;
+constexpr size_t N = 1 << 16;
+
+static Elt reroot(const Elt& omega_n, size_t n, size_t r, const Field& FF) {
+  Elt omega_r = omega_n;
+  while (r < n) {
+    FF.mul(omega_r, omega_r);
+    r += r;
+  }
+  return omega_r;
+}
+
+TEST(FFT, Inverse) {
+  size_t n = N;
+  std::vector<Elt> A(n);
+  for (size_t i = 0; i < n; ++i) {
+    A[i] = rng.next();
+  }
+  std::vector<Elt> B(A);
+  FFT<Field>::fftf(&A[0], n, omega, omega_order, F);
+  FFT<Field>::fftb(&A[0], n, omega, omega_order, F);
+  for (size_t i = 0; i < n; ++i) {
+    F.mul(A[i], F.invertf(F.of_scalar(n)));
+  }
+  for (size_t i = 0; i < n; ++i) {
+    EXPECT_EQ(A[i], B[i]);
+  }
+}
+
+TEST(FFT, Linear) {
+  size_t n = N;
+  std::vector<Elt> A(n);
+  std::vector<Elt> B(n);
+  std::vector<Elt> C(n);
+  auto k0 = rng.next();
+  auto k1 = rng.next();
+  for (size_t i = 0; i < n; ++i) {
+    A[i] = rng.next();
+    B[i] = rng.next();
+    C[i] = F.addf(F.mulf(k0, A[i]), F.mulf(k1, B[i]));
+  }
+  FFT<Field>::fftf(&A[0], n, omega, omega_order, F);
+  FFT<Field>::fftf(&B[0], n, omega, omega_order, F);
+  FFT<Field>::fftf(&C[0], n, omega, omega_order, F);
+  for (size_t i = 0; i < n; ++i) {
+    EXPECT_EQ(C[i], F.addf(F.mulf(k0, A[i]), F.mulf(k1, B[i])));
+  }
+}
+
+TEST(FFT, Impulse) {
+  size_t n = N;
+  std::vector<Elt> A(n);
+  std::vector<Elt> B(n);
+  std::vector<Elt> C(n);
+  Elt k0 = rng.next();
+  Elt k1 = rng.next();
+
+  for (size_t i = 0; i < n; ++i) {
+    A[i] = i == 0 ? F.zero() : F.one();
+    B[i] = rng.next();
+    C[i] = F.addf(F.mulf(k0, A[i]), F.mulf(k1, B[i]));  // k0 * A[i] + k1 * B[i]
+  }
+
+  FFT<Field>::fftf(&A[0], n, omega, omega_order, F);
+  FFT<Field>::fftf(&B[0], n, omega, omega_order, F);
+  FFT<Field>::fftf(&C[0], n, omega, omega_order, F);
+  for (size_t i = 0; i < n; ++i) {
+    EXPECT_EQ(C[i], F.addf(F.mulf(k0, A[i]), F.mulf(k1, B[i])));
+  }
+}
+
+TEST(FFT, RootOfUnity) {
+  Elt one = reroot(omega, omega_order, 1, F);
+  Elt one1 = F.one();
+  EXPECT_EQ(one, one1);
+}
+
+TEST(FFT, Shift) {
+  size_t n = N;
+  std::vector<Elt> A(n);
+  std::vector<Elt> B(n);
+  std::vector<Elt> C(n);
+  Elt omega_n = reroot(omega, omega_order, n, F);
+  Elt k0 = rng.next();
+  Elt k1 = rng.next();
+
+  for (size_t i = 0; i < n; ++i) {
+    A[i] = rng.next();
+    B[i] = rng.next();
+  }
+  for (size_t i = 0; i < n; ++i) {
+    // k0 * A[(i + 1) % n] + k1 * B[i]
+    C[i] = F.addf(F.mulf(k0, A[(i + 1) % n]), F.mulf(k1, B[i]));
+  }
+
+  FFT<Field>::fftb(&A[0], n, omega, omega_order, F);
+  FFT<Field>::fftb(&B[0], n, omega, omega_order, F);
+  FFT<Field>::fftb(&C[0], n, omega, omega_order, F);
+  Elt w = F.one();
+  EXPECT_EQ(w, reroot(omega_n, n, 1, F));
+  for (size_t i = 0; i < n; ++i) {
+    EXPECT_EQ(F.addf(F.mulf(k0, A[i]), F.mulf(F.mulf(k1, B[i]), w)),
+              F.mulf(w, C[i]));  // k0 * A[i] + k1 * B[i] * w =  C[i] * w
+    F.mul(w, omega_n);
+  }
+}
+}  // namespace
+
+// ================ Benchmarking ==============================================
+
+// benchmark the FFT over a P256^2 with a real root of unity
+namespace bench {
+void BM_FFT_Fp256_2(benchmark::State& state) {
+  using BaseField = Fp256<true>;
+  using Field = Fp2<BaseField>;
+
+  using Elt = Field::Elt;
+  const BaseField F0;
+  const Field F(F0);
+  const Elt OMEGA31 = F.of_string(
+      "112649224146410281873500457609690258373018840430489408729223714171582664"
+      "680802",
+      "840879943585409076957404614278186605601821689971823787493130182544504602"
+      "12908");
+  Bogorng<BaseField> rng(&F0);
+  size_t N = state.range(0);
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = F.of_scalar(rng.next());
+  }
+  for (auto _ : state) {
+    FFT<Field>::fftb(&A[0], N, OMEGA31, 1u << 31, F);
+  }
+}
+BENCHMARK(BM_FFT_Fp256_2)
+    ->RangeMultiplier(4)
+    ->Range(1024, (1 << 22));
+
+void BM_FFT_Fp128(benchmark::State& state) {
+  using Field = Fp128<>;
+  using Elt = Field::Elt;
+  Field F;
+  Bogorng<Field> rng(&F);
+  // bogus root of unit, doesn't matter for benchmark purposes since
+  // we are transforming zeroes anyway
+  auto omega = F.two();
+  size_t N = state.range(0);
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = rng.next();
+  }
+  for (auto _ : state) {
+    FFT<Field>::fftb(&A[0], N, omega, omega_order, F);
+  }
+}
+
+BENCHMARK(BM_FFT_Fp128)
+    ->RangeMultiplier(4)
+    ->Range(1024, (1 << 22));
+
+void BM_FFT_F64_2(benchmark::State& state) {
+  using BaseField = Fp<1>;
+  using Field = Fp2<BaseField>;
+
+  const BaseField F("18446744069414584321");
+  const Field F2(F);
+  using Elt = Field::Elt;
+  static constexpr char kSmallRoot[] = "2752994695033296049";
+  static constexpr uint64_t kSmallOrder = 1ull << 32;
+
+  const Elt omega = F2.of_string(kSmallRoot);
+  Bogorng<BaseField> rng(&F);
+
+  size_t N = state.range(0);
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = F2.of_scalar(rng.next());
+  }
+
+  for (auto _ : state) {
+    FFT<Field>::fftb(&A[0], N, omega, kSmallOrder, F2);
+  }
+}
+
+BENCHMARK(BM_FFT_F64_2)
+    ->RangeMultiplier(4)
+    ->Range(1024, (1 << 22));
+
+void BM_FFT_F64(benchmark::State& state) {
+  using Field = Fp<1>;
+  const Field F("18446744069414584321");
+  using Elt = Field::Elt;
+  static constexpr char kSmallRoot[] = "2752994695033296049";
+  static constexpr uint64_t kSmallOrder = 1ull << 32;
+  const Elt omega = F.of_string(kSmallRoot);
+  Bogorng<Field> rng(&F);
+
+  size_t N = state.range(0);
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = rng.next();
+  }
+
+  for (auto _ : state) {
+    FFT<Field>::fftb(&A[0], N, omega, kSmallOrder, F);
+  }
+}
+
+BENCHMARK(BM_FFT_F64)
+    ->RangeMultiplier(4)
+    ->Range(1024, (1 << 22));
+
+}  // namespace bench
+}  // namespace proofs

data/vendor/longfellow-zk/lib/algebra/fp.h

@@ -0,0 +1,59 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_FP_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_FP_H_
+
+#include <cstddef>
+
+#include "algebra/fp_generic.h"
+#include "algebra/sysdep.h"
+
+namespace proofs {
+
+/*
+The FpReduce structure factors out the main routine for performing modular
+reduction wrt to a Montgomery-represented field element in the FpGeneric
+class. This struct contains a generic reduction step that always works,
+but it can be specialized for certain primes to achieve better efficiency as
+done with our 128- and 256- bit fields.
+*/
+struct FpReduce {
+  template <class limb_t, class N>
+  static inline void reduction_step(limb_t a[], limb_t mprime, const N& m) {
+    constexpr size_t kLimbs = N::kLimbs;
+    if (kLimbs == 1) {
+      // The general case (below) represents the (kLimbs+1)-word product as
+      // L+(H<<64), where in general L and H overlap, requiring
+      // two additions.  For kLimbs==1, L and H do not overlap, and we can
+      // interpret [L, H] as a single double-precision number.
+      limb_t lh[2];
+      limb_t r = mprime * a[0];
+      mulhl(1, lh, lh + 1, r, m.limb_);
+      accum(3, a, 2, lh);
+    } else {
+      limb_t l[kLimbs], h[kLimbs];
+      limb_t r = mprime * a[0];
+      mulhl(kLimbs, l, h, r, m.limb_);
+      accum(kLimbs + 2, a, kLimbs, l);
+      accum(kLimbs + 1, a + 1, kLimbs, h);
+    }
+  }
+};
+
+template <size_t W, bool optimized_mul = false>
+using Fp = FpGeneric<W, optimized_mul, FpReduce>;
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_FP_H_

data/vendor/longfellow-zk/lib/algebra/fp2.h

@@ -0,0 +1,240 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_ALGEBRA_FP2_H_
+#define PRIVACY_PROOFS_ZK_LIB_ALGEBRA_FP2_H_
+
+#include <stddef.h>
+
+#include <cstdint>
+#include <functional>
+#include <optional>
+
+#include "util/panic.h"
+
+namespace proofs {
+// Fields of the form a+sqrt(r)*b where a, b \in Fp and
+// r is a quadratic nonresidue in Fp.  The special "complex"
+// case r = -1 allows for a faster implementation of multiplication.
+//
+// With slight abuse of terminology, we call "a" the "real" part and
+// "b" the "imaginary" part, and we call the sqrt(r) "i" even when
+// r != -1.
+template <class Field, bool nonresidue_is_mone = true>
+class Fp2 {
+ public:
+  using Scalar = typename Field::Elt;
+  using BaseField = Field;
+  using TypeTag = typename Field::TypeTag;
+
+  // size of the serialization into bytes
+  static constexpr size_t kBytes = 2 * Field::kBytes;
+  static constexpr size_t kBits = 2 * Field::kBits;
+  static constexpr size_t kSubFieldBytes = Field::kBytes;
+  static constexpr bool kCharacteristicTwo = false;
+  const Field& f_;
+
+  struct Elt {
+    Scalar re, im;
+    bool operator==(const Elt& y) const { return re == y.re && im == y.im; }
+    bool operator!=(const Elt& y) const { return !operator==(y); }
+  };
+
+  explicit Fp2(const Field& F, const Scalar& nonresidue)
+      : f_(F), nonresidue_(nonresidue) {
+    if (nonresidue_is_mone) {
+      check(nonresidue == F.mone(), "nonresidue == F.mone()");
+    } else {
+      check(nonresidue != F.mone(), "nonresidue != F.mone()");
+    }
+
+    i_ = Elt{f_.zero(), f_.one()};
+    for (uint64_t i = 0; i < sizeof(k_) / sizeof(k_[0]); ++i) {
+      k_[i] = of_scalar(i);
+    }
+    khalf_ = Elt{f_.half(), f_.zero()};
+    kmone_ = Elt{f_.mone(), f_.zero()};
+  }
+  explicit Fp2(const Field& F) : Fp2(F, F.mone()) {}
+
+  Fp2(const Fp2&) = delete;
+  Fp2& operator=(const Fp2&) = delete;
+
+  const Field& base_field() const { return f_; }
+
+  Scalar real(const Elt& e) const { return e.re; }
+  bool is_real(const Elt& e) const { return e.im == f_.zero(); }
+
+  void add(Elt& a, const Elt& y) const {
+    f_.add(a.re, y.re);
+    f_.add(a.im, y.im);
+  }
+  void sub(Elt& a, const Elt& y) const {
+    f_.sub(a.re, y.re);
+    f_.sub(a.im, y.im);
+  }
+  void mul(Elt& a, const Elt& y) const {
+    auto p0 = f_.mulf(a.re, y.re);
+    auto p1 = f_.mulf(a.im, y.im);
+    auto a01 = f_.addf(a.re, a.im);
+    auto y01 = f_.addf(y.re, y.im);
+    if (nonresidue_is_mone) {
+      a.re = f_.subf(p0, p1);
+    } else {
+      a.re = f_.addf(p0, f_.mulf(p1, nonresidue_));
+    }
+    f_.mul(a01, y01);
+    f_.sub(a01, p0);
+    f_.sub(a01, p1);
+    a.im = a01;
+  }
+  void mul(Elt& a, const Scalar& y) const {
+    f_.mul(a.re, y);
+    f_.mul(a.im, y);
+  }
+  void neg(Elt& x) const {
+    Elt y(k_[0]);
+    sub(y, x);
+    x = y;
+  }
+  void conj(Elt& x) const { f_.neg(x.im); }
+  void invert(Elt& x) const {
+    Scalar denom;
+    if (nonresidue_is_mone) {
+      denom = f_.addf(f_.mulf(x.re, x.re), f_.mulf(x.im, x.im));
+    } else {
+      denom = f_.subf(f_.mulf(x.re, x.re),
+                      f_.mulf(nonresidue_, f_.mulf(x.im, x.im)));
+    }
+    f_.invert(denom);
+    conj(x);
+    mul(x, denom);
+  }
+
+  // functional interface
+  Elt addf(Elt a, const Elt& y) const {
+    add(a, y);
+    return a;
+  }
+  Elt subf(Elt a, const Elt& y) const {
+    sub(a, y);
+    return a;
+  }
+  Elt mulf(Elt a, const Elt& y) const {
+    mul(a, y);
+    return a;
+  }
+  Elt mulf(Elt a, const Scalar& y) const {
+    mul(a, y);
+    return a;
+  }
+  Elt negf(Elt a) const {
+    neg(a);
+    return a;
+  }
+  Elt invertf(Elt a) const {
+    invert(a);
+    return a;
+  }
+  Elt conjf(Elt a) const {
+    conj(a);
+    return a;
+  }
+
+  Elt of_scalar(uint64_t a) const { return of_scalar_field(a); }
+  Elt of_scalar(const Scalar& e) const { return of_scalar_field(e); }
+
+  Elt of_scalar_field(const Scalar& e) const { return Elt{e, f_.zero()}; }
+  Elt of_scalar_field(uint64_t a) const {
+    return Elt{f_.of_scalar(a), f_.zero()};
+  }
+  Elt of_scalar_field(uint64_t ar, uint64_t ai) const {
+    return Elt{f_.of_scalar(ar), f_.of_scalar(ai)};
+  }
+
+  template <size_t N>
+  Elt of_string(const char (&s)[N]) const {
+    return Elt{f_.of_string(s), f_.zero()};
+  }
+
+  template <size_t NR, size_t NI>
+  Elt of_string(const char (&sr)[NR], const char (&si)[NI]) const {
+    return Elt{f_.of_string(sr), f_.of_string(si)};
+  }
+
+  std::optional<Elt> of_bytes_field(const uint8_t ab[/* kBytes */]) const {
+    if (auto re = f_.of_bytes_field(ab)) {
+      if (auto im = f_.of_bytes_field(ab + Field::kBytes)) {
+        return Elt{re.value(), im.value()};
+      }
+    }
+    return std::nullopt;
+  }
+
+  Elt sample(
+      const std::function<void(size_t n, uint8_t buf[])>& fill_bytes) const {
+    auto re = f_.sample(fill_bytes);
+    auto im = f_.sample(fill_bytes);
+    return Elt{re, im};
+  }
+
+  Elt sample_subfield(
+      const std::function<void(size_t n, uint8_t buf[])>& fill_bytes) const {
+    auto re = f_.sample(fill_bytes);
+    return of_scalar_field(re);
+  }
+
+  void to_bytes_field(uint8_t ab[/* kBytes */], const Elt& x) const {
+    f_.to_bytes_field(ab, x.re);
+    f_.to_bytes_field(ab + Field::kBytes, x.im);
+  }
+
+  bool in_subfield(const Elt& e) const { return is_real(e); }
+
+  std::optional<Elt> of_bytes_subfield(
+      const uint8_t ab[/* kSubFieldBytes */]) const {
+    if (auto re = f_.of_bytes_subfield(ab)) {
+      return of_scalar(re.value());
+    }
+    return std::nullopt;
+  }
+
+  void to_bytes_subfield(uint8_t ab[/* kSubFieldBytes */], const Elt& x) const {
+    check(in_subfield(x), "x not in subfield");
+    f_.to_bytes_subfield(ab, x.re);
+  }
+
+  const Elt& zero() const { return k_[0]; }
+  const Elt& one() const { return k_[1]; }
+  const Elt& two() const { return k_[2]; }
+  const Elt& half() const { return khalf_; }
+  const Elt& mone() const { return kmone_; }
+  const Elt& i() const { return i_; }
+  Elt poly_evaluation_point(size_t i) const {
+    return of_scalar(f_.poly_evaluation_point(i));
+  }
+  Elt newton_denominator(size_t k, size_t i) const {
+    return of_scalar(f_.newton_denominator(k, i));
+  }
+
+ private:
+  Scalar nonresidue_;
+  Elt k_[3];  // small constants
+  Elt i_;     // i^2 = -1
+  Elt khalf_;
+  Elt kmone_;
+};
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_ALGEBRA_FP2_H_