longfellow 0.1.0

data/vendor/longfellow-zk/lib/gf2k/lch14.h

@@ -0,0 +1,242 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_GF2K_LCH14_H_
+#define PRIVACY_PROOFS_ZK_LIB_GF2K_LCH14_H_
+
+#include <stdio.h>
+
+#include <vector>
+
+#include "util/panic.h"
+
+// The algorithm from [LCH14] following [DP24, Algorithm 2]
+//
+// [LCH14] Sian-Jheng Lin, Wei-Ho Chung, and Yunghsiang S. Han: Novel
+// Polynomial Basis and Its Application to Reed-Solomon Erasure Codes,
+// https://arxiv.org/pdf/1404.3458
+
+// [DP24] Benjamin E. Diamond and Jim Posen, Polylogarithmic Proofs
+// for Multilinears over Binary Towers, https://eprint.iacr.org/2024/504
+
+namespace proofs {
+
+template <class Field>
+class LCH14 {
+  using Elt = typename Field::Elt;
+
+  // only works in binary fields
+  static_assert(Field::kCharacteristicTwo);
+
+ public:
+  static constexpr size_t kSubFieldBits = Field::kSubFieldBits;
+
+  explicit LCH14(const Field &F) : f_(F) {
+    // Compute W_i(\beta_j) for all i, j.
+
+    // We store the unnormalized W_[i][j] = W_i(\beta_j)
+    // in the same memory as the normalized \hat{W}_i(\beta_j), since
+    // the unnormalized values are not needed after normalization.
+
+    // In an attempt to improve clarity, we syntactically distinguish
+    // the unnormalized array W from the normalized array w_hat_,
+    // but one must be mindful that the two names alias to the
+    // same memory locations.
+    auto W = w_hat_;
+
+    // Base case: W_0(X) = X
+    for (size_t j = 0; j < kSubFieldBits; ++j) {
+      W[0][j] = f_.beta(j);
+    }
+
+    // Inductive case: W_{i+1}(X) = W_i(X)(W_i(X)+W_i(\beta_i))
+    for (size_t i = 0; i + 1 < kSubFieldBits; ++i) {
+      for (size_t j = 0; j < kSubFieldBits; ++j) {
+        W[i + 1][j] = f_.mulf(W[i][j], f_.addf(W[i][j], W[i][i]));
+      }
+    }
+
+    // normalized \hat{W}_i(\beta j)
+    for (size_t i = 0; i < kSubFieldBits; ++i) {
+      Elt scale = f_.invertf(W[i][i]);
+      for (size_t j = 0; j < kSubFieldBits; ++j) {
+        w_hat_[i][j] = f_.mulf(scale, W[i][j]);
+      }
+    }
+  }
+
+  // Computation of a single twiddle factor.
+  // Implicit in [LCH14, III.E], explicit in [DP24, Algorithm 2].
+  Elt twiddle(size_t i, size_t u) const {
+    Elt t = f_.zero();
+    for (size_t k = 0; u != 0; ++k, u >>= 1) {
+      if (u & 1) {
+        f_.add(t, w_hat_[i][k]);
+      }
+    }
+    return t;
+  }
+
+  // linear-time computation of all twiddles at the same time
+  void twiddles(size_t i, size_t l, size_t coset, Elt tw[]) const {
+    tw[0] = twiddle(i, coset);
+    for (size_t k = 0; (i + 1) + k < l; ++k) {
+      Elt shift = w_hat_[i][(i + 1) + k];
+      for (size_t u = 0; u < (k1 << k); ++u) {
+        tw[u + (k1 << k)] = f_.addf(tw[u], shift);
+      }
+    }
+  }
+
+  size_t ntwiddles(size_t l) const { return k1 << (l - 1); }
+
+  // Notation from [DP24, Algorithm 2], except that we hardcode R=0
+  // and add the coset parameter.
+  void FFT(size_t l, size_t coset, Elt B[/* n = (1 << l) */]) const {
+    check(l <= kSubFieldBits, "l <= kSubFieldBits");
+
+    if (l > 0) {
+      // space for twiddle factors
+      std::vector<Elt> tw(ntwiddles(l));
+
+      for (size_t i = l; i-- > 0;) {
+        size_t s = k1 << i;
+        twiddles(i, l, coset, &tw[0]);
+        for (size_t u = 0; (u << (i + 1)) < (k1 << l); ++u) {
+          Elt twu = tw[u];
+          for (size_t v = 0; v < s; ++v) {
+            butterfly_fwd(B, (u << (i + 1)) + v, s, twu);
+          }
+        }
+      }
+    }
+  }
+
+  void IFFT(size_t l, size_t coset, Elt B[/* n = (1 << l) */]) const {
+    check(l <= kSubFieldBits, "l <= kSubFieldBits");
+
+    if (l > 0) {
+      // space for twiddle factors
+      std::vector<Elt> tw(ntwiddles(l));
+
+      for (size_t i = 0; i < l; ++i) {
+        size_t s = k1 << i;
+        twiddles(i, l, coset, &tw[0]);
+        for (size_t u = 0; (u << (i + 1)) < (k1 << l); ++u) {
+          Elt twu = tw[u];
+          for (size_t v = 0; v < s; ++v) {
+            butterfly_bwd(B, (u << (i + 1)) + v, s, twu);
+          }
+        }
+      }
+    }
+  }
+
+  void BidirectionalFFT(size_t l, size_t k, Elt B[/* n = (1 << l) */]) const {
+    check(l <= kSubFieldBits, "l <= kSubFieldBits");
+    bidir_recur(/*i=*/l, /*coset=*/0, k, B);
+  }
+
+  // debug access to w_hat_
+  Elt WHat_DEBUG(size_t i, size_t j) const { return w_hat_[i][j]; }
+
+ private:
+  // avoid writing static_cast<size_t>(1) all the time.
+  static constexpr size_t k1 = 1;
+
+  const Field &f_;
+
+  // precomputed [i][j] -> \hat{W}(\beta_j)
+  Elt w_hat_[kSubFieldBits][kSubFieldBits];
+
+  // The algorithm described in Joris van der Hoeven, "The Truncated
+  // Fourier Transform and Applications".  This implementation is
+  // based on the pseudo-code from the followup paper "Notes on the
+  // Truncated Fourier Transform", also by Joris van der Hoeven.
+  //
+  // Van der Hoeven considers the classic multiplicative FFT;
+  // here we port the algorithm to the [LCH14] adaptive FFT.
+
+  // Here we call the algorithm the "Bidirectional FFT", because
+  // the algorithm takes a set of points in the "time" domain
+  // and the complementary set of points in the "frequency" domain,
+  // and it flips time and frequency, so the algorithm can be
+  // used to compute the forward and backward transforms, as well
+  // as combinations of the two.
+  //
+  // The literature on the truncated Fourier transforms assumes that
+  // the complementary set of points are implicitly set to zero, and
+  // the main problem is how to avoid storing the zeroes.  Our main
+  // problem is not time or space efficiency, but polynomial
+  // interpolation.  Given k evaluations of a polynomial of degree <k,
+  // compute the other evaluations up to n=2^l.  So we care about both
+  // the unknown nonzero coefficients and the unknown n-k evaluations.
+  void bidir_recur(size_t i, size_t coset, size_t k,
+                   Elt B[/* n = (1 << i) */]) const {
+    if (i-- > 0) {
+      size_t s = k1 << i;
+      Elt twu = twiddle(i, coset);
+
+      if (k < s) {
+        for (size_t uv = k; uv < s; ++uv) {
+          butterfly_fwd(B, uv, s, twu);
+        }
+
+        bidir_recur(i, coset, k, B);
+
+        for (size_t uv = 0; uv < k; ++uv) {
+          butterfly_diag(B, uv, s, twu);
+        }
+
+        FFT(i, coset + s, B + s);
+      } else /* k >= s */ {
+        IFFT(i, coset, B);
+
+        for (size_t uv = k - s; uv < s; ++uv) {
+          butterfly_diag(B, uv, s, twu);
+        }
+
+        bidir_recur(i, coset + s, k - s, B + s);
+
+        for (size_t uv = 0; uv < k - s; ++uv) {
+          butterfly_bwd(B, uv, s, twu);
+        }
+      }
+    }
+  }
+
+  inline void butterfly_fwd(Elt B[], size_t uv, size_t s,
+                            const Elt &twu) const {
+    f_.add(B[uv], f_.mulf(twu, B[uv + s]));
+    f_.add(B[uv + s], B[uv]);
+  }
+
+  inline void butterfly_bwd(Elt B[], size_t uv, size_t s,
+                            const Elt &twu) const {
+    f_.sub(B[uv + s], B[uv]);
+    f_.sub(B[uv], f_.mulf(twu, B[uv + s]));
+  }
+
+  // forward at [uv + s], backward at [uv]
+  inline void butterfly_diag(Elt B[], size_t uv, size_t s,
+                             const Elt &twu) const {
+    Elt b1 = B[uv + s];
+    f_.add(B[uv + s], B[uv]);
+    f_.sub(B[uv], f_.mulf(twu, b1));
+  }
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_GF2K_LCH14_H_

data/vendor/longfellow-zk/lib/gf2k/lch14_bench.cc

@@ -0,0 +1,75 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cstddef>
+#include <vector>
+
+#include "gf2k/gf2_128.h"
+#include "gf2k/lch14.h"
+#include "third_party/benchmark/include/benchmark/benchmark.h"
+
+namespace proofs {
+using Field = GF2_128<5>;  // use 32-bit subfield for large FFTs
+using Elt = Field::Elt;
+static const Field F;
+static const LCH14<Field> FFT(F);
+
+void BM_LCH14_FFT(benchmark::State& state) {
+  size_t l = state.range(0);
+  size_t N = 1 << l;
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = F.x();
+  }
+
+  for (auto _ : state) {
+    FFT.FFT(l, /*coset=*/0, A.data());
+  }
+}
+
+BENCHMARK(BM_LCH14_FFT)->DenseRange(2, 20);
+
+void BM_LCH14_IFFT(benchmark::State& state) {
+  size_t l = state.range(0);
+  size_t N = 1 << l;
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = F.x();
+  }
+
+  for (auto _ : state) {
+    FFT.IFFT(l, /*coset=*/0, A.data());
+  }
+}
+
+BENCHMARK(BM_LCH14_IFFT)->DenseRange(2, 20);
+
+void BM_LCH14_BidirectionalFFT(benchmark::State& state) {
+  size_t l = state.range(0);
+  size_t N = 1 << l;
+  std::vector<Elt> A(N);
+  for (size_t i = 0; i < N; ++i) {
+    A[i] = F.x();
+  }
+
+  for (auto _ : state) {
+    FFT.BidirectionalFFT(l, /*k=*/N - 1, A.data());
+  }
+}
+
+BENCHMARK(BM_LCH14_BidirectionalFFT)->DenseRange(2, 20);
+
+}  // namespace proofs
+
+BENCHMARK_MAIN();

data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon.h

@@ -0,0 +1,127 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_GF2K_LCH14_REED_SOLOMON_H_
+#define PRIVACY_PROOFS_ZK_LIB_GF2K_LCH14_REED_SOLOMON_H_
+
+#include <stdio.h>
+
+#include <algorithm>
+#include <memory>
+#include <vector>
+
+#include "gf2k/lch14.h"
+
+namespace proofs {
+
+template <class Field>
+class LCH14ReedSolomon {
+  using Elt = typename Field::Elt;
+
+  // only works in binary fields
+  static_assert(Field::kCharacteristicTwo);
+
+ public:
+  // We interpolate N points, assumed to be the evaluations at
+  // F.of_scalar(i), 0 <= i < N, of a polynomial of degree <N, to M
+  // points 0 <= i < M.  (Thus, the M points include the N points
+  // we started with.)
+  //
+  // In principle we don't need to know N and M at construction time,
+  // but we require N and M for compatibility of the interface with
+  // the ReedSolomon class over prime fields.
+  LCH14ReedSolomon(size_t n, size_t m, const Field& F)
+      : f_(F), n_(n), m_(m), fft_(F) {}
+
+  // Y[i] is expected to be defined for 0 <= i < N, and this
+  // routine fills it for 0 <= i < M
+  void interpolate(Elt y[/*m*/]) const {
+    // determine the FFT size
+    size_t l = 0;
+    size_t fftn = 1;
+    while (fftn < n_) {
+      fftn <<= 1;
+      ++l;
+    }
+
+    // "coefficients" in the LCH14 novel polynomial basis
+    std::vector<Elt> C(fftn);
+
+    // compute the "coefficients" under the assumption
+    // that we know n_ evaluations and that the higher-order
+    // (fftn - n_) "coefficients" are zero.
+    for (size_t i = 0; i < n_; ++i) {
+      C[i] = y[i];
+    }
+    for (size_t i = n_; i < fftn; ++i) {
+      C[i] = f_.zero();
+    }
+    fft_.BidirectionalFFT(l, /*k=*/n_, &C[0]);
+
+    // fill in the missing evaluations in the first coset, since we
+    // already have the missing evaluations in C[[n_, (1<<l))]
+    for (size_t i = n_; i < std::min(m_, fftn); ++i) {
+      y[i] = C[i];
+    }
+
+    // revert C to pure coefficients for later use
+    for (size_t i = n_; i < fftn; ++i) {
+      C[i] = f_.zero();
+    }
+
+    // all remaining cosets:
+    for (size_t coset = 1; (coset << l) < m_; ++coset) {
+      size_t b = (coset << l);
+      if (b + fftn <= m_) {
+        // if the coset fits completely within Y[],
+        // copy the coefficients into Y and transform in place
+        for (size_t i = 0; i < fftn; ++i) {
+          y[i + b] = C[i];
+        }
+        fft_.FFT(l, b, &y[b]);
+      } else {
+        // Partial fit.  Transform C and copy the output.
+        fft_.FFT(l, b, &C[0]);
+        for (size_t i = 0; i + b < m_; ++i) {
+          y[i + b] = C[i];
+        }
+        // Now we have destroyed C, but this is ok because
+        // this is the last iteration
+      }
+    }
+  }
+
+ private:
+  const Field& f_;
+  size_t n_;
+  size_t m_;
+  LCH14<Field> fft_;
+};
+
+template <class Field>
+class LCH14ReedSolomonFactory {
+ public:
+  explicit LCH14ReedSolomonFactory(const Field& f) : f_(f) {}
+
+  std::unique_ptr<LCH14ReedSolomon<Field>> make(size_t n, size_t m) const {
+    return std::make_unique<LCH14ReedSolomon<Field>>(n, m, f_);
+  }
+
+ private:
+  const Field& f_;
+};
+
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_GF2K_LCH14_REED_SOLOMON_H_

data/vendor/longfellow-zk/lib/gf2k/lch14_reed_solomon_test.cc

@@ -0,0 +1,110 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "gf2k/lch14_reed_solomon.h"
+
+#include <cstddef>
+#include <vector>
+
+#include "algebra/bogorng.h"
+#include "gf2k/gf2_128.h"
+#include "benchmark/benchmark.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+using Field = GF2_128<5>;
+using Elt = Field::Elt;
+static const Field F;
+
+// slow evaluation in the monomial basis
+static Elt eval_monomial(size_t n, const Elt M[/*n*/], const Elt& x) {
+  Elt e{};
+
+  for (size_t i = n; i-- > 0;) {
+    e = F.addf(M[i], F.mulf(e, x));
+  }
+  return e;
+}
+
+TEST(LCH14, ReedSolomon) {
+  std::vector<size_t> test_m = {1, 7, 8, 9, 63, 64, 65, 99, 128};
+  LCH14ReedSolomonFactory<Field> rs_factory(F);
+
+  for (size_t m : test_m) {
+    for (size_t n = 1; n < m; ++n) {
+      auto rs = rs_factory.make(n, m);
+      std::vector<Elt> M(n);  // monomial basis
+      std::vector<Elt> Y(m);
+
+      for (size_t i = 0; i < n; ++i) {
+        M[i] = F.of_scalar(i * i + 42 + (m + 11) * (n + 22));
+      }
+
+      // produce N points
+      for (size_t i = 0; i < n; ++i) {
+        Y[i] = eval_monomial(n, &M[0], F.of_scalar(i));
+      }
+
+      rs->interpolate(&Y[0]);
+
+      for (size_t i = 0; i < m; ++i) {
+        EXPECT_EQ(Y[i], eval_monomial(n, &M[0], F.of_scalar(i)));
+      }
+    }
+  }
+}
+}  // namespace
+
+namespace bench {
+void BM_ReedSolomon_gf128(benchmark::State& state) {
+  size_t n = state.range(0);
+  if (4 * n < 1 << 16) {
+    using Field = GF2_128<4>;
+    using Elt = Field::Elt;
+    static const Field F;
+    LCH14ReedSolomonFactory<Field> rs_factory(F);
+    Bogorng<Field> rng(&F);
+    auto rs = rs_factory.make(n, n * 4);
+
+    std::vector<Elt> L2(n + n * 4);
+    for (size_t i = 0; i < n; ++i) {
+      L2[i] = rng.next();
+    }
+    for (auto _ : state) {
+      rs->interpolate(&L2[0]);
+    }
+  } else {
+    using Field = GF2_128<5>;
+    using Elt = Field::Elt;
+    static const Field F;
+    LCH14ReedSolomonFactory<Field> rs_factory(F);
+    Bogorng<Field> rng(&F);
+    auto rs = rs_factory.make(n, n * 4);
+
+    std::vector<Elt> L2(n + n * 4);
+    for (size_t i = 0; i < n; ++i) {
+      L2[i] = rng.next();
+    }
+    for (auto _ : state) {
+      rs->interpolate(&L2[0]);
+    }
+  }
+}
+
+BENCHMARK(BM_ReedSolomon_gf128)->RangeMultiplier(4)->Range(1 << 10, 1 << 20);
+
+}  // namespace bench
+}  // namespace proofs