plonky2/src/field/field.rs

use std::fmt::{Debug, Display};
use std::hash::Hash;
use std::iter::{Product, Sum};
use std::ops::{Add, AddAssign, Div, DivAssign, Mul, MulAssign, Neg, Sub, SubAssign};

use rand::rngs::OsRng;
use rand::Rng;

use crate::util::bits_u64;

/// A finite field with prime order less than 2^64.
pub trait Field:
    'static
    + Copy
    + Eq
    + Hash
    + Neg<Output = Self>
    + Add<Self, Output = Self>
    + AddAssign<Self>
    + Sum
    + Sub<Self, Output = Self>
    + SubAssign<Self>
    + Mul<Self, Output = Self>
    + MulAssign<Self>
    + Product
    + Div<Self, Output = Self>
    + DivAssign<Self>
    + Debug
    + Display
    + Send
    + Sync
{
    const ZERO: Self;
    const ONE: Self;
    const TWO: Self;
    const NEG_ONE: Self;

    const ORDER: u64;
    const TWO_ADICITY: usize;

    /// Generator of the entire multiplicative group, i.e. all non-zero elements.
    const MULTIPLICATIVE_GROUP_GENERATOR: Self;
    /// Generator of a multiplicative subgroup of order `2^TWO_ADICITY`.
    const POWER_OF_TWO_GENERATOR: Self;

    fn is_zero(&self) -> bool {
        *self == Self::ZERO
    }

    fn is_nonzero(&self) -> bool {
        *self != Self::ZERO
    }

    fn is_one(&self) -> bool {
        *self == Self::ONE
    }

    fn square(&self) -> Self {
        *self * *self
    }

    fn cube(&self) -> Self {
        *self * *self * *self
    }

    /// Compute the multiplicative inverse of this field element.
    fn try_inverse(&self) -> Option<Self>;

    fn inverse(&self) -> Self {
        self.try_inverse().expect("Tried to invert zero")
    }

    fn batch_multiplicative_inverse(x: &[Self]) -> Vec<Self> {
        // This is Montgomery's trick. At a high level, we invert the product of the given field
        // elements, then derive the individual inverses from that via multiplication.

        let n = x.len();
        if n == 0 {
            return Vec::new();
        }

        let mut a = Vec::with_capacity(n);
        a.push(x[0]);
        for i in 1..n {
            a.push(a[i - 1] * x[i]);
        }

        let mut a_inv = vec![Self::ZERO; n];
        a_inv[n - 1] = a[n - 1].try_inverse().expect("No inverse");
        for i in (0..n - 1).rev() {
            a_inv[i] = x[i + 1] * a_inv[i + 1];
        }

        let mut x_inv = Vec::with_capacity(n);
        x_inv.push(a_inv[0]);
        for i in 1..n {
            x_inv.push(a[i - 1] * a_inv[i]);
        }
        x_inv
    }

    fn primitive_root_of_unity(n_log: usize) -> Self {
        assert!(n_log <= Self::TWO_ADICITY);
        let base = Self::POWER_OF_TWO_GENERATOR;
        // TODO: Just repeated squaring should be a bit faster, to avoid conditionals.
        base.exp(Self::from_canonical_u64(
            1u64 << (Self::TWO_ADICITY - n_log),
        ))
    }

    /// Computes a multiplicative subgroup whose order is known in advance.
    fn cyclic_subgroup_known_order(generator: Self, order: usize) -> Vec<Self> {
        let mut subgroup = Vec::with_capacity(order);
        let mut current = Self::ONE;
        for _i in 0..order {
            subgroup.push(current);
            current *= generator;
        }
        subgroup
    }

    fn cyclic_subgroup_unknown_order(generator: Self) -> Vec<Self> {
        let mut subgroup = Vec::new();
        for power in generator.powers() {
            if power.is_one() && !subgroup.is_empty() {
                break;
            }
            subgroup.push(power);
        }
        subgroup
    }

    fn generator_order(generator: Self) -> usize {
        generator.powers().skip(1).position(|y| y.is_one()).unwrap() + 1
    }

    /// Computes a coset of a multiplicative subgroup whose order is known in advance.
    fn cyclic_subgroup_coset_known_order(generator: Self, shift: Self, order: usize) -> Vec<Self> {
        let subgroup = Self::cyclic_subgroup_known_order(generator, order);
        subgroup.into_iter().map(|x| x * shift).collect()
    }

    fn to_canonical_u64(&self) -> u64;

    fn from_canonical_u64(n: u64) -> Self;

    fn from_canonical_usize(n: usize) -> Self {
        Self::from_canonical_u64(n as u64)
    }

    fn bits(&self) -> usize {
        bits_u64(self.to_canonical_u64())
    }

    fn exp(&self, power: Self) -> Self {
        let mut current = *self;
        let mut product = Self::ONE;

        for j in 0..power.bits() {
            if (power.to_canonical_u64() >> j & 1) != 0 {
                product *= current;
            }
            current = current.square();
        }
        product
    }

    fn exp_usize(&self, power: usize) -> Self {
        self.exp(Self::from_canonical_usize(power))
    }

    fn kth_root(&self, k: usize) -> Self {
        let p_minus_1 = Self::ORDER - 1;
        debug_assert!(p_minus_1 % k as u64 != 0, "Not a permutation in this field");
        todo!()
    }

    fn cube_root(&self) -> Self {
        self.kth_root(3)
    }

    fn powers(&self) -> Powers<Self> {
        Powers {
            base: *self,
            current: Self::ONE,
        }
    }

    fn rand_from_rng<R: Rng>(rng: &mut R) -> Self {
        Self::from_canonical_u64(rng.gen_range(0, Self::ORDER))
    }

    fn rand() -> Self {
        Self::rand_from_rng(&mut OsRng)
    }
}

/// An iterator over the powers of a certain base element `b`: `b^0, b^1, b^2, ...`.
pub struct Powers<F: Field> {
    base: F,
    current: F,
}

impl<F: Field> Iterator for Powers<F> {
    type Item = F;

    fn next(&mut self) -> Option<F> {
        let result = self.current;
        self.current *= self.base;
        Some(result)
    }
}
Progress on FRI 2021-04-21 22:31:45 +02:00			`use std::fmt::{Debug, Display};`
Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			`use std::hash::Hash;`
Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`use std::iter::{Product, Sum};`
Progress on FRI 2021-04-21 22:31:45 +02:00			`use std::ops::{Add, AddAssign, Div, DivAssign, Mul, MulAssign, Neg, Sub, SubAssign};`
Initial commit 2021-02-09 21:25:21 -08:00
Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`use rand::rngs::OsRng;`
			`use rand::Rng;`

			`use crate::util::bits_u64;`

Initial commit 2021-02-09 21:25:21 -08:00			`/// A finite field with prime order less than 2^64.`
Progress on FRI 2021-04-21 22:31:45 +02:00			`pub trait Field:`
			`'static`
			`+ Copy`
			`+ Eq`
			`+ Hash`
			`+ Neg<Output = Self>`
			`+ Add<Self, Output = Self>`
			`+ AddAssign<Self>`
Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`+ Sum`
Progress on FRI 2021-04-21 22:31:45 +02:00			`+ Sub<Self, Output = Self>`
			`+ SubAssign<Self>`
			`+ Mul<Self, Output = Self>`
			`+ MulAssign<Self>`
Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`+ Product`
Progress on FRI 2021-04-21 22:31:45 +02:00			`+ Div<Self, Output = Self>`
			`+ DivAssign<Self>`
			`+ Debug`
			`+ Display`
			`+ Send`
			`+ Sync`
			`{`
Initial commit 2021-02-09 21:25:21 -08:00			`const ZERO: Self;`
			`const ONE: Self;`
Gate infra 2021-02-26 13:18:41 -08:00			`const TWO: Self;`
Initial commit 2021-02-09 21:25:21 -08:00			`const NEG_ONE: Self;`

Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`const ORDER: u64;`
Move some stuff into Field 2021-04-02 19:04:26 -07:00			`const TWO_ADICITY: usize;`

			`/// Generator of the entire multiplicative group, i.e. all non-zero elements.`
			`const MULTIPLICATIVE_GROUP_GENERATOR: Self;`
			/// Generator of a multiplicative subgroup of order `2^TWO_ADICITY`.
			`const POWER_OF_TWO_GENERATOR: Self;`
Refactor polynomial code 2021-03-30 13:30:31 -07:00
Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`fn is_zero(&self) -> bool {`
			`*self == Self::ZERO`
			`}`

Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`fn is_nonzero(&self) -> bool {`
			`*self != Self::ZERO`
			`}`

Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`fn is_one(&self) -> bool {`
			`*self == Self::ONE`
			`}`

More tests, ported from plonky1 2021-04-02 17:49:51 -07:00			`fn square(&self) -> Self {`
Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`self *self`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00
Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`fn cube(&self) -> Self {`
			`self self *self`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00
			`/// Compute the multiplicative inverse of this field element.`
Add some FRI params & clean up FFT a bit 2021-02-17 22:19:18 -08:00			`fn try_inverse(&self) -> Option<Self>;`

			`fn inverse(&self) -> Self {`
			`self.try_inverse().expect("Tried to invert zero")`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00
Refactor polynomial code 2021-03-30 13:30:31 -07:00			`fn batch_multiplicative_inverse(x: &[Self]) -> Vec<Self> {`
			`// This is Montgomery's trick. At a high level, we invert the product of the given field`
			`// elements, then derive the individual inverses from that via multiplication.`

			`let n = x.len();`
			`if n == 0 {`
			`return Vec::new();`
			`}`

			`let mut a = Vec::with_capacity(n);`
			`a.push(x[0]);`
			`for i in 1..n {`
			`a.push(a[i - 1] * x[i]);`
			`}`

			`let mut a_inv = vec![Self::ZERO; n];`
			`a_inv[n - 1] = a[n - 1].try_inverse().expect("No inverse");`
			`for i in (0..n - 1).rev() {`
			`a_inv[i] = x[i + 1] * a_inv[i + 1];`
			`}`

			`let mut x_inv = Vec::with_capacity(n);`
			`x_inv.push(a_inv[0]);`
			`for i in 1..n {`
			`x_inv.push(a[i - 1] * a_inv[i]);`
			`}`
			`x_inv`
			`}`

Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`fn primitive_root_of_unity(n_log: usize) -> Self {`
			`assert!(n_log <= Self::TWO_ADICITY);`
Move some stuff into Field 2021-04-02 19:04:26 -07:00			`let base = Self::POWER_OF_TWO_GENERATOR;`
Simplify as per William's comment 2021-04-04 15:26:38 -07:00			`// TODO: Just repeated squaring should be a bit faster, to avoid conditionals.`
Progress on FRI 2021-04-21 22:31:45 +02:00			`base.exp(Self::from_canonical_u64(`
Interpolants of arbitrary (point, value) lists Closes #10. This combines Lagrange interpolation with FFTs as mentioned there. I was previously thinking that all our polynomial encodings might as well just use power-of-two length vectors, so they'll be "FFT-ready", with no need to trim/pad. This sort of breaks that assumption though, as e.g. I think we'll want to compute interpolants with three coefficients in the batch opening argument. I think we can still skip trimming/padding in most cases, since it the majority of our polynomials will have power-of-two-minus-1 degrees with high probability. But we'll now have one or two uses where that's not the case. 2021-04-23 10:26:57 -07:00			`1u64 << (Self::TWO_ADICITY - n_log),`
Progress on FRI 2021-04-21 22:31:45 +02:00			`))`
Move some stuff into Field 2021-04-02 19:04:26 -07:00			`}`
Initial commit 2021-02-09 21:25:21 -08:00
Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			`/// Computes a multiplicative subgroup whose order is known in advance.`
Move some stuff into Field 2021-04-02 19:04:26 -07:00			`fn cyclic_subgroup_known_order(generator: Self, order: usize) -> Vec<Self> {`
Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			`let mut subgroup = Vec::with_capacity(order);`
Move some stuff into Field 2021-04-02 19:04:26 -07:00			`let mut current = Self::ONE;`
			`for _i in 0..order {`
			`subgroup.push(current);`
Address some clippy warnings 2021-04-23 12:35:19 -07:00			`current *= generator;`
Move some stuff into Field 2021-04-02 19:04:26 -07:00			`}`
			`subgroup`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00
A few more tests, ported (with some adaptations) from plonky1 2021-04-22 21:12:34 -07:00			`fn cyclic_subgroup_unknown_order(generator: Self) -> Vec<Self> {`
			`let mut subgroup = Vec::new();`
			`for power in generator.powers() {`
			`if power.is_one() && !subgroup.is_empty() {`
			`break;`
			`}`
			`subgroup.push(power);`
			`}`
			`subgroup`
			`}`

			`fn generator_order(generator: Self) -> usize {`
Better generator_order per William's comment 2021-04-22 23:59:37 -07:00			`generator.powers().skip(1).position(\|y\| y.is_one()).unwrap() + 1`
A few more tests, ported (with some adaptations) from plonky1 2021-04-22 21:12:34 -07:00			`}`

Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			`/// Computes a coset of a multiplicative subgroup whose order is known in advance.`
			`fn cyclic_subgroup_coset_known_order(generator: Self, shift: Self, order: usize) -> Vec<Self> {`
			`let subgroup = Self::cyclic_subgroup_known_order(generator, order);`
Progress on FRI 2021-04-21 22:31:45 +02:00			`subgroup.into_iter().map(\|x\| x * shift).collect()`
Validate that the cosets for Plonk's permutation argument are disjoint When we had a large field, we could just pick random shifts, and get disjoint cosets with high probability. With a 64-bit field, I think the probability of a collision is non-negligible (something like 1 in a million), so we should probably verify that the cosets are disjoint. If there are any concerns with this method (or if it's just confusing), I think it would also be reasonable to use the brute force approach of explicitly computing the cosets and checking that they're disjoint. I coded that as well, and it took like 80ms, so not really a big deal since it's a one-time preprocessing cost. Also fixes some overflow bugs in the inversion code. 2021-04-04 11:35:58 -07:00			`}`

Initial commit 2021-02-09 21:25:21 -08:00			`fn to_canonical_u64(&self) -> u64;`

			`fn from_canonical_u64(n: u64) -> Self;`

			`fn from_canonical_usize(n: usize) -> Self {`
			`Self::from_canonical_u64(n as u64)`
			`}`

			`fn bits(&self) -> usize {`
More tests, ported from plonky1 2021-04-02 17:49:51 -07:00			`bits_u64(self.to_canonical_u64())`
Initial commit 2021-02-09 21:25:21 -08:00			`}`

			`fn exp(&self, power: Self) -> Self {`
			`let mut current = *self;`
			`let mut product = Self::ONE;`

			`for j in 0..power.bits() {`
			`if (power.to_canonical_u64() >> j & 1) != 0 {`
Address some clippy warnings 2021-04-23 12:35:19 -07:00			`product *= current;`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
More tests, ported from plonky1 2021-04-02 17:49:51 -07:00			`current = current.square();`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
			`product`
			`}`

			`fn exp_usize(&self, power: usize) -> Self {`
			`self.exp(Self::from_canonical_usize(power))`
			`}`
Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00
Make Rescue a bit faster ... by switching to Rescue Prime (which has a smaller security margin), and precomputing an addition chain for the exponent used in the cubic root calculation. Also adds a benchmark. 2021-04-10 14:52:34 -07:00			`fn kth_root(&self, k: usize) -> Self {`
			`let p_minus_1 = Self::ORDER - 1;`
			`debug_assert!(p_minus_1 % k as u64 != 0, "Not a permutation in this field");`
			`todo!()`
			`}`

			`fn cube_root(&self) -> Self {`
			`self.kth_root(3)`
			`}`

Avoid separate exp calls 2021-04-05 11:39:16 -07:00			`fn powers(&self) -> Powers<Self> {`
Progress on FRI 2021-04-21 22:31:45 +02:00			`Powers {`
			`base: *self,`
			`current: Self::ONE,`
			`}`
Avoid separate exp calls 2021-04-05 11:39:16 -07:00			`}`

Add Z terms in vanishing poly 2021-03-30 23:12:47 -07:00			`fn rand_from_rng<R: Rng>(rng: &mut R) -> Self {`
			`Self::from_canonical_u64(rng.gen_range(0, Self::ORDER))`
			`}`
Minor 2021-04-02 14:00:26 -07:00
			`fn rand() -> Self {`
			`Self::rand_from_rng(&mut OsRng)`
			`}`
Initial commit 2021-02-09 21:25:21 -08:00			`}`
Avoid separate exp calls 2021-04-05 11:39:16 -07:00
			/// An iterator over the powers of a certain base element `b`: `b^0, b^1, b^2, ...`.
			`pub struct Powers<F: Field> {`
			`base: F,`
			`current: F,`
			`}`

			`impl<F: Field> Iterator for Powers<F> {`
			`type Item = F;`

			`fn next(&mut self) -> Option<F> {`
			`let result = self.current;`
			`self.current *= self.base;`
			`Some(result)`
			`}`
			`}`