feat: refactor and add new lagrange polynomial primitives

mratsim · Jun 10, 2024 · 73b2b8a · 73b2b8a
1 parent 9b7bc95
commit 73b2b8a
Show file tree

Hide file tree

Showing 7 changed files with 343 additions and 100 deletions.
diff --git a/constantine/commitments/kzg_polynomial_commitments.nim b/constantine/commitments/kzg_polynomial_commitments.nim
@@ -193,7 +193,7 @@ func kzg_prove*[N: static int, C: static Curve](
 
   # Note:
   #   The order of inputs in
-  #  `kzg_prove`, `evalPolyAt`, `differenceQuotientEvalOffDomain`, `differenceQuotientEvalInDomain`
+  #  `kzg_prove`, `evalPolyOffDomainAt`, `differenceQuotientEvalOffDomain`, `differenceQuotientEvalInDomain`
   #  minimizes register changes when parameter passing.
   #
   # z = challenge in the following code
@@ -203,13 +203,14 @@ func kzg_prove*[N: static int, C: static Curve](
 
   # Compute 1/(ωⁱ - z) with ω a root of unity, i in [0, N).
   # zIndex = i if ωⁱ - z == 0 (it is the i-th root of unity) and -1 otherwise.
-  let zIndex = invRootsMinusZ[].inverseRootsMinusZ_vartime(
-                                  domain, challenge,
+  let zIndex = invRootsMinusZ[].inverseDifferenceArrayZ(
+                                  domain.rootsOfUnity, challenge,
+                                  differenceKind = kArrayMinusZ,
                                   earlyReturnOnZero = false)
 
   if zIndex == -1:
     # p(z)
-    eval_at_challenge.evalPolyAt(
+    eval_at_challenge.evalPolyOffDomainAt(
       poly, challenge,
       invRootsMinusZ[],
       domain)

diff --git a/constantine/commitments/kzg_polynomial_commitments_parallel.nim b/constantine/commitments/kzg_polynomial_commitments_parallel.nim
@@ -58,7 +58,7 @@ proc kzg_prove_parallel*[N: static int, C: static Curve](
   ## Parallelism: This only returns when computation is fully done
   # Note:
   #   The order of inputs in
-  #  `kzg_prove`, `evalPolyAt`, `differenceQuotientEvalOffDomain`, `differenceQuotientEvalInDomain`
+  #  `kzg_prove`, `evalPolyOffDomainAt`, `differenceQuotientEvalOffDomain`, `differenceQuotientEvalInDomain`
   #  minimizes register changes when parameter passing.
   #
   # z = challenge in the following code
@@ -68,13 +68,14 @@ proc kzg_prove_parallel*[N: static int, C: static Curve](
 
   # Compute 1/(ωⁱ - z) with ω a root of unity, i in [0, N).
   # zIndex = i if ωⁱ - z == 0 (it is the i-th root of unity) and -1 otherwise.
-  let zIndex = invRootsMinusZ[].inverseRootsMinusZ_vartime(
-                                  domain[], challenge[],
+  let zIndex = invRootsMinusZ[].inverseDifferenceArrayZ(
+                                  domain.rootsOfUnity, challenge[],
+                                  differenceKind = kArrayMinusZ,
                                   earlyReturnOnZero = false)
 
   if zIndex == -1:
     # p(z)
-    tp.evalPolyAt_parallel(
+    tp.evalPolyOffDomainAt_parallel(
       eval_at_challenge,
       poly, challenge,
       invRootsMinusZ,

diff --git a/constantine/ethereum_eip4844_kzg.nim b/constantine/ethereum_eip4844_kzg.nim
@@ -448,14 +448,15 @@ func verify_blob_kzg_proof*(
     # ------------------------------
     # 1. Compute 1/(ωⁱ - z) with ω a root of unity, i in [0, N).
     #    zIndex = i if ωⁱ - z == 0 (it is the i-th root of unity) and -1 otherwise.
-    let zIndex = invRootsMinusZ[].inverseRootsMinusZ_vartime(
-                                    ctx.domain, challengeFr,
+    let zIndex = invRootsMinusZ[].inverseDifferenceArrayZ(
+                                    ctx.domain.rootsOfUnity, challengeFr,
+                                    differenceKind = kArrayMinusZ,
                                     earlyReturnOnZero = true)
 
     # 2. Actual evaluation
     if zIndex == -1:
       var eval_at_challenge_fr{.noInit.}: Fr[BLS12_381]
-      eval_at_challenge_fr.evalPolyAt(
+      eval_at_challenge_fr.evalPolyOffDomainAt(
         poly[], challengeFr,
         invRootsMinusZ[],
         ctx.domain)
@@ -520,13 +521,14 @@ func verify_blob_kzg_proof_batch*(
       # ------------------------------
       # 1. Compute 1/(ωⁱ - z) with ω a root of unity, i in [0, N).
       #    zIndex = i if ωⁱ - z == 0 (it is the i-th root of unity) and -1 otherwise.
-      let zIndex = invRootsMinusZ[].inverseRootsMinusZ_vartime(
-                                      ctx.domain, challenges[i],
+      let zIndex = invRootsMinusZ[].inverseDifferenceArrayZ(
+                                      ctx.domain.rootsOfUnity, challenges[i],
+                                      differenceKind = kArrayMinusZ,
                                       earlyReturnOnZero = true)
       # 2. Actual evaluation
       if zIndex == -1:
         var eval_at_challenge_fr{.noInit.}: Fr[BLS12_381]
-        eval_at_challenge_fr.evalPolyAt(
+        eval_at_challenge_fr.evalPolyOffDomainAt(
           poly[], challenges[i],
           invRootsMinusZ[],
           ctx.domain)

diff --git a/constantine/ethereum_eip4844_kzg_parallel.nim b/constantine/ethereum_eip4844_kzg_parallel.nim
@@ -281,8 +281,9 @@ proc verify_blob_kzg_proof_parallel*(
     # ------------------------------
     # 1. Compute 1/(ωⁱ - z) with ω a root of unity, i in [0, N).
     #    zIndex = i if ωⁱ - z == 0 (it is the i-th root of unity) and -1 otherwise.
-    let zIndex = invRootsMinusZ[].inverseRootsMinusZ_vartime(
-                                    ctx.domain, challengeFr,
+    let zIndex = invRootsMinusZ[].inverseDifferenceArrayZ(
+                                    ctx.domain.rootsOfUnity, challengeFr,
+                                    differenceKind = kArrayMinusZ,
                                     earlyReturnOnZero = true)
 
     # Await conversion to field polynomial
@@ -291,7 +292,7 @@ proc verify_blob_kzg_proof_parallel*(
     # 2. Actual evaluation
     if zIndex == -1:
       var eval_at_challenge_fr{.noInit.}: Fr[BLS12_381]
-      tp.evalPolyAt_parallel(
+      tp.evalPolyOffDomainAt_parallel(
         eval_at_challenge_fr,
         poly, challengeFr.addr,
         invRootsMinusZ,
@@ -377,13 +378,14 @@ proc verify_blob_kzg_proof_batch_parallel*(
           # ------------------------------
           # 1. Compute 1/(ωⁱ - z) with ω a root of unity, i in [0, N).
           #    zIndex = i if ωⁱ - z == 0 (it is the i-th root of unity) and -1 otherwise.
-          let zIndex = invRootsMinusZs[i].inverseRootsMinusZ_vartime(
-                                          ctx.domain, challenges[i],
+          let zIndex = invRootsMinusZs[i].inverseDifferenceArrayZ(
+                                          ctx.domain.rootsOfUnity, challenges[i],
+                                          differenceKind = kArrayMinusZ,
                                           earlyReturnOnZero = true)
           # 2. Actual evaluation
           if zIndex == -1:
             var eval_at_challenge_fr{.noInit.}: Fr[BLS12_381]
-            tp.evalPolyAt_parallel(
+            tp.evalPolyOffDomainAt_parallel(
               eval_at_challenge_fr,
               polys[i].addr, challenges[i].addr,
               invRootsMinusZs[i].addr,

diff --git a/constantine/math/polynomials/README.md b/constantine/math/polynomials/README.md
@@ -0,0 +1,10 @@
+# Polynomials
+
+This implements primitives to work with polynomials
+in coefficient form and in Lagrange form.
+
+No currently implemented protocol requires constant-time operations or use a secret key with polynomials.
+Hence the _vartime suffix is not used even for vartime operations.
+
+This will be revisited when secret polynomials are needed
+for example for Shamir Secret Sharing or hiding polynomials in ZK proof systems.