TY - GEN
T1 - Elliptic Curve Fast Fourier Transform (ECFFT) Part I
T2 - 34th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2023
AU - Ben-Sasson, Eli
AU - Carmon, Dan
AU - Kopparty, Swastik
AU - Levit, David
N1 - Publisher Copyright:
Copyright © 2023 by SIAM.
PY - 2023
Y1 - 2023
N2 - Given disjoint sets S, S′ ⊆ F_q of size n and a function f : S → F_q, where F_q is a finite field, the low-degree extension (LDE) of f to S′ is the function f′ : S′ → F_q obtained by restricting the interpolating polynomial of f to S′. LDE computation is a fundamental primitive of modern algebraic coding theory and cryptography. The best asymptotic running time for LDE with parameter n is O(n log n) arithmetic operations over F_q, when q and the sets S, S′ are special. This running time is achieved via the Fast Fourier Transform (FFT), and requires F_q to contain a multiplicative subgroup of smooth order ≥ n (smoothness means being the product of small primes). Another variant uses an additive subgroup of smooth order ≥ n. Most finite fields do not contain such a subgroup, which raises the question of computing the LDE in time O(n · log n) over general finite fields, for some disjoint pair of sets S, S′ of size n. The main result of this paper is a positive answer to this question, presenting O(n log n)-time LDE for special S, S′ shown to exist over all fields, as long as q = Ω(n^2). This result is achieved by introducing a new FFT-like transform, the Elliptic Curve Fast Fourier Transform (ECFFT), which gives an approach to fast algorithms (using preprocessing) for polynomial operations over all large finite fields. The key idea is to replace the group of roots of unity with a set of points L ⊂ F_q suitably related to a well-chosen elliptic curve group over F_q (the set L itself is not a group). The key advantage of this approach is that elliptic curve groups can be of any size in the Hasse-Weil interval [q + 1 ± 2√q] and thus can have subgroups of large, smooth order, which an FFT-like divide-and-conquer algorithm can exploit. Compare this with multiplicative subgroups over F_q, whose order must divide q - 1.
By analogy, our method extends the standard, multiplicative FFT in a similar way to how Lenstra's elliptic curve method [Len87] extended Pollard's p - 1 algorithm [Pol74] for factoring integers. Representing polynomials by their evaluation over (well-chosen) subsets of L, we use the ECFFT to compute the LDE in time O(n log n). We also give small arithmetic circuits for polynomial multiplication, division, degree computation, interpolation, evaluation and Reed-Solomon encoding (also known as low-degree extension) with fixed evaluation points, matching the circuit size of classical FFT-based algorithms when the field size q is special. For the classical problems (in the standard representation) of low-degree extension with chosen evaluation points, and of evaluating elementary symmetric polynomials, this yields the asymptotically smallest known arithmetic circuits. The efficiency of the classical FFT follows from using the 2-to-1 squaring map to reduce the evaluation set of roots of unity of order 2^k to similar groups of size 2^(k-i), i > 0. Our algorithms operate similarly, using isogenies of elliptic curves with kernel size 2 as 2-to-1 maps to reduce L of size 2^k to sets of size 2^(k-i) that are, like L, suitably related to elliptic curves, albeit different ones.
UR - http://www.scopus.com/inward/record.url?scp=85160313112&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85160313112
T3 - Proceedings of the Annual ACM-SIAM Symposium on Discrete Algorithms
SP - 700
EP - 737
BT - 34th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2023
PB - Association for Computing Machinery
Y2 - 22 January 2023 through 25 January 2023
ER -