Faster polynomial evaluation in Lagrange basis with rhizomes algorithm.

Faster polynomial evaluation on flp.Query.
Polynomials are directly evaluated in the Lagrange basis.
Uses the batched algorithm from the rhizomes paper (https://ia.cr/2025/1727).

Author: armfazh

src/field.rs

@@ -109,6 +109,9 @@ pub trait FieldElement:
     /// Modular inversion, i.e., `self^-1 (mod p)`. If `self` is 0, then the output is undefined.
     fn inv(&self) -> Self;
 
+    /// Returns 1/2.
+    fn half() -> Self;
+
     /// Interprets the next [`Self::ENCODED_SIZE`] bytes from the input slice as an element of the
     /// field. Any of the most significant bits beyond the bit length of the modulus will be
     /// cleared, in order to minimize the amount of rejection sampling needed.
@@ -740,6 +743,10 @@ macro_rules! make_field {
             fn one() -> Self {
                 Self($fp::ROOTS[0])
             }
+
+            fn half() -> Self {
+                Self($fp::HALF)
+            }
         }
 
         impl FieldElementWithInteger for $elem {
@@ -1001,6 +1008,7 @@ pub(crate) mod test_utils {
         let int_one = F::TestInteger::try_from(1).unwrap();
         let zero = F::zero();
         let one = F::one();
+        let half = F::half();
         let two = F::from(F::TestInteger::try_from(2).unwrap());
         let four = F::from(F::TestInteger::try_from(4).unwrap());
 
@@ -1045,6 +1053,7 @@ pub(crate) mod test_utils {
         // mul
         assert_eq!(two * two, four);
         assert_eq!(two * one, two);
+        assert_eq!(two * half, one);
         assert_eq!(two * zero, zero);
         assert_eq!(one * F::from(int_modulus.clone()), zero);
 

src/field/field255.rs

@@ -309,6 +309,16 @@ impl FieldElement for Field255 {
     fn one() -> Self {
         Field255(fiat_25519_tight_field_element([1, 0, 0, 0, 0]))
     }
+
+    fn half() -> Self {
+        Field255(fiat_25519_tight_field_element([
+            2251799813685239,
+            2251799813685247,
+            2251799813685247,
+            2251799813685247,
+            1125899906842623,
+        ]))
+    }
 }
 
 impl Default for Field255 {

src/flp.rs

@@ -51,7 +51,7 @@ use crate::dp::DifferentialPrivacyStrategy;
 use crate::field::{FieldElement, FieldElementWithInteger, FieldError, NttFriendlyFieldElement};
 use crate::fp::log2;
 use crate::ntt::{ntt, ntt_inv_finish, NttError};
-use crate::polynomial::poly_eval;
+use crate::polynomial::{nth_root_powers, poly_eval, poly_eval_batched};
 use std::any::Any;
 use std::convert::TryFrom;
 use std::fmt::Debug;
@@ -466,16 +466,13 @@ pub trait Flp: Sized + Eq + Clone + Debug {
             // Reconstruct the wire polynomials `f[0], ..., f[g_arity-1]` and evaluate each wire
             // polynomial at query randomness value.
             let m = (1 + gadget.calls()).next_power_of_two();
-            let m_inv = Self::Field::from(
-                <Self::Field as FieldElementWithInteger>::Integer::try_from(m).unwrap(),
-            )
-            .inv();
-            let mut f = vec![Self::Field::zero(); m];
-            for wire in 0..gadget.arity() {
-                ntt(&mut f, &gadget.f_vals[wire], m)?;
-                ntt_inv_finish(&mut f, m, m_inv);
-                verifier.push(poly_eval(&f, *query_rand_val));
-            }
+
+            // Evaluates a batch of polynomials in the Lagrange basis.
+            // This avoids using NTTs to convert them to the monomial basis.
+            let roots = nth_root_powers(m);
+            let polynomials = &gadget.f_vals[..gadget.arity()];
+            let mut evals = poly_eval_batched(polynomials, &roots, *query_rand_val);
+            verifier.append(&mut evals);
 
             // Add the value of the gadget polynomial evaluated at the query randomness value.
             verifier.push(gadget.p_at_r);

src/fp.rs

@@ -30,6 +30,7 @@ impl FieldParameters<u32> for FP32 {
         1534972560, 3732920810, 3229320047, 2836564014, 2170197442, 3760663902, 2144268387,
         3849278021, 1395394315, 574397626, 125025876, 3755041587, 2680072542, 3903828692,
     ];
+    const HALF: u32 = 2147483648;
     #[cfg(test)]
     const LOG2_BASE: usize = 32;
     #[cfg(test)]
@@ -72,6 +73,7 @@ impl FieldParameters<u64> for FP64 {
         10135969988448727187,
         6815045114074884550,
     ];
+    const HALF: u64 = 9223372036854775808;
     #[cfg(test)]
     const LOG2_BASE: usize = 64;
     #[cfg(test)]
@@ -114,6 +116,7 @@ impl FieldParameters<u128> for FP128 {
         258279638927684931537542082169183965856,
         148221243758794364405224645520862378432,
     ];
+    const HALF: u128 = 170141183460469231731687303715884105728;
     #[cfg(test)]
     const LOG2_BASE: usize = 64;
     #[cfg(test)]

src/fp/ops.rs

@@ -64,6 +64,8 @@ pub trait FieldParameters<W: Word> {
     /// `ROOTS[l]` has order `2^l` in the multiplicative group.
     /// `ROOTS[0]` is equal to one by definition.
     const ROOTS: [W; MAX_ROOTS + 1];
+    /// The multiplicative inverse of 2.
+    const HALF: W;
     /// The log2(base) for the base used for multiprecision arithmetic.
     /// So, `LOG2_BASE ≤ 64` as processors have at most a 64-bit
     /// integer multiplier.

src/polynomial.rs

@@ -3,9 +3,12 @@
 
 //! Functions for polynomial interpolation and evaluation
 
-use crate::field::NttFriendlyFieldElement;
 #[cfg(all(feature = "crypto-dependencies", feature = "experimental"))]
 use crate::ntt::{ntt, ntt_inv_finish};
+use crate::{
+    field::{FieldElement, NttFriendlyFieldElement},
+    fp::log2,
+};
 
 use std::convert::TryFrom;
 
@@ -60,6 +63,90 @@ pub fn poly_interpret_eval<F: NttFriendlyFieldElement>(
     poly_eval(&tmp_coeffs[..points.len()], eval_at)
 }
 
+/// Returns the element `1/n` on `F`, where `n` must be a power of two.
+#[inline]
+fn inv_pow2<F: FieldElement>(n: usize) -> F {
+    let log2_n = usize::try_from(log2(n as u128)).unwrap();
+    assert_eq!(n, 1 << log2_n);
+
+    let half = F::half();
+    let mut x = F::one();
+    for _ in 0..log2_n {
+        x *= half
+    }
+    x
+}
+
+/// Evaluates multiple polynomials given in the Lagrange basis.
+///
+/// This is Algorithm 7 of rhizomes paper.
+/// <https://eprint.iacr.org/2025/1727>.
+pub(crate) fn poly_eval_batched<F: FieldElement>(
+    polynomials: &[Vec<F>],
+    roots: &[F],
+    x: F,
+) -> Vec<F> {
+    let mut l = F::one();
+    let mut u = Vec::with_capacity(polynomials.len());
+    u.extend(polynomials.iter().map(|poly| poly[0]));
+    let mut d = roots[0] - x;
+    for (i, wn_i) in (1..).zip(&roots[1..]) {
+        l *= d;
+        d = *wn_i - x;
+        let t = l * *wn_i;
+        for (u_j, poly) in u.iter_mut().zip(polynomials) {
+            *u_j *= d;
+            if let Some(yi) = poly.get(i) {
+                *u_j += t * *yi;
+            }
+        }
+    }
+
+    if roots.len() > 1 {
+        let num_roots_inv = -inv_pow2::<F>(roots.len());
+        u.iter_mut().for_each(|u_j| *u_j *= num_roots_inv);
+    }
+
+    u
+}
+
+/// Generates the powers of the primitive n-th root of unity.
+///
+/// Returns
+///   roots\[i\] = w_n^i for 0 ≤ i < n,
+/// where
+///   w_n is the primitive n-th root of unity in `F`, and
+///   `n` must be a power of two.
+pub(crate) fn nth_root_powers<F: NttFriendlyFieldElement>(n: usize) -> Vec<F> {
+    let log2_n = usize::try_from(log2(n as u128)).unwrap();
+    assert_eq!(n, 1 << log2_n);
+
+    let mut roots = vec![F::zero(); n];
+    roots[0] = F::one();
+    if n > 1 {
+        roots[1] = -F::one();
+        for i in 2..=log2_n {
+            let mid = 1 << (i - 1);
+            // Due to w_{2n}^{2j} = w_{n}^j
+            for j in (1..mid).rev() {
+                roots[j << 1] = roots[j]
+            }
+
+            let wn = F::root(i).unwrap();
+            roots[1] = wn;
+            roots[1 + mid] = -wn;
+
+            // Due to w_{n}^{j} = -w_{n}^{j+n/2}
+            for j in (3..mid).step_by(2) {
+                roots[j] = wn * roots[j - 1];
+                roots[j + mid] = -roots[j]
+            }
+        }
+    }
+
+    roots
+}
+
 /// Returns a polynomial that evaluates to `0` if the input is in range `[start, end)`. Otherwise,
 /// the output is not `0`.
 pub(crate) fn poly_range_check<F: NttFriendlyFieldElement>(start: usize, end: usize) -> Vec<F> {
@@ -74,9 +161,14 @@ pub(crate) fn poly_range_check<F: NttFriendlyFieldElement>(start: usize, end: us
 
 #[cfg(test)]
 mod tests {
+    #[cfg(all(feature = "crypto-dependencies", feature = "experimental"))]
+    use crate::polynomial::poly_interpret_eval;
     use crate::{
         field::{Field64, FieldElement, FieldPrio2, NttFriendlyFieldElement},
-        polynomial::{poly_deg, poly_eval, poly_mul, poly_range_check},
+        fp::log2,
+        polynomial::{
+            nth_root_powers, poly_deg, poly_eval, poly_eval_batched, poly_mul, poly_range_check,
+        },
     };
     use std::convert::TryFrom;
 
@@ -154,4 +246,75 @@ mod tests {
         let y = poly_eval(&p, x);
         assert_ne!(y, Field64::zero());
     }
+
+    /// Generates the powers of the primitive n-th root of unity.
+    ///
+    /// Returns
+    ///   roots\[i\] = w_n^i for 0 ≤ i < n,
+    /// where
+    ///   w_n is the primitive n-th root of unity in `F`, and
+    ///   `n` must be a power of two.
+    ///
+    /// This is the iterative method.
+    fn nth_root_powers_slow<F: NttFriendlyFieldElement>(n: usize) -> Vec<F> {
+        let log2_n = usize::try_from(log2(n as u128)).unwrap();
+        let wn = F::root(log2_n).unwrap();
+        core::iter::successors(Some(F::one()), |&x| Some(x * wn))
+            .take(n)
+            .collect()
+    }
+
+    #[test]
+    fn test_nth_root_powers() {
+        for i in 0..8 {
+            assert_eq!(
+                nth_root_powers::<Field64>(1 << i),
+                nth_root_powers_slow::<Field64>(1 << i)
+            );
+        }
+    }
+
+    #[cfg(all(feature = "crypto-dependencies", feature = "experimental"))]
+    #[test]
+    fn test_poly_eval_batched_arbitrary() {
+        // Single polynomial with constant terms
+        test_poly_eval_batched(&[1]);
+        // Constant terms
+        test_poly_eval_batched(&[1, 1]);
+        // Powers of two
+        test_poly_eval_batched(&[1, 2, 4, 16, 64]);
+        // arbitrary
+        test_poly_eval_batched(&[1, 6, 3, 9]);
+    }
+
+    #[cfg(all(feature = "crypto-dependencies", feature = "experimental"))]
+    fn test_poly_eval_batched(lengths: &[usize]) {
+        let sizes = lengths
+            .iter()
+            .map(|s| s.next_power_of_two())
+            .collect::<Vec<_>>();
+
+        let polynomials = sizes
+            .iter()
+            .map(|&size| Field64::random_vector(size))
+            .collect::<Vec<_>>();
+        let x = Field64::random_vector(1)[0];
+
+        let &n = sizes.iter().max().unwrap();
+        let mut ntt_mem = vec![Field64::zero(); n];
+        let roots = nth_root_powers(n);
+
+        // Evaluates several polynomials converting them to the monomial basis (iteratively).
+        let want = polynomials
+            .iter()
+            .map(|poly| {
+                let extended_poly = [poly.clone(), vec![Field64::zero(); n - poly.len()]].concat();
+                poly_interpret_eval(&extended_poly, x, &mut ntt_mem)
+            })
+            .collect::<Vec<_>>();
+
+        // Simultaneouly evaluates several polynomials directly in the Lagrange basis (batched).
+        let got = poly_eval_batched(&polynomials, &roots, x);
+        assert_eq!(got, want, "sizes: {sizes:?} x: {x} P: {polynomials:?}");
+    }
 }