Dividing In Lagrange basis when one of the points is zero - Generalised

Reference

The formulas were derived by reading the following academic article here

Problem

In the multipoint protocol, we had a polynomial of the form:

g (X) = r^{0} \frac{f_{0} (X) - y_{0}}{X - z_{0}} + r^{1} \frac{f_{1} (X) - y_{1}}{X - z_{1}} + \dots + r^{m - 1} \frac{f_{m - 1} (X) - y_{m - 1}}{X - z_{m - 1}}

In our context,

z_{i}

is an element in the domain, so naively we cannot compute this division in lagrange form. We also do not want to use monomial form, as we would need to interpolate our polynomials, which is exp

Simplifying the problem:

We have

\frac{f (X)}{g (X)} = \frac{f (X)}{X - x_{m}} = \sum_{i = 0}^{d - 1} f_{i} \frac{L_{i} (X)}{X - x_{m}}

In what follows, we re-derive all of the necessary formulas that will allows us to divide by a linear polynomial that vanishes on the domain in lagrange basis, where the domain can be arbitrary.

Lagrange polynomial

We briefly restate the formula for a lagrange polynomial:

L_{i} (X) = \prod_{j \neq i, j = 0} \frac{X - x_{j}}{x_{i} - x_{j}}

The i'th lagrange polynomial evaluated at
$x_{i}$ is 1 and 0 everywhere else on the domain

First form of the barycentric interpolation formula

We introduce the polynomial

A (X) = (X - x_{0}) (X - x_{1}) . . . (X - x_{n})

We also introduce the derivative of

A^{'} (X) = \sum_{j = 0}^{d - 1} \prod_{i \neq j} (X - x_{i})

You can derive this yourself by generalising the product rule: https://en.wikipedia.org/wiki/Product_rule#Product_of_more_than_two_factors

In general this derivative does not have a succinct/sparse form. We do however have a succinct form if the domain is the roots of unity!

Now note that

A^{'} (x_{j}) = \prod_{i = 0, i \neq j} (x_{j} - x_{i})

If we plug in
$x_{k}$ into
$A^{'} (X)$ all the terms with
$X - x_{k}$ will vanish, this is why the sum disappears into a single product.

We can use

A

and

A^{'}

to re-define our lagrange polynomial as :

L_{i} (X) = \frac{A (X)}{A^{'} (x_{i}) (X - x_{i})}

Looking at the original lagrange formula,
$A^{'} (x_{i})$ is the denominator and
$\frac{A (X)}{X - x_{i}}$ is the numerator.

The first barycentric form for a polynomial

f (X)

can now be defined as :

f (X) = \sum_{i = 0}^{d - 1} \frac{A (X)}{A^{'} (x_{i}) (X - x_{i})} f_{i}

Remarks

$A (X)$ is not dependent on the values of
$f_{i}$ and so can be brought out of the summation.
$A^{'} (X)$ is only dependent on the domain, so it can be precomputed, along with
$A (X)$

Re-defining the quotient

Note that our original problem was that the polynomial:

\sum_{i = 0}^{d - 1} f_{i} \frac{L_{i} (X)}{X - x_{m}}

Had a

X - x_{m}

term in the denominator. We will use the first barycentric form as a way to get rid of this.

First we rewrite

\frac{L_{i} (X)}{X - x_{m}}

using the first form:

\frac{L_{i} (X)}{X - x_{m}} = \frac{A (X)}{A^{'} (x_{i}) (X - x_{i}) (X - x_{m})}

We then note that:

A (X) = L_{m} (X) \cdot A^{'} (x_{m}) \cdot (X - x_{m})

I just re-arranged the formula for the first form to equal
$A (X)$ for
$L_{m} (X)$

We can hence plug this into our previous equation:

\frac{L_{i} (X)}{X - x_{m}} = \frac{L_{m} (X) \cdot A^{'} (x_{m}) \cdot (X - x_{m})}{A^{'} (x_{i}) (X - x_{i}) (X - x_{m})}

Simplifying since we have a

X - x_{m}

in the numerator and denominator:

\frac{L_{i} (X)}{X - x_{m}} = \frac{A^{'} (x_{m}) \cdot L_{m} (X)}{A^{'} (x_{i}) \cdot (X - x_{i})}

Note that when the elements in the domain are roots of unity;
$A^{'} (x_{k}) = d (x^{k})^{d - 1} = d x^{- k}$

The nice simplification here is due to two reasons: roots of unity form a cyclic group, and we can succinctly represent the d'th roots of unity in a sparse equation
$X^{d} - 1$ which is nice to derivate.

We have now re-defined

q (X)

to not include

X - x_{m}

We now summarise and state that:

q (X) = \sum_{i = 0}^{d - 1} f_{i} \frac{L_{i} (X)}{X - x_{m}} = f_{i} \frac{A^{'} (x_{m}) \cdot L_{m} (X)}{A^{'} (x_{i}) \cdot (X - x_{i})}

Explicit formulas for each case

Computing
$q_{m}$

When dealing with the point which vanishes on zero, the above formula becomes:

Note:
$L_{m} (x_{m}) = 1$

q_{m} = q (x_{m}) = \sum_{i = 0}^{d - 1} \frac{A^{'} (x_{m})}{A^{'} (x_{i})} \frac{f_{i}}{x_{m} - x_{i}}

Computing
$q_{j}$

For the case that the evaluation does not vanish on the domain, we can use the original formula.

For all

j \neq m

q_{j} = q (x_{j}) = \sum_{i = 0}^{d - 1} f_{i} \frac{L_{i} (x_{j})}{x_{j} - x_{m}}

We note that the terms of the sum are zero, except for when

i = j

from the definition of the lagrange polynomial , hence we can simplify this to be:

q_{j} = \frac{f_{j}}{x_{j} - x_{m}}

Optimisations

If we use the formulas as shown above,

q_{m}

will take

d

steps due to the sum, and

q_{j}

will take

d - 1

steps. We describe a way to reduce this complexity in the code.

1. Rewrite
$q_{m}$ in terms of
$q_{j}$

Note that if we multiply

q_{m}

\frac{- 1}{- 1}

we get:

q_{m} = q (x_{m}) = - \sum_{i = 0}^{d - 1} \frac{A^{'} (x_{m})}{A^{'} (x_{i})} \frac{f_{i}}{x_{i} - x_{m}}

We can now substite in

q_{i}

q_{m} = q (x_{m}) = - \sum_{i = 0}^{d - 1} \frac{A^{'} (x_{m})}{A^{'} (x_{i})} q_{i}

2. Removing field inversions in
$q_{j}$

Note that

q_{j}

has a division which is many times more expensive than a field multiplication. We now show a way to precompute in such a way that we do not need to invert elements.

With the roots of unity, we were able to use the fact that they formed a group.

Again note that:

q_{j} = \frac{f_{j}}{x_{j} - x_{m}}

The expensive division occurs here

\frac{1}{x_{j} - x_{m}}

. In our particular case, we note that the domain is the discrete interval

[0, 255]

this means we need only to precompute

\frac{1}{x_{i}}

for

x_{i} \in [- 255, 255]

. This is 510 values, so we would store

510 * 32 = 16 K b

. If this is too much space, one could halve the storage by not storing the negated points.

How would I lookup and store these values in practice?

First we imagine that we have stored the values in an array as such:

[\frac{1}{1}, \frac{1}{2}, \frac{1}{3}, \frac{1}{4} . . . \frac{1}{255}, \frac{1}{- 1}, \frac{1}{- 2}, . . . \frac{1}{- 255}]

We first note that we can easily get from

\frac{1}{k}

\frac{1}{- k}

in the array by jumping forward 255 indices. Our strategy will be to find

\frac{1}{k}

then jump to

\frac{1}{- k}

if we need to.

Example

We want to compute

\frac{1}{0 - 255}

Compute the
$a b s (0 - 255) = 255 = i$

In practice, we can use an if statement to check whether 255 or 0 is larger, and subtract accordingly.

Note that
$\frac{1}{i}$ is at index
$i - 1$
Since our original computation was
$0 - 255$ which is negative, we need to get the element at index:
$(i - 1) + 255$ where
$i = 255$ .

3. Precompute
$\frac{A^{'} (x_{m})}{A^{'} (x_{i})}$

With the roots of unity, we did not need this optimisation as
$\frac{A^{'} (x_{m})}{A^{'} (x_{i})}$ equaled
$\frac{ω^{i}}{ω^{m}}$ which was trivial to fetch from the domain due to the roots of unity forming a domain.

For our case, we will need to store precomputed values, if we want to efficiently compute

q_{m}

O (d)

steps, and to also avoid inversions.

The strategy is that, we precompute

A^{'} (x_{i})

and

\frac{1}{A^{'} (x_{i})}

. Given that we have 256 points in the domain. This will cost us

256 * 2 * 32 bytes = 16 k B

How would I lookup and store these values in practice?

Similar to the previous optimisation, we store

A^{'} (x_{i})

in an array as such:

[A^{'} (0), A^{'} (1), A^{'} (2), A^{'} (3) . . . A^{'} (255), \frac{1}{A^{'} (0)}, \frac{1}{A^{'} (1)}, \frac{1}{A^{'} (2)}, . . . \frac{1}{A^{'} (255)}]

Example

We want to compute

\frac{A^{'} (0)}{A^{'} (5)}

We can fetch
$A^{'} (0)$ by looking up the element at index
$0$ in the array.
We can fetch
$\frac{1}{A^{'} (5)}$ by looking up the element at index 5, then jumping forward 256 positions.

In general:

To fetch
$A (x_{i})$ we need to fetch the element at index
$i$
To fetch
$\frac{1}{A (x_{i})}$ we need to fetch the element at index
$i + 256$

Gotcha: You may produce an off by one error, by not realising that the second optimisation skips ahead 255 points for negative values, while the third optimisation skips ahead 256. This is because the second optimisation omits the value
$\frac{1}{0}$ .

Evaluate polynomial in evaluation form on a point outside of the domain

Suppose

z

is a point outside of the domain.

f (z) = \sum_{i = 0}^{d - 1} f_{i} L_{i} (z) = \sum_{i = 0}^{d - 1} \frac{A (z)}{A^{'} (x_{i}) (z - x_{i})} f_{i} = A (z) \sum_{i = 0}^{d - 1} \frac{f_{i}}{A^{'} (x_{i}) (z - x_{i})}

Optimising:

We already store precomputations for
$\frac{1}{A^{'} (x_{i})}$
We should compute
$z - x_{i}$ separately, then batch invert using the montgomery trick, so that we only pay for one inversion.

Dividing In Lagrange basis when one of the points is zero - Generalised

Reference

Problem

Lagrange polynomial

First form of the barycentric interpolation formula

Remarks

Re-defining the quotient

Explicit formulas for each case

Computing qm

Computing qj

Optimisations

1. Rewrite qm in terms of qj

2. Removing field inversions in qj

3. Precompute A′(xm)A′(xi)

Evaluate polynomial in evaluation form on a point outside of the domain

Read more

Hardware Requirements

kev@kev-Venus-series:~/Documen

KZG - Is Zero Quotient Okay?

Fully non-deterministic Noir

Computing
$q_{m}$

Computing
$q_{j}$

1. Rewrite
$q_{m}$ in terms of
$q_{j}$

2. Removing field inversions in
$q_{j}$

3. Precompute
$\frac{A^{'} (x_{m})}{A^{'} (x_{i})}$