Circle FFT and its implementation

Abstract: This paper primarily examines the work of Ulrich Haböck et al. titled "Circle STARKs," interpreting Circle FFT and its implementation aspects. The analysis focuses on three main areas: 1) the foundation for accelerating basic operations with CFFT; 2) the implementation of CFFT calculations; and 3) the coding implementation of CFFT.

1. Introduction

In traditional STARKs, Fast Fourier Transform (FFT) is used to efficiently perform interpolation and write adjacent row constraints. To utilize FFT for fundamental polynomial operations, the finite field

F_{p}

must possess a smooth-order root of unity. Besides the FFT itself, the choice of finite field

p

directly influences the complexity of arithmetic operations, thereby impacting the efficiency of STARKs. The most effective field for arithmetic operations is the Mersenne prime field, specifically

p = 2^{e} - 1

. Notably,

p = 2^{31} - 1

allows for highly efficient arithmetic operations on 32-bit computers. For these reasons, traditional FFT is inadequate in meeting the efficiency demands of STARKs. In reference [1], the authors continue the ECFFT [2][3] approach, constructing Circle STARKs based on the Mersenne prime

p = 2^{31} - 1

on the circle defined by the equation

x^{2} + y^{2} = 1

. The core innovation lies in the introduction of Circle FFT (CFFT) within STARKs.

2. Circle FFT

2.1 Fundamentals of CFFT

The choice of field significantly affects the efficiency of FFT acceleration and the feasibility of using FFT for this purpose. A prime

p

that is friendly to CFFT possesses the property

p \equiv 3 mod 4

. The set of

p + 1

points on the curve

C = C (F p)

forms a group, defined by the group operation

(x 0, y 0) \cdot (x 1, y 1) := (x 0 x 1 - y 0 y 1, x 0 y 1 + x 1 y 0)

, where the circular group

C (F p)

is a cyclic group. Additionally, we define the rotation operation

T_{P} (x, y) := P \cdot (x, y)

, the squaring map

π (x, y) := (x, y) \cdot (x, y)

, and the group inverse

J (x, y) := (x, - y)

When using FFT acceleration, the length of the coefficients to be computed must be

2^{n} (n \geq 1)

. For CFFT, we define a double coset of size

N = 2^{n}

D = Q \cdot G n - 1 \cup Q^{- 1} \cdot G n - 1

. Here,

G n - 1

is a subgroup of size

2^{n - 1}

C (F p)

, and

Q \in C (F p)

. When the prime

p \equiv 3 mod 4

, we have

D = Q \cdot G n = Q \cdot G n - 1 \cup Q^{- 1} \cdot G n - 1

. When

D

is a coset of the subgroup

G n

, it is the standard position coset of size

N

. Furthermore, under the squaring map, the set

π (D)

of size

N / 2

shares the same properties as

D

, meaning it is also a double coset or standard coset. The standard position coset is illustrated in Figure 1, where the elements are evenly distributed along the circle, corresponding to the binary size of the set. For

n \geq 1

，

π^{n - 1} (D) = {(x_{D}, y_{D})}

contains only two elements.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 1: Diagram of the three minimal standard position cosets in the affine plane over

F_{p}

In Circle STARKs, prior to CFFT acceleration, we first define the space of bivariate polynomials whose coefficients belong to the extension field

F

\begin{matrix} (1) & L_{N} (F) = {p (x, y) \in F [x, y] / (x^{2} + y^{2} - 1) : \deg p \leq \frac{N}{2}} \end{matrix}

where

N

is an even number. The space

L N (F)

has rotational invariance and good separability. These key properties are necessary for efficient encoding. By repeatedly substituting

y^{2} = 1 - x^{2}

into the polynomial

p (x, y)

derived from

L N (F)

, we obtain

\begin{matrix} (2) & p (x, y) = p_{0} (x) + y \cdot p_{1} (x) \end{matrix}

，
where

p 0 (x) \in F {[x]}^{\leq N / 2}

and

p 1 (x) \in F {[x]}^{\leq N / 2 - 1}

. Equation

(2)

is referred to as the canonical form of the polynomial derived from

L_{N} (F)

. The canonical form indicates that the set of monomials

\begin{matrix} (3) & 1, x, \dots, x^{\frac{N}{2}}, y, y \cdot x, \dots, y \cdot x^{\frac{N}{2} - 1} \end{matrix}

spans the space

L N (F)

. Based on the dimension of

L N (F)

, the canonical form must be a basis, specifically a monomial basis. Additionally, for details on the cyclic code, refer to reference [1].

For the double coset

D = Q \cdot G n - 1 \cup Q^{- 1} \cdot G n - 1

, with

Q \in C (F p) ∖ G n

, CFFT completes the interpolation of functions derived from

F^{D}

by calculating the coefficients corresponding to the basis of Circle FFT

B_{n}

. The basis for Circle FFT consists of N-dimensional polynomial bases that depend solely on the size of the field. We define the

n

-th order FFT basis as

\begin{matrix} (4) & b_{j}^{(n)} (x, y) := y^{j_{0}} \cdot v_{1} {(x)}^{j_{1}} \cdot \dots v_{n - 1}^{j_{n - 1}} (x), 0 \leq j \leq 2^{n} - 1 \end{matrix}

where

0 \leq j \leq 2^{n} - 1

and

j = j_{0} + j_{1} \cdot 2 + \dots + j_{n - 1} \cdot 2^{n - 1} ((j_{0}, \dots, j_{n - 1}) \in {0, 1}^{n})

;

v k (x)

is the vanishing polynomial of the standard position coset of size

2^{k}

[1]. The family formed by

b_{j}^{(n)}

constitutes the set

B n \in L N (F)

According to the definitions above, the double coset

D

exhibits invariance under the wrapping operation

J

, and each

J

-orbit in

D

contains only two points. Consequently, the quotient mapping

\begin{matrix} (5) & ϕ_{J} : D \to D / J, P \mapsto {P, J (P)} \end{matrix}

is a two-to-one mapping. The double coset obtained through recursion is given by

D j = π (D j + 1)

, for

j = n - 1, \dots, 1

, corresponding to the descending chain of subgroups

G n - 1 \supset G n - 2 \supset \dots \supset G_{0}

. Since the operations

J

and

π

are commutative, we can obtain the commutative diagram:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 2: Commutative diagram of the J and
𝜋 mappings: each mapping is two-to-one, and the coset size is halved.

Alternatively, the quotient

S j = D j / J

can be considered as a subset of the x-axis, and

ϕ J = π x

serves as the projection onto the x-axis. Thus, the commutative diagram can be transformed into

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 3: Transformed commutative diagram.

In the diagram, the squaring homomorphism mapping

π : S j \to S j - 1

is a two-to-one mapping given by

x \mapsto 2 \cdot x^{2} - 1

2.2 Mathematical Description of CFFT

Given a double coset of size

2^{n}

, FFT is a divide-and-conquer algorithm that iteratively simplifies the interpolation problem for

f \in F^{D}

along the projection chain:

\begin{matrix} (6) & D = D_{n} \overset{ϕ_{J} = π_{x}}{\to} S_{n} \overset{π}{\to} S_{n - 1} \overset{π}{\to} \dots \overset{π}{\to} S_{1} \end{matrix}

From the projection chain, it is evident that the entire chain is divided into two stages.

In the first stage, we use

t 0 (x, y) = y

as the "reference odd function" to decompose

f \in F^{D}

into "odd" and "even" parts according to the wrapping function

J

, resulting in two unique functions

f 0

and

f_{1} \in F^{S_{n}}

defined on the univariate domain

S_{n}

, specifically:

\begin{matrix} (7) & f_{0} (x) = \frac{f (x, y) + f (x, - y)}{2} \end{matrix}

\begin{matrix} (8) & f_{1} (x) = \frac{f (x, y) - f (x, - y)}{2 y} \end{matrix}

and

\begin{matrix} (9) & f (x, y) = f_{0} (x) + y \cdot f_{1} (x) \end{matrix}

If we factor out the coefficient

\frac{1}{2}

from equations (7) and (8) and consider

y^{'} = y^{- 1}

as the rotation factor, this decomposition is quite similar to the butterfly operation in traditional FFT.

In the second stage, we select

t 1 (x, y) = y

as the "reference odd function." On the projection domain

S j - 1 = π (S_{j})

, the iterative decomposition yields:

\begin{matrix} (10) & f_{0} (π (x)) = \frac{f (x) + f (- x)}{2} \end{matrix}

\begin{matrix} (11) & f_{1} (π (x)) = \frac{f (x) - f (- x)}{2 \cdot x} \end{matrix}

and

\begin{matrix} (12) & f (x) = f_{0} (π (x)) + x \cdot f_{1} (π (x)) \end{matrix}

where

π (x) = 2 \cdot x^{2} - 1

. This decomposition process continues until the projection domain reduces to the single point

S_{1}

The output of the CFFT algorithm is a constant

c k = f k 0, \dots, k n - j \in F

, where

0 \leq k \leq 2^{n} - 1

and

k 0, \dots, k n - 1

are the binary representation bits of

k

. Thus, for a given basis space

B j^{(0)} \subseteq B j

\begin{matrix} (13) & B_{j}^{(0)} = {b_{2 k}^{(j)} : 0 \leq k \leq 2^{j - 1} - 1}, 1 \leq j \leq n \end{matrix}

We have:

\begin{matrix} (14) & f (x) = \sum_{k^{'} = 0}^{2^{j} - 1} c_{k^{'}} \cdot b_{2 \cdot k^{'}}^{(j + 1)} (x) \end{matrix}

When

j = n

c_{k^{'}}

represents the output of the CFFT.

3. CFFT Implementation

In Algorithm [1], the authors provide the algorithm's pseudocode.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

From the pseudocode, it is evident that the entire algorithm is divided into two stages: 1) operations at the first level; and 2) operations in the subsequent layers. The primary difference lies in the calculation of the rotation factors.

3.1 Calculation of Rotation Factors

As seen in the pseudocode, although the implementation of CFFT differs between the first layer and the subsequent layers, the inconsistency mainly arises from the calculation of rotation factors, while the butterfly operation remains consistent. In the RUST implementation, the calculation of rotation factors is

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

From lines 132 to 142 of the code, it can be observed that the calculation of rotation factors distinguishes between the first layer and the remaining layers. It is necessary to differentiate between the first step and the second step, which are completed in init_domain and working_domain, respectively. This represents a significant difference from the calculation of rotation factors in traditional FFT. The generation of the initial domain is accomplished by calling the cfft_domain function.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

3.2 Butterfly Operator

In the implementation code, the butterfly operators for the forward and inverse transformations are as follows:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

and

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

It can be seen that in the implementation, the butterfly operator of CFFT is essentially consistent with that of traditional FFT.

3.3 Basic Implementation of CFFT

After the rotation factors have been precomputed, CFFT can be implemented directly based on the pseudocode.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

In the implementation, the butterfly operation is realized using direct code. Alternatively, it can be called directly using fn butterfly_cfft().

References:
[1] Ulrich Haböck and David Levit and Shahar Papini. Circle STARKs. In Cryptology ePrint Archive, Paper 2024/278, 2024. https://eprint.iacr.org/2024/278
[2] Eli Ben-Sasson, Dan Carmon, Swastik Kopparty, and David Levit. Elliptic Curve Fast Fourier Transform (ECFFT) Part I: Fast polynomial algorithms over all finite fields. In Electronic Colloquium on Computational Complexity, volume TR21-103, 2021. https: //eccc.weizmann.ac.il/report/2021/103/.
[3] Eli Ben-Sasson, Dan Carmon, Swastik Kopparty, and David Levit. Scalable and transparent proofs over all large fields, via elliptic curves (ECFFT part II). In IACR preprint archive, 2022. https://eprint.iacr.org/2022/1542.
[4] GitHub - Plonky3/Plonky3 at Circle-Fast-Fourier-Transform. https://github.com/Plonky3/Plonky3

Circle FFT and its implementation

1. Introduction

2. Circle FFT

2.1 Fundamentals of CFFT

2.2 Mathematical Description of CFFT

3. CFFT Implementation

3.1 Calculation of Rotation Factors

3.2 Butterfly Operator

3.3 Basic Implementation of CFFT

Read more

Babylon: An Extremely Appealing Protocol Scaling Bitcoin to Secure PoS Chains

Onis Litepaper of Ola

A basic of Binius: Towers of Binary Fields

Babylon+Ola