Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Elliptic Curve Fast Fourier Transform

Eli Ben-Sasson, Dan Carmon, Swastik Kopparty, David Levit
CS711 Course Project

Mihir Jayesh Vahanwala 1 Sankalp Gambhir 1

1 Indian Institute of Technology, Bombay

November 5, 2021

1/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Outline

Introduction

The Notion of FFT

FFTrees from Elliptic Curves

Algorithms

2/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Polynomial Multiplication
Given the coefficient representation of polynomials P, Q ∈ Fq [X ] of degree < n, define
Mq (n) to be the number of arithmetic operations over Fq needed to compute the
coefficient representation of P · Q.
∗
The best known result is Mq (n) = O(n log n · 2log n )
The Open Question: Is Mq (n) = O(n log n)?

3/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

The results we present

• Following [1], we represent polynomials in Fq [X ] by their evaluation on carefully

chosen subsets of Fq .

• Given this representation of polynomials of degree less than n = q O(1) , the

following operations can be done in O(n log n) time
• Polynomial addition (trivial, O(n) time)
• Polynomial multiplication
• Chinese Remaindering, et cetera.

4/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Polynomial multiplication
Starting with two polynomials in C[x]

X
f (x) = ai x i ,
i
X
g (x) = bi x i ,
i

we have

X X
f · g (x) = ai bj x k .
k i+j=k

Computational nightmare, we suggested moving to evaluations.

5/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Evaluation representation

Choose 2n + 1 and evaluate f and g on them, where n = max(deg(f ), deg(g ))

 
f (x) : f (x1 ), f (x2 ), . . . , f (x2n+1 ) ,
 
g (x) : g (x1 ), g (x2 ), . . . , g (x2n+1 ) ,

and we can easily write

 
f · g (x) : f (x1 ) · g (x1 ), f (x2 ) · g (x2 ), . . . , f (x2n+1 ) · g (x2n+1 ) .

The evaluations on 2n + 1 points uniquely determine the product polynomial.

6/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Evaluation

New solution, but new nightmare. Evaluation is hard too. Need to calculate x n etc.

Consider
2
f (x) = x 2 .

1
Consider x = ±1. Compute f (1). Do we
need to compute f (−1) now?
So we are capable of choosing points such
0
that our computation is significantly
−1 0 1 reduced.

7/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Divide and Conquer

Extending this further, we did it for polynomials that weren’t even or odd

f (x) = x 5 + 3x 4 + 2x + 6 ,
f (x) = (3x 4 + 6) + x · (x 4 + 2) , f (x) = f1 (x 2 ) + x · f2 (x 2 ) .

We can split the polynomial into two halves, and evaluating the individual halves on a
single point (1) gives us instead the evaluations on two points (±1).

8/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Choosing points

f (x) = x 5 + 3x 4 + 2x + 6

Evaluation points (rounded up to closest power of 2)

x1 x2 x3 x4 x5 x6 x7 x8

But we can constrain these. We chose to split into even functions, and consequently
want x2i−1 = −x2i .

9/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Choosing points

f (x) = x 5 + 3x 4 + 2x + 6

x1 x2 x3 x4 x5 x6 x7 x8

x12 x32 x52 x72

x14 x54

x18

The choice is up to us, so choose the root node x18 = 1.

10/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Choosing points

f (x) = x 5 + 3x 4 + 2x + 6

2πi·1 2πi·2 2πi·3 2πi·4 2πi·5 2πi·6 2πi·7 2πi·8

e 8 e 8 e 8 e 8 e 8 e 8 e 8 e 8

2πi·1 2πi·2 2πi·3 2πi·4

e 4 e 4 e 4 e 4

1 −1

1
11/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Choosing points

f (x) = x 5 + 3x 4 + 2x + 6

ω80 ω81 ω82 ω83 ω84 ω85 ω86 ω87 Is there a particular structure here that the
roots of unity are specific to?
• Layers of sets of size 2k
ω40 ω41 ω42 3
ω4
• 2-to-1 maps between successive layers
• ????
ω20 ω21
• Profit
ω1
12/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Choosing points

f (x) = x 5 + 3x 4 + 2x + 6

Is there a particular structure here that the

roots of unity are specific to?
• Layers of sets of size 2k
x2 x2 x2 • 2-to-1 maps between successive layers
Ω8 Ω4 Ω2 Ω1
• ????
• Profit

13/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Roots of Unity
Roots of unity arose here simply due to our assumption that x18 = 1. The roots of
unity needn’t exist in every field.
Are there other sets of field elements that satisfy this property? What was the limiting
factor?
Perhaps x 2 is not a great 2-to-1 map to ask for. What if we had an arbitrary map for
the layers?

f (x) = f1 (ψ(x)) + x · f2 (ψ(x)) ,

ψ(x2n−1 ) = ψ(x2n ) .

ψ ψ ψ
Ω8 Ω4 Ω2 Ω1

14/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Freedom

However, each layer’s evaluation was independent of the previous, that is, after all, the
idea behind the divide-and-conquer approach.
So, we can extend our choice of maps further to vary between layers

ψ (0) ψ (1) ψ (2)

Ω8 Ω4 Ω2 Ω1

In essence, we have not violated any of the key features of the FFT approach. So,
where can we find these sets, and these maps between them?

15/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Rational Functions

• Rational functions over Fq are quotients ψ(X ) = vu(X )

(X ) where u and v are coprime
polynomials in Fq [X ] and v is nonzero. Rational functions form a field, denoted
by Fq (X ).

• Rational functions can be viewed as maps from P1 to itself. The points mapped
to ∞ are called poles. These include the zeroes of v .

u(X )
• The degree of rational function ψ(X ) = v (X ) is defined as max(deg(u), deg(v )).

16/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Decomposing polynomials with Rational Maps

Lemma (Decomposition)
Assume d is even. Let Vd be the Fq -linear subspace of Fq [X ] consisting of polynomials
of degree strictly less than d. Let ψ(X ) = vu(X )
(X ) ∈ Fq (X ) be a rational map of degree

2
2. Then for every P(X ) ∈ Vd , there exists a unique tuple (P0 (X ), P1 (X )) ∈ V(d/2)
such that
d
P(X ) = v (X ) 2 −1 · (P0 (ψ(X )) + X · P1 (ψ(X ))) .

• In order to make this decomposition a viable divide and conquer strategy, it must
be invertible efficiently enough.
• Fortunately, it is.

17/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Invertibility
Lemma (Locality and invertibility)
Let t ∈ Fq . Suppose ψ −1 (t) = {s0 , s1 } is a set of cardinality exactly 2. Then the
transformation Mt : F2q → F2q , Mt (P(s0 ), P(s1 )) 7→ (P0 (t), P1 (t)) is linear and
invertible.

Proof.
• Since t ∈ Fq , t =
6 ∞, and hence v (si ) 6= 0. We have
" d
#
v (s0 ) 2 −1
   
0 1 s0 P0 (t) P(s0 )
d =
0 v (s1 ) 2 −1 1 s1 P1 (t) P(s1 )

• Invertibility follows because the diagonal matrix has nonzero entries and the other
2 × 2 matrix is Vandermonde, s0 6= s1 .

18/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

The FFTree

Definition (FFTree)
Figure: FFTree of depth 2
Let q be a prime power, and let k be an integer. An FFTree
of depth k over Fq is a collection of subsets u
ψ (1) ψ (1)
L(0) , L(1) , . . . , L(k) ⊆ Fq along with degree 2 rational
functions ψ (0) , . . . , ψ (k−1) such that: v0 v1
ψ (0) ψ (0) ψ (0) ψ (0)
• |L(i) | = 2k−i .
ω0 ω1 ω2 ω3
• ψ (i) is a 2-to-1 map from L(i) to L(i+1) .
The tree itself is a rooted, layered, full binary tree: the root
is the element of L(k) , the leaves are the elements of L(0) .
For a node s in L(i) , its parent is ψ (i) (s).

19/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Projective Space
• Pn (Fq ) or Pn denotes the the n-dimensional projective space over Fq .
• Points in Pn are given by homogenised coordinates [x1 : x2 : · · · : xn+1 ] where at
least one xi is nonzero.
• For a point in the affine space Fnq , we map

(x1 , x2 , . . . , xn ) 7→ [x1 : x2 : · · · : xn : 1] .

• The space carries the equivalence structure

[x1 : x2 : · · · : xn+1 ] ≡ [cx1 : cx2 : cxn+1 ] .

• Pn is a disjoint union of the affine space Fnq (xn+1 6= 0) and a copy of Pn−1 “at
infinity” (xn+1 = 0). In particular, P1 = Fq ∪ {∞} where ∞ denotes the unique
point [1 : 0] at infinity.
20/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Elliptic Curves
• An elliptic curve E is a smooth, projective algebraic curve
defined over a field. We consider elliptic curves defined over
Fq , their points reside in P2 (Fq ).
• Every elliptic curve can be presented in extended Weierstrass
form as
• The set of planar points (x, y ) ∈ F2q (which is [x : y : 1] ∈ P2 )
satisfying the cubic equation

F (X , Y ) := Y 2 + a1 XY + a3 Y − X 3 − a2 X 2 − a4 X − a6 = 0

• The special marked point O = [0 : 1 : 0] ∈ P2 , called its point

at infinity.
• Points on an elliptic curve form an abelian group. O is the
group identity.

21/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Projection
Definition (Projection)
The projection map π : E → P1 is defined as follows: π(O) = ∞,
π([x : y : 1]) = x ∈ Fq .
• For P, Q ∈ E , π(P) = π(Q) if and only if P = ±Q.

• For a subset C ⊆ E , define −C = {−P : P ∈ C }. If C and

−C are disjoint, then the mapping from C to π(C ) is 1-to-1.
• Further, C does not contain O, hence π(C ) ⊆ Fq .

• Projection onto Fq from some (co-)set C being injective is

pivotal in the construction of FFTrees from elliptic curves

22/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Isogenies between Elliptic Curves

Proposition (Isogenies)
Let φ : E → E 0 be an isogeny between two elliptic curves over Fq in extended
Weierstrass form. Let π, π 0 be their respective x-projection maps onto P1 . Then
• φ is a group homomorphism.
• There exists a unique rational function ψ such that the diagram

φ
E E0
π π0
ψ
P1 P1

is commutative.
• If the formal derivative of ψ is nonzero, then | ker(φ)| = deg(ψ) = d and the
isogeny is said to be d-separable or a d-isogeny.
23/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Harnessing isogenies

Proposition (Isogenies, constructive)

Let E be an elliptic curve and let H < E be a finite subgroup. There exists a unique
elliptic curve E 0 and |H|-isogeny φ such that ker(φ) = H.
• With projections, we map a point on an elliptic curve to an element in Fq .

• With 2-isogenies, we get 2-to-1 maps between elliptic curves. They relate to
degree 2 rational maps between elements of Fq .

• We thus have the ingredients to build FFTrees.

• But how does this approach scale?

24/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Large, tractable Elliptic Curves

Proposition
Let k be an integer, k = O(log q). There exists an elliptic curve E0 over Fq such that
2k divides |E0 | and |E0 | > 2k+1 .
• We immediately see that E0 has a subgroup G0 of order 2k

• It can be shown that G0 has a coset C0 such that C0 6= −C0

• C0 is crucial, because projection is a one-one map from C0 to Fq

• This is our starting point to construct an FFTree of depth k over Fq .

25/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

The Construction

• Start with E0 , G0 , C0 , and inductively get Ei+1 , Gi+1 , Ci+1 from Ei , Gi , Ci , where
i = {0, 1, . . . , k − 1}

• Define the set L(i) to be πi (Ci ).

• Pick an order 2 subgroup Hi < Gi < Ei . Let φi be the 2-isogeny from Ei to Ei+1 ,
with kernel Hi . Let ψ (i) be its associated rational map.

• Gi+1 = φi (Gi ), and Ci+1 = φi (Ci ). Note the 2-to-1 correspondence, thanks to the
group homomorphism.

26/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Properties of the construction

• From the properties of elliptic curve isogenies, we know that the following
commutative diagram holds.

φ0 φ1 φk−1
E0 E1 ... Ek
π0 π1 πk
ψ (0) ψ (1) ψ (k−1)
P1 P1 ... P1

• We need to show that ψ (i) is 2-to-1 from L(i) to L(i+1) , so that the set L(i) can
serve as the i th layer of the FFTree.
• We already have that φi defines a 2-to-1 map from Ci to Ci+1 , and the diagram
commutes. The missing link is to show that πi is a bijection from Ci to L(i) , i.e.
Ci and −Ci are disjoint.
27/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Correctness
• We prove that cosets Ci , −Ci are distinct members of Ei /Gi , by induction on i.

• The base case i = 0 holds because of our choice of E0 , G0 , C0 .

• For the inductive step, assume that Ci 6= −Ci . Applying the first isomorphism
theorem to our construction using φi , we have that Ei /Hi ,→ Ei+1 and
Gi /Hi ∼
= Gi+1

• The third isomorphism theorem tells us that Ei /Gi ∼

= (Ei /Hi )/(Gi /Hi )

• Thus Ei /Gi ,→ Ei+1 /Gi+1 .

• In other words, φi maps distinct cosets of Gi to distinct cosets of Gi+1 , and thus,
if Ci and −Ci are distinct, so are Ci+1 and −Ci+1
28/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Representing Polynomials - The Plan

• We shall represent polynomials over Fq by
their evaluation on carefully chosen subsets Figure: FFTree of depth 3
of Fq .
u
• An evaluation table is specified by a subset ψ (2) ψ (2)

S ⊆ Fq and a function f : S → Fq . We ψ (1)

v0
ψ (1) ψ (1)
v1
ψ (1)

denote it as hf o Si. (read “f on S”) t0 t1 t2 t3

ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0)
• What subsets make evaluation tables
s0 s1 s2 s3 s4 s5 s6 s7
amenable to fast algorithms? We turn to
the FFTree.
• Our fast algorithms work on this novel
representation of polynomials as evaluation
tables, in a way highly reminiscent of FFT.

29/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Basic Sets

Definition (Basic Sets)

Figure: FFTree of depth 3
A set S is basic if
• S ⊆ L(j) for some j ψ (2)
u
ψ (2)

• There exists integer ` such that |S| = 2` v0 v1

ψ (1) ψ (1) ψ (1) ψ (1)

• All the elements of S have a common t0 t1 t2 t3

ancestor t in L(j+`) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0)

s0 s1 s2 s3 s4 s5 s6 s7
Further if ` > 0, then S can be partitioned into
two moieties S0 and S1 , which are also basic
sets. The common ancestor S0 is one of the
children of t, the common ancestor of S1 is its
sibling.

30/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Low degree extension

Theorem
Let S, S 0 be basic sets of size n. Given a Figure: FFTree of depth 3
polynomial P ∈ Fq [X ] of degree < n and u

hP o Si, we can compute hP o S 0 i in O(n log n) ψ (2) ψ (2)

v0 v1
time. ψ (1) ψ (1) ψ (1) ψ (1)

t0 t1 t2 t3
1. To formulate the problem as two smaller ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0)

subproblems, we recall the linear invertible s0 s1 s2 s3 s4 s5 s6 s7

Mt : F2q → F2q :

Mt (P(s0 ), P(s1 )) 7→ (P0 (t), P1 (t))

2. To construct the solution from those of

the subproblems (ψ = u/v ):
n
P(s 0 ) = v (s 0 ) 2 −1 · P0 (t 0 ) + s 0 · P1 (t 0 )

31/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Extension Algorithm

1. Base Case If n = 1, we have a constant

polynomial. Figure: FFTree of depth 3
2. Consider the basic sets T,T0 that u
0
respectively lie above S, S in the FFTree. ψ (2) ψ (2)

Use Mt to compute hP0 o T i and hP1 o T i ψ (1)

v0
ψ (1) ψ (1)
v1
ψ (1)

3. Call the extension algorithm to compute t0 t1 t2 t3

ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0)
hP0 o T 0 i and hP1 o T 0 i s0 s1 s2 s3 s4 s5 s6 s7

4. Use the decomposition (point 2 in previous

slide) to compute hP o S 0 i

32/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Multiplication Algorithm

Theorem
Let S be a basic set of size n, and let S0 , S1 be Figure: FFTree of depth 3
moieties of S. Let P, Q ∈ Fq [X ] have degree u
ψ (2) ψ (2)
< n/2. Given hP o S0 i and hQ o S0 i, we can
v0 v1
compute hP · Q o Si in O(n log n) time. ψ (1) ψ (1) ψ (1) ψ (1)

t0 t1 t2 t3
1. Call the extension algorithm to compute ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0) ψ (0)

hP o S1 i and hQ o S1 i. s0 s1 s2 s3 s4 s5 s6 s7

2. Join these tables to get hP o Si and hQ o Si

3. Perform pointwise multiplication to get
hP · Q o Si

33/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Further

• Degree computation has a recursive algorithm that runs in time O(n log n), given
an evaluation table of size n.

• The reference also demonstrates division and Chinese remaindering in O(n log n)
time.

• Reiterating subtle caveat: these operations are on evaluation tables, not the
standard coefficient representation. The reference gives an interconversion that
takes O(n log2 n) time.

34/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Bibliography

This presentation was based on [1]. Some presentation elements were inspired by [2].
Eli Ben-Sasson, Dan Carmon, Swastik Kopparty, and David Levit.
Elliptic curve fast fourier transform (ecfft) part i: Fast polynomial algorithms over
all finite fields, 2021.
arXiv:2107.08473.
Reducible.
The fast fourier transform (fft): Most ingenious algorithm ever?
URL: https://www.youtube.com/watch?v=h7apO7q16V0.

35/36
Introduction The Notion of FFT FFTrees from Elliptic Curves Algorithms

Thank you for your attention.

36/36