Frobenius Additive Fast Fourier Transform
Wen-Ding Li
Research Center for Information Technology Innovation, Academia Sinica, Taiwan
July 19, 2018, ISSAC 2018, New York, USA
Joint work with Ming-Shing Chen, Po-Chun Kuo, Chen-Mou Cheng, Bo-Yin Yang

Polynomial Multiplication over $\mathbb{F}_2$
• Schoolbook: $O(n^2)$
• Karatsuba or Toom-Cook: $O(n^{\omega})$, $1 < \omega < 2$
• Fast Fourier Transform (FFT): $\tilde{O}(n)$

Multiplication with FFT
Fourier transform of $f \in \mathbb{F}[x]$: evaluation of $f$ in some zero set $Z \subset \mathbb{F}$.
How do we multiply $h = f \cdot g$ in $\mathbb{F}[x]$?
• Evaluate $f$ and $g$ at points of some zero set $Z \subset \mathbb{F}$
• Multiply pointwise to obtain $\{ f(\alpha) \cdot g(\alpha),\ \alpha \in Z \}$
• Interpolate: recover $h$ from $\{ f(\alpha) \cdot g(\alpha),\ \alpha \in Z \}$
Multiplication in $\mathbb{F}_2[x]$
• Not many evaluation points in $\mathbb{F}_2$ ⇒ work in an extension field
• Naive method: $\mathbb{F}_2[x] \to \mathbb{F}_{2^d}[x]$ ⇒ incurs d-times penalty.

The Kronecker segmentation
• Schönhage's ternary FFT (GF2x: Brent, Gaudry, Thomé, Zimmermann): $\mathbb{F}_2[x] \to \mathbb{F}_2[x]_{<M}[y] \to \mathbb{F}_2[x]/(x^{2L} + x^{L} + 1)[y]$, $y = x^{M}$, $L \ge M$
• Mixed Radix FFT over $\mathbb{F}_{2^{60}}$ (ISSAC 2016: Harvey, van der Hoeven, Lecerf): $\mathbb{F}_2[x] \to \mathbb{F}_2[x]_{<30}[y] \to \mathbb{F}_{2^{60}}[y]$, $y = x^{30}$
• Additive FFT over $\mathbb{F}_{2^{256}}$ (Chen, Cheng, Kuo, Li, Yang, 2017): $\mathbb{F}_2[x] \to \mathbb{F}_2[x]_{<128}[y] \to \mathbb{F}_{2^{256}}[y]$, $y = x^{128}$
Each coefficient packs only half as many bits as the extension field holds. Factor-of-two loss!

The Frobenius Fourier transform - ISSAC 2017
Directly compute the Fourier transform of a polynomial $f$ in $\mathbb{F}_2[x]_{<n}$: $\{ f(1), f(\omega), f(\omega^2), \ldots, f(\omega^{n-1}) \}$, where $\omega \in \mathbb{F}_{2^d}$ is a primitive root of unity.
Save some computation by using the Frobenius automorphism: $f(w^2) = f(\phi(w)) = \phi(f(w)) = (f(w))^2$
⇒ For each orbit $w, \phi(w), \phi^{\circ 2}(w), \phi^{\circ 3}(w), \ldots$, we only need to compute at one point: $f(w)$, and all other values $\phi^{\circ 2}(f(w)), \phi^{\circ 3}(f(w)), \ldots$ are determined.
Result: d-times faster than the naive method.

Cantor's FFT and its derivatives
• Cantor gave an "analogue of the fast Fourier transform" which efficiently evaluates a polynomial on some additive subgroup $Z$ of $\mathbb{F}_{p^{p^k}}$ in $O(n (\log n)^2)$ time for $n = |Z|$.
• Based on a tower $\mathbb{F}_p, \mathbb{F}_{p^p}, \mathbb{F}_{p^{p^2}}, \ldots$ of Artin-Schreier extensions of $\mathbb{F}_p$
• Gao and Mateer improved it to $O(n \log n \log(\log n))$ when $p = 2$ and $f \in \mathbb{F}_{2^{2^k}}[x]$
• We showed that van der Hoeven and Larrieu's idea of using the Frobenius automorphism to accelerate polynomial multiplication beautifully generalizes to the Cantor-Gao-Mateer FFT

Additive FFT
Let $s(x) = x^2 + x$, $s_0(x) = x$ and $s_i(x) := \underbrace{s(s(\cdots s}_{i \text{ times}}(x) \cdots)) = s^{\circ i}(x)$
• Let $W_i$ be the zero set of $s_i(x) = \prod_{\omega \in W_i} (x - \omega)$, then $\mathbb{F}_2 = W_1 \subset W_2 \subset \cdots \subset \overline{\mathbb{F}}_2$
• Since the $s_i$ are linear, the $W_i$ are vector spaces over $\mathbb{F}_2$
• Since $s_{2^k}(x) = x^{2^{2^k}} + x$, $W_{2^k}$ is the field $\mathbb{F}_{2^{2^k}}$, e.g. $W_1 = \mathbb{F}_2$, $W_2 = \mathbb{F}_{2^2}$, $W_4 = \mathbb{F}_{2^4}$, $W_8 = \mathbb{F}_{2^8}$, ...
• Cantor showed that there is a basis $(v_0, v_1, v_2, \ldots)$ such that $W_i = \mathrm{span}\{ v_0, v_1, \ldots, v_{i-1} \}$ and $s(v_i) = v_i^2 + v_i = v_{i-1}$
• We'll denote $a_0 v_0 + a_1 v_1 + \ldots + a_{d-1} v_{d-1}$ as $a_{d-1} a_{d-2} \ldots a_0$, e.g. 1101 is $v_3 + v_2 + v_0$.

Additive FFT - Subproduct Tree
$s_k(x) + \alpha$ can be written as the product of $s_{k-1}(x) + \beta$ and $s_{k-1}(x) + \beta + 1$, where $\beta^2 + \beta = \alpha$.
Node: $s_k(x) + \alpha$
• left child: $s_{k-1}(x) + \beta$
• right child: $s_{k-1}(x) + \beta + 1$
right child = left child + 1

Additive FFT
Subproduct tree, level by level:
• $s_3(x)$
• $s_2(x)$, $s_2(x) + 1$
• $s_1(x)$, $s_1(x) + 1$, $s_1(x) + v_1$, $s_1(x) + v_1 + 1$
• $x$, $x + 1$, $x + v_1$, $x + v_1 + 1$, $x + v_2$, $x + v_2 + 1$, $x + v_2 + v_1$, $x + v_2 + v_1 + 1$

Additive FFT
The roots of the polynomials in the subproduct tree, level by level. The "X" means it could take 0 or 1.
• XXX
• 0XX, 1XX
• 00X, 01X, 10X, 11X
• 000, 001, 010, 011, 100, 101, 110, 111

Additive FFT
Remainder tree, level by level:
• $f(x) \bmod s_3(x)$
• $f(x) \bmod s_2(x)$, $f(x) \bmod (s_2(x) + 1)$
• $f(x) \bmod s_1(x)$, $f(x) \bmod (s_1(x) + 1)$, $f(x) \bmod \ldots$, $f(x) \bmod \ldots$
• $f(0)$, $f(1)$, $f(v_1)$, $f(v_1 + 1)$, $f(v_2)$, $f(v_2 + 1)$, $f(v_2 + v_1)$, $f(v_2 + v_1 + 1)$

Additive FFT
Let $f(x) \bmod (s_n(x) + \alpha) = P(x)\, s_{n-1}(x) + Q(x)$ [Gao-Mateer], then the node $f(x) \bmod (s_n(x) + \alpha)$ has the children
• $f(x) \bmod (s_{n-1}(x) + \beta) = Q(x) + \beta P(x)$
• $f(x) \bmod (s_{n-1}(x) + \beta + 1) = Q(x) + \beta P(x) + P(x)$
Let the left child be $f_0(x)$ and the right child be $f_1(x)$, then
$f_0(x) = Q(x) + \beta P(x)$
$f_1(x) = P(x) + f_0(x)$
By applying this recursively, we get $\{ f(x) \bmod (x + \omega) \mid s_n(\omega) = \alpha \} = \{ f(\omega) \mid \omega \in W_i + \gamma \}$ where $s_n(\gamma) = \alpha$

Frobenius Additive FFT
Question: Given $d$ a power of two, when computing the additive FFT of $f$ in $\mathbb{F}_{2^d}[x]$, can we achieve a d-times speedup if $f$ actually admits only coefficients in $\mathbb{F}_2$?
Save some computation by using the Frobenius automorphism: $f(w^2) = (f(w))^2$
⇒ If we have $f(w)$, $f(w^2)$ can be obtained efficiently. Only need to evaluate a subset of the original points

Orbits under the action of $\phi : x \mapsto x^2$
Denote the orbit of $w$ under the action of $\phi$ by $\mathrm{Orb}_w = \{ w, \phi(w), \phi^{\circ 2}(w), \phi^{\circ 3}(w), \phi^{\circ 4}(w), \ldots \} = \{ w, w^2, w^4, w^8, w^{16}, \ldots \}$
• For $w \in W_{i+1} \setminus W_i$, $|\mathrm{Orb}_w| = 2^{\lfloor \lg i \rfloor + 1}$
• How the action affects the points: $\phi^{\circ 2^k}(x) = s_{2^k}(x) + x$. It changes the positions whose distance from the most significant bit is $2^k$

Main Result: the Cross section of the orbit
Let $\Sigma_0 = \{ 0 \}$, and $\forall k > 0$, let
$\Sigma_k = \{ v_{k-1} + j_1 v_{k-2} + \cdots + j_{k-1} v_0 : j_i = 0 \text{ if } i \text{ is a power of 2},\ j_i \in \{0, 1\} \text{ otherwise} \}$ = 100X0XXX0XXXXXXX0XX...
Theorem: $\Sigma_k$ is a cross section of $W_k \setminus W_{k-1}$. That is, $\forall k > 0$, $\forall w \in W_k \setminus W_{k-1}$, there exists exactly one $\sigma \in \Sigma_k$ such that $\phi^{\circ j}(\sigma) = w$ for some $j$.
A cross section of $W_m$ is $\Sigma_0 \cup \Sigma_1 \cup \Sigma_2 \cup \ldots \cup \Sigma_m$.
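
Added example (not from the slides): a Python check of the orbit structure and the cross-section theorem in $W_8 = \mathbb{F}_{2^8}$. The reduction polynomial 0x11B, the brute-force search for the Cantor basis and all function names are assumptions made for this illustration.

```python
MOD, D = 0x11B, 8  # assumed modulus x^8+x^4+x^3+x+1 for GF(2^8) (constructed example)

def gf_mul(a, b):
    """Multiply in GF(2^8): carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> D:
            a ^= MOD
    return r

def cantor_basis():
    """v_0 = 1 and s(v_i) = v_i^2 + v_i = v_{i-1}, solved by brute force."""
    basis = [1]
    while len(basis) < D:
        basis.append(next(v for v in range(1 << D)
                          if (gf_mul(v, v) ^ v) == basis[-1]))
    return basis

def point(bits, basis):
    """Map the bit string a_{d-1}...a_0 to the field element sum of a_i v_i."""
    x = 0
    for i, v in enumerate(basis):
        x ^= v if bits >> i & 1 else 0
    return x

def sigma(k):
    """Bit patterns of Sigma_k: top bit v_{k-1}, j_i = 0 when i is a power of 2."""
    if k == 0:
        return [0]
    out = [1 << (k - 1)]
    for i in range(1, k):
        if i & (i - 1):  # i is not a power of two, so j_i is free
            out += [b | 1 << (k - 1 - i) for b in out]
    return out

def orbit(w):
    """Frobenius orbit [w, w^2, w^4, ...] of a field element."""
    seen = [w]
    while (x := gf_mul(seen[-1], seen[-1])) != w:
        seen.append(x)
    return seen

def is_cross_section(k, basis):
    """True iff the orbits of Sigma_k are disjoint and cover W_k \\ W_{k-1}."""
    target = {point(b, basis) for b in range(1 << (k - 1), 1 << k)}
    orbits = [orbit(point(b, basis)) for b in sigma(k)]
    return set().union(*orbits) == target and sum(map(len, orbits)) == len(target)
```

Summing `len(sigma(k))` for k = 0..8 gives 36 evaluation points in place of the 256 points of $W_8$.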