Calculating root of unity (R, R^2)

Question

Calculating root of unity (R, R^2)

jayavanth opened this issue a year ago · comments

I'm trying to use https://github.com/zkcrypto/ff in Winterfell for an experiment and I wanted to define R and R^2 in it. How do I determine those values with the f128 field (2^128 - 45 * 2^40 + 1) defined in Winterfell?

I'm just trying the fib_small example right now. I tried using R = 2^128 (mod p) but that doesn't seem to work when I do operations on them

Robin Salen · Answer 1 · Tue May 09 2023 17:02:37 GMT+0800 (China Standard Time)

I think you're referring by R and R2 to the values to be used for Montgomery representation (usually powers of two with exponent multiple of 32 or 64 larger than the field modulus). So using R = 2^128 (mod p) would be correct BUT the Winterfell codebase does not use Montgomery representation for f128 but Barret reduction, so the discrepancies you're observing are to be expected.

Jay · Answer 2 · Wed May 10 2023 01:48:08 GMT+0800 (China Standard Time)

@Nashtare Thanks! Are they easily modifyable to use Montgomery representation?
Also, how would I go about changing the field to 64 instead of 128? I tried replacing a bunch of them but I'm getting a lot of errors. Specifically trying to do it for fib_small, and rescue examples

Robin Salen · Answer 3 · Wed May 10 2023 19:34:37 GMT+0800 (China Standard Time)

Are they easily modifyable to use Montgomery representation?

Well, if you want to have Montgomery representation for f128, you'd need to change the Winterfell implementation, which may involve some work to be done. You can have a look at how this is done in f64, or in bls_12_381 Fp implementation for an example on a larger field.

how would I go about changing the field to 64 instead of 128?

Depending on which example you want to run, you may end up having significant changes to do. For example changing the basefield of Rescue would impact all the round constants, the MDS matrix, the degree of the permutations (forward and backward), the size of the state, etc...

Specifically trying to do it for fib_small

For this one you mean moving from f64 to f128 right? Changes to be done would be lighter, though you'd need to remove support for the hash functions specifically working on f64 (RP & Griffin at the moment) as they wouldn't work there.

Jay · Answer 4 · Wed May 10 2023 22:53:18 GMT+0800 (China Standard Time)

Thank you! For now I just ended up deleting the examples to make it work with f64