Introduction
For a function $f$ over a finite field $\mathbb{F}$, the Fast Fourier Transform (FFT) enables us to interpolate and evaluate $f$ over a smooth multiplicative subgroup $H = \{\omega^0, \omega^1, \ldots, \omega^{n-1}\} \subseteq \mathbb{F}^{*}$, i.e. one whose order $n$ is a power of 2.
This simple-sounding operation underlies a vast number of modern computer algorithms. In fact, the FFT is one of the cornerstone mathematical tools upon which the digital world is built. FFTs are vital for encoding and decoding error-correcting codes, where the primary operations often involve evaluating a polynomial at some set of points, and then interpolating the result back after some transformation.
Definitions
Groups
A Fourier transform is defined over a group $G$: a set of elements under multiplication, satisfying:
- Closure: $a \cdot b \in G$
- Associativity: $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
- Identity: there is an element $e \in G$ such that $e \cdot a = a \cdot e = a$
- Inverses: for every $a$ there is an $a^{-1} \in G$ such that $a \cdot a^{-1} = e$

for all $a, b, c \in G$.
Polynomials
We define a univariate polynomial as $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{n-1} x^{n-1} = \sum_{i=0}^{n-1} a_i x^i$, where $a_i \in \mathbb{F}$.
Polynomials can be evaluated. Given a number of points $x_0, x_1, \ldots, x_{n-1}$, we can represent the polynomial as a vector $[y_0, y_1, \ldots, y_{n-1}]$. Here $y_i = f(x_i)$, which is the evaluation of $f$ on $x_i$.
Polynomials can be represented in either coefficient form or evaluation form. When we wish to represent a polynomial in evaluation form over the domain $D = \{x_0, x_1, \ldots, x_{n-1}\}$, we write $f(D) = [f(x_0), f(x_1), \ldots, f(x_{n-1})]$.
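As a quick illustration, here is a small Python sketch of converting a polynomial from coefficient form to evaluation form; the prime modulus $p = 17$, the coefficients, and the domain are arbitrary choices for the example.

```python
# Sketch: coefficient form -> evaluation form over a toy prime field.
# The modulus p = 17, the coefficients, and the domain D are illustrative only.

p = 17

def evaluate(coeffs, x):
    """Horner's rule: evaluate f(x) = a_0 + a_1*x + ... + a_{n-1}*x^(n-1) mod p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

f = [3, 1, 4, 1]                      # coefficient form: f(x) = 3 + x + 4x^2 + x^3
D = [1, 2, 3, 4]                      # evaluation domain
f_D = [evaluate(f, x) for x in D]     # evaluation form f(D)
print(f_D)                            # [9, 12, 1, 16]
```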
Most of the time when working with polynomials, we will be working with polynomials over a field. The central theorem for polynomials over a field is this:
Theorem: Any non-trivial polynomial of degree at most $d$ over a field has at most $d$ roots.
Definitions:
- A non-trivial polynomial is a polynomial that is not identically zero.
- A root of a polynomial $f$ is a value $r$ such that $f(r) = 0$.
Roots of Unity
For an element $\omega \in \mathbb{F}$, if $\omega^n = 1$ then we say that $\omega$ is an $n$-th root of unity. If $\omega$ generates $n$ distinct elements $\{\omega^0, \omega^1, \ldots, \omega^{n-1}\}$, then we call $\omega$ a primitive $n$-th root of unity.
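For example, in the prime field $\mathbb{F}_{17}$ the element $2$ is a primitive 8th root of unity, which a few lines of Python can confirm (the choice of $p = 17$ and $\omega = 2$ is just for illustration):

```python
# Check that w = 2 is a primitive 8th root of unity in F_17 (illustrative values).
p, w, n = 17, 2, 8

powers = [pow(w, i, p) for i in range(n)]
print(powers)                      # [1, 2, 4, 8, 16, 15, 13, 9]
assert pow(w, n, p) == 1           # w^n = 1, so w is an n-th root of unity
assert len(set(powers)) == n       # w generates n distinct elements, so it is primitive
```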
Master Theorem
The Master Theorem helps in analyzing the recursive time complexity of divide-and-conquer algorithms like the Fast Fourier Transform.
Given an algorithm where $n$ is the input size, we denote the runtime of the algorithm by the following relation:

$$T(n) = a \, T(n/b) + f(n)$$

Here $f(n)$ is the time to create (and combine) the subproblems, $n/b$ is the size of each subproblem, and $a$ is the number of child nodes (subproblems) at each level.
Applying the Master Theorem:

For a recurrence of the form:

$$T(n) = a \, T(n/b) + f(n)$$

Where, for the FFT, $a = 2$, $b = 2$, and $f(n) = O(n)$.

Compare $f(n)$ against $n^{\log_b a} = n^{\log_2 2} = n$:

According to the Master Theorem, if $f(n) = \Theta(n^{\log_b a})$, then the recurrence solves to $T(n) = \Theta(n^{\log_b a} \log n)$.

Thus, for FFT:

$$T(n) = 2 \, T(n/2) + O(n) = O(n \log n)$$

This illustrates why the FFT is efficient, with a complexity of $O(n \log n)$ compared to the naive $O(n^2)$ approach.
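To see where the $\log n$ factor comes from, we can also unroll the recurrence directly, writing the $O(n)$ combine cost as $cn$ and assuming $n = 2^k$:

$$T(n) = 2\,T(n/2) + cn = 4\,T(n/4) + 2cn = \cdots = n\,T(1) + cn\log_2 n = O(n \log n)$$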
Polynomial Isomorphism
One of the most powerful results in modern computer science is Shamir’s Secret Sharing Scheme, which enables a secret to be split and shared across a number of parties. Understanding the intuition behind this scheme helps explain why polynomial evaluations and interpolations are such a vital part of modern zero-knowledge proofs.
Central to this scheme is the concept of polynomial isomorphism.
Polynomial isomorphism is a bijective polynomial homomorphism $\phi$ between the polynomial rings $R[x]$ and $S[x]$ that also has an inverse $\phi^{-1}$, such that the following hold (a short code sketch of this correspondence follows the definition):
- Addition: $\phi(f + g) = \phi(f) + \phi(g)$
- Multiplication: $\phi(f \cdot g) = \phi(f) \cdot \phi(g)$
- Identity: $\phi(1) = 1$
- Bijectivity: there exists an inverse $\phi^{-1}$ satisfying $\phi^{-1}(\phi(f)) = f$ and $\phi(\phi^{-1}(h)) = h$ for all $h \in S[x]$

where $f, g \in R[x]$.
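In the FFT setting, the correspondence we care about is the evaluation map itself: adding or multiplying polynomials in coefficient form and then evaluating gives the same result as evaluating first and then operating pointwise. Here is a minimal Python sketch of that (the field $p = 17$, the domain $D$, and the helper names are illustrative assumptions):

```python
# Sketch: the evaluation map is a homomorphism -- operating on coefficients and
# then evaluating equals evaluating and then operating pointwise.
# The modulus p = 17, the domain D, and the polynomials are illustrative only.

p = 17
D = [1, 2, 3, 4, 5, 6]    # enough distinct points to determine the product below

def evaluate(coeffs, x):
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def poly_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(a + b) % p for a, b in zip(f, g)]

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return out

f, g = [1, 2, 3], [5, 0, 7]
assert [evaluate(poly_add(f, g), x) for x in D] == [(evaluate(f, x) + evaluate(g, x)) % p for x in D]
assert [evaluate(poly_mul(f, g), x) for x in D] == [(evaluate(f, x) * evaluate(g, x)) % p for x in D]
```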
Here are the steps we use to conduct the Secret Sharing Scheme; a short code sketch follows the steps.
- Polynomial Construction:
  - A secret $s$ is represented as the constant term of a polynomial $f(x)$ of degree $k - 1$ over a finite field $\mathbb{F}_p$.
  - The polynomial has the form $f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1}$, where $a_0$ is the secret $s$, and $a_1, \ldots, a_{k-1}$ are random coefficients from $\mathbb{F}_p$.
- Creating Shares:
  - Shares are created by evaluating $f$ at $n$ distinct nonzero points $x_1, x_2, \ldots, x_n$ in $\mathbb{F}_p$.
  - Each share is a pair $(x_i, f(x_i))$.
- Secret Reconstruction:
  - To reconstruct the secret $s$, at least $k$ shares are required.
  - Use Lagrange interpolation to find the polynomial $f(x)$ that fits these points.
  - The Lagrange interpolation polynomial is given by: $f(x) = \sum_{i=1}^{k} y_i \prod_{j \neq i} \frac{x - x_j}{x_i - x_j}$
  - The secret is the constant term of this polynomial, i.e., $s = f(0)$.
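Here is a minimal Python sketch of the whole scheme [SHA79], splitting and reconstructing a secret over a prime field. The prime, the $(k, n) = (3, 5)$ parameters, and the use of Python's random module are illustrative choices only; a real implementation needs a large field and a cryptographically secure RNG.

```python
# Sketch of Shamir's (k, n) secret sharing over F_p. Illustrative parameters only.
import random

p = 2**31 - 1          # a small Mersenne prime, fine for a toy example
k, n = 3, 5            # any k of the n shares reconstruct the secret

def make_shares(secret):
    coeffs = [secret] + [random.randrange(p) for _ in range(k - 1)]  # f(0) = secret
    def f(x):
        acc = 0
        for a in reversed(coeffs):
            acc = (acc * x + a) % p
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]      # shares (x_i, f(x_i)), x_i != 0

def reconstruct(shares):
    # Lagrange interpolation evaluated at x = 0: s = sum_i y_i * prod_{j != i} x_j / (x_j - x_i)
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * xj) % p
                den = (den * (xj - xi)) % p
        s = (s + yi * num * pow(den, -1, p)) % p
    return s

shares = make_shares(secret=123456789)
assert reconstruct(shares[:k]) == 123456789   # any k shares recover the secret
```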
Here we can see how shares are obtained by evaluating the polynomial at distinct points. FFTs can efficiently evaluate polynomials at many points at once. This is particularly useful when the points are roots of unity in a finite field, where the FFT brings the cost of evaluating at all $n$ points down to $O(n \log n)$ from the naive $O(n^2)$.
On the other hand, recovering the secret from shares involves polynomial interpolation. The Inverse FFT (IFFT) can efficiently compute polynomial interpolation by transforming frequency domain evaluations into time domain coefficients.
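Concretely, interpolation over the roots of unity is just another FFT, run with the inverse root and a final scaling:

$$\mathrm{IFFT}_{\omega}(\mathbf{y}) = \frac{1}{n}\,\mathrm{FFT}_{\omega^{-1}}(\mathbf{y})$$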
We will see this same principle applied again and again in zero-knowledge cryptography.
Theorem
Given a polynomial $f(x) = \sum_{i=0}^{n-1} a_i x^i$ of degree $n - 1$, assuming $n$ is a power of 2, we use a divide-and-conquer algorithm to recursively split the polynomial:

$$f(x) = f_e(x^2) + x \cdot f_o(x^2)$$

where $f_e$ and $f_o$ are polynomials composed of the even and odd coefficients of $f$, each of degree at most $\frac{n}{2} - 1$.
Here we run into a problem: for our algorithm we want to compute all $n$ evaluations of $f$ over our domain, which requires evaluations of both $f_e$ and $f_o$ at the squares of all $n$ points, not just $n/2$ evaluations. To solve this problem, we will use the primitive root of unity of our domain $D = \{\omega^0, \omega^1, \ldots, \omega^{n-1}\}$.

Because there is a two-to-one correspondence within our domain ($\omega^i$ and $-\omega^i = \omega^{i + n/2}$ are both part of our domain $D$), $\omega^i$ and $-\omega^i$ will always have the same square.
Now observe that:

$$\left(\omega^{i + n/2}\right)^2 = \omega^{2i + n} = \omega^{2i} \cdot \omega^{n} = \omega^{2i} = \left(\omega^i\right)^2$$

This means that when we run through the roots a second time, we arrive at the same set of squares again. By recursively evaluating over half the domain of a cyclic group, we end up evaluating at all the values of the group!
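Putting this together with the even/odd split, one recursive call at the squares serves two evaluation points at once: for $0 \le i < n/2$, since $\omega^{i + n/2} = -\omega^i$,

$$f(\omega^i) = f_e(\omega^{2i}) + \omega^i f_o(\omega^{2i}), \qquad f(\omega^{i + n/2}) = f_e(\omega^{2i}) - \omega^i f_o(\omega^{2i})$$

This pair of equations is the butterfly that every radix-2 FFT implementation is built around.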
Radix-2 Algorithm
Radix-2 is a divide-and-conquer algorithm that breaks each problem into progressively smaller subproblems. The two main methods for defining the subproblems are called Decimation in Time (DIT) and Decimation in Frequency (DIF).
Decimation in Time (DIT)
In DIT, the idea is to decompose the polynomial into its even- and odd-indexed terms, $f(x) = f_e(x^2) + x \cdot f_o(x^2)$:
- $f_e(x^2)$: Contains the coefficients of the even-indexed terms of the original polynomial.
- $x \cdot f_o(x^2)$: Contains the coefficients of the odd-indexed terms of the original polynomial, scaled by $x$.
Decimation in Frequency (DIF)
In DIF, we split the polynomial differently, into the sum of its first half and its second half of terms, $f(x) = f_{\mathrm{lo}}(x) + x^{n/2} \cdot f_{\mathrm{hi}}(x)$:
- $f_{\mathrm{lo}}(x)$: Sum of the terms from the first half of the polynomial.
- $x^{n/2} \cdot f_{\mathrm{hi}}(x)$: Sum of the terms from the second half of the polynomial, shifted by $x^{n/2}$.
Implementation
Now let’s see how this algorithm is actually implemented. Here we have two examples, one for a DIT FFT and one for a DIF FFT.
Here the FFT is decimated in time.
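A minimal recursive sketch in Python (the prime $p = 17$, the root $\omega = 2$, and the sample coefficients are illustrative assumptions, not part of the algorithm):

```python
# Recursive radix-2 DIT FFT over a prime field (sketch; p = 17 and w = 2 are
# illustrative -- w must be a primitive n-th root of unity for the input size n).

p = 17

def fft_dit(coeffs, w):
    """Evaluate the polynomial with these coefficients at w^0, w^1, ..., w^(n-1) mod p."""
    n = len(coeffs)
    if n == 1:
        return coeffs[:]
    w2 = (w * w) % p
    even = fft_dit(coeffs[0::2], w2)   # f_e evaluated at the squares of the domain
    odd = fft_dit(coeffs[1::2], w2)    # f_o evaluated at the squares of the domain
    out = [0] * n
    wi = 1
    for i in range(n // 2):
        t = (wi * odd[i]) % p
        out[i] = (even[i] + t) % p             # f(w^i)       = f_e(w^(2i)) + w^i * f_o(w^(2i))
        out[i + n // 2] = (even[i] - t) % p    # f(w^(i+n/2)) = f_e(w^(2i)) - w^i * f_o(w^(2i))
        wi = (wi * w) % p
    return out

coeffs = [3, 1, 4, 1, 5, 9, 2, 6]
evals = fft_dit(coeffs, w=2)   # 2 is a primitive 8th root of unity mod 17
# Sanity check against the naive O(n^2) evaluation:
assert evals == [sum(c * pow(2, i * j, p) for j, c in enumerate(coeffs)) % p for i in range(8)]
```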
And here the FFT is decimated in frequency.
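A matching Python sketch of the DIF variant (same illustrative field and root); note that the outputs come back in bit-reversed order, which is characteristic of DIF:

```python
# Recursive radix-2 DIF FFT over a prime field (sketch; p = 17 and w = 2 are
# illustrative). The first/second-half split is done before recursing, and the
# results come out in bit-reversed order.

p = 17

def fft_dif(values, w):
    n = len(values)
    if n == 1:
        return values[:]
    half = n // 2
    first, second = [0] * half, [0] * half
    wi = 1
    for i in range(half):
        first[i] = (values[i] + values[i + half]) % p           # sums -> even-indexed outputs
        second[i] = ((values[i] - values[i + half]) * wi) % p   # scaled differences -> odd-indexed outputs
        wi = (wi * w) % p
    w2 = (w * w) % p
    return fft_dif(first, w2) + fft_dif(second, w2)

coeffs = [3, 1, 4, 1, 5, 9, 2, 6]
out = fft_dif(coeffs, w=2)
bitrev = [0, 4, 2, 6, 1, 5, 3, 7]              # bit-reversal permutation for n = 8
evals = [out[bitrev[i]] for i in range(8)]     # undo the bit-reversed output order
assert evals == [sum(c * pow(2, i * j, p) for j, c in enumerate(coeffs)) % p for i in range(8)]
```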
Bit-Reversal
When implementing the Radix-2 Algorithm, the area which seems to give people by far the most trouble is the idea of bit-reversal. However, the idea itself is actually quite simple. Bit reversal enables us to split the FFT input into even and odd parts without additional data shuffling during the computation.
This ensures that the structure of the computation follows the order necessary to achieve the optimal $O(n \log n)$ complexity.
Here is an illustration of how it works in practice.
Visualization
Original Indices and Binary Representation:

0 → 000, 1 → 001, 2 → 010, 3 → 011, 4 → 100, 5 → 101, 6 → 110, 7 → 111

Bit-Reversed Indices:

Reverse the binary representation of each index:

000 → 000 (0), 001 → 100 (4), 010 → 010 (2), 011 → 110 (6), 100 → 001 (1), 101 → 101 (5), 110 → 011 (3), 111 → 111 (7)

Data Reordered According to Bit-Reversed Indices:

If the original data points were [x0, x1, x2, x3, x4, x5, x6, x7], after bit-reversal the inputs are arranged as [x0, x4, x2, x6, x1, x5, x3, x7].
FFT Stages with Pre-Arranged Data:

Stage 1: Intermediate DFTs of size 2: combine adjacent pairs (x0, x4), (x2, x6), (x1, x5), (x3, x7) with one butterfly each.

Stage 2: Intermediate DFTs of size 4: combine neighboring size-2 results into two size-4 DFTs, applying the appropriate twiddle factors.

Stage 3: Final DFT of size 8: combine the two size-4 DFTs into the final size-8 output, which emerges in natural order.
A key difference to note:
- DIT: Bit reversal is used before FFT computation to rearrange input data.
- DIF: Bit reversal is used after FFT computation to rearrange the final output.
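For completeness, here is a small Python helper that computes the bit-reversal permutation used above (the function name is ours; $n$ is assumed to be a power of two):

```python
# Bit-reversal permutation for an input whose length n is a power of two.

def bit_reverse_permute(data):
    n = len(data)
    bits = n.bit_length() - 1                       # log2(n)
    out = [None] * n
    for i in range(n):
        rev = int(format(i, f"0{bits}b")[::-1], 2)  # reverse the binary representation of i
        out[rev] = data[i]
    return out

print(bit_reverse_permute(["x0", "x1", "x2", "x3", "x4", "x5", "x6", "x7"]))
# ['x0', 'x4', 'x2', 'x6', 'x1', 'x5', 'x3', 'x7']
```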
References
[SHA79] Shamir, Adi. “How to Share a Secret.” Communications of the ACM 22, no. 11 (1979): 612-613. https://dl.acm.org/doi/pdf/10.1145/359168.359176
[CT65] Cooley, James W., and John W. Tukey. “An Algorithm for the Machine Calculation of Complex Fourier Series.” Mathematics of Computation 19 (1965): 297-301.
[CG00] Chu, Eleanor, and Alan George. “Inside the FFT Black Box: Serial and Parallel Fast Fourier Transform Algorithms.” CRC Press (2000). https://dsp-book.narod.ru/FFTBB/0270_PDF_TOC.pdf
[A23] Abraham, Ittai. “The Fast Fourier Transform over Finite Fields.” (2023). https://decentralizedthoughts.github.io/2023-09-01-FFT/
[V19] Buterin, Vitalik. “Fast Fourier Transforms.” (2019). https://vitalik.eth.limo/general/2019/05/12/fft.html