zinc_uair/ideal/

rotation.rs

use crate::{
    ideal::{Ideal, IdealCheck, IdealCheckError},
    ideal_collector::IdealOrZero,
};
use crypto_primitives::{FromWithConfig, PrimeField, Semiring};
use num_traits::{Euclid, Zero};
use zinc_poly::{EvaluatablePolynomial, univariate::dynamic::over_field::DynamicPolynomialF};
use zinc_utils::from_ref::FromRef;

/// An ideal of `R[X]` generated by `X^W - generating_root`.
///
/// - `W = 1`: the ideal `(X - a)`, checked via point evaluation at `a`.
/// - `W > 1`: the ideal `(X^W - a)`, checked via polynomial reduction modulo
///   `X^W - a`.
///
/// The compile-time `W` parameter allows the membership check to
/// specialize: `W = 1` avoids allocating a remainder buffer and uses
/// Horner evaluation, while `W > 1` uses a chunk-based reduction.
#[derive(Clone, Copy, Debug)]
pub struct RotationIdeal<R: Semiring, const W: usize> {
    generating_root: R,
}

impl<R: Semiring, const W: usize> RotationIdeal<R, W> {
    /// Creates a new ideal of `R[X]` generated by `X^W - generating_root`.
    pub fn new(generating_root: R) -> Self {
        const { assert!(W >= 1, "Rotation ideal degree W must be at least 1") };
        Self { generating_root }
    }
}

impl<R: Semiring, const W: usize> FromRef<RotationIdeal<R, W>> for RotationIdeal<R, W> {
    #[inline(always)]
    fn from_ref(ideal: &RotationIdeal<R, W>) -> Self {
        ideal.clone()
    }
}

impl<R: Semiring, const W: usize> Ideal for RotationIdeal<R, W> {}

impl<F: PrimeField, const W: usize> RotationIdeal<F, W> {
    pub fn from_with_cfg<R>(ideal_over_ring: &RotationIdeal<R, W>, field_cfg: &F::Config) -> Self
    where
        R: Semiring,
        F: for<'a> FromWithConfig<&'a R>,
    {
        Self {
            generating_root: F::from_with_cfg(&ideal_over_ring.generating_root, field_cfg),
        }
    }
}

impl<F: PrimeField, const W: usize> IdealCheck<DynamicPolynomialF<F>>
    for IdealOrZero<RotationIdeal<F, W>>
{
    fn contains(&self, value: &DynamicPolynomialF<F>) -> Result<bool, IdealCheckError> {
        if value.is_zero() {
            return Ok(true);
        }

        match self {
            IdealOrZero::NonZero(RotationIdeal { generating_root }) => {
                if !value.coeffs.is_empty() {
                    // We could technically do the conversion here, but this is not expected
                    // to happen and likely signifies a bug.
                    let coeffs_modulus = value.coeffs[0].modulus();
                    if coeffs_modulus != generating_root.modulus() {
                        return Err(IdealCheckError(format!(
                            "Coefficient modulus {:?} doesn not match generating root modulus {:?}",
                            coeffs_modulus,
                            generating_root.modulus()
                        )));
                    }
                }

                if W == 1 {
                    Ok(F::is_zero(
                        &value
                            .evaluate_at_point(generating_root)
                            .expect("arithmetic overflow"),
                    ))
                } else {
                    Ok(remainder_is_zero::<F, W>(&value.coeffs, generating_root))
                }
            }
            IdealOrZero::Zero => Ok(value.is_zero()),
        }
    }
}

/// Checks whether the polynomial with the given `coeffs` lies in the ideal
/// `(X^W - a)`, i.e., whether `p(X) mod (X^W - a) == 0`.
///
/// Groups coefficients into chunks of `W` and folds from highest to lowest
/// using `rem = a * rem + chunk`, which is the Horner scheme applied to the
/// "base-`X^W`" representation of `p(X)`.
#[allow(clippy::arithmetic_side_effects)] // Was hand-checked to be correct.
fn remainder_is_zero<F: PrimeField, const W: usize>(coeffs: &[F], a: &F) -> bool {
    debug_assert!(W > 0, "Was pre-checked so this cannot fail");

    if coeffs.is_empty() {
        return true;
    }

    let cfg = coeffs[0].cfg();
    let zero = F::zero_with_cfg(cfg);
    let mut rem: [F; W] = std::array::from_fn(|_| zero.clone());

    let n = coeffs.len();
    let (num_full_chunks, partial_len) = n.div_rem_euclid(&W);

    if partial_len > 0 {
        let start = num_full_chunks * W;
        for (j, coeff) in coeffs[start..].iter().enumerate().take(partial_len) {
            rem[j] = coeff.clone();
        }
    }

    for chunk_idx in (0..num_full_chunks).rev() {
        let start = chunk_idx * W;
        for j in 0..W {
            rem[j] *= a;
            rem[j] += &coeffs[start + j];
        }
    }

    rem.iter().all(F::is_zero)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crypto_bigint::{U128, const_monty_params};
    use crypto_primitives::crypto_bigint_const_monty::ConstMontyField;
    use num_traits::{ConstZero, Euclid};

    const_monty_params!(Params, U128, "00000000b933426489189cb5b47d567f");
    type F = ConstMontyField<Params, { U128::LIMBS }>;

    fn poly(coeffs: &[i32]) -> DynamicPolynomialF<F> {
        DynamicPolynomialF::new(coeffs.iter().map(|&c| c.into()).collect::<Vec<_>>())
    }

    #[test]
    fn w1_ideal_contains_member() {
        // (X - 2): polynomial X - 2 should be in ideal (X-2) since eval at 2 is 0.
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 1>::new(F::from(2)));
        let p = poly(&[-2, 1]); // X - 2
        assert!(ideal.contains(&p).unwrap());
    }

    #[test]
    fn w1_ideal_rejects_nonmember() {
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 1>::new(F::from(2)));
        let p = poly(&[1, 1]); // X + 1, eval at 2 = 3 ≠ 0
        assert!(!ideal.contains(&p).unwrap());
    }

    #[test]
    fn w2_ideal_contains_generator() {
        // (X^2 - 1): the polynomial X^2 - 1 should be in this ideal.
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 2>::new(F::from(1)));
        let p = poly(&[-1, 0, 1]); // X^2 - 1
        assert!(ideal.contains(&p).unwrap());
    }

    #[test]
    fn w2_ideal_contains_multiple_of_generator() {
        // (X^2 - 1): X * (X^2 - 1) = X^3 - X should be in the ideal.
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 2>::new(F::from(1)));
        let p = poly(&[0, -1, 0, 1]); // X^3 - X
        assert!(ideal.contains(&p).unwrap());
    }

    #[test]
    fn w2_ideal_rejects_nonmember() {
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 2>::new(F::from(1)));
        let p = poly(&[1, 1]); // X + 1
        assert!(!ideal.contains(&p).unwrap());
    }

    #[test]
    fn w3_ideal_contains_member() {
        // (X^3 - 2): the polynomial X^3 - 2 should be in the ideal.
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 3>::new(F::from(2)));
        let p = poly(&[-2, 0, 0, 1]); // X^3 - 2
        assert!(ideal.contains(&p).unwrap());
    }

    #[test]
    fn w3_ideal_rejects_nonmember() {
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 3>::new(F::from(2)));
        let p = poly(&[1, 0, 0, 1]); // X^3 + 1 (not in (X^3 - 2))
        assert!(!ideal.contains(&p).unwrap());
    }

    #[test]
    fn zero_polynomial_always_in_ideal() {
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 4>::new(F::from(5)));
        assert!(ideal.contains(&DynamicPolynomialF::<F>::ZERO).unwrap());
    }

    #[test]
    fn zero_ideal_only_contains_zero() {
        let zero_ideal = IdealOrZero::<RotationIdeal<F, 2>>::zero();
        assert!(zero_ideal.contains(&DynamicPolynomialF::<F>::ZERO).unwrap());
        assert!(!zero_ideal.contains(&poly(&[1])).unwrap());
    }

    #[test]
    fn w2_reduction_cross_check_with_div_rem() {
        // Verify our specialized reduction matches generic Euclidean division.
        let ideal = IdealOrZero::NonZero(RotationIdeal::<F, 2>::new(F::from(3)));
        let divisor = poly(&[-3, 0, 1]); // X^2 - 3

        for p in [
            poly(&[1, 2, 3, 4, 5]),
            poly(&[0, 0, 0, 0, 6]),
            poly(&[-3, 0, 1]),        // X^2 - 3 itself
            poly(&[0, -3, 0, 1]),     // X * (X^2 - 3)
            poly(&[-9, 0, 6, 0, -1]), // -(X^2 - 3)^2 + some remainder
        ] {
            let (_, rem) = p.div_rem_euclid(&divisor);
            let mut rem_trimmed = rem;
            rem_trimmed.trim();
            let is_member_by_divrem = rem_trimmed.is_zero();
            assert_eq!(
                ideal.contains(&p).unwrap(),
                is_member_by_divrem,
                "Mismatch for polynomial: {p}"
            );
        }
    }
}