diff --git a/posts/circlestarks.md b/posts/circlestarks.md index 5120a070..a4b56f3f 100644 --- a/posts/circlestarks.md +++ b/posts/circlestarks.md 
@@ -68,7 +68,7 @@ To do this domain reduction, we needed a _two-to-one map_: $\{x, -x\} \rightarro You can think of this as being an operation of taking a line that goes around a circle, and stretching that line until it makes two rotations along that circle. A point at x degrees becomes a point at 2x degrees. Each point from 0...179 degrees has a corresponding point at 180...359 degrees that it ends up overlapping with. And you can repeat this procedure again and again. -For this to work, you need the original multiplicative subgroup to have a size with a large power of 2 as a product. BabyBear has modulus $15 * 2^{27} + 1$, and so the largest possible subgroup is all nonzero values - hence, size $15 * 2^{27}$. This is very friendly to the above technique. You could take a subgroup of size $2^{27}$, or you could just take that full set, do the FRI to reduce the polynomial all the way down to degree 15, and then check tthe degree directly at the end. Mersenne31, however, does not work in this way. The modulus is $2^{31} - 1$, and so the multiplicative subgroup has size $2^{31} - 2$. This can be divided by 2 only once. From there forward, we have no way to do an FFT - at least not using the technique above. +For this to work, you need the original multiplicative subgroup to have a size with a large power of 2 as a product. BabyBear has modulus $15 * 2^{27} + 1$, and so the largest possible subgroup is all nonzero values - hence, size $15 * 2^{27}$. This is very friendly to the above technique. You could take a subgroup of size $2^{27}$, or you could just take that full set, do the FRI to reduce the polynomial all the way down to degree 15, and then check the degree directly at the end. Mersenne31, however, does not work in this way. The modulus is $2^{31} - 1$, and so the multiplicative subgroup has size $2^{31} - 2$. This can be divided by 2 only once. From there forward, we have no way to do an FFT - at least not using the technique above. 
This is a tragedy, because Mersenne31 is a _super-convenient_ field to do arithmetic in using existing 32-bit CPU/GPU operations. If you add two numbers, the result may be above $2^{31}-1$, but you can reduce it by doing $x \rightarrow x + (x >> 31)$, where $>>$ is a bit shift. For multiplication, you can do something similar, though you need to use a special (but commonly available) opcode that returns the "high-order bits" of a multiplication result (ie. $floor(\frac{xy}{2^{32}})$). This allows arithmetic to be around 1.3x more efficient than BabyBear. If we _could_ do FRI over Mersenne31, it would make things significantly better for us.
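Review bot: the `+` line still reads "a size with a large power of 2 as a product" where "as a factor" is meant (the point is that the group order must be divisible by a large power of 2, not that it is a product of one); since the "tthe" -> "the" fix already touches this line, correct that wording in the same commit. The arithmetic on that line checks out: $2^{31} - 2 = 2 \cdot (2^{30} - 1)$ and $2^{30} - 1$ is odd, so "can be divided by 2 only once" is right. In the trailing context line, the addition reduction $x \rightarrow x + (x >> 31)$ is missing the mask: because $2^{31} \equiv 1 \pmod{2^{31}-1}$, the step is $(x \bmod 2^{31}) + (x >> 31)$, i.e. keep the low 31 bits and add the carry bit, followed by one conditional subtraction of $2^{31}-1$ since the sum can reach exactly that value; "ie." there should also be "i.e.". Both are outside the scope of a typo fix but sit on lines this hunk already shows.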