Additive NTT Algorithm (Algorithm 2, LCH14)

This file defines the FRI-Binius ([DP24]) variant of the Additive NTT algorithm originally introduced in [LCH14]. This variant adopts concrete optimizations and a different proof strategy, making it highly suitable for the FRI-Binius proof system, while still fully complying with the original algorithm in [LCH14] through a different interpretation.

Main Definitions

• sDomain: The intermediate evaluation domain S⁽ⁱ⁾ for the round i in the Additive NTT algorithm

• qMap: The quotient map q⁽ⁱ⁾(X) that relates successive domains

• intermediateNormVpoly: The i-th order subspace vanishing polynomials Ŵₖ⁽ⁱ⁾ over domain S⁽ⁱ⁾

• intermediateNovelBasisX: The intermediate novel basis Xⱼ⁽ⁱ⁾ for the round i in the Additive NTT algorithm

• intermediateEvaluationPoly: The intermediate evaluation polynomial P⁽ⁱ⁾(X) for the round i in the Additive NTT algorithm

• additiveNTT: The main implementation of the Additive NTT encoding algorithm.

• NTTStage: The main implementation of each NTT stage in the Additive NTT encoding algorithm.

• additiveNTT_correctness: Main correctness statement of the encoding algorithm.

• additiveNTTInvariant: Describes the invariant for each loop in the algorithm, which states whether the result of an encoding round is correct

• NTTStage_correctness: Main correctness statement of each NTT stage in the encoding algorithm, this proves that if the previous round satisfies the invariant, then the current round also

References

• [Diamond, B.E. and Posen, J., Polylogarithmic proofs for multilinears over binary towers][DP24]
• [Lin, S., Chung, W., and Han, Y.S., Novel polynomial basis and its application to reed-solomon erasure codes][LCH14]
• [Von zur Gathen, J. and Gerhard, J., Arithmetic and factorization of polynomial over F2 (extended abstract)][GGJ96]

TODOs

• Define computable additive NTT and transfer correctness proof to it

theorem AdditiveNTT.𝔽q_element_eq_zero_or_eq_one (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [DecidableEq 𝔽q] [hF₂ : Fact (Fintype.card 𝔽q = 2)] (c : 𝔽q) : c = 0 ∨ c = 1

1. Intermediate Structures: Domains, Maps, and Bases

This section defines the intermediate evaluation domains, quotient maps, and the structure of the subspace vanishing polynomials and their bases. These are the core algebraic objects underlying the Additive NTT algorithm.

noncomputable def AdditiveNTT.sDomain {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) : Subspace 𝔽q L

The intermediate evaluation domain S⁽ⁱ⁾, defined as the image of the full evaluation space under the normalized subspace vanishing polynomial Ŵᵢ(X). ∀ i ∈ {0, ..., r-1}, we define Uᵢ:= <β₀, ..., βᵢ₋₁>_{𝔽q}, note that Uᵣ is not used. ∀ i ∈ {0, ..., r-1}, S⁽ⁱ⁾ is the image of the subspace U_{ℓ+R} under the 𝔽q-linear map x ↦ Ŵᵢ(x).

noncomputable def AdditiveNTT.qMap {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) (i : Fin r) : Polynomial L

The quotient map q⁽ⁱ⁾(X) that relates successive domains. q⁽ⁱ⁾(X) := (Wᵢ(βᵢ)^q / Wᵢ₊₁(βᵢ₊₁)) * ∏_{c ∈ 𝔽q} (X - c). Usable range is ∀ i ∈ {0, ..., r-2}

theorem AdditiveNTT.qMap_eval_𝔽q_eq_0 {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) (i : Fin r) (c : 𝔽q) : Polynomial.eval ((algebraMap 𝔽q L) c) (qMap 𝔽q β i) = 0

theorem AdditiveNTT.qMap_comp_normalizedW {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] (i : Fin r) (h_i_add_1 : ↑i + 1 < r) : (qMap 𝔽q β i).comp (normalizedW 𝔽q β i) = normalizedW 𝔽q β (i + 1)

Lemma 4.2. The quotient maps compose with the Ŵ polynomials. q⁽ⁱ⁾ ∘ Ŵᵢ = Ŵᵢ₊₁, ∀ i ∈ {0, ..., r-2}.

theorem AdditiveNTT.qMap_is_linear_map {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) (i : Fin r) : IsLinearMap 𝔽q fun (inner_p : Polynomial L) => (qMap 𝔽q β i).comp inner_p

The evaluation of the quotient map q⁽ⁱ⁾(X) is an 𝔽q-linear map. Usable range is ∀ i ∈ {0, ..., r-2}.

theorem AdditiveNTT.qMap_maps_sDomain {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i_add_1 : ↑i + 1 < r) : have q_comp_linear_map := ⋯; have q_eval_linear_map := ⋯; have q_i_map := polyEvalLinearMap (qMap 𝔽q β i) q_eval_linear_map; have S_i := sDomain 𝔽q β h_ℓ_add_R_rate i; have S_i_plus_1 := sDomain 𝔽q β h_ℓ_add_R_rate (i + 1); Submodule.map q_i_map S_i = S_i_plus_1

Theorem 4.3. The quotient map q⁽ⁱ⁾ maps the domain S⁽ⁱ⁾ to S⁽ⁱ⁺¹⁾. Usable range is ∀ i ∈ {0, ..., r-2}.

@[irreducible]

noncomputable def AdditiveNTT.qCompositionChain {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (i : Fin r) : Polynomial L

The composition q⁽ⁱ⁻¹⁾ ∘ ... ∘ q⁽⁰⁾ ∘ X.

theorem AdditiveNTT.qCompositionChain_eq_foldl {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (i : Fin r) : qCompositionChain 𝔽q β i = Fin.foldl (↑i) (fun (acc : Polynomial L) (j : Fin ↑i) => (qMap 𝔽q β ⟨↑j, ⋯⟩).comp acc) Polynomial.X

Prove the equality between the recursive definition of qCompositionChain and the Fin.foldl form.

theorem AdditiveNTT.normalizedW_eq_qMap_composition {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] (ℓ R_rate : ℕ) (i : Fin r) : normalizedW 𝔽q β i = qCompositionChain 𝔽q β i

Corollary 4.4. For each i ∈ {0, ..., r-1}, we have Ŵᵢ = q⁽ⁱ⁻¹⁾ ∘ ... ∘ q⁽⁰⁾ (with the convention that for i = 0, this is just X).

noncomputable def AdditiveNTT.sDomainBasisVectors {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) : Fin (ℓ + R_rate - ↑i) → L

The vectors y_j^{(i)} = Ŵᵢ(β_j) for j ∈ {i, ..., ℓ+R-1}.

theorem AdditiveNTT.sDomainBasisVectors_mem_sDomain {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (k : Fin (ℓ + R_rate - ↑i)) : sDomainBasisVectors 𝔽q β h_ℓ_add_R_rate i k ∈ sDomain 𝔽q β h_ℓ_add_R_rate i

The vectors sDomainBasisVectors are indeed elements of the subspace sDomain, ∀ i ∈ {0, ..., r-1}.

def AdditiveNTT.sBasis {r : ℕ} {L : Type u} (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : Fin (ℓ + R_rate - ↑i) → L

The S basis

theorem AdditiveNTT.sBasis_range_eq {r : ℕ} {L : Type u} (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : β '' Set.Ico i ⟨ℓ + R_rate, h_ℓ_add_R_rate⟩ = Set.range (sBasis β h_ℓ_add_R_rate i h_i)

theorem AdditiveNTT.sDomain_eq_image_of_upper_span {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : have V_i := Submodule.span 𝔽q (Set.range (sBasis β h_ℓ_add_R_rate i h_i)); have W_i_map := polyEvalLinearMap (normalizedW 𝔽q β i) ⋯; sDomain 𝔽q β h_ℓ_add_R_rate i = Submodule.map W_i_map V_i

S⁽ⁱ⁾ is the image over Wᵢ(X) of the the subspace spanned by {βᵢ, ..., β_{ℓ+R-1}}. Usable range is ∀ i ∈ {0, ..., ℓ+R-1}.

noncomputable def AdditiveNTT.sDomain_basis {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : Module.Basis (Fin (ℓ + R_rate - ↑i)) 𝔽q ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)

Corollary 4.5. The set {Ŵᵢ(βᵢ), ..., Ŵᵢ(β_{ℓ+R-1})} is an 𝔽q-basis for S⁽ⁱ⁾.

theorem AdditiveNTT.get_sDomain_basis {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) (k : Fin (ℓ + R_rate - ↑i)) : ↑((sDomain_basis 𝔽q β h_ℓ_add_R_rate i h_i) k) = Polynomial.eval (β ⟨↑i + ↑k, ⋯⟩) (normalizedW 𝔽q β i)

theorem AdditiveNTT.get_sDomain_first_basis_eq_1 {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : ↑((sDomain_basis 𝔽q β h_ℓ_add_R_rate i h_i) ⟨0, ⋯⟩) = 1

noncomputable instance AdditiveNTT.fintype_sDomain {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) : Fintype ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)

theorem AdditiveNTT.sDomain_card {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : Fintype.card ↥(sDomain 𝔽q β h_ℓ_add_R_rate i) = Fintype.card 𝔽q ^ (ℓ + R_rate - ↑i)

Domain-Index Bijections

Bijections between elements in S^(i) and Fin (2^(ℓ + R_rate - i)) for use in Binary Basefold protocol implementations.

def AdditiveNTT.splitPointIntoCoeffs {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [DecidableEq 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)) : Fin (ℓ + R_rate - ↑i) → ℕ

noncomputable def AdditiveNTT.sDomainToFin {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [DecidableEq 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)) : Fin (2 ^ (ℓ + R_rate - ↑i))

Convert an element of S^(i) to its index in Fin (2^(ℓ + R_rate - i)). This uses the basis representation of elements in the domain. This requires 𝔽q = 𝔽₂ for the bijection to work.

def AdditiveNTT.finToBinaryCoeffs {r : ℕ} (𝔽q : Type u) [Field 𝔽q] {ℓ R_rate : ℕ} (i : Fin r) (idx : Fin (2 ^ (ℓ + R_rate - ↑i))) : Fin (ℓ + R_rate - ↑i) → 𝔽q

theorem AdditiveNTT.finToBinaryCoeffs_sDomainToFin {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [DecidableEq 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [hF₂ : Fact (Fintype.card 𝔽q = 2)] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)) : have pointFinIdx := sDomainToFin 𝔽q β h_ℓ_add_R_rate i h_i x; finToBinaryCoeffs 𝔽q i pointFinIdx = ⇑((sDomain_basis 𝔽q β h_ℓ_add_R_rate i h_i).repr x)

noncomputable def AdditiveNTT.finToSDomain {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) (idx : Fin (2 ^ (ℓ + R_rate - ↑i))) : ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)

Convert an index in Fin (2 ^ (ℓ + R_rate - i)) to an element of S^(i). This is the inverse of sDomainToFin.

noncomputable def AdditiveNTT.sDomainFinEquiv {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [DecidableEq 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [hF₂ : Fact (Fintype.card 𝔽q = 2)] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : ↥(sDomain 𝔽q β h_ℓ_add_R_rate i) ≃ Fin (2 ^ (ℓ + R_rate - ↑i))

The bijection between S^(i) and Fin (2^(ℓ + R_rate - i)). This requires 𝔽q = 𝔽₂ for the bijection to work properly.

theorem AdditiveNTT.sDomainFin_bijective {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [DecidableEq 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [hF₂ : Fact (Fintype.card 𝔽q = 2)] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin r) (h_i : ↑i < ℓ + R_rate) : Function.Bijective ⇑(sDomainFinEquiv 𝔽q β h_ℓ_add_R_rate i h_i)

2. Intermediate Novel Polynomial Bases Xⱼ⁽ⁱ⁾ and evaluation polynomials P⁽ⁱ⁾

noncomputable def AdditiveNTT.intermediateNormVpoly {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin (ℓ + 1)) (k : Fin (ℓ - ↑i + 1)) : Polynomial L

∀ i ∈ {0, ..., ℓ}, The i-th order subspace vanishing polynomials Ŵₖ⁽ⁱ⁾, Ŵₖ⁽ⁱ⁾ := q⁽ⁱ⁺ᵏ⁻¹⁾ ∘ ⋯ ∘ q⁽ⁱ⁾ for k ∈ {1, ..., ℓ - i -1}, and X for k = 0. -- k ∈ {0, ..., ℓ-i-1}. Note that when i = ℓ, k ∈ Fin 0 does not exists.

theorem AdditiveNTT.intermediateNormVpoly_eval_is_linear_map {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin (ℓ + 1)) (k : Fin (ℓ - ↑i + 1)) : IsLinearMap 𝔽q fun (x : L) => Polynomial.eval x (intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate i k)

theorem AdditiveNTT.base_intermediateNormVpoly {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (k : Fin (ℓ + 1)) : intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨0, ⋯⟩ ⟨↑k, ⋯⟩ = normalizedW 𝔽q β ⟨↑k, ⋯⟩

theorem AdditiveNTT.Polynomial.foldl_comp {L : Type u} [Field L] (n : ℕ) (f : Fin n → Polynomial L) (initInner initOuter : Polynomial L) : Fin.foldl n (fun (acc : Polynomial L) (j : Fin n) => (f j).comp acc) (initOuter.comp initInner) = (Fin.foldl n (fun (acc : Polynomial L) (j : Fin n) => (f j).comp acc) initOuter).comp initInner

theorem AdditiveNTT.Polynomial.comp_same_inner_eq_if_same_outer {L : Type u} [Field L] (f g : Polynomial L) (h_f_eq_g : f = g) (x : Polynomial L) : f.comp x = g.comp x

theorem AdditiveNTT.intermediateNormVpoly_comp_qmap {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (k : Fin (ℓ - ↑i - 1)) : intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑k + 1, ⋯⟩ = (intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ ⟨↑k, ⋯⟩).comp (qMap 𝔽q β ⟨↑i, ⋯⟩)

theorem AdditiveNTT.intermediateNormVpoly_comp {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (k : Fin (ℓ - ↑i + 1)) (l : Fin (ℓ - (↑i + ↑k) + 1)) : intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑k + ↑l, ⋯⟩ = (intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i + ↑k, ⋯⟩ ⟨↑l, ⋯⟩).comp (intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑k, ⋯⟩)

noncomputable def AdditiveNTT.iteratedQuotientMap {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (k : ℕ) (h_bound : ↑i + k ≤ ℓ) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩)) : ↥(sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i + k, ⋯⟩)

Iterated quotient map W_k⁽ⁱ⁾: Maps a point from S⁽ⁱ⁾ to S⁽ⁱ⁺ᵏ⁾ by evaluating the intermediate norm vanishing polynomial at that point. This one mainly proves that the intermediateNormVpoly works with points in the restricted sDomains, instead of the whole field L.

theorem AdditiveNTT.qMap_eval_mem_sDomain_succ {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (h_i_add_1 : ↑i + 1 ≤ ℓ) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩)) : Polynomial.eval (↑x) (qMap 𝔽q β ⟨↑i, ⋯⟩) ∈ sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩

The evaluation of qMap on an element from sDomain i belongs to sDomain (i+1). This is a key property that qMap maps between successive domains.

theorem AdditiveNTT.iteratedQuotientMap_k_eq_1_is_qMap {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (h_i_add_1 : ↑i + 1 ≤ ℓ) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩)) : iteratedQuotientMap 𝔽q β h_ℓ_add_R_rate i 1 h_i_add_1 x = ⟨Polynomial.eval (↑x) (qMap 𝔽q β ⟨↑i, ⋯⟩), ⋯⟩

When k = 1, iteratedQuotientMap reduces to evaluating qMap directly. This shows that iteratedQuotientMap with k = 1 is equivalent to the single-step quotient map.

theorem AdditiveNTT.getSDomainBasisCoeff_of_sum_repr {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) [NeZero R_rate] (i : Fin (ℓ + 1)) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩)) (x_coeffs : Fin (ℓ + R_rate - ↑i) → 𝔽q) (hx : ↑x = ∑ j_x : Fin (ℓ + R_rate - ↑i), x_coeffs j_x • ↑((sDomain_basis 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⋯) j_x)) (j : Fin (ℓ + R_rate - ↑i)) : ((sDomain_basis 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⋯).repr x) j = x_coeffs j

theorem AdditiveNTT.getSDomainBasisCoeff_of_iteratedQuotientMap {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) [NeZero R_rate] (i : Fin ℓ) (k : ℕ) (h_bound : ↑i + k ≤ ℓ) (x : ↥(sDomain 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩)) : have y := iteratedQuotientMap 𝔽q β h_ℓ_add_R_rate i k h_bound x; ∀ (j : Fin (ℓ + R_rate - (↑i + k))), ((sDomain_basis 𝔽q β h_ℓ_add_R_rate ⟨↑i + k, ⋯⟩ ⋯).repr y) j = ((sDomain_basis 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⋯).repr x) ⟨↑j + k, ⋯⟩

noncomputable def AdditiveNTT.sDomain.lift {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i j : Fin r) (h_j : ↑j < ℓ + R_rate) (h_le : i ≤ j) (y : ↥(sDomain 𝔽q β h_ℓ_add_R_rate j)) : ↥(sDomain 𝔽q β h_ℓ_add_R_rate i)

Lifts a point y from a higher-indexed domain sDomain j to the canonical base point of its fiber in a lower-indexed domain sDomain i, by retaining all coeffs for the corresponding basis elements

theorem AdditiveNTT.basis_repr_of_sDomain_lift {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i j : Fin r) (h_j : ↑j < ℓ + R_rate) (h_le : i ≤ j) (y : ↥(sDomain 𝔽q β h_ℓ_add_R_rate j)) : have x₀ := sDomain.lift 𝔽q β h_ℓ_add_R_rate i j h_j h_le y; ∀ (k : Fin (ℓ + R_rate - ↑i)), ((sDomain_basis 𝔽q β h_ℓ_add_R_rate i ⋯).repr x₀) k = if hk : ↑k < ↑j - ↑i then 0 else ((sDomain_basis 𝔽q β h_ℓ_add_R_rate j h_j).repr y) ⟨↑k - (↑j - ↑i), ⋯⟩

Applying the forward map to a lifted point returns the original point.

theorem AdditiveNTT.intermediateNormVpoly_comp_qmap_helper {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (k : Fin (ℓ - (↑i + 1))) : (intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ ⟨↑k, ⋯⟩).comp (qMap 𝔽q β ⟨↑i, ⋯⟩) = intermediateNormVpoly 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑k + 1, ⋯⟩

noncomputable def AdditiveNTT.intermediateNovelBasisX {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin (ℓ + 1)) (j : Fin (2 ^ (ℓ - ↑i))) : Polynomial L

∀ i ∈ {0, ..., ℓ}, The i-th order novel polynomial basis Xⱼ⁽ⁱ⁾. Xⱼ⁽ⁱ⁾ := Π_{k=0}^{ℓ-i-1} (Ŵₖ⁽ⁱ⁾)^{jₖ}, ∀ j ∈ {0, ..., 2^(ℓ-i)-1}

theorem AdditiveNTT.base_intermediateNovelBasisX {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (j : Fin (2 ^ ℓ)) : intermediateNovelBasisX 𝔽q β h_ℓ_add_R_rate ⟨0, ⋯⟩ j = Xⱼ 𝔽q β ℓ ⋯ j

theorem AdditiveNTT.intermediateNovelBasisX_zero_eq_one {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin (ℓ + 1)) : intermediateNovelBasisX 𝔽q β h_ℓ_add_R_rate i ⟨0, ⋯⟩ = 1

theorem AdditiveNTT.even_index_intermediate_novel_basis_decomposition {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (j : Fin (2 ^ (ℓ - ↑i - 1))) : intermediateNovelBasisX 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑j * 2, ⋯⟩ = (intermediateNovelBasisX 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ ⟨↑j, ⋯⟩).comp (qMap 𝔽q β ⟨↑i, ⋯⟩)

X₂ⱼ⁽ⁱ⁾ = Xⱼ⁽ⁱ⁺¹⁾(q⁽ⁱ⁾(X)) ∀ j ∈ {0, ..., 2^(ℓ-i)-1}, ∀ i ∈ {0, ..., ℓ-1}

theorem AdditiveNTT.odd_index_intermediate_novel_basis_decomposition {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (j : Fin (2 ^ (ℓ - ↑i - 1))) : intermediateNovelBasisX 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑j * 2 + 1, ⋯⟩ = Polynomial.X * (intermediateNovelBasisX 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ ⟨↑j, ⋯⟩).comp (qMap 𝔽q β ⟨↑i, ⋯⟩)

X₂ⱼ₊₁⁽ⁱ⁾ = X * (Xⱼ⁽ⁱ⁺¹⁾(q⁽ⁱ⁾(X))) ∀ j ∈ {0, ..., 2^(ℓ-i)-1}, ∀ i ∈ {0, ..., ℓ-1}

noncomputable def AdditiveNTT.intermediateEvaluationPoly {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin (ℓ + 1)) (coeffs : Fin (2 ^ (ℓ - ↑i)) → L) : Polynomial L

∀ i ∈ {0, ..., ℓ}, The i-th order evaluation polynomial P⁽ⁱ⁾(X) := ∑_{j=0}^{2^(ℓ-i)-1} coeffsⱼ ⋅ Xⱼ⁽ⁱ⁾(X) over the domain S⁽ⁱ⁾. where the polynomial P⁽⁰⁾(X) over the domain S⁽⁰⁾ is exactly the original polynomial P(X) we need to evaluate, and coeffs is the list of 2^(ℓ-i) coefficients of the polynomial.

noncomputable def AdditiveNTT.evenRefinement {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (coeffs : Fin (2 ^ (ℓ - ↑i)) → L) : Polynomial L

The even and odd refinements of P⁽ⁱ⁾(X) which are polynomials in the (i+1)-th basis. P₀⁽ⁱ⁺¹⁾(Y) = ∑_{j=0}^{2^{ℓ-i-1}-1} a_{2j} ⋅ Xⱼ⁽ⁱ⁺¹⁾(Y) P₁⁽ⁱ⁺¹⁾(Y) = ∑_{j=0}^{2^{ℓ-i-1}-1} a_{2j+1} ⋅ Xⱼ⁽ⁱ⁺¹⁾(Y)

noncomputable def AdditiveNTT.oddRefinement {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (coeffs : Fin (2 ^ (ℓ - ↑i)) → L) : Polynomial L

theorem AdditiveNTT.evaluation_poly_split_identity {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (coeffs : Fin (2 ^ (ℓ - ↑i)) → L) : have P_i := intermediateEvaluationPoly 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ coeffs; have P_even_i_plus_1 := evenRefinement 𝔽q β h_ℓ_add_R_rate i coeffs; have P_odd_i_plus_1 := oddRefinement 𝔽q β h_ℓ_add_R_rate i coeffs; have q_i := qMap 𝔽q β ⟨↑i, ⋯⟩; P_i = P_even_i_plus_1.comp q_i + Polynomial.X * P_odd_i_plus_1.comp q_i

Key Polynomial Identity (Equation 39). This identity is the foundation for the butterfly operation in the Additive NTT. It relates a polynomial in the i-th basis to its even and odd parts expressed in the (i+1)-th basis via the quotient map q⁽ⁱ⁾. ∀ i ∈ {0, ..., ℓ-1}, P⁽ⁱ⁾(X) = P₀⁽ⁱ⁺¹⁾(q⁽ⁱ⁾(X)) + X ⋅ P₁⁽ⁱ⁺¹⁾(q⁽ⁱ⁾(X))

theorem AdditiveNTT.intermediate_poly_P_base {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (h_ℓ : ℓ ≤ r) (coeffs : Fin (2 ^ ℓ) → L) : intermediateEvaluationPoly 𝔽q β h_ℓ_add_R_rate ⟨0, ⋯⟩ coeffs = polynomialFromNovelCoeffs 𝔽q β ℓ h_ℓ coeffs

2. The Additive NTT Algorithm and Correctness

This section describes the construction of the evaluation points, the tiling of coefficients, the main loop invariant, and the final correctness theorem for the Additive NTT algorithm.

noncomputable def AdditiveNTT.evaluationPointω {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin (ℓ + 1)) (x : Fin (2 ^ (ℓ + R_rate - ↑i))) : L

Constructs an evaluation point ω in the domain S⁽ⁱ⁾ from a Nat.getBit representation. This uses the 𝔽q-basis of S⁽ⁱ⁾ from sDomain_basis. ω_{u,b,i} = b⋅Ŵᵢ(βᵢ) + ∑_{k=0}^{|u|-1} uₖ ⋅ Ŵᵢ(β_{i+1+k}) where (u,b) is a Nat.getBit string of length ℓ + R - i. Computes the twiddle factor t for a given stage i and high-order bits u. t := Σ_{k=0}^{ℓ+R-i-1} u_k ⋅ Ŵᵢ(β_{i+k}). This corresponds to the x₀ term in the recursive butterfly identity.

noncomputable def AdditiveNTT.twiddleFactor {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (u : Fin (2 ^ (ℓ + R_rate - ↑i - 1))) : L

The twiddle factor

theorem AdditiveNTT.evaluationPointω_eq_twiddleFactor_of_div_2 {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (x : Fin (2 ^ (ℓ + R_rate - ↑i))) : evaluationPointω 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ x = twiddleFactor 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑x / 2, ⋯⟩ + ↑(↑x % 2) * Polynomial.eval (β ⟨↑i, ⋯⟩) (normalizedW 𝔽q β ⟨↑i, ⋯⟩)

theorem AdditiveNTT.eval_point_ω_eq_next_twiddleFactor_comp_qmap {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (x : Fin (2 ^ (ℓ + R_rate - (↑i + 1)))) : evaluationPointω 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ x = Polynomial.eval (twiddleFactor 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ ⟨↑x, ⋯⟩) (qMap 𝔽q β ⟨↑i, ⋯⟩)

def AdditiveNTT.tileCoeffs {L : Type u} {ℓ R_rate : ℕ} (a : Fin (2 ^ ℓ) → L) : Fin (2 ^ (ℓ + R_rate)) → L

The 2^R_rate-fold tiling of coefficients a into the initial buffer b. b(v) = aⱼ, where j are the ℓ LSBs of v.

noncomputable def AdditiveNTT.NTTStage {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (b : Fin (2 ^ (ℓ + R_rate)) → L) : Fin (2 ^ (ℓ + R_rate)) → L

A single stage of the Additive NTT for a given i. It takes the buffer b from the previous stage and applies the butterfly operations. This function implements one step of the for i from ℓ-1 down to 0 loop.

noncomputable def AdditiveNTT.additiveNTT {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (a : Fin (2 ^ ℓ) → L) : Fin (2 ^ (ℓ + R_rate)) → L

The Additive NTT Algorithm (Algorithm 2)

Computes the Additive NTT on a given set of coefficients from the novel basis.

• a: The initial coefficient array (a₀, ..., a_{2^ℓ-1}).

def AdditiveNTT.coeffsBySuffix {r : ℕ} {L : Type u} {ℓ R_rate : ℕ} (a : Fin (2 ^ ℓ) → L) (i : Fin (ℓ + 1)) (v : Fin (2 ^ ↑i)) : Fin (2 ^ (ℓ - ↑i)) → L

theorem AdditiveNTT.base_coeffsBySuffix {r : ℕ} {L : Type u} {ℓ R_rate : ℕ} (a : Fin (2 ^ ℓ) → L) : coeffsBySuffix a 0 0 = a

theorem AdditiveNTT.evenRefinement_eq_novel_poly_of_0_leading_suffix {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (v : Fin (2 ^ ↑i)) (original_coeffs : Fin (2 ^ ℓ) → L) : have h_v := ⋯; evenRefinement 𝔽q β h_ℓ_add_R_rate i (coeffsBySuffix original_coeffs ⟨↑i, ⋯⟩ v) = intermediateEvaluationPoly 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ (coeffsBySuffix original_coeffs ⟨↑i + 1, ⋯⟩ ⟨↑v, h_v⟩)

P₀, ₍ᵥ₎⁽ⁱ⁺¹⁾(X) = P₍₀ᵥ₎⁽ⁱ⁺¹⁾(X), where v consists of exactly i bits Note that the even refinement P₀, ₍ᵥ₎⁽ⁱ⁺¹⁾(X) is constructed from the view of stage i, while the novel polynomial P₍₀ᵥ₎⁽ⁱ⁺¹⁾(X) is constructed from the view of stage i+1.

theorem AdditiveNTT.oddRefinement_eq_novel_poly_of_1_leading_suffix {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (v : Fin (2 ^ ↑i)) (original_coeffs : Fin (2 ^ ℓ) → L) : have h_v := ⋯; oddRefinement 𝔽q β h_ℓ_add_R_rate i (coeffsBySuffix original_coeffs ⟨↑i, ⋯⟩ v) = intermediateEvaluationPoly 𝔽q β h_ℓ_add_R_rate ⟨↑i + 1, ⋯⟩ (coeffsBySuffix original_coeffs ⟨↑i + 1, ⋯⟩ ⟨↑v ||| 1 <<< ↑i, h_v⟩)

P₁, ₍ᵥ₎⁽ⁱ⁺¹⁾(X) = P₍₁ᵥ₎⁽ⁱ⁺¹⁾(X), where v consists of exactly i bits Note that the odd refinement P₁,₍ᵥ₎⁽ⁱ⁺¹⁾(X) is constructed from the view of stage i, while the novel polynomial P₍₁ᵥ₎⁽ⁱ⁺¹⁾(X) is constructed from the view of stage i+1.

def AdditiveNTT.additiveNTTInvariant {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [Algebra 𝔽q L] (β : Fin r → L) {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (evaluation_buffer : Fin (2 ^ (ℓ + R_rate)) → L) (original_coeffs : Fin (2 ^ ℓ) → L) (i : Fin (ℓ + 1)) : Prop

The main loop invariant for the additiveNTT algorithm: the evaluation buffer b at the end of stage i (i ∈ {0, ..., ℓ}, i=ℓ means the initial tiled buffer) holds the value P⁽ⁱ⁾(ω_{u, b, v}) for all Nat.getBit mask index (u||b||v) ∈ {0, ..., 2^(ℓ+R_rate)-1}, where the points ω_{u, b, v} are in the domain S⁽ⁱ⁾.

Main statement: After round i ∈ {ℓ-1, ℓ-2, ..., 0}: the buffer b at index j (which can be decomposed as j = (u || b || v) in little-endian order, where

• u is a bitstring of length ℓ + R_rate - i - 1,
• b is a single Nat.getBit (the LSB of the high bits),
• v is a bitstring of length i (the LSBs), holds the value P⁽ⁱ⁾(ω_{u, b, i}), where:
  • P⁽ⁱ⁾ is the intermediate polynomial at round i (in the novel basis),
  • ω_{u, b, i} is the evaluation point in the subspace S⁽ⁱ⁾ constructed as a linear combination of the basis elements of S⁽ⁱ⁾:
    • the Nat.getBit b is the coefficient for Ŵᵢ(βᵢ) (the LSB),
    • the LSB of u is the coefficient for Ŵᵢ(β_{i+1}), ..., the MSB of u is the coefficient for Ŵᵢ(β_{ℓ+R_rate-1}).
  • The value is replicated 2^i times for each v (i.e., the last i bits do not affect the value).

More precisely, for all j : Fin (2^(ℓ + R_rate)), let u_b_v := j.val (as a natural number),

• let v := u_b_v % 2^i (the i LSBs),
• let u_b := u_b_v / 2^i (the high bits),
• let b := u_b % 2 (the LSB of the high bits),
• let u := u_b / 2 (the remaining high bits), then: b j = P⁽ⁱ⁾(ω_{u, b, i})

theorem AdditiveNTT.initial_tiled_coeffs_correctness {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (h_ℓ : ℓ ≤ r) (a : Fin (2 ^ ℓ) → L) : have b := tileCoeffs a; additiveNTTInvariant 𝔽q β h_ℓ_add_R_rate b a ⟨ℓ, ⋯⟩

theorem AdditiveNTT.NTTStage_correctness {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (i : Fin ℓ) (input_buffer : Fin (2 ^ (ℓ + R_rate)) → L) (original_coeffs : Fin (2 ^ ℓ) → L) : additiveNTTInvariant 𝔽q β h_ℓ_add_R_rate input_buffer original_coeffs ⟨↑i + 1, ⋯⟩ → additiveNTTInvariant 𝔽q β h_ℓ_add_R_rate (NTTStage 𝔽q β h_ℓ_add_R_rate ⟨↑i, ⋯⟩ input_buffer) original_coeffs ⟨↑i, ⋯⟩

The correctness theorem for the NTTStage function. This is the inductive step in the main proof. It asserts that if the invariant holds for i+1, then after applying NTTStage i, the invariant holds for i ∈ {0, ..., ℓ-1}.

theorem AdditiveNTT.foldl_NTTStage_inductive_aux {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (h_ℓ : ℓ ≤ r) (k : Fin (ℓ + 1)) (original_coeffs : Fin (2 ^ ℓ) → L) : additiveNTTInvariant 𝔽q β h_ℓ_add_R_rate (Fin.foldl (↑k) (fun (current_b : Fin (2 ^ (ℓ + R_rate)) → L) (i : Fin ↑k) => NTTStage 𝔽q β h_ℓ_add_R_rate ⟨ℓ - ↑i - 1, ⋯⟩ current_b) (tileCoeffs original_coeffs)) original_coeffs ⟨ℓ - ↑k, ⋯⟩

theorem AdditiveNTT.additiveNTT_correctness {r : ℕ} [NeZero r] {L : Type u} [Field L] [Fintype L] [DecidableEq L] (𝔽q : Type u) [Field 𝔽q] [Fintype 𝔽q] [h_Fq_char_prime : Fact (Nat.Prime (ringChar 𝔽q))] [Algebra 𝔽q L] (β : Fin r → L) [hβ_lin_indep : Fact (LinearIndependent 𝔽q β)] [h_β₀_eq_1 : Fact (β 0 = 1)] {ℓ R_rate : ℕ} (h_ℓ_add_R_rate : ℓ + R_rate < r) (h_ℓ : ℓ ≤ r) (original_coeffs : Fin (2 ^ ℓ) → L) (output_buffer : Fin (2 ^ (ℓ + R_rate)) → L) (h_alg : output_buffer = additiveNTT 𝔽q β h_ℓ_add_R_rate original_coeffs) : have P := polynomialFromNovelCoeffs 𝔽q β ℓ h_ℓ original_coeffs; ∀ (j : Fin (2 ^ (ℓ + R_rate))), output_buffer j = Polynomial.eval (evaluationPointω 𝔽q β h_ℓ_add_R_rate ⟨0, ⋯⟩ j) P

Main Correctness Theorem for Additive NTT If b is the output of additiveNTT on input a, then for all j, b j is the evaluation of the polynomial P (from the novel basis coefficients a) at the evaluation point ω_{0, j} in the domain S⁰.