
Elliptic Curve Fast Fourier Transform

Mihir Jayesh Vahanwala, Sankalp Gambhir

November 3, 2021

1 Introduction
The Fast Fourier Transform (FFT) is at the core of efficient modern day algorithms for polynomial
algebra. The original FFT algorithm is a divide and conquer algorithm that runs over C. It
takes as input the coefficient representation of a polynomial of degree at most n − 1, and takes
O(n log n) arithmetic operations over C to output the evaluation of the polynomial at the nth
roots of unity.
Since the FFT and its inverse are very closely related, this immediately allows us to multiply
degree < n/2 polynomials in C[X] in O(n log n) time: evaluate the polynomials at the nth roots of
unity, multiply the evaluations pointwise, and then use the inverse FFT to retrieve the coefficient
representation of the product polynomial.
Polynomial Multiplication is the cornerstone of a wide variety of algorithms in computer algebra,
especially modern ones over finite fields Fq .
Definition 1.1. Define $M_q(n)$ to be the minimum number of arithmetic operations over $\mathbb{F}_q$ needed to output the coefficient representation of the product of two polynomials of degree $< n$, given their coefficient representations as input.
If the FFT approach generalised to all finite fields, we would have $M_q(n) = O(n \log n)$ for all $n$. However, FFT hinges on the existence of $n$th roots of unity, which $\mathbb{F}_q$ contains only when $n$ divides $q - 1$. Most recently, it has been shown that $M_q(n) = O(n \log n \cdot 2^{O(\log^* n)})$. However, the open question remains:
Open Question 1. Does $M_q(n) = O(n \log n)$ hold for all prime powers $q$ and all $n$?
The results [1] we present in this report are closely related to this discussion, but subtly different. However, this does not take anything away from how remarkable they are. It is proposed that polynomials over finite fields $\mathbb{F}_q$ be represented as evaluation tables over carefully chosen subsets of $\mathbb{F}_q$. For polynomials of degree less than $n$, where $n < q^{O(1)}$, this representation allows us to do the following operations in $O(n \log n)$ time:
• Polynomial addition (trivial, linear time)
• Polynomial multiplication
• Degree computation (non-trivial, since the representation differs from the coefficient representation)
The subtlety lies in the fact that the interconversion between the proposed representation and the standard monomial representation takes $O(n \log^2 n)$ time.

Organisation
After defining some notational preliminaries in Section 2, we describe the parallels between FFT and our approach in Section 3. In the spirit of algebra, we introduce the FFTree, a data structure that abstracts out the framework an FFT-like approach requires. In Section 4, we briefly survey some deep mathematical properties of elliptic curves that enable us to construct FFTrees over $\mathbb{F}_q$. Finally, in Section 5, we reap the rewards of this ingenuity and present some efficient algorithms.

2 Notation
2.1 Functions and Polynomials
Definition 2.1 (Pre-image and Image). Let $g : D \to R$ be a function. For $R' \subseteq R$, define $g^{-1}(R') = \{x : g(x) \in R'\}$. For $r \in R$, define $g^{-1}(r) = g^{-1}(\{r\})$. Likewise, for $D' \subseteq D$, define $g(D') = \{g(x) : x \in D'\}$.
Definition 2.2 (Vanishing polynomial). For a set $A \subseteq \mathbb{F}_q$, we define the vanishing polynomial of $A$ to be the polynomial $Z_A \in \mathbb{F}_q[X]$ given by
$$Z_A(X) = \prod_{\alpha \in A} (X - \alpha)$$

2.2 Projective Space

$\mathbb{P}^n(\mathbb{F}_q)$ or $\mathbb{P}^n$ denotes the $n$-dimensional projective space over $\mathbb{F}_q$. Only $\mathbb{P}^1$ and $\mathbb{P}^2$ are relevant to us. Points in $\mathbb{P}^n$ are given by homogenised coordinates $[x_1 : x_2 : \cdots : x_{n+1}]$ where at least one $x_i$ is nonzero, and
$$[x_1 : x_2 : \cdots : x_{n+1}] \equiv [cx_1 : cx_2 : \cdots : cx_{n+1}]$$
for all nonzero $c$. For a point in the affine space $\mathbb{F}_q^n$, we have
$$(x_1, x_2, \ldots, x_n) = [x_1 : x_2 : \cdots : x_n : 1]$$
$\mathbb{P}^n$ is a disjoint union of the affine space $\mathbb{F}_q^n$ ($x_{n+1} \neq 0$) and a copy of $\mathbb{P}^{n-1}$ "at infinity" ($x_{n+1} = 0$). In particular, $\mathbb{P}^1 = \mathbb{F}_q \cup \{\infty\}$ where $\infty$ denotes the unique point $[1 : 0]$ at infinity.

2.3 Rational Functions

Rational functions over $\mathbb{F}_q$ are quotients $\psi(X) = \frac{u(X)}{v(X)}$ where $u$ and $v$ are coprime polynomials in $\mathbb{F}_q[X]$ and $v$ is nonzero. Rational functions form a field, denoted by $\mathbb{F}_q(X)$.
Rational functions can be viewed as maps from $\mathbb{P}^1$ to itself. The points mapped to $\infty$ are called poles. These include the zeroes of $v$. Depending on whether $\deg(u) - \deg(v)$ is positive, negative or zero, $\infty$ is respectively mapped to $\infty$ (a pole of $\psi$), $0$ (a zero of $\psi$) or the ratio of leading coefficients, which is in $\mathbb{F}_q \setminus \{0\}$.
Definition 2.3 (Rational function degree). The degree of a rational function $\psi(X) = \frac{u(X)}{v(X)}$ is defined as $\max(\deg(u), \deg(v))$.
The degree of a rational function is equal to both the total number of zeroes and the total number of poles, counted with multiplicity (over the algebraic closure of $\mathbb{F}_q$).

3 Adapting Fast Fourier Transform

For this section, assume $d$ is even. Let $V_d$ be the $\mathbb{F}_q$-linear subspace of $\mathbb{F}_q[X]$ consisting of polynomials of degree strictly less than $d$.
The crux of FFT lies in the following representation of $P(X) = \sum_{i<d} a_i X^i \in V_d$:
$$P(X) = \Big(\sum_{i<d/2} a_{2i} (X^2)^i\Big) + X \cdot \Big(\sum_{i<d/2} a_{2i+1} (X^2)^i\Big)$$
Squaring is a 2-to-1 map from the $d$th roots of unity to the $(d/2)$th roots of unity. The divide and conquer approach works because given a problem of size $d$, we can break it down into two subproblems of size $d/2$, and combine their solutions in linear time.
[Figure 1: FFT structure. A tree of depth 2 with leaves $\omega_0, \omega_1, \omega_2, \omega_3$, middle layer $v_0, v_1$ and root $u$; the edges out of the leaves are labelled $\psi^{(0)}$ and those out of the middle layer $\psi^{(1)}$. Usually $\psi^{(i)}(X) = X^2$, but over finite fields this needs more work.]
To abstract this out further, an FFT-like approach works as follows. For a set $S$ of size $n$, we identify a set $T$ and a 2-to-1 map from $S$ to $T$. In order to evaluate a function on all of $S$ in $O(n \log n)$ time, we evaluate two smaller, related functions on all of $T$, and get our desired output through post-processing that takes $O(n)$ time.
The key is to realise that given an $S$, we have the freedom to choose $T$ and the 2-to-1 map that makes these manipulations tractable.
The claims in the next subsection generalise to higher degrees as well, but we stick to degree 2 for simplicity and relevance.

3.1 Rational maps


We first present an alternate way of decomposing polynomials, i.e. creating smaller subproblems.
Lemma 3.1 (Decomposition). Let $\psi(X) = \frac{u(X)}{v(X)} \in \mathbb{F}_q(X)$ be a rational map of degree 2. Then for every $P(X) \in V_d$, there exists a unique tuple $(P_0(X), P_1(X)) \in V_{d/2}^2$ such that
$$P(X) = v(X)^{\frac{d}{2}-1} \cdot \big(P_0(\psi(X)) + X \cdot P_1(\psi(X))\big)$$
(The right-hand side is indeed a polynomial in $V_d$: since $\deg P_0, \deg P_1 \le d/2 - 1$ and $\deg u, \deg v \le 2$, the factor $v^{d/2-1}$ clears every denominator, and the two summands have degree at most $d-2$ and $d-1$ respectively.)

Next, we observe that at a local level, if $\psi$ satisfies certain conditions, this decomposition is invertible.
Lemma 3.2 (Locality and invertibility). Let $t \in \mathbb{F}_q$. Suppose $\psi^{-1}(t) = \{s_0, s_1\}$ is a set of cardinality exactly 2, with $s_0, s_1 \in \mathbb{F}_q$. Then the transformation $M_t : \mathbb{F}_q^2 \to \mathbb{F}_q^2$, $M_t : (P(s_0), P(s_1)) \mapsto (P_0(t), P_1(t))$ is linear and invertible.

Proof. Since $t \in \mathbb{F}_q$, $t \neq \infty$, and hence $v(s_i) \neq 0$. We have
$$\begin{pmatrix} v(s_0)^{\frac{d}{2}-1} & 0 \\ 0 & v(s_1)^{\frac{d}{2}-1} \end{pmatrix} \begin{pmatrix} 1 & s_0 \\ 1 & s_1 \end{pmatrix} \begin{pmatrix} P_0(t) \\ P_1(t) \end{pmatrix} = \begin{pmatrix} P(s_0) \\ P(s_1) \end{pmatrix}$$
Invertibility follows because the diagonal matrix has nonzero entries and the other $2 \times 2$ matrix is Vandermonde, with $s_0 \neq s_1$.
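The special case $\psi(X) = X^2$ recovers the classical FFT butterfly; the following worked instance is added to this report and is not taken from [1]. Here $u = X^2$ and $v = 1$, so the factor $v(X)^{d/2-1}$ in Lemma 3.1 is $1$ and the decomposition is exactly the even/odd split of Section 3. For $q$ odd and $t \neq 0$ a square in $\mathbb{F}_q$, $\psi^{-1}(t) = \{s, -s\}$ with $s^2 = t$, and the system of Lemma 3.2 becomes
$$\begin{pmatrix} 1 & s \\ 1 & -s \end{pmatrix} \begin{pmatrix} P_0(t) \\ P_1(t) \end{pmatrix} = \begin{pmatrix} P(s) \\ P(-s) \end{pmatrix}, \qquad \det \begin{pmatrix} 1 & s \\ 1 & -s \end{pmatrix} = -2s \neq 0,$$
so that
$$P_0(t) = \frac{P(s) + P(-s)}{2}, \qquad P_1(t) = \frac{P(s) - P(-s)}{2s}.$$
Both hypotheses of the lemma are visible in the determinant: $s \neq 0$ (the preimage of $t = 0$ is the single point $0$, so $\psi$ is not 2-to-1 there) and $2 \neq 0$ in $\mathbb{F}_q$. In characteristic 2, squaring is the Frobenius bijection and is nowhere 2-to-1, so no FFTree can be built from $X^2$ at all; this is where the elliptic-curve maps of Section 4 are needed.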

3.2 FFTrees
Having found maps that potentially support decomposition of the problem for a divide and conquer
strategy, we will now introduce a data structure that uses these maps, and is sufficient to simulate
an FFT-like algorithm.

Definition 3.3 (FFTree). Let $q$ be a prime power, and let $k$ be an integer. An FFTree of depth $k$ over $\mathbb{F}_q$ is a collection of subsets $L^{(0)}, L^{(1)}, \ldots, L^{(k)} \subseteq \mathbb{F}_q$ along with degree 2 rational functions $\psi^{(0)}, \ldots, \psi^{(k-1)}$ such that:
• $|L^{(i)}| = 2^{k-i}$
• $\psi^{(i)}$ is a 2-to-1 map from $L^{(i)}$ onto $L^{(i+1)}$
The tree itself is a rooted, layered, full binary tree: the root is the element of $L^{(k)}$, the leaves are the elements of $L^{(0)}$. For a node $s$ in $L^{(i)}$, its parent is $\psi^{(i)}(s)$.
As we have mentioned before, polynomials will be represented by evaluations at specific subsets of $\mathbb{F}_q$. This, specifically, is how we will use FFTrees. We fix an FFTree. Polynomials of degree less than $n$ will be represented by their evaluation at an $O(n)$-sized subset of $L^{(0)}$. Thus, an FFTree of depth $k$ can represent polynomials of degree less than $2^k$.
Hence, it is beneficial to find FFTrees that are as large as possible: we use elliptic curves to show the existence of FFTrees over $\mathbb{F}_q$ of depth $\Omega(\log q)$, i.e. capable of representing polynomials of degree $q^{\Omega(1)}$.

4 FFTrees from Elliptic Curves


An elliptic curve $E$ is a smooth, projective algebraic curve of genus 1 with a marked point, defined over a field. We consider elliptic curves defined over $\mathbb{F}_q$; their points reside in $\mathbb{P}^2(\mathbb{F}_q)$.
Fact 4.1. Every elliptic curve can be presented in extended Weierstrass form as
• the set of planar points $(x, y) \in \mathbb{F}_q^2$ (which is $[x : y : 1] \in \mathbb{P}^2$) satisfying the cubic equation
$$F(X, Y) := Y^2 + a_1 XY + a_3 Y - X^3 - a_2 X^2 - a_4 X - a_6 = 0$$
• the special marked point $O = [0 : 1 : 0] \in \mathbb{P}^2$, called its point at infinity.
[Figure 2: Visualising an elliptic curve and the group operation.]
Fact 4.2. With an appropriately defined $+$ operation, the points on an elliptic curve $E$ form an abelian group. The marked point $O$ at infinity is the group identity.
Definition 4.3 (Projection). The projection map $\pi : E \to \mathbb{P}^1$ is defined as follows: $\pi(O) = \infty$, $\pi([x : y : 1]) = x \in \mathbb{F}_q$.
Remark 4.1. For $P, Q \in E$, $\pi(P) = \pi(Q)$ if and only if $P = \pm Q$. Given a set $C$, define the set $-C = \{-P : P \in C\}$. If $C$ and $-C$ are disjoint, then the mapping $\pi$ from $C$ to $\pi(C)$ is 1-to-1. Further, $C$ does not contain $O$ (as $O = -O$), hence $\pi(C) \subseteq \mathbb{F}_q$. This is a crucial observation in order to construct FFTrees from elliptic curves.
Proposition 4.4 (Isogenies). Let $\phi : E \to E'$ be an isogeny between two elliptic curves over $\mathbb{F}_q$ in extended Weierstrass form. Let $\pi, \pi'$ be their respective $x$-projection maps onto $\mathbb{P}^1$. Then
• $\phi$ is a group homomorphism.
• There exists a unique rational function $\psi$ such that the diagram
$$\begin{array}{ccc} E & \xrightarrow{\ \phi\ } & E' \\ \downarrow{\scriptstyle \pi} & & \downarrow{\scriptstyle \pi'} \\ \mathbb{P}^1 & \xrightarrow{\ \psi\ } & \mathbb{P}^1 \end{array}$$
is commutative, i.e. $\pi' \circ \phi = \psi \circ \pi$.
• If the formal derivative of $\psi$ is nonzero, then $|\ker(\phi)| = \deg(\psi) = d$ and the isogeny is said to be $d$-separable, or a $d$-isogeny.
Proposition 4.5 (Isogenies, constructive). Let $E$ be an elliptic curve and let $H < E$ be a finite subgroup. There exists a unique (up to isomorphism) elliptic curve $E'$ and $|H|$-isogeny $\phi$ such that $\ker(\phi) = H$.
We’ve begun relating elliptic curves with rational maps. In order to argue that this is a method to
construct viable FFTrees, we must first argue that large enough elliptic curves of tractable order
over Fq indeed exist.
Proposition 4.6. Let $k$ be an integer, $k = O(\log q)$. There exists an elliptic curve $E_0$ over $\mathbb{F}_q$ such that $2^k$ divides $|E_0|$ and $|E_0| > 2^{k+1}$.
Remark 4.2. Due to these conditions, it can be shown that $E_0$ has a subgroup $G_0$ of order $2^k$, and a coset $C_0$ of $G_0$ such that $C_0 \neq -C_0$ (as members of the quotient group $E_0/G_0$). Recall Remark 4.1 to see why this is significant. Thus begins our construction of an FFTree of depth $k$.
Recall the Definition 3.3 of an FFTree. We now prove that it can be met.
Theorem 4.7 (Existence of large FFTree). Let $q$ be a prime power, and let $k$ be an integer, $k = O(\log q)$. There exist subsets $L^{(0)}, L^{(1)}, \ldots, L^{(k)} \subseteq \mathbb{F}_q$, and degree 2 rational functions $\psi^{(0)}, \ldots, \psi^{(k-1)}$ such that:
• $|L^{(i)}| = 2^{k-i}$
• $\psi^{(i)}$ is a 2-to-1 map from $L^{(i)}$ onto $L^{(i+1)}$

Proof. Starting from $i = 0$, for which we have $E_0, G_0, C_0$, we inductively do the following. We take an order-2 subgroup $H_i$ that is contained in $G_i$. We apply Proposition 4.5 to identify the curve $E_{i+1}$, the 2-isogeny $\phi_i$ and (via Proposition 4.4) the rational map $\psi^{(i)}$. We then define $G_{i+1} = \phi_i(G_i)$, and since $\ker(\phi_i) = H_i \subseteq G_i$ we have $|G_i| = 2|G_{i+1}|$.
Note that by the first isomorphism theorem, $G_i/H_i$ is isomorphic to $G_{i+1}$, and $E_i/H_i$ is embedded in $E_{i+1}$. By the third isomorphism theorem, we also have that $(E_i/H_i)/(G_i/H_i)$ is isomorphic to $E_i/G_i$, so $E_i/G_i$ is embedded in $E_{i+1}/G_{i+1}$. We can apply this reasoning inductively to the composition of these embeddings to argue that $E_0/G_0$ is embedded in $E_i/G_i$ for all $i$.
This means that for all $i$, distinct cosets of $G_0$ are mapped to distinct cosets of $G_i$. We have $C_0$; we inductively define $C_{i+1} = \phi_i(C_i)$, and the embedding gives $C_i \neq -C_i$ for all $i$ (it holds for $i = 0$, and an injective homomorphism of the quotient groups preserves it). Define $L^{(i)} = \pi_i(C_i)$. By Remark 4.1, this map is bijective, and $L^{(i)} \subseteq \mathbb{F}_q$.
Now, by construction and Proposition 4.4, we also have the following commutative diagram:
$$\begin{array}{ccccccc} E_0 & \xrightarrow{\ \phi_0\ } & E_1 & \xrightarrow{\ \phi_1\ } & \cdots & \xrightarrow{\ \phi_{k-1}\ } & E_k \\ \downarrow{\scriptstyle \pi_0} & & \downarrow{\scriptstyle \pi_1} & & & & \downarrow{\scriptstyle \pi_k} \\ \mathbb{P}^1 & \xrightarrow{\ \psi^{(0)}\ } & \mathbb{P}^1 & \xrightarrow{\ \psi^{(1)}\ } & \cdots & \xrightarrow{\ \psi^{(k-1)}\ } & \mathbb{P}^1 \end{array}$$
Since $\phi_i$ is a 2-to-1 map from $C_i$ onto $C_{i+1}$ (its kernel $H_i$ has order 2 and $C_i$ is a union of $H_i$-cosets), and $\pi_i$, $\pi_{i+1}$ are injective on $C_i$, $C_{i+1}$, we conclude from the commutative diagram that $\psi^{(i)}$ is a 2-to-1 map from $L^{(i)}$ onto $L^{(i+1)}$.

5 Algorithms
We represent polynomials over $\mathbb{F}_q$ by evaluation tables on carefully chosen subsets of $\mathbb{F}_q$. An evaluation table is specified by a set $S \subseteq \mathbb{F}_q$ and a function $f : S \to \mathbb{F}_q$. The associated evaluation table is denoted as $\langle f \circ S \rangle$, and read as "$f$ on $S$".
What subsets are good for evaluation tables? We turn to the FFTree we fixed during preprocessing. Recall that it is a rooted, layered, full binary tree: the root is the element of $L^{(k)}$, the leaves are the elements of $L^{(0)}$. For a node $s$ in $L^{(i)}$, its parent is $\psi^{(i)}(s)$.
[Figure 3: FFTree of depth 3. Leaves $s_0, \ldots, s_7$ in $L^{(0)}$, nodes $t_0, \ldots, t_3$ in $L^{(1)}$, nodes $v_0, v_1$ in $L^{(2)}$ and the root $u$ in $L^{(3)}$; the edges out of layer $i$ are labelled $\psi^{(i)}$.]
Definition 5.1 (Basic Sets). A set $S$ is basic if
• $S \subseteq L^{(j)}$ for some $j$
• there exists an integer $\ell$ such that $|S| = 2^\ell$
• all the elements of $S$ have a common ancestor $t$ in $L^{(j+\ell)}$
Further, if $\ell > 0$, then $S$ can be partitioned into two moieties $S_0$ and $S_1$, which are also basic sets. The common ancestor of $S_0$ is one of the children of $t$, and the common ancestor of $S_1$ is its sibling.
We use basic sets to build evaluation tables. A basic set of size $n$ suffices to represent any polynomial whose degree is less than $n$. The largest basic set has size $2^k$, where $k$ is the depth of the FFTree.
We present the analogue of FFT for our novel representation of polynomials: the quintessential
FFTree algorithm, and a subroutine in almost every operation.
Theorem 5.2 (Low degree extension). For any two basic sets $S, S' \subseteq L^{(j)}$ lying in the same layer of the FFTree, with $|S| = |S'| = n$, there is an algorithm denoted $\mathrm{EXTEND}_{S,S'}$ that runs in time $O(n \log n)$ and, given as input $\langle P \circ S \rangle$ where $P(X) \in \mathbb{F}_q[X]$ with $\deg(P) < n$, outputs $\langle P \circ S' \rangle$.

Proof. Base Case: $n = 1$. In this case $P$ is a constant polynomial, and the evaluation of $P$ on the singleton element of $S'$ is the same as that on the singleton element of $S$.
Recursive Step: Let $S, S' \subseteq L^{(j)}$. Consider the basic sets $T$ and $T'$ "above" $S$ and $S'$ in $L^{(j+1)}$: $T = \psi^{(j)}(S)$, $T' = \psi^{(j)}(S')$.
Each $t \in T$ has two children $s_0, s_1 \in S$, i.e. exactly two preimages under $\psi^{(j)}$. Use Lemma 3.2 (with $d = n$) to construct $\langle P_0 \circ T \rangle$ and $\langle P_1 \circ T \rangle$ from $\langle P \circ S \rangle$ in $O(n)$ time; here $P_0, P_1 \in V_{n/2}$ are the components of $P$ given by Lemma 3.1 with respect to $\psi^{(j)}$.
Now, call $\mathrm{EXTEND}_{T,T'}$ twice: once with input $\langle P_0 \circ T \rangle$, and then with input $\langle P_1 \circ T \rangle$. We now have $\langle P_0 \circ T' \rangle$ and $\langle P_1 \circ T' \rangle$. Each $t' \in T'$ also has precisely two children $s_0', s_1' \in S'$, i.e. preimages under $\psi^{(j)}$. We use the expression from Lemma 3.1 (with the same $\psi^{(j)}$, which is why $S$ and $S'$ must lie in the same layer) to compute $\langle P \circ S' \rangle$ in $O(n)$ time.
The running time of $O(n \log n)$ follows from the recurrence $\mathrm{runtime}(n) = O(n) + 2 \cdot \mathrm{runtime}(n/2)$.

Corollary 5.3 (Polynomial Multiplication). Let $S$ be a basic set with $|S| = n$. Let $S_0$ be a moiety of $S$. There is an algorithm $\mathrm{MULT}_{S,S_0}$, which when given as input
• $\langle P \circ S_0 \rangle$, where $P(X) \in \mathbb{F}_q[X]$ with $\deg(P) < n/2$
• $\langle Q \circ S_0 \rangle$, where $Q(X) \in \mathbb{F}_q[X]$ with $\deg(Q) < n/2$
runs in time $O(n \log n)$ and outputs $\langle P \cdot Q \circ S \rangle$.

Proof. Let $S_1$ be the other moiety of $S$. The algorithm is immediate, given access to $\mathrm{EXTEND}_{S_0,S_1}$. We invoke it twice, to get the evaluations of $P$ and $Q$ on the entirety of $S$. These invocations take $O(n \log n)$ time. We then simply do $n$ pointwise multiplications to evaluate the polynomial product $P \cdot Q$ (of degree less than $n - 1$, hence determined by its values on $S$) on $S$.

Remark 5.1. The subtlety here is that the $O(n \log n)$ runtime is in part attributable to the novelty of the representation. Entering from and exiting to the standard monomial representation take $O(n \log^2 n)$ time. For instance, the idea to enter: a polynomial $P(X)$ of degree less than $n$ can be written as $A(X) + X^{n/2} \cdot B(X)$ with $\deg A, \deg B < n/2$. This recursive strategy entails two calls of size $n/2$ to the enter routine (producing $A$ and $B$ on a moiety $S_0$), subsequent EXTEND calls to obtain them on all of $S$, finishing off with a pointwise combination with $\langle X^{n/2} \circ S \rangle$, which is fixed, and hence taken as advice. The recurrence $\mathrm{enter}(n) = 2\,\mathrm{enter}(n/2) + O(n \log n)$ gives the $O(n \log^2 n)$ bound.
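The following Python script is an added, executable walk-through written for this report; it is not code from [1] or from its authors. It builds a depth-3 FFTree exactly as in the proof of Theorem 4.7, from 2-isogenies of a small curve, checks Definition 3.3 against it, and then runs EXTEND (Theorem 5.2) and MULT (Corollary 5.3) on it, comparing the results with direct evaluation. Everything concrete is an assumption made for the example: the prime $p = 47$; the curve $E_0 : y^2 = x^3 + x$, whose $p + 1 = 48$ points form a cyclic group (so $2^3 \mid 48$ and $48 > 2^4$, as Proposition 4.6 requires); $G_0 = \langle 6g \rangle$ for a generator $g$ and $C_0 = g + G_0$; and Vélu's formulas for the 2-isogeny with kernel $\{O, (x_0, 0)\}$, whose induced $x$-map is $\psi(X) = X + t/(X - x_0)$ with $t = 3x_0^2 + a$, i.e. $u = X^2 - x_0 X + t$ and $v = X - x_0$. The tree is small enough that the children of a node are found by rescanning a layer, so the toy is not $O(n \log n)$ as a whole; the linear algebra at each node is exactly that of Lemma 3.2.

```python
# Added example, not code from the report or from the ECFFT paper: a toy FFTree built
# from 2-isogenies of a small elliptic curve, then EXTEND and MULT (Section 5) run on it.
# Assumed for the example: p = 47, E0: y^2 = x^3 + x (48 points, a cyclic group), k = 3.
from functools import reduce
p, k, N = 47, 3, 48                 # N = |E0(F_47)|: 2^k | N and N > 2^(k+1), as Proposition 4.6 requires
inv = lambda x: pow(x % p, p - 2, p)
# Short Weierstrass arithmetic over F_p on y^2 = x^3 + a x + b; None plays the point O.
def add(P, Q, a):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    lam = (3 * x1 * x1 + a) * inv(2 * y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(n, P, a):
    R = None
    while n:
        if n & 1: R = add(R, P, a)
        P, n = add(P, P, a), n >> 1
    return R

def velu2(a, b, x0):
    """Velu's 2-isogeny with kernel {O, (x0, 0)} out of y^2 = x^3 + a x + b: returns the target
    curve (a', b'), phi on points, and the x-map psi = u/v of Proposition 4.4, psi(X) = X + t/(X - x0)."""
    t = (3 * x0 * x0 + a) % p
    def phi(P):
        if P is None or P[0] == x0: return None         # the kernel is sent to O
        x, y = P
        d = inv(x - x0)
        return ((x + t * d) % p, y * (1 - t * d * d) % p)
    u = lambda x: (x * x - x0 * x + t) % p                # u(X) = X^2 - x0 X + t
    v = lambda x: (x - x0) % p                            # v(X) = X - x0
    return (a - 5 * t) % p, (b - 7 * x0 * t) % p, phi, (u, v)

# The proof of Theorem 4.7, executed: G_{i+1} = phi_i(G_i), C_{i+1} = phi_i(C_i), L^(i) = pi(C_i).
a, b = 1, 0
pts = [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - a * x - b) % p == 0]
g = next(P for P in pts if mul(N // 2, P, a) and mul(N // 3, P, a))   # neither 24g nor 16g is O: order 48
G = [mul((N // 2 ** k) * i, g, a) for i in range(2 ** k)]            # G0 = <6g>, the subgroup of order 8
C = [add(g, Q, a) for Q in G]             # C0 = g + G0; -C0 = -g + G0 != C0 because 2g is not in G0
layers, maps = [], []
for i in range(k):
    layers.append(sorted(P[0] for P in C))                       # pi is injective on C_i (Remark 4.1)
    x0 = next(P[0] for P in G if P is not None and P[1] == 0)    # H_i = {O, (x0, 0)}, the 2-torsion of G_i
    a, b, phi, psi_i = velu2(a, b, x0)
    maps.append(psi_i)
    G, C = list({phi(P) for P in G}), list({phi(P) for P in C})
layers.append(sorted(P[0] for P in C))                           # L^(k): the root

def psi(i, x):
    return maps[i][0](x) * inv(maps[i][1](x)) % p
def children(i, t):                       # the two preimages in L^(i) of t in L^(i+1) (layer rescan: a toy)
    return [s for s in layers[i] if psi(i, s) == t]
def ancestor(j, s, l):                    # the ancestor in L^(j+l) of s in L^(j)
    for i in range(j, j + l):
        s = psi(i, s)
    return s

def fftree_ok():
    """Definition 3.3: |L^(i)| = 2^(k-i) and every node of L^(i+1) has exactly two children in L^(i)"""
    return len(layers[k]) == 1 and all(len(set(layers[i])) == 2 ** (k - i)
        and all(len(children(i, t)) == 2 for t in layers[i + 1]) for i in range(k))

def extend(j, S, Sp, tab):
    """EXTEND_{S,S'} of Theorem 5.2 for basic sets S, S' in the same layer L^(j):
    tab = <P o S> with deg P < |S|; returns <P o S'>."""
    n = len(S)
    if n == 1:
        return {Sp[0]: tab[S[0]]}                    # P is a constant
    v, e = maps[j][1], n // 2 - 1
    T, Tp = sorted({psi(j, s) for s in S}), sorted({psi(j, s) for s in Sp})
    P0, P1 = {}, {}
    for t in T:                                      # Lemma 3.2: invert M_t at every t in T
        s0, s1 = children(j, t)
        a0 = tab[s0] * inv(pow(v(s0), e, p)) % p
        a1 = tab[s1] * inv(pow(v(s1), e, p)) % p
        P1[t] = (a1 - a0) * inv(s1 - s0) % p
        P0[t] = (a0 - s0 * P1[t]) % p
    Q0, Q1 = extend(j + 1, T, Tp, P0), extend(j + 1, T, Tp, P1)
    return {s: pow(v(s), e, p) * (Q0[t] + s * Q1[t]) % p    # Lemma 3.1, recombined on S'
            for t in Tp for s in children(j, t)}

def mult(j, S0, S1, tabP, tabQ):
    """MULT_{S,S0} of Corollary 5.3: <P o S0>, <Q o S0>, deg P, deg Q < |S0|; returns <P.Q o S>"""
    P = {**tabP, **extend(j, S0, S1, tabP)}
    Q = {**tabQ, **extend(j, S0, S1, tabQ)}
    return {s: P[s] * Q[s] % p for s in S0 + S1}
evaluate = lambda coeffs, x: reduce(lambda r, c: (r * x + c) % p, reversed(coeffs), 0)   # Horner

def demo():
    """extend and multiply two constructed polynomials on L^(0); compare with direct evaluation"""
    S0, S1 = ([s for s in layers[0] if ancestor(0, s, k - 1) == c]     # the two moieties of L^(0)
              for c in children(k - 1, layers[k][0]))
    P, Q = [3, 1, 4, 1], [2, 7, 1, 8]                                # constructed coefficients, degree < 4
    tabP, tabQ = ({s: evaluate(c, s) for s in S0} for c in (P, Q))
    PQ = [sum(P[i] * Q[d - i] for i in range(4) if 0 <= d - i < 4) % p for d in range(7)]
    ext_ok = extend(0, S0, S1, tabP) == {s: evaluate(P, s) for s in S1}
    mul_ok = mult(0, S0, S1, tabP, tabQ) == {s: evaluate(PQ, s) for s in S0 + S1}
    return ext_ok, mul_ok
```

Importing the module builds the tree; `fftree_ok()` checks the two conditions of Definition 3.3, and `demo()` returns `(True, True)` when EXTEND and MULT agree with Horner evaluation of the constructed polynomials. The first isogeny always has $x_0 = 0$ here because $(0, 0)$ is the only rational 2-torsion point of $E_0$; from $E_1$ onwards all three 2-torsion points are rational, and the loop picks the one lying in $G_i$, which is what keeps $v(s) = s - x_0$ nonzero on every $L^{(i)}$.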

References
[1] Eli Ben-Sasson, Dan Carmon, Swastik Kopparty, and David Levit. Elliptic Curve Fast Fourier Transform (ECFFT) Part I: Fast polynomial algorithms over all finite fields, 2021. arXiv:2107.08473.
