VDAF-18 test vecs and Rhizomes math (#1400)

* use draft-irtf-cfrg-vdaf-18 test vectors

- update test vectors paths from "/15/" to "/18"
- change various variable names, field names from "prep", "prepare" to
  "verifier", "verify"

We still have lots and lots of things throughout the crate called
"prepare" that should be "verify". This commit deliberately only deals
with the test vector code to keep the diff smaller.

* `flp`: Maintain polynomials in Lagrange basis

Update the implementation of fully linear proofs to do polynomial
multiplications and evaluations in the Lagrange basis, using algorithms
from Faz25 ([1]), as specified in draft-irtf-cfrg-vdaf-18 ([2]).

The most important changes are in:

- `flp::Flp::{prove, query, decide}`
- `flp::ProveShimGadget`
- `flp::QueryShimGadget`
- `flp::gadgets::Mul`
- `flp::gadgets::PolyEval`

Since we no longer need to precompute a multiplicative inverse,
`flp::Gadgets::Mul` is no longer generic over `FieldElement`, and
removing that generic parameter is reflected in a number of places in
the codebase.

Finally, in order to avoid an unnecessary copy, we make minor changes to
the interfaces in `mod polynomial`:

- `poly_mul_lagrange` now writes output to a provided output buffer
  instead of allocating and returning `Vec<F>`
- `double_evaluations` (which returns its output as `Vec<F>`) is renamed
  `get_double_evaluations` (matching the convention set in `mod ntt`)
  and we add `double_evaluations` which writes output to a provided
  buffer.

[1]: https://eprint.iacr.org/2025/1727.pdf
[2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vdaf-18#name-polynomial-evaluation

Closes #1394

Author: tgeoghegan

benches/speed_tests.rs

@@ -20,9 +20,7 @@ use prio::vdaf::prio2::Prio2;
 #[cfg(feature = "experimental")]
 use prio::vidpf::VidpfServerId;
 use prio::{
-    benchmarked::*,
     field::{Field128 as F, FieldElement},
-    flp::gadgets::Mul,
     vdaf::{prio3::Prio3, Aggregator, Client},
 };
 #[cfg(feature = "experimental")]
@@ -81,44 +79,6 @@ pub fn dp_noise(c: &mut Criterion) {
     group.finish();
 }
 
-/// The asymptotic cost of polynomial multiplication is `O(n log n)` using NTT and `O(n^2)` using
-/// the naive method. This benchmark demonstrates that the latter has better concrete performance
-/// for small polynomials. The result is used to pick the `NTT_THRESHOLD` constant in
-/// `src/flp/gadgets.rs`.
-fn poly_mul(c: &mut Criterion) {
-    let test_sizes = [1_usize, 30, 60, 90, 120, 150, 255];
-
-    let mut group = c.benchmark_group("poly_mul");
-    for size in test_sizes {
-        group.bench_with_input(BenchmarkId::new("ntt", size), &size, |b, size| {
-            let m = (size + 1).next_power_of_two();
-            let mut g: Mul<F> = Mul::new(*size);
-            let mut outp = vec![F::zero(); 2 * m];
-            let mut inp = vec![];
-            inp.push(F::random_vector(m));
-            inp.push(F::random_vector(m));
-
-            b.iter(|| {
-                benchmarked_gadget_mul_call_poly_ntt(&mut g, &mut outp, &inp).unwrap();
-            })
-        });
-
-        group.bench_with_input(BenchmarkId::new("direct", size), &size, |b, size| {
-            let m = (size + 1).next_power_of_two();
-            let mut g: Mul<F> = Mul::new(*size);
-            let mut outp = vec![F::zero(); 2 * m];
-            let mut inp = vec![];
-            inp.push(F::random_vector(m));
-            inp.push(F::random_vector(m));
-
-            b.iter(|| {
-                benchmarked_gadget_mul_call_poly_direct(&mut g, &mut outp, &inp).unwrap();
-            })
-        });
-    }
-    group.finish();
-}
-
 /// Benchmark prio2.
 #[cfg(feature = "experimental")]
 fn prio2(c: &mut Criterion) {
@@ -1022,8 +982,8 @@ fn vidpf(c: &mut Criterion) {
 }
 
 #[cfg(feature = "experimental")]
-criterion_group!(benches, poplar1, prio3, prio2, poly_mul, prng, idpf, dp_noise, vidpf);
+criterion_group!(benches, poplar1, prio3, prio2, prng, idpf, dp_noise, vidpf);
 #[cfg(not(feature = "experimental"))]
-criterion_group!(benches, prio3, prng, poly_mul);
+criterion_group!(benches, prio3, prng);
 
 criterion_main!(benches);