flp: Maintain polynomials in Lagrange basis

Update the implementation of fully linear proofs to do polynomial
multiplications and evaluations in the Lagrange basis, using algorithms
from Faz25 ([1]), as specified in draft-irtf-cfrg-vdaf-18 ([2]).

The most important changes are in:

- `flp::Flp::{prove, query, decide}`
- `flp::ProveShimGadget`
- `flp::QueryShimGadget`
- `flp::gadgets::Mul`
- `flp::gadgets::PolyEval`

Since we no longer need to precompute a multiplicative inverse,
`flp::Gadgets::Mul` is no longer generic over `FieldElement`, and
removing that generic parameter is reflected in a number of places in
the codebase.

Finally, in order to avoid an unnecessary copy, we make minor changes to
the interfaces in `mod polynomial`:

- `poly_mul_lagrange` now writes output to a provided output buffer
  instead of allocating and returning `Vec<F>`
- `double_evaluations` (which returns its output as `Vec<F>`) is renamed
  `get_double_evaluations` (matching the convention set in `mod ntt`)
  and we add `double_evaluations` which writes output to a provided
  buffer.

[1]: https://eprint.iacr.org/2025/1727.pdf
[2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-vdaf-18#name-polynomial-evaluation

Closes #1394

Author: tgeoghegan

benches/speed_tests.rs

@@ -20,9 +20,7 @@ use prio::vdaf::prio2::Prio2;
 #[cfg(feature = "experimental")]
 use prio::vidpf::VidpfServerId;
 use prio::{
-    benchmarked::*,
     field::{Field128 as F, FieldElement},
-    flp::gadgets::Mul,
     vdaf::{prio3::Prio3, Aggregator, Client},
 };
 #[cfg(feature = "experimental")]
@@ -81,44 +79,6 @@ pub fn dp_noise(c: &mut Criterion) {
     group.finish();
 }
 
-/// The asymptotic cost of polynomial multiplication is `O(n log n)` using NTT and `O(n^2)` using
-/// the naive method. This benchmark demonstrates that the latter has better concrete performance
-/// for small polynomials. The result is used to pick the `NTT_THRESHOLD` constant in
-/// `src/flp/gadgets.rs`.
-fn poly_mul(c: &mut Criterion) {
-    let test_sizes = [1_usize, 30, 60, 90, 120, 150, 255];
-
-    let mut group = c.benchmark_group("poly_mul");
-    for size in test_sizes {
-        group.bench_with_input(BenchmarkId::new("ntt", size), &size, |b, size| {
-            let m = (size + 1).next_power_of_two();
-            let mut g: Mul<F> = Mul::new(*size);
-            let mut outp = vec![F::zero(); 2 * m];
-            let mut inp = vec![];
-            inp.push(F::random_vector(m));
-            inp.push(F::random_vector(m));
-
-            b.iter(|| {
-                benchmarked_gadget_mul_call_poly_ntt(&mut g, &mut outp, &inp).unwrap();
-            })
-        });
-
-        group.bench_with_input(BenchmarkId::new("direct", size), &size, |b, size| {
-            let m = (size + 1).next_power_of_two();
-            let mut g: Mul<F> = Mul::new(*size);
-            let mut outp = vec![F::zero(); 2 * m];
-            let mut inp = vec![];
-            inp.push(F::random_vector(m));
-            inp.push(F::random_vector(m));
-
-            b.iter(|| {
-                benchmarked_gadget_mul_call_poly_direct(&mut g, &mut outp, &inp).unwrap();
-            })
-        });
-    }
-    group.finish();
-}
-
 /// Benchmark prio2.
 #[cfg(feature = "experimental")]
 fn prio2(c: &mut Criterion) {
@@ -1022,8 +982,8 @@ fn vidpf(c: &mut Criterion) {
 }
 
 #[cfg(feature = "experimental")]
-criterion_group!(benches, poplar1, prio3, prio2, poly_mul, prng, idpf, dp_noise, vidpf);
+criterion_group!(benches, poplar1, prio3, prio2, prng, idpf, dp_noise, vidpf);
 #[cfg(not(feature = "experimental"))]
-criterion_group!(benches, prio3, prng, poly_mul);
+criterion_group!(benches, prio3, prng);
 
 criterion_main!(benches);