feat(poly): impl MontMul based NTT

Author: batzor

benchmark/ntt/ntt_benchmark.mlir

@@ -6,6 +6,10 @@
 #root_elem = #field.pf_elem<17220337697351015657950521176323262483320249231368149235373741788599650842711:i256> : !coeff_ty
 #root = #poly.primitive_root<root=#root_elem, degree=1048576:i256>
 
+!mod = !mod_arith.int<21888242871839275222246405745257275088548364400416034343698204186575808495617 : i256>
+#mont = #mod_arith.montgomery<!mod>
+#root_mont = #poly.primitive_root<root=#root_elem, degree=1048576:i256, montgomery=#mont>
+
 func.func @input_generation() -> !poly_ty attributes { llvm.emit_c_interface } {
   %c42 = arith.constant 6420 : i256
   %full = tensor.splat %c42 : !intt_ty
@@ -25,3 +29,15 @@ func.func @intt(%arg0 : !intt_ty) -> !poly_ty attributes { llvm.emit_c_interface
   %1 = poly.intt %0 {root=#root} : !coefft_ty -> !poly_ty
   return %1 :!poly_ty
 }
+
+func.func @ntt_mont(%arg0 : !poly_ty) -> !intt_ty attributes { llvm.emit_c_interface } {
+  %0 = poly.ntt %arg0 {root=#root_mont} : !poly_ty -> !coefft_ty
+  %1 = field.pf.extract %0 : !coefft_ty -> !intt_ty
+  return %1 : !intt_ty
+}
+
+func.func @intt_mont(%arg0 : !intt_ty) -> !poly_ty attributes { llvm.emit_c_interface } {
+  %0 = field.pf.encapsulate %arg0 : !intt_ty -> !coefft_ty
+  %1 = poly.intt %0 {root=#root_mont} : !coefft_ty -> !poly_ty
+  return %1 :!poly_ty
+}

benchmark/ntt/ntt_benchmark_test.cc

@@ -17,6 +17,11 @@ extern "C" void _mlir_ciface_input_generation(Memref<i256> *output);
 extern "C" void _mlir_ciface_ntt(Memref<i256> *output, Memref<i256> *input);
 extern "C" void _mlir_ciface_intt(Memref<i256> *output, Memref<i256> *input);
 
+extern "C" void _mlir_ciface_ntt_mont(Memref<i256> *output,
+                                      Memref<i256> *input);
+extern "C" void _mlir_ciface_intt_mont(Memref<i256> *output,
+                                       Memref<i256> *input);
+
 void BM_ntt_benchmark(::benchmark::State &state) {
   Memref<i256> input(1, DEGREE);
   _mlir_ciface_input_generation(&input);
@@ -61,6 +66,50 @@ void BM_intt_benchmark(::benchmark::State &state) {
 // modifying the input. But I am not sure why ;(
 BENCHMARK(BM_intt_benchmark)->Iterations(1)->Unit(::benchmark::kSecond);
 
+void BM_ntt_mont_benchmark(::benchmark::State &state) {
+  Memref<i256> input(1, DEGREE);
+  _mlir_ciface_input_generation(&input);
+
+  Memref<i256> ntt(1, DEGREE);
+  for (auto _ : state) {
+    _mlir_ciface_ntt_mont(&ntt, &input);
+  }
+
+  Memref<i256> intt(1, DEGREE);
+  _mlir_ciface_intt_mont(&intt, &ntt);
+
+  for (int i = 0; i < DEGREE; i++) {
+    for (int j = 0; j < 4; j++) {
+      EXPECT_EQ(intt.pget(0, i)->limbs[j], input.pget(0, i)->limbs[j]);
+    }
+  }
+}
+
+BENCHMARK(BM_ntt_mont_benchmark)->Unit(::benchmark::kSecond);
+
+void BM_intt_mont_benchmark(::benchmark::State &state) {
+  Memref<i256> input(1, DEGREE);
+  _mlir_ciface_input_generation(&input);
+
+  Memref<i256> ntt(1, DEGREE);
+  _mlir_ciface_ntt_mont(&ntt, &input);
+
+  Memref<i256> intt(1, DEGREE);
+  for (auto _ : state) {
+    _mlir_ciface_intt_mont(&intt, &ntt);
+  }
+
+  for (int i = 0; i < DEGREE; i++) {
+    for (int j = 0; j < 4; j++) {
+      EXPECT_EQ(intt.pget(0, i)->limbs[j], input.pget(0, i)->limbs[j]);
+    }
+  }
+}
+
+// FIXME(batzor): It fails for more than 1 iteration so it seems like it is
+// modifying the input. But I am not sure why ;(
+BENCHMARK(BM_intt_mont_benchmark)->Iterations(1)->Unit(::benchmark::kSecond);
+
 }  // namespace
 }  // namespace zkir
 
@@ -69,9 +118,11 @@ BENCHMARK(BM_intt_benchmark)->Iterations(1)->Unit(::benchmark::kSecond);
 // L1 Data 64 KiB
 // L1 Instruction 128 KiB
 // L2 Unified 4096 KiB (x14)
-// Load Average: 22.54, 38.87, 26.62
-// -------------------------------------------------------------------------
-// Benchmark                               Time             CPU   Iterations
-// -------------------------------------------------------------------------
-// BM_ntt_benchmark                    0.321 s         0.320 s             2
-// BM_intt_benchmark/iterations:1      0.475 s         0.473 s             1
+// Load Average: 9.50, 8.31, 8.95
+// ------------------------------------------------------------------------------
+// Benchmark                                    Time             CPU Iterations
+// ------------------------------------------------------------------------------
+// BM_ntt_benchmark                         0.339 s         0.333 s 2
+// BM_intt_benchmark/iterations:1           0.501 s         0.493 s 1
+// BM_ntt_mont_benchmark                    0.379 s         0.372 s 2
+// BM_intt_mont_benchmark/iterations:1      0.510 s         0.504 s 1

zkir/Dialect/Poly/Conversions/PolyToField/PolyToField.cpp

@@ -202,19 +202,31 @@ struct ConvertFromTensor : public OpConversionPattern<FromTensorOp> {
 
 // Butterfly : Cooley-Tukey
 static std::pair<Value, Value> bflyCT(ImplicitLocOpBuilder &b, Value A, Value B,
-                                      Value root) {
-  auto rootB = b.create<field::MulOp>(B, root);
+                                      Value root,
+                                      mod_arith::MontgomeryAttr montAttr) {
+  Value rootB;
+  if (montAttr != mod_arith::MontgomeryAttr()) {
+    rootB = b.create<field::MontMulOp>(B, root, montAttr);
+  } else {
+    rootB = b.create<field::MulOp>(B, root);
+  }
   auto ctPlus = b.create<field::AddOp>(A, rootB);
   auto ctMinus = b.create<field::SubOp>(A, rootB);
   return {std::move(ctPlus), std::move(ctMinus)};
 }
 
 // Butterfly : Gentleman-Sande
 static std::pair<Value, Value> bflyGS(ImplicitLocOpBuilder &b, Value A, Value B,
-                                      Value root) {
+                                      Value root,
+                                      mod_arith::MontgomeryAttr montAttr) {
   auto gsPlus = b.create<field::AddOp>(A, B);
   auto gsMinus = b.create<field::SubOp>(A, B);
-  auto gsMinusRoot = b.create<field::MulOp>(gsMinus, root);
+  Value gsMinusRoot;
+  if (montAttr != mod_arith::MontgomeryAttr()) {
+    gsMinusRoot = b.create<field::MontMulOp>(gsMinus, root, montAttr);
+  } else {
+    gsMinusRoot = b.create<field::MulOp>(gsMinus, root);
+  }
   return {std::move(gsPlus), std::move(gsMinusRoot)};
 }
 
@@ -429,8 +441,10 @@ static Value fastNTT(ImplicitLocOpBuilder &b, PrimitiveRootAttr rootAttr,
                     // (bflyGS) variant, depending on whether we are performing
                     // an inverse transform.
                     // ---------------------------------------------------------
-                    auto bflyResult = kInverse ? bflyGS(b, A, B, root)
-                                               : bflyCT(b, A, B, root);
+                    auto bflyResult =
+                        kInverse
+                            ? bflyGS(b, A, B, root, rootAttr.getMontgomery())
+                            : bflyCT(b, A, B, root, rootAttr.getMontgomery());
 
                     // Write the results back into the coefficient array.
                     // Insert the "plus" result into `indexA` and the "minus"

zkir/Dialect/Poly/IR/BUILD.bazel

@@ -25,6 +25,7 @@ cc_library(
         ":ops_inc_gen",
         ":types_inc_gen",
         "//zkir/Dialect/Field/IR:Field",
+        "//zkir/Dialect/ModArith/IR:ModArith",
         "//zkir/Utils:APIntUtils",
         "@llvm-project//llvm:Support",
         "@llvm-project//mlir:ArithDialect",

zkir/Dialect/Poly/IR/PolyAttributes.cpp

@@ -12,7 +12,8 @@ namespace mlir::zkir::poly {
 // Compute the first degree powers of root modulo mod.
 static void precomputeRoots(APInt root, const APInt &mod, unsigned degree,
                             SmallVector<APInt> &roots,
-                            SmallVector<APInt> &invRoots) {
+                            SmallVector<APInt> &invRoots,
+                            std::optional<IntegerAttr> montgomeryR) {
   unsigned kBitWidth = llvm::bit_width(degree);
 
   // Precompute powers-of-two: `powerOfTwo[k]` = `root^(2^k)` mod `mod`.
@@ -22,11 +23,17 @@ static void precomputeRoots(APInt root, const APInt &mod, unsigned degree,
     powerOfTwo[k] = mulMod(powerOfTwo[k - 1], powerOfTwo[k - 1], mod);
   }
 
+  // Coset factor
+  APInt coset(mod.getBitWidth(), 1);
+  if (montgomeryR) {
+    coset = montgomeryR->getValue();
+  }
+
   // Prepare the result vector.
   roots.resize(degree);
   invRoots.resize(degree);
-  roots[0] = APInt(root.getBitWidth(), 1);     // Identity element.
-  invRoots[0] = APInt(root.getBitWidth(), 1);  // Identity element.
+  roots[0] = coset;
+  invRoots[0] = coset;
 
   llvm::StdThreadPool pool(llvm::hardware_concurrency());
 
@@ -42,8 +49,9 @@ static void precomputeRoots(APInt root, const APInt &mod, unsigned degree,
         exp >>= 1;
         bit++;
       }
-      roots[i] = result;
-      invRoots[degree - i] = result;
+
+      roots[i] = mulMod(coset, result, mod);
+      invRoots[degree - i] = mulMod(coset, result, mod);
     });
   }
 
@@ -73,13 +81,18 @@ DenseElementsAttr PrimitiveRootAttr::getInvRoots() const {
   return getImpl()->invRoots;
 }
 
+zkir::mod_arith::MontgomeryAttr PrimitiveRootAttr::getMontgomery() const {
+  return getImpl()->montgomery;
+}
+
 namespace detail {
 
 PrimitiveRootAttrStorage *PrimitiveRootAttrStorage::construct(
     AttributeStorageAllocator &allocator, KeyTy &&key) {
   // Extract the root and degree from the key.
   zkir::field::PrimeFieldAttr root = std::get<0>(key);
   IntegerAttr degree = std::get<1>(key);
+  zkir::mod_arith::MontgomeryAttr montgomery = std::get<2>(key);
 
   APInt mod = root.getType().getModulus().getValue();
   APInt rootVal = root.getValue().getValue();
@@ -94,8 +107,11 @@ PrimitiveRootAttrStorage *PrimitiveRootAttrStorage::construct(
 
   // Compute the exponent table.
   SmallVector<APInt> roots, invRoots;
-  precomputeRoots(rootVal, mod, degree.getInt(), roots, invRoots);
-
+  std::optional<IntegerAttr> montgomeryR;
+  if (montgomery != zkir::mod_arith::MontgomeryAttr()) {
+    montgomeryR = montgomery.getR();
+  }
+  precomputeRoots(rootVal, mod, degree.getInt(), roots, invRoots, montgomeryR);
   // Create a ranked tensor type for the exponents attribute.
   auto tensorType = RankedTensorType::get(
       {degree.getInt()}, root.getType().getModulus().getType());
@@ -106,7 +122,8 @@ PrimitiveRootAttrStorage *PrimitiveRootAttrStorage::construct(
   return new (allocator.allocate<PrimitiveRootAttrStorage>())
       PrimitiveRootAttrStorage(std::move(degree), std::move(invDegree),
                                std::move(root), std::move(invRoot),
-                               std::move(rootsAttr), std::move(invRootsAttr));
+                               std::move(rootsAttr), std::move(invRootsAttr),
+                               std::move(montgomery));
 }
 
 }  // namespace detail

zkir/Dialect/Poly/IR/PolyAttributes.h

@@ -6,31 +6,38 @@
 
 #include "mlir/Dialect/Polynomial/IR/PolynomialAttributes.h"
 #include "zkir/Dialect/Field/IR/FieldAttributes.h"
+#include "zkir/Dialect/ModArith/IR/ModArithAttributes.h"
 #include "zkir/Dialect/Poly/IR/PolyDialect.h"
 #include "zkir/Dialect/Poly/IR/PolyTypes.h"
 
 namespace mlir::zkir::poly::detail {
 
 struct PrimitiveRootAttrStorage : public AttributeStorage {
-  using KeyTy = std::tuple<zkir::field::PrimeFieldAttr, IntegerAttr>;
+  using KeyTy = std::tuple<zkir::field::PrimeFieldAttr, IntegerAttr,
+                           mod_arith::MontgomeryAttr>;
   PrimitiveRootAttrStorage(IntegerAttr degree,
                            zkir::field::PrimeFieldAttr invDegree,
                            zkir::field::PrimeFieldAttr root,
                            zkir::field::PrimeFieldAttr invRoot,
-                           DenseElementsAttr roots, DenseElementsAttr invRoots)
+                           DenseElementsAttr roots, DenseElementsAttr invRoots,
+                           zkir::mod_arith::MontgomeryAttr montgomery)
       : degree(std::move(degree)),
         invDegree(std::move(invDegree)),
         root(std::move(root)),
         invRoot(std::move(invRoot)),
         roots(std::move(roots)),
-        invRoots(std::move(invRoots)) {}
+        invRoots(std::move(invRoots)),
+        montgomery(std::move(montgomery)) {}
 
-  KeyTy getAsKey() const { return KeyTy(root, degree); }
+  KeyTy getAsKey() const { return KeyTy(root, degree, montgomery); }
 
-  bool operator==(const KeyTy &key) const { return key == KeyTy(root, degree); }
+  bool operator==(const KeyTy &key) const {
+    return key == KeyTy(root, degree, montgomery);
+  }
 
   static llvm::hash_code hashKey(const KeyTy &key) {
-    return llvm::hash_combine(std::get<0>(key), std::get<1>(key));
+    return llvm::hash_combine(std::get<0>(key), std::get<1>(key),
+                              std::get<2>(key));
   }
 
   static PrimitiveRootAttrStorage *construct(
@@ -42,6 +49,7 @@ struct PrimitiveRootAttrStorage : public AttributeStorage {
   zkir::field::PrimeFieldAttr invRoot;
   DenseElementsAttr roots;
   DenseElementsAttr invRoots;
+  zkir::mod_arith::MontgomeryAttr montgomery;
 };
 
 }  // namespace mlir::zkir::poly::detail

zkir/Dialect/Poly/IR/PolyAttributes.td

@@ -59,7 +59,7 @@ def Poly_PrimitiveRootAttr: Poly_Attr<"PrimitiveRoot", "primitive_root"> {
     DenseElementsAttr getRoots() const;
     DenseElementsAttr getInvRoots() const;
   }];
-  let parameters = (ins Field_PrimeFieldAttr:$root, "IntegerAttr":$degree);
+  let parameters = (ins Field_PrimeFieldAttr:$root, "IntegerAttr":$degree, OptionalParameter<"mod_arith::MontgomeryAttr">:$montgomery);
   let assemblyFormat = "`<` struct(params) `>`";
   let genStorageClass = 0;
 }