Algorithmic Views of Vectorized Polynomial Multipliers – NTRU

Abstract

The lattice-based post-quantum cryptosystem NTRU is used by Google for protecting Google’s internal communication. In NTRU, polynomial multiplication is one of bottleneck. In this paper, we explore the interactions between polynomial multiplications, Toeplitz matrix-vector products, and vectorization with architectural insights. For a unital commutative ring R, a positive integer n, and an element \(\zeta \in R\), we reveal the benefit of vector-by-scalar multiplication instructions while multiplying in \( \left. {R[x]} / {\left\langle {x^n - \zeta } \right\rangle } \right. \).

We aim at designing an algorithm exploiting no algebraic and number–theoretic properties of n and \(\zeta \). An obvious way is to multiply in R[x] and reduce modulo \(x^n - \zeta \). Since the product in R[x] is a polynomial of degree at most \(2n - 2\), one usually chooses a polynomial modulus \(\boldsymbol{g}\) such that (i) \(\text {deg}(\boldsymbol{g}) \ge 2n - 1\), and (ii) there exists a well-studied fast polynomial multiplication algorithm f for multiplying in \( \left. {R[x]} / {\left\langle {\boldsymbol{g}} \right\rangle } \right. \).

We deviate from common approaches and point out a novel insight with dual modules and vector-by-scalar multiplications. Conceptually, we relate the module-theoretic duals of \( \left. {R[x]} / {\left\langle {x^n - \zeta } \right\rangle } \right. \) and \( \left. {R[x]} / {\left\langle {\boldsymbol{g}} \right\rangle } \right. \) with Toeplitz matrix-vector products, and demonstrate the benefit of Toeplitz matrix-vector products with vector-by-scalar multiplication instructions. It greatly reduces the register pressure, and allows us to multiply with essentially no permutation instructions that are commonly used in vectorized implementation.

We implement the ideas for the NTRU parameter sets ntruhps2048677 and ntruhrss701 on a Cortex-A72 implementing the Armv8.0-A architecture with the single-instruction-multiple-data (SIMD) technology Neon. For polynomial multiplications, our implementation is \(2.18 \times \) and \(2.23 \times \) for ntruhps2048677 and ntruhrsss701 than the state-of-the-art optimized implementation. We also vectorize the polynomial inversions and sorting network by employing existing techniques and translating AVX2-optimized implementations into Neon. Compared to the state-of-the-art optimized implementation, our key generation, encapsulation, and decapsulation for ntruhps2048677 are \(7.67 \times \), \(2.48 \times \), and \(1.77 \times \) faster, respectively. For ntruhrss701, our key generation, encapsulation, and decapsulation are \(7.99 \times \), \(1.47 \times \), and \(1.56 \times \) faster, respectively.

Appendices

A Proof for the Toeplitz Transformation

For an algebra homomorphism \(f: R[x]_{<n} \rightarrow S\) with \(f_k {:}{=}f|_{R[x]_{<k}}\) a monomorphism, and module homomorphism \((\boldsymbol{a}, -) = {\left\{ \begin{array}{ll} {R^k \rightarrow R^n} \\ \boldsymbol{b}\mapsto \boldsymbol{a}\boldsymbol{b}\end{array}\right. }\) where \(n \ge 2k - 1\), we have

$$ \left( {{\textbf {Toeplitz}}}_{k \times k}(-) \right) (\boldsymbol{a}) = \text {rev}_{k \times k} \circ f_k^* \circ (f_k(\boldsymbol{a}), -)^* \circ (f^{-1})^* \circ \text {id}_{(2k - 1) \rightarrow n}. $$

Proof

Observe \((\boldsymbol{a}, -)^* = f_k^* \circ \left( f_k(\boldsymbol{a}), - \right) ^* \circ \left( f^{-1} \right) ^* \circ \text {id}_{(2k - 1) \rightarrow n}\), it remains to show \(\left( {{\textbf {Toeplitz}}}_{k \times k}(-)\right) (\boldsymbol{a}) = \text {rev}_{k \times k} \circ (\boldsymbol{a}, -)^*\). Let \(\boldsymbol{z}= (z_0, \dots , z_{2k - 2})\), \([k] = \left\{ {0, \dots , k - 1} \right\} \), and \(\boldsymbol{0}_{m_0, m_1}\) the \(m_0 \times m_1\) matrix of zeros. We have:

Applying \(\text {rev}_{k \times k}\) from the left finishes the proof (cf. [18, Theorem 6]).

B Examples of Toeplitz Transformations

We give some examples of f’s implementing \(\begin{pmatrix} z_1 &{} z_2 \\ z_0 &{} z_1 \end{pmatrix} \begin{pmatrix} a_1 \\ a_0 \end{pmatrix}\):

where \({\textbf {F}}_k^{-1} = \left( {\textbf {F}}_k^{-1} \right) ^T\) is the inverse of the cyclic size-k FFT.