A General-Purpose Number Theoretic Transform Algorithm for Compact RLWE Cryptoprocessors

Abstract

Ring learning with errors (RLWE) is a commonly-used primitive in the construction of lattice-based cryptography, which is widely adopted in the design of post-quantum cryptographic algorithms and homomorphic encryption schemes. The cryptosystems based on RLWE are usually defined on a polynomial quotient ring with addition and multiplication operations. The polynomial multiplication is expensive in both time and space, hence optimizations are needed in order to achieve practical RLWE implementations. Number theoretic transform (NTT) is a technique widely used to speed up polynomial multiplications. In this paper we propose a general-purpose NTT algorithm that can support different RLWE parameters. Unlike the NTT optimizations which need significant amount of space to store the NTT parameters for each different RLWE setting, this algorithm trades a small amount of time for the elimination of most pre-computed NTT parameters. This is particularly helpful for implementations which have tight area or storage budget. For the Fan-Vercauteren fully-homomorphic encryption scheme with 192-bit classical security, our implementation of all the NTT components requires 612 bytes of read-only data on a STM32 microcontroller, while a conventional implementation requires 96 KB.