An Extensive Study of Flexible Design Methods for the Number Theoretic Transform

Abstract

Efficient lattice-based cryptosystems operate with polynomial rings with the Number Theoretic Transform (NTT) to reduce the computational complexity of polynomial multiplication. NTT has therefore become a major arithmetic component (thus computational bottleneck) in various cryptographic constructions like hash functions, key-encapsulation mechanisms, digital signatures, and homomorphic encryption. Although there exist several hardware designs in prior work for NTT, they all are isolated design instances fixed for specific NTT parameters or parallelization level. This article provides an extensive study of flexible design methods for NTT implementation. To that end, we evaluate three cases: (1) parametric hardware design, (2) high-level synthesis (HLS) design approach, and (3) design for software implementation compiled on soft-core processors, where all are targeted on reconfigurable hardware devices. We evaluate the designs that implement multiple NTT parameters and/or processing elements, demonstrate the design details for each case, and provide a fair comparison with each other and prior work. On a Xilinx Virtex-7 FPGA, compared to HLS and processor-based methods, the results show that the parametric hardware design is on average <inline-formula><tex-math notation="LaTeX">$4.4\times$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">$73.9\times$</tex-math></inline-formula> smaller and <inline-formula><tex-math notation="LaTeX">$22.5\times$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">$19.3\times$</tex-math></inline-formula> faster, respectively. Surprisingly, HLS tools can yield less efficient solutions than processor-based approaches in some cases.