Polynomial multiplier
By designing a polynomial multiplier and utilizing NTT operations to reduce the complexity of polynomial multiplication and optimizing the choice of modulus, the problem of low efficiency of polynomial multiplication in hardware implementation of lattice-based cryptography algorithms is solved, achieving efficient utilization of hardware resources and stable output of results.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: TSINGHUA UNIVERSITY
- Filing Date: 2026-03-12
- Publication Date: 2026-06-30
AI Technical Summary
Existing lattice-based cryptographic algorithms have high computational complexity for polynomial multiplication operations in hardware implementation, resulting in low execution efficiency. There is a lack of polynomial multipliers that can select the smallest possible modulus and achieve efficient modulo cutting.
A polynomial multiplier is designed, including a preprocessing module, an NTT operation module, a term-by-term product calculation module, an INTT operation module, and a postprocessing module. The NTT operation reduces the complexity of polynomial multiplication, optimizes the choice of modulus, reduces hardware resource consumption, and adapts to large-scale high-concurrency operations.
It significantly improves the processing speed of polynomial multiplication, reduces hardware resource consumption, adapts to embedded devices, ensures result reliability, and is suitable for hardware implementations of post-quantum cryptography, RSA, and elliptic curve cryptography.
Figure CN122308784A_ABST (abstract drawing)
Description
Technical Field
[0001] This invention relates to the field of hardware implementation technology, and in particular to a polynomial multiplier.
Background Technology
[0002] This section is intended to provide background or context for the embodiments of the invention set forth in the claims. The description herein is not an admission that it is prior art simply because it is included in this section.
[0003] Existing encryption algorithms effectively protect information security in traditional computing environments, but with the rapid development of quantum computing technology, the security of existing cryptographic algorithms is facing severe challenges. To address this challenge, post-quantum cryptography (PQC) has become a research hotspot. Among them, lattice-based cryptography (LBC), while resistant to quantum computers, boasts advantages such as high execution speed and small key size, making it the current mainstream research direction.
[0004] However, the LBC algorithm involves a large number of polynomial multiplication operations, resulting in high computational complexity and low hardware execution efficiency, thus creating a performance bottleneck. To address this issue, several efficient multiplication algorithms exist, such as the Karatsuba algorithm, the TOOM-COOK algorithm, and the NTT algorithm, which reduce the number of multiplications. Among these, the Number Theoretic Transform (NTT) algorithm, with its superior performance under the specific mathematical structures of lattice-based cryptography, has become the preferred solution for accelerating LBC polynomial multiplication. Its advantage lies in its optimal computational complexity: it reduces the complexity of polynomial multiplication from O(n²) to O(n log n), which is significantly better than Karatsuba (complexity O(n^1.585)) and TOOM-COOK (complexity O(n^1.465)) when dealing with the large-scale polynomials common in lattice-based cryptography, so NTT has a significant speed advantage. More importantly, NTT's mathematical foundation is naturally compatible with lattice-based cryptography: the operations of algorithms such as Kyber, Dilithium, and LAC are all defined on a polynomial ring. Therefore, NWC-NTT (negative wrapped convolution NTT) technology can be used to avoid doubling the number of NTT points and the additional modular polynomial reduction overhead, making it a good hardware implementation solution.
[0005] Using NTT for polynomial multiplication requires selecting an appropriate modulus. The bit width of the modulus directly affects the resource consumption of the hardware computation, so how to select the smallest possible modulus based on the characteristics of the input polynomials is crucial; this is a key design focus and involves the preprocessing method for the inputs of the polynomial multiplication module. At the same time, the algorithm's own operations are defined over the prime field, so after the NWC-NTT-based polynomial multiplication has been completed in the modulus field, the result must be converted back to the prime field as cheaply as possible. The modulus-cutting method (the modular reduction back to the prime field) in the proposed scheme is also a key design focus.
[0006] In summary, there is currently a lack of a polynomial multiplier that can select the smallest possible modulus and achieve efficient modulus cutting.
Summary of the Invention
[0007] This invention provides a polynomial multiplier, implemented in hardware, which can select the smallest possible modulus, reduce hardware resource consumption, and still output stable results and achieve efficient modulus cutting in large-scale, high-concurrency operations. The multiplier includes: The preprocessing module is used to obtain the input first polynomial randomized over the prime number field and the second polynomial whose coefficients in the prime number field satisfy a preset condition. The coefficients of the second polynomial are converted from the prime number field to the modulus field corresponding to the NTT operation to obtain the converted second polynomial. The first polynomial is adapted to the modulus field to obtain the first processed polynomial. The converted second polynomial is verified to adapt to the NTT operation to obtain the second processed polynomial. The NTT operation module is used to perform NTT operations on the first processing polynomial and the second processing polynomial respectively to obtain the corresponding first transformation vector and second transformation vector. The term-by-term product calculation module is used to perform term-by-term multiplication on the first transformation vector and the second transformation vector to obtain the product vector. The INTT operation module is used to perform an inverse number theory transformation on the product vector to obtain the INTT output vector. The post-processing module is used to convert the INTT output vector into a prime number field to obtain the polynomial multiplication result.
[0008] The polynomial multiplier proposed in this invention reduces the complexity of polynomial multiplication from O(n²) to O(n log n) by leveraging NTT operations, significantly reducing the computational load. Combined with a parallel multiplication design involving term-by-term product, it significantly improves processing speed and adapts to large-scale polynomial operation scenarios. Preprocessing is optimized for the coefficient preset conditions of the second polynomial, relaxing the NTT modulus constraint, reducing the number of bits occupied by the modulus, and lowering the consumption of hardware resources such as registers and multipliers, making it suitable for resource-constrained devices such as embedded systems. The preprocessing module verifies the adaptability of the second polynomial, and the postprocessing module performs targeted prime field conversion to ensure reliable results. The modules collaborate in a streamlined manner, and the operations are based on deterministic number theory transformation logic, requiring no additional computational assumptions, reducing the impact of interference factors, and ensuring stable output results even in large-scale, high-concurrency operations.
Attached Figure Description
[0009] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort. In the drawings:
Figure 1 is a schematic diagram of the structure of the polynomial multiplier in an embodiment of the present invention;
Figure 2 is a comparison diagram of the polynomial multiplication of the traditional scheme and the scheme in this embodiment of the invention in the NTT scenario;
Figure 3 is a comparison diagram of the polynomial multiplication of the traditional scheme and the scheme in this embodiment of the invention in the NWC-NTT scenario;
Figure 4 is a schematic diagram of the post-processing module in an embodiment of the present invention;
Figure 5 is another schematic diagram of the polynomial multiplier in an embodiment of the present invention.
Detailed Implementation
[0010] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the embodiments of the present invention will be further described in detail below with reference to the accompanying drawings. Here, the illustrative embodiments of the present invention and their descriptions are used to explain the present invention, but are not intended to limit the present invention.
[0011] Figure 1 is a schematic diagram of the structure of a polynomial multiplier in an embodiment of the present invention. The polynomial multiplier includes: The preprocessing module 101 is used to obtain a first polynomial randomly generated in the prime field and a second polynomial whose coefficients in the prime field satisfy a preset condition, convert the coefficients of the second polynomial from the prime field to the modulus field corresponding to the NTT operation, and obtain the converted second polynomial. The first polynomial is adapted to the modulus field to obtain a first processed polynomial, and the converted second polynomial is verified for adaptation to the NTT operation to obtain a second processed polynomial. NTT operation module 102 is used to perform the NTT operation on the first processed polynomial and the second processed polynomial respectively to obtain the corresponding first transformation vector and second transformation vector. The term-by-term product calculation module 103 is used to perform a term-by-term multiplication operation on the first transformation vector and the second transformation vector to obtain a product vector. INTT operation module 104 is used to perform the inverse number theoretic transform on the product vector to obtain the INTT output vector. The post-processing module 105 is used to convert the INTT output vector into the prime field to obtain the polynomial multiplication result.
[0012] In this embodiment of the invention, the complexity of polynomial multiplication is reduced from O(n²) to O(nlog n) by leveraging NTT operations, significantly reducing the amount of computation. Combined with a parallel multiplication design for term-by-term product, this significantly improves processing speed and adapts to large-scale polynomial operation scenarios. Preprocessing is optimized for the coefficient preset conditions of the second polynomial, relaxing the NTT modulus constraint, reducing the number of bits occupied by the modulus, and lowering the consumption of hardware resources such as registers and multipliers, making it suitable for resource-constrained devices such as embedded systems. The preprocessing module verifies the adaptability of the second polynomial, and the postprocessing module performs targeted prime field conversion to ensure reliable results. The modules collaborate in a streamlined manner, and the operations are based on deterministic number theory transformation logic, requiring no additional computational assumptions, reducing the impact of interference factors, and ensuring stable output results even in large-scale, high-concurrency operations.
[0013] In one embodiment, the preset condition is that the absolute value of the coefficient is only a preset number of discrete values.
[0014] In this embodiment of the invention, the characteristics of the input polynomial are taken into account: if it is known that the coefficients of a certain polynomial have very small absolute values in its prime field, the constraint on the modulus can be further relaxed.
[0015] In one embodiment, the range of values for each coefficient of the first polynomial over the prime field is: , where , q is the modulus of the prime field; the second polynomial has a coefficient range of 1 / 2 in the prime field , where .
[0016] In one embodiment, in the NTT scenario, the modulus of the modulus field is the minimum value that satisfies the following condition:
[0017] where Q' is the modulus of the modulus field, n is the order of the polynomial, and q is the modulus of the prime field.
[0018] In the NTT scenario, let the prime field of the algorithm itself be ... . Each coefficient of the first polynomial in the prime field satisfies ..., where n is the order of the polynomial, q is the modulus of the prime field, and ... is the upper bound of the absolute value of the coefficients of the first polynomial; each coefficient of the second polynomial in the prime field satisfies ..., where ... is the upper bound of the absolute value of the coefficients of the second polynomial. Therefore, without using the NWC technique, after preprocessing the two input polynomials, the modulus of the modulus field chosen for the NTT only needs to satisfy ..., where ..., which is smaller than the lower bound ... of the existing theory. Using this value for the subsequent hardware calculations therefore consumes fewer resources. Figure 2 is a comparison diagram of the polynomial multiplication of the traditional scheme and the scheme proposed in this invention in the NTT scenario, taking the 1024th-order LAC algorithm as an example. ... is a normal polynomial under the condition ...; ... contains only the three values 0, 1 and 250 (in ... these are equivalent to 0, 1 and -1, that is ...). Therefore the modulus satisfies the condition ... (choosing the smallest one gives ..., 20 bits). If the traditional method is followed, because ..., both polynomials are under ..., and (choosing the smallest) ... is 26 bits, which is 6 bits more than the solution in this application. Therefore, the solution proposed in this embodiment of the invention can effectively save hardware resources. Since the NTT operates in the modulus field ..., the coefficients of the polynomial ... must be transformed from the prime field (i.e. the three values 0, 1 and -1) into the modulus field ..., that is, through modular reduction ... the corresponding values 0, 1 and ... are obtained. Performing the NTT operation on the preprocessed polynomial then yields the correct result.
[0019] In one embodiment, in the NTT-NWC scenario, the modulus of the modulus field is the minimum value that satisfies the following condition:
[0020] where Q' is the modulus of the modulus field, n is the order of the polynomial, and q is the modulus of the prime field.
[0021] In the NWC-NTT scenario, that is, when polynomial multiplication is defined on the polynomial ring ..., NWC-NTT technology can be used to reduce ... . The lower bound of the existing theory is ... . This solution can also be applied in this scenario, relaxing the lower bound to obtain a smaller value ... . Let the prime field of the algorithm itself be ... . Each coefficient of the polynomial ... in the prime field satisfies ..., where ...; each coefficient of the polynomial ... in the prime field satisfies ..., where ... . Similarly, as long as the input polynomials are preprocessed, the modulus of the modulus field taken by the NTT only needs to satisfy ..., where ..., which is smaller than the lower bound ... of the existing theory. Using this value for the subsequent hardware calculations consumes fewer resources.
[0022] Because the LAC algorithm is defined on the polynomial ring ..., the example above still uses the 1024th-order LAC algorithm. The inputs are the two polynomials ... and ...: ... is a normal polynomial under the condition ...; ... contains only the three values 0, 1 and 250 (in ... these are equivalent to 0, 1 and -1, that is ...). Therefore the modulus satisfies the condition ... (choosing the smallest one gives ..., 19 bits). Figure 3 compares the polynomial multiplication of the traditional scheme and the proposed scheme in the NWC-NTT scenario of this invention. Taking the NWC-NTT polynomial multiplication of the 1024th-order LAC algorithm as an example, if the traditional scheme is followed, because ..., both polynomials are under ..., and (choosing the smallest) ... is 25 bits, which is 6 bits more than the solution in this application. Therefore, the proposed method can effectively save hardware resources in NWC-NTT scenarios.
[0023] The preprocessing module performs the same conversion for NWC-NTT scenarios as described above.
[0024] In one embodiment, the preprocessing module is used to determine whether the coefficients of the converted second polynomial belong to the modulus field; if so, the verification succeeds, and if not, the coefficients of the second polynomial are converted again from the prime field to the modulus field corresponding to the NTT operation.
[0025] The term-by-term product calculation module performs term-by-term multiplication on the first and second transformation vectors to obtain the product vector. It is necessary to ensure that the product vector falls within [0, Q'-1] without additional pruning.
[0026] Figure 4 is a structural schematic diagram of the post-processing module in an embodiment of the present invention. In one embodiment, the post-processing module includes a first post-processing module 401, used for: in the NTT scenario, a modulo operation over the prime field is performed on each element of the INTT output vector to obtain the polynomial multiplication result.
[0027] In one embodiment, the post-processing module includes a second post-processing module 402, used for: In the NWC-NTT scenario, determine whether each element in the INTT output vector is greater than half the modulus of the modulus field. If so, calculate the result of taking the modulus of the modulus field modulo the modulus of the prime field, and subtract the result from the element. If not, keep the element unchanged to obtain the corrected INTT output vector. Perform prime field modulo operation on each element of the corrected INTT output vector to obtain the polynomial multiplication result.
[0028] In this embodiment of the invention, NWC-NTT-based polynomial multiplication, compared with conventional NTT polynomial multiplication, omits the modular polynomial reduction step, and the post-processing for switching back to the prime field is different. The polynomial multiplication operation is defined in ..., and finally the result needs to be transferred to the algorithm's prime field ... . Because NWC-NTT involves a negative-wrapped (negacyclic) folding process, directly reducing the INTT output modulo ... leaves an offset from the final polynomial multiplication result. Therefore, the INTT output needs to be corrected before the modular reduction, and the post-processing steps are as follows: (1) determine whether each element of the INTT output vector is greater than half the modulus of the modulus field; (2) if it is, subtract from the element the result of taking the modulus of the modulus field modulo the modulus of the prime field, otherwise keep the original value; (3) reduce each element of the vector modulo the prime field modulus, which yields the polynomial multiplication result. In this embodiment of the invention, the post-processing uses ... in place of ..., which reduces the hardware resource consumption of the post-processing.
[0029] The result of polynomial multiplication must satisfy: 0 ≤ result of polynomial multiplication < q.
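The complete pipeline described above (preprocessing of 0/1/q-1 coefficients into the modulus field, the range check of paragraph [0024], NTT, term-by-term product, INTT, and the offset correction of the second post-processing module), as an added worked example in Python that is not code from the patent. The modulus rule Q' ≡ 1 (mod 2n) with Q' > 2·n·B_a·B_b, the parameters n = 8 and q = 251, and the input coefficients are assumptions chosen for illustration (q = 251 is consistent with the page's use of 250 as -1 in the LAC example); the transforms are written from their definitions rather than as the butterfly network a hardware module would use.

```python
# Added example (not the patent's code): NWC-NTT multiplication in Z_q[x]/(x^n + 1)
# with the NTT modulus Q' chosen from the coefficient bounds, plus the
# offset-correcting post-processing of the NWC-NTT scenario.
# All parameters below are constructed for illustration.

def is_prime(m):
    """Trial division; enough for the small moduli used here."""
    return m >= 2 and all(m % d for d in range(2, int(m ** 0.5) + 1))

def choose_ntt_modulus(n, bound_a, bound_b):
    """Smallest prime Q' with Q' = 1 (mod 2n) and Q' > 2*n*bound_a*bound_b.
    The congruence gives a primitive 2n-th root of unity for the negacyclic
    transform; the size bound (assumed, not the patent's formula) lets every
    signed product coefficient, |c_i| <= n*bound_a*bound_b, be read back from [0, Q')."""
    lo = 2 * n * bound_a * bound_b + 1
    m = ((lo - 1 + 2 * n - 1) // (2 * n)) * (2 * n) + 1   # next value = 1 mod 2n
    while not is_prime(m):
        m += 2 * n
    return m

def primitive_2n_root(n, Qp):
    """psi with psi^n = -1 (mod Q'), i.e. a primitive 2n-th root of unity."""
    for g in range(2, Qp):
        psi = pow(g, (Qp - 1) // (2 * n), Qp)
        if pow(psi, n, Qp) == Qp - 1:
            return psi
    raise ValueError("no primitive 2n-th root of unity")

def to_signed(coeffs, q):
    """Prime-field value in [0, q) -> centred representative in (-q/2, q/2]."""
    return [c - q if c > q // 2 else c for c in coeffs]

def preprocess(coeffs, q, Qp):
    """Preprocessing module: prime-field coefficients into the modulus field.
    0, 1, q-1 (i.e. 0, 1, -1) become 0, 1, Q'-1; general coefficients are centred
    first.  The returned flag is the range check run before the NTT."""
    conv = [c % Qp for c in to_signed(coeffs, q)]
    return conv, all(0 <= c < Qp for c in conv)

def ntt(a, psi, Qp):
    """Negacyclic forward transform from its definition, A_j = sum_i a_i psi^((2j+1)i)."""
    n = len(a)
    return [sum(a[i] * pow(psi, (2 * j + 1) * i, Qp) for i in range(n)) % Qp
            for j in range(n)]

def intt(A, psi, Qp):
    """Inverse transform: a_i = n^-1 * sum_j A_j psi^(-(2j+1)i)."""
    n, n_inv, psi_inv = len(A), pow(len(A), -1, Qp), pow(psi, -1, Qp)
    return [n_inv * sum(A[j] * pow(psi_inv, (2 * j + 1) * i, Qp) for j in range(n)) % Qp
            for i in range(n)]

def postprocess_nwc(c_mod, Qp, q):
    """Second post-processing module: an INTT output above Q'/2 encodes the
    negative value v - Q', so subtract (Q' mod q) before reducing modulo q."""
    offset = Qp % q
    return [((v - offset) if v > Qp // 2 else v) % q for v in c_mod]

def nwc_ntt_multiply(a, b, q, bound_a, bound_b):
    """Whole pipeline: modulus choice, preprocessing + check, NTT, pointwise, INTT, post."""
    n = len(a)
    Qp = choose_ntt_modulus(n, bound_a, bound_b)
    psi = primitive_2n_root(n, Qp)
    a1, ok_a = preprocess(a, q, Qp)
    b1, ok_b = preprocess(b, q, Qp)
    if not (ok_a and ok_b):
        raise ValueError("coefficient outside the modulus field")
    prod = [x * y % Qp for x, y in zip(ntt(a1, psi, Qp), ntt(b1, psi, Qp))]
    return postprocess_nwc(intt(prod, psi, Qp), Qp, q)

def negacyclic_schoolbook(a, b, q):
    """Reference: signed schoolbook product modulo x^n + 1, then modulo q."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(to_signed(a, q)):
        for j, bj in enumerate(to_signed(b, q)):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj        # x^n = -1
    return [v % q for v in c]

# Constructed inputs: q = 251 (so 250 = -1, as in the page's LAC example), n = 8.
Q = 251
A = [17, 250, 3, 130, 99, 0, 245, 64]          # arbitrary prime-field coefficients
B = [1, 0, 250, 1, 0, 0, 250, 1]               # only the values 0, 1, 250 (= -1)

if __name__ == "__main__":
    relaxed = choose_ntt_modulus(8, (Q - 1) // 2, 1)            # second bound = 1
    generic = choose_ntt_modulus(8, (Q - 1) // 2, (Q - 1) // 2)  # both bounds q/2
    print("relaxed Q' =", relaxed, "bits:", relaxed.bit_length())
    print("generic Q' =", generic, "bits:", generic.bit_length())
    print(nwc_ntt_multiply(A, B, Q, (Q - 1) // 2, 1))
```

Running the block shows the relaxed bound giving an 11-bit Q' (2017) against an 18-bit Q' when both coefficient ranges are taken as q/2, the same kind of saving the 20-versus-26-bit and 19-versus-25-bit comparisons above report for n = 1024; the schoolbook reference confirms the corrected output coefficient by coefficient, including the negative products that the offset correction handles.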
[0030] Figure 5 is a schematic diagram of the structure of a polynomial multiplier in an embodiment of the present invention. In one embodiment, the polynomial multiplier further includes an optimization module 501, used for: selecting multiple sub-primes such that the product of all sub-primes is greater than the modulus of the modulus field; performing polynomial multiplication in the modulus field corresponding to each sub-prime to obtain the sub-polynomial multiplication results; and combining the results of all sub-polynomial multiplications to obtain the polynomial multiplication result.
[0031] In this embodiment of the invention, the modulus selection scheme can be combined with other optimization methods. Taking the CRT method as an example, a series of sub-primes ... is set such that ..., with all sub-primes distinct. Polynomial multiplication is then performed modulo each sub-prime, as shown in the following expression:
[0032] Let the prime field of the algorithm itself be... .
[0033] In one embodiment, the following formula is used to combine all the results of sub-polynomial multiplication to obtain the polynomial multiplication result:
[0034] where ... is the result of polynomial multiplication, ... is the result of the i-th sub-polynomial multiplication, ... is the modulus of the prime field, and ... is a prime number.
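The CRT combination of the optimization module, as an added Python example that is not the patent's code: the product is computed independently modulo several distinct sub-primes and the coefficients are recovered with the Chinese Remainder Theorem before the final reduction modulo q. The sub-primes 257, 263 and 269, the inputs, and the requirement that the sub-prime product exceed the largest possible integer product coefficient (the role the modulus of the modulus field plays in the text) are assumptions chosen for illustration.

```python
# Added example (not the patent's code): CRT-style optimisation module.
# Multiply modulo each sub-prime, recombine coefficient-wise with the Chinese
# Remainder Theorem, then reduce to the prime field modulus q.
# Sub-primes and inputs are constructed for illustration.

def poly_mul(a, b, p):
    """Linear polynomial product with coefficients reduced modulo p; stands in
    for one sub-prime multiplier instance (with p = q it is also the reference)."""
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % p
    return c

def crt_combine(residues, primes):
    """Recover x in [0, M) from x = residues[i] (mod primes[i]), M = prod(primes):
    x = sum_i r_i * M_i * (M_i^-1 mod p_i) mod M, with M_i = M / p_i."""
    M = 1
    for p in primes:
        M *= p
    x = 0
    for r, p in zip(residues, primes):
        Mi = M // p
        x += r * Mi * pow(Mi, -1, p)
    return x % M

def crt_poly_multiply(a, b, q, primes):
    """Optimisation module: per-sub-prime products, CRT recombination, mod q.
    The sub-primes must be distinct and their product must exceed every integer
    product coefficient, otherwise the recombined value wraps and is wrong."""
    if len(set(primes)) != len(primes):
        raise ValueError("sub-primes must be distinct")
    bound = min(len(a), len(b)) * (q - 1) ** 2    # max integer coefficient (assumed inputs in [0, q))
    M = 1
    for p in primes:
        M *= p
    if M <= bound:
        raise ValueError("product of sub-primes too small to recover the result")
    partials = [poly_mul(a, b, p) for p in primes]
    n_out = len(a) + len(b) - 1
    return [crt_combine([part[k] for part in partials], primes) % q for k in range(n_out)]

Q = 251
A = [250, 17, 200, 3]          # constructed coefficients in [0, q)
B = [249, 0, 1, 250]
PRIMES = [257, 263, 269]       # distinct; 257*263*269 = 18181979 > 4*250^2

if __name__ == "__main__":
    print(crt_poly_multiply(A, B, Q, PRIMES))
    print(poly_mul(A, B, Q))   # direct reduction mod q gives the same polynomial
```

Reducing each partial product modulo its own sub-prime keeps every multiplier instance small; the recombined integer coefficient is exact only while the product of the sub-primes exceeds it, which is the constraint the text states on the sub-prime product.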
[0035] In this embodiment of the invention, the polynomial multiplier is applied to the hardware implementation of post-quantum cryptography schemes, the hardware design of RSA large number multiplication, or the hardware design of elliptic curve cryptography (ECC) polynomial multiplication. The post-quantum cryptography schemes include the LAC scheme and the SABER scheme.
[0036] In summary, by leveraging NTT operations, the complexity of polynomial multiplication is reduced from O(n²) to O(n log n), significantly reducing computational load. Combined with a parallel multiplication design involving term-by-term product, processing speed is significantly improved, making it suitable for large-scale polynomial operations. Preprocessing is optimized for the coefficients of the second polynomial, relaxing the NTT modulus constraint, reducing the number of bits used in the modulus, and lowering hardware resource consumption such as registers and multipliers, making it suitable for resource-constrained devices such as embedded systems. The preprocessing module verifies the compatibility of the second polynomial, and the postprocessing module performs prime field conversion specifically for this purpose. In the NWC-NTT scenario, offset correction is also performed to avoid intermediate process errors and ensure reliable results. The modular hardware design supports switching between NTT and NWC-NTT scenarios, adapting to different polynomial operation requirements and being compatible with hardware implementations of various algorithms such as post-quantum cryptography and RSA, resulting in a wide range of applications. The modules collaborate in a streamlined manner, and the operations are based on deterministic number theory transformation logic, requiring no additional computational assumptions, reducing the impact of interference factors, and ensuring stable output results even in large-scale, high-concurrency operations.
[0037] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above descriptions are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A polynomial multiplier, characterized in that it is implemented in hardware and comprises: The preprocessing module is used to obtain the input first polynomial randomized over the prime field and the second polynomial whose coefficients in the prime field satisfy a preset condition. The coefficients of the second polynomial are converted from the prime field to the modulus field corresponding to the NTT operation to obtain the converted second polynomial. The first polynomial is adapted to the modulus field to obtain the first processed polynomial. The converted second polynomial is verified to adapt to the NTT operation to obtain the second processed polynomial. The NTT operation module is used to perform NTT operations on the first processed polynomial and the second processed polynomial respectively to obtain the corresponding first transformation vector and second transformation vector. The term-by-term product calculation module is used to perform term-by-term multiplication on the first transformation vector and the second transformation vector to obtain the product vector. The INTT operation module is used to perform the inverse number theoretic transform on the product vector to obtain the INTT output vector. The post-processing module is used to convert the INTT output vector into the prime field to obtain the polynomial multiplication result.
2. The polynomial multiplier as described in claim 1, characterized in that, The preset condition is that the absolute value of the coefficient is only a preset number of discrete values.
3. The polynomial multiplier as described in claim 1, characterized in that, The first polynomial has a coefficient range of 1 / 2 in the prime field , where , q is the modulus of the prime field; the second polynomial has a coefficient range of 1 / 2 in the prime field , where .
4. The polynomial multiplier as described in claim 1, characterized in that, The preprocessing module is used for: Determine whether the coefficients of the transformed second polynomial belong to the modulus field. If yes, the verification is successful. If not, re-transform the coefficients of the second polynomial from the prime field to the modulus field corresponding to the NTT operation.
5. The polynomial multiplier as described in claim 1, characterized in that, In the NTT scenario, the modulus of the modulus field is the minimum value that satisfies the following condition: where Q' is the modulus of the modulus field, n is the order of the polynomial, and q is the modulus of the prime field.
6. The polynomial multiplier as described in claim 1, characterized in that, In the NTT-NWC scenario, the modulus of the modulus field is the minimum value that satisfies the following condition: where Q' is the modulus of the modulus field, n is the order of the polynomial, and q is the modulus of the prime field.
7. The polynomial multiplier as described in claim 1, characterized in that, The post-processing module includes a first post-processing module, used for: In the NTT scenario, modulo operations on the prime field are performed on each element of the INTT output vector to obtain the polynomial multiplication result.
8. The polynomial multiplier as described in claim 1, characterized in that, The post-processing module includes a second post-processing module, used for: In the NWC-NTT scenario, determine whether each element in the INTT output vector is greater than half the modulus of the modulus field. If so, calculate the result of taking the modulus of the modulus field modulo the modulus of the prime field, and subtract the result from the element. If not, keep the element unchanged to obtain the corrected INTT output vector. Perform prime field modulo operation on each element of the corrected INTT output vector to obtain the polynomial multiplication result.
9. The polynomial multiplier as described in claim 1, characterized in that, It also includes an optimization module for: Select multiple subprime numbers, such that the product of all subprime numbers is greater than the modulus of the modulus field; Perform polynomial multiplication on the modulus field corresponding to each subprime to obtain the subpolynomial multiplication result; Combine the results of all subpolynomial multiplications to obtain the polynomial multiplication result.
10. The polynomial multiplier as described in claim 9, characterized in that, The optimization module is used for: The following formula is used to combine all the results of the sub-polynomial multiplications to obtain the polynomial multiplication result: where ... is the result of polynomial multiplication, ... is the result of the i-th sub-polynomial multiplication, ... is the modulus of the prime field, and ... is a prime number.