Fast and Error-Free Negacyclic Integer Convolution Using Extended Fourier Transform

Abstract

With the rise of lattice cryptography, (negacyclic) convolution has received increased attention. E.g., the NTRU scheme internally employs cyclic polynomial multiplication, which is equivalent to the standard convolution, on the other hand, many Ring-LWE-based cryptosystems perform negacyclic polynomial multiplication. A method by Crandall implements an efficient negacyclic convolution over a finite field of prime order using an extended Discrete Galois Transform (DGT) – a finite field analogy to Discrete Fourier Transform (DFT). Compared to DGT, the classical DFT runs faster by an order of magnitude, however, it suffers from inevitable rounding errors due to finite floating-point number representation. In a recent Fully Homomorphic Encryption (FHE) scheme by Chillotti et al. named TFHE, small errors are acceptable (although not welcome), therefore we decided to investigate the application of DFT for negacyclic convolution.

The primary goal of this paper is to suggest a method for fast negacyclic convolution over integer coefficients using an extended DFT. The key contribution is a thorough analysis of error propagation, as a result of which we derive parameter bounds that can guarantee even error-free results. We also suggest a setup that admits rare errors, which allows to increase the degree of the polynomials and/or their maximum norm at a fixed floating-point precision. Finally, we run benchmarks with parameters derived from a practical \(\mathsf {TFHE}\) setup. We achieve around \(24{\times }\) better times than the generic NTL library (comparable to Crandall’s method) and around \(4{\times }\) better times than a naïve approach with DFT, with no errors.

This work was supported by the Grant Agency of CTU in Prague, grant No. SGS21/160/OHK3/3T/13.

Appendices

Appendix

A Proof of Proposition 1

Proof

Let us begin with the cyclic convolution. By (30) and Lemma 1 and 2, we have

(42)

(43)

which we apply as the initial error and variance bound to (22) and (23), respectively, together with multiplication by \(\nicefrac {1}{N} = 2^{-\nu }\), which poses the only difference between \(\mathsf {FFT}^{-1}\) and \(\mathsf {FFT}\) from the error point of view. We neglect other than leading terms and we get

(44)

(45)

and the cyclic results follow.

For the negacyclic convolution, we feed DFT with a folded and twisted input vector; cf. (31). It enters DFT with error bounded as

$$\begin{aligned} \Vert \mathsf {Err}(\mathbf{f}'')\Vert _\infty \lessapprox (1 \cdot 0 + 2^{\varphi _0 + \nicefrac {1}{2}} \cdot 2^{-\chi -1}) \cdot \sqrt{2} = 2^{\varphi _0-\chi }. \end{aligned}$$

(46)

Regarding variance, it shows that the term with \(\mathsf {Var}\bigl (\mathsf {Err}(\mathbf{f}'')\bigr )\) will be neglected. Next, we precompute

$$\begin{aligned} c_H^{(\mathbf{f}'')}&= 2 (\sqrt{2}-1) \cdot \Vert \mathsf {Err}(\mathbf{f}'')\Vert _\infty + (2 - \sqrt{2}) \cdot 2^{\varphi _0 + \nicefrac {1}{2} - \chi + 1} \nonumber \\&\lessapprox 6 (\sqrt{2}-1) \cdot 2^{\varphi _0 - \chi } , \quad \text {and} \end{aligned}$$

(47)

$$\begin{aligned} d_N^{(\mathbf{f}'')}&= \nicefrac {1}{6} \, 2^{2(\varphi _0+\nicefrac {1}{2})-2\chi } , \end{aligned}$$

(48)

and apply into

(49)

(50)

Next, we apply these estimates as the initial error and variance bound into (22) and (23), respectively, together with multiplication by \(\nicefrac {2}{N} = 2^{-\nu +1}\). We have

(51)

(52)

while in (52), it has shown that the term with \(V_{\bar{\mathbf{H}}}\) was not the leading term, hence it was neglected. By (31) it remains to untwist and unfold, we have

(53)

(54)

Since the unfolding operation does not change the error, the negacyclic results follow.    \(\square \)