Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography

Conference paper

DOI: 10.1007/978-3-319-48965-0_8

Volume 10052 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Longa P., Naehrig M. (2016) Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography. In: Foresti S., Persiano G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham


The Number Theoretic Transform (NTT) provides efficient algorithms for cyclic and nega-cyclic convolutions, which have many applications in computer arithmetic, e.g., for multiplying large integers and large degree polynomials. It is commonly used in cryptographic schemes that are based on the hardness of the Ring Learning With Errors (R-LWE) problem to efficiently implement modular polynomial multiplication.

We present a new modular reduction technique that is tailored for the special moduli required by the NTT. Based on this reduction, we speed up the NTT and propose faster, multi-purpose algorithms. We present two implementations of these algorithms: a portable C implementation and a high-speed implementation using assembly with AVX2 instructions. To demonstrate the improved efficiency in an application example, we benchmarked the algorithms in the context of the R-LWE key exchange protocol that has recently been proposed by Alkim, Ducas, Pöppelmann and Schwabe. In this case, our C and assembly implementations compute the full key exchange 1.44 and 1.21 times faster, respectively. These results are achieved with full protection against timing attacks.


Post-quantum cryptography Number Theoretic Transform (NTT) Ring Learning With Errors (R-LWE) Fast modular reduction Efficient implementation 

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. 1.Microsoft ResearchRedmondUSA