Towards Efficient Arithmetic for Lattice-Based Cryptography on Reconfigurable Hardware

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7533)


In recent years lattice-based cryptography has emerged as a quantum-secure and theoretically elegant alternative to classical cryptographic schemes such as ECC or RSA. Lattices are also a versatile tool and play an important role in the development of efficient somewhat and fully homomorphic encryption (SHE/FHE) schemes. In practice, ideal lattices defined over the polynomial ring \(\mathbb{Z}_p[x]/\langle x^n + 1\rangle\) allow the generally very large key sizes of lattice constructions to be reduced. A further advantage of ideal lattices is that their basic operation, polynomial multiplication in \(\mathbb{Z}_p[x]/\langle x^n + 1\rangle\), has in theory only quasi-linear time complexity \({\mathcal O}(n \log n)\) when it is computed with the FFT (over a finite field, the number theoretic transform, NTT). However, little is known about the practical performance of the FFT in this specific application domain and whether it is really a viable alternative. In this work we make a first step towards efficient FFT-based arithmetic for lattice-based cryptography and show that the FFT can be implemented efficiently on reconfigurable hardware. We give instantiations for recently proposed parameter sets for homomorphic and public-key encryption. In a generic setting we are able to multiply polynomials with up to 4096 coefficients and a 17-bit prime modulus in less than 0.5 milliseconds. For a parameter set of a SHE scheme (n = 1024, p = 1061093377) our implementation performs 9063 polynomial multiplications per second on a mid-range Spartan-6 FPGA.
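As an added worked example (not code from the paper, whose implementation targets a Spartan-6 FPGA), the following Python sketch shows the arithmetic the abstract describes: a multiplication in \(\mathbb{Z}_p[x]/\langle x^n + 1\rangle\) computed with an \({\mathcal O}(n \log n)\) number theoretic transform and checked against schoolbook multiplication. It uses the SHE parameter set quoted above (n = 1024, p = 1061093377). The prime 65537 for the n = 4096 setting is an assumption, since the abstract does not name its 17-bit prime; it was chosen because it is a 17-bit prime with 2n = 8192 dividing p - 1. The twisting by powers of psi, the root-finding routine and all function names are the example's own.

```python
"""Negacyclic NTT multiplication in Z_p[x]/<x^n + 1> (added example, not the paper's code).

The number theoretic transform (NTT) is the FFT over Z_p. It needs a primitive
2n-th root of unity psi, which exists iff p is prime and 2n | p - 1. Scaling
coefficient i by psi^i turns the cyclic convolution of a length-n NTT into the
negacyclic convolution that reduction modulo x^n + 1 requires.
"""
import random

P_SHE, N_SHE = 1061093377, 1024  # SHE parameter set quoted in the abstract
# Assumption: the abstract does not name its 17-bit prime; 65537 = 2^16 + 1 is a
# 17-bit prime with 2 * 4096 | p - 1, so it fits the "4096 coefficients" setting.
P_GENERIC, N_GENERIC = 65537, 4096


def is_probable_prime(p: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for p < 3.4e14."""
    bases = (2, 3, 5, 7, 11, 13, 17)
    if p < 2:
        return False
    for q in bases:
        if p % q == 0:
            return p == q
    d, s = p - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, p)
        if x in (1, p - 1):
            continue
        for _ in range(s - 1):
            x = x * x % p
            if x == p - 1:
                break
        else:
            return False
    return True


def is_ntt_friendly(p: int, n: int) -> bool:
    """Radix-2 NTT applies iff n is a power of two, p is prime and 2n | p - 1."""
    return n > 0 and n & (n - 1) == 0 and is_probable_prime(p) and (p - 1) % (2 * n) == 0


def find_psi(p: int, n: int) -> int:
    """Primitive 2n-th root of unity: g^((p-1)/2n) has order dividing 2n,
    and psi^n == -1 rules out every proper divisor of 2n."""
    if not is_ntt_friendly(p, n):
        raise ValueError("need n a power of two, p prime and 2n | p - 1")
    for g in range(2, p):
        psi = pow(g, (p - 1) // (2 * n), p)
        if pow(psi, n, p) == p - 1:
            return psi
    raise ValueError("no primitive 2n-th root of unity")  # unreachable for prime p


def ntt(a: list, omega: int, p: int) -> list:
    """Iterative radix-2 Cooley-Tukey NTT in Z_p; omega is a primitive n-th root."""
    n, a, j = len(a), list(a), 0
    for i in range(1, n):  # bit-reversal permutation
        bit = n >> 1
        while j & bit:
            j ^= bit
            bit >>= 1
        j |= bit
        if i < j:
            a[i], a[j] = a[j], a[i]
    length = 2
    while length <= n:  # log2(n) stages of n/2 butterflies each
        w_len, half = pow(omega, n // length, p), length // 2
        for start in range(0, n, length):
            w = 1
            for k in range(start, start + half):
                u, v = a[k], a[k + half] * w % p
                a[k], a[k + half] = (u + v) % p, (u - v) % p
                w = w * w_len % p
        length *= 2
    return a


def negacyclic_mul_ntt(a: list, b: list, p: int, psi: int) -> list:
    """a * b mod (x^n + 1, p): twist by psi^i, NTT, pointwise product, inverse."""
    n, omega = len(a), psi * psi % p  # omega = psi^2 is a primitive n-th root
    tw = [pow(psi, i, p) for i in range(n)]
    fa = ntt([x * t % p for x, t in zip(a, tw)], omega, p)
    fb = ntt([x * t % p for x, t in zip(b, tw)], omega, p)
    c = ntt([x * y % p for x, y in zip(fa, fb)], pow(omega, p - 2, p), p)
    n_inv, psi_inv = pow(n, p - 2, p), pow(psi, p - 2, p)
    return [c[i] * n_inv % p * pow(psi_inv, i, p) % p for i in range(n)]


def negacyclic_mul_schoolbook(a: list, b: list, p: int) -> list:
    """O(n^2) reference implementation; x^n wraps around as -1."""
    n, c = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] = (c[i + j] + ai * bj) % p
            else:
                c[i + j - n] = (c[i + j - n] - ai * bj) % p
    return c


def random_product_matches(p: int, n: int, seed: int = 1) -> bool:
    """Multiply two random polynomials both ways and compare the results."""
    rng = random.Random(seed)
    a = [rng.randrange(p) for _ in range(n)]
    b = [rng.randrange(p) for _ in range(n)]
    return negacyclic_mul_ntt(a, b, p, find_psi(p, n)) == negacyclic_mul_schoolbook(a, b, p)


if __name__ == "__main__":
    print("SHE set NTT-friendly:", is_ntt_friendly(P_SHE, N_SHE),
          "NTT == schoolbook:", random_product_matches(P_SHE, N_SHE))
    print("generic set psi =", find_psi(P_GENERIC, N_GENERIC))
```

The `is_ntt_friendly` check captures the constraint a hardware designer has to respect when picking the modulus: the radix-2 transform over \(\mathbb{Z}_p\) needs n a power of two and a prime p with p ≡ 1 (mod 2n), otherwise no primitive 2n-th root of unity exists and the multiplication has to fall back to quadratic or Karatsuba-style algorithms. For the SHE parameters the root search succeeds and the transform-based product agrees with the schoolbook product coefficient by coefficient.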


Keywords: Lattice-Based Cryptography, Ideal Lattices, FFT, NTT, FPGA Implementation





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
