Fast polynomial arithmetic for Somewhat Homomorphic Encryption operations in hardware with Karatsuba algorithm

International audienceMost practical Somewhat Homomorphic Encryption (SHE) schemes require the implementation of fast polynomial arithmetic in the ring Zq[X]/f (X), for a given modulus q and an irreducible polynomial f (X). That is why hardware accelerators usually target the FFT/NTT algorithm, which has the smallest complexity asymptotically. Unlike standard approaches, this paper proposes a Karatsuba-based accelerator. Karatsuba implementation requires 3 steps: Pre-recursions producing several subpolynomials, a term by term multiplication of sub-polynomials, and post-computations to reconstruct the output polynomial. Compared to FFT/NTT, Karatsuba can address various size of polynomials, and is sufficiently flexible to be adapted to specific operations required by SHE schemes. In this paper, we propose a hardware/software co-design where several Karatsuba recursions are made in software, and the remaining ones plus the subpolynomial multiplication are made in hardware. We provide 3 different hardware approaches: An area efficient approach with 3 Karatsuba recursions in hardware, an intermediate design with 4 recursions, and a performance-oriented one with 5 recursions. The study evaluates proposed hardware accelerators for 3 FPGA platforms, the SoCkit and the DE5-net platforms from Terasic, and the Catapult platform from Microsoft. The area efficient approach can evaluate a degree-2559 polynomial multiplication in 2.44 ms and a relinearization/key switching evaluation in 2.29 ms, with an important save of hardware resources compared to FFT/NTT implementations. Compared to [1], our lightweight approach saves 57% of ALM resources, 46% of registers, 99.95% of embedded memory and 30% of DSPs. For the performanceoriented design, the accelerator can evaluate a degree-2559 polynomial multiplication in 1.24 ms and a relinearization/key switching evaluation in 1.1 ms

On Large Polynomial Multiplication in Certain Rings

Multiplication of polynomials with large integer coefficients and very high degree is used in cryptography. Residue number system (RNS) helps distribute a very large integer over a set of smaller integers, which makes the computations faster. In this thesis, multiplication of polynomials in ring Z_p/(x^n + 1) where n is a power of two is analyzed using the Schoolbook method, Karatsuba algorithm, Toeplitz matrix vector product (TMVP) method and Number Theoretic Transform (NTT) method. All coefficients are residues of p which is a 30-bit integer that has been selected from the set of 30-bit moduli for RNS in NFLlib. NTT has a computational complexity of O(n log n) and hence, it has the best performance among all these methods for the multiplication of large polynomials. NTT method limits applications in ring Z_p/(x^n + 1). This restricts size of the polynomials to only powers of two. We consider multiplication in other cyclotomic rings using TMVP method which has a subquadratic complexity of O(n log_2 3). An attempt is made to improve the performance of TMVP method by designing a hybrid method that switches to schoolbook method when n reaches a certain low value. It is first implemented in Zp/(x^n + 1) to improve the performance of TMVP for large polynomials. This method performs almost as good as NTT for polynomials of size 2^(10). TMVP method is then exploited to design multipliers in other rings Z_p/Φ_k where Φ_k is a cyclotomic trinomial. Similar hybrid designs are analyzed to improve performance in the trinomial rings. This allows a wider range of polynomials in terms of size to work with and helps avoid unnecessary use of larger key size that might slow down computations