Public Key Compression and Fast Polynomial Multiplication for NTRU
using the Corrected Hybridized NTT-Karatsuba Method
Rohon Kundu (1, a), Alessandro de Piccoli (2, b) and Andrea Visconti (2, c)
(1) Department of Electrical and Information Technology, Lund University, Box 118, 221 00 Lund, Sweden
(2) Department of Computer Science “Giovanni Degli Antoni”, Università degli Studi di Milano, via Celoria 18, 20133 Milano MI, Italy
Keywords: Post-Quantum Cryptography, Lattice-based Cryptography, Ring-learning with Errors Problem, NTRU Algorithm, Number Theoretic Transformation, Hybridized NTT-Karatsuba Algorithm, Key Size.
Abstract: NTRU is a lattice-based public-key cryptosystem that has been selected as one of the Round III finalists at the NIST Post-Quantum Cryptography Standardization. Compressing the key sizes to increase efficiency has been a long-standing open question for lattice-based cryptosystems. In this paper we provide a solution to three seemingly opposite demands for the NTRU cryptosystem: compress the key size, increase the security level, and optimize performance by implementing fast polynomial multiplications. We consider a specific variant of NTRU known as NTRU-NTT. To perform polynomial optimization, we make use of the Number-Theoretic Transformation (NTT) and hybridize it with the Karatsuba Algorithm. Previous work providing the 2-part Hybridized NTT-Karatsuba Algorithm contained some operational errors in the product expression, which have been detected in this paper. Further, we conjectured the corrected expression and gave a detailed mathematical proof of correctness. In this paper, for the first time, we optimize NTRU-NTT using the corrected Hybridized NTT-Karatsuba Algorithm. The significance of compressing the value of the prime modulus $q$ lies in decreasing the key sizes. We achieve a 128-bit post-quantum security level for a modulus value of 83,969, which is smaller than the previously known modulus value of 1,061,093,377, while keeping $n$ constant at 2048.
1 INTRODUCTION
The abstract algebraic structure of a lattice plays a vital role in developing post-quantum cryptographic schemes. Lattice-based protocols are considered to be one of the most suitable candidates against quantum threats. In December 2016, the US National Institute of Standards and Technology (NIST) initiated the PQC project intending to develop, evaluate and standardize public-key encryption schemes for the quantum age. Among the NIST Round II candidates (Alagic et al., 2019), five submissions are based on lattice-based cryptography. Among the Round III finalists announced on July 22, 2020, are NTRU (Chen et al., 2019), CRYSTALS-KYBER (Avanzi et al., 2017) and SABER (Karmakar et al., 2018), all of which are lattice-based public-key encryption schemes.
(a) https://orcid.org/0000-0002-4306-2637
(b) https://orcid.org/0000-0002-6399-3164
(c) https://orcid.org/0000-0001-5689-8575
In this paper, we focus on NTRU, one of the well-known public-key cryptosystems. It was first introduced by Hoffstein, Pipher, and Silverman (Hoffstein et al., 1998). The time complexity of the NTRU algorithm depends on how fast we can multiply two input polynomials. Both the encryption and the decryption process rely on polynomial multiplications. In reality, we deal with polynomials of substantially large degree, like 1024, 2048, and 4096. To ensure a higher security level the input polynomial has to be of a higher degree, which in turn increases the computational complexity, eventually decreasing the efficiency of the algorithm.
Various optimization techniques like Karatsuba Algorithm and Fast Fourier Transform (FFT) have been proposed to improve the polynomial multiplication. In the case of FFT, the roots of unity belong to the field of complex numbers $\mathbb{C}^n$. The R-LWE ring structure is denoted by the finite ring quotient $R_q = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$, where $n$ is a power of 2 and $q$ is the prime modulus. In this case, the $n$-th root of unity $\omega$ belongs to the finite Galois Field $GF(2^m)$, also denoted by $\mathbb{F}_{2^m}$, $m \in \mathbb{N}$. As a result, the analogous concept of Number Theoretic Transformation (NTT) is used to perform polynomial optimization over the R-LWE ring. In the papers (Zhu et al., 2019; Zhou et al., 2018) the concept of Hybridizing NTT with Karatsuba has been proposed to optimize polynomial multiplication over R-LWE ring. The generalized ring structure of $R_q$ is given by $\mathbb{Z}_q[x]/\langle \Phi_m(x)\rangle$, where $\Phi_m(x)$ is a cyclotomic polynomial of degree $n$ having exactly $m$-th root of unity in $\mathbb{Z}_q$.

Kundu, R., de Piccoli, A. and Visconti, A.
Public Key Compression and Fast Polynomial Multiplication for NTRU using the Corrected Hybridized NTT-Karatsuba Method.
DOI: 10.5220/0010881300003120
In Proceedings of the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022), pages 145-153
ISBN: 978-989-758-553-1; ISSN: 2184-4356
Copyright © 2022 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
Depending on the adjoint cyclotomic polynomial NTRU can be categorized into three main types (Bernstein and Lange, 2017): a) NTRU-Classic, b) NTRU-NTT and c) NTRU-Prime. The ring structure of NTRU considered in the NIST Round III finalist is that of NTRU-Classic, i.e., where $\Phi_m(x) = x^n - 1$ and $n$ is prime. In this paper we only focus on NTRU-NTT, i.e., where $\Phi_m(x) = x^n + 1$ and $n$ is a power of 2. There has been much work on optimizing NTRU-Classic (Hülsing et al., 2017), but little attention has been given to NTRU-NTT. Still, all variants are assumed to be post-quantum secure. We propose for the first time how to optimize the polynomial multiplication for NTRU-NTT using the Hybridized NTT-Karatsuba technique (Zhu et al., 2019). We identify an error in the product expression mentioned in the paper (Zhu et al., 2019) for the 2-part Hybridized NTT-Karatsuba. Further, we discuss the consequences of the error and provide a new correctness expression. A detailed mathematical proof of the conjectured product formula is also provided. With the corrected expression, we can calculate the appropriate time complexity and also use it to decrease the value of the prime modulus $q$.
Next, we focus on the relevance of the parameter $q$ in the case of NTRU-NTT. The parameter $q$ defines the key size, but it also influences the efficiency of the algorithm. Thus, a shorter key size would result in a more efficient algorithm. However, the security parameter of NTRU-NTT is given by $n$, and an important goal is to reduce $q$ while keeping $n$ large, i.e., 2048 or 4096 bits.
Previous research shows that when we try to keep the value of the security parameter $n$ high (like 2048, 4096) the value of the prime modulus $q$ increases significantly (Chen et al., 2014), (Akleylek et al., 2015). As a result, practical implementations were not feasible. Our calculation shows a substantial decrease in the value of the prime modulus $q$ by using the $2^{\alpha}$-part separation method.
2 PRELIMINARIES
2.1 R-LWE Problem
The Ring LWE Problem is parameterized by
• $n$, a power of two, i.e. $n = 2^m$, $m \in \mathbb{Z}^+$;
• $q$, a prime modulus satisfying $q \equiv 1 \bmod 2n$;
• $R_q = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$ as the ring containing all polynomials over the field $\mathbb{Z}_q$ in which $x^n$ is identified with $-1$.
In Ring-LWE we are given samples of the form $(a, b = a \cdot s + \varepsilon) \in R_q \times R_q$, where $s \in R_q$ is a fixed secret, $a \in R_q$ is chosen uniformly, and $\varepsilon$ is an error term chosen independently from some error distribution over $R_q$.
The goal is to recover the secret key $s$ from these samples (for all $s$, with high probability). The above concept can be extended to a somewhat more general cyclotomic polynomial $\Phi_m(x)$ of degree $n$, but in our paper we consider $\Phi_m(x) = x^n + 1$.
2.2 Number Theoretic Transformation (NTT)
Number Theoretic Transform is a special case of Fast Fourier Transform over finite fields, as defined by Pollard (Pollard, 1971). In practice, constructing an algorithm based on FFT over a finite field has been a hard problem. For our case we consider the FFT over the finite Galois Field $GF(2^m)$, also denoted by $\mathbb{F}_{2^m}$, $m \in \mathbb{N}$ (Pollard, 1971; Fedorenko and Trifonov, 2002).
Before giving the definition of NTT of a vector, we set the notation for the vector operations.
Definition 1 (Notation). Let $a = (a_0, a_1, \ldots, a_{n-1})$ and $b = (b_0, b_1, \ldots, b_{n-1})$ be two elements of $\mathbb{Z}_q^n$, i.e. two $n$-dimensional vectors. We indicate with $+_q$ and $\odot_q$ the component-wise operations between vectors, namely:
$$a +_q b = (a_0 + b_0, a_1 + b_1, \ldots, a_{n-1} + b_{n-1}) \pmod{q};$$
$$a \odot_q b = (a_0 \cdot b_0, a_1 \cdot b_1, \ldots, a_{n-1} \cdot b_{n-1}) \pmod{q}.$$
Moreover, throughout the paper we will use the two dots notation for integer intervals. For instance, $[1..n]$ means $\{1, 2, 3, \ldots, n\}$.
Definition 2 (NTT). Let $R_q = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$ be the truncated polynomial ring and $x$ a root of $x^n + 1$. Here $n$ is a non trivial power of 2, i.e. $n = 2^m$, $m \geq 1$ and $q \equiv 1 \pmod{2n}$. Let $f \in R_q$, explicitly given as
$$f = a_0 + a_1 x + \ldots + a_{n-1} x^{n-1}$$
and define the $n$-dimensional vector $F = [a_0, a_1, \ldots, a_{n-1}]$. Define $\omega$ as the $n$-th primitive root of unity in $\mathbb{Z}_q$, such that $\omega^n \equiv 1 \pmod{q}$ and $\omega^k \not\equiv 1 \pmod{q}$, $k \in [1..n-1]$. Then, the NTT of $F$ is a vector whose components are
$$\mathrm{NTT}(F)_i = \hat{F}_i = \sum_{j=0}^{n-1} a_j \omega^{ij} \pmod{q}, \quad i \in [0..n-1].$$
Definition 3 ($\mathrm{NTT}^{-1}$). The $i$-th component of the inverse transformation $F = \mathrm{NTT}^{-1}(\hat{F})$ is given by
$$F_i = n^{-1} \sum_{j=0}^{n-1} \hat{F}_j \cdot \omega^{-ij} \pmod{q}$$
where $n^{-1}$ and $\omega^{-1}$ are the inverses in $\mathbb{Z}_q$.
In (Pollard, 1971), it has been shown that the product $h = f \cdot g$ is given by
$$h = f \cdot g = \mathrm{NTT}^{-1}(\hat{F} \odot_q \hat{G}) \pmod{x^n + 1}$$
where $\odot_q$ is the component-wise product (mod $q$). Again, it is easy to prove (see lemma 1) that
$$\mathrm{NTT}(F +_q G) = \mathrm{NTT}(F) +_q \mathrm{NTT}(G)$$
and show (see the next example 1) that
$$\mathrm{NTT}(F \odot_q G) \neq \mathrm{NTT}(F) \odot_q \mathrm{NTT}(G).$$
Example 1. Consider the polynomial ring $R_q = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$, where $n = 8$ and $q = 17$. We have
$$f = 1 + x + x^2 + x^3 \quad \text{and} \quad g = 1 + x^3$$
So
$$F = [1,1,1,1,0,0,0,0] \quad \text{and} \quad G = [1,0,0,1,0,0,0,0]$$
therefore
$$F +_q G = [2,1,1,2,0,0,0,0] \quad \text{and} \quad F \odot_q G = [1,0,0,1,0,0,0,0].$$
Also, we choose the value of $\omega = 2$ as the 8-th root of unity in $\mathbb{Z}_{17}$. Using the definition, we calculate the NTT of the above vectors as
$$\mathrm{NTT}(F) = [4,15,0,7,0,12,0,4] \quad \text{and} \quad \mathrm{NTT}(G) = [2,9,14,3,0,10,5,16]$$
so
$$\mathrm{NTT}(F) +_q \mathrm{NTT}(G) = [6,7,14,10,0,5,5,3]$$
$$\mathrm{NTT}(F) \odot_q \mathrm{NTT}(G) = [8,16,0,4,0,1,0,13]$$
but note that
$$\mathrm{NTT}(F +_q G) = [6,7,14,10,0,5,5,3]$$
$$\mathrm{NTT}(F \odot_q G) = [2,9,14,3,0,10,5,16].$$
Therefore $\mathrm{NTT}(F +_q G) = \mathrm{NTT}(F) +_q \mathrm{NTT}(G)$ is satisfied and it is clear that $\mathrm{NTT}(F \odot_q G) \neq \mathrm{NTT}(F) \odot_q \mathrm{NTT}(G)$.
2.3 Description of NTRU-NTT
As mentioned in the papers (Ducas et al., 2013; Bayer-Fluckiger and Suarez, 2006) the arithmetic of NTRU-NTT depends on two integer parameters $(n, q)$. Let $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$ denote the ring of integers modulo $q$. The operations of NTRU-NTT take place in the ring of truncated polynomials $R_q = \mathbb{Z}_q[x]/\langle x^n + 1\rangle$, where $n$ is a power of 2 and $q$ is a sufficiently large prime such that $q \in 1 + 2n\mathbb{Z}$.
2.4 Key Generation, Encryption and Decryption Process
1. Key Generation
   • Parameters: $n$ is a power of 2. $f(x) = x^n + 1$. We define the polynomial ring $R$ as $R = \mathbb{Z}[x]/\langle f(x)\rangle$ and for sufficiently large prime $q$ we have $R_q = R/qR$.
   • Private Key: $s, g \in R$ short polynomial (i.e. with small coefficients) such that $s$ is invertible (mod $q$) and (mod 2).
   • Public Key: $h = 2g \times s^{-1} \in R_q$ with $g \in R$ short polynomial.
2. Encryption
   • Choose a short vector $e \in R$ such that $e \pmod 2$ encodes the desired bit, choose $r \in R_q$ random and compute the ciphertext $c = h \times r + e \in R_q$.
3. Decryption
   • Multiply the ciphertext and the secret key to get $c \times s = (2g \times r) + (e \times s) \in R_q$, lift it in $R$ as $(2g \times r) + (e \times s) \in R_q$, possible if $g, r, e, s$ are short enough compared to $q$, and reduce it mod 2 obtaining $e \times s \pmod 2$ and therefore the initial bits.
2.5 Karatsuba Algorithm for $2^{\alpha}$-Part Separation
Let $f, g \in R_q$, we want to split the given large polynomial into $2^{\alpha}$ parts. Here we have to impose one more condition, i.e. $\frac{n}{2^{\alpha-1}} \mid q - 1$. We can write the $n$-bit polynomial in the following way:
$$f = \sum_{i=0}^{2^{\alpha}-1} x^{\frac{in}{2^{\alpha}}} \cdot f_i \quad \text{and} \quad g = \sum_{j=0}^{2^{\alpha}-1} x^{\frac{jn}{2^{\alpha}}} \cdot g_j$$
where $f_i$ and $g_j$, $i, j = 0, \ldots, 2^{\alpha}-1$, are the primary polynomials, same as that of $f_0, f_1, g_0, g_1$ for the case of $\alpha = 1$.
Then we have the polynomial multiplication as:
$$h = f \cdot g = \left(\sum_{i=0}^{2^{\alpha}-1} x^{\frac{in}{2^{\alpha}}} f_i\right) \cdot \left(\sum_{j=0}^{2^{\alpha}-1} x^{\frac{jn}{2^{\alpha}}} g_j\right) = \sum_{i=0}^{2^{\alpha}-1} \sum_{j=0}^{2^{\alpha}-1} x^{\frac{(i+j)n}{2^{\alpha}}} f_i \cdot g_j$$
When $\alpha = 1$, we have the Karatsuba algorithm for 2-part separation as follows:
$$f = f_0 + x^{\frac{n}{2}} f_1, \quad g = g_0 + x^{\frac{n}{2}} g_1$$
where $f_0, f_1, g_0, g_1$ are the polynomials of lower degree, called the primary polynomials. Then the product of the two polynomials is given by:
$$h = f_0 \cdot g_0 - f_1 \cdot g_1 + x^{\frac{n}{2}}\left((f_0 + f_1) \cdot (g_0 + g_1) - f_0 \cdot g_0 - f_1 \cdot g_1\right)$$
2.6 Limitation of Karatsuba Algorithm
When it comes to polynomial optimization in NTRU using Karatsuba, we face certain parametric limitations. The Karatsuba Algorithm that we have discussed so far can only be applied to the NTRU Cryptosystem for $n < 768$. For further details one can refer to (Dai et al., 2018, Section 4.2.5). This can be a major setback, as the security standard for lattice-based cryptosystems like NTRU depends on the higher values of $n$, i.e. the higher dimension lattices. In order to overcome the parametric limitations we propose to use the Hybridized NTT-Karatsuba Algorithm, to be discussed in the next section.
3 HYBRIDIZED NTT-KARATSUBA MULTIPLICATION
The idea of combining both Number Theoretic Transformation and Karatsuba Algorithm has been mentioned in the paper by (Zhu et al., 2019). So far, no application of this approach is available. Here we propose to apply the Hybridized NTT-Karatsuba Algorithm for optimizing the NTRU-NTT Cryptosystem. We will also provide various technical improvements and a practical example in order to implement the Hybridized Algorithm in practice.
3.1 Why Hybridization Is Necessary?
• When it comes to optimizing NTRU polynomial multiplication using Karatsuba there are some limitations based on parameters. This algorithm handles polynomial multiplications of degree less than 768, as mentioned in the work (Dai et al., 2018, Section 4.2.5). This limitation on the parameter $n$ can be overcome by using the hybridized technique.
• While multiplying two polynomials using NTT we know that the multiplication is given by $h = f \cdot g = \mathrm{NTT}^{-1}(\mathrm{NTT}(F) \odot_q \mathrm{NTT}(G))$. By hybridizing with Karatsuba we only need to find the $\mathrm{NTT}^{-1}$ of NTT for the multiplication of primary polynomials $f_0, f_1, g_0, g_1$. This could reduce the time complexity of the algorithm. As we have seen, the Karatsuba algorithm breaks large degree polynomials into a combination of smaller degree polynomials; this contributes to accelerating the component-wise multiplication of the NTT once the Hybridized technique is applied.
3.2 Hybridized NTT-Karatsuba Algorithm for 2-Part Separation Corresponding to $\alpha = 1$
Let $f, g \in R_q$ be any two polynomials of degree $n$, where $n$ is a power of 2 and $n \mid q - 1$. We can split the higher degree polynomials into primary polynomials as follows:
$$f = f_0 + x^{\frac{n}{2}} f_1, \quad g = g_0 + x^{\frac{n}{2}} g_1$$
and we get the product as
$$h = f_0 \cdot g_0 - f_1 \cdot g_1 + x^{\frac{n}{2}}\left((f_0 + f_1) \cdot (g_0 + g_1) - f_0 \cdot g_0 - f_1 \cdot g_1\right)$$
By the definition of NTT in subsection we know that $h$ is given by
$$h = \mathrm{NTT}^{-1}(\hat{F} \odot_q \hat{G}) \bmod (x^n + 1)$$
where $\odot_q$ is the component-wise product and $\hat{F}, \hat{G}$ are the NTT of the $n$-dimensional vectors $F, G \in \mathbb{Z}_q^n$. Here also we apply the same concept, but over each component. Hence we have
$$
\begin{aligned}
h &= f \cdot g \\
&= \left(f_0 + x^{\frac{n}{2}} f_1\right) \cdot \left(g_0 + x^{\frac{n}{2}} g_1\right) \\
&= f_0 \cdot g_0 - f_1 \cdot g_1 + x^{\frac{n}{2}}\left((f_0 + f_1) \cdot (g_0 + g_1) - f_0 \cdot g_0 - f_1 \cdot g_1\right) \\
&= \mathrm{NTT}^{-1}\left(\mathrm{NTT}\left(f_0 \cdot g_0 - f_1 \cdot g_1 + x^{\frac{n}{2}}\left((f_0 + f_1) \cdot (g_0 + g_1) - f_0 \cdot g_0 - f_1 \cdot g_1\right)\right)\right) \\
&= \mathrm{NTT}^{-1}\left(\mathrm{NTT}(f_0 \cdot g_0) - \mathrm{NTT}(f_1 \cdot g_1) + \mathrm{NTT}(x^{\frac{n}{2}})\,\mathrm{NTT}\left((f_0 + f_1) \cdot (g_0 + g_1) - (f_0 \cdot g_0) - (f_1 \cdot g_1)\right)\right) \\
&= \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1 + \widehat{x^{\frac{n}{2}}} \odot \left((\hat{F}_0 + \hat{F}_1) \odot (\hat{G}_0 + \hat{G}_1) - \hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right)\right)
\end{aligned}
$$
But the above reasoning claimed in (Zhu et al., 2019, Section 3.1) is wrong and the counter example in section 4.3 shows us that the expression
$$h = \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1 + \widehat{x^{\frac{n}{2}}} \odot \left((\hat{F}_0 + \hat{F}_1) \odot (\hat{G}_0 + \hat{G}_1) - \hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right)\right) \quad (1)$$
is not the correct formula as mentioned in (Zhu et al., 2019) of section 3.1. We claim that the correct formula is:
$$h = \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right) + x^{\frac{n}{2}} \cdot \mathrm{NTT}^{-1}\left((\hat{F}_0 + \hat{F}_1) \odot (\hat{G}_0 + \hat{G}_1) - \hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right) \quad (2)$$
As will be shown in Section 4.1, this correct expression will allow us to reduce the value of the parameter $q$, which in turn gives us much more efficient encryption and decryption for NTRU-NTT.
3.3 Proof of Correctness
We first need a preliminary result.
Lemma 1. NTT is a $(\mathbb{Z}_q^n; +_q)$ group automorphism.
Proof. It is a simple check using definition 2.
• $\mathrm{NTT}([0, 0, \ldots, 0]) = [0, 0, \ldots, 0]$
• Let $a = (a_0, a_1, \ldots, a_{n-1}) \in \mathbb{Z}_q^n$. Its inverse is $-a = (-a_0, -a_1, \ldots, -a_{n-1})$. For $i = 0, \ldots, n-1$, it follows that
$$\mathrm{NTT}(-a)_i = \sum_{j=0}^{n-1} -a_j \omega^{ij} \pmod{q} = -\sum_{j=0}^{n-1} a_j \omega^{ij} \pmod{q} = -\mathrm{NTT}(a)_i$$
therefore $\mathrm{NTT}(-a) = -\mathrm{NTT}(a)$.
• Let $a = (a_0, a_1, \ldots, a_{n-1})$ and $b = (b_0, b_1, \ldots, b_{n-1}) \in \mathbb{Z}_q^n$. For $i = 0, \ldots, n-1$, it follows that
$$\mathrm{NTT}(a + b)_i = \sum_{j=0}^{n-1} (a_j + b_j)\omega^{ij} \pmod{q} = \sum_{j=0}^{n-1} a_j \omega^{ij} \pmod{q} + \sum_{j=0}^{n-1} b_j \omega^{ij} \pmod{q} = \mathrm{NTT}(a)_i + \mathrm{NTT}(b)_i$$
therefore $\mathrm{NTT}(a + b) = \mathrm{NTT}(a) + \mathrm{NTT}(b)$.
This completes the proof for Lemma 1.
Lemma 2. $\mathrm{NTT}^{-1}$ is a $(\mathbb{Z}_q^n; +_q)$ group automorphism.
Proof. The proof follows from Lemma 1 and definition 3.
• $\mathrm{NTT}^{-1}([0, 0, \ldots, 0]) = [0, 0, \ldots, 0]$
• Let $a = (a_0, a_1, \ldots, a_{n-1}) \in \mathbb{Z}_q^n$. Its inverse is $-a = (-a_0, -a_1, \ldots, -a_{n-1})$. For $i = 0, \ldots, n-1$, it follows that
$$\mathrm{NTT}^{-1}(-a)_i = n^{-1}\sum_{j=0}^{n-1} -a_j \omega^{-ij} \pmod{q} = -n^{-1}\sum_{j=0}^{n-1} a_j \omega^{-ij} \pmod{q} = -\mathrm{NTT}^{-1}(a)_i$$
therefore $\mathrm{NTT}^{-1}(-a) = -\mathrm{NTT}^{-1}(a)$.
• Let $a = (a_0, a_1, \ldots, a_{n-1})$ and $b = (b_0, b_1, \ldots, b_{n-1}) \in \mathbb{Z}_q^n$. For $i = 0, \ldots, n-1$, it follows that
$$\mathrm{NTT}^{-1}(a + b)_i = n^{-1}\sum_{j=0}^{n-1} (a_j + b_j)\omega^{-ij} \pmod{q} = n^{-1}\sum_{j=0}^{n-1} a_j \omega^{-ij} \pmod{q} + n^{-1}\sum_{j=0}^{n-1} b_j \omega^{-ij} \pmod{q} = \mathrm{NTT}^{-1}(a)_i + \mathrm{NTT}^{-1}(b)_i$$
therefore $\mathrm{NTT}^{-1}(a + b) = \mathrm{NTT}^{-1}(a) + \mathrm{NTT}^{-1}(b)$.
This completes the proof for Lemma 2.
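Proposition 1. Formula (2) correctly recovers the product between two polynomials $f, g \in R_q$.
Proof. We simply need to prove that
$$\mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right) = f_0 g_0 - f_1 g_1 \quad (3)$$
and
$$\mathrm{NTT}^{-1}\left((\hat{F}_0 + \hat{F}_1) \odot (\hat{G}_0 + \hat{G}_1) - \hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right) = (f_0 + f_1) \cdot (g_0 + g_1) - f_0 \cdot g_0 - f_1 \cdot g_1 \quad (4)$$
We start by proving (3). Let
$$H_0 = \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right)$$
we have
$$H_0 = \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0\right) - \mathrm{NTT}^{-1}\left(\hat{F}_1 \odot \hat{G}_1\right) = f_0 g_0 - f_1 g_1,$$
where the first equality follows from Lemma 2 and the second equality follows from (Pollard, 1971). Next we need to show (4). Let
$$H_1 = \mathrm{NTT}^{-1}\left((\hat{F}_0 + \hat{F}_1) \odot (\hat{G}_0 + \hat{G}_1) - \hat{F}_0 \odot \hat{G}_0 - \hat{F}_1 \odot \hat{G}_1\right)$$
we have
$$
\begin{aligned}
H_1 &= \mathrm{NTT}^{-1}\left((\hat{F}_0 + \hat{F}_1) \odot (\hat{G}_0 + \hat{G}_1)\right) - \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0\right) - \mathrm{NTT}^{-1}\left(\hat{F}_1 \odot \hat{G}_1\right) \\
&= \mathrm{NTT}^{-1}\left(\mathrm{NTT}(F_0 + F_1) \odot \mathrm{NTT}(G_0 + G_1)\right) - \mathrm{NTT}^{-1}\left(\hat{F}_0 \odot \hat{G}_0\right) - \mathrm{NTT}^{-1}\left(\hat{F}_1 \odot \hat{G}_1\right) \\
&= (f_0 + f_1) \cdot (g_0 + g_1) - f_0 g_0 - f_1 g_1
\end{aligned}
$$
where, again, the first equality follows from Lemma 2 and the third equality follows from (Pollard, 1971). This completes the proof of proposition 1 and hence the proof of correctness.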
4 COMPRESSION OF PUBLIC KEY (PARAMETER q) USING HYBRIDIZED TECHNIQUE
In this section we discuss the significance of the parameters $n$ and $q$. Here $n$ corresponds to the security parameter, which is the dimension of the lattice under consideration, and the prime number $q$ decides how large the ring $R_q$ will be. If the value of the parameter $q$ is large then the key size of the underlying cipher text will also be large. This could result in increasing bandwidth, which in turn decreases the efficiency of the algorithm (Akleylek et al., 2015; Chen et al., 2014). Our aim in this section is to clearly explain the calculation of the parameter $q$ to the reader and illustrate how we can optimize the value of the parameter $q$ through specific examples. Here we use the $2^{\alpha}$-part separation technique introduced in (Zhu et al., 2019) and calculate the value of $q$ by varying the value of $\alpha$ for a given value of $n$. We showed that by using the $2^{\alpha}$-part separation technique we could decrease the value of $q$ by a substantial amount in comparison to the previous results (Akleylek et al., 2015; Chen et al., 2014). We could conclude that these optimized values of the parameter $q$ for large values of $n$ have a significant positive effect on efficiency if implemented correctly.
4.1 Calculation of q
Until now we have directly stated the respective values of $q$ required for each particular example, but we have not stated the method of calculating the parameter $q$. As we already know, $q$ is a sufficiently large prime modulus and this parameter defines how large the parent ring structure will be. In cryptographic language, the key size of the cipher depends on the value of $q$. The larger the value of $q$, the larger the key size will be. But in order to develop a more efficient post-quantum algorithm we need to decrease the size of the ciphertext.
Now we give the condition for finding the value of $q$ for the following $n$-degree input polynomials:
$$f = a_0 + a_1 x + \ldots + a_{n-1} x^{n-1} \quad \text{and} \quad g = b_0 + b_1 x + \ldots + b_{n-1} x^{n-1}.$$
Let $\max\{a_i, b_j\} \leq d$, $i, j = 0, 1, \ldots, n-1$. We define the Maximum Modulus $M = d^2 n$; subsequently we also define another parameter $Q = M + 1$. Then the sufficiently large prime modulus should be $q \geq Q$. With this condition we have to keep in mind the original condition on $q$, namely $n \mid q - 1$.
In order to keep the value of $q$ comparatively small in our illustrated example 1 we have chosen the coefficients $a_i, b_j \in \mathbb{Z}_2$. But this is not always the case; we can certainly have input polynomials with larger coefficients.
Consider the following example. Let the value of $d = 9$ and $n = 512$. Calculate the prime modulus $q$ for $\alpha = 1$ and $\alpha = 3$.
For $\alpha = 1$:
We have the 2-part hybridized NTT-Karatsuba algorithm with the precondition that $n \mid q - 1$. Therefore we have $512 \mid q - 1 \Longrightarrow q = 512k + 1$, $k \in \mathbb{N}$. On the other hand $Q = 512 \cdot (9)^2 + 1 = 41473 \Longrightarrow q \geq 41473$. We need to find a least positive $k$ s.t. $q = 512k + 1$ and $q \geq 41473$. Such a suitable value of $k$ is 89. The value of the parameter is $q = 45569$, which is a prime.
For $\alpha = 3$:
We have the $2^3$-part hybridized NTT-Karatsuba algorithm with the precondition that $\frac{n}{2^{\alpha-1}} \mid q - 1$, i.e. $\frac{512}{2^{3-1}} \mid q - 1$. Therefore we have $128 \mid q - 1 \Longrightarrow q = 128k + 1$, $k \in \mathbb{N}$. On the other hand $Q = 512 \cdot (9)^2 + 1 = 41473 \Longrightarrow q \geq 41473$. We need to find a least positive $k$ s.t. $q = 128k + 1$ and $q \geq 41473$. Such a suitable value of $k$ is 326. The value of the parameter is $q = 41729$, which is a prime.
We noticed that with the same input parameters, but by increasing the value of $\alpha$ from 1 to $\alpha = 3$, the value of the parameter $q$ decreases from $q = 44569$ to $q = 41479$. Therefore, the hybridized $2^{\alpha}$-part separation method enhances the efficiency of the NTRU-NTT algorithm by sufficiently reducing the key size of the cipher text.
4.2 New Parametric Values for NTRU-NTT
Until now there has been no NTRU-NTT algorithm for $n = 2048$. As we mentioned in the beginning, our aim in implementing the hybridized NTT-Karatsuba algorithm is to work on higher dimensional lattices. In order to achieve higher bit security of the improved NTRU-NTT (Lyubashevsky and Seiler, 2019) we need to increase the value of $n$. But one of the main difficulties that the cryptographer may face while working over such higher dimension lattices is the substantial increase in the value of the prime modulus $q$, which results in an increase in the running time of the algorithm. If the parameter $q$ becomes too large the key size of the ciphertext will be large too, which will result in a decrease in the efficiency of the algorithm.
So, keeping in mind the security standard as well as the computational complexity, we propose to use the hybridized $2^{\alpha}$-part separation method in order to keep the value of $q$ considerably smaller than the values mentioned in the papers (Akleylek et al., 2015; Chen et al., 2014). More precisely,
• in (Chen et al., 2014, Section III) partial results related to Homomorphic Encryption Scheme were obtained: the value of the prime modulus $q$ for $n = 1024$ is 1061093377 and for $n = 2048$ is $2^{57} + 25 \cdot 2^{13} + 1$, which is significantly larger than the improved prime modulus suggested earlier.
• in (Akleylek et al., 2015, Section 4) another result related to the value of the parameter $q$ is mentioned: the value of the prime modulus $q$ for $n = 1024$ is 8383489.
Our suggestions for $q$ values are
i) NTRU-NTT for $n = 1024$
Let the value of the parameter $d$ be 9, i.e. the maximum value of the coefficients of the input polynomial is 9, therefore $q \geq 9^2 \cdot 1024 + 1 \Longrightarrow q \geq 82945$. We know that the precondition $\frac{n}{2^{\alpha-1}} \mid q - 1$ must hold.
$$\alpha = 2 \Longrightarrow \frac{1024}{2^{2-1}} \mid q - 1 \Longrightarrow q = 512k + 1, \quad k \in \mathbb{N}$$
The suitable value of a least positive $k$ satisfying both the conditions is 164. Therefore the value of the prime modulus $q$ is 83969. Our value of $q$ for $\alpha = 2$ is sufficiently smaller than the previous results, i.e. 1061093377 and 8383489. By using this approach we can sufficiently reduce the key size of the cipher.
ii) NTRU-NTT for $n = 2048$
Let the value of the parameter $d$ be 9, i.e. the maximum value of the coefficients of the input polynomial is 9, therefore $q \geq 9^2 \cdot 2048 + 1 \Longrightarrow q \geq 165889$. We know that the precondition $\frac{n}{2^{\alpha-1}} \mid q - 1$ must hold.
$$\alpha = 2 \Longrightarrow \frac{2048}{2^{2-1}} \mid q - 1 \Longrightarrow q = 1024k + 1, \quad k \in \mathbb{N}$$
The suitable value of a least positive $k$ satisfying both the conditions is 172. Therefore the value of the prime modulus $q$ is 176129. Again our value of $q$ for $\alpha = 2$ is sufficiently smaller than the previous result, i.e. $2^{57} + 25 \cdot 2^{13} + 1$.
By using this approach we can sufficiently reduce the key size of the cipher. Also note that by using our result the key size of the cipher for $n = 2048$ is smaller than the key size of the cipher for $n = 1024$ used in previous papers. This clearly shows that our approach could be beneficial in order to compress the public key even if we are working on such higher dimensional lattices like $n = 2048$. Further, we can compress the prime modulus $q$ for $n = 2048$ by increasing the value of $\alpha$, resulting in some interesting parametric values. As an example,
$$\alpha = 3 \Longrightarrow \frac{2048}{2^{3-1}} \mid q - 1 \Longrightarrow q = 512k + 1, \quad k \in \mathbb{N}$$
The suitable value of a least positive $k$ satisfying both the conditions is 329. Therefore the improved value of the prime modulus $q$ is 168449. As another example,
$$\alpha = 4 \Longrightarrow \frac{2048}{2^{4-1}} \mid q - 1 \Longrightarrow q = 256k + 1, \quad k \in \mathbb{N}$$
The suitable value of a least positive $k$ satisfying both the conditions is 651. Therefore another improved value of the prime modulus $q$ is 166657.
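The search described in Sections 4.1 and 4.2, written out as an added example (not code from the paper): it finds the least k for which q = (n / 2^(α−1))·k + 1 is prime and at least Q = d²n + 1. The function names and the fixed-width size estimate in `packed_size_bits` are assumptions made for this illustration.

```python
"""Least prime modulus q for 2^alpha-part separation (added illustration)."""


def is_prime(m):
    """Trial division; sufficient for the moduli sizes discussed here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def find_modulus(n, d, alpha):
    """Return (k, q) with q = step*k + 1 prime, q >= d^2*n + 1, k minimal.

    step = n / 2^(alpha-1) encodes the precondition step | q - 1;
    d bounds the coefficients of the input polynomials.
    """
    step, rem = divmod(n, 2 ** (alpha - 1))
    if alpha < 1 or rem or step < 1:
        raise ValueError("need alpha >= 1 and 2^(alpha-1) dividing n")
    bound = d * d * n + 1                  # Q = M + 1 with M = d^2 * n
    k = -(-(bound - 1) // step)            # smallest k with step*k + 1 >= Q
    while not is_prime(step * k + 1):
        k += 1
    return k, step * k + 1


def coefficient_bits(q):
    """Bits needed to store one coefficient in [0, q-1]."""
    return (q - 1).bit_length()


def packed_size_bits(n, q):
    """Assumption, not from the paper: n coefficients packed at fixed width."""
    return n * coefficient_bits(q)


if __name__ == "__main__":
    # (n, d, alpha) triples taken from the worked cases in Sections 4.1-4.2.
    cases = [(512, 9, 1), (512, 9, 3), (1024, 9, 2),
             (2048, 9, 2), (2048, 9, 3), (2048, 9, 4)]
    for n, d, alpha in cases:
        k, q = find_modulus(n, d, alpha)
        print(f"n={n} alpha={alpha}: k={k} q={q} "
              f"bits/coeff={coefficient_bits(q)} "
              f"packed={packed_size_bits(n, q)} bits")
```

Because 2^(α−1) divides n, Q itself is always of the form step·k + 1, so the loop only has to skip composite candidates.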
4.3 Hybridized Karatsuba-NTT: A Complete Example
In this section, we give a practical example, showing how the computations of the incorrect (1) and correct (2) formulas are performed. In order to do that, we choose the following two polynomials $f, g \in R_{17} = \mathbb{Z}_{17}[x]/\langle x^8 + 1\rangle$:
$$f = 1 + x + x^2 + x^3 + x^4 + x^5 + x^6 + x^7$$
$$g = 1 + x^3 + x^6 + x^7$$
therefore with parameters $n = 8$ and $q = 17$. Moreover, we choose $\omega \equiv 2 \pmod{17}$ as a primitive 8-th root of unity along with $\omega^{-1} \equiv 9 \pmod{17}$. We can split the polynomials $f$ and $g$ into 2 parts as follows:
$$f = (1 + x + x^2 + x^3) + x^4(1 + x + x^2 + x^3)$$
$$g = (1 + 0 \cdot x + 0 \cdot x^2 + 1 \cdot x^3) + x^4(0 + 0 \cdot x + 1 \cdot x^2 + 1 \cdot x^3)$$
therefore we get
$$f_0 = 1 + x + x^2 + x^3 \Longrightarrow F_0 = [1,1,1,1,0,0,0,0]$$
$$f_1 = 1 + x + x^2 + x^3 \Longrightarrow F_1 = [1,1,1,1,0,0,0,0]$$
$$g_0 = 1 + x^3 \Longrightarrow G_0 = [1,0,0,1,0,0,0,0]$$
$$g_1 = x^2 + x^3 \Longrightarrow G_1 = [0,0,1,1,0,0,0,0]$$
From definition 2, we have $\hat{F}_0 = \mathrm{NTT}(F_0) = \sum_{j=0}^{7} a_j \omega^{ij} \pmod{17}$, $i = 0, \ldots, 7$. We are going to explicitly show how $\mathrm{NTT}(F_0)$ is calculated, which will help the reader to understand the calculation of NTT for the other vectors. In particular we have
$$(\hat{F}_0)_0 = a_0 \omega^{0 \cdot 0} + a_1 \omega^{0 \cdot 1} + \ldots + a_7 \omega^{0 \cdot 7} \pmod{17} = 4$$
and, analogously,
$$(\hat{F}_0)_1 = 15 \pmod{17} \qquad (\hat{F}_0)_2 = 0 \pmod{17}$$
$$(\hat{F}_0)_3 = 7 \pmod{17} \qquad (\hat{F}_0)_4 = 7 \pmod{17}$$
$$(\hat{F}_0)_5 = 12 \pmod{17} \qquad (\hat{F}_0)_6 = 0 \pmod{17}$$
$$(\hat{F}_0)_7 = 4 \pmod{17}$$
Therefore we have
$$\hat{F}_0 = \hat{F}_1 = [4,15,0,7,0,12,0,4]$$
and, similarly, we calculate
$$\hat{G}_0 = \mathrm{NTT}(G_0) = [2,9,14,3,0,10,5,16]$$
$$\hat{G}_1 = \mathrm{NTT}(G_1) = [2,12,12,15,0,13,3,11]$$
Let us now calculate some components using notation in definition 1 and useful for formulas (1) and (2):
1. $\hat{F}_0 \odot_q \hat{G}_0 = [8,16,0,4,0,1,0,13]$
2. $\hat{F}_1 \odot_q \hat{G}_1 = [8,10,0,3,0,3,0,10]$
3. $\hat{F}_0 +_q \hat{F}_1 = [8,13,0,14,0,7,0,8]$
4. $\hat{G}_0 +_q \hat{G}_1 = [4,4,9,1,0,6,8,10]$
5. $(\hat{F}_0 +_q \hat{F}_1) \odot_q (\hat{G}_0 +_q \hat{G}_1) = [15,1,0,14,0,8,0,12]$
6. $x^4$ can be seen as the vector $[0,0,0,0,1,0,0,0]$, so $\mathrm{NTT}([0,0,0,0,1,0,0,0]) = [1,16,1,16,1,16,1,16]$ (being $n = 8$)
7. $\hat{F}_0 \odot_q \hat{G}_0 - \hat{F}_1 \odot_q \hat{G}_1 = [0,6,0,1,0,15,0,3]$
8. $(\hat{F}_0 +_q \hat{F}_1) \odot_q (\hat{G}_0 +_q \hat{G}_1) - \hat{F}_0 \odot_q \hat{G}_0 - \hat{F}_1 \odot_q \hat{G}_1 = [16,9,0,7,0,4,0,6]$
It is now a straightforward check that formula (1) gives
$$h = \mathrm{NTT}^{-1}([0,6,0,1,0,15,0,3] + [16,8,0,10,0,13,0,11]) = \mathrm{NTT}^{-1}([16,14,0,11,0,11,0,14])$$
From definition 3, we have $h = \mathrm{NTT}^{-1}(H) = n^{-1}\sum_{j=0}^{7} a_j \omega^{-ij} \pmod{17}$, $i = 0, \ldots, 7$. In particular we have
$$h_0 = 15\left(H_0 \omega^{0 \cdot 0} + H_1 \omega^{0 \cdot 1} + \ldots + H_7 \omega^{0 \cdot 7}\right) = 4 \pmod{17}$$
and, analogously,
$$h_1 = 4 \pmod{17} \qquad h_2 = 2 \pmod{17}$$
$$h_3 = 0 \pmod{17} \qquad h_4 = 0 \pmod{17}$$
$$h_5 = 0 \pmod{17} \qquad h_6 = 2 \pmod{17}$$
$$h_7 = 4 \pmod{17}$$
Therefore we have
$$h = [4,4,2,0,0,0,2,4] \equiv 4 + 4x + 2x^2 + 2x^6 + 4x^7$$
The formula (2) gives
$$
\begin{aligned}
h &= \mathrm{NTT}^{-1}([0,6,0,1,0,15,0,3]) + x^4 \cdot \mathrm{NTT}^{-1}([16,9,0,7,0,4,0,6]) \\
&= [1,1,0,0,16,16,0,0] + x^4 \cdot [1,1,2,4,3,3,2,0] \\
&= [15,15,15,0,0,0,2,4] \\
&\equiv 15 + 15x + 15x^2 + 2x^6 + 4x^7
\end{aligned}
$$
The latter is the correct result and can be checked with
the well known algorithm of the polynomial product.
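The computation of Section 4.3 as an added example (not code from the paper): it evaluates formula (1) and formula (2) on the same f and g with q = 17, n = 8, ω = 2, and compares both with the schoolbook product in Z_17[x]/(x^8 + 1). The helper names are assumptions; the NTT is the direct sum of Definition 2, not a fast transform.

```python
"""Formulas (1) and (2) on the Section 4.3 example (added illustration)."""

Q, N, OMEGA = 17, 8, 2      # q = 17, n = 8, omega = 2, as in Section 4.3


def ntt(vec, root=OMEGA):
    """Definition 2: NTT(F)_i = sum_j a_j * root^(i*j) mod q."""
    return [sum(a * pow(root, i * j, Q) for j, a in enumerate(vec)) % Q
            for i in range(N)]


def intt(vec):
    """Definition 3: the same sum with omega^-1, scaled by n^-1 (mod q)."""
    n_inv = pow(N, Q - 2, Q)            # Fermat inverse, q is prime
    omega_inv = pow(OMEGA, Q - 2, Q)
    return [(n_inv * c) % Q for c in ntt(vec, omega_inv)]


def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def mul(a, b):
    """Component-wise product (mod q) from Definition 1."""
    return [(x * y) % Q for x, y in zip(a, b)]


def halves(poly):
    """Split f = f0 + x^(n/2) f1 and zero-pad each half to length n."""
    h = N // 2
    return poly[:h] + [0] * h, poly[h:] + [0] * h


def ntt_domain_terms(f, g):
    """Items 7 and 8 of Section 4.3: the two Karatsuba terms, NTT domain."""
    f0, f1 = halves(f)
    g0, g1 = halves(g)
    F0, F1, G0, G1 = ntt(f0), ntt(f1), ntt(g0), ntt(g1)
    low = sub(mul(F0, G0), mul(F1, G1))
    mid = sub(sub(mul(add(F0, F1), add(G0, G1)), mul(F0, G0)), mul(F1, G1))
    return low, mid


def times_x_power(vec, k):
    """Multiply by x^k in Z_q[x]/(x^n + 1): wrapped terms change sign."""
    out = [0] * N
    for i, c in enumerate(vec):
        wraps, pos = divmod(i + k, N)
        out[pos] = (out[pos] + (-c if wraps % 2 else c)) % Q
    return out


def formula_1(f, g):
    """Formula (1): x^(n/2) applied as a pointwise factor before NTT^-1.

    With an n-th root of unity this is a cyclic shift (mod x^n - 1), so
    the wrapped coefficients keep their sign and the result is wrong.
    """
    low, mid = ntt_domain_terms(f, g)
    x_half_hat = ntt([0] * (N // 2) + [1] + [0] * (N // 2 - 1))
    return intt(add(low, mul(x_half_hat, mid)))


def formula_2(f, g):
    """Formula (2): invert both terms, then shift in Z_q[x]/(x^n + 1)."""
    low, mid = ntt_domain_terms(f, g)
    return add(intt(low), times_x_power(intt(mid), N // 2))


def schoolbook(f, g):
    """Reference product in Z_q[x]/(x^n + 1)."""
    out = [0] * N
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            wraps, pos = divmod(i + j, N)
            out[pos] = (out[pos] + (-a * b if wraps else a * b)) % Q
    return out


F = [1, 1, 1, 1, 1, 1, 1, 1]    # f = 1 + x + ... + x^7
G = [1, 0, 0, 1, 0, 0, 1, 1]    # g = 1 + x^3 + x^6 + x^7

if __name__ == "__main__":
    print("formula (1):", formula_1(F, G))
    print("formula (2):", formula_2(F, G))
    print("schoolbook :", schoolbook(F, G))
```

The two formulas differ only in where the multiplication by x^(n/2) happens; each half-product has degree at most n − 2, so the inverse transforms in formula (2) involve no wrap-around.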
5 CONCLUSION AND FUTURE WORK
In this paper we have provided an improved polynomial optimization technique for the NTRU-NTT cryptosystem. The corrected hybridized product formula could provide optimized results for the existing NTRU algorithm when implemented. The application of the $2^{\alpha}$-part separation method in decreasing the value of the prime modulus $q$ while keeping the value of the security parameter $n$ considerably high has been introduced in the paper for the first time. We have successfully shown that for $n = 1024$ the value of the parameter $q$ has been decreased from 1061093377 to 83969 and for $n = 2048$ the value of $q$ has been decreased from $2^{57} + 25 \cdot 2^{13} + 1$ to 166657. This could be considered a substantial improvement in terms of decreasing the key sizes. As a part of future work, it would be interesting to generalize the concept and provide a similar mathematical proof for higher values of $\alpha$, i.e. for any $2^{\alpha}$-part separation. The theoretical compression in the value of the prime modulus $q$ corresponding to some specific values of $n$ has been shown in the paper. It would also be very interesting to implement these parametric values and check the difference in the time complexity for the NTRU cryptosystem.
ACKNOWLEDGEMENTS
This work was in part financially supported by the Swedish Foundation for Strategic Research, grant RIT17-0035. We would like to sincerely thank Prof. Martin Hell and Prof. Elena Pagnin from the Department of Electrical and Information Technology, Lund University for their valuable insights and discussions in order to successfully complete the work.
REFERENCES
Akleylek, S., Dağdelen, Ö., and Tok, Z. Y. (2015). On the efficiency of polynomial multiplication for lattice-based cryptography on GPUs using CUDA. In International Conference on Cryptography and Information Security in the Balkans, pages 155–168. Springer.
Alagic, G., Alagic, G., Alperin-Sheriff, J., Apon, D., Cooper, D., Dang, Q., Liu, Y.-K., Miller, C., Moody, D., Peralta, R., et al. (2019). Status report on the first round of the NIST post-quantum cryptography standardization process. US Department of Commerce, National Institute of Standards and Technology.
Avanzi, R., Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J. M., Schwabe, P., Seiler, G., and Stehlé, D. (2017). CRYSTALS-KYBER algorithm specifications and supporting documentation. NIST PQC Round, 2:4.
Bayer-Fluckiger, E. and Suarez, I. (2006). Ideal lattices over totally real number fields and euclidean minima. Archiv der Mathematik, 86(3):217–225.
Bernstein, D. J. and Lange, T. (2017). Post-quantum cryptography. Nature, 549(7671):188–194.
Chen, C., Danba, O., Hoffstein, J., Hülsing, A., Rijneveld, J., Schanck, J. M., Schwabe, P., Whyte, W., and Zhang, Z. (2019). Algorithm specifications and supporting documentation. Brown University and Onboard security company, Wilmington USA.
Chen, D. D., Mentens, N., Vercauteren, F., Roy, S. S., Cheung, R. C., Pao, D., and Verbauwhede, I. (2014). High-speed polynomial multiplication architecture for ring-lwe and she cryptosystems. IEEE Transactions on Circuits and Systems I: Regular Papers, 62(1):157–166.
Dai, W., Whyte, W., and Zhang, Z. (2018). Optimizing polynomial convolution for NTRUEncrypt. IEEE Transactions on Computers, 67(11):1572–1583.
Ducas, L., Durmus, A., Lepoint, T., and Lyubashevsky, V. (2013). Lattice signatures and bimodal Gaussians. In Annual Cryptology Conference, pages 40–56. Springer.
Fedorenko, S. and Trifonov, P. (2002). On computing the fast Fourier transform over finite fields. In Proc. 8th Int. Workshop on Algebraic and Combinatorial Coding Theory, Tsarskoe Selo, Russia, pages 108–111.
Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU: A ring-based public key cryptosystem. In International Algorithmic Number Theory Symposium, pages 267–288. Springer.
Hülsing, A., Rijneveld, J., Schanck, J., and Schwabe, P. (2017). High-speed key encapsulation from ntru. In International Conference on Cryptographic Hardware and Embedded Systems, pages 232–252. Springer.
Karmakar, A., Mera, J. M. B., Roy, S. S., and Verbauwhede, I. (2018). SABER on arm CCA-secure module lattice-based key encapsulation on arm. Cryptology ePrint Archive.
Lyubashevsky, V. and Seiler, G. (2019). NTTRU: truly fast NTRU using NTT. IACR Transactions on Cryptographic Hardware and Embedded Systems, pages 180–201.
Pollard, J. M. (1971). The fast Fourier transform in a finite field. Mathematics of computation, 25(114):365–374.
Zhou, S., Xue, H., Zhang, D., Wang, K., Lu, X., Li, B., and He, J. (2018). Preprocess-then-NTT technique and its applications to KYBER and NEW HOPE. In International Conference on Information Security and Cryptology, pages 117–137. Springer.
Zhu, Y., Liu, Z., and Pan, Y. (2019). When NTT meets Karatsuba: Preprocess-then-NTT technique revisited. IACR Cryptol. ePrint Arch., 2019:1079.