多項式乘法的新技巧：驗證應用單項式於中國剩餘定理之多項式乘法

邱俊茗; Chun-Ming Chiu

請用此 Handle URI 來引用此文件： http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/98677

完整後設資料紀錄

DC 欄位	值	語言
dc.contributor.advisor	蕭旭君	zh_TW
dc.contributor.advisor	Hsu-Chun Hsiao	en
dc.contributor.author	邱俊茗	zh_TW
dc.contributor.author	Chun-Ming Chiu	en
dc.date.accessioned	2025-08-18T01:19:04Z	-
dc.date.available	2025-08-18	-
dc.date.copyright	2025-08-15	-
dc.date.issued	2025	-
dc.date.submitted	2025-08-06	-
dc.identifier.citation	[1] E. Alkim, D. Y.-L. Cheng, C.-M. M. Chung, H. Evkan, L. W.-L. Huang, V. Hwang, C.-L. T. Li, R. Niederhagen, C.-J. Shih, J. Wälde, and B.-Y. Yang. Polynomial multiplication in NTRU prime. IACR TCHES, 2021(1):217–238, 2021. [2] J. B. Almeida, M. Barbosa, G. Barthe, B. Grégoire, V. Laporte, J.-C. Léchenet, T. Oliveira, H. Pacheco, M. Quaresma, P. Schwabe, A. Séré, and P.-Y. Strub. Formally verifying Kyber episode IV: Implementation correctness. IACR TCHES, 2023(3):164–193, 2023. [3] J. B. Almeida, S. A. Olmos, M. Barbosa, G. Barthe, F. Dupressoir, B. Grégoire, V. Laporte, J.-C. Léchenet, C. Low, T. Oliveira, H. Pacheco, M. Quaresma, P. Schwabe, and P.-Y. Strub. Formally verifying kyber - episode V: Machine-checked IND-CCA security and correctness of ML-KEM in EasyCrypt. In L. Reyzin and D. Stebila, editors, CRYPTO 2024, Part II, volume 14921 of LNCS, pages 384–421. Springer, Cham, Aug. 2024. [4] ARM. NEON Programmer’s Guide, 2013. https://developer.arm.com/documentation/den0018/a. [5] M. Barbosa, G. Barthe, X. Fan, B. Grégoire, S.-H. Hung, J. Katz, P.-Y. Strub, X. Wu, and L. Zhou. EasyPQC: Verifying post-quantum cryptography. In G. Vigna and E. Shi, editors, ACM CCS 2021, pages 2564–2586. ACM Press, Nov. 2021. [6] H. Becker, V. Hwang, M. J. Kannwischer, B.-Y. Yang, and S.-Y. Yang. Neon NTT: Faster Dilithium, Kyber, and Saber on Cortex-A72 and Apple M1. IACR TCHES, 2022(1):221–244, 2022. [7] D. J. Bernstein. Multidigit multiplication for mathematicians. 2001. https://cr.yp.to/papers.html#m3. [8] D. J. Bernstein, B. B. Brumley, M.-S. Chen, C. Chuengsatiansup, T. Lange, A. Marotzke, B.-Y. Peng, N. Tuveri, C. van Vredendaal, and B.-Y. Yang. NTRU Prime. Technical report, National Institute of Standards and Technology, 2020. available at https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions. [9] D. J. Bernstein, B. B. Brumley, M.-S. Chen, and N. Tuveri. OpenSSLNTRU: Faster post-quantum TLS key exchange. In K. R. B. Butler and K. Thomas, editors, USENIX Security 2022, pages 845–862. USENIX Association, Aug. 2022. [10] H.-T. Chen, Y.-H. Chung, V. Hwang, and B.-Y. Yang. Algorithmic views of vectorized polynomial multipliers - NTRU. In A. Chattopadhyay, S. Bhasin, S. Picek, and C. Rebeiro, editors, INDOCRYPT 2023, Part II, volume 14460 of LNCS, pages 177–196. Springer, Cham, Dec. 2023. [11] C.-M. M. Chung, V. Hwang, M. J. Kannwischer, G. Seiler, C.-J. Shih, and B.-Y. Yang. NTT multiplication for NTT-unfriendly rings. IACR TCHES, 2021(2):159–188, 2021. [12] R. Crandall and B. Fagin. Discrete weighted transforms and large-integer arithmetic. Math. Comput., 62(205):305 – 324, Jan. 1994. [13] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In M. J. Wiener, editor, CRYPTO’99, volume 1666 of LNCS, pages 537–554. Springer, Berlin, Heidelberg, Aug. 1999. [14] I. J. Good. The interaction algorithm and practical fourier analysis. J. of the Royal Statistical Society, Series B, 20(2):361–372, 1958. [15] C. A. Hassan and O. Yayla. Radix-3 NTT-based polynomial multiplication for lattice-based cryptography. Cryptology ePrint Archive, Report 2022/726, 2022. [16] J. Huang, J. Zhang, H. Zhao, Z. Liu, R. C. C. Cheung, Ç. K. Koç, and D. Chen. Improved plantard arithmetic for lattice-based cryptography. IACR TCHES, 2022(4):614–636, 2022. [17] V. Hwang. Pushing the limit of vectorized polynomial multiplications for NTRU prime. In Y. L. Tianqing Zhu, editor, ACISP 24, Part II, volume 14896 of LNCS, pages 84–102. Springer, Singapore, July 2024. [18] V. Hwang, Y. Kim, and S. C. Seo. Barrett multiplication for dilithium on embedded devices. Cryptology ePrint Archive, Report 2023/1955, 2023. [19] V. Hwang, C.-T. Liu, and B.-Y. Yang. Algorithmic views of vectorized polynomial multipliers - NTRU prime. In C. Pöpper and L. Batina, editors, ACNS 24International Conference on Applied Cryptography and Network Security, Part II, volume 14584 of LNCS, pages 24–46. Springer, Cham, Mar. 2024. [20] V. Hwang, J. Liu, G. Seiler, X. Shi, M.-H. Tsai, B.-Y. Wang, and B.-Y. Yang. Verified NTT multiplications for NISTPQC KEM lattice finalists: Kyber, SABER, and NTRU. IACR TCHES, 2022(4):718–750, 2022. [21] L.-C. Lai, J. Liu, X. Shi, M.-H. Tsai, B.-Y. Wang, and B.-Y. Yang. Automatic verification of cryptographic block function implementations with logical equivalence checking. In J. Garcia-Alfaro, R. Kozik, M. Choraś, and S. Katsikas, editors, ESORICS 2024, Part IV, volume 14985 of LNCS, pages 377–395. Springer, Cham, Sept. 2024. [22] C. M. Rader. Discrete fourier transforms when the number of data samples is prime. Proceedings of the IEEE, 56(6):1107–1108, 1968. [23] G. Seiler. Faster AVX2 optimized NTT multiplication for ring-LWE lattice cryptography. Cryptology ePrint Archive, Report 2018/039, 2018. [24] L. H. Thomas. Applications of Digital Computers, chapter Using a computer to solve problems in physics. Ginn, Boston, 1963. [25] Y. Zhang. ARM NEON programming quick reference, 2015. https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/arm-neon-programming-quick-reference.	-
dc.identifier.uri	http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/98677	-
dc.description.abstract	針對多項式乘法的問題，我們在論文中展示了新穎的轉換策略，並示範如何將其應用在 NTRU Prime 密碼系統上。明確而言，在此密碼系統的所有參數集中，我們特別關注了 sntrup761 跟 ntrulpr761 這兩者。它們使用的多項式商環都是 ℤ₄₅₉₁[x]/⟨x⁷⁶¹−x−1⟩。為了評估我們的新想法是否具實用性，我們使用了 C++ 語言與 ARM Neon intrinsics，將新提出的演算法實做出來。過程中我們發現到，代數轉換過程中事實上存在著不少優化契機。我們進一步利用了這些機會，最終設計出了效率十分出色的乘法器，其在 Cortex-A72 的平台上的計算速度勝過了所有現有紀錄。通常而言，為了避免整數溢流錯誤，基於整數模運算的演算法會經常需要更換計算過程的中間值，轉而用另一個同餘但絕對值較小的整數取代。為了追求效率，我們在實做中盡可能跳過了這個步驟。不可否認的，這增加了整數溢流錯誤的危險性。針對這類型的錯誤，由於引發機率實在過低，基於測試資料的傳統偵測方法往往是沒有幫助的。為了確認我們實做出的是否正確無誤，我們運用了名為 CryptoLine 的形式驗證工具。驗證過程中，我們使用了 CryptoLine 最新版本的所有功能，其中幫助最大的兩個功能是基於 Integer Set Library 的值域驗證，以及程式等價性的驗證。透過後者，我們可以將同一個程式碼用不同的設定，編譯成另一個「優化較不徹底但容易驗證」的執行檔。最終透過證明新版本的正確性以及兩者的等價性，我們可以間接得到原版本執行檔的正確性保證。	zh_TW
dc.description.abstract	In this paper we present a novel transformation strategy for polynomial multiplications and apply it to NTRU Prime, specifically the parameter sets sntrup761 and ntrulpr761 working in the ring ℤ₄₅₉₁[x]/⟨x⁷⁶¹−x−1⟩. To evaluate the practicality of our idea, we implemented the algorithm in C++ with ARM Neon intrinsics. By further exploiting the various optimization opportunities in the transformation process, we achieve state-of-the-art performance on Cortex-A72. Because of the aggressively lazy modular reduction strategy, overflows are of serious concern. Such errors in an optimized implementation are notoriously difficult to detect using traditional test vectors. To this end, the compiled binary file is formally verified using the tool CryptoLine. We use all the features in the current version of CryptoLine. This includes the Integer Set Library for range checking, plus the Logical Equivalence Checking to verify the correctness of the binary produced with the most optimized compiler setting by showing it as being equivalent to a binary from a less optimized compilation.	en
dc.description.provenance	Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-08-18T01:19:04Z No. of bitstreams: 0	en
dc.description.provenance	Made available in DSpace on 2025-08-18T01:19:04Z (GMT). No. of bitstreams: 0	en
dc.description.tableofcontents	致謝 i 摘要 iii Abstract v Contents vii List of Figures xi List of Tables xiii Chapter 1 Introduction 1 1.1 Contributions 2 1.2 Related Work 3 Chapter 2 Preliminaries 5 2.1 NTRU Prime 5 2.2 Modular Reductions and Multiplications 6 2.2.1 Barrett Reduction and Multiplication 6 2.3 CRT and FFTs/NTTs 7 2.3.1 Good–Thomas 9 2.3.2 Rader 9 2.4 Doing iNTT as NTT 13 2.5 Weighted Convolutions and Toeplitz Matrix-Vector Products 14 Chapter 3 Implementation 17 3.1 Choice of Ring 17 3.2 Algorithmic and Computational Overview 19 3.2.1 Transformation Process of Main Part 19 3.2.2 Transformation Process of Low Part 20 3.2.3 Base-case Weighted Convolutions 21 3.2.4 CRT with Minimal Data Movements 21 3.2.5 Final Reductions and Freezing Coefficients 23 3.3 Optimization Opportunities 23 3.3.1 Zero-skipping 23 3.3.2 Early-dropping 27 3.3.3 Base-case Convolutions 28 3.4 Basic Procedures 28 3.4.1 NTT designs 28 3.4.2 Variants of Barrett Reduction/Multiplication 33 Chapter 4 Verification 37 4.1 Correctness and Range Analysis of Modular Arithmetics 37 4.2 Algebraic Transformations 39 4.2.1 Specifying Equality between Polynomials 41 4.2.2 Specifying Congruence between Polynomials 43 4.3 Main Part 44 4.3.1 Forward NTT 44 4.3.2 Weighted Convolution 47 4.3.3 Inverse NTT 48 4.4 Low Part 49 4.5 CRT 50 4.6 Final Reductions 51 4.7 Compiler Optimization 52 Chapter 5 Results 55 5.1 Performance of Polynomial Multiplication 55 5.2 Cost of Verification 56 Chapter 6 Conclusion 59 References 61	-
dc.language.iso	en	-
dc.subject	數論轉換	zh_TW
dc.subject	多項式乘法	zh_TW
dc.subject	整數模運算	zh_TW
dc.subject	中國剩餘定理	zh_TW
dc.subject	混合底數	zh_TW
dc.subject	Mixed-radix	en
dc.subject	CRT	en
dc.subject	Modular Arithmetic	en
dc.subject	NTT	en
dc.subject	Polynomial multiplication	en
dc.title	多項式乘法的新技巧：驗證應用單項式於中國剩餘定理之多項式乘法	zh_TW
dc.title	A New Trick for Polynomial Multiplication: A verified CRT polymul utilizing a monomial factor	en
dc.type	Thesis	-
dc.date.schoolyear	113-2	-
dc.description.degree	碩士	-
dc.contributor.oralexamcommittee	王柏堯;黎士瑋;楊柏因	zh_TW
dc.contributor.oralexamcommittee	Bow-Yaw Wang;Shih-Wei Li;Bo-Yin Yang	en
dc.subject.keyword	多項式乘法,數論轉換,混合底數,中國剩餘定理,整數模運算,	zh_TW
dc.subject.keyword	Polynomial multiplication,NTT,Mixed-radix,CRT,Modular Arithmetic,	en
dc.relation.page	64	-
dc.identifier.doi	10.6342/NTU202501941	-
dc.rights.note	同意授權(全球公開)	-
dc.date.accepted	2025-08-11	-
dc.contributor.author-college	電機資訊學院	-
dc.contributor.author-dept	資訊工程學系	-
dc.date.embargo-lift	2025-08-18	-
顯示於系所單位：	資訊工程學系

文件中的檔案：

檔案	大小	格式
ntu-113-2.pdf	571.36 kB	Adobe PDF	檢視/開啟

顯示文件簡單紀錄

系統中的文件，除了特別指名其著作權條款之外，均受到著作權保護，並且保留所有的權利。