notes on convolution-based NTTs

It turns out that under the convolution theory, we can transform 2 sequences of values into their NTT forms, multiply them pointwise and then transform the result back into the standard form, and that is equivalent to doing polynomial multiplication on the original 2 sequences of values. In other words,

\[c = INTT(NTT(a) \cdot NTT(b))\]

NTT is an \(O(n \space \text{log} \space n)\) operation, which addresses point 1.

A root of unity is any complex number that yields 1 when raised to some positive integer \(n\), otherwise known as the n-th root of unity. We are interested in roots of unity because they form the roots of cyclotomic polynomials which factorize the polynomial \(x^n - 1\), which is one of the key polynomials that we are interested in lattice cryptography.

And because the n-th root of unity yields 1, you can think of the roots of unity as points in a unit circle in a complex plane (that is, if the set of real numbers appear on a 1-dimensional line, the complex plane ‘extends’ the real numbers by adding a 2nd dimension (visually, a y-axis). The roots of unity are then points on this 2 dimensional plane forming the unit circle since the distance from the origin to any root of unity is 1. Visually, we can imagine a circle with 3 points on it spaced out equally, starting from 1:

Since we know that complex numbers can be expressed in the form \(re^{i\theta}\). For the unit circle, \(r = 1\), and since the 3 points are spaced out equally, \(\theta= 2\pi / 3\), and the next point is simply \(\theta^2 = 4\pi / 3\) (or \(-2\pi / 3\)), and these points are \(\omega\) and \(\omega^2\) respectively.

Now imagine we have a degree \(n - 1\) polynomial - we simply extend this simple example of a degree \(3\) with 3 points to \(n - 1\) points.

We briefly mentioned ideals above - the CRT states that \(R/IJ\) is isomorphic to \((R/I) \times (R/J)\) if \(I\) and \(J\) are coprime, i.e. that exists \(u \in I\) and \(v \in J\) such that \(u + v = 1\). However, we can also work with ideals that are not coprime, i.e. the roots of unity we just talked about.

Formally, we have an isomorphism, or a mapping \(\phi\), for polynomial rings in the form \(\mathbb{Z}_q/(x^{2m} - \omega^2)\) where \(m \gt 0\) and invertible \(\omega \in \mathbb{Z}_q\):

\[\phi : \mathbb{Z}_q/(x^{2m} - \omega^2) \cong \mathbb{Z}_q/(x^{m} - \omega) \times \mathbb{Z}_q/(x^{m} + \omega)\]

Which, when mapped to a polynomial with coefficients a_i:

\[\phi (\sum_{i=0}^{2m-1}{a_i x^i}) = (\sum_{i=0}^{m-1}{(a_i + \omega \cdot a_{i+m})x^i}, \sum_{i=0}^{m-1}{(a_i - \omega \cdot a_{i+m})x^i})\]

And for its inverse:

\[\phi^{-1} (\sum_{i=0}^{m-1}{a_i^{'} x^i}, \sum_{i=0}^{m-1}{a_i^{''} x^i}) = \sum_{i=0}^{m-1}{\frac{1}{2}(a_i^{'} + a_i^{''})x^i} + \sum_{i=0}^{m-1}{\frac{\omega^{-1}}{2}(a_i^{'} + a_i^{''})x^{i+m}}\]

To see why the above mapping makes sense: when we compute \(a \space \text{mod} \space (x^m - \omega)\), we use the identity \(x^m \equiv \omega\) since \(x^m - \omega = 0\) in this ring. So, terms with \(x^{m+i}\) reduce to \(\omega x^i\). Thus, we end up with, for the \(x_i\) term in the first ring,

\[\sum_{i=0}^{m-1}{(a_i + \omega \cdot a_{i+m})x^i}\]

The same logic works for computations modulo \((x^m + \omega)\). In which case, each \(i\)-th coefficient can be computed via the sum of two parts:

\[a_i^{'} = a_i + \omega \cdot a_{i+m}\] \[a_i^{''} = a_i - \omega \cdot a_{i+m}\]

Which is exactly the Cooley-Tukey butterfly (CT butterfly). As for the inverse, the \(i\)-th and the \(i+ \frac{n}{2}\)-th coefficient of a can be derived from the \(i\)-th coefficient of a’ and a’’:

\[a_i = (a_i^{'} + a_i^{''})/2\] \[a_{i+m} = \omega^{-1}(a_i^{'} - a_i^{''})/2\]

Which is the Gentleman-Sande butterfly (GS butterfly).

Note that the above details how CRT works for positive wrapped convolutions but not negative wrapped convolutions, which does computations over the ring \(\mathbb{Z}_q[x]/(x^n + 1)\) instead.

We need to make 2 adjustments to make negative wrapped convolutions work:

1. set \(q\) to be a prime number satisfying \(q \equiv \space 1 (\text{mod} \space 2n)\) such that the primitive \(2n\)-th root of unity \(\psi_{2n}\) exists, and

2. Take \(\omega_n = \psi_{2n}^{2} \space \text{mod} \space q\).

These changes are needed because we need \(\psi_{2n}^n = -1 \space \text{mod} \space q\) in order to re-express \(x^n + 1\) as \(x^n - \psi_{2n}^n\), and from there we can proceed with the same trick above.

The beauty of combining the CT butterfly with the GS butterfly is that we get rid of the need for bit reversal, since the standard CT butterfly takes input in the natural order to produce an output in bit-reversed order, which the GS butterfly takes as input to produce an output in the natural order! Naively, we can think of the GS butterfly as ‘undoing’ the CT butterfly operation.