LogoLogo
LogoLogo
  • Introduction
    • About Us
    • Notations & Definitions
      • MPC
      • ZK
    • Contribute to this Site!
  • Primitives
    • Multiplication
      • Karatsuba Multiplication
      • Toom-Cook Multiplication
    • NAF (Non-adjacent form)
    • Chinese Remainder Theorem (CRT)
    • Euclidean Algorithm
      • Extended Euclidean Algorithm
      • Binary Euclidean Algorithm
      • Extended Binary Euclidean Algorithm
    • Coding Theory
      • Linear Code
    • Number Theoretic Transform
    • Abstract Algebra
      • Group
        • -Morphisms
        • Batch Inverse
      • Elliptic Curve
        • Weierstrass Curve
          • Coordinate Forms
          • Fast Elliptic Curve Arithmetic and Improved WEIL Pairing Evaluation
        • Edwards Curve
          • Coordinate Forms
          • Twisted Edwards ↔ Short Weierstrass Transformation
        • Batch Inverse for Batch Point Additions
        • Scalar Multiplication
          • Double-and-add
          • GLV Decomposition
        • MSM
          • Pippenger's Algorithm
          • Signed Bucket Index
          • CycloneMSM
          • EdMSM
          • cuZK
        • 2-Chain and 2-Cycle of Elliptic Curves
    • Encryption Scheme
      • ElGamal Encryption
    • Modular Arithmetic
      • Modular Reduction
        • Barrett Reduction
        • Montgomery Reduction
      • Modular Inverse
        • Bernstein-Yang's Inverse
    • Multiset Check
    • Sumcheck
    • Commitment Scheme
      • Fflonk
      • SHPlonk
      • Zeromorph
  • MPC
    • Yao's Garbled Circuits
    • GMW
    • BMR
  • ZK
    • Arithmetization
      • R1CS
      • PLONK
      • AIR
    • Folding
      • LatticeFold
      • Nova
        • Nova over Cycles of Curves
    • Lookup
      • Lasso
      • LogUp-GKR
    • SNARK
      • Groth16
      • HyperPlonk
      • Spartan
        • SPARK
    • STARK
      • Additive NTT
      • Basefold
      • Binius
      • Brakedown
      • CircleSTARK
      • FRI
        • FRI Security Features and Optimizations
      • DEEP FRI
      • STIR
      • WHIR
    • Distributed ZK
      • Ryan's Trick for Distributed Groth16
  • Application
    • zkLogin
    • zkHoldem
    • zkTLS
      • DECO
      • Proxying is enough
  • zkVM
Powered by GitBook
On this page
  • Preliminaries
  • Discrete Linear Convolution
  • Polynomial Multiplication
  • Cyclic Convolution
  • Negacyclic convolution
  • Number Theoretic Transform
  • Cooley-Tukey (CT) Algorithm for Fast NTT
  • Gentleman-Sande (GS) Algorithm for Fast INTT
  • References:
Export as PDF
  1. Primitives

Number Theoretic Transform

Presentation: https://youtu.be/jeHQtLduHN8

PreviousLinear CodeNextAbstract Algebra

Last updated 1 month ago

Preliminaries

Discrete Linear Convolution

Convolution is a mathematical operation that blends two functions (or signals) to produce a third function, which shows how one function modifies or overlaps with the other.

A convolution is linear if it satisfies the properties of additivity and homogeneity. This means that the convolution of a linear combination of sequences is the same as the corresponding linear combination of their convolutions. For example, (A+B)∘C=A∘C+B∘C(A+B)\circ C= A\circ C + B\circ C(A+B)∘C=A∘C+B∘C

So discrete linear convolution is when it is working on sequences of integers rather than on continuous functions.

Polynomial Multiplication

Definition 1: Suppose that G(x)G(x)G(x) and H(x)H(x)H(x) are polynomials of degree n−1n − 1n−1 in the ring Zq[x]\mathbb{Z}_q[x]Zq​[x] where q∈Zq \in \mathbb{Z}q∈Z and xxx is the polynomial variable, a polynomial multiplication of G(x)G(x)G(x) and H(x)H(x)H(x) is defined as:

Y(x)=G(x)⋅H(x)=∑k=02(n−1)ykxk(1)Y(x)=G(x)\cdot H(x)=\sum_{k=0}^{2(n-1)}y_k x^k \tag{1}Y(x)=G(x)⋅H(x)=k=0∑2(n−1)​yk​xk(1)

where yk=∑i=0kgihk−imod  qy_k=\sum_{i=0}^{k}g_i h_{k-i} \mod qyk​=∑i=0k​gi​hk−i​modq, g\bm{g}g and h\bm{h}h are the polynomial coefficients of G(x)G(x)G(x) and H(x)H(x)H(x) respectively.

Polynomial multiplication is equivalent to a discrete linear convolution between the coefficients' vectors g=(g0,…,gn)\bm{g}=(g_0,\dots,g_n)g=(g0​,…,gn​) and h=(h0,…,hn)\bm{h}=(h_0,\dots,h_n)h=(h0​,…,hn​).

Cyclic Convolution

Definition 2: Suppose that G(x)G(x)G(x) and H(x)H(x)H(x) are polynomials of degree n−1n − 1n−1 in the quotient ring Zq[x]/(xn−1)\mathbb{Z}_q[x]/(x^n − 1)Zq​[x]/(xn−1) where q∈Zq\in\mathbb{Z}q∈Z. A cyclic convolution or positive wrapped convolution (PWC) is defined as:

Negacyclic convolution

Note that the only difference between cyclic and negacyclic convolution is the divisor.

Number Theoretic Transform

Many researchers do not differentiate the term NTT and FFT-based algorithms to calculate NTT, which creates confusion when understanding the topic. This report refers to the transformation itself as NTT and the FFT-like algorithms as fast-NTT

and

To reduce the complexity and fasten the process of the matrix multiplication needed for the NTT transformation, one can use ‘‘divide and conquer’’ techniques by utilizing the periodicity and symmetry property of:

Cooley-Tukey (CT) Algorithm for Fast NTT

PWC case

The idea is to calculate similar terms in the brackets once and then distribute the results instead of calculating them multiple times.

NWC case

Gentleman-Sande (GS) Algorithm for Fast INTT

PWC case

If we consider the odd and even term separately, we get:

NWC case

If we consider the odd and even term, we get:

References:

PWC(x)=∑k=0n−1ckxk(2)\mathsf{PWC}(x)=\sum^{n-1}_{k=0}c_kx^k\tag{2}PWC(x)=k=0∑n−1​ck​xk(2)

where ck=∑i=0kgihk−i+∑i=k+1n−1gihk+n−imod  qc_k=\sum^{k}_{i=0}g_i h_{k-i} + \sum^{n-1}_{i=k+1}g_i h_{k+n-i} \mod qck​=∑i=0k​gi​hk−i​+∑i=k+1n−1​gi​hk+n−i​modq. If Y(x)Y(x)Y(x) from equation (1)(1)(1) is the result of their linear convolution in the ring Zq[x]\mathbb{Z}_q[x]Zq​[x], it can also be defined as:

PWC(x)=Y(x)mod  (xn−1)(3)\mathsf{PWC}(x)=Y(x) \mod (x^n-1) \tag{3}PWC(x)=Y(x)mod(xn−1)(3)

Naive method to calculate the PWC\mathsf{PWC}PWC is through a polynomial multiplication followed by a long division. This method has O(n2)O(n^2)O(n2) complexity.

The term "cyclic" stems from the fact that xnx^nxn cycles back to 111 in this quotient ring. For example, F(x)=xnF(x)=x^nF(x)=xn will map to F(x)=1F(x)=1F(x)=1 in this quotient ring.

Definition 3: Suppose that G(x)G(x)G(x) and H(x)H(x)H(x) are polynomials of degree n−1n − 1n−1 in the quotient ring Z[x]/(xn+1)\mathbb{Z}[x]/(x^n + 1)Z[x]/(xn+1) where q∈Zq \in \mathbb{Z}q∈Z. A negacyclic convolution or negative wrapped convolution, NWC(x)\mathsf{NWC}(x)NWC(x) is defined as:

NWC(x)=∑k=0n−1ckxk(4)\mathsf{NWC}(x)=\sum_{k=0}^{n-1}c_k x^k \tag{4}NWC(x)=k=0∑n−1​ck​xk(4)

where ck=∑i=0kgihk−i−∑i=k+in−1gihk+n−imod  qc_k=\sum_{i=0}^k g_i h_{k-i} - \sum_{i=k+i}^{n-1}g_i h_{k+n-i}\mod qck​=∑i=0k​gi​hk−i​−∑i=k+in−1​gi​hk+n−i​modq. If Y(x)Y(x)Y(x) from equation (1)(1)(1) is the result of their linear convolution in the ring Z[x]\mathbb{Z}[x]Z[x], it also can be defined as:

NWC(x)=Y(x)mod  (xn+1)(5)\mathsf{NWC}(x)=Y(x) \mod (x^n + 1) \tag{5}NWC(x)=Y(x)mod(xn+1)(5)

The term "negacyclic" stems from the fact that xnx^nxn cycles back to −1-1−1 in this quotient ring. For example, F(x)=xnF(x)=x^nF(x)=xn will map to F(x)=−1F(x)=-1F(x)=−1 in this quotient ring.

The classical NTT has quadratic complexity of O(n2)O(n^2)O(n2) while fast-NTT algorithms have a more efficient quasi-linear complexity O(nlog⁡n).O(n\log n).O(nlogn).

Remember that for NTT, we are particularly interested in the evaluations at the roots of the quotient polynomial. (A⋅B=C+QuotientPoly⋅cA\cdot B= C + \mathsf{QuotientPoly} \cdot cA⋅B=C+QuotientPoly⋅c and we want the QuotientPoly\mathsf{QuotientPoly}QuotientPoly to vanish).

Definition 4: Let Zq\mathbb{Z}_qZq​ be an integer ring modulo qqq, and n−1n − 1n−1 is the polynomial degree of G(x)G(x)G(x) and H(x)H(x)H(x). Such rings have a multiplicative identity (unity) of 1. Define ω\omegaω as primitive nnn-th root of unity in Zq\mathbb{Z}_qZq​ if and only if:

ωn≡1mod  q(6)\omega^n\equiv 1 \mod q \tag{6} ωn≡1modq(6)
ωk≢1mod  q(7)\omega^k\not\equiv 1\mod q\tag{7}ωk≡1modq(7)

for all k=1,…,n−1k=1,\dots,n-1k=1,…,n−1.

One thing to note is that the primitive nnn-th root of unity in a ring Zq\mathbb{Z}_qZq​ might not be unique. For example, in a ring Z7\mathbb{Z}_{7}Z7​, primitive 3rd root of unity can be 222 and 444. The choice of value of ω\omegaω will be important in calculating NWC\mathsf{NWC}NWC and PWC\mathsf{PWC}PWC.

Definition 5: The Number Theoretic Transform (NTT) of a vector of polynomial coefficients a\boldsymbol{a}a is defined as a^=NTT(a)\hat{\boldsymbol{a}} = \mathsf{NTT}(\boldsymbol{a})a^=NTT(a), where:

a^j=∑i=0n−1ωijaimod  q(8)\hat{a}_j=\sum^{n-1}_{i=0}\omega^{ij}a_i\mod q \tag{8}a^j​=i=0∑n−1​ωijai​modq(8)

and j=0,1,…,n−1j=0,1,\dots,n-1j=0,1,…,n−1. Here, a^\hat{\bm{a}}a^ denotes the evaluations of the polynomial defined by a\bm{a}a over {ω0,ω1,…,ωn−1}\{\omega^{0},\omega^{1},\dots,\omega^{n-1}\}{ω0,ω1,…,ωn−1} which are the roots of (xn−1)(x^n-1)(xn−1).

Definition 6: The Inverse of Number Theoretic Transform (INTT) of an NTT vector a^\hat{\boldsymbol{a}}a^ is defined as a=INTT(a^)\boldsymbol{a} = \mathsf{INTT}(\hat{\boldsymbol{a}})a=INTT(a^), where:

ai=n−1∑j=0n−1w−ija^jmod  q(9)a_i=n^{-1}\sum^{n-1}_{j=0}w^{-ij}\hat{a}_j \mod q\tag{9}ai​=n−1j=0∑n−1​w−ija^j​modq(9)

and j=0,1,…,n−1j=0,1,\dots,n-1j=0,1,…,n−1.

Note that the INTT has a very similar formula to NTT. The only differences are ω\omegaω replaced by its inverse in Zq\mathbb{Z}_qZq​ and a n−1n^{−1}n−1 scaling factor. It always holds that a=INTT(NTT(a))\bm{a} = \mathsf{INTT}(\mathsf{NTT}(\bm{a}))a=INTT(NTT(a)).

In the ZK scene, it is common to work on a polynomial with some max degree n−1n-1n−1. This just means that we are working on polynomials from the quotient ring Zq[x]/(xn−1)\mathbb{Z}_q[x]/(x^n − 1)Zq​[x]/(xn−1). In such rings, we must utilize positive-wrapped convolution.

In the context of PQC and HE, the chosen ring is mostly Zq[x]/(xn+1)\mathbb{Z}_q[x]/(x^n + 1)Zq​[x]/(xn+1) instead of Zq[x]/(xn−1)\mathbb{Z}_q[x]/(x^n − 1)Zq​[x]/(xn−1). One must calculate the polynomial multiplications via the negative-wrapped convolution in such rings. To calculate negative-wrapped convolution, one needs the primitive 2n2n2n-th root of unity, ψ\psiψ.

Definition 7: Let Zq\mathbb{Z}_qZq​ be an integer ring modulo qqq, and n−1n - 1n−1 is the polynomial degree of G(x)G(x)G(x) and H(x)H(x)H(x) and ω\omegaω is its primitive nnn-th root of unity. Define ψ\psiψ as the primitive 2n2n2n-th root of unity if and only if:

(ψ2≡ωmod  q)∧(ψn≡−1mod  q)(10)(\psi^2\equiv\omega\mod q)\land (\psi^n \equiv -1 \mod q) \tag{10}(ψ2≡ωmodq)∧(ψn≡−1modq)(10)

Example. In a ring Z7681\mathbb{Z}_{7681}Z7681​ and n=4n = 4n=4, when ω=3383\omega = 3383ω=3383, the value of ψ\psiψ can be 1925 or 5756 as 19252≡57562≡3383mod  76811925^2 \equiv 5756^2 \equiv 3383 \mod 768119252≡57562≡3383mod7681 and 19254≡57564≡7680≡−1mod  76811925^4 \equiv 5756^4 \equiv 7680 \equiv −1 \mod 768119254≡57564≡7680≡−1mod7681. Therefore, one can choose the value of ψ=1925\psi = 1925ψ=1925 or ψ=5756\psi = 5756ψ=5756.

Definition 8: The Negative-Wrapped Number Theoretic Transform (NTTψ\mathsf{NTT}^\psiNTTψ) of a vector of polynomial coefficients a\bm{a}a is defined as a^=NTTψ(a)\hat{\boldsymbol{a}} = \mathsf{NTT^\psi}(\boldsymbol{a})a^=NTTψ(a), where:

a^j=∑i=0n−1ψ2ij+iaimod  q(11)\hat{a}_j = \sum^{n−1}_{i=0} \psi^{2ij+i}a_i \mod q \tag{11}a^j​=i=0∑n−1​ψ2ij+iai​modq(11)

and j=0,1,…,n−1j=0,1,\dots,n-1j=0,1,…,n−1. Here, a^\hat{\bm{a}}a^ denotes the evaluations of the polynomial defined by a\bm{a}a over {ψ1,ψ3,…,ψ2n−1}\{\psi^{1},\psi^{3},\dots,\psi^{2n-1}\}{ψ1,ψ3,…,ψ2n−1} which are the roots of (xn+1)(x^n+1)(xn+1).

Definition 9: The Negative-Wrapped Inverse of Number Theoretic Transform (INTT) of an NTT vector a^\hat{\bm{a}}a^ is defined as a=INTTψ−1(a^)\bm{a} = \mathsf{INTT}^{\psi^{-1}}(\hat{\bm{a}})a=INTTψ−1(a^), where:

ai=n−1∑j=0n−1ψ−iω−ija^jmod  q(12)a_i=n^{-1}\sum_{j=0}^{n-1}\psi^{-i}\omega^{-ij}\hat{a}_j \mod q \tag{12}ai​=n−1j=0∑n−1​ψ−iω−ija^j​modq(12)

and i=0,1,…,n−1i=0,1,\dots,n-1i=0,1,…,n−1. Substituting ω=ψ2\omega = \psi^2ω=ψ2 yields:

ai=n−1∑j=0n−1ψ−(2ij+i)a^jmod  q(17)a_i=n^{-1}\sum^{n-1}_{j=0}\psi^{-(2ij+i)}\hat{a}_j\mod q \tag{17}ai​=n−1j=0∑n−1​ψ−(2ij+i)a^j​modq(17)
periodicity:   ψk+2n=ψksymmetry:   ψk+n=−ψk(18)\begin{aligned}\text{periodicity:}\ \ \ &\psi^{k+2n}& &=&\psi^k \\ \text{symmetry:}\ \ \ &\psi^{k+n}& &=&-\psi^k\end{aligned} \tag{18}periodicity:   symmetry:   ​ψk+2nψk+n​​==​ψk−ψk​(18)

From equation (8) for NTT\mathsf{NTT}NTT, one can separate the summation into two parts, based on odd and even indices:

a^j=∑i=0n−1ωijaimod  q=∑i=0n/2−1ω2ija2i+∑i=0n/2−1ω2ij+ja2i+1mod  q=∑i=0n/2−1ω2ija2i+ωj∑i=0n/2−1ω2ija2i+1mod  q(19)\begin{aligned} \hat{a}_j& = \sum_{i=0}^{n-1}\omega^{ij}a_i\mod q \\ &=\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i} + \sum_{i=0}^{n/2-1}\omega^{2ij + j}a_{2i+1}\mod q\\ &=\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i} + \omega^{j}\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i+1}\mod q \end{aligned}\tag{19}a^j​​=i=0∑n−1​ωijai​modq=i=0∑n/2−1​ω2ija2i​+i=0∑n/2−1​ω2ij+ja2i+1​modq=i=0∑n/2−1​ω2ija2i​+ωji=0∑n/2−1​ω2ija2i+1​modq​(19)

Similarly, we can get the equation for a^j+n2\hat{\bm{a}}_{j+\frac{n}{2}}a^j+2n​​ by using the fact that ωn2≡−1mod  q\omega^{\frac{n}{2}}\equiv-1 \mod qω2n​≡−1modq :

a^j+n2=∑i=0n−1ωi(j+n2)aimod  q=∑i=0n/2−1ω2i(j+n2)a2i+∑i=0n/2−1ω(2i+1)(j+n2)a2i+1mod  q=∑i=0n/2−1ω2ij+nia2i+∑i=0n/2−1ω2ij+j+ni+n2a2i+1mod  q=∑i=0n/2−1ω2ija2i+ωj+n2∑i=0n/2−1ω2ija2i+1mod  q=∑i=0n/2−1ω2ija2i−ωj∑i=0n/2−1ω2ija2i+1mod  q(20)\begin{aligned} \hat{a}_{j+\frac{n}{2}}& = \sum_{i=0}^{n-1}\omega^{i(j+\frac{n}{2})}a_i &\mod q \\ &=\sum_{i=0}^{n/2-1}\omega^{2i(j+\frac{n}{2})}a_{2i} + \sum_{i=0}^{n/2-1}\omega^{(2i+1)(j + \frac{n}{2})}a_{2i+1} &\mod q\\ &=\sum_{i=0}^{n/2-1}\omega^{2ij + {ni}}a_{2i} + \sum_{i=0}^{n/2-1}\omega^{2ij + j + ni + \frac{n}{2}}a_{2i+1} &\mod q \\ &=\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i} + \omega^{j+\frac{n}{2}}\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i+1} &\mod q \\ &=\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i} - \omega^{j}\sum_{i=0}^{n/2-1}\omega^{2ij}a_{2i+1} &\mod q\end{aligned}\tag{20}a^j+2n​​​=i=0∑n−1​ωi(j+2n​)ai​=i=0∑n/2−1​ω2i(j+2n​)a2i​+i=0∑n/2−1​ω(2i+1)(j+2n​)a2i+1​=i=0∑n/2−1​ω2ij+nia2i​+i=0∑n/2−1​ω2ij+j+ni+2n​a2i+1​=i=0∑n/2−1​ω2ija2i​+ωj+2n​i=0∑n/2−1​ω2ija2i+1​=i=0∑n/2−1​ω2ija2i​−ωji=0∑n/2−1​ω2ija2i+1​​modqmodqmodqmodqmodq​(20)

If we denote, Aj=∑i=0n/2−1ω2ija2iA_j=\sum^{n/2-1}_{i=0}\omega^{2ij}a_{2i}Aj​=∑i=0n/2−1​ω2ija2i​ and Bj=∑i=0n/2−1ω2ija2i+1B_j=\sum^{n/2-1}_{i=0}\omega^{2ij}a_{2i+1}Bj​=∑i=0n/2−1​ω2ija2i+1​, the equation (19)(19)(19) and (20)(20)(20) becomes:

a^j=Aj+ωjBjmod  qa^j+n/2=Aj−ωjBjmod  q(21)\begin{aligned}\hat{\boldsymbol{a}}_j&=A_j + \omega^j B_j \mod q\\\hat{\boldsymbol{a}}_{j+n/2}&=A_j-\omega^jB_j \mod q \end{aligned}\tag{21}a^j​a^j+n/2​​=Aj​+ωjBj​modq=Aj​−ωjBj​modq​(21)

With this finding, we can calculate AjA_jAj​ and BjB_jBj​ for j=0,…,n2j=0,\dots,\frac{n}{2}j=0,…,2n​ and calculate a^\hat{\bm{a}}a^ by reusing them for the upper half. Notice that AjA_jAj​ and BjB_jBj​ can be calculated using n2\frac{n}{2}2n​ point NTT so if we repeat recursively, we can achieve the best case scenario O(nlog⁡n)O(n\log n)O(nlogn) which occurs when nnn is a power of 2.

Example. Let's consider the case when a=(1,2,3,4)\bm{a}=(1,2,3,4)a=(1,2,3,4).

a^=[ω0ω0ω0ω0ω0ω1ω2ω3ω0ω2ω4ω6ω0ω3ω6ω9]⋅[1234]\hat{\bm{a}}= \begin{bmatrix} \omega^{0} & \omega^{0} & \omega^{0} & \omega^{0} \\ \omega^{0} & \omega^{1} & \omega^{2} & \omega^{3} \\ \omega^{0} & \omega^{2} & \omega^{4} & \omega^{6} \\ \omega^{0} & \omega^{3} & \omega^{6} & \omega^{9} \end{bmatrix} \cdot \begin{bmatrix} 1 \\ 2 \\ 3 \\ 4 \\ \end{bmatrix}a^=​ω0ω0ω0ω0​ω0ω1ω2ω3​ω0ω2ω4ω6​ω0ω3ω6ω9​​⋅​1234​​
a^=[ω0ω0ω0ω0ω0ω1ω2ω3ω0ω2ω0ω2ω0ω3ω2ω1]⋅[1234]\hat{\bm{a}}= \begin{bmatrix} \omega^{0} & \omega^{0} & \omega^{0} & \omega^{0} \\ \omega^{0} & \omega^{1} & \omega^{2} & \omega^{3} \\ \omega^{0} & \omega^{2} & \omega^{0} & \omega^{2} \\ \omega^{0} & \omega^{3} & \omega^{2} & \omega^{1} \end{bmatrix} \cdot \begin{bmatrix} 1 \\ 2 \\ 3 \\ 4 \\ \end{bmatrix}a^=​ω0ω0ω0ω0​ω0ω1ω2ω3​ω0ω2ω0ω2​ω0ω3ω2ω1​​⋅​1234​​
a^0=ω0⋅1+ω0⋅2+ω0⋅3+ω0⋅4a^1=ω0⋅1+ω1⋅2+ω2⋅3+ω3⋅4a^2=ω0⋅1+ω2⋅2+ω0⋅3+ω2⋅4a^3=ω0⋅1+ω3⋅2+ω2⋅3+ω1⋅4\hat{a}_0=\omega^0\cdot 1 + \omega^0\cdot 2 + \omega^0\cdot 3 + \omega^0\cdot 4 \\ \hat{a}_1=\omega^0\cdot 1 + \omega^1\cdot 2 + \omega^2\cdot 3 + \omega^3\cdot 4 \\ \hat{a}_2=\omega^0\cdot 1 + \omega^2\cdot 2 + \omega^0\cdot 3 + \omega^2\cdot 4 \\ \hat{a}_3=\omega^0\cdot 1 + \omega^3\cdot 2 + \omega^2\cdot 3 + \omega^1\cdot 4a^0​=ω0⋅1+ω0⋅2+ω0⋅3+ω0⋅4a^1​=ω0⋅1+ω1⋅2+ω2⋅3+ω3⋅4a^2​=ω0⋅1+ω2⋅2+ω0⋅3+ω2⋅4a^3​=ω0⋅1+ω3⋅2+ω2⋅3+ω1⋅4
a^0=ω0⋅(1+3)+ω0⋅(2+4)a^1=ω0⋅(1−3)+ω1⋅(2−4)a^2=ω0⋅(1+3)−ω0⋅(2+4)a^3=ω0⋅(1−3)−ω1⋅(2−4)\hat{a}_0=\omega^0\cdot (1 + 3) + \omega^0\cdot (2 + 4) \\ \hat{a}_1=\omega^0\cdot (1 - 3) + \omega^1\cdot (2 - 4) \\ \hat{a}_2=\omega^0\cdot (1 + 3) -\omega^0\cdot (2 + 4) \\ \hat{a}_3=\omega^0\cdot (1 - 3) - \omega^1\cdot (2 - 4) a^0​=ω0⋅(1+3)+ω0⋅(2+4)a^1​=ω0⋅(1−3)+ω1⋅(2−4)a^2​=ω0⋅(1+3)−ω0⋅(2+4)a^3​=ω0⋅(1−3)−ω1⋅(2−4)

From equation (11)(11)(11) for NTTψ\mathsf{NTT}^\psiNTTψ, one can separate the summation into two parts similarly into following:

a^j=∑i=0n−1ψ2ij+iaimod  q=∑i=0n/2−1ψ4ij+2ia2i+∑i=0n/2−1ψ4ij+2j+2i+1aa2i+1mod  q=∑i=0n/2−1ψ4ij+2ia2i+ψ2j+1∑i=0n/2−1ψ4ij+2iaa2i+1mod  q(22)\begin{aligned}\hat{\boldsymbol{a}}_j& = \sum_{i=0}^{n-1}\psi^{2ij+i}\boldsymbol{a}_i\mod q \\ & = \sum_{i=0}^{n/2-1}\psi^{4ij+2i}\boldsymbol{a}_{2i} + \sum_{i=0}^{n/2-1}\psi^{4ij + 2j + 2i + 1}\boldsymbol{a}_{a_{2i+1}}&\mod q\\ &=\sum_{i=0}^{n/2-1}\psi^{4ij+2i}\boldsymbol{a}_{2i} + \psi^{2j+1}\sum_{i=0}^{n/2-1}\psi^{4ij + 2i}\boldsymbol{a}_{a_{2i+1}}&\mod q\end{aligned}\tag{22}a^j​​=i=0∑n−1​ψ2ij+iai​modq=i=0∑n/2−1​ψ4ij+2ia2i​+i=0∑n/2−1​ψ4ij+2j+2i+1aa2i+1​​=i=0∑n/2−1​ψ4ij+2ia2i​+ψ2j+1i=0∑n/2−1​ψ4ij+2iaa2i+1​​​modqmodq​(22)

Based on the ψ\psiψ's symmetry properties:

a^j+n/2=∑i=0n/2−1ψ4ij+2ia2i−ψ2j+1∑i=0n/2−1ψ4ij+2iaa2i+1mod  q(23)\hat{\boldsymbol{a}}_{j+n/2}=\sum_{i=0}^{n/2-1}\psi^{4ij+2i}\boldsymbol{a}_{2i} - \psi^{2j + 1}\sum_{i=0}^{n/2-1}\psi^{4ij + 2i}\boldsymbol{a}_{a_{2i+1}}\mod q \tag{23}a^j+n/2​=i=0∑n/2−1​ψ4ij+2ia2i​−ψ2j+1i=0∑n/2−1​ψ4ij+2iaa2i+1​​modq(23)

Let Aj=∑i=0n/2−1ψ4ij+2ia2iA_j=\sum^{n/2-1}_{i=0}\psi^{4ij + 2i}a_{2i}Aj​=∑i=0n/2−1​ψ4ij+2ia2i​ and Bj=∑i=0n/2−1ψ4ij+2ia2i+1B_j=\sum^{n/2-1}_{i=0}\psi^{4ij+2i}a_{2i+1}Bj​=∑i=0n/2−1​ψ4ij+2ia2i+1​, equations (22)(22)(22) and (23)(23)(23) become:

a^j=Aj+ψ2j+1Bjmod  qa^j+n/2=Aj−ψ2j+1Bjmod  q(24)\begin{aligned}\hat{\boldsymbol{a}}_j &= A_j + \psi^{2j+1}B_j\mod q\\ \hat{\boldsymbol{a}}_{j+n/2}&=A_j-\psi^{2j+1}B_j\mod q\end{aligned}\tag{24}a^j​a^j+n/2​​=Aj​+ψ2j+1Bj​modq=Aj​−ψ2j+1Bj​modq​(24)

With this finding, we can calculate AjA_jAj​ and BjB_jBj​ for j=0,…,n2j=0,\dots,\frac{n}{2}j=0,…,2n​ and calculate a^\hat{\bm{a}}a^ by reusing them for the upper half. Notice that AjA_jAj​ and BjB_jBj​ can be calculated using n2\frac{n}{2}2n​ point NTT so if we repeat recursively, we can achieve the best case scenario O(nlog⁡n)O(n\log n)O(nlogn) which occurs when nnn is a power of 2.

Figure 1 illustrates how this butterfly operation is denoted as a graph. This figure represents the computation of A+ψkBA+\psi^kBA+ψkB and A−ψkBA-\psi^k BA−ψkB.

For the INTT, instead of dividing the summation by even and odd indices, it is separated by the lower and upper half of the summation. From equation (10)(10)(10) for INTT\mathsf{INTT}INTT and ignoring n−1n^{-1}n−1 term:

ai=∑j=0n−1ω−ija^jmod  q=∑j=0n2−1ω−ija^j+∑j=0n2−1ω−i(j+n2)a^j+n2mod  q=∑j=0n2−1ω−ija^j+ω−ni2∑j=0n2−1ω−ija^j+n2mod  q=∑j=0n2−1(a^j+ω−ni2a^j+n2)⋅ω−ijmod  q(25)\begin{aligned} a_i&=\sum^{n-1}_{j=0}\omega^{-ij}\hat{a}_j &\mod q \\ &=\sum^{\frac{n}{2}-1}_{j=0}\omega^{-ij}\hat{a}_j+\sum^{\frac{n}{2}-1}_{j=0}\omega^{-i(j+\frac{n}{2})}\hat{a}_{j+\frac{n}{2}} &\mod q\\ &=\sum^{\frac{n}{2}-1}_{j=0}\omega^{-ij}\hat{a}_j+\omega^{-\frac{ni}{2}}\sum^{\frac{n}{2}-1}_{j=0}\omega^{-ij}\hat{a}_{j+\frac{n}{2}} &\mod q \\ &=\sum^{\frac{n}{2}-1}_{j=0}(\hat{a}_j+\omega^{-\frac{ni}{2}}\hat{a}_{j+\frac{n}{2}})\cdot\omega^{-ij} &\mod q \end{aligned}\tag{25}ai​​=j=0∑n−1​ω−ija^j​=j=0∑2n​−1​ω−ija^j​+j=0∑2n​−1​ω−i(j+2n​)a^j+2n​​=j=0∑2n​−1​ω−ija^j​+ω−2ni​j=0∑2n​−1​ω−ija^j+2n​​=j=0∑2n​−1​(a^j​+ω−2ni​a^j+2n​​)⋅ω−ij​modqmodqmodqmodq​(25)
a2i=∑j=0n2−1(a^j+ω−nia^j+n2)⋅ω−2ijmod  q=∑j=0n2−1(a^j+a^j+n2)⋅ω−2ijmod  q(26)\begin{align*} a_{2i}&=\sum^{\frac{n}{2}-1}_{j=0}(\hat{a}_j+\omega^{-ni}\hat{a}_{j+\frac{n}{2}})\cdot\omega^{-2ij} &\mod q \\ &=\sum^{\frac{n}{2}-1}_{j=0}(\hat{a}_j+\hat{a}_{j+\frac{n}{2}})\cdot\omega^{-2ij} &\mod q \end{align*} \tag{26}a2i​​=j=0∑2n​−1​(a^j​+ω−nia^j+2n​​)⋅ω−2ij=j=0∑2n​−1​(a^j​+a^j+2n​​)⋅ω−2ij​modqmodq​(26)
a2i+1=∑j=0n2−1(a^j+ω−ni−n2a^j+n2)⋅ω−2ij−jmod  q=∑j=0n2−1((a^j−a^j+n2)⋅ω−j)⋅ω−2ijmod  q(27)\begin{aligned} a_{2i+1}&=\sum^{\frac{n}{2}-1}_{j=0}(\hat{a}_j+\omega^{-ni-\frac{n}{2}}\hat{a}_{j+\frac{n}{2}})\cdot\omega^{-2ij -j} &\mod q \\ &=\sum^{\frac{n}{2}-1}_{j=0}((\hat{a}_j-\hat{a}_{j+\frac{n}{2}})\cdot\omega^{-j})\cdot\omega^{-2ij} &\mod q \end{aligned} \tag{27}a2i+1​​=j=0∑2n​−1​(a^j​+ω−ni−2n​a^j+2n​​)⋅ω−2ij−j=j=0∑2n​−1​((a^j​−a^j+2n​​)⋅ω−j)⋅ω−2ij​modqmodq​(27)

Let Ai=∑j=0n2−1(a^j+a^j+n2)ω−2ijA_{i}=\sum^{\frac{n}{2}-1}_{j=0}(\hat{a}_j+\hat{a}_{j+\frac{n}{2}})\omega^{-2ij}Ai​=∑j=02n​−1​(a^j​+a^j+2n​​)ω−2ij and Bi=∑j=0n2−1((a^j−a^j+n2)ω−j)ω−2ijB_{i}=\sum^{\frac{n}{2}-1}_{j=0}\bigg((\hat{a}_j-\hat{a}_{j+\frac{n}{2}})\omega^{-j}\bigg)\omega^{-2ij}Bi​=∑j=02n​−1​((a^j​−a^j+2n​​)ω−j)ω−2ij, equation (26)(26)(26) and (27)(27)(27) become:

a2i=Aimod  qa2i+1=Bimod  q(27)\begin{aligned} a_{2i}&=A_{i}&\mod q\\ a_{2i+1}&=B_i &\mod q \tag{27} \end{aligned}a2i​a2i+1​​=Ai​=Bi​​modqmodq​(27)

With this finding, we just need to calculate AiA_iAi​ and BiB_iBi​ for 0≤i≤n2−10\leq i \leq \frac{n}{2}-10≤i≤2n​−1. Notice that AiA_iAi​ and BiB_iBi​ can be calculated using n2\frac{n}{2}2n​ point INTT so if we repeat recursively, we can achieve the best case scenario O(nlog⁡n)O(n\log n)O(nlogn) which occurs when nnn is a power of 2.

Similarly, continuing from equation (17)(17)(17) for INTTψ\mathsf{INTT}^\psiINTTψ, ignoring n−1n^{−1}n−1 term, we got:

ai=∑j=0n−1ψ−(2ij+i)a^jmod  q=ψ−i∑j=0n−1ψ−2ija^jmod  q=ψ−i(∑j=0n2−1ψ−2ija^j+∑j=0n2−1ψ−2i(j+n2)a^j+n2)mod  q(28)\begin{aligned} a_i& = \sum_{j=0}^{n-1}\psi^{-(2ij+i)}\hat{a}_j&\mod q \\ & = \psi^{-i}\sum_{j=0}^{n-1}\psi^{-2ij}\hat{a}_j&\mod q \\ &=\psi^{-i}\Bigg(\sum_{j=0}^{\frac{n}{2}-1}\psi^{-2ij}\hat{a}_{j} + \sum_{j=0}^{\frac{n}{2}-1}\psi^{-2i(j+\frac{n}{2})}\hat{a}_{j+\frac{n}{2}}\Bigg)&\mod q\\ \end{aligned}\tag{28}ai​​=j=0∑n−1​ψ−(2ij+i)a^j​=ψ−ij=0∑n−1​ψ−2ija^j​=ψ−i(j=0∑2n​−1​ψ−2ija^j​+j=0∑2n​−1​ψ−2i(j+2n​)a^j+2n​​)​modqmodqmodq​(28)
a2i=ψ−2i(∑j=0n2−1ψ−4ija^j+∑j=0n2−1ψ−4i(j+n2)a^j+n2)mod  q=ψ−2i∑j=0n2−1(a^j+a^j+n2)ψ−4ijmod  q(29)\begin{aligned} a_{2i}&=\psi^{-2i}\Bigg(\sum^{\frac{n}{2}-1}_{j=0}\psi^{-4ij}\hat{a}_j+\sum^{\frac{n}{2}-1}_{j=0}\psi^{-4i(j+\frac{n}{2})}\hat{a}_{j+\frac{n}{2}}\Bigg) &\mod q \\ &=\psi^{-2i}\sum^{\frac{n}{2}-1}_{j=0}\bigg(\hat{a}_j + \hat{a}_{j+\frac{n}{2}}\Bigg)\psi^{-4ij} &\mod q \\ \end{aligned} \tag{29}a2i​​=ψ−2i(j=0∑2n​−1​ψ−4ija^j​+j=0∑2n​−1​ψ−4i(j+2n​)a^j+2n​​)=ψ−2ij=0∑2n​−1​(a^j​+a^j+2n​​)ψ−4ij​modqmodq​(29)
a2i+1=ψ−2i−1(∑j=0n2−1ψ−2(2i+1)ja^j+∑j=0n2−1ψ−2(2i+1)(j+n2)a^j+n2)mod  q=ψ−2i−1(∑j=0n2−1ψ−4ij−2ja^j+∑j=0n2−1ψ−4ij−2j−2ni−na^j+n2)mod  q=ψ−2i−1∑j=0n2−1((a^j−a^j+n2)ψ−2j)ψ−4ijmod  q(30)\begin{aligned} a_{2i+1}&=\psi^{-2i-1}\Bigg(\sum^{\frac{n}{2}-1}_{j=0}\psi^{-2(2i+1)j}\hat{a}_j+\sum^{\frac{n}{2}-1}_{j=0}\psi^{-2(2i+1)(j+\frac{n}{2})}\hat{a}_{j+\frac{n}{2}}\Bigg) &\mod q \\ &=\psi^{-2i-1}\Bigg(\sum^{\frac{n}{2}-1}_{j=0}\psi^{-4ij-2j}\hat{a}_j+\sum^{\frac{n}{2}-1}_{j=0}\psi^{-4ij-2j-2ni - n}\hat{a}_{j+\frac{n}{2}}\Bigg) &\mod q \\ &=\psi^{-2i-1}\sum^{\frac{n}{2}-1}_{j=0}\bigg((\hat{a}_j - \hat{a}_{j+\frac{n}{2}})\psi^{-2j}\Bigg)\psi^{-4ij} &\mod q \end{aligned}\tag{30} a2i+1​​=ψ−2i−1(j=0∑2n​−1​ψ−2(2i+1)ja^j​+j=0∑2n​−1​ψ−2(2i+1)(j+2n​)a^j+2n​​)=ψ−2i−1(j=0∑2n​−1​ψ−4ij−2ja^j​+j=0∑2n​−1​ψ−4ij−2j−2ni−na^j+2n​​)=ψ−2i−1j=0∑2n​−1​((a^j​−a^j+2n​​)ψ−2j)ψ−4ij​modqmodqmodq​(30)

Let Ai=∑j=0n2−1ψ−(4ij+2i)(a^j+a^j+n2)A_{i}=\sum^{\frac{n}{2}-1}_{j=0}\psi^{-(4ij+2i)}(\hat{a}_j + \hat{a}_{j+\frac{n}{2}})Ai​=∑j=02n​−1​ψ−(4ij+2i)(a^j​+a^j+2n​​) and Bi=∑j=0n2−1ψ−(4ij+2i)((a^j−a^j+n2)ψ−2j)B_i=\sum^{\frac{n}{2}-1}_{j=0}\psi^{-(4ij+2i)}\bigg((\hat{a}_j - \hat{a}_{j+\frac{n}{2}})\psi^{-2j}\Bigg) Bi​=∑j=02n​−1​ψ−(4ij+2i)((a^j​−a^j+2n​​)ψ−2j), then equation (29)(29)(29) and (30)(30)(30) becomes:

a2i=Aimod  qa2i+1=ψ−1Bimod  q(31)\begin{aligned} a_{2i}&=A_i &\mod q\\ a_{2i+1}&=\psi^{-1}B_i &\mod q \end{aligned} \tag{31}a2i​a2i+1​​=Ai​=ψ−1Bi​​modqmodq​(31)

With this finding, we just need to calculate AiA_iAi​ and BiB_iBi​ for 0≤i≤n2−10\leq i \leq \frac{n}{2}-10≤i≤2n​−1. Notice that AiA_iAi​ and BiB_iBi​ can be calculated using n2\frac{n}{2}2n​ point INTT so if we repeat recursively, we can achieve the best case scenario O(nlog⁡n)O(n\log n)O(nlogn) which occurs when nnn is a power of 2.

Figure 2 illustrates how this butterfly operation is denoted as a graph. This figure represents the computation of (A+B)(A+B)(A+B) and (A−B)ψk(A-B)\psi^k (A−B)ψk.

by A. Satriawan et al (2023)

by Sibylle Schupp (2003)

Written by of

Conceptual Review on Number Theoretic Transform and Comprehensive Review on Its Implementations
Lifting a butterfly – A component-based FFT
A41
BATZORIG ZORIGOO
Figure 1. Cooley-Tukey Butterfly graph notation
Figure 2. Gentleman-Sande (GS) butterfly graph notation