Negative Wrapped Convolution (NWC)

Updated 22 October 2025

Negative Wrapped Convolution (NWC) is a technique for efficient negacyclic convolution that uses pre- and post-processing with a 2n-th root of unity to avoid zero-padding in polynomial modular multiplication.
It reduces computational costs in homomorphic encryption by replacing 2n-point transforms with more efficient n-point number theoretic transforms, directly addressing the bottleneck in R-LWE schemes.
The LC-NWC variant further optimizes the process by integrating weighting into the transform’s butterfly stages, achieving up to 60% multiplier savings compared to traditional zero-padded approaches.

Negative Wrapped Convolution (NWC) is a technique for efficient polynomial modular multiplication in the ring $R_{n,q} = \mathbb{Z}_q[x]/(x^n+1)$ , foundational to homomorphic encryption (HE) protocols, particularly those based on the ring learning with errors (R-LWE) problem. NWC eliminates the need for zero-padding, enabling the use of $n$ -point number theoretic transforms (NTT) rather than computationally expensive $2n$-point transforms. By introducing structured pre- and post-processing steps involving powers of a $2n$-th root of unity, NWC directly realizes negacyclic convolution, a central operation in polynomial arithmetic for cryptographic applications.

1. Mathematical Principles of Negative Wrapped Convolution

Given two length- $n$ polynomials,

$a(x) = \sum_{j=0}^{n-1} a_j x^j, \quad b(x) = \sum_{j=0}^{n-1} b_j x^j,$

the ring $R_{n,q}$ enforces the reduction $x^n \equiv -1$ (negacyclicity). Standard convolution modulo $x^n-1$ is replaced by negacyclic convolution modulo $x^n+1$ . This wrap-around with sign inversion can be directly captured via the following weighting scheme:

Let $\psi_{2n}$ be a primitive $2n$-th root of unity modulo $q$ .
Weight each input coefficient by $\psi_{2n}^j$ in preprocessing:

$\tilde{a}(x) = \sum_{j=0}^{n-1} a_j \psi_{2n}^j x^j, \qquad \tilde{b}(x) = \sum_{j=0}^{n-1} b_j \psi_{2n}^j x^j.$

Perform the $n$ -point NTT (with $\omega_n = \psi_{2n}^2$ ) on the weighted inputs:

$\tilde{A}_k = \sum_{j=0}^{n-1} a_j \psi_{2n}^j \omega_n^{kj}, \qquad \tilde{B}_k = \sum_{j=0}^{n-1} b_j \psi_{2n}^j \omega_n^{kj}.$

Multiply outputs pointwise: $\tilde{P}_k = \tilde{A}_k \cdot \tilde{B}_k$ .
Apply the $n$ -point INTT to obtain $\tilde{p}_j$ .
Post-process by multiplying each $\tilde{p}_j$ by $\psi_{2n}^{-j}$ to recover the product modulo $x^n+1$ :

$p(x) = \sum_{j=0}^{n-1} \tilde{p}_j \psi_{2n}^{-j} x^j.$

A derivation gives for the $\ell$ -th coefficient: $p_\ell = \sum_{i=0}^\ell a_i b_{\ell-i} - \sum_{i=\ell+1}^{n-1} a_i b_{n+\ell-i},$ which defines the negacyclic (negative-wrapped) convolution corresponding to modular reduction by $x^n+1$ .

2. Efficient Polynomial Modular Multiplication for Homomorphic Encryption

Polynomial modular multiplication is a primary bottleneck in HE, especially in R-LWE based schemes, where ciphertexts are high-degree polynomials in $R_{n,q}$ . Traditionally, negacyclic convolution is realized via zero-padding both inputs to length $2n$, applying a $2n$-point NTT/INTT, and then reducing the $2n$-length result. This incurs significant computational and hardware cost, scaling as $O(2n \log_2 2n)$ .

NWC achieves the same polynomial modular multiplication with only $n$ -point NTT/INTT steps, with modest overhead for pre- and post-multiplications by roots of unity. This yields efficiency improvements in all HE operations—encryption, evaluation, and decryption—since these are dominated by long negacyclic modular multiplications.

3. Comparative Analysis: Zero-Padded, NWC, and LC-NWC

The following table summarizes key distinctions:

Method	Transform Used	Weighting/Processing
Zero-Padded Convolution	$2n$-point NTT/INTT	None (inputs zero-padded, result modularly reduced)
Negative Wrapped Convolution (NWC)	$n$ -point NTT/INTT	Pre-multiplied by $\psi_{2n}^j$ , post-multiplied by $\psi_{2n}^{-j}$
Low-Complexity NWC (LC-NWC)	$n$ -point NTT/INTT	Weights and scaling merged into butterfly stages

Zero-Padded: Conceptually straightforward but computationally demanding. Requires twice the input length and additional reduction.
NWC: Avoids zero-padding, achieving correct negacyclic wraparound via structured input/output weighting. Involves $2n$ extra modular multiplications, but transform size is halved.
LC-NWC: Further reduces complexity by absorbing weighting factors (and INTT scaling constants) directly into the NTT/INTT computation, leveraging decimation-in-time butterfly decomposition. Achieves multiplier savings of 54%–60% relative to the zero-padded method, contingent on multiplier counting conventions.

4. Schematic Workflow and Algebraic Recap

The NWC algorithm can be summarized by the following algebraic sequence:

Pre-weight inputs by powers of $\psi_{2n}$ .
Compute $n$ -point NTTs of the weighted polynomials.
Multiply transforms pointwise.
Compute $n$ -point INTT of product.
Post-weight outputs by powers of $\psi_{2n}^{-1}$ .

Key equations: $\begin{align*} \tilde{a}(x) &= \sum_{j=0}^{n-1} a_j \psi_{2n}^j x^j \ \tilde{b}(x) &= \sum_{j=0}^{n-1} b_j \psi_{2n}^j x^j \ \tilde{A}_k &= \mathrm{NTT}_n(\tilde{a})(k), \quad \tilde{B}_k = \mathrm{NTT}_n(\tilde{b})(k) \ \tilde{P}_k &= \tilde{A}_k \cdot \tilde{B}_k \ \tilde{p}_j &= \mathrm{INTT}_n(\tilde{P})(j) \ p(x) &= \sum_{j=0}^{n-1} \tilde{p}_j \psi_{2n}^{-j} x^j \end{align*}$ For coefficient-level interpretation: $p_\ell = \sum_{i=0}^\ell a_i b_{\ell-i} - \sum_{i = \ell + 1}^{n-1} a_i b_{n+\ell-i}$

5. Architectural and Algorithmic Optimizations: LC-NWC

Low-Complexity NWC (LC-NWC) integrates input/output weighting multiplications with the NTT/INTT butterfly stages using a decimation-in-time factorization. This restructuring:

Splits the input into even and odd terms, e.g. $a_k^{(0)}, a_k^{(1)}$ .
At each butterfly, combines the root of unity multiplication and weighting into a single arithmetic unit, reducing independent multiplications.
In the INTT, allows consolidation of the inverse transform scaling ( $n^{-1}$ ) and inverse roots into shift-add operations in some cases (e.g., trivial multiplications). These optimizations are especially impactful in hardware implementations (FPGA, ASIC), where area and power constraints are critical.

6. Applications and Impact in Secure Computation

NWC and its LC-NWC variant are of particular utility in HE schemes where arithmetic over $R_{n,q}$ dominates computational cost. The ability to perform negacyclic convolution without zero-padding and large transforms results in significant speed and area improvements for all polynomial multiplications, thereby directly enhancing throughput and power efficiency in privacy-preserving protocols. As NTT operates exclusively with integer modular arithmetic, no precision is lost to rounding errors, a property essential for cryptographic correctness.

7. Summary and Outlook

Negative Wrapped Convolution enables efficient negacyclic polynomial multiplication by embedding sign inversion and modular reduction into input/output weightings compatible with $n$ -point number theoretic transforms. LC-NWC further merges these weightings into in-place transform computation, yielding up to 60% multiplier savings over baseline zero-padded approaches. These methods are integral to fast HE implementations, precisely addressing performance bottlenecks in cryptographic polynomial arithmetic. The approach leverages algebraic symmetries and specialized roots of unity to attain hardware-friendly, highly scalable modular multiplication architectures relevant across high-assurance secure computing systems (Chiu et al., 2023).

PDF Markdown Chat (Pro)

References (1)

Long Polynomial Modular Multiplication using Low-Complexity Number Theoretic Transform (2023)

Follow Topic

Get notified by email when new papers are published related to Negative Wrapped Convolution (NWC).