j2kun
commented
5 months ago Let's make this issue a bit more specific for anyone reading this issue who isn't familiar with the details.
Cf. the Dilithium spec, section 1.2 "Implementation Considerations" (page 5) of https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf
They use Z_q[X]/(X^256 + 1) and do a matrix-vector multiplication where the matrix has size 6x5. They use the "fully-splitting NTT algorithm" so that the polynomials can be multiplied componentwise after being transformed.
This ticket should be split into more manageable pieces. I think they might be:
- Define appropriate IR constructs to identify polynomial representations in NTT/FFT/coefficient domains. I believe we discussed using the tensor encoding attribute to store something like "this tensor is an NTT-domain polynomial with parameters ..."
- Write a pass that converts "naive" polynomial multiplications into combinations of NTT + element-wise mul + INTT
- Write canonicalizations that collapse unnecessary NTT/INTT
- Write an initial lowering for NTT/INTT using a standard algorithm
- Support lowering a linalg.generic of polymuls (should already be supported by @AlexanderViand-Intel's recent work)
- Write optimized NTT/INTT lowerings for special hardware (e.g., AVX)
If you agree I can go ahead and file those issues, and this ticket can be switched perhaps to adding the end-to-end test of a Dilithium signature.
AlexanderViand-Intel
As the title says.
We considered the Dilithium signature scheme and the Kyber KEM as initial "end-to-end" examples for
polynomialand this lowering. While Dilithium shouldn't be an issue, Kyber's ring doesn't support full-depth NTT, so the lowering would have to be aware of this (See https://electricdusk.com/ntt.html for a nice explanation of the issue).