The ring-learning with errors (R-LWE) problem is the basic building block of many ciphers resisting quantum-computing attacks and homomorphic encryption enabling computations on encrypted data. The most critical operation in these schemes is modular multiplication of long polynomials with large coefficients. The polynomial multiplication complexity can be reduced by the Karatsuba formula. In this work, a new method is proposed to integrate modular reduction into the Karatsuba polynomial multiplication. Modular reduction is carried out on intermediate segment products instead of the final product so that more substructure sharing is enabled. Moreover, this paper develops a complete architecture for the modular polynomial multiplication. Computation scheduling optimizations are proposed to reduce the memory access and number of clock cycles needed. Taking advantage of the additional shareable substructures, the proposed scheme reduces the size of the memories, which account for the majority of the modular polynomial multiplier silicon area, by 20% and 12.5%, when the Karatsuba decomposition factor is 2 and 3, respectively, and achieves shorter latency compared to prior designs.

带错误的环学习 (R-LWE) 问题是许多抵抗量子计算攻击的密码的基本组成部分，并且同态加密能够对加密数据进行计算。这些方案中最关键的运算是具有大系数的长多项式的模乘。多项式乘法复杂度可以通过 Karatsuba 公式降低。在这项工作中，提出了一种将模归约集成到 Karatsuba 多项式乘法中的新方法。对中间段产品而不是最终产品进行模块化减少，从而实现更多的子结构共享。此外，本文为模多项式乘法开发了一个完整的体系结构。提出了计算调度优化以减少所需的内存访问和时钟周期数。