01 January, 2026 by

Fast Fourier Transform in Efficient Polynomial Multiplication

Fast Fourier Transforms (FFT) can be used for efficient polynomial multiplication, which is particularly useful when dealing with large polynomials in several cryptography applications, for example, Shamir Secret Sharing, Multiparty Computation, Pairing-based Elliptic Curve, and many others.

Fourier Transform (FT\text{FT})

The Fourier Transform of a function f(t)f(t) on a continuous-time domain:

F(ω)=f(t)eiωtdtF(\omega) = \int_{-\infty}^{\infty} f(t) e^{-i \omega t} dt

Discrete Fourier Transform (DFT\text{DFT})

Let x0,...,xn1x_0, ..., x_{n-1} be complex numbers. The Discrete Fourier Transform:

Xk=0..n1=m=0n1xmei2πkm/nX_{k=0..n-1} = \sum_{m=0}^{n-1} x_m e^{-i2 \pi km / n}

where ei2πk/ne^{-i2 \pi k/n} is a primitive nn-th root of 1 (also known as nn-th root of unity).

To work with points (x,y)R2(x,y) \in \mathbb{R}^2 on a Cartesian coordinate, we can map R2C\mathbb{R}^2 \rightarrow \mathbb{C}.

DFT from time domain to frequency domainDFT from time domain to frequency domain

Inverse Discrete Fourier Transform (DFT1\text{DFT}^{-1})

We follow the same notation in Discrete Fourier Transform:

xm=1nk=0n1Xkei2πkm/nx_m = \frac{1}{n} \sum_{k=0}^{n-1} X_k e^{i2 \pi km/n}

Polynomial Multiplication

Giving 2 polynomials A(x)A(x) and B(x)B(x) with high degrees mm and nn respectively, compute C(x)=A(x)×B(x)C(x) = A(x) \times B(x). As we see that C(x)=m+n|C(x)| = m + n.

Solution. Let's represent polynomials as coefficient vectors A=[a0,a1,...,am1],B=[b0,b1,...,bn1]A=[a_0,a_1,...,a_{m-1}], B=[b_0,b_1,...,b_{n-1}], where:

A(x)=a0+a1x+a2x2+...+am1xm1B(x)=b0+b1x+b2x2+...+bn1xn1\begin{align*} A(x) &= a_0 + a_1x + a_2x^2 + ... + a_{m-1}x^{m-1}\\ B(x) &= b_0 + b_1x + b_2x^2 + ... + b_{n-1}x^{n-1} \end{align*}

After padding zeros to the both coefficient vetors so that they're both length Nn+m1N \ge n+m-1 and NN is a power of 2, we can transform the padded vectors to DFT(A)=[A(σ0),A(σ1),...,A(σn1)]\text{DFT}(A) = [ A(\sigma^0), A(\sigma^1),... , A(\sigma^{n-1}) ] where 0kN,σ=ei2πk/n0 \le k \le N, \sigma = e^{-i2 \pi k/n} is a nn-th root of unity, and DFT(B)\text{DFT}(B) similarly.

Now we have the transformed vector DFT(C)\text{DFT}(C) following:

DFT(C)[k]=DFT(A)[k]×DFT(B)[k]\text{DFT}(C)[k] = \text{DFT}(A)[k] \times \text{DFT}(B)[k]

To compute CC, just apply Inverse DFT to DFT(C)\text{DFT}(C), C=DFT1(DFT(C))C = \text{DFT}^{-1}(\text{DFT}(C)). Applying Lagrange interpolation, if you desire C(x)C(x). \qquad \blacksquare

To improve the efficiency, we can use Fast Fourier Transform, FFT(A)\text{FFT}(A) and FFT(B)\text{FFT}(B).

You have questions?

Please create issues on my GitHub for any questions.