A device includes a processor and a memory configured to store instructions. The processor is configured to receive a particular instruction from among the instructions and to execute the particular instruction to generate first output data corresponding to a sum of first input data and second input data. The processor is also configured to execute the particular instruction to perform a divide operation on the second input data and to generate second output data corresponding to a difference of the first input data and a result of the divide operation.

Embodiments of the present application provide a system, a device, and a method for a two-variable number theoretic transform. A matrix having the two-variable number theoretic transform may be applied to a matrix having dimensions ab, where a=2.sup.x and b=2.sup.y for xy. The two-variable number theoretic transform includes two stages: decomposition by rows and row-wise fast Fourier transforms (FFTs), with twiddle factors computed based on a first root satisfying .sup.b=1 mod p; and decomposition by columns and column-wise FFTs, with twiddle factors computed based on a second root satisfying .sup.2a=2 or 2 mod p. Since each of the stages uses a different root, the number of twiddle factors is reduced.

Some embodiments are directed to a cryptographic encrypted computation method (400). The method involves performing a blind rotation of a ciphertext according to a test polynomial. The blind rotation results in an encrypted polynomial product of the test polynomial and a bootstrapping monomial represents the plaintext value as an exponent, modulo a modulus (q) and modulo a quotient polynomial (p(X)). . . . The quotient polynomial p(X) divides a number-theoretic transform (NTT) polynomial X.sup.M1 that allows a number-theoretic transform modulo the modulus q, e.g., q is a power of two and p(X)=X.sup.N+X.sup.N/2+1. The blind rotation is performed using the NTT, while the test polynomial is defined in such a way that the polynomial product is programmed to have desired output values for respective plaintext values as a fixed coefficient.

The present disclosure includes an operation apparatus configured to perform a winograd convolution operation. A control circuit of the operation apparatus is configured to send a control instruction to instruct a compute circuit to perform the winograd convolution operation. The computer circuit is configured to extract data from the storage circuit for the winograd convolution operation in response to the control instruction and disassembles a transformation operation into multiple summation operations.

Encryption techniques are disclosed that implement a transformation network having at least two stages of butterfly operations, wherein the transformation network is designed to carry out a discrete Fourier transform over rings of multiple input signals to obtain multiple output signals. An error detection device is also described that is designed to obtain at least one subset of the multiple input signals and at least one subset of the multiple output signals of the transformation network and to carry out an error analysis. The error analysis is based on a comparison of a first linear combination of the subset of the multiple input signals to a second linear combination of the subset of the multiple output signals.