$$b(X) = b_0 + b_1 X + b_2 X^2 + \dots + b_{N-1} X^{N-1}$$
can be calculated as
$$c(X) = a(X) * b(X) \bmod (X^N - 1),$$
$$c_k = a_0 b_k + a_1 b_{k-1} + \dots + a_{N-1} b_{k+1} = \sum_{i + j \equiv k \pmod N} a_i b_j .$$
In other notation, if we write the polynomials a, b and c as coefficient vectors, then the result c = a * b is simply the cyclic convolution product of the two vectors, as shown below for N = 5 [7]:
$$\begin{array}{ccccc}
a_4 & a_3 & a_2 & a_1 & a_0 \\
b_4 & b_3 & b_2 & b_1 & b_0 \\ \hline
a_4 b_0 & a_3 b_0 & a_2 b_0 & a_1 b_0 & a_0 b_0 \\
a_3 b_1 & a_2 b_1 & a_1 b_1 & a_0 b_1 & a_4 b_1 \\
a_2 b_2 & a_1 b_2 & a_0 b_2 & a_4 b_2 & a_3 b_2 \\
a_1 b_3 & a_0 b_3 & a_4 b_3 & a_3 b_3 & a_2 b_3 \\
a_0 b_4 & a_4 b_4 & a_3 b_4 & a_2 b_4 & a_1 b_4 \\ \hline
c_4 & c_3 & c_2 & c_1 & c_0
\end{array}$$
The NTRU public-key cryptosystem has three integer parameters (N, q, p) and four sets L_f, L_g, L_r, L_m of polynomials of degree N-1 with integer coefficients. It is assumed that N is prime, gcd(p, q) = 1 and q is always considerably larger than p. NTRU with N = 263 provides a security level equivalent to 1024-bit RSA and 160-bit ECC [5, 10].
Key Generation: To generate the NTRU key set, one must first choose two random polynomials f ∈ L_f and g ∈ L_g. These two polynomials must be small polynomials, which means their coefficients must be much smaller than q. Besides, f_q ≡ f^{-1} (mod q) and f_p ≡ f^{-1} (mod p) must exist. Then the following computation is performed: h ≡ f_q * g (mod q). Now h is our public key, while f and f_p are our secret keys. For more information about parameter selection, small polynomials and finding inverses of polynomials we refer to [4, 8, 9].
Encryption: First, a message m, which is a small polynomial, is chosen from the plaintext set L_m, and then a small random polynomial r is chosen from the set L_r as the blinding value. Finally, the encrypted text is evaluated as e ≡ pr*h + m (mod q). During encryption h is always multiplied by p, so to avoid unnecessary computation it is suggested to use h ≡ pf_q * g (mod q) [11].
Decryption: In order to decrypt the encrypted text e, one must first compute a ≡ f*e ≡ pr*g + f*m (mod q). At this stage it is essential to choose the coefficients of a between -q/2 and q/2 instead of between 0 and q-1; otherwise the message may not be properly recovered. After this step, b ≡ a (mod p) = f*m should be calculated. As the final step, the message is recovered by multiplying b and f_p modulo p: c ≡ b*f_p (mod p) = m.
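As an added worked example (not code from the paper), the star product from the start of this section together with the key generation, encryption and decryption steps above, in Python with the paper's N = 167, q = 128, p = 3. The inverses f_p and f_q are computed with an extended Euclid over Z_p[X] and a Newton lift to mod 2^k; the numbers of +1/-1 coefficients in f, g and r (61/60, 20/20, 18/18) are assumed from the classic NTRU-167 parameter set and are not taken from this page, and `pow(x, -1, p)` needs Python 3.8 or newer.

```python
import random
def star(a, b, N, mod):  # a*b: cyclic convolution in Z[X]/(X^N - 1), coefficients reduced mod `mod`
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def inv_mod_prime(f, N, p):  # f^-1 in Z_p[X]/(X^N - 1) by extended Euclid on (X^N - 1, f); None if none exists
    trim = lambda v: v[:max((i for i, x in enumerate(v) if x), default=-1) + 1]  # drop leading zero coefficients
    r0, s0 = trim([p - 1] + [0] * (N - 1) + [1]), [0] * N  # invariant: r0 = s0*f and r1 = s1*f (mod X^N - 1, p)
    r1, s1 = trim([x % p for x in f]), [1] + [0] * (N - 1)
    while len(r1) > 1:  # stop when the remainder is a constant (inverse exists) or zero (it does not)
        rem, q = r0, [0] * (len(r0) - len(r1) + 1)
        while len(rem) >= len(r1):  # long division r0 = q*r1 + rem in Z_p[X]
            d, c = len(rem) - len(r1), (rem[-1] * pow(r1[-1], -1, p)) % p
            q[d], rem = c, trim([(x - c * r1[i - d]) % p if i >= d else x for i, x in enumerate(rem)])
        r0, r1, s0, s1 = r1, rem, s1, [(x - y) % p for x, y in zip(s0, star(q, s1, N, p))]
    return None if not r1 else [(x * pow(r1[0], -1, p)) % p for x in s1]

def inv_mod_2k(f, N, q):  # lift f^-1 mod 2 to mod q = 2^k; each Newton step g <- g*(2 - f*g) doubles the precision
    g = inv_mod_prime(f, N, 2)
    for _ in range(q.bit_length() if g else 0):
        g = star(g, [(2 - x if i == 0 else -x) % q for i, x in enumerate(star(f, g, N, q))], N, q)
    return g

def ternary(rng, N, d1, d2):  # small polynomial with d1 coefficients +1, d2 coefficients -1 and the rest 0
    idx = rng.sample(range(N), d1 + d2)
    return [1 if i in idx[:d1] else -1 if i in idx else 0 for i in range(N)]

def keygen(rng, N=167, q=128, p=3, df=61, dg=20):  # f in L_f, g in L_g; public key h = p*f_q*g (mod q)
    while True:  # retry until both f_p and f_q exist (d-values are an assumption, see lead-in)
        f, g = ternary(rng, N, df, df - 1), ternary(rng, N, dg, dg)
        fp, fq = inv_mod_prime(f, N, p), inv_mod_2k(f, N, q)
        if fp and fq:
            return star([p * x for x in fq], g, N, q), f, fp

def encrypt(h, r, m, N=167, q=128):  # e = r*h + m (mod q); the factor p is already folded into h
    return [(x + y) % q for x, y in zip(star(r, h, N, q), m)]

def decrypt(e, f, fp, N=167, q=128, p=3):
    center = lambda v, mod: [x - mod if x > mod // 2 else x for x in v]  # coefficients in (-mod/2, mod/2]
    a = center(star(f, e, N, q), q)  # a = f*e = p*r*g + f*m over Z, provided both terms stay small
    return center(star([x % p for x in a], fp, N, p), p)  # b = a mod p, then m = b*f_p (mod p)

def demo(seed=1, N=167):  # round trip with the page's parameters; returns (m, recovered m)
    rng = random.Random(seed)
    h, f, fp = keygen(rng)
    m, r = ternary(rng, N, 50, 50), ternary(rng, N, 18, 18)  # constructed message and blinding value
    return m, decrypt(encrypt(h, r, m), f, fp)
```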
4. Low-power design methods
There are many methods that can reduce power consumption, at both the technology level and the architectural level. Here we only discuss the techniques that we use.
The circuit is expected to run at a low frequency (500 kHz), so we use a low-leakage technology library to synthesize our design, which gives us significantly lower static power consumption. At the same time, we also use several methods that reduce dynamic power consumption, such as clock gating, operand isolation and precomputation.
The purpose of clock gating is to control the clock input of a register with an enable signal and to isolate the clock input until a new value is to be loaded into the register, reducing switching activity in this way. In the clock gating circuit [13], a latch is preferably used to eliminate glitches that may occur at the clock input of the register. Figure 1 shows the clock gating of a register.
Operand isolation is another way to reduce switching activity, by isolating the inputs of complex combinational circuits (e.g. multipliers, adders) when their outputs are not used. To avoid wasting energy on key generation, the public key h ≡ pf_q * g (mod q) is precomputed and stored in the circuit, and we assume that h is the same for every encryption.
5. Implementation of encryption-only NTRU
We choose N = 167, q = 128 and p = 3 among the NTRU parameter sets, aiming for the highest security level [4]. With this choice, the public key h has coefficients in the range [0,127], while the random polynomial r and the message m have coefficients in the set {-1,0,1}. Thus the coefficients of h are represented with 7 bits and the coefficients of r and m with 2 bits. Since negative numbers are involved, two's complement representation is used.
The main structure of the encryption part, as shown in Figure 2, consists of a LUT holding h, a polynomial multiplier (PM) performing the star product, a partially rotating register (PRR) of width N×2 bits to hold and rotate r, and a control logic block that controls the encryption process.
In this design we are not concerned with the generation of the random polynomial, so we assume that we can receive the coefficients of the corresponding random polynomial from the input r_in.
5.1. Look-up table
The look-up table (LUT) implements a complete combinational function of its inputs, outputting the public key coefficients according to their input address.
5.2 Polynomial multiplier
This is the main arithmetic core, where all computations are performed. It has a 7-bit multiplier, a 7-bit carry look-ahead adder (CLA) and a 7-bit register, as shown in Figure 3.
5.3 Partially rotating register
The partially rotating register is a variant of the standard rotating register. We made some modifications to obtain the maximum benefit from clock gating. In encryption, the random polynomial coefficient at the input of the PM changes for every new public key value.
So in the case of a regular register, all bits must be shifted once, which means switching activity in N×2 register bits for every partial product computation. We have seen from our measurements that clock gating a regular rotate register does not have a positive effect on power consumption during NTRU encryption. On the contrary, it increases the dynamic power consumption due to the extra switching activity coming from the gating circuits (see Table 1). To overcome this negative situation we designed a partially rotating register, as illustrated in Figure 4.
In this architecture the right-hand 32-bit register is the part that is always rotating, during encryption as well as during loading of the random polynomial. During the loading stage the most significant two bits of that register are used as input, and the output is always the least significant two bits of that register. A partial rotate signal is sent by the controller until all 16 values of the register have been used, and then a whole rotate signal is sent to renew the values of the partial rotate register. After receiving that signal, the circuit performs a block rotation 32 bits wide. With this method, only 32 bits switch constantly during encryption, while the rest of the registers switch only 9 times in the computation of each cipher text word.
5.4 Control logic
The controller of the encryption block is designed as a finite state machine (FSM) with 4 states. It controls the process with two 8-bit counters and one 4-bit counter. It starts in the initial state after reset and continuously checks the Enc input. If it detects a high signal, it moves to the loading state. In the loading state, the coefficients of r are loaded one by one into the PRR. After all coefficients are loaded, the FSM moves to the multiplication state.
In multiplication, the coefficients of h and r are multiplied and accumulated. Multiplication is followed by the add message state, where the message is added to the current sum, the cipher text is output and the done signal is raised to 1 for one clock cycle. After adding the message, the FSM returns to the multiplication state to compute the next coefficient, until the last one. After the last coefficient has been computed it returns to the initial state.
6. Implementation of encryption-decryption NTRU
The same parameter set is also used to design the encryption-decryption NTRU. In this case we have two additional polynomials, the private keys f and f_p. f has coefficients from the set {-1,0,1}, while f_p has coefficients from the set {0,1,2}.
Figure 5 shows the structure of the design. For simplicity, not all blocks and signals inside the design are shown. For decryption, a Mod-3 unit, two LUTs storing the private keys f and f_p, an N×7-bit PRR and a result register are added to the previous design.
There are also 4 routers built from multiplexers, whose function is to steer the input values correctly according to the encryption or decryption state. In encryption, the 7-bit and 2-bit inputs of the PM are bound to the LUT h and to the output of the N×2-bit register, respectively. The output of the PM is connected to the result register. In the first multiplication of decryption, the 7-bit and 2-bit inputs of the PM are bound to the N×7-bit PRR and to the LUT f, respectively, and the output of the PM is connected to the Mod-3 unit, while the output of the Mod-3 unit is connected to the input of the N×2-bit register. In the second multiplication of decryption, the 7-bit and 2-bit inputs of the PM are connected to the LUT f_p and to the N×2-bit register, respectively. The output of the PM is again connected to the Mod-3 unit, but now the output of the Mod-3 unit is bound to the result register.
The components used in the encryption-only NTRU are also used in this design. Once again, we use LUTs to store the public and private keys. The N×7-bit PRR has the same structure as defined in Section 5, only with the bit width adjusted. The N×2-bit register works like a left-rotating register. The result register is also a standard register with a load signal. The only change is in the PM. Previously, we designed the PM to work only modulo 128. We add an overflow output, which is the carry output of the CLA, that counts the number of modulo-128 reductions in the second multiplication of decryption (where the computations are performed modulo 3).
Besides, in this design the PM is able to multiply by 2 when used during decryption.
6.1 Routers
There are 4 routers in the design: one for the address input of the LUTs, one for the input of the PM, one for the input of the rotating registers and one for the input of the result register. These modules maintain the necessary connections between the blocks according to the control signals generated by the controller.
6.2 Mod-3 Unit
The mod-3 reduction is performed by a finite state machine (FSM) based circuit [12]. The FSM starts from state 0, examines the bits from left to right and changes state according to the value of each bit. The state reached after examining the last bit is the value of the number modulo 3.
The overflow output of the PM is also connected to this module. It is a 2-bit overflow counter that counts up whenever an overflow occurs. Using this count value, we obtain the exact mod-3 reduction result.
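The bit-serial reduction and the overflow correction described above, as an added Python model (not the paper's hardware or code): the FSM table is the Horner step s' = (2s + bit) mod 3, the accumulator models the 7-bit PM during the second decryption multiplication, where both inputs are in {0,1,2}, and the assumption that the 2-bit counter only needs the overflow count modulo 3 is mine, justified by 128 ≡ 2 (mod 3).

```python
MOD3_NEXT = ((0, 1), (2, 0), (1, 2))  # MOD3_NEXT[state][bit] = (2*state + bit) mod 3: the FSM transition table

def mod3_fsm(value, width=7):
    """Bit-serial mod-3 reduction: read the bits MSB first; the state after the last bit is value mod 3."""
    state = 0
    for i in range(width - 1, -1, -1):  # left to right, i.e. most significant bit first
        state = MOD3_NEXT[state][(value >> i) & 1]
    return state

def pm_accumulate(coeffs_a, coeffs_b, q=128):
    """Model of the 7-bit PM: products are accumulated mod q and every carry-out of the CLA
    increments the overflow counter (assumption: kept modulo 3, which fits in 2 bits)."""
    acc, overflow = 0, 0
    for a, b in zip(coeffs_a, coeffs_b):
        acc += a * b  # a, b in {0, 1, 2}, so at most one wrap per step
        if acc >= q:  # carry out of the 7-bit adder: one modulo-128 wrap
            acc -= q
            overflow = (overflow + 1) % 3
    return acc, overflow

def mod3_unit(acc, overflow):
    """Exact result: the true sum is acc + 128*overflows and 128 = 2 (mod 3), so add 2 per overflow."""
    return (mod3_fsm(acc) + 2 * overflow) % 3

def reduce_product_mod3(coeffs_a, coeffs_b):
    """One coefficient of the second decryption multiplication, b_i in {0,1,2} times f_p,i in {0,1,2}."""
    acc, overflow = pm_accumulate(coeffs_a, coeffs_b)
    return mod3_unit(acc, overflow)
```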
6.3 Control logic
The controller of the design is implemented as an FSM with 7 states. It controls the state transitions with two 8-bit counters and one 4-bit counter. The FSM starts in the initial state after reset and moves directly to the checking state, in which it monitors the Enc and Dec inputs.
The Enc and Dec inputs are continuously checked in the checking state. When a high signal is detected on one of these inputs, the FSM moves to the loading state; otherwise the state does not change. In the loading state, for encryption the coefficients of r are loaded into the N×2-bit register; for decryption the coefficients of the cipher text e are loaded into the N×7-bit PRR. Loading is followed by the multiplication state. The multiplication state is common to both encryption and decryption, since the polynomial multiplication is the same in both cases.
After finishing the multiplication and accumulating a coefficient, the FSM moves to the add message state in encryption, or to a different state, reduction 3, in decryption. In the add message state, the message is added to the current sum and control passes to the final result state. In the reduction 3 state, the result produced by the PM is loaded into the Mod-3 unit and its value modulo 3 is computed. In both the first and the second mod-3 reduction, the controller moves to the final result state after the computation.
In the final result state, if the circuit is encrypting, the controller loads the result from the result register and the output is asserted to 1 for one clock cycle. If decryption is being performed and the circuit is in the first multiplication, the FSM loads the mod-3 result into the N×2-bit register. If the second multiplication is being performed, the mod-3 result is loaded from the result register and the output is asserted to 1 for one clock cycle. In all cases, if the last coefficient has been determined the system moves to the initial state; otherwise it moves to the multiplication state.
7 Analysis
We describe our designs in GEZEL [14] and optimize them for low power and low area. As the technology library, the Faraday Low Leakage 0.13 um library is used in the design. The designs are synthesized with Synopsys Design Vision at a frequency of 500 kHz and the average power is measured with Synopsys Power Compiler. All power measurements are made using the switching activity captured by gate-level simulation with ModelSim. Since the most detailed low-power NTRU implementation so far is the work of Kaps, we compare our results with his work [6].
We synthesized three different encryption designs: one without any power-consumption improvements, one with clock-gated registers, and finally one with clock-gated registers and the partially rotating register. We denote them Enc1, Enc2 and Enc3, respectively. The gate count of a design is calculated by dividing the circuit area by the area of a 2-input NAND gate.
As we see in Table 1, Enc3 is our most optimized design; the previous designs have roughly the same gate count, while our design is better than [6] with 1.72 uW dynamic power and 1.74 uW total power consumption. Since the unit of leakage power in the technology library is pW, we also measured a significantly reduced static power consumption. Since the rotating register is the main source of area (73.6%) and power (82.6%) consumption in Enc1, we only use a part of it to achieve dynamic power savings of more than 50%. In addition, the total power consumption of the Enc3 design in the idle state is measured as 0.18 uW.
Our design completes encryption in N × (N+1) + N clock cycles. In our case, with N = 167 and a clock frequency of 500 kHz, it takes 56.44 ms (28,223 clock cycles), which is 3.5% faster than [6] (where encryption takes 58.45 ms, i.e. 29,225 clock cycles).
To the best of our knowledge, no encryption-decryption NTRU design has been reported before, so we only present our own results. Table 2 shows the area usage of the optimized design. As can be seen in the table, the total number of gates used is 10,500, and 84% of the area is used by registers.
The power consumption of the circuit is measured in three different operating states of the design: encryption, decryption and idle. Table 3 shows the results.
As can be seen, the optimized design consumes only 6 uW during encryption-decryption and 0.5 uW in the idle state. The rotating registers are the main source of power consumption: about 80% of the power is consumed by the registers during encryption and decryption.
In the encryption-decryption NTRU design, encryption needs N × (N+2) + N clock cycles, while decryption takes 2 × N × (N+11) + N clock cycles. For the case N = 167 and a 500 kHz clock frequency, encryption takes 56.78 ms (28,390 clock cycles) and decryption takes 119.23 ms (59,619 clock cycles).
8 Conclusion
In this paper we present a small, low-power NTRU design suitable for pervasive security applications such as RFIDs and sensor nodes. We designed two architectures: one capable of encryption only and one capable of both encryption and decryption. The encryption-only NTRU design uses 2,800 gates, a very compact solution. Encryption takes 56.44 ms, which is 3.5% faster than the best previous designs. Our design consumes 1.72 uW of dynamic power; at present this is a two-fold saving compared with previous work. This study is the first complete NTRU design with both encryption and decryption circuits. We achieved a gate count of 12,300 gates for one design and, with further improvement, 10,500 gates. The optimized design gives the following results: 5.93 uW, 6.04 uW and 0.45 uW of dynamic power consumption in encryption, decryption and the idle state, respectively. The latency of encryption and decryption is 56.78 ms and 119.23 ms, respectively.
Furthermore, to speed up the design, the PM blocks can be used in parallel with a few changes in the rest of the design. In addition, the number of multiplications needed in decryption can be reduced from 2 to 1 by choosing the algorithm parameters differently.
References
[1] D. Bailey, D. Coffin, A. Elbirt, J. Silverman, and A. Woodbury. NTRU in Constrained Devices. In Cryptographic Hardware and Embedded Systems, Paris, France, 2001.
[2] L. Batina, N. Mentens, K. Sakiyama, B. Preneel, and I. Verbauwhede. Low-cost elliptic curve cryptography for wireless sensor networks. In 4th European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Lecture Notes in Computer Science, volume 4537, pages 6-17. Springer-Verlag, 2006.
[3] G. Gaubatz, J.-P. Kaps, E. Öztürk, and B. Sunar. State of the art in ultra-low power public key cryptography for wireless sensor networks. In Third IEEE Int. Conf. Pervasive Comput. Commun. Workshops, volume 2005, pages 146-150. IEEE Computer Society, Mar 2005.
[4] J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A Ring-Based Public Key Cryptosystem. In J. P. Buhler, editor, Algorithmic Number Theory (ANTS III), Lecture Notes in Computer Science, volume 1423, pages 267-288, Berlin, 1998. Springer-Verlag.
[5] N. Howgrave-Graham, J. H. Silverman, and W. Whyte. Choosing Parameter Sets for NTRUEncrypt with NAEP and SVES3. In Topics in Cryptology, CT-RSA 2005, Lecture Notes in Computer Science, volume 3376, pages 118-135, Berlin, 2005. Springer.
[6] J. Kaps. Cryptography for Ultra-Low Power Devices. PhD thesis, Worcester Polytechnic Institute, May 2006.
[7] C. M. O'Rourke. Efficient NTRU Implementations. Master's thesis, Worcester Polytechnic Institute, April 2002.
[8] J. H. Silverman. Invertibility in Truncated Polynomial Rings. Technical report, NTRU Cryptosystems, 1998.
[9] J. H. Silverman. Almost Inverses and Fast NTRU Key Creation. Technical report, NTRU Cryptosystems, 1999.
[10] http://www.ntru.com/cryptolab/faqs.htm#sixteen.
[11] The NTRU Public Key Cryptosystem: A Tutorial.
[12] www.zenoli.net/category/mathematics/, 2007.
[13] Synopsys, Inc. Power Compiler User Guide, 2006.
[14] http://rijndael.ece.vt.edu/gezel2/index.p