Low-cost Implementations of NTRU for pervasive security

Ali Can Atc

Istanbul Technical University
Institute of Science and Technology
aticial@itu.edu.tr

Junfeng Fan Katholike
Universiteit Leuven
ESAT/COSIC and IBBT
junfeng.fan@esat.kuleuven.be
Lejla Batina Katholike
Universiteit Leuven
ESAT/COSIC and IBBT
lejla.batina@esat.kuleuven.be

Ingrid Verbauwhede Katholike
Universiteit Leuven ESAT/COSIC and
IBBT
ingrid.verbauwhede@esat.kuleuven.be
S. Berna O

rs Yalcn
Istanbul Technical University
Faculty of Electrical and Electronics Engineering
siddika.ors@itu.edu.tr



Abstract

NTRU is a public-key cryptosystem based on the
shortest vector problem in a lattice which is an
alternative to RSA and ECC. This work presents a
compact and low power NTRU design that is suitable
for pervasive security appli- cations such as RFIDs
and sensor nodes. We have designed two architectures,
one is only capable of encryption and the other one
performs both encryption and decryption. The
strategy for the designs includes clock gating of
registers, operand isolation and precomputation.
This work is also the first one to present a complete
NTRU design with en- cryption/decryption circuitry.
Our encryption-only NTRU design has a gate-count
of 2.8 kgates and dynamic power consumption of 1.72
W . Moreover, encryption-decryption NTRU design
consumes about 6 W dynamic power and consists
of 10.5 kgates.


1. Introduction

The feasibility of Public-key (PK) solutions for
RFIDs and sensor networks is an open research
problem due to severe limitations in costs, area and
power. RFID tags and sensor nodes are extreme
examples as they imply very

This work is funded partially by IBBT, Katholieke Universiteit

Leuven (OT/06/40) and FWO projects (G.0300.07 and G.0450.04).
This work was supported in part by the IAP Programme P6/26
BCRYPT of the Belgian State (Belgian Science Policy), by the EU
IST FP6 projects (ECRYPT) and by the IBBT-QoE project of the
IBBT.
low budget for the number of gates, power, bandwidth
etc. whilst they sometimes require security solutions.
Imple- mentations of Public-key Cryptography (PKC)
are very dif- ficult in those environments as PKC
deploys computation- ally demanding operations.
However, PKC protocols are useful for applications
that need strong cryptography and services such as
authentication, signatures, key-exchange etc. In
addition, the use of PKC reduces power due to less
protocol overhead [3].
In this paper, we present low-cost implementations
of the Public-key algorithm NTRU, which are viable
for RFIDs and sensor nodes. Section 2 investigates
the previous im- plementations of low-cost PKC.
Section 3 summarizes the basics of NTRU algorithm
such as key generation, encryp- tion and decryption.
Section 4 gives brief information about the low-power
design methods used in the designs. Sec- tion 5 gives
the details of the architecture of encryption-only NTRU
whereas, section 6 shows the architecture of encryp-
tion/decryption NTRU. Section 7 discusses the power,
area and latency results of our implementation and
previous im- plementations. And finally, Section 8
concludes the paper.


2. Previous work

To the best of our knowledge very few papers
discuss the possibility for PKC (specifically NTRU)
for RFIDs and sensor nodes. In the masters thesis of
ORourke [7], a hard- ware core is designed which
performs only NTRU polyno- mial multiplication. It
has a gate count of minimum 1483




gates, but the design is not optimized for low-cost and
there is no power consumption data. Another NTRU
design is im- plemented by Bailey et al. [1], and it
performs only encryp- tion. The design has
approximately 60 000 gates in a Xilinx Virtex
1000EFG860 FPGA. The most detailed low-cost im-
plementation of NTRU is realized by Kaps [6]. The
author investigated implementations of two
algorithms: Rabins scheme and NTRUEncrypt. It is
concluded that NTRU- Encrypt features a suitable
low-power and small footprint solution with a total
complexity of 3000 gates and power consumption of
less than 20 W at 500 kH z. As one would expect, he
showed that Rabins scheme is not a feasible so-
lution. Apart from NTRU implementations, there also
ex- ist a compact ECC implementation in [2]. In this
work, the best solution has 6718 gates for modular
arithmetic unit and control unit (data memory not
included), and it consumes power less than 30 W at
500 kH z.

3. NTRU algorithm

NTRU [4] is a public-key cryptosystem based on
the shortest vector problem in a lattice. Basic
operations of NTRU are realized in a truncated
polynomial ring R= Z [X]/(X
N
1). Polynomials in the
ring have integer co- efficients and a degree of N1.
Addition is carried out in a normal way by adding the
coefficients that have the same degree while
multiplication is carried out in the following way.
During multiplication the rule X
N
1 is applied to all
elements which have a degree equal or greater than N.
This multiplication is called star multiplication [1] and
denoted with the symbol. Thus, the product of two
polynomials a and b
2 1
0 1 2 1
( ) ...
N
N
a X a a X a X a X

2 1
0 1 2 1
( ) ...
N
N
b X b b X b X b X

can be calculated as,
c(X) = a(X) *b(X)
0 1 1 1 1
mod
...
k k k N k i j
i j N
c a b a b a b ab





In other notation, if we write the polynomials a, b
and c as coefficient vectors, then, the result c = a b
simply equals to convolution product of two vectors
as shown below [7]:
4 4 4 4 4
0 0 0 0 0
4 0 3 0 2 0 1 0 0 0
3 1 2 1 1 1 0 1 4 1
2 2 1 2 0 2 4 2 3 2
1 3 0 3 4 3 3 3 2 3
0 4 4 4 3 4 2 4 1 4
4 3 2 1 0
a a a a a
b b b b b
a b a b a b a b a b
a b a b a b a b a b
a b a b a b a b a b
a b a b a b a b a b
a b a b a b a b a b
c c c c c

NTRU public-key cryptosystem has three integer
param-eters (N; q; p) and four sets L
f
; L
g
; L
r
; L
m
of
polynomials of degree N-1 which have all integer
coefficients. It is assumed that N is prime, gcd(p; q) =
1 and q is always fairly larger than p. NTRU with N =
263 provides an equivalent security level of 1024-bit
RSA and 160 bits long ECC[5, 10].
Key Generation: To generate key sets of NTRU, one
must first choose two random polynomials f L
f
and
g L
g
. These two polynomials must be small polyno-
mials which means their coefficients must be much
smaller than q. Besides, f
q
f
-1
(mod q) and f
p
f
-1

(mod p) must exist. Then, the following computation
is performed, h f
q
*g (mod q). Now h is our public
key while f and f
p
are our secret keys. For, more
information about parameter selection, small
polynomials and finding inverses of polynomials we
refer to [4, 8, 9].
Encryption: Firstly, a message m which is a small
polynomial is chosen from the plaintext set L
m
and
then a small random polynomial r is chosen from the
set L
r
as blinding value. Finally, encrypted text is
evaluated as, e pr*h+m(mod q). During encryption,
h will be alwaysmultiplied by p. So, to avoid
unnecessary computation it is suggested to use h pf
q
*g (mod q) [11].
Decryption: In order to decrypt the encrypted text e,
one must first compute a f *e pr *g + f*m (mod
q). At this stage it is essential to chose the coefficients
of a between -q/2 and q/2 instead of 0 and q-1.
Otherwise, message may not be properly recovered.
After this step, b a (mod p) = f *m should be
calculated. As the final step, message can be
recovered by the multiplication of f
p
and b modulo p,
c b* f
p
(mod p) = m.

4. Phng php thit k cng sut thp

C nhiu phng php c th gim in nng
c mc cng ngh v kin trc. y, chng
ti s ch cp n cng ngh m chng ti s
dng.

Mch din duc d kin s duc chy tn
s thp (500kHz), do chng ti s dng th vin
cng ngh r r thp tng hp thit k ca mnh,
gip chng ti tiu th cng sut tnh thp hn ng
k. ng thi, chng ti cng s dng mt s
phng php lm gim i mc tiu th cng sut
ng nh clock gating, ton hng c lp v tnh ton
truc.
Mc ch ca clock gating l iu khin u vo
clock ca thanh ghi bng tn hiu enable v cch ly u
vo clock n khi c gi tr mi c np vo thanh
ghi v lm gim hot ng chuyn mch bng cch
ny. Trong mch clock gating [13], n c u tin s
dng cht v hiu ha cc s c c th xy ra vi
u vo clock ca thanh ghi. Hnh 1 cho thy cng
clock ca thanh ghi

Ton hng c lp l mt cch khc lm gim
hot ng chuyn mch bng cch cch ly u vo
ca cc mch phc tp t hp (vd. b nhn, b cng)
khi u ra ca chng khng c s dng
trnh lng ph nng lung bi key generation,
public key h r * pf
q
*g (mod q) c tnh ton trc
v lu tr trong mch v chng ti cho rng h l ging
nhau mi s m ha.

5. Implementation of encryption-only NTRU

Chng ti chn N=167, q=128 v p=3 trong cc
tham s ci t NTRU nhm mang li mc bo mt
cao nht [4]. Nh php chn public key h c cc h
s trong khong [0,127], a thc ngu nhin r v thng
ip m c cc h s trong b {-1,0,1}. Nh vy h s
ca h s c biu din bng 7 bits v cc h s ca r,
m c biu din bng 2 bits. V khi thc hin vi s
m, php b 2 s uc s dng
Cu trc chnh ca phn m ha, nh trn hnh 2,
gm c 1 LUT cha h, mt hm nhn da thc (PM)
thc hin php nhn sao, mt thanh ghi xoay vng
1 phn (PRR) ( rng Nx2 bits) d gi v quay r, mt
khi iu khin logic iu khin qu trnh m ha

Trong thit k ny chng ti khng quan tm n
s sinh ra ca a thc ngu nhin, v vy chng ti gi
thit rng chng ti c th nhn c cc h s ca a
thc ngu nhin tng ng t u vo r
in


5.1. Look-up table

B to chc nng (LUT) thc hin t hp hon
chnh cc ng vo, a ra cc h s kha cng khai
ty theo a ch u vo ca chng

5.2 Polynomial multiplier

y l li s hc chnh, ni m tt c cc tnh ton
c thc hin. N c mt b nhn 7-bit , mt b cng
thy nh truc 7-bit (CLA) v mt thanh ghi 7-bit nh
trong hnh 3


5.3 Partially rotating register

Thanh ghi xoay vng 1 phn l 1 bin th ca thanh
ghi xoay vng chun. Chng ti thc hin 1 s sa
i thu c li ch ti a t clock gating. Trong m
ha, h s a thc ngu nhin ti u vo ca PM c
thay i cho mi gi tr kha cng khai mi.
So in case of a regular register, whole bits must be
shifted one time, which means switching activity of
Nx2 registers for every partial product computation.
We have seen by our measurements that clock gating a
regular rotate register does not have a positive effect on
power consumption during NTRU encryption. On the
contrary, it increases the dynamic power consumption
due to extra switching activity comes from gating
circuits (see Table 1). To overcome that negative
situation we designed a partially rotating register, as
illustrated in Figure 4.

In this architecture the right hand side 32-bit
register is the part that is always rotating during
encryption and loading of random polynomial. During
the loading stage most significant two bits of that
register are used as input and the output is always the
least significant two bits of that register. A partial
rotate signal is sent by the controller till all 16 values
of the register have been used and then a whole rotate
signal is sent to renew the values of partial rotate
register. After receiving that signal, circuit makes a
block rotation with width of 32 bits. With this method,
only 32 bits are switching constantly during encryption
while the rest of the registers switch only 9 times, in
the computation of each cipher text word.

5.4 Control logic

Controller ca khi m ha c thit k nh 1
my trng thi (FSM) vi 4 trng thi. N iu khin
cc qu trnh bng 2 b m 8 bit v 1 b m 4 bit.
N bt u vi trng thi initial sau reset v lun
kim tra u vo Enc. Nu n pht hin tn hiu cao, n
s chuyn sang trng thi loading. Trong trng thi
loading, h s ca r c load ln lt t PRR. Sau khi
load tt c cc h s, FSM chuyn qua trng thi
multiplication.
Trong multiplication, cc h s ca h v r c
nhn v tch ly. Tip sau multiplication l trng thi
add message , ni m message c thm vo tng
hin ti, cipher text l u ra v tn hiu done ln 1
trong 1 chu k clock Sau khi thm message, n chuyn
li trng thi multiplication tnh ton cc h s tip
theo cho n h s cui cng. Sau khi tnh xong h s
cui cng n chuyn v trng thi initial

6. Thc hin m ha-gii m NTRU

Cc b tham s tng t cng c s dng
thit k m ha- gii m NTRU.Trong trng hp ny,
chng ti c thm hai a thc l, pravite keys f and
f
p
. f c cc h s t b {-1,0,1} trong khi f
p
c cc
h s t b {0,1,2}
Hnh 5 biu din cu trc ca thit k. n gin
ta khng biu din ton b cc khi v tn hiu bn
trong thit k. gii m, 1 n v Mod-3, 2 LUT lu
tr private key f and f
p
, 1 PRR Nx7 bit v 1 thanh ghi
kt qu uc thm vo thit k truc



Ngoi ra cn c 4 b nh tuyn c to thnh t
cc b nhn, c chc nng iu khin chnh xc gi
tr u vo ty theo trng thi m ha v gii m.
Trong m ha, 7 bit v 2 bit u vo ca PM b rng
buc bi LUT h v rng thanh ghi u ra Nx2
tng ng. u ra ca PM c kt ni ti thanh
ghi kt qu. Trong php nhn u tin ca gii
m, 7 bit v 2 bit u vo ca PM b rng buc bi
rng PRR Nx7 v LUT f tng ng. V u ra ca
PM c kt ni ti Mod-3 unit, trong khi u ra
ca Mod-3 unit c kt ni vi u vo ca thanh
ghi Nx2.Trong php nhn th 2 ca gii m, 7 bit v 2
bit u vo ca PM c kt ni ti LUT f
p
v
thanh ghi Nx2 tng ng. u ra ca PM c ni
tr li Mod -3 unit nhng u ra ca Mod-3 unit li
b rng buc bi thanh ghi kt qu.
Cc thnh phn c s dng trong cc cng c
m ha NTRU cng c s dng trong thit k ny.
Mt ln na, chng ti s dng LUT lu tr cc
kha cng khai v kha ring. PRR rng Nx7 bit
ging nh cu trc xc nh trong mc 5, ch iu
chnh di bit. Thanh ghi rng Nx2 bits thc hin
ging nh thanh ghi xoay vng tri. Thanh ghi kt
qu cng l 1 thanh ghi chun vi tn hiu load
Thay i duy nht xy ra trong PM. T , chng
ti thit k PM ch lm vic trong modulo 128. Chng
ti thm mt u ra trn-thng l u ra carry ca
CLA, m s lng cc modulo 128 gim trong
nhn th hai ca gii m (cc tnh ton c thc hin
theo modulo 3) .
Ngoi ra, trong thit k ny PM c kh nng
nhn 2 khi c s dng trong qu trnh gii m

6.1 Routers

C 4 routers trong thit k. 1 cho u vo a ch
ca LUT, 1 cho u vo ca PM, 1 cho u vo thanh
ghi xoay vng v 1 cho u vo thanh ghi kt qu. Cc
modules duy tr cc kt ni cn thit gia chng ty
theo tn hiu iu khin c to ra bi controlle

6.2 Mod-3 Unit

Mod 3 rt gn c thc hin bi my trng thi
hu hn (FSM) trn c s mch [12]. FSM bt u t
trng thi 0 v kim tra bits t tri sang phi v
chuyn trng thi ty theo gi tr ca bits . Trng
thi hon thnh sau khi kim tra bits cui cng l gi
tr ca s trong modulo 3

u ra trn ca PM cng c kt ni ti module
ny. l 2 bits m trn dng m khi xy ra
trn. Bng cch s dng gi tr m ny, chng ti c
c chnh xc kt qu Mod-3 rt gn.

6.3 Control logic

iu khin ca thit k c thc hin ging nh
1 FSM vi 7 trng thi. N iu khin chuyn trng
thi vi 2 b m 8bits v 1 b m 4bits. Bt u
FSM vi trng thi initial, tip theo l reset v trc tip
chuyn qua trng thi checking bng cch iu khin
u vo ca Enc v Dec.
u vo ca Enc v Dec c tip tc kim tra
trong trng thi checking. Khi pht hin 1 tn hiu cao
ca 1 trong cc u vo, FSM chuyn qua trng thi
loading, ngoi ra cc trng thi khc khng thay i.
Trong trng thi loading, nu l m ha, h s ca
r s c load vo thanh ghi c rng Nx2. Nu
l gii m, h s ca cipher text e c load vo PRR
d rng Nx7. Loading c k tip bi trng thi
multiplication. Trng thi multiplication l chung cho
c m ha v gii m, bi a thc nhn trong c 2
trung hp l tng t nh nhau.
Sau khi hon thnh multilication v tch luy h
s, n chuyn qua trng thi add message trong khi
m ha chuyn qua trng thi khc: reduction 3
Trong trng thi add message, thng tin c thm
vo tng hin thi v iu khin n trng thi final
result. trng thi reduction 3, kt qu to ra bi
PM c load vo trong Mod-3 v s gi tr modulo 3
l c tnh truc. C trong Mod 3 rt gn u tin
v th 2, b diu khin u a n trng thi final
result sau khi tnh ton
trng thi final result, nu mch thc hin m
ha, b iu khin load kt qu t thanh ghi kt qu v
u ra xc nh 1 trong 1 chu k clock
Nu gii m c thc hin v mch thc hin
php nhn u tin, FSM load kt qu Mod 3 t
thanh ghi rng Nx2. Nu php nhn th 2 c
thc hin, kt qu Mod 3 c load t thanh ghi kt
qu v u ra xc nh 1 trong 1 chu k clock. Trong
tt c cc trung hp nu h s cui cng xc
nh, h thng chuyn qua trng thi initial, nu khng,
n chuyn qua trng thi multiplication

7 Analysis

Chng ti trnh by thit k ca mnh trong GEZEL
[14] v ti uu ha chng c in nng v ti
nguyn thp. Ging nh th vin cng ngh, th vin
Faraday Low Leakage 0,13um c s dng trong
thit k. Thit k c tng hp bi Synopsys Design
Vision ti tn s 500kHz v cng sut trung bnh c
o bi Synopsys Power Compiler. Tt c cc php o
cng sut c thc hin bng cch s dng cc hot
ng chuyn mch, ci m c bt bi gate-level
m phng vi ModelSim. T , vic thc hin
NTRU cng sut thp 1 cch chi tit thuc v cng
vic ca Kaps. Chng ti so snh kt qu ca
mnh vi cng vic ca anh y [6].
Chng ti tng hp 3 thit k m ha khc nhau.
1 l khng c bt c ci tin no v nng lung tiu
th, 1 l vi cng clock thanh ghi v cui cng l
vi cng clock thanh ghi v thanh ghi xoay vng 1
phn. Chng ti k hiu chng ln lut l Enc1, Enc2
v Enc3. S lung cng ca thit k c tnh da vo
php chia din tch mch cho din tch ca 1 cng
NAND 2 u vo


Nh chng ta thy bng 1, Enc3 l thit k ti u
nht ca chng ti v cc thit k trc hu ht c
s cng tng t nhau trong khi thit k ca chng ti
tt hn [6] vi 1,72 uW cng sut ng v 1,74 uW
tng cng sut tiu th. Do trong th vin k thut, n
v ca nng lng r r l pW, chng ti cng o c
s tiu th nng lung tnh gim 1 cch ng k. Khi
thanh ghi xoay vng l ngun gc chnh ca ti
nguyn (73,6%) v nng lng (82,6%) tiu th trong
Enc1, chng ti ch s dng 1 phn chng t c
mc tit kim nng lung ng hn 50%. Ngoi ra,
tng nng lung tiu th trong thit k Enc3 trng
thi ri o c l 0,18uW
Thit k ca chng ti hon thnh m ha vi N x
(N+1) + N chu k clock. Vi trng hp ca chng ti
N=167 v vi tn s clock l 500kHz, n mt 56,44ms
(28 223 chu k clock), nhanh hn 3,5% so vi [6] (m
ha mt 58,45ms-29 225 chu k clock)
Theo nhng g tt nht m chng ti bit, khng c
mt thit k m ha-gii m NTRU uc bo co truc
, v vy chng ti ch trnh by kt qu ca mnh.
Bng 2 trnh by ti nguyn s dng ca thit k ti
u. Nh ta c th thy trong bng, tng s cng s
dng l 10 500 cng, v 84% ti nguyn l c s
dng bi thanh ghi



Cng sut tiu th trong mch c o trong 3
trng thi lm vic khc nhau ca thit k: M ha,
gii m v trng thi ngh. Bng 3 cho ta thy kt qu
.
Nh c th thy trong thit k ti u ch tiu th
6uW trong khi m ha-gii m v 0,5uW trong trng
thi ngh. Thanh ghi xoay vng l ngun chnh tiu
th cng sut. Khong 80% nng lung l c tiu
th bi cc thanh ghi trong m ha v gii m
Trong thit k m ha - gii m NTRU, m ha cn
N x (N + 2) + N chu k clock, trong khi gii m mt 2
x N x (N +11) + N chu k clock. i vi trung hp
N= 167 v vi tn s clock 500kHz, m ha ha mt
56.78 ms (28 390 chu k clock), gii m mt 119.23
ms (59 619 chu k clock)

8 Conclusion

Trong bi bo ny chng ti trnh by 1 thit k
NTRU nh v cng sut thp ph hp vi cc ng
dng bo mt ph bin nh RFIDs v cc nt cm
bin. Chng ti thit k 2 cu trc. Mt l ch c kh
nng m ha v 1 l c c 2, m ha v gii m. Vi
thit k NTRU ch m ha cn s dng 2800 cng,
mt gii php rt nh gn. M ha cn 56,44ms v
n nhanh hon 3,5% so vi cc thit k tt nht truc
. Thit k ca chng ti tiu th 1,72uW cng sut
ng. thi im hin ti n tit kim gp 2 ln so
vi cc nghin cu truc . Nghin cu ny l ln
u tin thc hin hon chnh thit k NTRU vi mch
m ha v gii m. Chng ti t c s lung
cng l 12300 cng cho 1 thit k, ci tin hn na l
10500 cng. Thit k ti u cho kt qu nh sau:
5,93uW, 6,04uW, 0,45uW cho tiu th nng lung
ng tng ng trong m ha, gii m v trng thi
ngh. Thi gian ch trong m ha, gii m tng ng
mt 56,78ms v 119,23ms


Hn na, tng tc trong thit k, cc khi
PM c th c s dng song song vi 1 vi thay di
trong phn cn li ca thit k. Ngoi ra, n c th lm
gim s php nhn cn thit trong gii m t 2 xung 1
bng cch chn tham s thut ton mt cch khc

References
[1] D. Bailey, D. Coffin, A. Elbirt, J. Silverman,
and A. Wood-bury. NTRU in Constrained Devices. In
Cryptographic Hardware and Embedded Systems,
Paris, France, 2001.
[2] L. Batina, N. Mentens, K. Sakiyama, B.
Preneel, and I. Ver-bauwhede. Low-cost elliptic curve
cryptography for wireless sensor networks. In 4th
EuropeanWorkshop on Security and Privacy in Ad hoc
and Sensor Networks, Lecture Notes in Computer
Science, volume 4537, pages 617. Springer-Verlag,
2006.
[3] G. Gaubatz, J.-P. Kaps, E.Ozt urk, and B.
Sunar. State of the art in ultra-low power public key
cryptography for wireless sensor networks. In Third
IEEE Int. Conf. Pervasive Com-put. Commun.
Workshops, volume v2005, pages 146150.IEEE
Computer Society, Mar 2005.
[4] J. Hoffstein, J. Pipher, and J. H. Silverman.
NTRU: A Ring-Base Public Key Cryptosystem. In J. P.
Buhler, editor, Algo-rithmic Number Theory (ANTS
III), Lecture Notes in Com-puter Science, volume
1423, pages 267288, Berlin, 1998.Springer-Verlag.
[5] N. Howgrave-Graham, J. H. Silverman, and W.
Whyte.Choosing Parameter Sets for NTRUEncrypt
with NAEP and SVES3. In Topics in Cryptology CT-
RSA 2005, Lecture Notes in Computer Science,
volume 3376, pages 118135, Berlin, 2005. Springer.
[6] J. Kaps. Cryptography for Ultra-Low Power
Devices. PhD thesis, Worcester Polytechnic Institute,
May 2006.
[7] C. M. ORourke. Efficient NTRU
Implementations. Mas-ters thesis, Worcester
Polytechnic Institute, April 2002.
[8] J. H. Silverman. Invertibility in Truncated
Polynomial
Rings. Technical report, NTRU Cryptosystems,
1998.
[9] J. H. Silverman. Almost Inverses and Fast
NTRU Key Cre-ation. Technical report, NTRU
Cryptosystems, 1999.
[10]http://www.ntru.com/cryptolab/faqs.htm#sixtee
n.
[11] The NTRU Public Key Cryptosystem A-
Tutorial.
[12] www.zenoli.net/category/mathematics/, 2007.
[13] Synopsys, Inc. Power Compiler User Guide,
2006.
[14]http://rijndael.ece.vt.edu/gezel2/index.p