Performance Evaluation of Public Key
Cryptosystems
Rohan Malewar, Vijay Koneru, Rakesh Malireddy and Vasunandan Peddi
Abstract:- NTRU a Public Key Crypto System
( PKCS) which works over a finite ring of
polynomials for providing security whereas the
XTR can be applied over any system that uses
Discrete Logarithm Problem for its security. This
papers evaluates the performances of both
XTR and NTRU in terms of time taken for key
generation, encryption and decryption at different
security levels.
I. INTRODUCTION
Public key cryptography is a form of
cryptography which generally allows users to
communicate securely without having prior
access to a shared secret key. The revolutionary
idea was to split the key into two so that each
party has both a public key (which can be freely
distributed) and a private key (which is known
only to the party concerned). The key pairs are
generated in such a way that they have a specific
mathematical relationship, but at the same time it
is computationally infeasible to generate the
private key given knowledge of the public key.
Public-key cryptography is an integral
component of secure communication. Currently,
the most widely used public key system is
RSA,[3] which was created by Rivest, Shamir
and Adelman in 1978 and is based on the
difficulty of factoring large numbers. The need
for mobility has altered existing security
requirements and public-key systems must now
be capable of performing at high speed, whilst at
the same time providing robust security. XTR
and NTRU are two recently introduced publickey algorithms that were designed with
efficiency specifically in mind. In this project we
aim to Performance Evaluation of Public key
Cryptosystems XTR[1] &NTRU[2].
Fig 1.1 Public key cryptosystem example.
II. DESCRIPTION OF NTRU
NTRU is the first public-key algorithm not based
on either integer factorisation or the discrete
logarithm problem to be considered secure by the
cryptographic community. The algorithm was
introduced in 1998 by Jeffrey Hoffstein, Jill
Pipher and Joseph Silverman and promises
efficient performance combined with robust
security, in much the same way as XTR. Unlike
XTR, however, NTRU is a brand new
cryptosystem and is capable of encryption in its
own right. The algorithm’s security is based on
the difficulty of finding extremely short vectors
in lattices of very high dimension. NTRU’s
creators claim that it is resistant to parallel
processing attacks and that this fact, combined
with its disposable key technology, considerably
reduces the risk of power attacks, timing attacks
and security breaches due to lost or intercepted
keys. Nonetheless, the real area of interest lies in
NTRU’s performance and whether or not it is
suitable for integration into low-cost and mobile
devices.
The mathematics behind NTRU is based on the
manipulation of lists of small integers that
represent the coefficients of truncated
polynomials. Let R be the ring of truncated
polynomials of degree (N – 1) with integer
coefficients. Thus, a member of R will take the
following form:
a = a0 + a1X + a2X2 + … + aN-2XN-2 + aN-1XN-1
The polynomials in R may be added together in
the usual way by simply adding their
coefficients, i.e.:
a + b = (a0 + b0) + (a1 + b1)X + … + (aN-1 + bN-1)XN1
Multiplication in R is slightly different from
usual in that, after the polynomials have been
multiplied together, XN is replaced by 1, XN+1 is
replaced by X, XN+2 is replaced by X2, and so on.
The general formula for multiplying polynomials
in R is:
a * b = c0 + c1X + c2X2 + … + cN-2XN-2 + cN-1XN-1
where
ck = a0bk + a1bk-1 + … + akb0 + ak+1bN-1 + ak+2bN-2 + …
+ aN-1bk+1
The list of parameters in NTRU implementation
are as follows:
N - The polynomials in the truncated polynomial
ring have degree N-1.N should be prime.
q - Large modulus: usually, the coefficients of
the truncated polynomials will be reduced mod
q.
p - Small modulus. As the final step in
decryption, the coefficients of the message are
reduced mod p.
Relation of p and q: p and q should be selected
in such a way that they are relatively to prime to
each other and q should be large compared to p.
I.e. gcd (p, q) =1.
A. Key Generation:
For the public key, the user must:
Choose a secret key which is a randomly
generated polynomial “f” which belongs to the
Ring R, with coefficients reduced modulo p.
Choose “g” which is also a randomly generated
polynomial that belongs to the Ring R, with
coefficients reduced modulo p, and compute the
inverse polynomial Fq of the secret key
f modulo q.
Similarly Fp is also computed by taking inverse
of the polynomial f with reduced modulo p. If
inverse of “f” does not exist then the process is
repeated until we get the inverse.
The polynomial f has df coefficients equal to +1,
(df-1) coefficients equal to -1, and the rest equal
to 0.
The polynomial g has dg coefficients equal to
+1, dg coefficients equal to -1,and the rest equal
to 0.
Once Fq has been computed, the public key, h, is
found as
h = Fq * g (mod q)
B. Algorithm for key generation:
Before commencing the key generation
algorithm, decide what level of security is
required and select the appropriate parameter set.
1) Randomly generate a polynomial g that has dg
coefficients equal to 1 and dg coefficients equal
to –1.
2) Randomly generate a polynomial f that has df
coefficients equal to 1 and (df – 1) coefficients
equal to –1.
3) Compute the value of fp such that:
f * fp = 1 (mod p)
If fp does not exist then return to step 2.
4) Compute the value of fq such that:
f * fq = 1 (mod q)
If fq does not exist then return to step 2.
5) Compute the value of h such that:
h = pfq * g (mod q)
6) The NTRU private key is (f, fp) and the public
key is h.
C. Encryption
If Bob wants to send Alice a message using
Alice’s public key h he must first express the
message in the form of a polynomial M whose
coefficients are chosen modulo p (say from –p/2
to p/2). He can then encrypt M as follows:
1) Randomly generate a polynomial r that has dr
coefficients equal to 1 and dr coefficients equal
to –1.
2) Compute the value of the polynomial E such
that:
E = r * h + M (mod q)
3) Send E to Alice.
D. Decryption
Upon receiving the encrypted polynomial E from
Bob, Alice recovers the message using her
private key (f, fp) as follows:
1) Compute the value of a such that:
a = f * E (mod q)
2) Compute the value of b such that:
b = a (mod p)
3) Compute the value of M such that:
M = fp * b (mod p)
4) The polynomial M is the same polynomial
that Bob created originally to represent his
message and so Alice can now simply convert M
back into a readable form.
E. How it works?
Alice's encrypted message e looks like e = r*h +
m (modulo q). Bob's first step is to compute f*e
and reduce the coefficients modulo q. Remember
that Bob's public key h was actually formed by
multiplying pfq*g and reducing its coefficients
modulo q. So although Bob doesn't know r and
m, when he computes a = f*e (modulo q), he is
actually performing the following computation:
a = f*e (modulo q)
= f*(r*h + m) (modulo q)
[since e = r*h + m (modulo q)]
= f*(r*pfq*g + m) (modulo q)
[since h = pfq*g (modulo q)]
= pr*g + f*m (modulo q)
[since f*fq = 1(modulo q)]
Now consider the sizes of the various
parameters. The polynomials r, g, f, and m all
have coefficients that are quite small. This means
that the coefficients of the products r*g and f*m
are also quite small, in comparison to q. Since
the prime p is also small compared to q, this
means that the coefficients of the polynomial
pr*g + f*m already lie between -q/2 and q/2, so
reducing the coefficients modulo q has no effect
at all.
In other words, when Bob computes “a” by first
multiplying f*e and then reducing the
coefficients modulo q, the polynomial “a” that he
ends up with is exactly equal to the polynomial
pr*g + f*m. When Bob next reduces the
coefficients of “a” modulo p to form the
polynomial “b”, he is really reducing the
coefficients of pr*g + f*m modulo p, so the “b”
that he ends up with is equal to
b = f*m (modulo p).
Keep in mind that Bob still doesn't know the
value of m, but he now knows the value of d. So
his final step is to multiply b by fp and use the
fact that fp*f = 1 (modulo p) to compute
d = fp* b = fp* f*m = m (modulo p),
This allows him to recover Alice’s message m.
Implementation of NTRU in C
The degree of the polynomial N is chosen to be
the input from the user.The value of p is chosen
to be constant at 2 and q is chosen to be constant
at 128.
The functions that have been used are described
as below:
i)random_poly( )
The random_poly function generates the random
polynomials once the integer inputs m1 and p1
are given by the user.This function generates the
co-effecients of the polynomial which has m1
number of 1’s and p1 number of –1’s.
ii)zero_poly( )
The zero_poly function checks whether or not all
the co-effecients of a polynomial are zero.
iii)poly_copy( )
The poly_copy function copies all the coeffecients of one polynomial into another.
iv)poly_degree( )
The poly_degree function calculates the degree
of a polynomial.
v)poly_mult( )
The poly_mult function calculates the product of
2 polynomials with respect to mod m.This
function is used in several instances where we
require the product of 2 polynomials.The
generation of the public key,the generation of the
ciphertext etc.
vi)poly_long_div( )
The poly_long_div function computes q and r
such that a = b * q + r
(mod m) where a has degree of no more than n.
For this function to work
correctly, m must be equal to 2 or 3.
vii)poly_inverse( )
The poly_inverse function computes the inverse
of a polynomial.The arguments passed to this
function are the polynomial whose inverse is to
be computed and the value of the degree of the
polynomial that is N.
viii)create_key( )
The create_key function is used for the
generation of the public key h and the private
key(f,fp) as described above.
ix)encrypt( )
The encrypt function is used to produce the
ciphertext e once we have the message m that is
to be sent.This also makes use of some of the
functions described above like the poly_mult
function.
x)decrypt( )
The decrypt function is used to produce the
plaintext m once we have the ciphertext e
III. DESCRIPTION OF XTR
The XTR public-key algorithm was introduced
in 2000 by Arjen Lenstra and EricVerheul [1]. It
was designed specifically with efficiency in
mind and much of the underlying theory is based
on the earlier work of Andries Brouwer, Ruud
Pellikaan and Eric Verheul, as described in their
paper, “Doing More with Fewer Bits” [15]. In
this paper, the authors describe a variant of the
classical Diffie-Hellman key exchange scheme
that allows the total number of bits exchanged to
Arithmetic
be reduced to one third of the number
in the
Operation
original scheme. Unfortunately, the
potential
in offer
increase in performance that this should
was not fully realised. The problemGF(p2)
lay in the
Xp was
particular way that the algorithm
implemented. The computational inefficiencies
X2
inherent in the proposed method led to a system
X*Y fast,
that was both impractical and not especially
despite its communication advantage. XTR
significantly improves upon this algorithm and
achieves the same communication efficiency
x * z – y *at a
p
greatly reduced computational cost. As zwith
its
predecessor, XTR is not a new cryptosystem;
rather it is an efficient and compact
implementation of the classical Diffie-Hellman
scheme. Thus, we can be confident of its
security. The real area of interest lies in its
performance
XTR is the first method we are aware of that
uses GF(p2) arithmetic to achieve GF(p6)
security, without requiring explicit construction
of GF(p6). Let g be an element of order q > 6
dividing p2−p+1. Because p2−p+1 divides the
order p6−1 of GF(p6)_ this g generates an order q
subgroup of GF(p6)_. Since q does not divide
any ps − 1 for s = 1, 2, 3 (cf. [11]), the subgroup
generated by g cannot be embedded in the
multiplicative group of any true subfield of
GF(p6). We show, however, that arbitrary powers
of g can be represented using a single element of
the subfield GF(p2), and that such powers can be
computed efficiently using arithmetic operations
in GF(p2) while avoiding arithmetic in GF(p6).
A .Representation of an Element of GF(p2):
Let p be a large prime such that p = 2 (mod
3).Let α and αp be zeros of Y2 + Y + 1 that form
an optimal normal basis for GF(p2) over GF(p).
Since αi = αi (mod 3) an element x ε GF(p2)
Using this representation results in a large
reduction in the cost of many arithmetic
operations in GF(p2). The following table shows
how several of these operations are carried out
and specifies the cost of each (as is customary,
the cost of additions in GF(p) are not
counted):can be represented as:
x1α + x2αp = x1α + x2α2 where x1, x2 ε GF(p).
Calculation Required
Cost / No. of
Multiplication
in GF(p)
x2  x1 2
0
x2 ( x2  2 x1 )  x1 ( x1  2 x2 ) x 2
( x1 y1  2 x2 y2  ( x1  x2 )( y1  y2 ) 
2
2 x1 y1  x2 y2  ( x1  x2 )( y1  y2 )) 2
( z1 ( y1  x2  y2 )  z2 ( x2  x1  y2 )) 
3
4
( z1 ( x1  x2  y1 )  ( z2 ( y2  x1  y1 ) 2
Table a:Arithmetic operations in GF(p2)
In similar way the elements of GF( p6) are
represented by the elements of the GF(p)
Let x, y, z belongs to GF(p6) with p = 2 mod 3,
and let a, b belongs to Z with 0 < a, b < p.
Assume that a squaring in GF(p) takes 80% of
the time of a multiplication in GF(p) we can
state some of the postulates like
i. Computing x2 takes 14.4 multiplications in
GF(p).
ii. Computing x _ y takes 18 multiplications in
GF(p).
iii. Computing xa takes an expected 23.4 log2(a)
multiplications in GF(p).
iv. Computing xa _ yb takes an expected 27.9
log2(max(a, b)) multiplications in
GF(p).
Having established how the arithmetic in GF(p2)
is performed, we are now in a position to
examine the algorithm used for XTR
exponentiation. To aid in this process, I first state
the following definitions:
Definition 1: For c ε GF(p2) let F(c, X) be the
polynomial X3 – cX2 + cpX – 1
ε GF(p2)[X] with roots h0, h1, h2 in GF(p6) and
let cn = h0n + h1n + h2n for n ε Z.
Definition 2: Let Sn(c) = (cn
–1,
cn, cn+1) ε
2 3
GF(p ) .
Computation of Sn(c) given c If n < 0, apply this
algorithm to −n and If n = 0, then S0(c) = (cp, 3,
c) If n = 1, then S1(c) = (3, c, c2 − 2cp) If n = 2,
use Corollary 2.3.5.ii and S1(c) to compute c3
and thereby S2(n).
B. To compute Sn(c) for n > 2
Computation of Sn(c) given c (where n > 2):
1) Compute S3(c) = (c2, c3, c4)
where c2 = c2 – 2c
c3 = cc2 – ccp + 3
c4 = cc3 – c2cp + c
2) If n is odd let m = (n – 1) / 2 else let m = (n –
2) / 2.
3) Let L be the bit-length of m.
4) Let x = c2, y = c3, z = c4.
5) For i = L – 2, L – 3, L – 4, …, 0 in succession
do the following:
Let mi be the ith bit of m (the least significant bit
is the 0th bit).
If mi = 0:
x' = x2 – 2xp
y' = xy – cpyp + zp
z’ = y2 – 2yp
Else mi = 1:
x' = y2 – 2yp
y’ = yz – cyp + xp
z’ = z2 – 2zp
x = x’, y = y’, z = z’
6) If n is even:
x’ = y
y’ = z
z’ = cz – cpy + x
x = x’, y = y’, z = z’
7) Sn(c) = (x, y, z)
2) Compute Se(Tr(g)) using Algorithm 1.
3) Compute the matrix M where:
M=
1
D
*
 2c 2  6c p
2c 2 p  3c  c p  2
 2P
2
p p 1
 2c  3c (c  2c )  9
 c p 1  9 (2c 2 p  3c  c p  2 ) p



(2c  3c  c ) 
(2c 2  6c p ) p 

c p 1  9
2p
p2 p
and
D  2c2 p 2  18c p 1  4(c3 p  c3 )  27
4) Compute C(A(Tr(g))e) = M * (Se(Tr(g)))T.
5) Compute Tr(ge+k) = Sk(Tr(g)) * C(A(Tr(g))e).
6) Compute Sb(Tr(ge+k)) using above algorithm.
7) Return Tr(g(e+k)b) = Tr(ga * gbk).
It is worth noting that the XTR algorithm itself is
not capable of encryption, as such. As mentioned
previously, it is merely an efficient and compact
implementation of the classical Diffie-Hellman
key-exchange algorithm. However, XTR can be
used in anycryptosystem that relies on the
discrete logarithm problem for its security.
Lenstra and Verheul suggest combining XTR
with the ElGamal algorithm [20, 21] to produce
a fully functional encryption scheme. I now
describe how the key generation, encryption and
decryption stages of this XTR cryptosystem are
performed.
D. XTR Key Generation:
Let Q be the bit-length of q. To achieve security
equivalent to 1024-bit
RSA, set 6Q ≈ 1024, i.e. Q ≈ 170.
1) Find random r ε Z such that q = r2 – r + 1 is a
Q-bit prime.
2) Find k ε Z such that p = r + kq and p = 2 (mod
3).
3) Choose random c ε GF(p2) \ GF(p) and
compute cp+1 using above Algorithm 1.
4) If cp+1 ε GF(p) then return to step 3.
5) Compute c(p2 – p + 1) / q using Algorithm 1.
6) If c(p2 – p + 1) / q = 3 then return to step 3.
7) Let Tr(g) = c(p2 – p + 1) / q .
8) The XTR public key data consists of (p, q,
Tr(g)).
C. Computation of trace group Tr(g):
E . XTR-ElGamal Encryption:
Computation of Tr(ga * gbk) given Tr(g),
Sk(Tr(g)) for unknown k and a, b ε Z with 0 <a,
b < q:
1) Compute e = a / b (mod q).
Let (p, q, Tr(g)) be XTR public key data either
owned by Alice or shared by all parties.
Moreover, let Tr(gk) be a value computed and
made public by Alice for some secret integer k,
selected by and known only to Alice. Bob may
encrypt a message M for Alice as follows:
1) Bob selects a random b ε Z such that 1 < b < q
– 2 and uses Algorithm 1 to compute
Sb(Tr(g)) = (Tr(gb-1), Tr(gb), Tr(gb+1)).
2) Again using Algorithm 1, Bob computes
Sb(Tr(gk)) = (Tr(g(b-1)k), Tr(gbk), Tr(g(b+1)k)).
3) Bob determines the symmetric encryption key
K based on Tr(gbk).
4) Bob uses an agreed symmetric encryption
method with key K to encrypt M, resulting in the
encryption E.
5) Bob sends (Tr(gb), E) to Alice.
IV. OBSERVATIONS:
Key
Generation
Decryption
5 ms
40 ms
23 ms
11 ms
Key
Generation
Encryption
Decryption
94 ms
0.5 ms
0.9 ms
77 ms
23.6 ms
8.5ms
1024bit
1224 ms
RSA
170 –
bit
73 ms
XTR
Table:1
F. XTR-ElGamal Decryption:
Upon receipt of (Tr(gb), E) from Bob, Alice
decrypts E as follows:
1) Using Algorithm 1, Alice computes
Sk(Tr(gb)) = (Tr(gb(k-1)), Tr(gbk), Tr(gb(k+1))).
2) Alice determines the symmetric encryption
key K based on Tr(gbk).
3) Alice uses the agreed symmetric encryption
method with key K to
decrypt E, resulting in the message M.
Encryption
263bit
NTRU
170 –
bit
XTR
Table:2
Key generation:
The XTR-ElGamal cryptosystem reduces the
communication and computational overhead by a
factor of three at no cost to security Hence,
despite the complexity of its mathematical basis,
XTR does appear to have the potential for
integration into low-cost and mobile devices.
XTR outperforms NTRU in key generation. By a
factor of approximately 1.3 and from the
previous results produced by verhul. We can
observe that XTR outperforms the RSA by a
huge factor. It shows that Key generation is fast
in the XTR when compared to both PKCS RSA
as well as NTRU.
IV .Previous Implementations of XTR and NTRU
Encryption:
To date, there have been very few attempts at
implementing XTR. There are two publicly
available implementations: one was coded by
Lenstra for use as a demonstration program and
the other by Wei Dai as part of the Crypto++
library. Consequently, there is also very little
empirical data available concerning the
performance of XTR as compared to other
algorithms. Lenstra and Verheul offer a
comparison of XTR and RSA run times on a 450
MHz Pentium II NT workstation
Table-1 comparison of RSA and XTR
Current observations of XTR and NTRU on
PC 1.6 GHz with 512MB RAM
Table-2:Comparsion of NTRU and XTR.
The timings obtained for encryption evidently
show that XTR is by far the slowest performer of
both the algorithms in this area. XTR is at least
16 times slower than NTRU. When XTR is
compared with RSA the XTR is very slow of the
both. So of all the 3 algorithms the XTR is slow
in key generation.
Decryption:
The decryption timings show NTRU to be the
fastest performer of the both algorithms in tests
run. It is always at least 9 times faster than the
XTR. When comparing the XTR with RSA we
can see that XTR outperforms the RSA.
V. CONCLUSION
NTRU clearly gives the best overall performance
of the three algorithms tested. It is evidently
faster than both XTR and RSA for decryption
and, along with RSA, produces a far better
performance than XTR for encryption. Although
XTR is slightly faster for key generation, NTRU
is still easily the most impressive of the three
algorithms. Unfortunately for XTR, it is very
slow at encryption in comparison with the other
two algorithms. This aside, XTR still offers far
better overall performance than RSA. One
additional factor that must be considered when
comparing the relative performance of the
algorithms is the implementation method used
for each. NTRU has an immediate advantage
since it is written in pure C whereas both XTR
and RSA are written in C++ (which produces
slightly slower executable code) and make
extensive use of the LiDIA library routines.
Since these library routines were written in such
a way that they can be used for a wide variety of
purposes, they will never be as efficient as
similar routines that have been optimized for a
particular task. Of course, this problem does not
apply in the case of NTRU, where many of the
polynomial routines are optimized specifically
for use with this cryptosystem.
It is meaningless to attempt quantitative
comparison of the timings obtained on one
platform with those obtained on the other. The
Pentium II processor of the NT workstation and
the Athlon processor of the PC have very
different architectures and so merely taking their
respective clock speeds into account is not
sufficient to draw significant conclusions.
VI. REFERENCES:
[1] A.K Lenstra and E.R Verheul ,The XTR
public key system Advances in Cryptology:
roceedings of CRYPTO 00,Springer –
Verlag(2000), I-20.
[2] J.Hoffestein, J.Pipher and J.Silverman,
NTRU:A Ring based Public KeyCryptosystem,
Lecture
Notes
in
Computer
Science1423,Springer-Verlag (1998),267-288.
[3] LiDIA C++ library for Computational
Number
Theory
:http://www.informatik.tudarmsta.
de/TI/LiDIA/
[4] R.L.Rivest, A Shamir and L.M Adelman, On
Digital
Signatures
and
Public
–
KeyCryptosystems,.
L. Rivest, A. Shamir and L. M. Adelman, On
Digital
Signatures
and
Public-Key
Cryptosystems, MIT Laboratory for Computer
Science, Technical Report, MIT/LCS/TR-212
(1979).
[5] W.Diffie and M.E.Hellman, New Directions
in Cryptography, IEEE Transactions on
Information Theory 22(1976),644-654.
[6] T.EIGamal, A Public Key Cryptosystem and
a Signature scheme Based on Discrete
Logarthims, IEEE Transcatioins on Information
Theory 31(4),1985,469-472.
[7] A.Menzes, S.Vanstone, ECSTR(XTR):
Eliptic Curve Singular Trace Representation
rump session of Crypto 2000.
[8] NTRU Crypto Lab NTRU Algorithms,
NTRU Sign (Online),
(http://www.ntru.com/cryptolab/intro_ntrusign.ht
m ), NTRU Cryptosystems, Inc.
[9] J. Hoffstein, N. Howgrave-Graham, J. Pipher,
J. H. Silverman, W. Whyte,
“NTRU Sign: Digital Signatures Using NTRU
Lattice” (PDF),
(http://www.ntru.com/cryptolab/pdf/www.ntru.c
om/cryptolab/pdf/NTRUSign_RSA.pdf ), CTRSA Proceedings,
2003.
[10] Colleen M. O'Rourke, "Efficient NTRU
Implementations" (PDF),
(http://www.crypto.wpi.edu/Publications/Docum
ents/ms_corourke.pdf ), MS Thesis,
Worcester Polytechnic Institute, May 2002.
[11] Handbook of Applied Cryptography
Menezes, Oorschot, Vanstone,
[12] NTRU CryptoLab Tutorials (online),
( http://ntru.com/cryptolab/tutorials.htm), NTRU
Cryptosystems. Inc
[13] J. Hoffstein, J. Silverman, “Optimizations
for NTRU” (PDF), (
http://www.ntru.com/cryptolab/pdf/TECH_ARTI
CLE_OPT.pdf ), Public-Key
Cryptography and Computational Number
Theory (Warsaw, September 11-15, 2000
[14] Crypto++ Library 4.2:
http://www.eskimo.com/~weidai/cryptlib.html
[15] A. E. Brouwer, R. Pellikaan and E. R.
Verheul, Doing More with Fewer Bits,
Advances in Cryptology: Proceedings of
ASIACRYPT 99, Springer-Verlag
(1999), 321-332
[16] ECRYPT IST – 2002 507932 “Alternatives
to RSA”