
Issue No. 02, February 2011 (vol. 60), pp. 266-281

Jérémie Detrey , INRIA Nancy - Grand Est, Nancy

Nicolas Estibals , INRIA Nancy - Grand Est, Nancy

Eiji Okamoto , University of Tsukuba, Tsukuba

Jean-Luc Beuchat , University of Tsukuba, Tsukuba

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2010.163

ABSTRACT

This paper is devoted to the design of fast parallel accelerators for the cryptographic $\eta_T$ pairing on supersingular elliptic curves over finite fields of characteristic two and three. We propose a novel hardware implementation of Miller's algorithm based on a parallel pipelined Karatsuba multiplier. After a short description of the strategies we considered when designing this multiplier, we point out the intrinsic parallelism of Miller's loop and outline the architecture of coprocessors for the $\eta_T$ pairing over ${\bf F}_{2^m}$ and ${\bf F}_{3^m}$. Thanks to a careful choice of algorithms for the tower-field arithmetic associated with the $\eta_T$ pairing, we manage to keep the pipelined multiplier at the heart of each coprocessor busy. A final exponentiation is still required to obtain a unique value, which is desirable in most cryptographic protocols; we supplement our pairing accelerators with a coprocessor responsible for this task, and an improved exponentiation algorithm allows us to save hardware resources. According to our place-and-route results on Xilinx FPGAs, our designs improve both the computation time and the area-time trade-off compared to previously published coprocessors.
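Added example (not code from the paper): the characteristic-two field multiplication that a Karatsuba multiplier for ${\bf F}_{2^m}$ performs, written in Python as a recursive Karatsuba product over ${\bf F}_2[x]$, cross-checked against schoolbook multiplication and then reduced modulo an irreducible polynomial. The worked check uses a small constructed field, ${\bf F}_2[x]/(x^8+x^4+x^3+x+1)$; the paper's field sizes and reduction polynomials are not given on this page.

```python
import random

# Added example, not the paper's code: F_{2^m} multiplication as a Karatsuba
# product over F_2[x] followed by reduction. A polynomial is an int whose
# bit i is the coefficient of x^i, so addition in characteristic two is XOR.

def schoolbook_mul(a: int, b: int) -> int:  # reference shift-and-XOR product
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def karatsuba_mul(a: int, b: int, n: int) -> int:
    """Product of a and b (both of degree < n) by Karatsuba's split:
    three half-size products per level instead of four."""
    if n <= 1:
        return a & b & 1
    h = (n + 1) // 2                   # width of the low halves
    mask = (1 << h) - 1
    a0, a1 = a & mask, a >> h
    b0, b1 = b & mask, b >> h
    p0 = karatsuba_mul(a0, b0, h)
    p2 = karatsuba_mul(a1, b1, n - h)
    p1 = karatsuba_mul(a0 ^ a1, b0 ^ b1, h)
    mid = p1 ^ p0 ^ p2                 # subtraction is XOR in char 2
    return p0 ^ (mid << h) ^ (p2 << (2 * h))

def reduce_mod(p: int, f: int, m: int) -> int:
    """Reduce p modulo the degree-m polynomial f (bit m of f set)."""
    for i in range(p.bit_length() - 1, m - 1, -1):
        if (p >> i) & 1:
            p ^= f << (i - m)
    return p

def gf2m_mul(a: int, b: int, f: int, m: int) -> int:
    """Multiply in F_{2^m} = F_2[x]/(f): Karatsuba product, then reduce."""
    assert 0 <= a < (1 << m) and 0 <= b < (1 << m)
    return reduce_mod(karatsuba_mul(a, b, m), f, m)

def karatsuba_matches_schoolbook(n: int, trials: int, seed: int = 1) -> bool:
    """Cross-check both multipliers on random n-bit polynomials."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.getrandbits(n), rng.getrandbits(n)
        if karatsuba_mul(a, b, n) != schoolbook_mul(a, b):
            return False
    return True
```

In ${\bf F}_2[x]/(x^8+x^4+x^3+x+1)$ (reduction polynomial 0x11B) the elements 0x53 and 0xCA are inverses, so `gf2m_mul(0x53, 0xCA, 0x11B, 8)` returns 1; `karatsuba_matches_schoolbook(37, 200)` exercises the odd-width split.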

INDEX TERMS

Tate pairing, $\eta_T$ pairing, elliptic curve, finite field arithmetic, Karatsuba multiplier, hardware accelerator, FPGA.

CITATION

Jérémie Detrey, Nicolas Estibals, Eiji Okamoto, Jean-Luc Beuchat, "Fast Architectures for the $\eta_T$ Pairing over Small-Characteristic Supersingular Elliptic Curves",

*IEEE Transactions on Computers*, vol. 60, no. 2, pp. 266-281, February 2011, doi:10.1109/TC.2010.163
