Hardware Accelerator for the Tate Pairing in Characteristic Three Based on Karatsuba-Ofman Multipliers

Beuchat, Jean-Luc; Detrey, Jérémie; Estibals, Nicolas; Okamoto, Eiji; Rodríguez-Henríquez, Francisco

doi:10.1007/978-3-642-04138-9_17

“…We extend here the work presented in [10] and propose novel hardware architectures for computing the η T pairing over binary and ternary fields based on parallel pipelined Karatsuba multipliers and enhanced unified arithmetic operators. We stress that the modified Tate pairing can be directly computed from the reduced η T pairing at almost no extra cost [7].…”

Section: Introductionmentioning

confidence: 89%

Fast Architectures for the \eta_T Pairing over Small-Characteristic Supersingular Elliptic Curves

Beuchat

¹

,

Detrey

²

,

Estibals

³

et al. 2011

IEEE Trans. Comput.

Self Cite

View full text Add to dashboard Cite

This paper is devoted to the design of fast parallel accelerators for the cryptographic ηT pairing on supersingular elliptic curves over finite fields of characteristics two and three. We propose here a novel hardware implementation of Miller's algorithm based on a parallel pipelined Karatsuba multiplier. After a short description of the strategies we considered to design our multiplier, we point out the intrinsic parallelism of Miller's loop and outline the architecture of coprocessors for the ηT pairing over F2m and F3m. Thanks to a careful choice of algorithms for the tower field arithmetic associated with the ηT pairing, we manage to keep the pipelined multiplier at the heart of each coprocessor busy. A final exponentiation is still required to obtain a unique value, which is desirable in most cryptographic protocols. We supplement our pairing accelerators with a coprocessor responsible for this task. An improved exponentiation algorithm allows us to save hardware resources. According to our place-and-route results on Xilinx FPGAs, our designs improve both the computation time and the area-time trade-off compared to previously published coprocessors.

show abstract

“…Inverse 41 129 484 As we have now reduced the pairing computation to a sequence of operations over F q with q = p m , we need a coprocessor able to perform additions, multiplications and Frobenius (squarings and cubings) over this field. To this intent, we chose the coprocessor that Beuchat et al developed for the final exponentiation in [10]. The architecture of this coprocessor is reproduced in Fig.…”

Section: Additionmentioning

confidence: 99%

Compact Hardware for Computing the Tate Pairing over 128-Bit-Security Supersingular Curves

Estibals

¹

2010

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This paper presents a novel method for designing compact yet efficient hardware implementations of the Tate pairing over supersingular curves in small characteristic. Since such curves are usually restricted to lower levels of security because of their bounded embedding degree, aiming for the recommended security of 128 bits implies considering them over very large finite fields. We however manage to mitigate this effect by considering curves over field extensions of moderately-composite degree, hence taking advantage of a much easier tower field arithmetic. This technique of course lowers the security on the curves, which are then vulnerable to Weil descent attacks, but a careful analysis allows us to maintain their security above the 128-bit threshold. As a proof of concept of the proposed method, we detail an FPGA accelerator for computing the Tate pairing on a supersingular curve over F 3 5•97 , which satisfies the 128-bit security target. On a mid-range Xilinx Virtex-4 FPGA, this accelerator computes the pairing in 2.2 ms while requiring no more than 4755 slices.

show abstract

“…As we have now reduced the pairing computation to a sequence of operations over F q with q = p m , we need a coprocessor able to perform additions, multiplications and Frobenius (squarings and cubings) over this field. To this intent, we chose the coprocessor that Beuchat et al developed for the final exponentiation in [10]. The architecture of this coprocessor is reproduced in Fig.…”

Section: Our Test Case: F 3 5•97mentioning

confidence: 99%

Pairing-Based Cryptography - Pairing 2010

Takagi¹,

Okamoto²,

Okamoto³

et al. 2010

Lecture Notes in Computer Science

6

0

View full text Add to dashboard Cite

This paper presents a novel method for designing compact yet efficient hardware implementations of the Tate pairing over supersingular curves in small characteristic. Since such curves are usually restricted to lower levels of security because of their bounded embedding degree, aiming for the recommended security of 128 bits implies considering them over very large finite fields. We however manage to mitigate this effect by considering curves over field extensions of moderately-composite degree, hence taking advantage of a much easier tower field arithmetic. This technique of course lowers the security on the curves, which are then vulnerable to Weil descent attacks, but a careful analysis allows us to maintain their security above the 128-bit threshold. As a proof of concept of the proposed method, we detail an FPGA accelerator for computing the Tate pairing on a supersingular curve over F 3 5•97 , which satisfies the 128-bit security target. On a mid-range Xilinx Virtex-4 FPGA, this accelerator computes the pairing in 2.2 ms while requiring no more than 4755 slices.

show abstract

Hardware Accelerator for the Tate Pairing in Characteristic Three Based on Karatsuba-Ofman Multipliers

Cited by 8 publications

References 39 publications

Fast Architectures for the \eta_T Pairing over Small-Characteristic Supersingular Elliptic Curves

Fast Architectures for the \eta_T Pairing over Small-Characteristic Supersingular Elliptic Curves

Compact Hardware for Computing the Tate Pairing over 128-Bit-Security Supersingular Curves

Pairing-Based Cryptography - Pairing 2010

Contact Info

Product

Resources

About