Fast architectures for the $\eta_T$ pairing over small-characteristic supersingular elliptic curves

Jean-Luc Beuchat; Jérémie Detrey; Nicolas Estibals; Eiji Okamoto; Francisco Rodríguez-Henríquez

inria-00424016, version 2

Fast architectures for the $\eta_T$ pairing over small-characteristic supersingular elliptic curves

Jean-Luc Beuchat ()^a^, 1, Jérémie Detrey ()^b^, 2, Nicolas Estibals ()^c^, 2, Eiji Okamoto ()^a^, 1, Francisco Rodríguez-Henríquez ()^d^, 3

IEEE Transactions on Computers 60, 2 (2011) 266-281

Résumé : This paper is devoted to the design of fast parallel accelerators for the cryptographic $\eta_T$ pairing on supersingular elliptic curves over finite fields of characteristics two and three. We propose here a novel hardware implementation of Miller's algorithm based on a parallel pipelined Karatsuba multiplier. After a short description of the strategies we considered to design our multiplier, we point out the intrinsic parallelism of Miller's loop and outline the architecture of coprocessors for the $\eta_T$ pairing over $\F_{2^m}$ and $\F_{3^m}$. Thanks to a careful choice of algorithms for the tower field arithmetic associated with the $\eta_T$ pairing, we manage to keep the pipelined multiplier at the heart of each coprocessor busy. A final exponentiation is still required to obtain a unique value, which is desirable in most cryptographic protocols. We supplement our pairing accelerators with a coprocessor responsible for this task. An improved exponentiation algorithm allows us to save hardware resources. According to our place-and-route results on Xilinx FPGAs, our designs improve both the computation time and the area-time trade-off compared to previously published coprocessors.

a – University of Tsukuba
b – INRIA
c – Université Henri Poincaré - Nancy I
d – Insituto Politécnico Nacional
1 : Laboratory of Cryptography and Information Security (LCIS)
University of Tsukuba
2 : CARAMEL (INRIA Nancy - Grand Est / LORIA)
INRIA – CNRS : UMR7503 – Université de Lorraine
3 : Centro de Investigacion y de Estudios Avanzados del Instituto Politécnico Nacional (CINVESTAV)
Centro de Investigacion y de Estudios Avanzados del IPN

inria-00424016, version 2
http://hal.inria.fr/inria-00424016
oai:hal.inria.fr:inria-00424016
Contributeur : Jérémie Detrey <>
Soumis le : Jeudi 25 Novembre 2010, 15:05:28
Dernière modification le : Mercredi 9 Février 2011, 17:03:06

Voir la fiche détaillée

Documents associés

PDF :

DOI : 10.1109/TC.2010.163

Exporter

Bibtex EndNote TEI RefWorks

%% inria-00424016, version 2
%% http://hal.inria.fr/inria-00424016
@article{beuchat:inria-00424016,
    hal_id = {inria-00424016},
    url = {http://hal.inria.fr/inria-00424016},
    title = {{Fast architectures for the $\eta\_T$ pairing over small-characteristic supersingular elliptic curves}},
    author = {Beuchat, Jean-Luc and Detrey, J{\'e}r{\'e}mie and Estibals, Nicolas and Okamoto, Eiji and Rodr{\'\i}guez-Henr{\'\i}quez, Francisco},
    abstract = {{This paper is devoted to the design of fast parallel accelerators for the cryptographic $\eta\_T$ pairing on supersingular elliptic curves over finite fields of characteristics two and three. We propose here a novel hardware implementation of Miller's algorithm based on a parallel pipelined Karatsuba multiplier. After a short description of the strategies we considered to design our multiplier, we point out the intrinsic parallelism of Miller's loop and outline the architecture of coprocessors for the $\eta\_T$ pairing over $\F\_{2^m}$ and $\F\_{3^m}$. Thanks to a careful choice of algorithms for the tower field arithmetic associated with the $\eta\_T$ pairing, we manage to keep the pipelined multiplier at the heart of each coprocessor busy. A final exponentiation is still required to obtain a unique value, which is desirable in most cryptographic protocols. We supplement our pairing accelerators with a coprocessor responsible for this task. An improved exponentiation algorithm allows us to save hardware resources. According to our place-and-route results on Xilinx FPGAs, our designs improve both the computation time and the area-time trade-off compared to previously published coprocessors.}},
    language = {Anglais},
    affiliation = {Laboratory of Cryptography and Information Security - LCIS , CARAMEL - INRIA Nancy - Grand Est / LORIA , Centro de Investigacion y de Estudios Avanzados del Instituto Polit{\'e}cnico Nacional - CINVESTAV},
    booktitle = {{Special Section on Computer Arithmetic}},
    publisher = {IEEE Computer Society},
    pages = {266-281},
    journal = {IEEE Transactions on Computers},
    volume = {60},
    number = {2 },
    audience = {internationale },
    doi = {10.1109/TC.2010.163 },
    year = {2011},
    month = Feb,
    pdf = {http://hal.inria.fr/inria-00424016/PDF/bdeor\_ieee\_tc\_arith.pdf},
}

<?xml version="1.0" encoding="UTF-8"?>
<listBibl xmlns="http://www.tei-c.org/ns/1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:mml="http://www.w3.org/1998/Math/MathML">
<listBibl type="article"><head>Articles dans des revues avec comité de lecture</head>
<biblStruct type="article" xml:id="inria-00424016"><analytic>
<author><persName><forename>Jean-Luc</forename><surname>Beuchat</surname></persName>
<affiliation>
<orgName type="laboratory">LCIS</orgName>
<orgName type="team">Laboratory of Cryptography and Information Security</orgName>
<country>JP</country>
<orgName type="institution">University of Tsukuba</orgName>
</affiliation>
</author>
<author><persName><forename>Jérémie</forename><surname>Detrey</surname></persName>
<affiliation>
<orgName type="laboratory">INRIA Nancy - Grand Est / LORIA</orgName>
<orgName type="team">CARAMEL</orgName>
<country>FR</country>
<orgName type="institution">INRIA</orgName>
<orgName type="institution">CNRS : UMR7503</orgName>
<orgName type="institution">Université de Lorraine</orgName>
</affiliation>
</author>
<author><persName><forename>Nicolas</forename><surname>Estibals</surname></persName>
<affiliation>
<orgName type="laboratory">INRIA Nancy - Grand Est / LORIA</orgName>
<orgName type="team">CARAMEL</orgName>
<country>FR</country>
<orgName type="institution">INRIA</orgName>
<orgName type="institution">CNRS : UMR7503</orgName>
<orgName type="institution">Université de Lorraine</orgName>
</affiliation>
</author>
<author><persName><forename>Eiji</forename><surname>Okamoto</surname></persName>
<affiliation>
<orgName type="laboratory">LCIS</orgName>
<orgName type="team">Laboratory of Cryptography and Information Security</orgName>
<country>JP</country>
<orgName type="institution">University of Tsukuba</orgName>
</affiliation>
</author>
<author><persName><forename>Francisco</forename><surname>Rodríguez-Henríquez</surname></persName>
<affiliation>
<orgName type="laboratory">CINVESTAV</orgName>
<orgName type="team">Centro de Investigacion y de Estudios Avanzados del Instituto Politécnico Nacional</orgName>
<country>MX</country>
<orgName type="institution">Centro de Investigacion y de Estudios Avanzados del IPN</orgName>
</affiliation>
</author>
<title type="main" level="a">Fast architectures for the $\eta_T$ pairing over small-characteristic supersingular elliptic curves</title></analytic><monogr><title level="j" type="main">IEEE Transactions on Computers</title><imprint><publisher>IEEE Computer Society</publisher><biblScope type="publicationDate">2011-02-01</biblScope><biblScope type="vol">60</biblScope><biblScope type="issue">2</biblScope><biblScope type="pp">266-281</biblScope></imprint></monogr><idno type="doi">10.1109/TC.2010.163</idno><idno type="HALid">http://hal.inria.fr/inria-00424016</idno><idno type="HALFile">http://hal.inria.fr/inria-00424016/PDF/bdeor_ieee_tc_arith.pdf</idno></biblStruct>
</listBibl>
</listBibl>