Arithmetic Operators for Pairing-Based Cryptography

Size: px

Start display at page:

Download "Arithmetic Operators for Pairing-Based Cryptography"

Winifred Pitts
6 years ago
Views:

1 Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba Tennodai, Tsukuba Ibaraki, , Japan Joint work with Nicolas Brisebarre (Université J. Monnet, Saint-Étienne, France), Jérémie Detrey (ENS Lyon, France), Eiji Okamoto (University of Tsukuba, Japan), Masaaki Shirase (Future University, Hakodate, Japan), and Tsuyoshi Takagi (Future University, Hakodate, Japan) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 1 / 38

2 Outline of the Talk 1 Example: Three-Party Key Agreement 2 Computation of the η T Pairing 3 A Coprocessor for the η T Pairing Computation 4 A Coprocessor for the Final Exponentiation 5 A Coprocessor for the Full Pairing Computation 6 Conclusion Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 2 / 38

3 Example: Three-Party Key Agreement Key agreement How can Alice, Bob, and Chris agree upon a shared secret key? Alice Bob? Chris Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 3 / 38

4 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

5 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Diffie-Hellman problem (DHP) Given P, ap, and bp, find abp. Alice a Bob b ap bp Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

6 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Diffie-Hellman problem (DHP) Given P, ap, and bp, find abp. Alice a ap Bob b ap bp bp Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

7 Example: Three-Party Key Agreement Discrete logarithm problem (DLP) G = P : additively-written group of order n DLP: given P, Q, find the integer x {0,..., n 1} such that Q = xp Diffie-Hellman problem (DHP) Given P, ap, and bp, find abp. Alice a Bob b abp abp Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 4 / 38

8 Example: Three-Party Key Agreement Alice ap a Bob bp b Chris cp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

9 Example: Three-Party Key Agreement Alice a ap bp Bob bp b ap First round cp Chris cp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

10 Example: Three-Party Key Agreement Alice abp a Bob acp b Chris bcp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

11 Example: Three-Party Key Agreement Alice a abp acp Bob acp b abp Second round bcp Chris bcp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

12 Example: Three-Party Key Agreement Alice abcp a Bob abcp b Chris abcp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 5 / 38

13 Example: Three-Party Key Agreement Three-party two-round key agreement protocol Does a three-party one-round key agreement protocol exist? Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 6 / 38

14 Example: Three-Party Key Agreement Bilinear pairing G 1 = P : additively-written group G 2 : multiplicatively-written group with identity 1 A bilinear pairing on (G 1, G 2 ) is a map ê : G 1 G 1 G 2 that satisfies the following conditions: 1 Bilinearity. For all Q, R, S G 1, ê(q + R, S) = ê(q, S)ê(R, S) and ê(q, R + S) = ê(q, R)ê(Q, S). 2 Non-degeneracy. ê(p, P) 1. 3 Computability. ê can be efficiently computed. Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 7 / 38

15 Example: Three-Party Key Agreement Bilinear Diffie-Hellman problem (BDHP) Given P, ap, bp, and cp, compute ê(p, P) abc Assumption: the BDHP is difficult Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 8 / 38

16 Example: Three-Party Key Agreement Alice ap a Bob bp b Chris cp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

17 Example: Three-Party Key Agreement Alice ap a bp Bob bp b ap ap cp bp cp Chris cp c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

18 Example: Three-Party Key Agreement Alice ê(bp, cp) a a Bob ê(ap, cp) b b ê(bp, cp) a = ê(ap, cp) b = ê(ap, bp) c = ê(p, P) abc Chris ê(ap, bp) c c Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 9 / 38

19 Example: Three-Party Key Agreement Examples of cryptographic bilinear maps Weil pairing Tate pairing η T pairing (Barreto et al.) Ate pairing (Hess et al.) Applications Identity based encryption Short signature Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 10 / 38

20 Computation of the η T Pairing Elliptic curve over F 3 m Q = (x q, y q ) P = (x p, y p ) P Q η T pairing calculation η T (P, Q) (F 3 6m) Exponentiation η T (P, Q) W F 3 6m Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 11 / 38

21 Computation of the η T Pairing Tower Field 1 ρ ρ 2 F 3 6m = F 3 2m[ρ]/(ρ 3 ρ 1) 1 σ F 3 2m = F 3 m[σ]/(σ 2 + 1) 1 x x 2 x m 3 x m 2 x m 1 F 3 m = F 3 [x]/(f (x)) F 3 = Z/3Z = {0, 1, 2} Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 12 / 38

22 Computation of the η T Pairing Tower Field F 3 2m F 3 2m F 32m 1 σ ρ σρ ρ 2 σρ 2 F 3 6m 12m bits 1 x x 2 x m 3 x m 2 x m 1 F 3 m 2m bits F 3 2 bits Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 13 / 38

23 Computation of the η T Pairing η T (P, Q) Addition Multiplication Cubing Cube root η T (P, Q) 3 m+1 2 Addition Multiplication Cubing (Arith 18) Bilinearity of η T (P, Q) W ( ([ η T (P, Q) W = 3m η T 3 m 1 2 ] P, Q ) m+1 ) W 3 2 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 14 / 38

24 Computation of the η T Pairing Multiplication over F 3 6m η T (P, Q) m+1 2 multiplications Operands: A and B F 3 6m 1 with σ ρ σρ ρ 2 σρ 2 B = r 2 0 y p y q r r 0, y p, and y q F 3 m Cost: 13 multiplications and 46 additions over F 3 m Multiplication over F 3 6m Exponentiation Only one multiplication Operands: A and B F 3 6m Cost: 18 multiplications and 58 additions over F 3 m Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 15 / 38

25 A Coprocessor for the η T Pairing Computation P = (x p, y p ) Q = (x q, y q ) η T pairing calculation η T (P, Q) Exponentiation (Waifi 2007) η T (P, Q) W (Arith 18) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 16 / 38

26 A Coprocessor for the η T Pairing Computation P = (x p, y p ) Q = (x q, y q ) η T pairing calculation η T (P, Q) Exponentiation (Waifi 2007) η T (P, Q) W (Arith 18) Computation of η T (P, Q): multiplication over F 3 6m New algorithm 15 multiplications and 29 additions over F 3 m Allows one to share operands between multipliers (less registers) Architecture 9 multipliers Most significant coefficient first (Horner s rule) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 16 / 38

27 A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [x]/(x 97 + x ) FPGA: Cyclone II EP2C35 (Altera) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

28 A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [x]/(x 97 + x ) FPGA: Cyclone II EP2C35 (Altera) η T (P, Q) (Arith 18) Arithmetic over F multipliers 2 adders 1 cubing unit Area: LEs Frequency: 149 MHz Computation time: 33 µs Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

29 A Coprocessor for the η T Pairing Computation Prototype Field: F 3 97 = F 3 [x]/(x 97 + x ) FPGA: Cyclone II EP2C35 (Altera) η T (P, Q) (Arith 18) Arithmetic over F multipliers 2 adders 1 cubing unit Area: LEs Frequency: 149 MHz Computation time: 33 µs Exponentiation (Waifi 2007) Challenge Raise η T (P, Q) to the W power in 33 µs (or less) with the smallest amount of hardware Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 17 / 38

30 A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

31 A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

32 A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Small series Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

33 A Coprocessor for the η T Pairing Computation Why FPGAs? Prototyping Short time to market Small series Hardware accelerators for some applications (e.g. cryptography) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 18 / 38

34 A Coprocessor for the Final Exponentiation Final exponentiation: operations over F 3 m Additions 477 Multiplications 78 Cubings 3m + 3 Inversion 1 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 19 / 38

35 A Coprocessor for the Final Exponentiation Addition over F 3 m a m 1 b m 1 a 1 b 1 a 0 b 0 Modulo 3 Modulo 3 Modulo 3... addition addition addition s m 1 = (a m 1 + b m 1 ) mod 3 s 1 = (a 1 + b 1 ) mod 3 s 0 = (a 0 + b 0 ) mod 3 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 20 / 38

36 A Coprocessor for the Final Exponentiation Addition, subtraction, and accumulation over F 3 m Enable Add/Accumulate c 2 c 3 c s(x) a(x) b(x) +/ +/ Addition of 3 operands c 5 Enable c 0 c 1 Enable Multiplication by 1 or 2 2b(x) b(x) (mod 3) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 21 / 38

37 A Coprocessor for the Final Exponentiation Multiplication over F 3 m Array multiplier ( m/3 clock cycles) Most significant coefficient first (Horner s rule) Enable c 0 x 3 mod f b(x) PPG p(x) a 3i c 3 c 4 a(x) Shift register a 3i+1 PPG PPG x x 2 mod f mod f Addition of 4 operands Enable and reset c 1 c 2 a 3i+2 Load and shift Multiplication by 0, 1, or 2 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 22 / 38

38 A Coprocessor for the Final Exponentiation Cubing over F 3 [x]/(x 97 + x ) a 96 a 95 a 94 a 2 a 1 a 0 ν 0 (x) ν 1 (x) ν 2 (x) a 32 a 64 a 65 a 93 0 a 60 a 61 a 89 0 a 60 a 61 a 0 Addition of 3 operands a(x) 3 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 23 / 38

39 A Coprocessor for the Final Exponentiation Arithmetic operators over F 3 97 Operation Area [LEs] Control [bits] Add./sub Mult Cubing ALU on a Cyclone II FPGA Ctrl a(x) b(x) Addition Multiplication p(x) Cubing Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 24 / 38

40 A Coprocessor for the Final Exponentiation Unified arithmetic operator Operations Addition Subtraction Accumulation Multiplication Cubing Area (Cyclone II): 2676 LEs (instead of 3308) Control bits: 11 (instead of 17) Inversion: Fermat s little theorem (96 cubings and 9 multiplications) a 3m 2 = a 1, where a F 3 m Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 25 / 38

41 A Coprocessor for the Final Exponentiation Unified arithmetic operator c0 c1 c7 c8 d2(x) d1(x) d0(x) c2 Shift register R2 R1 c3 Load R0 d03i PPG PPG PPG d03i+1 ν0(x) ν1(x) x 2 ν2(x) mod f(x) x 1 0 mod f(x) 1 0 Enable c6 d03i+2 x 3 mod f(x) 1 p(x) c4 c5 0 Shift Load c9 c10 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 26 / 38

42 A Coprocessor for the Final Exponentiation Prototype Field: F 3 97 = F 3 [x]/(x 97 + x ) FPGA: Cyclone II EP2C35 (Altera) η T (P, Q) (Arith 18) Arithmetic over F multipliers 2 adders 1 cubing unit Area: LEs Frequency: 149 MHz Computation time: 33 µs Exponentiation (Waifi 2007) Unified operator Area: 2787 LEs Frequency: 159 MHz Computation time: 26 µs Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 27 / 38

43 A Coprocessor for the Full Pairing Computation Operations over F 3 m Single unified operator for computing η T (P, Q) W Additions 51 m 1 2 Multiplications 15 m 1 2 Cubings 10m + 2 Inversion Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 28 / 38

44 A Coprocessor for the Full Pairing Computation Results (CHES 2007) FPGA: Xilinx Virtex-II Pro 4 F 3 [x]/(x 97 + x ) Area: 1888 slices + 6 memory blocks Clock frequency: 147 MHz Clock cycles for a full pairing: Calculation time: 222µs Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 29 / 38

45 A Coprocessor for the Full Pairing Computation Results (CHES 2007) FPGA: Xilinx Virtex-II Pro 4 F 3 [x]/(x 97 + x ) Area: 1888 slices + 6 memory blocks Clock frequency: 147 MHz Clock cycles for a full pairing: Calculation time: 222µs Extended Euclidean algorithm (EEA) Area: 2210 additional slices Clock cycles for a full pairing: instead of Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 29 / 38

46 Conclusion Comparisons Architecture Area Calculation time FPGA Arith 18 & Waifi LEs 33 µs Cyclone II CHES slices 222 µs Virtex-II Pro Grabher and Page (CHES 2005) 4481 slices 432 µs Virtex-II Pro Kerins et al. (CHES 2005) slices 850 µs Virtex-II Pro Ronan et al. (ITNG 2007) slices 178 µs Virtex-II Pro (1 slice 2 LEs) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 30 / 38

47 Conclusion VHDL code generator Generation of an unified operator according to F p m Support for the following operations: Addition Multiplication Frobenius (a(x) p mod f (x)) Inverse Frobenius ( p a(x) mod f (x)) and f (x) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 31 / 38

48 Conclusion VHDL code generator Generation of an unified operator according to F p m Support for the following operations: Addition Multiplication Frobenius (a(x) p mod f (x)) Inverse Frobenius ( p a(x) mod f (x)) and f (x) Future work Automatic generation of the control unit Application (e.g. short signature) Genus 2 Side-channel Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 31 / 38

49 Appendix Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 32 / 38

50 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 c 0 c 1 σ c 2 ρ c 3 σρ c 4 ρ 2 c 5 σρ 2 a 4 r 0 a 5 r 0 a 0 r 0 a 1 r 0 a 2 r 0 a 3 r 0 a 2 a 3 a 4 a 5 a 0 a 1 a 2 a 3 a 4 a 5 a 4 r 0 a 5 r 0 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 33 / 38

51 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 c 0 c 1 σ c 2 ρ c 3 σρ c 4 ρ 2 c 5 σρ 2 a 4 r 0 a 5 r 0 a 0 r 0 a 1 r 0 a 2 r 0 a 3 r 0 a 2 a 3 a 4 a 5 a 0 a 1 a 2 a 3 a 4 a 5 a 4 r 0 a 5 r 0 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 1 Compute in parallel r 2 0, y py q, a 0 r 0, a 1 r 0, a 2 r 0, a 3 r 0, a 4 r 0, and a 5 r 0 (8 multiplications) Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 33 / 38

52 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 c 0 c 1 σ c 2 ρ c 3 σρ c 4 ρ 2 c 5 σρ 2 a 4 r 0 a 5 r 0 a 0 r 0 a 1 r 0 a 2 r 0 a 3 r 0 a 2 a 3 a 4 a 5 a 0 a 1 a 2 a 3 a 4 a 5 a 4 r 0 a 5 r 0 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 1 Compute in parallel r 2 0, y py q, a 0 r 0, a 1 r 0, a 2 r 0, a 3 r 0, a 4 r 0, and a 5 r 0 (8 multiplications) 2 Apply Karatsuba s algorithm to compute the remaining products by means of 9 multipliers Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 33 / 38

53 Multiplication over F 3 6m η T (P, Q) A ( r y p y q σ r 0 ρ ρ 2 ) = c 0 + c 1 σ + c 2 ρ + c 3 σρ + c 4 ρ 2 + c 5 σρ 2 a 0 r0 2 a 0 y p y q a 2 r0 2 a 2 y p y q a 4 r0 2 a 4 y p y q a 1 y p y q a 1 r0 2 a 3 y p y q a 3 r0 2 a 5 y p y q a 5 r0 2 Karatsuba s algorithm (9 multiplications performed in parallel): a 0 y p y q a 1 r 2 0 = (a 0 + a 1 ) (y p y q r 2 0 ) + a 0 r 2 0 a 1 y p y q a 2 y p y q a 3 r 2 0 = (a 2 + a 3 ) (y p y q r 2 0 ) + a 2 r 2 0 a 3 y p y q a 4 y p y q a 5 r 2 0 = (a 4 + a 5 ) (y p y q r 2 0 ) + a 4 r 2 0 a 5 y p y q Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 34 / 38

54 Multiplication over F 3 6m η T (P, Q) Shift Load Load Load Load c4 D0 c3 c0 c1 c2 D1 M 0 M 1 M 2 a 0 r 0 a 2 r 0 a 4 r 0 a 0 r0 2 a 2 r0 2 a 4 r0 2 c5 Load Three multipliers c7 Clear Common operand: r 0 or r Synchronous reset c10 c6 c9 Select Load c8 Clear P Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 35 / 38

55 Multiplication over F 3 6m η T (P, Q) Shift Load Load Load Load c4 D0 c3 c0 c1 c2 D1 M 3 M 4 M 5 a 1 r 0 a 3 r 0 a 5 r 0 a 1 y p y q a 3 y p y q a 5 y p y q c5 Load Three multipliers c7 Clear Common operand: r 0 or y p y q Synchronous reset c10 c6 c9 Select Load c8 Clear P Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 35 / 38

56 Multiplication over F 3 6m η T (P, Q) Load Load Load D0 c0 c1 c2 D1 Load c10 Select c3 c5 Shift M 6 M 7 M 8 r0 2 y py q (a 0 + a 1) (a 2 + a 3) (a 4 + a 5) (y py q r0 2 ) (y py q r0 2 ) (y py q r0 2 ) c4 c6 c8 Load Load Clear c12 c11 Select Synchronous reset c7 c9 Load Clear P Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 36 / 38

57 A Coprocessor for the η T Pairing Computation d0 Mux0 1 0 d1 D0 Ctrl D1 pe_mult_block_t1_generic Q D0 Ctrl D1 pe_mult_block_t1_generic Q D0 Ctrl D1 pe_mult_block_t2_generic Q D0 Ctrl D1 pe_add S D2 Ctrl 0 1 Mux1 Qa D Ctrl pe_cubing C Mux2 0 1 RAM Qb Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 37 / 38

58 A Coprocessor for the Full Pairing Computation P, Q Select Addr Wen 7 bits 198 bits 7 bits Data Addr Wen Wen Addr Data Port B Port A RAM QA QB 194 bits 194 bits 198 bits d2(x) p(x) d1(x) Unified d0(x) operator 11 bits Control 194 bits ηt (P, Q) W ROM Addr Q 10 bits 32 bits Finite State Machine Start Done Port B Port A Processing element c 31 c 30 c 29 c 28 c 27 c 26 c 25 c 24 c 23 c 22 c 21 c 20 c 19 c 18 c 17 c 16 c 15 c 14 c 13 c 12 c 11 c 10 c 9 c 8 c 7 c 6 c 5 c 4 c 3 c 2 c 1 c 0 Counter Wen Address Address Jean-Luc Beuchat (LCIS) η T Pairing in Characteristic Three 38 / 38

An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation

An Algorithm for the η T Pairing Calculation in Characteristic Three and its Hardware Implementation Jean-Luc Beuchat 1 Masaaki Shirase 2 Tsuyoshi Takagi 2 Eiji Okamoto 1 1 Graduate School of Systems and