A Comparison between Hardware Accelerators for the Modified Tate Pairing over F 2

Transcription

1 A Comparison between Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m Jean-Luc Beuchat 1, Nicolas Brisebarre,Jérémie Detrey 3, Eiji Okamoto 1,andFranciscoRodríguez-Henríquez 4 1 Graduate School of Systems and Information Engineering, University of Tsukuba, Tennodai, Tsukuba, Ibaraki, , Japan LIP/Arénaire (CNRS ENS Lyon INRIA UCBL), ENS Lyon, 46, allée d Italie, F Lyon Cedex 07, France 3 Cosec group, B-IT, Dahlmannstraße, D Bonn, Germany 4 Computer Science Section, Electrical Engineering Department, Centro de Investigación y de Estudios Avanzados del IPN, Av. Instituto Politécnico Nacional No. 508, México City, México Abstract. In this article we propose a study of the modified Tate pairing in characteristics two and three. Starting from the η T pairing introduced by Barreto et al. [1], we detail various algorithmic improvements in the case of characteristic two. As far as characteristic three is concerned, we refer to the survey by Beuchat et al. [5]. We then show how to get back to the modified Tate pairing at almost no extra cost. Finally, we explore the trade-offs involved in the hardware implementation of this pairing for both characteristics two and three. From our experiments, characteristic three appears to have a slight advantage over characteristic two. Keywords: Modified Tate pairing, reduced η T pairing, finite field arithmetic, elliptic curve, hardware accelerator, FPGA. 1 Introduction Over the past few years, bilinear pairings over elliptic and hyperelliptic curves have been the focus of an ever increasing attention in cryptology. Since their introduction to this domain by Menezes, Okamoto & Vanstone [3] and Frey & Rück [9], and the first discovery of their constructive properties by Mitsunari, Sakai & Kasahara [6], Sakai, Oghishi & Kasahara [31], and Joux [17], a large number of pairing-based cryptographic protocols have already been published. For those reasons, efficient computation of pairings is crucial and, according to the recommendations of [1, 1], the Tate pairing, rather than the Weil pairing, appears to be the most appropriate choice. Miller [4, 5] proposed in 1986 the first algorithm for iteratively computing the Weil and Tate pairings. In the case of the Tate pairing, a further final exponentiation of the Miller s algorithm result is required to obtain a uniquely defined value. Various improvements were published in [, 7, 10, ] and we will S.D. Galbraith and K.G. Paterson (Eds.): Pairing 008, LNCS 509, pp , 008. c Springer-Verlag Berlin Heidelberg 008

2 98 J.-L. Beuchat et al. consider in this paper the modified Tate pairing as defined in []. Generalizing some results by Duursma & Lee [7], Barreto et al. then introduced the η T pairing [1], in which the number of iterations in Miller s algorithm is halved. This nondegenerate bilinear pairing can also be used as a tool for computing the modified Tate pairing, at the expense of an additional exponentiation. General purpose microprocessors are intrinsically not suited for computations on finite fields of small characteristic, hence software implementations are bound to be quite slow and the need for special purpose hardware coprocessors is strong [5, 6, 11, 16, 18, 19, 0, 8, 9, 30, 33]. In this context, we extend here to the characteristic two the results by Beuchat et al. [5] in the case of the hardware implementation of the reduced η T pairing in characteristic three. In Section, we detail the algorithms required to compute the reduced η T pairing in characteristic two. Some algorithmic improvements in both the pairing computation and the tower-field arithmetic are also presented, and an accurate cost analysis in terms of operations over the base field F m is given. We then study in Section 3 the relation between the η T and Tate pairings, and show that the modified Tate pairing can be computed from the reduced η T pairing at almost no extra cost in characteristics two and three. Section 4 gives hardware implementation results of the modified Tate pairing in both characteristics and for various field extension degrees. Comparisons between F m and F 3 m are presented at equivalent levels of security and they show a slight advantage in favor of characteristic three. Finally, some comparisons with already published solutions are also given to attest the meaningfulness of our results. Supplementary material is available in a research report version of this paper [4]. Computation of the Reduced η T Pairing in Characteristic Two.1 Preliminary Definitions We consider the supersingular curve E over F m defined by the equation y + y = x 3 + x + b, (1) where b {0, 1} and m is an odd integer. We define δ = b when m 1, 7 (mod 8); in all other cases, δ =1 b. The number of rational points of E over F m is given by N =#E(F m)= m +1+ν (m+1)/,whereν =( 1) δ []. The embedding degree of this curve, which is the least positive integer k such that N divides km 1, is 4. Choosing T = m N and a prime l dividing N, Barreto et al. [1] defined the η T pairing of two points P and Q E(F m)[l] as: η T (P, Q) =f T,P (ψ(q)), where T = νt, P =[ ν]p,ande(f m)[l] denotes the l-torsion subgroup of E(F m). The distortion map ψ is defined from E(F m)[l] toe(f 4m)[l] as ψ(x, y) =(x + s,y+ sx + t),

3 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 99 for all (x, y) E(F m)[l] [1]. The elements s and t of F 4m satisfy s = s +1 and t = t + s. This allows for representing F 4m as an extension of F m using the basis (1,s,t,st): F 4m = F m[s, t] = F m[x, Y ]/(X + X +1,Y + Y + X). Finally, f T,P is an element of F m(e), where F m(e) denotes the function field of the curve, and is given by f T,P : E(F 4m)[l] F 4m ψ(q) m 1 i=0 g [i ]P m 1 (ψ(q)) where: The point doubling formula is given by [ i ] ) P = (x i P + i, yi P + ixi P + τ(i), i l P (ψ(q)), () with { 0 if i 0, 1 (mod 4), τ(i) = 1 otherwise. g V, for all V =(x V,y V ) E(F m)[l], is the rational function defined over E(F 4m)[l] corresponding to the doubling of V. For all (x, y) E(F 4m)[l], we have g V (x, y) =(x V +1)(x V + x)+y V + y [1]. According to the equation of the elliptic curve (1), x 3 V + x V + y V is equal to yv + b and we obtain [33]: g V (x, y) =x(x V +1)+yV + y + b. (3) We considered both forms of g V (x, y) when studying η T pairing algorithms over F m and discovered that the second one always leads to the fastest algorithms. l V, for all V =(x V [,y V ) ] E(F m)[l], is the equation of the line corresponding to the addition of m+1 V with [ν]v, and defined for all (x, y) E(F 4m)[l] as follows: where l V (x, y) =x V +(x V + α)(x + α)+x + y V + y + δ +1+ (x V + x +1 α)s + t, (4) α = { 0 if m 3 (mod 4), 1 if m 1 (mod 4).. Computation of the η T Pairing in Characteristic Two Barreto et al. suggested reversing the loop to compute the η T pairing [1]. They introduced the new index j = m 1 i and obtained m 1 ( ) j f T,P (ψ(q)) = l P (ψ(q)) g [ ] m 1 j P (ψ(q)). j=0

4 300 J.-L. Beuchat et al. A tedious case-by-case analysis allows one to prove that: ( ) j g [ ] m 1 j P (ψ(q)) =(x j P (x j P + α) (xj Q + α)+y j P + yj Q + β + + xj Q + α)s + t, where β = { b if m 1, 3 (mod 8), 1 b if m 5, 7 (mod 8). This equation differs from the one given by Barreto et al. [1]: taking advantage of the second form of g V (3), we obtain a slight reduction in the number of additions over F m. We suggest a second improvement to save a multiplication over F m.atfirst glance multiplying l P (ψ(q)) by g [ ] m 1 P (ψ(q)) involves three multiplications over F m. However, when j =0,wehave: g [ ] m 1 P (ψ(q)) = (x P + α)(x Q + α)+y P + y Q + β +(x P + x Q + α)s + t. Seeing that α + β = δ +1,werewritel P (ψ(q)) as follows: l P (ψ(q)) = g [ ] m 1 P (ψ(q)) + x P + x Q + α + s. Defining g 0 = (x P + α)(x Q + α) +y P + y Q + β, g 1 = x P + x Q + α, and g = x P + x Q + α, we eventually obtain: g [ ] m 1 P (ψ(q)) = g 0 + g 1 s + t and l P (ψ(q)) = (g 0 + g )+(g 1 +1)s + t. The product l P (ψ(q)) g [ ] m 1 P (ψ(q)) can be computed by means of two multiplications over F m (see [4, Appendix D.]). Algorithm 1 describes the computation of the η T pairing according to this construction. Addition over F m involves m bitwise exclusive-or operations that can be implemented in parallel. We refer to this operation as addition (A) when we give the cost of an algorithm. However, the addition of an element of F requires a single exclusive-or operation, denoted by XOR. Additionally, M denotes multiplications, S squarings and R square roots. We also introduce δ =1 δ. The first step consists in computing P =[ ν]p (line 1). Multiplication over F 4m usually requires nine multiplications and twenty additions over F m.however, the sparsity of G (as given line 13) allows one to compute the product F G (line 14) by means of only six multiplications and fourteen additions over F m (see [4, Appendix D.] for further details). Contrary to what was suggested by Ronan et al. [9], the loop unrolling technique introduced by Granger et al. [13]

5 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 301 in the context of the Tate pairing in characteristic three turns out to be useless in our case. Let G j and G j+1 denote the values of G at iterations j and j +1, respectively. Algorithm 1 computes (F G j ) G j+1 by means of twelve multiplications and some additions over F m. The loop unrolling trick consists in taking advantage of the sparsity of G j and G j+1 : only three multiplications over F m are required to compute the product G j G j+1. Unfortunately, the result is not a sparse polynomial, and the multiplication by F involves nine multiplications over F m. Thus, computing (G j G j+1 ) F instead of (F G j ) G j+1 does not decrease the number of multiplications over the underlying field. Algorithm 1. Computation of the η T pairing in characteristic two: reversedloop approach with square roots. Input: P, Q F m[l]. Output: η T (P, Q) F 4m. 1. y P y P + δ; ( δ XOR). u x P + α; v x Q + α (α XOR) 3. g 0 u v + y P + y Q + β; (1 M, A, β XOR) 4. g 1 u + x Q; g v + x P ; (1 S, A) 5. G g 0 + g 1s + t; 6. L (g 0 + g )+(g 1 +1)s + t; (1 A, 1 XOR) 7. F L G; (M,1S,5A,XOR) 8. for j =1to m 1 do 9. x P x P ; y P y P ; x Q x Q; y Q yq; ( R, S) 10. u x P + α; v x Q + α (α XOR) 11. g 0 u v + y P + y Q + β; (1 M, A, β XOR) 1. g 1 u + x Q; (1 A) 13. G g 0 + g 1s + t; 14. F F G; (6M,14A) 15. end for 16. return F M ; The square roots in Algorithm 1 could be computed according to the technique described by Fong et al. [8]. However, this approach would require dedicated hardware and could potentially slow down a pairing coprocessor. Thus, it is attractive to study square-root-free algorithms which allow one to design simpler arithmetic and logic units. Another argument preventing the usage of square roots is that the complexity of their computation heavily depends on the particular irreducible polynomial selected for representing the field F m.onthe other hand, the complexity of squarings is somehow more independent of the irreducible polynomial [7, 3]. To get rid of the square roots, we remark that η T (P, Q) =η T ([ m 1 m 1 ] ) P, Q.

6 30 J.-L. Beuchat et al. Let [ j ]Q = ( x [j ]Q,y [j ]Q).Since g [ ]([ m 1 j ] (ψ(q)) = g m 1 P ) [ j ]P (ψ(q)), the η T pairing is equal to f T,P (ψ(q)) = l[ m 1 ]P (ψ(q)) m 1 m 1 j=0 m 1 ( (g[ ) j ]P (ψ(q))) j j, where l [ ] m 1 P (ψ(q)) = x P (x P + x Q + α)+(α +1)x P + y P + y Q + γ + δ +(x P + x Q)s + t, ( g[ j ]P (ψ(q))) j = ( x P +1) (x [ j ]Q +1 ) + yp + y [ j ]Q + b + ( x P + x [ j ]Q +1 ) s + t, and γ = { 0 if m 1, 7 (mod 8), 1 if m 3, 5 (mod 8). Again, one can simplify the computation of the product l [ ] m 1 P (ψ(q)) g P (ψ(q)). Noting that γ + δ = b and defining g 0 = x P x Q + x P + x Q + yp + y q + b +1,g 1 = x P + x Q +1,andg = x 4 P + x Q +1,weobtain l [ ] m 1 P (ψ(q)) g P (ψ(q)) = ((g 0 + g )+(g 1 +1)s + t) (g 0 + g 1s + t). An implementation of the η T pairing following this construction is given in Algorithm. We also studied direct approaches based on Equation (). However, they turned out to be slower and we will not consider such algorithms in this paper (see [4, Appendix A] for details)..3 Final Exponentiation The η T pairing has to be reduced in order to be uniquely defined. We have to raise η T (P, Q) tothemth power, where M = 4m 1 N =( m 1)( m +1 ν m+1 ). Two algorithms have been proposed in the open literature for ν =1andν = 1, respectively:

7 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 303 Algorithm. Computation of the η T pairing in characteristic two: reversedloop approach without square roots. Input: P, Q F m[l]. Output: η T (P, Q) F 4m. 1. y P y P + δ; ( δ XOR). x P x P ; y P yp ; ( S) 3. y P y P + b; u x P +1; (b +1XOR) 4. g 1 u + x Q; (1 A) 5. g 0 x P x Q + y P + y Q + g 1; (1 M, 3 A) 6. x Q x Q +1; (1XOR) 7. g x P + x Q; (1 S, 1 A) 8. G g 0 + g 1s + t; 9. L (g 0 + g )+(g 1 +1)s + t; (1 A, 1 XOR) 10. F L G; (M,1S,5A,XOR) 11. for j 1to m 1 do 1. F F ; (4 S, 4 A) 13. x Q x 4 Q; y Q yq; 4 (4 S) 14. x Q x Q +1; y Q y Q + x Q; (1 A, 1 XOR) 15. g 0 u x Q + y P + y Q; (1 M, A) 16. g 1 x P + x Q; (1 A) 17. G g 0 + g 1s + t; 18. F F G; (6M,14A) 19. end for 0. Return F M ; Ronan et al. [9] assumed that ν = 1, unrolled the different powering, and grouped the inversions together. Thus, their final exponentiation algorithm involves a single inversion over F 4m. Shu et al. [33] noted that raising the η T pairing to the power of m 1 requires only one inversion over F m. Whenν = 1, the second part of the final exponentiation consists in raising this intermediate result to the power of m +1+ m+1. In the following, we show that the final exponentiation of the η T pairing in characteristic two always involves a single inversion over F m. SinceM =( m 1)( m +1)+ν(1 m ) m+1, we compute η T (P, Q) M = ( ) m +1 η T (P, Q) m 1 (η ) m+1 T (P, Q) ν(1 m ), and we remark that the final exponentiation requires a single inversion over F m.letu = η T (P, Q) F 4m.WritingU = U 0 + U 1 t,whereu 0 and U 1 F m and noting that t m = t +1,we obtainu m = U 0 + U 1 + U 1 t. Therefore, we have:

8 304 J.-L. Beuchat et al. U m 1 = U 0 + U 1 + U 1 t (U 0 + U 1 + U 1 t) = U 0 + U 1 t (U 0 + U 1 t) (U 0 + U 1 + U 1 t) = U 0 + U1 + U1 s + U1 t U0 + U 0U 1 + U1 s,and U U 1 m 0 + U 1 t = U 0 + U 1 + U 1 t = U 0 + U 1 s + U 1 t U0 + U 0U 1 + U1 s, where U0 + U 0 U 1 + U1 s F m. Algorithm 3 summarizes the computation of the η T (P, Q) M : Accordingtoournotation,wehaveU = U 0 + U 1 t,whereu 0 = u 0 + u 1 s and U 1 = u + u 3 s.sinces = s +1,weremarkthat: U0 =(u 0 + u 1)+u 1s, U1 =(u + u 3 )+u 3 s, U 1 s = u 3 + u s. Therefore, 4 squarings and additions over F m allow us to get T 0 = U 0, T 1 = U 1,andT = U 1 s. Multiplication over F m on line 3 is performed according to the Karatsuba- Ofman s scheme and involves three multiplications and four additions over F m: T 3 = U 0 U 1 = u 0 u + u 1 u 3 +((u 0 + u 1 )(u + u 3 )+u 0 u )s. Thanks to the tower field, inversion of D = U0 + U 0U 1 + U1 s F m is replaced by an inversion (denoted by I), a squaring, three multiplications, and two additions over F m (see [4, Appendix C] for details). The next step consists in computing V = V 0 + V 1 t = U m 1 and W = W 0 + W 1 t = U ν(1 m),wherev 0, V 1, W 0,andW 1 F m. Defining T 5 = U0 +U 1 s U0 +U0U1+U 1 s and T U1 6 = U0 +U0U1+U 1 s (line 6), we easily check that U m 1 = (T 5 + T 6 )+T 6 t and U 1 m = T 5 + T 6 t.thus, { T 5 + T 6 if ν = 1, V 0 = T 5 + T 6, W 0 = V 1 = W 1 = T 6. T 6 if ν =1, Raising V = V 0 + V 1 t F to the ( m + 1)th power over F 4m 4m (line 15) consists in multiplying V m by V. This operation turns out to be less expensive than the usual multiplication over F 4m (see [4, Appendix D.3] for details)..4 Overall Cost Evaluations Table 1 summarizes the costs of the algorithms studied in this section in terms of arithmetic operations over F m. Software implementations benefit from the

9 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 305 Algorithm 3. Final exponentiation of the reduced η T pairing. Input: U = u 0 + u 1s + u t + u 3st F 4m. The intermediate variables m i belong to F m.thet i s, V i s, W i s, and D belong to F m. V and W F 4m. Output: V = U M F 4m, withm =(m + 1)( m ν m+1 +1). 1. m 0 u 0; m 1 u 1; m u ; m 3 u 3; (4 S). T 0 (m 0 + m 1)+m 1s; T 1 (m + m 3)+m 3s; ( A) 3. T m 3 + m s; T 3 (u 0 + u 1s) (u + u 3s); (3 M, 4 A) 4. T 4 T 0 + T ; D T 3 + T 4; (4 A) 5. D D 1 ; (1I,3M,1S,A) 6. T 5 T 1 D; T 6 T 4 D; (6 M, 8 A) 7. V 0 T 5 + T 6; ( A) 8. V 1, W 1 T 5; 9. if ν = 1 then 10. W 0 V 0; 11. else 1. W 0 T 6; 13. end if 14. V V 0 + V 1t; W W 0 + W 1t; 15. V V m +1 (5 M, S, 9 A) 16. for i 1to m+1 do 17. W W ; (4 S, 4 A) 18. end for 19. Return V W ; (9M,0A) Extended Euclidean Algorithm (EEA) to perform the inversion over F m.however, supplementing a pairing coprocessor with dedicated hardware for the EEA is not the most appropriate solution. Computing the inverse of a F m by means of multiplications and squarings over F m according to Fermat s little theorem and Itoh and Tsujii s work [15] allows one to keep the circuit area as small as possible without impacting too severely on the performances [3]. Since (,wefirstraisea a 1 = a 1) m 1 to the power of m 1 1 using a Brauer-type addition chain for m 1. Then, a squaring over F m suffices to obtain a 1.We reported the cost of this inversion scheme for typical values of m in Table. 3 Computation of the Modified Tate Pairing Several researchers designed hardware accelerators over F m and F 3 m for the modified Tate pairing. According to Barreto et al. [1], a second exponentiation allows one to compute the modified Tate pairing from the reduced η T pairing. Thus, the modified Tate pairing is believed to be slower and a comparison between architectures for the modified Tate and η T pairings would be unfair. Here, we take advantage of the bilinearity of the reduced η T pairing and show how to get the modified Tate pairing almost for free.

10 306 J.-L. Beuchat et al. Table 1. Cost of the presented algorithms for computing the reduced η T characteristic two in terms of operations over the underlying field F m pairing in Additions XORs η T pairing with η T pairing without Final Exponentiation square roots square root (Algorithm 3) (Algorithm 1) (Algorithm ) m 1 11m m δ + 5+ δ + b + m 1 (α + β) m+1 Multiplications 3+7 m m 1 6 Squarings m +1 4m m +9 Square roots m 1 Inversions 1 Table. Cost of inversion over F m according to Itoh and Tsujii s algorithm in terms of multiplications and squarings Field F 39 F 51 F 83 F 313 Cost 10 M, 38 S 10 M, 50 S 11 M, 8 S 10 M, 31 S 3.1 Modified Tate Pairing in Characteristic Two The modified Tate pairing in characteristic two is given by ê(p, Q) M = η T (P, Q) MT,whereM = 4m 1 N and T = m N [1]. Let V = η T (P, Q) M. We have V N = η T (P, Q) 4m 1 =1.Sinceη T (P, Q) M is a bilinear pairing, we obtain: ê(p, Q) M = V T = V m N = V m = η T (P, Q) M m = η T ([ m ]P, Q) M, where [ m ]P =(x P +1,x P + y P + α + 1). Thus, it suffices to provide a hardware accelerator for the reduced η T pairing with [ m ]P and Q to get the modified Tate pairing. Since this preprocessing step involves an XOR operation and an addition over F m, it can be computed in software. Conversely, a processor for the modified Tate pairing computes the η T pairing if its inputs are [ m ]P and Q: η T (P, Q) M =ê([ m ]P, Q) M, where [ m ]P =(x P +1,x P + y P + α). 3. Modified Tate Pairing in Characteristic Three The same approach allows one to compute the modified Tate pairing in characteristic three. Let m be a positive integercoprime to 6 and E be the supersingular elliptic curve defined by E : y = x 3 x + b, whereb { 1, 1}. Thenumberof

11 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 307 rational points of E over F 3 m is given by N =#E(F 3 m)=3 m +1+μb3 m+1 [], with { 1 if m 1, 11 (mod 1), μ = 1 if m 5, 7 (mod 1). In characteristic three, we have the following relation between the reduced η T and modified Tate pairings [1]: ( ηt (P, Q) M ) 3T = ( ê(p, Q) M ) L, with M = 36m 1 N, T =3m N, andl = μb3 m+3. Defining V = η T (P, Q) M and seeing that V N =1,weobtain F 3 6m V 3T = V 3m+1 3 m+1 N+3N = V 3m+1. Dividing by L at the exponent level, we finally get the following relation between the reduced η T and modified Tate pairings: [ where μb3 3m 1 ê(p, Q) M = V 3m+1 L 3m 1 μb3 = V = η T ([ μb3 3m 1 ] P =( 3 x P b, μbλ 3 y P )and λ =( 1) m+1 = { ] P, Q) M, 1 if m 7, 11 (mod 1), 1 if m 1, 5 (mod 1). Again, the overhead introduced is negligible compared to the calculation time of the reduced η T pairing. Consider now the cube-root-free reversed-loop algorithm proposed by Beuchat et al. (Algorithm 4 in [5]). In this case, we suggest to [ ] M compute η T ([ μb]p, 3 3m 1 Q). Surprisingly, the modified Tate pairing in characteristic three turns out to be slightly less expensive than the η T pairing: we save two cubings and one addition over F 3 m (see [4, Appendix B] for details). Conversely, [ ] a processor for the modified Tate pairing provided with [ μb]p and 3 3m+1 Q will return the reduced η T pairing. 4 Implementation Results and Comparisons 4.1 A Unified Operator for the Arithmetic over F m and F 3 m In [3], Beuchat et al. presented an FPGA-based accelerator for the computation of the η T pairing in characteristic three. The coprocessor was based on a unified operator capable of handling all the necessary arithmetic operations over thebasefieldf 3 m. This streamlined design led to smaller circuits while retaining competitive performances with respect to the other published architectures.

12 308 J.-L. Beuchat et al. For these reasons, we chose to use such a unified operator for our own implementations in characteristic three. We also adapted the operator for supporting finite-field arithmetic in characteristic two. The core of this unified operator is an array multiplier [34] for computing the product of two elements of F p m (where p = or 3), represented in a polynomial basis using a degree-m polynomial f(x) irreducible over F p : F p m = Fp [x]/(f(x)). D coefficients of the multiplicand are processed at each clock cycle. The D corresponding partial products are then shifted and reduced modulo f(x) according to their respective weight, and finally summed into a register thanks to a tree of adders over F p m. A feedback loop allows the accumulation of the previous partial products. A product over F p m is therefore computed in m/d clock cycles. With only slight modifications, it is possible for this multiplier to also support the other operations required by the computation of the modified Tate pairing. For instance, bypassing the shift/modulo-f(x) reduction stage allows for additions, subtractions and accumulations. Similarly, the Frobenius endomorphism (i.e. squaring in characteristic two or cubing in characteristic three) only amounts to a linear combination of the coefficients of the polynomial. This linear combination can be computed at design time and then directly hard-wired as an alternative datapath during the shift/modulo stage. 4. Characteristic Two Versus Characteristic Three It is common knowledge that arithmetic over F m is more compact and efficient than over F 3 m. However, due to the different embedding degrees enjoyed by the elliptic curves of interest, competitive levels of security for pairing implementations in characteristic two are only achieved at the price of working over extension degrees much larger than what their counterparts in characteristic three require. For a better understanding of this trade-off, we present here FPGA implementation results of a coprocessor for the modified Tate pairing in both characteristics two and three. The coprocessor is based on the previously described unified operator and implements the square- and cube-root-free reversed-loop algorithms (Algorithm, and Algorithm 4 in [5]) along with the corresponding final exponentiation. We also experimented with several values for D, aiming at a more exhaustive study of the trade-off between cost and performances. Tables 3 and 4 present the post-place-and-route results for characteristic two and three respectively. These results were obtained for a Xilinx Virtex-II Pro 0 FPGA with average speedgrade, using the Xilinx ISE 9.i tool suite. The two tables are also summarized in Figure 1. The given results show a slight advantage of characteristic three over characteristic two, for all the studied levels of security. This goes against the performances obtained by Barreto et al. in the case of software implementation [1], but also against the hardware results published by Shu et al. in [33]. Of course, this observation remains closely related to our unified architecture. However, as detailed in the following, our coprocessors perform better than the previously published solutions in terms of area-time product, which leads us to believe this observation to be accurate.

13 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 309 Table 3. Implementation results of the modified Tate pairing in characteristic two using our unified operator (on a Xilinx Virtex-II Pro xcvp0, speedgrade -6) Field Security D Area Frequency Estimated #cycles [bits] [slices] [MHz] calc. time [μs] F F F F F Table 4. Implementation results of the modified Tate pairing in characteristic three using our unified operator (on a Xilinx Virtex-II Pro xcvp0, speedgrade -6) Field Security D Area Frequency Estimated #cycles [bits] [slices] [MHz] calc. time [μs] F F F F F

14 310 J.-L. Beuchat et al. Area [slices] 9000 Char. Char. 3 D = 7 D = D =15 D = D =31 D = Security [bits] Calc. time [μs] 800 Char. Char. 3 D = 7 D =3 700 D =15 D = D =31 D = Security [bits] Fig. 1. Area (left) and calculation time (right) for the modified Tate pairing on our unified operator, in both characteristics two and three, for various extension degrees and different values for the parameter D Moreover, the optimal number D of coefficients processed per clock cycle for the array multiplier appears to be 15 in characteristic two and 7 in characteristic three. However, modifying the value of this parameter changes only marginally the overall area-time product. According to the requirements of each application in terms of area and speed, one can then select the most appropriate value for D. 4.3 Comparisons Tables 5, 6 and 7 present the cost and performances of other coprocessors for the computation of the modified Tate and reduced η T pairings in characteristics two and three as published in the open literature. The results are summarized in Figure as a comparison of these solutions against our proposed architecture in terms of their area-time product. Despite its inherent lack of parallelism between operations, our unified operator greatly benefits from its compact design in order to reach higher frequencies. Combined with the algorithmic improvements described in this paper and in [5], this leads to competitive calculation times. Additionally, the streamlined design allows for reaching higher extension degrees and levels of security without risking to exhaust the FPGA resources: the slow increase of the area-time product with the security level of the system hints at the high scalability of the coprocessor. Finally, the good performances of our solution against the previously published works vouches for a strong confidence in the outcome of our comparison between characteristics two and three for the hardware implementation of the modified Tate pairing. 5 Conclusion We discussed several algorithms to compute the η T pairing and its final exponentiation in characteristic two. We then showed how to get back to the modified

15 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 311 Table 5. FPGA-based accelerators for the modified Tate pairing over F m in the literature. The parameter D refers to the number of coefficients processed at each clock cycle by a multiplier. The architectures by Shu et al. [33] include four kinds of multipliers. Shu et al. [33] Curve FPGA #mult. D E(F 39) xcvp100 Area Freq. Calculation [slices] [MHz] time [μs] Keller et al. [18] E(F 51) xcv Keller et al. [19] E(F 51) xcv Keller et al. [18] E(F 83) xcv Keller et al. [19] E(F 83) xcv Shu et al. [33] E(F 83) xcvp Ronan et al. [9] E(F 313) xcvp Ronan et al. [30] C(F 103 ) xcvp Table 6. FPGA-based accelerators for the modified Tate pairing over F 3 97 in the literature. The parameter D refers to the number of coefficients processed at each clock cycle by a multiplier. FPGA #mult. D Area Freq. Calculation [slices] [MHz] time [μs] Grabher and Page [11] xcvp Kerins et al. [0] xcvp

16 31 J.-L. Beuchat et al. Table 7. FPGA-based accelerators for reduced η T pairing over F 3 97 in the literature. The parameter D refers to the number of coefficients processed at each clock cycle by a multiplier. FPGA #mult. D Area Freq. Calculation [slices] [MHz] time [μs] Ronan et al. [8] xcvp Jiang [16] xc4vlx00 Not specified Beuchat et al. [5] xcvp xcvp Beuchat et al. [6] xc4vlx AT product [slices s] 100 [18] [18] [0] [19] [19] Unified operator, char. (D = 15) Unified operator, char. 3(D = 7) Results from the literature 10 1 [11], [8] [16] [33] [33] [9] [30] [6] Security [bits] Fig.. Area-time product of the proposed coprocessor for the modified Tate pairing in characteristics two and three against the other solutions published in the literature Tate pairing at almost no extra cost. Finally, we explored the trade-offs involved in the hardware implementation of the modified Tate pairing for both characteristic two and three. Our architectures are based on the unified arithmetic operator introduced in [3], and achieve a better area-time trade-off compared to previously published solutions [11, 16, 18, 19, 0, 8, 9, 30, 33]. Our modified Tate pairing coprocessors embed a single multiplier. A challenge consists in designing parallel architectureswith the same (or evena smaller) areatime product. Future work should also include a study of the η T pairing over genus- curves. The Ate pairing [14] would also be of interest, for it generalizes to ordinary curves the improvements introduced by the η T pairing in the case of supersingular curves.

17 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m 313 Acknowledgment The authors would like to thank Guillaume Hanrot and the anonymous referees for their valuable comments. This work was supported by the New Energy and Industrial Technology Development Organization (NEDO), Japan. The authors would also like to express their deepest gratitude to the Carthusian Monks of the Grande Chartreuse in the French Alps for their succulent herbal products which fueled our efforts in writing this article. References 1. Barreto, P.S.L.M., Galbraith, S.D., ÓhÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular Abelian varieties. Designs, Codes and Cryptography 4, (007). Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairingbased cryptosystems. In: Yung, M. (ed.) CRYPTO 00. LNCS, vol. 44, pp Springer, Heidelberg (00) 3. Beuchat, J.-L., Brisebarre, N., Detrey, J., Okamoto, E.: Arithmetic operators for pairing-based cryptography. In: Paillier, P., Verbauwhede, I. (eds.) CHES 007. LNCS, vol. 477, pp Springer, Heidelberg (007) 4. Beuchat, J.-L., Brisebarre, N., Detrey, J., Okamoto, E., Rodríguez-Henríquez, F.: A comparison between hardware accelerators for the modified Tate pairing over F m and F 3 m. Cryptology eprint Archive, Report 008/115 (008) 5. Beuchat, J.-L., Brisebarre, N., Detrey, J., Okamoto, E., Shirase, M., Takagi, T.: Algorithms and arithmetic operators for computing the η T pairing in characteristic three. IEEE Transactions on Computers 57(11) (November 008) (to appear) An extended version is available as Report 007/417 of the Cryptology eprint Archive 6. Beuchat, J.-L., Shirase, M., Takagi, T., Okamoto, E.: An algorithm for the η T pairing calculation in characteristic three and its hardware implementation. In: Kornerup, P., Muller, J.-M. (eds.) Proceedings of the 18th IEEE Symposium on Computer Arithmetic, pp IEEE Computer Society, Los Alamitos (007) 7. Duursma, I., Lee, H.S.: Tate pairing implementation for hyperelliptic curves y = x p x + d. In: Laih, C.S. (ed.) ASIACRYPT 003. LNCS, vol. 894, pp Springer, Heidelberg (003) 8. Fong, K., Hankerson, D., López, J., Menezes, A.: Field inversion and point halving revisited. IEEE Transactions on Computers 53(8), (004) 9. Frey, G., Rück, H.-G.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation 6(06), (1994) 10. Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 00. LNCS, vol. 369, pp Springer, Heidelberg (00) 11. Grabher, P., Page, D.: Hardware acceleration of the Tate pairing in characteristic three. In: Rao, J.R., Sunar, B. (eds.) CHES 005. LNCS, vol. 3659, pp Springer, Heidelberg (005) 1. Granger, R., Page, D., Smart, N.P.: High security pairing-based cryptography revisited. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 006. LNCS, vol. 4076, pp Springer, Heidelberg (006)

18 314 J.-L. Beuchat et al. 13. Granger, R., Page, D., Stam, M.: On small characteristic algebraic tori in pairingbased cryptography. LMS Journal of Computation and Mathematics 9, (006) 14. Hess, F., Smart, N., Vercauteren, F.: The Eta pairing revisited. IEEE Transactions on Information Theory 5(10), (006) 15. Itoh, T., Tsujii, S.: A fast algorithm for computing multiplicative inverses in GF( m ) using normal bases. Information and Computation 78, (1988) 16. Jiang, J.: Bilinear pairing (Eta T Pairing) IP core. Technical report, City University of Hong Kong Department of Computer Science (May 007) 17. Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 000. LNCS, vol. 1838, pp Springer, Heidelberg (000) 18. Keller, M., Kerins, T., Crowe, F., Marnane, W.P.: FPGA implementation of a GF( m ) Tate pairing architecture. In: Bertels, K., Cardoso, J.M.P., Vassiliadis, S. (eds.) ARC 006. LNCS, vol. 3985, pp Springer, Heidelberg (006) 19. Keller, M., Ronan, R., Marnane, W.P., Murphy, C.: Hardware architectures for the Tate pairing over GF( m ). Computers and Electrical Engineering 33(5 6), (007) 0. Kerins, T., Marnane, W.P., Popovici, E.M., Barreto, P.S.L.M.: Efficient hardware for the Tate pairing calculation in characteristic three. In: Rao, J.R., Sunar, B. (eds.) CHES 005. LNCS, vol. 3659, pp Springer, Heidelberg (005) 1. Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 005. LNCS, vol. 3796, pp Springer, Heidelberg (005). Kwon, S.: Efficient Tate pairing computation for elliptic curves over binary fields. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 005. LNCS, vol. 3574, pp Springer, Heidelberg (005) 3. Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curves logarithms to logarithms in a finite field. IEEE Transactions on Information Theory 39(5), (1993) 4. Miller, V.S.: Short programs for functions on curves (1986), 5. Miller, V.S.: The Weil pairing, and its efficient calculation. Journal of Cryptology 17(4), (004) 6. Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundamentals E85-A(), (00) 7. Rodríguez-Henríquez, F., Morales-Luna, G., López, J.: Low-complexity bit-parallel square root computation over GF( m ) for all trinomials. IEEE Transactions on Computers 57(4), (008) 8. Ronan, R., Murphy, C., Kerins, T., ÓhÉigeartaigh, C., Barreto, P.S.L.M.: A flexible processor for the characteristic 3 η T pairing. Int. J. High Performance Systems Architecture 1(), (007) 9. Ronan, R., ÓhÉigeartaigh, C., Murphy, C., Scott, M., Kerins, T.: FPGA acceleration of the Tate pairing in characteristic. In: Proceedings of the IEEE International Conference on Field Programmable Technology FPT 006, pp IEEE, Los Alamitos (006) 30. Ronan, R., ÓhÉigeartaigh, C., Murphy, C., Scott, M., Kerins, T.: Hardware acceleration of the Tate pairing on a genus hyperelliptic curve. Journal of Systems Architecture 53, (007) 31. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: 000 Symposium on Cryptography and Information Security (SCIS 000), Okinawa, Japan, pp. 6 8 (January 000)

19 Hardware Accelerators for the Modified Tate Pairing over F m and F 3 m Scott, M.: Optimal irreducible polynomials for GF( m ) arithmetic. Cryptology eprint Archive, Report 007/19 (007) 33. Shu, C., Kwon, S., Gaj, K.: FPGA accelerated Tate pairing based cryptosystem over binary fields. In: Proceedings of the IEEE International Conference on Field Programmable Technology FPT 006, pp IEEE, Los Alamitos (006) 34. Song, L., Parhi, K.K.: Low energy digit-serial/parallel finite field multipliers. Journal of VLSI Signal Processing 19(), (1998)