Hardware and software normal basis arithmetic for pairing-based cryptography in characteristic three (2005)

by R Granger, D Page, M Stam
Venue: IEEE Trans. Comput
Results 1 - 10 of 11

A note on efficient computation of cube roots in characteristic

by Paulo S. L. M. Barreto, 2004
Cited by 17 (1 self)
Abstract. The cost of the folklore algorithm for computing cube roots in F_{3^m} in standard polynomial basis is less than one multiplication, but still O(m^2). Here we show that, if F_{3^m} is represented in trinomial basis as F_3[x]/(x^m + ax^k + b) with a, b = ±1, the actual cost of computing cube roots in F_{3^m} is only O(m).

FPGA Accelerated Tate Pairing Based Cryptosystems over Binary Fields

by Chang Shu, Soonhak Kwon, Kris Gaj - IN CRYPTOLOGY EPRINT ARCHIVE, REPORT 2006/179, 2006
Cited by 11 (0 self)
Though the implementation of the Tate pairing is commonly believed to be computationally more intensive than other cryptographic operations, such as ECC point multiplication, there has been a substantial progress in speeding up the Tate pairing computations. Because of their inherent parallelism, the existing Tate pairing algorithms are very suitable for hardware implementation aimed at achieving a high operation speed. Supersingular elliptic curves over binary fields are good candidates for hardware implementation due to their simple underlying algorithms and binary arithmetic. In this paper we propose efficient Tate pairing implementations over binary fields F_{2^239} and F_{2^283} via FPGA. Though our field sizes are larger than those used in earlier architectures with the same security strength based on cubic elliptic curves or binary hyperelliptic curves, fewer multiplications in the underlying field are required, so that the computational latency for one pairing can be reduced. As a result, our pairing accelerators implemented via FPGA can run 15-to-25 times faster than other FPGA realizations at the same level of security strength, and at the same time achieve lower product of latency by area.

Software multiplication using Gaussian normal bases

by Ricardo Dahab, Darrel Hankerson, Men Long, Julio López, Alfred Menezes - IEEE Trans. Comput, 2006
Cited by 6 (2 self)
Fast algorithms for multiplication in finite fields are required for several cryptographic applications, in particular for implementing elliptic curve operations over binary fields F_{2^m}. In this paper we present new software algorithms for efficient multiplication over F_{2^m} that use a Gaussian normal basis representation. Two approaches are presented, direct normal basis multiplication, and a method that exploits a mapping to a ring where fast polynomial-based techniques can be employed. Our analysis including experimental results on an Intel Pentium family processor shows that the new algorithms are faster and can use memory more efficiently than previous methods. Despite significant improvements, we conclude that the penalty in multiplication is still sufficiently large to discourage the use of normal bases in software implementations of elliptic curve systems. Key words: Multiplication in F_{2^m}, Gaussian normal basis, elliptic curve cryptography.

Some Efficient Algorithms for the Final Exponentiation of η_T Pairing

by Masaaki Shirase, Tsuyoshi Takagi, Eiji Okamoto - IN CRYPTOLOGY EPRINT ARCHIVE, REPORT 2006/431, 2006
Cited by 4 (2 self)
Recently Tate pairing and its variations are attracted in cryptography. Their operations consist of a main iteration loop and a final exponentiation. The final exponentiation is necessary for generating a unique value of the bilinear pairing in the extension fields. The speed of the main loop has become fast by the recent improvements, e.g., the Duursma-Lee algorithm and η_T pairing. In this paper we discuss how to enhance the speed of the final exponentiation of the η_T pairing in the extension field F_{3^{6n}}. Indeed, we propose some efficient algorithms using the torus T_2(F_{3^{3n}}) that can efficiently compute an inversion and a powering by 3 +1. Consequently, the total processing cost of computing the η_T pairing can be reduced by 17% for n = 97.

Instruction Set Extensions for Pairing-Based Cryptography

by Tobias Vejda, Johann Großschädl, Dan Page, 2007
Cited by 2 (1 self)
A series of recent algorithmic advances has delivered highly effective methods for pairing evaluation and parameter generation. However, the resulting multitude of options means many different variations of base field must ideally be supported on the target platform. Typical hardware accelerators in the form of co-processors possess neither the flexibility nor the scalability to support fields of different characteristic and order. On the other hand, extending the instruction set of a general-purpose processor by custom instructions for field arithmetic allows to combine the performance of hardware with the flexibility of software. To this end, we investigate the integration of a tri-field multiply-accumulate (MAC) unit into a SPARC V8 processor core to support arithmetic in F_p, F_{2^n} and F_{3^n}. Besides integer multiplication, the MAC unit can also execute dedicated multiply and MAC instructions for binary and ternary polynomials. Our results show that the tri-field MAC unit adds only a small size overhead while significantly accelerating arithmetic in F_{2^n} and F_{3^n}, which sheds new light on the relative performance of F_p, F_{2^n} and F_{3^n} in the context of pairing-based cryptography.

Efficient multiplication using type 2 optimal normal bases

by Joachim Von Zur Gathen, Amin Shokrollahi, Jamshid Shokrollahi
Cited by 2 (0 self)
Abstract. In this paper we propose a new structure for multiplication using optimal normal bases of type 2. The multiplier uses an efficient linear transformation to convert the normal basis representations of elements of F_{q^n} to suitable polynomials of degree at most n over F_q. These polynomials are multiplied using any method which is suitable for the implementation platform, then the product is converted back to the normal basis using the inverse of the above transformation. The efficiency of the transformation arises from a special factorization of its matrix into sparse matrices. This factorization — which resembles the FFT factorization of the DFT matrix — allows to compute the transformation and its inverse using O(n log n) operations in F_q, rather than O(n^2) operations needed for a general change of basis. Using this technique we can reduce the asymptotic cost of multiplication in optimal normal bases of type 2 from 2M(n) + O(n) reported by Gao et al. (2000) to M(n) + O(n log n) operations in F_q, where M(n) is the number of F_q-operations to multiply two polynomials of degree n − 1 over F_q. We show that this cost is also smaller than other proposed multipliers for n > 160, values which are used in elliptic curve cryptography.

New fast algorithms for arithmetic on elliptic curves over finite fields of characteristic three

by Kwang Ho Kim, So In Kim, Ju Song Choe, 2007
Cited by 2 (1 self)
Abstract: In this paper we propose new formulae and algorithms for arithmetic on ordinary elliptic curve with a point of order 3 over finite field of characteristic three, by which the cost of a point multiplication on the curves decreases about 10~20 %.

Software implementation of arithmetic in F_{3^m}

by Omran Ahmadi, Darrel Hankerson, Alfred Menezes - International Workshop on the Arithmetic of Finite Fields (WAIFI 2007), volume 4547 of Lecture Notes in Computer Science, 2007
Cited by 1 (1 self)
Abstract. Fast arithmetic for characteristic three finite fields F_{3^m} is desirable in pairing-based cryptography because there is a suitable family of elliptic curves over F_{3^m} having embedding degree 6. In this paper we present some structure results for Gaussian normal bases of F_{3^m}, and use the results to devise faster multiplication algorithms. We carefully compare multiplication in F_{3^m} using polynomial bases and Gaussian normal bases. Finally, we compare the speed of encryption and decryption for the Boneh-Franklin and Sakai-Kasahara identity-based encryption schemes at the 128-bit security level, in the case where supersingular elliptic curves with embedding degrees 2, 4 and 6 are employed.

Efficient Implementation of the Pairing on Mobilephones using BREW

by Motoi Yoshitomi, Tsuyoshi Takagi, Shinsaku Kiyomoto, Toshiaki Tanaka, 2007
Cited by 1 (0 self)
Pairing based cryptosystems can accomplish novel security applications such as ID-based cryptosystems, which have not been constructed efficiently without the pairing. The processing speed of the pairing based cryptosystems is relatively slow compared with the other conventional public key cryptosystems. However, several efficient algorithms for computing the pairing have been proposed, namely Duursma-Lee algorithm and its variant η_T pairing. In this paper, we present an efficient implementation of the pairing over some mobile phones. The processing speed of our implementation in ARM9 processors on BREW achieves under 100 milliseconds using the supersingular curve over F_{3^97}. It has become efficient enough to implement security applications, such as ID-based cryptosystems and broadcast encryption, using the pairing on BREW mobilephones.

Side Channel Attacks and Countermeasures on Pairing Based Cryptosystems over Binary Fields

by Tae Hyun Kim, Tsuyoshi Takagi, Dong-Guk Han, Ho Won Kim, Jongin Lim, 2006
Pairings on elliptic curves have been used as cryptographic primitives for the development of new applications such as identity based schemes. For the practical applications, it is crucial to provide efficient and secure implementations of the pairings. There have been several works on efficient implementations of the pairings. However, the research for secure implementations of the pairings has not been thoroughly investigated. In this paper