## Arithmetic Operators for Pairing-Based Cryptography

### Download Links

- [www.cipher.risk.tsukuba.ac.jp]
- [eprint.iacr.org]
- [www.ens-lyon.fr]
- DBLP

### Other Repositories/Bibliography

Citations: 6 - 3 self

### BibTeX

```bibtex
@MISC{Beuchat_arithmeticoperators,
    author = {Jean-Luc Beuchat and Nicolas Brisebarre and Jérémie Detrey and Eiji Okamoto},
    title = {Arithmetic Operators for Pairing-Based Cryptography},
    year = {}
}
```

### Abstract

Since their introduction in constructive cryptographic applications, pairings over (hyper)elliptic curves are at the heart of an ever increasing number of protocols. Software implementations being rather slow, the study of hardware architectures became an active research area. In this paper, we first study an accelerator for the $\eta_T$ pairing over $\mathbb{F}_3[x]/(x^{97} + x^{12} + 2)$. Our architecture is based on a unified arithmetic operator which performs addition, multiplication, and cubing over $\mathbb{F}_{3^{97}}$. This design methodology allows us to design a compact coprocessor (1888 slices on a Virtex-II Pro 4 FPGA) which compares favorably with other solutions described in the open literature. We then describe ways to extend our approach to any characteristic and any extension field.

### Citations

818 | The arithmetic of elliptic curves
- Silverman
- 1986
Citation Context: ...ling with general curves providing common levels of security, the Tate pairing seems to be more efficient than the Weil pairing. Let $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^m}$ (see Theorem V.3.1 of [28] for a definition), where $p$ is a prime and $m$ a positive integer, and let $E(\mathbb{F}_{p^m})$ denote the group of its points. Let $\ell > 0$ be an integer relatively prime to $p$. The embedding degree (or security multipl...

675 | The Art of Computer Programming, volume 2: Seminumerical Algorithms
- Knuth
- 1988
Citation Context: ...n construct another sequence $(n_0, \ldots, n_l)$ satisfying $n_0 = 1$, and $n_i = n_{j_i} + n_{k_i}$, for all $1 \le i \le l$. $S$ is said to compute $n_l$, the last element of the sequence. For more details, see for instance [19]. Moreover, we can see that we have, for $n \le n'$, $a^{(p^{n+n'}-1)/(p-1)} = a^{(p^n-1)/(p-1)} \cdot \left(a^{(p^{n'}-1)/(p-1)}\right)^{p^n}$. Consequently, given an addition chain $S$ of length $l$ for $m-1$, we can compute the requi...

291 | Efficient Algorithms for Pairing-Based Cryptosystems
- Barreto, Kim, et al.
- 2002
Citation Context: ...upport disjoint from the support of $f_{\ell,P}$. Then the Tate pairing of order $\ell$ is the map $e_\ell : E(\mathbb{F}_{p^m})[\ell] \times E(\mathbb{F}_{p^{km}})[\ell] \to \mathbb{F}^*_{p^{km}}$ defined by $e_\ell(P, Q) = f_{\ell,P}(D_Q)^{(p^{km}-1)/\ell}$ (we give here the definition from [3], slightly different from the initial one given in [11]). It satisfies the following properties: – Non-degeneracy. For all $P \in E(\mathbb{F}_{p^m})[\ell] \setminus \{O\}$, there is some point $Q \in E(\mathbb{F}_{p^{km}})[\ell]$ such that $e_\ell(P, Q) \neq$...

285 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context: ... characteristic and any extension field. Keywords: $\eta_T$ pairing, finite field arithmetic, elliptic curve, hardware accelerator, FPGA. 1 Introduction Introduced in cryptography for code-breaking purpose [11, 22], the Weil and Tate pairings are at the heart of an ever increasing number of protocols since the work of Joux [16] who first discovered their constructive properties. The interested reader should ref...

260 | A one round protocol for tripartite Diffie-Hellman
- Joux
- 2000
Citation Context: ...rator, FPGA. 1 Introduction Introduced in cryptography for code-breaking purpose [11, 22], the Weil and Tate pairings are at the heart of an ever increasing number of protocols since the work of Joux [16] who first discovered their constructive properties. The interested reader should refer to the survey by Dutta, Barua, and Sarkar for further details [9]. According to [14, 20], when dealing with gene...

189 | A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context: ... characteristic and any extension field. Keywords: $\eta_T$ pairing, finite field arithmetic, elliptic curve, hardware accelerator, FPGA. 1 Introduction Introduced in cryptography for code-breaking purpose [11, 22], the Weil and Tate pairings are at the heart of an ever increasing number of protocols since the work of Joux [16] who first discovered their constructive properties. The interested reader should ref...

152 | The arithmetic of elliptic curves, Graduate Texts
- Silverman
Citation Context: ...ling with general curves providing common levels of security, the Tate pairing seems to be more efficient than the Weil pairing. Let $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^m}$ (see Theorem V.3.1 of [28] for a definition), where $p$ is a prime and $m$ a positive integer, and let $E(\mathbb{F}_{p^m})$ denote the group of its points. Let $\ell > 0$ be an integer relatively prime to $p$. The embedding degree (or security multipl...

142 | Implementing the Tate pairing
- Galbraith, Harrison, et al.
- 2002
Citation Context: ...ing to [3], curves over fields of characteristic three often offer the best possible ratio between security level and space requirements. Different ways for computing the Tate pairing can be found in [3, 10, 12, 21]. In [2], Barreto et al. introduced the $\eta_T$ pairing which extended and improved the Duursma-Lee techniques [10]. To do it, they first need to consider the following distortion map $\psi : E_b(\mathbb{F}_{3^m}) \to E_b$ (F3...

130 | Efficient pairing computation on supersingular abelian varieties
- Barreto, Galbraith, et al.
Citation Context: ...ver fields of characteristic three often offer the best possible ratio between security level and space requirements. Different ways for computing the Tate pairing can be found in [3, 10, 12, 21]. In [2], Barreto et al. introduced the $\eta_T$ pairing which extended and improved the Duursma-Lee techniques [10]. To do it, they first need to consider the following distortion map $\psi : E_b(\mathbb{F}_{3^m}) \to E_b(\mathbb{F}_{3^{6m}})$ defi...

92 | A fast algorithm for computing multiplicative inverses in $GF(2^m)$ using normal bases
- Itoh, Tsujii
- 1988
Citation Context: ...dware to perform the inversion over $\mathbb{F}_{3^{97}}$ according to the Extended Euclidean Algorithm (EEA), Beuchat et al. [6] proposed an algorithm based on Fermat’s little theorem and on Itoh and Tsujii’s work [15] for $\mathbb{F}_{3^{97}}$. It involves 96 cubings and 9 multiplications. Algorithm 1 summarizes the computation of the full pairing. It is worth noticing that $\eta_T(P, Q)^W$ can be computed only by means of additions ...

86 | Tate pairing implementation for hyperelliptic curves $y^2 = x^p - x + d$
- Duursma, Lee
- 2003
Citation Context: ...ing to [3], curves over fields of characteristic three often offer the best possible ratio between security level and space requirements. Different ways for computing the Tate pairing can be found in [3, 10, 12, 21]. In [2], Barreto et al. introduced the $\eta_T$ pairing which extended and improved the Duursma-Lee techniques [10]. To do it, they first need to consider the following distortion map $\psi : E_b(\mathbb{F}_{3^m}) \to E_b$ (F3...

77 | Pairing-based cryptography at high security levels
- Koblitz, Menezes
- 2005
Citation Context: ...cols since the work of Joux [16] who first discovered their constructive properties. The interested reader should refer to the survey by Dutta, Barua, and Sarkar for further details [9]. According to [14, 20], when dealing with general curves providing common levels of security, the Tate pairing seems to be more efficient than the Weil pairing. Let $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^m}$ (see Theorem...

76 | Evidence that XTR is more secure than supersingular elliptic curve cryptosystems (full version
- Verheul
Citation Context: ...36m) defined, for all $R \in E_b(\mathbb{F}_{3^m})$ by $\psi(R) = \psi(x_r, y_r) = (-x_r + \rho, y_r\sigma)$, where $\sigma$ and $\rho$ belong to $\mathbb{F}_{3^{6m}}$ and respectively satisfy $\sigma^2 = -1$ and $\rho^3 = \rho + b$ (that concept of distortion map was introduced in [31]). We define the modified Tate pairing $\hat{e}$ by $\hat{e}(P, Q) = e(P, \psi(Q))$ for all $P, Q \in E(\mathbb{F}_{3^m})[\ell]$. Moreover, following [17], we construct $\mathbb{F}_{3^{6m}}$ as an extension of $\mathbb{F}_{3^m}$ using the basis $(1, \sigma, \rho, \sigma\rho, \rho^2, \sigma\rho^2)$, ...

37 | Low-energy digit-serial/parallel finite field multipliers
- Song, Parhi
- 1998
Citation Context: ...to perform addition, multiplication, and cubing over $\mathbb{F}_3[x]/(f(x))$, where $f(x) = x^{97} + x^{12} + 2$. The operator is based on the array multiplier architecture proposed by Shu, Kwon, and Gaj in [27] (see [5, 29] for an introduction to array multipliers). Since such multipliers process $D$ coefficients of an operand at each clock cycle, they mainly consist of $D$ Partial Product Generators (PPGs), a $D$-operand add...

28 | Pairing-Based Cryptographic Protocols: A survey, Cryptology ePrint Archive, Report
- Dutta, Barua, et al.
- 2004
Citation Context: ...ng number of protocols since the work of Joux [16] who first discovered their constructive properties. The interested reader should refer to the survey by Dutta, Barua, and Sarkar for further details [9]. According to [14, 20], when dealing with general curves providing common levels of security, the Tate pairing seems to be more efficient than the Weil pairing. Let $E$ be a supersingular elliptic curv...

28 | High security pairing-based cryptography revisited
- Granger, Page, et al.
- 2006
Citation Context: ...cols since the work of Joux [16] who first discovered their constructive properties. The interested reader should refer to the survey by Dutta, Barua, and Sarkar for further details [9]. According to [14, 20], when dealing with general curves providing common levels of security, the Tate pairing seems to be more efficient than the Weil pairing. Let $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^m}$ (see Theorem...

22 | Efficient hardware for the Tate pairing calculation in characteristic three
- Kerins, Marnane, et al.
Citation Context: ...ely satisfy $\sigma^2 = -1$ and $\rho^3 = \rho + b$ (that concept of distortion map was introduced in [31]). We define the modified Tate pairing $\hat{e}$ by $\hat{e}(P, Q) = e(P, \psi(Q))$ for all $P, Q \in E(\mathbb{F}_{3^m})[\ell]$. Moreover, following [17], we construct $\mathbb{F}_{3^{6m}}$ as an extension of $\mathbb{F}_{3^m}$ using the basis $(1, \sigma, \rho, \sigma\rho, \rho^2, \sigma\rho^2)$, which is equivalent to considering the tower $\mathbb{F}_{3^m}$, $\mathbb{F}_{3^{2m}} \cong \mathbb{F}_{3^m}[y]/(y^2 + 1)$ and $\mathbb{F}_{3^{6m}} \cong \mathbb{F}_{3^{2m}}[z]/(z^3 - z - b)$. Hence, the co...

20 | A note on efficient computation of cube roots in characteristic 3. Cryptology ePrint Archive, Report 035/2004
- Barreto
- 2004
Citation Context: ...is controlled by a general purpose processor [13]. The ALU embeds an adder, a subtracter, a multiplier (with $D = 4$), a cubing unit, and a cube root operator based on the method highlighted by Barreto [1]. This architecture occupies 4481 slices and allows one to perform the Duursma-Lee algorithm and its final exponentiation in 432.3 µs. The main advantage is maybe that the control can be compiled usin...

16 | Itoh-Tsujii inversion in standard basis and its application in cryptography and codes
- Guajardo, Paar
- 2002
Citation Context: ...can further reduce the calculation time. Let $r = (p^m - 1)/(p - 1)$ and $a \in \mathbb{F}^*_{p^m}$. Since $(a^r)^{p-1} = a^{p^m - 1} = 1$, $a^r$ belongs to $\mathbb{F}_p$ and the multiplicative inverse of $a$ is computed as $a^{r-1}(a^r)^{-1}$ [14]. Algorithm 3 summarizes this scheme which is often applied for inversion in optimal extensions Algorithm 2 Inversion over $\mathbb{F}_{p^m}$ (1). Input: A prime...

14 | Efficient $GF(p^m)$ Arithmetic Architectures for Cryptographic Applications
- Bertoni, Guajardo, et al.
- 2003
Citation Context: ...to perform addition, multiplication, and cubing over $\mathbb{F}_3[x]/(f(x))$, where $f(x) = x^{97} + x^{12} + 2$. The operator is based on the array multiplier architecture proposed by Shu, Kwon, and Gaj in [27] (see [5, 29] for an introduction to array multipliers). Since such multipliers process $D$ coefficients of an operand at each clock cycle, they mainly consist of $D$ Partial Product Generators (PPGs), a $D$-operand add...

14 | Efficient Tate Pairing Computation for Supersingular Elliptic Curves over Binary Fields
- Kwon
- 2004
Citation Context: ...ing to [3], curves over fields of characteristic three often offer the best possible ratio between security level and space requirements. Different ways for computing the Tate pairing can be found in [3, 10, 12, 21]. In [2], Barreto et al. introduced the $\eta_T$ pairing which extended and improved the Duursma-Lee techniques [10]. To do it, they first need to consider the following distortion map $\psi : E_b(\mathbb{F}_{3^m}) \to E_b$ (F3...

14 | A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves
- Frey, Rück
- 1994
Citation Context: ... characteristic and any extension field. Keywords: $\eta_T$ pairing, finite field arithmetic, elliptic curve, hardware accelerator, FPGA. 1 Introduction Introduced in cryptography for code-breaking purpose [22, 11], the Weil and Tate pairings are at the heart of an ever increasing number of protocols since the work of Joux [16] who first discovered their constructive properties. The interested reader should ref...

13 | Parallel hardware architectures for the cryptographic Tate pairing
- Bertoni, Breveglieri, et al.
- 2006
Citation Context: ...0 $= -y_p r_0 + y_q\sigma + y_p\rho$ by $R_1 = -r_0^2 + y_p y_q\sigma - r_0\rho - \rho^2$ involves for instance only 8 multiplications and 9 additions over $\mathbb{F}_{3^m}$ (see Algorithm 4 in Appendix A for details). As pointed out by Bertoni et al [4], the multiplication over $\mathbb{F}_{3^{6m}}$ occurring in the main loop of the pairing calculation (Algorithm 1) requires 13 multiplications over $\mathbb{F}_{3^m}$. ...

13 | Hardware acceleration of the Tate pairing in characteristic three
- Grabher, Page
- 2005
Citation Context: ...against architectures proposed by other researchers for $p = 3$ and $m = 97$. Grabher and Page designed a coprocessor dealing with arithmetic over $\mathbb{F}_{3^m}$, which is controlled by a general purpose processor [13]. The ALU embeds an adder, a subtracter, a multiplier (with $D = 4$), a cubing unit, and a cube root operator based on the method highlighted by Barreto [1]. This architecture occupies 4481 slices and a...

12 | Algorithms and Architectures for Use in FPGA Implementations of Identity Based Encryption Schemes
- Kerins, Popovici, et al.
Citation Context: ...We assume that the accelerator embeds a single unified operator and carries out the pairing calculation according to Algorithm 1. Recall that the EEA performs an inversion over $\mathbb{F}_{3^m}$ in $2m$ clock cycles [18]. Then, Table 1 and the previous cost analysis allow us to find out the number of clock cycles and to give examples for $D = 3$ and $7$. Our results indicate that supplementing our coprocessor with dedica...

12 | FPGA accelerated Tate pairing based cryptosystems over binary fields. Cryptology ePrint Archive, Report 2006/179
- Shu, Kwon, et al.
- 2006
Citation Context: ...ator able to perform addition, multiplication, and cubing over $\mathbb{F}_3[x]/(f(x))$, where $f(x) = x^{97} + x^{12} + 2$. The operator is based on the array multiplier architecture proposed by Shu, Kwon, and Gaj in [27] (see [5, 29] for an introduction to array multipliers). Since such multipliers process $D$ coefficients of an operand at each clock cycle, they mainly consist of $D$ Partial Product Generators (PPGs), a ...

11 | An algorithm for the $\eta_T$ pairing calculation in characteristic three and its hardware implementation
- Beuchat, Shirase, et al.
- 2007
Citation Context: ...ices [27]. The approach proposed in this paper reduces the area and the computation time by 29 and 3.8 respectively. Beuchat et al. described a fast architecture for the computation of the $\eta_T$ pairing [7]. The authors introduced a novel multiplication algorithm over $\mathbb{F}_{3^{6m}}$ which takes advantage of the constant coefficients of $R_1$. Thus, this design must be supplemented with a coprocessor for final expo...

10 | Efficient generation of minimal length addition chains
- Thurber
- 1999
Citation Context: ... $k_i = i - 1$ for all $1 \le i \le l$), the number of Frobenius maps is exactly $m - 2$ [19]. With the intent of minimizing the number of operations, we have adapted some efficient algorithms from the literature [30] to find the shortest Brauer-type addition chain for any value of $m - 1$. It is to be noted that Brauer-type chains are proved to be optimal for $m - 1$ up to and including 12508 [19], which is an acceptab...

7 | A coprocessor for the final exponentiation of the $\eta_T$ pairing in characteristic three
- Beuchat, Brisebarre, et al.
- 2007
Citation Context: ...nius map. Moreover, they designed a novel arithmetic operator implementing addition, cubing, and multiplication over $\mathbb{F}_{3^{97}}$ which performs in a fast and cheap way the final exponentiation $\eta_T(P, Q)^W$ [6]. In this paper, we extend this approach to the computation of the full $\eta_T$ pairing (i.e. including the final exponentiation). In Section 2, we present a compact implementation of the $\eta_T$ pairing over t...

7 | The Art of Computer Programming, 3rd edn
- Knuth
- 1998
Citation Context: ...nce $(n_0, \ldots, n_l)$ satisfying $n_0 = 1$, and $n_i = n_{j_i} + n_{k_i}$, for all $1 \le i \le l$. $S$ is said to compute $n_l$, the last element of the sequence. For more details, see for instance [19]. Moreover, we can see that we have, for $n \le n'$, $a^{(p^{n+n'}-1)/(p-1)} = a^{(p^n-1)/(p-1)} \cdot \left(a^{(p^{n'}-1)/(p-1)}\right)^{p^n}$. Consequently, given an addition chain $S$ of length $l$ for $m-1$, we can compute the requi...

5 | Cryptographic Algorithms on Reconfigurable Hardware
- Rodríguez-Henríquez, Saqib, et al.
Citation Context: ...the bits of the two operands, particularly suited for small values of $p$ (typically $p = 2$ to $7$). For higher characteristics, it will be necessary to resort to more complex methods for modular addition [24]. Also as in the original operator, multiplication over $\mathbb{F}_p[x]/(f(x))$ relies on a parallel-serial algorithm, with $D$ digits of the multiplier being processed at each iteration. The generation of the par...

5 | Some Efficient Algorithms for the Final Exponentiation of $\eta_T$
- Shirase, Takagi
- 2007
Citation Context: ...requiring only seven additions (or subtractions) over $\mathbb{F}_{3^m}$ (see for instance [7]). The final exponentiation is carried out according to a novel algorithm introduced by Shirase, Takagi, and Okamoto in [26]. This scheme involves additions, cubings, multiplications, and a single inversion over $\mathbb{F}_{3^m}$. In this section we will consider the field $\mathbb{F}_{3^{97}} = \mathbb{F}_3[x]/(x^{97} + x^{12} + 2)$ and the curve $y^2 = x^3 - x + 1$ o...

2 | A parallel version of the Itoh-Tsujii multiplicative inversion algorithm
- Rodríguez-Henríquez, Morales-Luna, et al.
- 2007
Citation Context: ...to the multiplexer. Loading $s$ in the parallel register R2, we can then directly perform the final product $s \cdot t^{-1} = a^{-1}$. Addition chains to compute $a^{(p^{m-1}-1)/(p-1)}$. As already shown in [32] and [23], addition chains can prove to be perfectly suited to raise elements of $\mathbb{F}_{p^m}$ to particular powers, such as the radix-$p$ repunit $(p^{m-1}-1)/(p-1)$ required by our inversion algorithm. An addition chain S...

2 | Hardware implementation of the $\eta_T$ pairing in characteristic 3. Cryptology ePrint Archive
- Ronan, hÉigeartaigh, et al.
Citation Context: ...onan et al. wrote a C program which automatically generates a VHDL description of a coprocessor and its control unit according to the number of multipliers over $\mathbb{F}_{3^m}$ to be included and the parameter $D$ [25]. An architecture embedding three multipliers processing $D = 8$ coefficients at each clock cycle computes for instance a full pairing in 178 µs. Though 1.25 times faster, this design requires five time...

1 | Computing special powers in finite fields
- Gathen, Nöcker
- 2003
Citation Context: ...0 thanks to the multiplexer. Loading $s$ in the parallel register R2, we can then directly perform the final product $s \cdot t^{-1} = a^{-1}$. Addition chains to compute $a^{(p^{m-1}-1)/(p-1)}$. As already shown in [32] and [23], addition chains can prove to be perfectly suited to raise elements of $\mathbb{F}_{p^m}$ to particular powers, such as the radix-$p$ repunit $(p^{m-1}-1)/(p-1)$ required by our inversion algorithm. An additio...

1 | Computing special powers in finite fields. Mathematics of Computation 73(247), 1499–1523 (2003)
- Gathen, Nöcker
Citation Context: ...0 thanks to the multiplexer. Loading $s$ in the parallel register R2, we can then directly perform the final product $s \cdot t^{-1} = a^{-1}$. Addition chains to compute $a^{(p^{m-1}-1)/(p-1)}$. As already shown in [32] and [23], addition chains can prove to be perfectly suited to raise elements of $\mathbb{F}_{p^m}$ to particular powers, such as the radix-$p$ repunit $(p^{m-1}-1)/(p-1)$ required by our inversion algorithm. An additio...