
Hardware Operators for Pairing-Based Cryptography

— Part I: Because size matters —

Jean-Luc Beuchat
Laboratory of Cryptography and Information Security, University of Tsukuba, Japan
jeanluc.beuchat@gmail.com

Joint work with:
  • Nicolas Brisebarre, Arénaire, LIP, ENS Lyon, France
  • Jérémie Detrey, CACAO, LORIA, Nancy, France
  • Nicolas Estibals, CACAO, LORIA, Nancy, France
  • Eiji Okamoto, LCIS, University of Tsukuba, Japan
  • Francisco Rodríguez-Henríquez, CSD, IPN, Mexico City, Mexico

Outline of the talk

◮ Pairing-based cryptography
◮ Pairings over elliptic curves
◮ Finite-field arithmetic
◮ Implementation results
◮ Concluding thoughts

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 1 / 38


Elliptic curves

◮ E defined by a Weierstraß equation of the form $y^2 = x^3 + Ax + B$
◮ E(K), the set of rational points over a field K
◮ Additive group law over E(K)
  (figure: two points P and Q on E and their sum P + Q)
◮ Many applications in cryptography since 1985
  • EC-based Diffie-Hellman key exchange
  • EC-based Digital Signature Algorithm
  • ...
◮ Interest: smaller keys than usual cryptosystems (RSA, DSA, ElGamal, ...)
◮ But there's more: bilinear pairings

Group cryptography

◮ $(\mathbb{G}_1, +)$, an additively-written cyclic group of prime order $\#\mathbb{G}_1 = \ell$
◮ P, a generator of the group: $\mathbb{G}_1 = \langle P \rangle$
◮ Scalar multiplication: for any integer k, we have $kP = \underbrace{P + P + \cdots + P}_{k \text{ times}}$
◮ Discrete logarithm: given $Q \in \mathbb{G}_1$, compute k such that $Q = kP$
  (figure: computing Q = kP from P and k is easy; recovering k from P and Q is the discrete logarithm)
◮ We assume that the discrete logarithm problem (DLP) in $\mathbb{G}_1$ is hard

Bilinear pairings

◮ $(\mathbb{G}_2, \times)$, a multiplicatively-written cyclic group of order $\#\mathbb{G}_2 = \#\mathbb{G}_1 = \ell$
◮ A bilinear pairing on $(\mathbb{G}_1, \mathbb{G}_2)$ is a map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ that satisfies the following conditions:
  • non-degeneracy: $\hat{e}(P, P) \neq 1_{\mathbb{G}_2}$ (equivalently, $\hat{e}(P, P)$ generates $\mathbb{G}_2$)
  • bilinearity: $\hat{e}(Q_1 + Q_2, R) = \hat{e}(Q_1, R) \cdot \hat{e}(Q_2, R)$ and $\hat{e}(Q, R_1 + R_2) = \hat{e}(Q, R_1) \cdot \hat{e}(Q, R_2)$
  • computability: $\hat{e}$ can be efficiently computed
◮ Immediate property: for any two integers $k_1$ and $k_2$, $\hat{e}(k_1 Q, k_2 R) = \hat{e}(Q, R)^{k_1 k_2}$
  (figure: pairing $k_1 Q$ with $k_2 R$ yields $\hat{e}(Q, R)$ raised to the power $k_1 k_2$)

Pairings in cryptography

◮ At first, used to attack supersingular elliptic curves
  • Menezes-Okamoto-Vanstone and Frey-Rück attacks, 1993 and 1994: $\mathrm{DLP}_{\mathbb{G}_1} \leq_P \mathrm{DLP}_{\mathbb{G}_2}$, since the pairing maps $kP \mapsto \hat{e}(kP, P) = \hat{e}(P, P)^k$
  • for cryptographic applications, we will also require the DLP in $\mathbb{G}_2$ to be hard
◮ One-round three-party key agreement (Joux, 2000)
◮ Identity-based encryption
  • Boneh-Franklin, 2001
  • Sakai-Kasahara, 2001
◮ Short digital signatures
  • Boneh-Lynn-Shacham, 2001
  • Zhang-Safavi-Naini-Susilo, 2004
◮ ...

Short signature (Boneh, Lynn & Shacham, 2001)

(figure: Alice holds the secret key a; the PKI publishes P and her public key aP, which Bob retrieves)
◮ D: message digest (an element of $\mathbb{G}_1$)
◮ Signature: aD, sent to Bob together with D
◮ Verification by Bob: $\hat{e}(D, aP) = \hat{e}(aD, P)$
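The pairing axioms of the previous slides and the BLS sign/verify flow above, in a toy model added here (not code from the talk or its authors). Constructed assumptions: $\mathbb{G}_1 = (\mathbb{Z}_\ell, +)$ with $\ell = 1019$ and P = 1, $\mathbb{G}_2 = \mu_\ell \subset \mathbb{F}_{2039}^\times$, $\hat{e}(Q, R) = g^{QR}$, and SHA-256 reduced modulo $\ell$ as the digest D; this reproduces the algebra the verification equation relies on but none of the security, since the discrete logarithm in this $\mathbb{G}_1$ is trivial.

```python
"""Toy bilinear pairing and Boneh-Lynn-Shacham short signature (added example,
not the talk's code).  Constructed groups: G1 = (Z_l, +) with generator P = 1,
so the 'point' kP is just k mod l; G2 = mu_l, the order-l subgroup of F_p^*
with p = 2l + 1; pairing e(Q, R) = g^(Q*R).  Algebra only: DLP in G1 is trivial."""
import hashlib

ELL = 1019                               # prime group order l (constructed)
P_MOD = 2 * ELL + 1                      # prime p = 2039, so l divides p - 1
G = pow(2, (P_MOD - 1) // ELL, P_MOD)    # element of order l in F_p^*: generates mu_l
P = 1                                    # generator of G1 = (Z_l, +)
ONE_G2 = 1                               # identity element of G2


def scalar_mul(k: int, q: int) -> int:
    """kQ in G1 (repeated addition, here just multiplication mod l)."""
    return (k * q) % ELL


def pairing(q: int, r: int) -> int:
    """e(Q, R) = g^(Q*R mod l), an l-th root of unity in F_p^*."""
    return pow(G, (q * r) % ELL, P_MOD)


def check_pairing_axioms(q1: int, q2: int, r: int, k1: int, k2: int) -> bool:
    """Non-degeneracy, bilinearity in both arguments and e(k1 Q, k2 R) = e(Q, R)^(k1 k2)."""
    non_degenerate = pairing(P, P) != ONE_G2
    left_linear = pairing((q1 + q2) % ELL, r) == pairing(q1, r) * pairing(q2, r) % P_MOD
    right_linear = pairing(q1, (q2 + r) % ELL) == pairing(q1, q2) * pairing(q1, r) % P_MOD
    power_rule = (pairing(scalar_mul(k1, q1), scalar_mul(k2, r))
                  == pow(pairing(q1, r), k1 * k2, P_MOD))
    return non_degenerate and left_linear and right_linear and power_rule


def hash_to_g1(msg: bytes) -> int:
    """Message digest D as an element of G1 (SHA-256 reduced mod l; constructed choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % ELL


def keygen(a: int) -> tuple:
    """Alice's secret a and the public key aP she registers with the PKI."""
    a %= ELL
    return a, scalar_mul(a, P)


def sign(a: int, msg: bytes) -> int:
    """Signature aD: a single element of G1, hence 'short'."""
    return scalar_mul(a, hash_to_g1(msg))


def verify(pk: int, msg: bytes, sig: int) -> bool:
    """Bob's check: e(D, aP) == e(aD, P), using only P, the public key and the digest."""
    d = hash_to_g1(msg)
    return pairing(d, pk) == pairing(sig, P)


if __name__ == "__main__":
    a, pk = keygen(123)
    msg = b"constructed sample message"
    sig = sign(a, msg)
    print("pairing axioms hold:", check_pairing_axioms(5, 7, 11, 3, 4))
    print("genuine signature verifies:", verify(pk, msg, sig))
    print("forged signature rejected:", not verify(pk, msg, (sig + 1) % ELL))
```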


Pairings over elliptic curves

◮ We first define
  • $\mathbb{F}_q$, a finite field, with $q = 2^m$, $3^m$ or $p$
  • E, an elliptic curve defined over $\mathbb{F}_q$
  • $\ell$, a large prime factor of $\#E(\mathbb{F}_q)$
◮ $\mathbb{G}_1 = E(\mathbb{F}_q)[\ell]$, the $\mathbb{F}_q$-rational $\ell$-torsion of E:
  • $\mathbb{G}_1 = \{P \in E(\mathbb{F}_q) \mid \ell P = O\}$
◮ $\mathbb{G}_2 = \mu_\ell$, the group of $\ell$-th roots of unity in $\mathbb{F}_{q^k}^\times$:
  • $\mathbb{G}_2 = \{U \in \mathbb{F}_{q^k}^\times \mid U^\ell = 1\}$
◮ k is the embedding degree, the smallest integer such that $\mu_\ell \subseteq \mathbb{F}_{q^k}^\times$
  • usually large for ordinary elliptic curves
  • bounded in the case of supersingular elliptic curves (4 in characteristic 2; 6 in characteristic 3; and 2 in characteristic > 3)

The Tate pairing

(figure: the points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ of E are mapped to $\hat{e}(P, Q) \in \mu_\ell$)

$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^\times$, $(P, Q) \mapsto \hat{e}(P, Q)$

◮ Computation via Miller's iterative algorithm:
  • m/2 iterations over $\mathbb{F}_{2^m}$ and $\mathbb{F}_{3^m}$ ($\eta_T$ pairing)
  • $\log_2 p$ iterations over $\mathbb{F}_p$

Security considerations

(figure: from aP, recovering a is the discrete logarithm in $\mathbb{G}_1$; pairing aP with P gives $\hat{e}(aP, P) = \hat{e}(P, P)^a$, from which recovering a is the discrete logarithm in $\mathbb{G}_2$)
◮ Discrete logarithm problem should be hard in $\mathbb{G}_1$
◮ Discrete logarithm problem should be hard in $\mathbb{G}_2$

Security considerations

$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^\times$

◮ Discrete logarithm in $\mathbb{G}_1 = E(\mathbb{F}_q)[\ell]$ (Pollard's $\rho$): $\sqrt{\ell} \approx \sqrt{q} = \exp\left(\tfrac{1}{2} \cdot \ln q\right)$
◮ Discrete logarithm in $\mathbb{G}_2 = \mu_\ell \subseteq \mathbb{F}_{q^k}^\times$ (FFS or NFS): $\exp\left(c \cdot (\ln q^k)^{1/3} \cdot (\ln \ln q^k)^{2/3}\right)$
◮ The discrete logarithm problem is usually easier in $\mathbb{G}_2$ than in $\mathbb{G}_1$
  • current security: $\sim 2^{80}$, equivalent to 80-bit symmetric encryption or RSA-1024
  • recommended security: $\sim 2^{128}$ (AES-128, RSA-3072)

Security considerations

$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^\times$

◮ The embedding degree k depends on the field characteristic q

  Base field (F_q)            F_2^m       F_3^m      F_p
  Embedding degree (k)        4           6          2
  Lower security (~2^64)      m = 239     m = 97     |p| ≈ 256 bits
  Medium security (~2^80)     m = 373     m = 163    |p| ≈ 512 bits
  Higher security (~2^128)    m = 1103    m = 503    |p| ≈ 1536 bits

◮ $\mathbb{F}_{2^m}$: simpler finite field arithmetic
◮ $\mathbb{F}_{3^m}$: smaller field extension
◮ $\mathbb{F}_p$: prohibitive field sizes

Computation of the Tate pairing

$\hat{e} : E(\mathbb{F}_{p^m})[\ell] \times E(\mathbb{F}_{p^m})[\ell] \to \mu_\ell \subseteq \mathbb{F}_{p^{km}}^\times$

◮ Arithmetic over $\mathbb{F}_{p^m}$:
  • polynomial basis: $\mathbb{F}_{p^m} \cong \mathbb{F}_p[x]/(f(x))$
  • $f(x)$, degree-m polynomial irreducible over $\mathbb{F}_p$
◮ Arithmetic over $\mathbb{F}_{p^{km}}^\times$:
  • tower-field representation
  • only arithmetic over the underlying field $\mathbb{F}_{p^m}$
◮ Operations over $\mathbb{F}_{p^m}$:

                 Characteristic 2                Characteristic 3
  Base field     F_2^m            F_2^313        F_3^m             F_3^127
  +/−            27⌊m/2⌋ + 75     4287           119⌊m/4⌋ + 260    3949
  ×              7⌊m/2⌋ + 29      1121           25⌊m/4⌋ + 93      868
  a^p            6m + 9           1887           17⌊m/2⌋ + 8       1079
  a^(−1)         1                1              1                 1

◮ Software not well suited to small characteristic: need for hardware acceleration


Outline of the talk

◮ Pairing-based cryptography
◮ Pairings over elliptic curves
◮ Finite-field arithmetic (only in characteristic 3)
◮ Implementation results
◮ Concluding thoughts

Arithmetic over $\mathbb{F}_{3^m}$

◮ $f \in \mathbb{F}_3[x]$: degree-m irreducible polynomial over $\mathbb{F}_3$, $f = x^m + f_{m-1}x^{m-1} + \cdots + f_1 x + f_0$
◮ $\mathbb{F}_{3^m} \cong \mathbb{F}_3[x]/(f)$
◮ $a \in \mathbb{F}_{3^m}$: $a = a_{m-1}x^{m-1} + \cdots + a_1 x + a_0$
◮ Each element of $\mathbb{F}_3$ stored using two bits

Addition over $\mathbb{F}_{3^m}$

(figure: the coefficient pairs $(a_{m-1}, b_{m-1}), \ldots, (a_1, b_1), (a_0, b_0)$ each feed an adder modulo 3; addition table of $\mathbb{F}_3$:)

    + | 0 1 2
    --+------
    0 | 0 1 2
    1 | 1 2 0
    2 | 2 0 1

◮ $r = a + b = (a_{m-1} + b_{m-1})x^{m-1} + \cdots + (a_1 + b_1)x + (a_0 + b_0)$
  • coefficient-wise additions over $\mathbb{F}_3$: $r_i = (a_i + b_i) \bmod 3$
  • addition over $\mathbb{F}_3$: small look-up tables

Addition, subtraction and accumulation over $\mathbb{F}_{3^m}$

(figure: adder/subtracter datapath with input registers R0 and R1 loaded under control signals c0 to c5, an add/sub selection on each operand, and a feedback loop with enable for accumulation into r)
  • sign selection: multiplication by 1 or 2, since $-a \equiv 2a \pmod 3$
  • feedback loop for accumulation

Multiplication over $\mathbb{F}_{3^m}$

◮ Parallel-serial multiplication
  • multiplicand loaded in a parallel register
  • multiplier loaded in a shift register
◮ Most significant coefficients first (Horner scheme)
◮ D coefficients processed at each clock cycle: $\lceil m/D \rceil$ cycles per multiplication

slide-93
SLIDE 93

20

Multiplication over ❋3m

◮ Example for D = 3 (3 coefficients per iteration):

b a xm−1 1 x x2 · · · bm−3 bm−1 bm−2 a a a · · · · x2 · x ) mod f ) mod f ( ( r (partial sum) mod f ) · x2 a mod f ) · x a a (bm−1 · (bm−2 · bm−3 · bm−5 bm−4 bm−6 a a a · · · · x · x2 · x3 ) mod f ) mod f ) mod f ( ( ( r (partial sum)

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 20 / 38

slide-94
SLIDE 94

20

Multiplication over ❋3m

◮ Example for D = 3 (3 coefficients per iteration):

b a xm−1 1 x x2 · · · bm−3 bm−1 bm−2 a a a · · · · x2 · x ) mod f ) mod f ( ( r (partial sum) mod f ) · x2 a mod f ) · x a a (bm−1 · (bm−2 · bm−3 · bm−5 bm−4 bm−6 a a a · · · · x · x2 · x3 ) mod f ) mod f ) mod f ( ( ( r (partial sum) mod f ) · x3 mod f ) · x2 a mod f ) · x a a r ( (bm−4 · (bm−5 · bm−6 ·

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 20 / 38

slide-95
SLIDE 95

20

Multiplication over ❋3m

◮ Example for D = 3 (3 coefficients per iteration):

b a xm−1 1 x x2 · · · bm−3 bm−1 bm−2 a a a · · · · x2 · x ) mod f ) mod f ( ( r (partial sum) mod f ) · x2 a mod f ) · x a a (bm−1 · (bm−2 · bm−3 · bm−5 bm−4 bm−6 a a a · · · · x · x2 · x3 ) mod f ) mod f ) mod f ( ( ( r (partial sum) mod f ) · x3 mod f ) · x2 a mod f ) · x a a r ( (bm−4 · (bm−5 · bm−6 ·

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 20 / 38

slide-96
SLIDE 96

20

Multiplication over F_{3^m}

◮ Example for D = 3 (3 coefficients per iteration):

[Figure: data flow of the multiplier for D = 3. Iteration 1 takes b_{m−1}, b_{m−2}, b_{m−3} and forms the partial sum r ← ((b_{m−1}·a)·x² mod f + (b_{m−2}·a)·x mod f + b_{m−3}·a) mod f. Iteration 2 takes b_{m−4}, b_{m−5}, b_{m−6} and computes r ← (r·x³ mod f + (b_{m−4}·a)·x² mod f + (b_{m−5}·a)·x mod f + b_{m−6}·a) mod f, and so on for the remaining coefficients of b.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 20 / 38

slide-100
SLIDE 100

21

Multiplication over F_{3^m}

◮ Computing the partial products b_j · a:

  • coefficient-wise multiplication over F_3: (b_j · a_i) mod 3
  • multiplications over F_3: small look-up tables

◮ Multiplication by x^j: simple shift (only wires)
◮ Modulo f reduction:

  • f = x^m + f_{m−1}x^{m−1} + ··· + f_1x + f_0 gives

$$x^m \equiv (-f_{m-1})x^{m-1} + \cdots + (-f_1)x + (-f_0) \pmod f$$

  • highest degree of polynomial to reduce: m + D − 1
  • if f is carefully selected (e.g. a trinomial or pentanomial), only a few multiplications and additions over F_3 are needed
  • example for m = 97: f = x^97 + x^12 + 2

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 21 / 38

slide-101
SLIDE 101

22

Multiplication over F_{3^m}

◮ Example for D = 3 (3 coefficients per iteration):

[Figure: multiplier architecture for D = 3: operand b in a shift register (load/shift), operand a, three partial product generators (PPG), ×x, ×x² and ×x³ blocks each followed by a mod f reduction, registers R0 and R1 holding the partial sum r, and control signals c0–c4 (load, shift, enable, clear).]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 22 / 38

slide-103
SLIDE 103

23

Frobenius map over F_{3^m}: cubing

◮ Since $\binom{3}{1} = \binom{3}{2} = 3$:

$$a^3 \equiv a_{m-1}x^{3(m-1)} + \cdots + a_1x^3 + a_0 \pmod 3$$

◮ Degree-(3m − 3) polynomial: requires a modulo f reduction
◮ Symbolic computation of the reduction: each coefficient of the result is a linear combination of the $a_i$'s:

$$a^3 \bmod f = \sum_{j=0}^{n-1} w_j \cdot \mu_j \quad \text{with } w_j \in \mathbb{F}_3,\ \mu_j \in \mathbb{F}_{3^m},\ \text{and } \mu_{j,i} \in \{0\} \cup \{a_{m-1}, \ldots, a_1, a_0\}$$

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 23 / 38

slide-106
SLIDE 106

24

Frobenius map over F_{3^m}

◮ Example for m = 97 and f = x97 + x12 + 2:

$$\begin{aligned}
a^3 \bmod f &= (a_{32}x^{96} + a_{64}x^{95} + a_{96}x^{94} + \cdots + a_{33}x^2 + a_{65}x + a_0) \times 1 \\
&\quad + (a_{88}x^{94} + \cdots + a_{89}) \times 1 \\
&\quad + (a_{92}x^{94} + \cdots + a_{93}) \times 1 \\
&\quad + (a_{60}x^{95} + \cdots + a_{61}x + 0) \times 2 \\
&= (a_{32}x^{96} + a_{64}x^{95} + a_{96}x^{94} + \cdots + a_{33}x^2 + a_{65}x + a_0) \times 1 \\
&\quad + (a_{60}x^{95} + a_{88}x^{94} + \cdots + a_{61}x + a_{89}) \times 1 \\
&\quad + (a_{60}x^{95} + a_{92}x^{94} + \cdots + a_{61}x + a_{93}) \times 1
\end{aligned}$$

◮ Required hardware:

  • only wires to compute the µ_j's
  • multiplications over F_3 for the weights w_j
  • multi-operand addition over F_{3^m}

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 24 / 38

slide-107
SLIDE 107

25

Frobenius map over F_{3^m}

[Figure: cubing unit: input a loaded into register R0, the operands µ0, µ1, µ2 obtained by wiring, multipliers by ±w0, ±w1, ±w2 feeding a multi-operand adder, output r, and control signals c0–c3 (load, enable, select sign).]

  • feedback loop for successive cubings
  • sign selection for computing either a3 or −a3

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 25 / 38

slide-112
SLIDE 112

26

Inversion over F_{3^m}

◮ Extended Euclidean Algorithm?

  • fast computation
  • ... but need for additional hardware

◮ Our solution: Fermat's little theorem $a^{-1} = a^{3^m - 2}$ in F_{3^m} (a ≠ 0)

  • algorithm by Itoh and Tsujii
  • requires only multiplications and cubings over F_{3^m}
  • only one inversion for the full pairing: delay overhead is negligible (< 1%)

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 26 / 38
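The arithmetic of slides 20 to 26 carried through in software, as an added example rather than the talk's own VHDL: digit-serial multiplication with D = 3, reduction by the trinomial f = x^97 + x^12 + 2 for m = 97, cubing as the Frobenius map, and inversion through Fermat's little theorem with the Itoh-Tsujii chain. The coefficient-list representation, the function names and the recursive form of the Itoh-Tsujii chain are this example's own choices, not taken from the slides.

```python
# Added example (not the talk's own VHDL): F_{3^m} arithmetic for the slide-21
# parameters m = 97, f = x^97 + x^12 + 2, built from the operations the talk
# describes. An element is a list of m coefficients in {0,1,2}, index i = x^i.
M = 97
D = 3                     # coefficients of b consumed per iteration (slide 20)
F_LOW = {12: 1, 0: 2}     # terms of f below x^m, so x^m = -(x^12 + 2) mod f

def poly(terms):
    """Element from {exponent: coefficient}; poly({64: 1}) is x^64."""
    p = [0] * M
    for k, c in terms.items():
        p[k] = c % 3
    return p

def reduce_mod_f(p):
    """Reduce a coefficient list of any degree mod f, highest degree first
    (slide 21): c*x^k with k >= m is replaced by -c * (x^12 + 2) * x^(k-m)."""
    p = list(p)
    for k in range(len(p) - 1, M - 1, -1):
        c = p[k] % 3
        if c:
            p[k] = 0
            for i, fi in F_LOW.items():
                p[k - M + i] = (p[k - M + i] - c * fi) % 3
    p = [c % 3 for c in p[:M]]
    return p + [0] * (M - len(p))

def mul(a, b):
    """Digit-serial multiplier of slides 20-22: D coefficients of b per
    iteration, most significant first, r <- (r*x^D + sum b_j*a*x^j) mod f."""
    r = [0] * M
    digits = [0] * ((-M) % D) + b[::-1]   # b_{m-1}..b_0, padded to a multiple of D
    for t in range(0, len(digits), D):
        acc = [0] * D + r                 # r * x^D: degree at most m + D - 1
        for j in range(D):                # partial product b_j * a, shifted by x^(D-1-j)
            if digits[t + j]:
                for i, ai in enumerate(a):
                    acc[i + D - 1 - j] = (acc[i + D - 1 - j] + digits[t + j] * ai) % 3
        r = reduce_mod_f(acc)
    return r

def cube(a):
    """Frobenius map (slide 23): in characteristic 3, a^3 = sum a_i x^(3i), a
    degree-3(m-1) polynomial that only needs a reduction modulo f."""
    p = [0] * (3 * (M - 1) + 1)
    for i, ai in enumerate(a):
        p[3 * i] = ai
    return reduce_mod_f(p)

def frobenius(a, k):
    """a^(3^k) by k successive cubings (the feedback loop of slide 25)."""
    for _ in range(k):
        a = cube(a)
    return a

def inverse(a):
    """a^-1 = a^(3^m - 2) (Fermat, slide 26) by Itoh-Tsujii, using only
    multiplications and cubings. With E(k) = a^((3^k - 1)/2):
    E(2k) = E(k) * E(k)^(3^k), E(k+1) = a * E(k)^3, a^-1 = a * E(m-1)^3 * E(m-1)^3."""
    def e(k):
        if k == 1:
            return a
        if k % 2 == 0:
            h = e(k // 2)
            return mul(h, frobenius(h, k // 2))
        return mul(a, cube(e(k - 1)))
    t = cube(e(M - 1))                    # E(m-1)^3
    return mul(mul(a, t), t)

if __name__ == "__main__":
    a = poly({96: 1, 50: 2, 12: 1, 0: 2})   # constructed sample element
    print(mul(a, inverse(a)) == poly({0: 1}), cube(a) == mul(mul(a, a), a))
```

cube(poly({64: 1})) returns x^95 + x^22 + 2x^10, whose x^95 term is the a_64 entry of slide 24, and mul(a, inverse(a)) returns the constant 1 for every nonzero a because the slide's f is irreducible over F_3.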

slide-114
SLIDE 114

27

The full processing element

[Figure: processing element with three separate operators (multiplication, addition, Frobenius), inputs a and b, output r, and a control block.]

◮ For the Tate pairing: limited parallelism between additions, multiplications and Frobenius maps
◮ Can we share hardware resources between the three operators?

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 27 / 38

slide-115
SLIDE 115

28

What can we share?

◮ Input and output registers
◮ Partial product generators:

  • sign selection for the addition / subtraction
  • partial products for the multiplication
  • multiplication by the wj’s for the Frobenius map

◮ Multi-operand addition tree
◮ Feedback loops for accumulation

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 28 / 38

slide-116
SLIDE 116

29

Our unified operator

[Figure: the unified operator. Inputs a and b (b in a shift register with load/shift), three partial product generators (PPG) shared by the three operations, ×x, ×x² and ×x³ blocks each followed by a mod f reduction, the µ1, µ2, µ3 wiring used for cubing, an accumulation register r with feedback, and control signals c0–c10 (load, shift, select, multiplication, cubing, accumulate, enable).]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 29 / 38

slide-120
SLIDE 120

30

Outline of the talk

◮ Pairing-based cryptography ◮ Pairings over elliptic curves ◮ Finite-field arithmetic ◮ Implementation results ◮ Concluding thoughts

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 30 / 38

slide-121
SLIDE 121

31

Experimental setup

◮ Full coprocessor for computation of the Tate pairing
◮ Architecture based on our unified operator
◮ Prototyped on a Xilinx Virtex-II Pro 20 FPGA (mid-range model)
◮ Post place-and-route results: area, computation time, AT product

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 31 / 38

slide-122
SLIDE 122

32

Coprocessor area (characteristic 2)

[Plot: area usage [%] (10%–80%) against equivalent symmetric key size [bits] (65–90) for characteristic 2, one curve each for D = 7, D = 15 and D = 31.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 32 / 38

slide-123
SLIDE 123

32

Coprocessor area (characteristic 3)

[Plot: area usage [%] (10%–80%) against equivalent symmetric key size [bits] (65–90) for characteristic 3, one curve each for D = 3, D = 7 and D = 15.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 32 / 38

slide-124
SLIDE 124

32

Coprocessor area

[Plot: area usage [%] (10%–80%) against equivalent symmetric key size [bits] (65–90), both characteristics overlaid: characteristic 2 with D = 7, 15, 31 and characteristic 3 with D = 3, 7, 15.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 32 / 38

slide-125
SLIDE 125

33

Calculation time (characteristic 2)

[Plot: calculation time [µs] (100–800) against equivalent symmetric key size [bits] (65–90) for characteristic 2, one curve each for D = 7, D = 15 and D = 31.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 33 / 38

slide-126
SLIDE 126

33

Calculation time (characteristic 3)

[Plot: calculation time [µs] (100–800) against equivalent symmetric key size [bits] (65–90) for characteristic 3, one curve each for D = 3, D = 7 and D = 15.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 33 / 38

slide-127
SLIDE 127

33

Calculation time

[Plot: calculation time [µs] (100–800) against equivalent symmetric key size [bits] (65–90), both characteristics overlaid: characteristic 2 with D = 7, 15, 31 and characteristic 3 with D = 3, 7, 15.]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 33 / 38

slide-131
SLIDE 131

34

Comparison with published results

[Plot: AT product (logarithmic scale, 0.1–100) against equivalent symmetric key size [bits] (65–90): results from the literature, unified operator in char. 2 (D = 15), unified operator in char. 3 (D = 7), parallel operator in char. 2, parallel operator in char. 3, with a marker asking where AES-128 equivalence would fall ("AES-128?").]

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 34 / 38

slide-132
SLIDE 132

35

Outline of the talk

◮ Pairing-based cryptography ◮ Pairings over elliptic curves ◮ Finite-field arithmetic ◮ Implementation results ◮ Concluding thoughts

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 35 / 38

slide-137
SLIDE 137

36

Concluding thoughts

◮ Characteristic 3 performs slightly better than characteristic 2

  • at least on our unified architecture
  • the good overall performance gives stronger confidence in this observation
  • not true anymore on parallel architectures: the battle is not over!

◮ Unified operator

  • small but also competitively fast
  • parameter D to explore the area-time tradeoff
  • high scalability: support for larger extension degrees and higher levels of security
  • automatic VHDL generation: ultra-fast development

◮ Perspectives

  • parallel architectures (work in progress with N. Cortez-Duarte and N. Estibals)
  • hyperelliptic curves (work in progress with G. Hanrot on genus 2)
  • Ate pairing
  • pairings on Edwards curves
  • AES-128-equivalent security!

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 36 / 38

slide-138
SLIDE 138

37

With thanks to our sponsor

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 37 / 38

slide-139
SLIDE 139

38

Thank you for your attention

Questions?

Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 38 / 38