Hardware Accelerator for the Tate Pairing in Characteristic Three Based on Karatsuba-Ofman Multipliers

  • Jean-Luc Beuchat
  • Jérémie Detrey
  • Nicolas Estibals
  • Eiji Okamoto
  • Francisco Rodríguez-Henríquez
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


This paper is devoted to the design of fast parallel accelerators for the cryptographic Tate pairing in characteristic three over supersingular elliptic curves. We propose here a novel hardware implementation of Miller’s loop based on a pipelined Karatsuba-Ofman multiplier. Thanks to a careful selection of algorithms for computing the tower field arithmetic associated to the Tate pairing, we manage to keep the pipeline busy. We also describe the strategies we considered to design our parallel multiplier. They are included in a VHDL code generator allowing for the exploration of a wide range of operators. Then, we outline the architecture of a coprocessor for the Tate pairing over \(\mathbb{F}_{3^m}\). However, a final exponentiation is still needed to obtain a unique value, which is desirable in most of the cryptographic protocols. We supplement our pairing accelerator with a coprocessor responsible for this task. An improved exponentiation algorithm allows us to save hardware resources.

According to our place-and-route results on Xilinx FPGAs, our design improves both the computation time and the area-time trade-off compared to previously published coprocessors.


Keywords: Tate pairing, \(\eta_T\) pairing, elliptic curve, finite field arithmetic, Karatsuba-Ofman multiplier, hardware accelerator, FPGA



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Luc Beuchat (1)
  • Jérémie Detrey (2)
  • Nicolas Estibals (2)
  • Eiji Okamoto (1)
  • Francisco Rodríguez-Henríquez (3)

  1. Graduate School of Systems and Information Engineering, University of Tsukuba, Ibaraki, Japan
  2. CACAO project-team, LORIA, INRIA Nancy - Grand Est, Villers-les-Nancy Cédex, France
  3. Computer Science Department, Centro de Investigación y de Estudios Avanzados del IPN, México City, México
