Designing an ASIP for Cryptographic Pairings over Barreto-Naehrig Curves

  • David Kammler
  • Diandian Zhang
  • Peter Schwabe
  • Hanno Scharwaechter
  • Markus Langenberg
  • Dominik Auras
  • Gerd Ascheid
  • Rudolf Mathar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


This paper presents a design-space exploration of an application-specific instruction-set processor (ASIP) for the computation of various cryptographic pairings over Barreto-Naehrig curves (BN curves). Cryptographic pairings are based on elliptic curves over finite fields—in the case of BN curves a field \(\mathbb{F}_p\) of large prime order p. Efficient arithmetic in these fields is crucial for fast computation of pairings. Moreover, computation of cryptographic pairings is much more complex than elliptic-curve cryptography (ECC) in general. Therefore, we facilitate programming of the proposed ASIP by providing a C compiler.

In order to speed up \(\mathbb{F}_p\) arithmetic, a RISC core is extended with additional scalable functional units. Because the resulting speedup can be limited by the memory throughput, utilization of multiple data-memory banks is proposed.

The presented design needs 15.8 ms for the computation of the Optimal-Ate pairing over a 256-bit BN curve at 338 MHz implemented with a 130 nm standard cell library. The processor core consumes 97 kGates making it suitable for the use in embedded systems.


Application-specific instruction-set processor (ASIP) design-space exploration pairing-based cryptography Barreto-Naehrig curves elliptic-curve cryptography (ECC) \(\mathbb{F}_p\) arithmetic 


  1. 1.
    Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Information Theory 39(5), 1639–1646 (1993)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Frey, G., Rück, H.G.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. of Computation 62(206), 865–874 (1994)MathSciNetMATHGoogle Scholar
  3. 3.
    Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Boneh, D.: A brief look at pairings based cryptography. In: Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science – FOCS 2007, pp. 19–26 (2007)Google Scholar
  7. 7.
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management – part 1: General (revised). National Institute of Standards and Technology, NIST Special Publication 800-57 (2007)
  9. 9.
    Näslund, M.: Ecrypt yearly report on algorithms and keysizes (2007-2008) (2008),
  10. 10.
    Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Grabher, P., Großschädl, J., Page, D.: On software parallel implementation of cryptographic pairings. Cryptology ePrint Archive, Report 2008/205 (2008),
  12. 12.
    Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. Cryptology ePrint Archive, Report 2007/309 (2007),
  14. 14.
    Beuchat, J.-L., Brisebarre, N., Detrey, J., Okamoto, E., Rodríguez-Henríquez, F.: A comparison between hardware accelerators for the modified Tate pairing over \(\mathbb{F}_{2^m}\) and \(\mathbb{F}_{3^m}\). In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 297–315. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Beuchat, J.-L., Brisebarre, N., Detrey, J., Okamoto, E., Shirase, M., Takagi, T.: Algorithms and arithmetic operators for computing the ηt pairing in characteristic three. IEEE Trans. Comput. 57(11), 1454–1468 (2008)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Beuchat, J.-L., Shirase, M., Takagi, T., Okamoto, E.: An algorithm for the ηt pairing calculation in characteristic three and its hardware implementation. In: Proc. 18th IEEE Symp. Computer Arithmetic – ARITH 2007, pp. 97–104 (2007)Google Scholar
  17. 17.
    Beuchat, J.-L., Doi, H., Fujita, K., Inomata, A., Kanaoka, A., Katouno, M., Mambo, M., Okamoto, E., Okamoto, T., Shiga, T., Shirase, M., Soga, R., Takagi, T., Vithanage, A., Yamamoto, H.: FPGA and ASIC implementations of the ηt pairing in characteristic three. Cryptology ePrint Archive, Report 2008/280 (2008),
  18. 18.
    Shu, C., Kwon, S., Gaj, K.: FPGA accelerated Tate pairing based cryptosystems over binary fields. In: Proc. IEEE Int’l Conf. Field Programmable Technology – FPT 2006, pp. 173–180 (2006)Google Scholar
  19. 19.
    Keller, M., Ronan, R., Marnane, W., Murphy, C.: Hardware architectures for the Tate pairing over GF(2m). Computers & Electrical Eng. 33(5-6), 392–406 (2007)CrossRefMATHGoogle Scholar
  20. 20.
    Keller, M., Kerins, T., Crowe, F., Marnane, W.: FPGA implementation of a GF(2m) Tate pairing architecture. In: Bertels, K., Cardoso, J.M.P., Vassiliadis, S. (eds.) ARC 2006. LNCS, vol. 3985, pp. 358–369. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  21. 21.
    Ronan, R., Ó hÉigeartaigh, C., Murphy, C., Scott, M., Kerins, T.: FPGA acceleration of the Tate pairing in characteristic 2. In: Proc. IEEE Int’l Conf. Field Programmable Technology, pp. 213–220 (2006)Google Scholar
  22. 22.
    Grabher, P., Page, D.: Hardware acceleration of the Tate pairing in characteristic three. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 398–411. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  23. 23.
    Jiang, J.: Bilinear pairing (Eta_T pairing) IP core. Technical report (2007),
  24. 24.
    Kerins, T., Marnane, W.P., Popovici, E.M., Barreto, P.S.L.M.: Efficient hardware for the Tate pairing calculation in characteristic three. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 412–426. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Ronan, R., Murphy, C., Kerins, T., Ó hÉigeartaigh, C., Barreto, P.S.L.M.: A flexible processor for the characteristic 3 ηt pairing. Int’l J. High Performance Systems Architecture 1(2), 79–88 (2007)CrossRefGoogle Scholar
  26. 26.
    Kömürcü, G., Savas, E.: An efficient hardware implementation of the Tate pairing in characteristic three. In: Proc. Third Int’l Conf. Systems – ICONS 2008, pp. 23–28 (2008)Google Scholar
  27. 27.
    Barenghi, A., Bertoni, G., Breveglieri, L., Pelosi, G.: A FPGA coprocessor for the cryptographic Tate pairing over \(\mathbb{F}_p\). In: Proc. Fifth Int’l Conf. Information Technology: New Generations – ITNG 2008, pp. 112–119 (2008)Google Scholar
  28. 28.
    Vejda, T., Page, D., Großschädl, J.: Instruction set extensions for pairing-based cryptography. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 208–224. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  29. 29.
    Satoh, A., Takano, K.: A scalable dual-field elliptic curve cryptographic processor. IEEE Trans. Computers 52(4), 449–460 (2003)CrossRefGoogle Scholar
  30. 30.
    Chen, G., Bai, G., Chen, H.: A high-performance elliptic curve cryptographic processor for general curves over GF(p) based on a systolic arithmetic unit. IEEE Trans. Circuits and Systems II: Express Briefs 54(5), 412–416 (2007)CrossRefGoogle Scholar
  31. 31.
    Güneysu, T., Paar, C.: Ultra high performance ECC over NIST primes on commercial FPGAs. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 62–78. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  32. 32.
    Galbraith, S.: Pairings. In: Blake, I.F., Seroussi, G., Smart, N.P. (eds.) Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge (2005)Google Scholar
  33. 33.
    Miller, V.S.: The Weil pairing, and its efficient calculation. J. Cryptology 17, 235–261 (2004)MathSciNetCrossRefMATHGoogle Scholar
  34. 34.
    Hess, F., Smart, N.P., Vercauteren, F.: The Eta pairing revisited. IEEE Trans. Information Theory 52(10), 4595–4602 (2006)MathSciNetCrossRefMATHGoogle Scholar
  35. 35.
    Lee, E., Lee, H.S., Park, C.M.: Efficient and generalized pairing computation on Abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008),
  36. 36.
    Vercauteren, F.: Optimal pairings. Cryptology ePrint Archive, Report 2008/096 (2008),
  37. 37.
    Hess, F.: Pairing lattices. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 18–38. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  38. 38.
    Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular Abelian varieties. Designs, Codes and Cryptography 42(3), 239–271 (2007)MathSciNetCrossRefMATHGoogle Scholar
  39. 39.
    Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  40. 40.
    CoWare: Processor Designer (2009),
  41. 41.
    National Institute of Standards and Technology, NIST: FIPS 186-2: Digital Signature Standard (DSS) (2000),
  42. 42.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  43. 43.
    Montgomery, P.: Modular multiplication without trial division. Mathematics of Computation 44(170), 519–521 (1985)MathSciNetCrossRefMATHGoogle Scholar
  44. 44.
    Nibouche, O., Bouridane, A., Nibouche, M.: Architectures for Montgomery’s multiplication. IEE Proc. – Computers and Digital Techniques 150(6), 361–368 (2003)CrossRefMATHGoogle Scholar
  45. 45.
  46. 46.
    Shu, C., Kwon, S., Gaj, K.: FPGA accelerated Tate pairing based cryptosystems over binary fields. Cryptology ePrint Archive, Report 2006/179 (2006),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • David Kammler
    • 1
  • Diandian Zhang
    • 1
  • Peter Schwabe
    • 2
  • Hanno Scharwaechter
    • 1
  • Markus Langenberg
    • 3
  • Dominik Auras
    • 1
  • Gerd Ascheid
    • 1
  • Rudolf Mathar
    • 3
  1. 1.Institute for Integrated Signal Processing Systems (ISS)RWTH Aachen UniversityAachenGermany
  2. 2.Department of Mathematics and Computer ScienceEindhoven University of TechnologyEindhovenNetherlands
  3. 3.Institute for Theoretical Information Technology (TI)RWTH Aachen UniversityAachenGermany

Personalised recommendations