Optimal Ate pairing 的硬體實作

Abstract

Bilinear pairings on elliptic curves have many applications in both constructive cryptography and cryptanalysis. Pairing computation is much more complicated compared to that of other popular public-key cryptosystems. Efficient implementation of cryptographic pairing has thus received increasing interest, both from software and hardware approaches, pursuing higher speed or, in the cases of hardware implementation, smaller time-area product. In this paper, we will present the design and implementation of a programmable cryptographic coprocessor that supports various pairings at 128-bit security level. Unlike the general architecture, our design is optimized for carrying out pairing computation over fields of large characteristics. As a result, our design stays competitive even compared with specialized implementations in terms of time-area product. For example, we will show that by using heterogeneous arithmetic units, we can achieve a significant speed-up for pairing computation over Barreto-Naehrig curves, resulting in an implementation that achieves a latency of 3.58 ms with a gate count of around 156K. To the best of our knowledge, this is the smallest time-area product achieved among all implementations of optimal ate pairing using application-specific integrated circuits.