fpga implementations of pairing using residue number ... · question : can we bridge the gap to...
TRANSCRIPT
![Page 1: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/1.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
FPGA Implementations of Pairing usingResidue Number System and Lazy Reduction
Ray Cheung 1 Sylvain Duquesne 2 Junfeng Fan 4
Nicolas Guillermin 2,3 Ingrid Verbauwhede 4 Gavin Yao1
1 Department of Electronic EngineeringCity University of Hong Kong, Hong Kong SAR,
2 IRMAR, UMR CNRS 6625, Université Rennes 1Campus de Beaulieu, 35042 Rennes cedex, France
3 DGA.IS, La Roche Marguerite - 35170 - Bruz, France4 ESAT/SCD-COSIC, Katholieke Universiteit Leuven
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium
Oct, 2011CHES 2011, Nara FPGA Implementation of Pairing using RNS 1/24
![Page 2: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/2.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Agenda
1 Motivations
2 Backgrounds
3 Pairing Coprocessor Design
4 Implementation Results
5 Conclusions
CHES 2011, Nara FPGA Implementation of Pairing using RNS 2/24
![Page 3: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/3.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Motivations
Getting the fastest hardware implementationfor a 128 bit security Pairing
supersingular curves/small char. ordinary curves/big char.
faster hardware architecture faster software implementationsfrobenius embedding degreeparallelism smaller curves
Question : Can we bridge the gap to make ordinary curveswin?
CHES 2011, Nara FPGA Implementation of Pairing using RNS 3/24
![Page 4: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/4.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Motivations
Getting the fastest hardware implementationfor a 128 bit security Pairing
supersingular curves/small char. ordinary curves/big char.
faster hardware architecture faster software implementationsfrobenius embedding degreeparallelism smaller curves
Question : Can we bridge the gap to make ordinary curveswin?
CHES 2011, Nara FPGA Implementation of Pairing using RNS 3/24
![Page 5: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/5.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Motivations
Getting the fastest hardware implementationfor a 128 bit security Pairing
supersingular curves/small char. ordinary curves/big char.
faster hardware architecture
faster software implementations
frobenius
embedding degree
parallelism
smaller curves
Question : Can we bridge the gap to make ordinary curveswin?
CHES 2011, Nara FPGA Implementation of Pairing using RNS 3/24
![Page 6: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/6.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Motivations
Getting the fastest hardware implementationfor a 128 bit security Pairing
supersingular curves/small char. ordinary curves/big char.
faster hardware architecture faster software implementationsfrobenius embedding degreeparallelism smaller curves
Question : Can we bridge the gap to make ordinary curveswin?
CHES 2011, Nara FPGA Implementation of Pairing using RNS 3/24
![Page 7: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/7.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Motivations
Getting the fastest hardware implementationfor a 128 bit security Pairing
supersingular curves/small char. ordinary curves/big char.
faster hardware architecture faster software implementationsfrobenius embedding degreeparallelism smaller curves
Question : Can we bridge the gap to make ordinary curveswin?
CHES 2011, Nara FPGA Implementation of Pairing using RNS 3/24
![Page 8: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/8.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Agenda
1 Motivations
2 Backgrounds
3 Pairing Coprocessor Design
4 Implementation Results
5 Conclusions
CHES 2011, Nara FPGA Implementation of Pairing using RNS 4/24
![Page 9: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/9.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 10: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/10.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 11: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/11.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 12: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/12.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 13: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/13.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 14: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/14.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 15: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/15.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 16: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/16.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
What is Pairing and how do we use it?A pairing is a bilinear map e : G1 �G2 Ñ GT with G1 �G2 and GT groupswith hard Discrete Logarithm
Useful for :
Three-party one-roundDiffie-Hellman keyagreement [Joux’00]
Identity-based encryption[Boneh�01]
Short signature[Boneh�01]
Blind signature[Boldyreva’03]
A
B C
A
B C
(a, ga)
(b, gb) (c, gc)
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
A
B C
(a, ga)
(b, gb) (c, gc)
ga ↔
gb g a ↔
g c
gb ↔ gc
to B: gab
to C: gac
to A: gab
to C: gbcto A: gac
to B: gbc
A
B C
(a, ga)
(b, gb) (c, gc)gb gc
ga
A
B C
(a, ga)
(b, gb) (c, gc)gb
e(gb, gc)a = e(g, g)abc
e(ga, gc)b = e(g, g)abc e(ga, gb)c = e(g, g)abc
gc
ga
CHES 2011, Nara FPGA Implementation of Pairing using RNS 5/24
![Page 17: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/17.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Barreto-Naehrig Curves
BN curve over Fp:y 2� x 3
� bwhere b � 0 such that #E � `
p � 36u4 � 36u3 � 24u2 � 6u � 1
` � 36u4 � 36u3 � 18u2 � 6u � 1
for u P Z and p, ` primes.
Very adapted for 128 bits security
CHES 2011, Nara FPGA Implementation of Pairing using RNS 6/24
![Page 18: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/18.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Barreto-Naehrig Curves
BN curve over Fp:y 2� x 3
� bwhere b � 0 such that #E � `
p � 36u4 � 36u3 � 24u2 � 6u � 1
` � 36u4 � 36u3 � 18u2 � 6u � 1
for u P Z and p, ` primes.
Very adapted for 128 bits security
CHES 2011, Nara FPGA Implementation of Pairing using RNS 6/24
![Page 19: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/19.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Pairing Parameter Selection
Chosen curves
Security u rlog2 ps
126-bit �p262 � 255 � 1q 254128-bit �p263 � 222 � 218 � 27 � 1q 258192-bit �p2160 � 274 � 212 � 1q 646
CHES 2011, Nara FPGA Implementation of Pairing using RNS 7/24
![Page 20: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/20.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Optimal Ate Pairing on BN Curves
pairing
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]pairing
Miller's loopFinal exponentiation
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Fp arithmetic (modular operations)
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
Barrett [Barrett'86]Montgomery [Montgomery'85]FVV [Fan+11]Blakley [Ghosh+10]RNS [Kawamura+00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 8/24
![Page 21: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/21.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Optimal Ate Pairing on BN Curves
pairing
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
pairing
Miller's loopFinal exponentiation
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Fp arithmetic (modular operations)
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
Barrett [Barrett'86]Montgomery [Montgomery'85]FVV [Fan+11]Blakley [Ghosh+10]RNS [Kawamura+00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 8/24
![Page 22: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/22.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Optimal Ate Pairing on BN Curves
pairing
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]pairing
Miller's loopFinal exponentiation
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Fp arithmetic (modular operations)
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
Barrett [Barrett'86]Montgomery [Montgomery'85]FVV [Fan+11]Blakley [Ghosh+10]RNS [Kawamura+00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 8/24
![Page 23: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/23.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Optimal Ate Pairing on BN Curves
pairing
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]pairing
Miller's loopFinal exponentiation
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Fp arithmetic (modular operations)
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
Barrett [Barrett'86]Montgomery [Montgomery'85]FVV [Fan+11]Blakley [Ghosh+10]RNS [Kawamura+00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 8/24
![Page 24: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/24.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Optimal Ate Pairing on BN Curves
pairing
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]pairing
Miller's loopFinal exponentiation
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
pairing
Miller's loopFinal exponentiation
BN, Fp12, Fp2, Fp arithmetic
Fp arithmetic (modular operations)
Tate [Frey+94]Ate [Hess+06]Optimal [Lee+08,Vercauteren'10]
[Miller'04]
KaratsubaLazy reduction[Scott'08, Aranha+11]
Barrett [Barrett'86]Montgomery [Montgomery'85]FVV [Fan+11]Blakley [Ghosh+10]RNS [Kawamura+00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 8/24
![Page 25: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/25.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Residue Number System (RNS)
RNS is defined by n pairwise coprime integer constants:B � tb1,b2, � � � ,bnu.
MB :�±n
i�1 bi ,bi P B
Any integer X ,0 ¤ X MB, X is uniquely represented by:X � tX mod b1,X mod b2, � � � ,X mod bnu,
Arithmetic operations on RNS (Z{MBZ)
Normal RNSR � X � Y mod MB ri � xi � yi mod biR � X � Y mod MB ri � xi � yi mod biR � X {Y mod MB ri � xi y�1
i mod bi
only if gcdpY ,MBq � 1
CHES 2011, Nara FPGA Implementation of Pairing using RNS 9/24
![Page 26: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/26.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Residue Number System (RNS)
RNS is defined by n pairwise coprime integer constants:B � tb1,b2, � � � ,bnu.
MB :�±n
i�1 bi ,bi P B
Any integer X ,0 ¤ X MB, X is uniquely represented by:X � tX mod b1,X mod b2, � � � ,X mod bnu,
Arithmetic operations on RNS (Z{MBZ)
Normal RNSR � X � Y mod MB ri � xi � yi mod biR � X � Y mod MB ri � xi � yi mod biR � X {Y mod MB ri � xi y�1
i mod bi
only if gcdpY ,MBq � 1
CHES 2011, Nara FPGA Implementation of Pairing using RNS 9/24
![Page 27: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/27.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Residue Number System (RNS)
RNS is defined by n pairwise coprime integer constants:B � tb1,b2, � � � ,bnu.
MB :�±n
i�1 bi ,bi P B
Any integer X ,0 ¤ X MB, X is uniquely represented by:X � tX mod b1,X mod b2, � � � ,X mod bnu,
Arithmetic operations on RNS (Z{MBZ)
Normal RNSR � X � Y mod MB ri � xi � yi mod biR � X � Y mod MB ri � xi � yi mod biR � X {Y mod MB ri � xi y�1
i mod bi
only if gcdpY ,MBq � 1
CHES 2011, Nara FPGA Implementation of Pairing using RNS 9/24
![Page 28: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/28.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS Montgomery reduction [Bajard�98]
RNS Montgomery – MB
Input: A � aMB mod p andB � bMB mod p
Output: T � abMB mod p
in B1: TB Ð ABBB
2: QB Ð TB � p�pq�1
3: QBBase Extension
ÝÝÝÝÝÝÝÝÝÝÝÝÝÑQC
3: SB Ð pT �QBpq{MB
5: SBBase Extension
ÐÝÝÝÝÝÝÝÝÝÝÝÝÝSC
gcdpMB,MBq � MB � 1M�1
B does not exist in B.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 10/24
![Page 29: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/29.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS Montgomery reduction [Bajard�98]
RNS Montgomery – MB
Input: A � aMB mod p andB � bMB mod p
Output: T � abMB mod p
in B1: TB Ð ABBB
2: QB Ð TB � p�pq�1
3: QBBase Extension
ÝÝÝÝÝÝÝÝÝÝÝÝÝÑQC
3: SB Ð pT �QBpq{MB
5: SBBase Extension
ÐÝÝÝÝÝÝÝÝÝÝÝÝÝSC
gcdpMB,MBq � MB � 1M�1
B does not exist in B.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 10/24
![Page 30: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/30.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS Montgomery reduction [Bajard�98]
RNS Montgomery – MB
Input: A � aMB mod p andB � bMB mod p
Output: T � abMB mod p
in B in C1: TB Ð ABBB TC Ð ACBC
2: QB Ð TB � p�pq�1
3: QBBase Extension
ÝÝÝÝÝÝÝÝÝÝÝÝÝÑQC
4: SC Ð pTC �QCpqpM�1B qC
5: SBBase Extension
ÐÝÝÝÝÝÝÝÝÝÝÝÝÝSC
Introduce a new base C to perform division by MB.
Needs the computation of Base Extension [Kawamura�00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 10/24
![Page 31: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/31.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS Montgomery reduction [Bajard�98]
RNS Montgomery – MB
Input: A � aMB mod p andB � bMB mod p
Output: T � abMB mod p
in B in C1: TB Ð ABBB TC Ð ACBC
2: QB Ð TB � p�pq�1
3: QBBase Extension
ÝÝÝÝÝÝÝÝÝÝÝÝÝÑQC
4: SC Ð pTC �QCpqpM�1B qC
5: SBBase Extension
ÐÝÝÝÝÝÝÝÝÝÝÝÝÝSC
Introduce a new base C to perform division by MB.Needs the computation of Base Extension [Kawamura�00]
CHES 2011, Nara FPGA Implementation of Pairing using RNS 10/24
![Page 32: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/32.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS complexity and Lazy reduction
RNS Montgomery
Multiplication :2n MUL
Reduction (RED):2n2 � 3n MUL
Conventional Montgomery
Multiplication:n2 MUL
Reduction:n2 � n MUL
AB mod p:2n2 � 5n MUL
AB mod p:2n2 � n MUL
AB � CD mod p:2n2 � 7n MUL
AB � CD mod p:3n2 � n MUL
°ki�1 Ai Bi mod p:
2n2 � p3 � 2k qn MUL
°ki�1 Ai Bi mod p:
p1 � k qn2 � n MUL
CHES 2011, Nara FPGA Implementation of Pairing using RNS 11/24
![Page 33: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/33.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS complexity and Lazy reduction
RNS Montgomery
Multiplication :2n MUL
Reduction (RED):2n2 � 3n MUL
Conventional Montgomery
Multiplication:n2 MUL
Reduction:n2 � n MUL
AB mod p:2n2 � 5n MUL
AB mod p:2n2 � n MUL
AB � CD mod p:2n2 � 7n MUL
AB � CD mod p:3n2 � n MUL
°ki�1 Ai Bi mod p:
2n2 � p3 � 2k qn MUL
°ki�1 Ai Bi mod p:
p1 � k qn2 � n MUL
CHES 2011, Nara FPGA Implementation of Pairing using RNS 11/24
![Page 34: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/34.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
RNS complexity and Lazy reduction
RNS Montgomery
Multiplication :2n MUL
Reduction (RED):2n2 � 3n MUL
Conventional Montgomery
Multiplication:n2 MUL
Reduction:n2 � n MUL
AB mod p:2n2 � 5n MUL
AB mod p:2n2 � n MUL
AB � CD mod p:2n2 � 7n MUL
AB � CD mod p:3n2 � n MUL
°ki�1 Ai Bi mod p:
2n2 � p3 � 2k qn MUL
°ki�1 Ai Bi mod p:
p1 � k qn2 � n MUL
CHES 2011, Nara FPGA Implementation of Pairing using RNS 11/24
![Page 35: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/35.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Theoretical conclusions
Lazy reduction reduces the complexity of Pairings[Aranha�11]
RNS reduces the complexity of lazy reductionRNS involves easy parallelism
Remains to verify it "in real world"
CHES 2011, Nara FPGA Implementation of Pairing using RNS 12/24
![Page 36: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/36.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Theoretical conclusions
Lazy reduction reduces the complexity of Pairings[Aranha�11]
RNS reduces the complexity of lazy reduction
RNS involves easy parallelism
Remains to verify it "in real world"
CHES 2011, Nara FPGA Implementation of Pairing using RNS 12/24
![Page 37: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/37.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Theoretical conclusions
Lazy reduction reduces the complexity of Pairings[Aranha�11]
RNS reduces the complexity of lazy reductionRNS involves easy parallelism
Remains to verify it "in real world"
CHES 2011, Nara FPGA Implementation of Pairing using RNS 12/24
![Page 38: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/38.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Pairings and Barreto-Naehrig CurvesResidue number system (RNS)RNS Montgomery
Theoretical conclusions
Lazy reduction reduces the complexity of Pairings[Aranha�11]
RNS reduces the complexity of lazy reductionRNS involves easy parallelism
Remains to verify it "in real world"
CHES 2011, Nara FPGA Implementation of Pairing using RNS 12/24
![Page 39: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/39.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Agenda
1 Motivations
2 Backgrounds
3 Pairing Coprocessor Design
4 Implementation Results
5 Conclusions
CHES 2011, Nara FPGA Implementation of Pairing using RNS 13/24
![Page 40: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/40.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Cox-Rower Architecture [Kawamura�00]
Main featuren rowers
MUL: 2 cyclesRED: 2n+3 cycles
One rower,one channelMicrocodedsequencer
Row
er0
ControllerROM
(BRAM)
Row
er1
...
Row
er7
DATACTRL
ξ register
cox
CHES 2011, Nara FPGA Implementation of Pairing using RNS 14/24
![Page 41: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/41.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Rower Design
2 accumulatorsSmall-constant multiplier3-port RAMsSame data path
36x36
Multiplier
Constant Multiplier{2,3,4,6}
Acc0 Acc1
Accumulators
Channel Reduction
ξj
ρ
ξi
RAM0
CHES 2011, Nara FPGA Implementation of Pairing using RNS 15/24
![Page 42: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/42.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Rower Design
Underlying Field
Fp2 � Fpris{pi2 � 1q
Fp12 � Fp2rγs{pγ6 � p1 � iqq
px0 � x1iqpy0 � y1iqp1� iq�px0y0 � x1y1 � x0y1 � x1y0q�
px0y0 � x1y1 � x0y1 � x1y0qi
36x36
Multiplier
Constant Multiplier{2,3,4,6}
Acc0 Acc1
Accumulators
Channel Reduction
ξj
ρ
ξi
RAM0
CHES 2011, Nara FPGA Implementation of Pairing using RNS 15/24
![Page 43: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/43.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Rower Design
Underlying Field
Fp2 � Fpris{pi2 � 1q
Fp12 � Fp2rγs{pγ6 � p1 � iqq
px0 � x1iqpy0 � y1iqp1� iq
�px0y0 � x1y1 � x0y1 � x1y0q�
px0y0 � x1y1 � x0y1 � x1y0qi
36x36
Multiplier
Constant Multiplier{2,3,4,6}
Acc0 Acc1
Accumulators
Channel Reduction
ξj
ρ
ξi
RAM0
CHES 2011, Nara FPGA Implementation of Pairing using RNS 15/24
![Page 44: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/44.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Rower Design
Underlying Field
Fp2 � Fpris{pi2 � 1q
Fp12 � Fp2rγs{pγ6 � p1 � iqq
px0 � x1iqpy0 � y1iqp1� iq�px0y0 � x1y1 � x0y1 � x1y0q�
px0y0 � x1y1 � x0y1 � x1y0qi
36x36
Multiplier
Constant Multiplier{2,3,4,6}
Acc0 Acc1
Accumulators
Channel Reduction
ξj
ρ
ξi
RAM0
CHES 2011, Nara FPGA Implementation of Pairing using RNS 15/24
![Page 45: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/45.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Further Optimization
ObservationsComputational intensiveness: base extension.
Base extension: n2 multiplications by constant.Constant is determined by base B and C.
Constant size is 35 bits.With selected bases, bit-length: 35 Ñ 25.Bit-length of the constant is shortened.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 16/24
![Page 46: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/46.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Further Optimization
ObservationsComputational intensiveness: base extension.Base extension: n2 multiplications by constant.
Constant is determined by base B and C.
Constant size is 35 bits.With selected bases, bit-length: 35 Ñ 25.Bit-length of the constant is shortened.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 16/24
![Page 47: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/47.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Further Optimization
ObservationsComputational intensiveness: base extension.Base extension: n2 multiplications by constant.Constant is determined by base B and C.
Constant size is 35 bits.With selected bases, bit-length: 35 Ñ 25.Bit-length of the constant is shortened.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 16/24
![Page 48: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/48.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Further Optimization
ObservationsComputational intensiveness: base extension.Base extension: n2 multiplications by constant.Constant is determined by base B and C.
Constant size is 35 bits.
With selected bases, bit-length: 35 Ñ 25.Bit-length of the constant is shortened.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 16/24
![Page 49: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/49.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Further Optimization
ObservationsComputational intensiveness: base extension.Base extension: n2 multiplications by constant.Constant is determined by base B and C.
Constant size is 35 bits.With selected bases, bit-length: 35 Ñ 25.
Bit-length of the constant is shortened.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 16/24
![Page 50: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/50.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Further Optimization
ObservationsComputational intensiveness: base extension.Base extension: n2 multiplications by constant.Constant is determined by base B and C.
Constant size is 35 bits.With selected bases, bit-length: 35 Ñ 25.Bit-length of the constant is shortened.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 16/24
![Page 51: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/51.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Dual mode 4-stage pipelined MUL
One 35�35multiplier
Two 35�25multipliers
@250MHzon Virtex-6
MUL: 2 cycles
RED: n+4 cycles(v.s. 2n+3 cycles)
35x25 35x2535x35
CHES 2011, Nara FPGA Implementation of Pairing using RNS 17/24
![Page 52: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/52.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Architectural Design IFurther OptimizationArchitectural Design II
Dual mode 4-stage pipelined MUL
One 35�35multiplier
Two 35�25multipliers
@250MHzon Virtex-6
MUL: 2 cycles
RED: n+4 cycles(v.s. 2n+3 cycles)
35x25 35x2535x35
CHES 2011, Nara FPGA Implementation of Pairing using RNS 17/24
![Page 53: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/53.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Comparison
Agenda
1 Motivations
2 Backgrounds
3 Pairing Coprocessor Design
4 Implementation Results
5 Conclusions
CHES 2011, Nara FPGA Implementation of Pairing using RNS 18/24
![Page 54: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/54.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Comparison
Pairing Parameter Selection
Design I
Security u rlog2 ps126-bit �p262 � 255 � 1q 254128-bit �p263 � 222 � 218 � 27 � 1q 258192-bit �p2160 � 274 � 212 � 1q 646
Design II
126-bit �p262 � 255 � 1q 254
CHES 2011, Nara FPGA Implementation of Pairing using RNS 19/24
![Page 55: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/55.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Comparison
Logic Utilization and Cycle Count
Logic utilizationDesign n Device Multipliers Logic Embedded
Elements Memory8 Cyclone II 35 18multipliers 14274 LC 67 M4k
I 8 Stratix III 72 DSP18el 4233 ALMs 1 M144k + 18 M9k(Altera) 19 Stratix III 171 DSP18el 9910 ALMs 1 M144k + 40 M9k
II 8 Virtex-6 32 DSP48E1s 7032 Slices 45 18Kb BRAMs(Xilinx)
Cycle count and Latency
Curve Cycles Technology Frequency Latency
Design I
BN126 176111 Cyclone II 91 MHz 1.93 msBN126 176111 Stratix III 165 MHz 1.07 msBN128 192502 Stratix III 165 MHz 1.16 msBN192 789849 Stratix III 131 MHz 6.02 ms
Design II BN126 143111 Virtex-6 250 MHz 0.57 ms
CHES 2011, Nara FPGA Implementation of Pairing using RNS 20/24
![Page 56: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/56.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Comparison
Logic Utilization and Cycle Count
Logic utilizationDesign n Device Multipliers Logic Embedded
Elements Memory8 Cyclone II 35 18multipliers 14274 LC 67 M4k
I 8 Stratix III 72 DSP18el 4233 ALMs 1 M144k + 18 M9k(Altera) 19 Stratix III 171 DSP18el 9910 ALMs 1 M144k + 40 M9k
II 8 Virtex-6 32 DSP48E1s 7032 Slices 45 18Kb BRAMs(Xilinx)
Cycle count and Latency
Curve Cycles Technology Frequency Latency
Design I
BN126 176111 Cyclone II 91 MHz 1.93 msBN126 176111 Stratix III 165 MHz 1.07 msBN128 192502 Stratix III 165 MHz 1.16 msBN192 789849 Stratix III 131 MHz 6.02 ms
Design II BN126 143111 Virtex-6 250 MHz 0.57 ms
CHES 2011, Nara FPGA Implementation of Pairing using RNS 20/24
![Page 57: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/57.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
Comparison
Comparison
Design Pairing/ Platform Algorithm Area Freq. Cycle DelaySecurity[bit] [MHz] [ms]
Design optimal ate Altera RNS 4233 ALMs165 176,111 1.07
I 126 (Stratix III) (Parallel) 72 DSPsDesign optimal ate Xilinx RNS 7032 slices
250 143,111 0.573II 126 (Virtex-6) (Parallel) 32 DSPs
Fan�11ate/128 Xilinx HMM 4014 slices
210336,366 1.60
opt. ate/128 (Virtex-6) (Parallel) 42 DSPs 245,430 1.17
Estibals’10Tate F35�97 Xilinx
-4755 Slices
192 428,853 2.23128 (Virtex-4) 7 BRAMs
Aranha�10opt. Eta F2367 Xilinx
- 4518 Slices 220 773,960� 3.52128 (Virtex-4)
Ghosh�11ηTF21223 Xilinx
- 15167 Slices 250 76,000� 0.19128 (Virtex-6)
Beuchat�10optimal ate Core
Montgomery - 2800 2,330,000 0.83126 i7
Aranha�11optimal ate Phenom
Montgomery - 3000 1,562,000 0.52126 II
CHES 2011, Nara FPGA Implementation of Pairing using RNS 21/24
![Page 58: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/58.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
ConclusionsQ&A
Conclusions
Conclusions1 Pairing using RNS + lazy reduction.2 Novel base selection specification.3 Hardware architectures.4 New speed record.
CHES 2011, Nara FPGA Implementation of Pairing using RNS 22/24
![Page 59: FPGA Implementations of Pairing using Residue Number ... · Question : Can we bridge the gap to make ordinary curves win? CHES 2011, Nara FPGA Implementation of Pairing using RNS](https://reader033.vdocuments.us/reader033/viewer/2022042418/5f3412ffbe508a52ce2d6bdb/html5/thumbnails/59.jpg)
MotivationsBackgrounds
Pairing Coprocessor DesignImplementation Results
Conclusions
ConclusionsQ&A
Thank you!
CHES 2011, Nara FPGA Implementation of Pairing using RNS 23/24