Implementing Cryptographic Pairings on Smartcards Mike Scott

Whats a Pairing? Denoted e(P,Q), P and Q points on curve over extension field GF(q k ), k is the embedding degree. P of order r. k smallest integer such that r|(q k -1) Useful range of k between 2 and 36 Pairing evaluates as element of order r in GF(q k ) Pairing algorithm does not need knowledge of r

What’s a Pairing? MOV condition – Don’t use these curves! Pairing-based Crypto – We need these curves! Bilinearity: e(aP,bQ) = e(P,Q) ab = e(bP,aQ) A Pairing is a flexible crypto primitive – with more structure than most Famously pairings enable Identity Based Encryption (IBE)

Pairing-friendly Elliptic curves Right now we have choice between supersingular curves, any characteristic, and … Non-supersingular curves of prime characteristic. Group size r at least 160 bits. Index calculus “difficulty” at least 1024 bits, so k.lg(q) at least 1024, where q is the field size and k is the embedding degree.

Pairing-friendly Elliptic curves We will use 3 different pairing friendly curves. In all cases the group size is at least 160 bits. –GF(2 m ) supersingular curve, m=379 and k=4 –GF(p) non-supersingular curve, lg(p)=512 and k=2 (generated using Cocks-Pinch method) –GF(p) non-supersingular curve, lg(p)=256 and k=4 (generated from a pairing-friendly family – see Freeman-Scott-Teske (to appear))

SmartMIPS Architecture 32-bit RISC MIPS-based processor. No crypto-coprocessor – but instruction set enhancements (Groβschadl & Savas). Fast clock speed (up to 36MHz), fast enough to do standard crypto < 0.5 second. Triple register ACX|HI|LO

SmartMIPS Architecture MADDU instruction – multiplies two 32-bit integers and adds to triple register MADDP instruction – multiplies two 32-bit binary polynomials and xors to triple register 5 stage pipeline 2k Instruction cache (2-way associative) 256k Flash memory 16k RAM

SmartMIPS Architecture Finally a processor with GF(2 m ) support! But MIPS architecture like to loop unroll… … but small instruction cache means that we cannot unroll to the max  CPU Time = #Instructions X CPI Clock Speed

SmartMIPS Architecture Faster clock speeds implies cache misses are more costly, which implies greater CPI which implies greater CPU Time  So very important to use tight loops and avoid cache misses where possible. Minimizing instruction count is not going to be optimal!

Pairing algorithms Chance to show-case state of the art algorithms. For GF(2 m ) curve, the η T pairing is optimal. For GF(p) k=2 Cocks-Pinch curve, BKLS algorithm for the Tate pairing. For GF(p) k=4 FST curve, Ate pairing is best. Considered in the context of IBE, the first parameter to the pairing is fixed, so we will use precomputation.

Pairing algorithms All these algorithms need to efficiently handle extension field arithmetic Base field GF(q), extension field GF(q k )

Implementation Uses MIRACL library Uses stack only allocation, for everything. All of the 16k RAM is available for the stack. Groβschadl & Savas-like assembly language coding for the inner loops. Use the MADDP instruction for assembly language GF(2 m ) squaring.

Implementation In a pairing-based protocol we are also interested in variable-point multiplication over the base field GF(q)… (Fixed point multiplication as required in IBE will be very fast using precomputation) Also interested in pairing exponentiation.

Results – Instructions (%cache misses) E[GF(2 239 )] η T k=4 E[(GF(p)] Tate k=2 E[(GF(p)] Ate k=4 Pairing (10.9%) (7.3%) (15.8%) Point Mult (9.6%) (6.1%) (17.5%) Field Exp (11.4%) (7.2%) (15.7%) RSA decrypt (3.4%)

Results – Clocks/CPI/Time 9 MHz E[GF(2 239 )] η T k=4 E[(GF(p)] Tate k=2 E[(GF(p)] Ate k=4 Pairing / 1.16/ / 1.17/ / 1.33/1.21 Point Mult / 1.20/ / 1.15/ / 1.40/0.42 Field Exp / 1.24/ / 1.17/ / 1.31/0.24 RSA decrypt / 1.08/0.53

Results – Clocks/CPI/Time 36 MHz E[GF(2 239 )] η T k=4 E[(GF(p)] Tate k=2 E[(GF(p)] Ate k=4 Pairing / 1.32/ / / 1.67/0.38 Point Mult / 1.42/ / 1.29/ / 1.82/0.13 Field Exp / 1.50/ / 1.33/ / 1.63/0.07 RSA decrypt / 1.16/0.14

Results – Timings 3GHz Pentium IV E[GF(2 239 )] η T k=4 E[(GF(p)] Tate k=2 E[(GF(p)] Ate k=4 Pairing Point Mult Field Exp RSA decrypt1.92

Pairing Delegation Idea – delegate pairing calculation to the terminal Exchange the cost of the pairing for 1 point multiplications and 3 extension field exponentiations. May be beneficial….

Questions ?? Thank you!