Implementing Cryptographic Pairings on Smartcards Mike Scott
What's a Pairing?
• Denoted e(P,Q), P and Q points on a curve over the extension field GF(q^k), where k is the embedding degree.
• P of order r.
• k is the smallest integer such that r | (q^k - 1).
• Useful range of k is between 2 and 36.
• The pairing evaluates to an element of order r in GF(q^k).
• The pairing algorithm does not need knowledge of r.
What's a Pairing?
• MOV condition – don't use these curves! (a small k lets the MOV reduction move the curve DLP into GF(q^k))
• Pairing-based crypto – we need these curves!
• Bilinearity: e(aP,bQ) = e(P,Q)^(ab) = e(bP,aQ)
• A pairing is a flexible crypto primitive – with more structure than most.
• Famously, pairings enable Identity Based Encryption (IBE).
Pairing-friendly Elliptic curves
• Right now we have a choice between supersingular curves, of any characteristic, and …
• … non-supersingular curves of prime characteristic.
• Group size r at least 160 bits.
• Index calculus "difficulty" at least 1024 bits, so k·lg(q) at least 1024, where q is the field size and k is the embedding degree.
Pairing-friendly Elliptic curves
• We will use 3 different pairing-friendly curves. In all cases the group size is at least 160 bits.
• GF(2^m) supersingular curve, m=379 and k=4.
• GF(p) non-supersingular curve, lg(p)=512 and k=2 (generated using the Cocks-Pinch method).
• GF(p) non-supersingular curve, lg(p)=256 and k=4 (generated from a pairing-friendly family – see Freeman-Scott-Teske (to appear)).
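As an added example (not from the slides or the MIRACL library), the following Python computes the embedding degree k exactly as the "What's a Pairing?" slide defines it and applies the two size conditions above to the three curves listed. The group size of 160 bits used for each curve is an assumption taken from the "at least 160 bits" statement, not the real group order of those curves.

```python
# Added example, not from the slides: embedding degree and the two
# parameter checks the deck states for pairing-friendly curves.
from math import gcd

USEFUL_K_MAX = 36  # the deck's "useful range of k between 2 and 36"

def embedding_degree(q, r, k_max=USEFUL_K_MAX):
    """Smallest k with r | (q^k - 1), i.e. the multiplicative order of q mod r.
    Returns None if no k <= k_max exists: the pairing would land in an
    impractically large GF(q^k), so the curve is not pairing-friendly."""
    if r < 2 or gcd(q, r) != 1:
        raise ValueError("r must be a prime group order not dividing q")
    power = 1
    for k in range(1, k_max + 1):
        power = (power * q) % r  # q^k mod r, computed incrementally
        if power == 1:
            return k
    return None

def parameter_check(k, lg_q, lg_r, min_group_bits=160, min_field_bits=1024):
    """The deck's two conditions: lg(r) >= 160 and k*lg(q) >= 1024.
    Small k is what the MOV reduction exploits (the curve DLP moves into
    GF(q^k)), so for pairing-based crypto k*lg(q) itself must be large."""
    field_bits = k * lg_q
    return {
        "group_bits": lg_r,
        "field_bits": field_bits,
        "group_ok": lg_r >= min_group_bits,
        "field_ok": field_bits >= min_field_bits,
    }

# The three curves the talk uses. lg_r = 160 is an assumption taken from the
# "group size at least 160 bits" statement, not the curves' real group orders.
DECK_CURVES = [
    ("GF(2^379) supersingular, k=4", 4, 379, 160),
    ("GF(p) Cocks-Pinch, lg(p)=512, k=2", 2, 512, 160),
    ("GF(p) FST family, lg(p)=256, k=4", 4, 256, 160),
]

def deck_curve_report():
    """Run parameter_check over DECK_CURVES; returns {name: result dict}."""
    return {name: parameter_check(k, lg_q, lg_r)
            for name, k, lg_q, lg_r in DECK_CURVES}

if __name__ == "__main__":
    # Constructed toy values: q=13, r=7 gives k=2 because 13 = -1 (mod 7).
    print("k for q=13, r=7:", embedding_degree(13, 7))
    for name, result in deck_curve_report().items():
        print(name, result)
```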
SmartMIPS Architecture
• 32-bit RISC MIPS-based processor.
• No crypto-coprocessor – but instruction set enhancements (Großschädl & Savaş).
• Fast clock speed (up to 36MHz), fast enough to do standard crypto in < 0.5 second.
• Triple register ACX|HI|LO.
SmartMIPS Architecture
• MADDU instruction – multiplies two 32-bit integers and adds the product to the triple register.
• MADDP instruction – multiplies two 32-bit binary polynomials and xors the product into the triple register.
• 5-stage pipeline.
• 2k instruction cache (2-way associative).
• 256k Flash memory.
• 16k RAM.
SmartMIPS Architecture
• Finally a processor with GF(2^m) support!
• But the MIPS architecture likes to loop unroll…
• … but the small instruction cache means that we cannot unroll to the max.
• CPU Time = (#Instructions × CPI) / Clock Speed
SmartMIPS Architecture
• Faster clock speeds imply cache misses are more costly, which implies greater CPI, which implies greater CPU time.
• So it is very important to use tight loops and avoid cache misses where possible.
• Minimizing instruction count is not going to be optimal!
Pairing algorithms
• Chance to show-case state-of-the-art algorithms.
• For the GF(2^m) curve, the ηT pairing is optimal.
• For the GF(p) k=2 Cocks-Pinch curve, the BKLS algorithm for the Tate pairing.
• For the GF(p) k=4 FST curve, the Ate pairing is best.
• Considered in the context of IBE, the first parameter to the pairing is fixed, so we will use precomputation.
Pairing algorithms
• All these algorithms need to efficiently handle extension field arithmetic.
• Base field GF(q), extension field GF(q^k).
Implementation
• Uses the MIRACL library.
• Uses stack-only allocation, for everything. All of the 16k RAM is available for the stack.
• Großschädl & Savaş-like assembly language coding for the inner loops.
• Uses the MADDP instruction for assembly language GF(2^m) squaring.
Implementation
• In a pairing-based protocol we are also interested in variable-point multiplication over the base field GF(q)…
• (Fixed-point multiplication, as required in IBE, will be very fast using precomputation.)
• Also interested in pairing exponentiation.
Pairing Delegation
• Idea – delegate the pairing calculation to the terminal.
• Exchange the cost of the pairing for 1 point multiplication and 3 extension field exponentiations.
• May be beneficial….
Questions ?? Thank you! mike@computing.dcu.ie