
Implementing Cryptographic Pairings on Smartcards



  1. Implementing Cryptographic Pairings on Smartcards (Mike Scott)

  2. What's a Pairing?
  • Denoted e(P,Q), with P and Q points on a curve over the extension field GF(q^k), where k is the embedding degree.
  • P is of order r.
  • k is the smallest integer such that r | (q^k - 1).
  • Useful range of k is between 2 and 36.
  • The pairing evaluates to an element of order r in GF(q^k).
  • The pairing algorithm does not need knowledge of r.

  3. What's a Pairing?
  • MOV condition – don't use these curves!
  • Pairing-based crypto – we need these curves!
  • Bilinearity: e(aP,bQ) = e(P,Q)^(ab) = e(bP,aQ)
  • A pairing is a flexible crypto primitive – with more structure than most
  • Famously, pairings enable Identity Based Encryption (IBE)

  4. Pairing-friendly Elliptic curves
  • Right now we have a choice between supersingular curves, of any characteristic, and …
  • … non-supersingular curves of prime characteristic.
  • Group size r at least 160 bits.
  • Index calculus "difficulty" at least 1024 bits, so k·lg(q) at least 1024, where q is the field size and k is the embedding degree.

  5. Pairing-friendly Elliptic curves
  • We will use 3 different pairing-friendly curves. In all cases the group size is at least 160 bits.
  • GF(2^m) supersingular curve, m = 379 and k = 4
  • GF(p) non-supersingular curve, lg(p) = 512 and k = 2 (generated using the Cocks-Pinch method)
  • GF(p) non-supersingular curve, lg(p) = 256 and k = 4 (generated from a pairing-friendly family – see Freeman-Scott-Teske (to appear))
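As an added example (not from the slides), the routine below computes the embedding degree of slide 2, the smallest k with r | (q^k - 1), which is the multiplicative order of q modulo r, and checks a (lg q, k, lg r) triple against the bounds of slide 4. The toy prime 10007 and subgroup order 139 are constructed; for the three curves of slide 5 the slide gives lg(q) and k, and the 160-bit r used below is the slide's stated minimum, not the curves' exact group orders.

```python
"""Embedding degree and parameter sanity checks for pairing-friendly curves.

Added example (not from the slides).  embedding_degree() returns the
smallest k with r | q^k - 1; is_adequate() applies the slide-4 bounds.
"""

MAX_USEFUL_K = 36   # slide 2: useful range of k is 2..36


def embedding_degree(q, r, max_k=MAX_USEFUL_K):
    """Smallest k >= 1 with r | (q^k - 1), or None if it exceeds max_k.

    r must be a prime not dividing q, so that q has a finite order mod r."""
    if r < 2 or q % r == 0:
        raise ValueError("r must be a prime not dividing q")
    qk = 1
    for k in range(1, max_k + 1):
        qk = (qk * q) % r          # q^k mod r, built one multiplication at a time
        if qk == 1:
            return k
    return None                    # order of q mod r is beyond the useful range


def is_adequate(q_bits, k, r_bits):
    """Slide 4 bounds: group order r >= 160 bits and k * lg(q) >= 1024 bits."""
    return r_bits >= 160 and k * q_bits >= 1024


# The three curves of slide 5 as (name, lg(q), k, lg(r)).  lg(r) = 160 is the
# slide's lower bound on the group size, used here in place of exact values.
SLIDE5_CURVES = [
    ("GF(2^379) supersingular, k=4", 379, 4, 160),
    ("GF(p) Cocks-Pinch, lg(p)=512, k=2", 512, 2, 160),
    ("GF(p) FST family, lg(p)=256, k=4", 256, 4, 160),
]


def check_slide5_curves():
    """Map each slide-5 curve name to whether it meets the slide-4 bounds."""
    return {name: is_adequate(qb, k, rb) for name, qb, k, rb in SLIDE5_CURVES}


if __name__ == "__main__":
    # Constructed toy: y^2 = x^3 + x over GF(10007) has 10008 = 72 * 139 points;
    # r = 139 divides p + 1 but not p - 1, so the embedding degree is 2.
    print(embedding_degree(10007, 139))
    print(check_slide5_curves())
```

A small k is exactly what the MOV condition on slide 3 warns about for ordinary ECDLP use and what pairing-based protocols require: the same function that flags a curve as unsafe for plain ECC confirms it is usable for a pairing.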

  6. SmartMIPS Architecture
  • 32-bit RISC MIPS-based processor.
  • No crypto-coprocessor – but instruction set enhancements (Großschädl & Savaş).
  • Fast clock speed (up to 36 MHz), fast enough to do standard crypto in < 0.5 second.
  • Triple register ACX|HI|LO

  7. SmartMIPS Architecture
  • MADDU instruction – multiplies two 32-bit integers and adds the product to the triple register
  • MADDP instruction – multiplies two 32-bit binary polynomials and XORs the product into the triple register
  • 5-stage pipeline
  • 2k instruction cache (2-way associative)
  • 256k Flash memory
  • 16k RAM

  8. SmartMIPS Architecture
  • Finally a processor with GF(2^m) support!
  • But the MIPS architecture likes loop unrolling…
  • … but the small instruction cache means that we cannot unroll to the max
  • CPU Time = (#Instructions × CPI) / Clock Speed

  9. SmartMIPS Architecture
  • A faster clock speed implies that cache misses are more costly, which implies a greater CPI, which implies a greater CPU time
  • So it is very important to use tight loops and avoid cache misses where possible.
  • Minimizing the instruction count is not going to be optimal!

  10. Pairing algorithms
  • A chance to showcase state-of-the-art algorithms.
  • For the GF(2^m) curve, the ηT pairing is optimal.
  • For the GF(p) k=2 Cocks-Pinch curve, the BKLS algorithm for the Tate pairing.
  • For the GF(p) k=4 FST curve, the Ate pairing is best.
  • Considered in the context of IBE, the first parameter to the pairing is fixed, so we will use precomputation.

  11. Pairing algorithms
  • All these algorithms need to efficiently handle extension field arithmetic
  • Base field GF(q), extension field GF(q^k)
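To make the pairing definition of slides 2 and 3 and the base-field/extension-field split of slide 11 concrete, here is an added Python example (not from the talk and not MIRACL code) of a reduced Tate pairing on the supersingular curve y^2 = x^3 + x over GF(p) with p ≡ 3 (mod 4). For this curve the embedding degree is k = 2, so the extension field is GF(p^2) = GF(p)[i]/(i^2 + 1); Miller's algorithm is written with the line and vertical-line functions kept explicit, followed by the final exponentiation to (p^2 - 1)/r. The prime p = 10007, the subgroup order r = 139, the distortion map (x, y) -> (-x, i·y) and all function and class names are choices made for this illustration; the slides' own curves (slide 5) are different and far larger.

```python
"""Toy reduced Tate pairing on y^2 = x^3 + x over GF(p), p = 3 (mod 4), k = 2.

Added example, not from the slides or from MIRACL.  Base field GF(p),
extension field GF(p^2) = GF(p)[i]/(i^2 + 1), Miller loop, final exponentiation.
"""

P_MOD = 10007   # constructed prime; 10007 = 3 (mod 4), so -1 is a non-residue
ORDER_R = 139   # prime factor of #E(GF(p)) = p + 1 = 10008 = 2^3 * 3^2 * 139
A_COEFF = 1     # curve y^2 = x^3 + A*x, A = 1 (supersingular when p = 3 mod 4)


class Fp2:
    """Element a + b*i of GF(p^2) with i^2 = -1."""
    __slots__ = ("a", "b")

    def __init__(self, a, b=0):
        self.a, self.b = a % P_MOD, b % P_MOD

    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __eq__(self, o): return (self.a, self.b) == (o.a, o.b)

    def __mul__(self, o):   # (a+bi)(c+di) = (ac-bd) + (ad+bc)i
        return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)

    def inverse(self):      # (a+bi)^-1 = (a-bi)/(a^2+b^2); the norm lies in GF(p)
        n_inv = pow(self.a * self.a + self.b * self.b, P_MOD - 2, P_MOD)
        return Fp2(self.a * n_inv, -self.b * n_inv)

    def __truediv__(self, o): return self * o.inverse()

    def __pow__(self, e):   # square-and-multiply
        result, base = Fp2(1), self
        while e:
            if e & 1:
                result = result * base
            base, e = base * base, e >> 1
        return result


ONE, ZERO, A = Fp2(1), Fp2(0), Fp2(A_COEFF)


def point_add(P, Q):
    """Affine addition on E(GF(p^2)); None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or y1 == ZERO:
            return None                               # Q = -P
        lam = (Fp2(3) * x1 * x1 + A) / (Fp2(2) * y1)  # tangent slope
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def point_mul(n, P):
    """Double-and-add scalar multiplication."""
    R = None
    while n:
        if n & 1: R = point_add(R, P)
        P, n = point_add(P, P), n >> 1
    return R


def line_and_vertical(T, P, Q):
    """(l_{T,P}(Q), v_{T+P}(Q)): line through T and P (tangent if T == P) and the
    vertical line at T + P, both evaluated at Q.  When T + P = O the line itself
    is vertical and v_O is the constant 1."""
    (xt, yt), (xp, yp), (xq, yq) = T, P, Q
    if xt == xp and (yt != yp or yt == ZERO):
        return xq - xt, ONE
    lam = (Fp2(3) * xt * xt + A) / (Fp2(2) * yt) if xt == xp else (yp - yt) / (xp - xt)
    xr = lam * lam - xt - xp                          # x-coordinate of T + P
    return yq - yt - lam * (xq - xt), xq - xr


def miller_loop(P, Q, r):
    """f_{r,P}(Q) by Miller's double-and-add over the bits of r."""
    f, T = ONE, P
    for bit in bin(r)[3:]:                            # bits after the leading 1
        num, den = line_and_vertical(T, T, Q)
        f, T = f * f * num / den, point_add(T, T)
        if bit == "1":
            num, den = line_and_vertical(T, P, Q)
            f, T = f * num / den, point_add(T, P)
    return f


def tate_pairing(P, Q):
    """Reduced Tate pairing e(P, Q) = f_{r,P}(Q)^((p^2-1)/r): an element of order r."""
    return miller_loop(P, Q, ORDER_R) ** ((P_MOD * P_MOD - 1) // ORDER_R)


def distortion(P):
    """psi(x, y) = (-x, i*y) moves a point of E(GF(p)) to an independent r-torsion subgroup."""
    return (-P[0], Fp2(0, 1) * P[1])


def find_order_r_point():
    """First point of E(GF(p)) of order r, obtained via the cofactor (p + 1)/r."""
    cofactor = (P_MOD + 1) // ORDER_R
    for x in range(1, P_MOD):
        rhs = (x * x * x + A_COEFF * x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)         # square root when rhs is a residue
        if y * y % P_MOD == rhs:
            R = point_mul(cofactor, (Fp2(x), Fp2(y)))
            if R is not None:
                return R
    raise ValueError("no point of order r found")
```

With P = find_order_r_point() and Q = distortion(P), tate_pairing(P, Q) is a non-trivial element whose r-th power is 1, and tate_pairing(point_mul(a, P), point_mul(b, Q)) equals tate_pairing(P, Q) ** (a * b), which is the bilinearity of slide 3. Only the second argument ever leaves the base field, and because its x-coordinate stays in GF(p) the vertical lines evaluate to GF(p) elements that the final exponentiation kills; that is what lets the k = 2 implementation on slide 10 drop the denominators, although this example keeps them for clarity.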

  12. Implementation
  • Uses the MIRACL library
  • Uses stack-only allocation, for everything. All of the 16k RAM is available for the stack.
  • Großschädl & Savaş-like assembly language coding for the inner loops.
  • Uses the MADDP instruction for assembly language GF(2^m) squaring.
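The following added Python model (not the slides' or MIRACL's code) shows what the MADDU and MADDP instructions of slide 7 buy a multi-precision inner loop, and why slide 12 singles out MADDP for GF(2^m) squaring: a product-scanning multiply that accumulates each column of partial products in an ACX|HI|LO triple with one multiply-accumulate per product, and a squaring over GF(2)[x] that needs just one MADDP per limb because there are no cross terms in characteristic 2. The function names, the 8-bit width assumed for ACX and the sample operands are assumptions of this model; reduction modulo the field polynomial, which the slides do not give, is left out.

```python
"""Modelling the SmartMIPS MADDU / MADDP multiply-accumulate instructions.

Added example, not from the slides or from MIRACL.  MADDU adds a 32x32-bit
integer product into ACX|HI|LO; MADDP xors a 32x32-bit carry-less product
into it.  The ACX width below is an assumption of this model.
"""

MASK32 = (1 << 32) - 1
ACX_MASK = 0xFF            # assumed width of the ACX extension register


def clmul(x, y):
    """Carry-less product in GF(2)[x]: shift-and-xor, no carries between bits."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x, y = x << 1, y >> 1
    return r


def maddu(acc, x, y):
    """MADDU: ACX|HI|LO += x * y (integer), returned as (acx, hi, lo)."""
    acx, hi, lo = acc
    v = ((acx << 64) | (hi << 32) | lo) + x * y
    return (v >> 64) & ACX_MASK, (v >> 32) & MASK32, v & MASK32


def maddp(acc, x, y):
    """MADDP: ACX|HI|LO ^= clmul(x, y) (binary polynomials), returned as (acx, hi, lo)."""
    acx, hi, lo = acc
    v = ((acx << 64) | (hi << 32) | lo) ^ clmul(x, y)
    return (v >> 64) & ACX_MASK, (v >> 32) & MASK32, v & MASK32


def product_scan(a, b, madd):
    """Product-scanning (Comba) multiply of little-endian 32-bit limb lists.

    Column k sums every a[i]*b[k-i] with one madd each, so the inner loop is a
    tight run of MADDU/MADDP instructions with no per-step carry handling; the
    triple register then slides down one word for the next column."""
    n, m = len(a), len(b)
    out = [0] * (n + m)
    acc = (0, 0, 0)
    for k in range(n + m - 1):
        for i in range(max(0, k - m + 1), min(k, n - 1) + 1):
            acc = madd(acc, a[i], b[k - i])
        out[k] = acc[2]                 # LO is the finished word of column k
        acc = (0, acc[0], acc[1])       # ACX|HI become the next column's HI|LO
    out[n + m - 1] = acc[2]
    return out


def int_mul(a, b):
    """Multi-limb integer product, one MADDU per partial product."""
    return product_scan(a, b, maddu)


def poly_mul(a, b):
    """Multi-limb GF(2)[x] product, one MADDP per partial product."""
    return product_scan(a, b, maddp)


def poly_square(a):
    """GF(2)[x] squaring: (sum a_i X^i)^2 = sum a_i X^(2i), so each limb squares on
    its own (one MADDP per limb, no cross terms) and the 64-bit results are laid
    end to end: n MADDPs instead of the n*n of a general multiply."""
    out = []
    for w in a:
        _, hi, lo = maddp((0, 0, 0), w, w)
        out += [lo, hi]
    return out


def to_limbs(x, n):
    """Little-endian 32-bit limbs of an int (or of a polynomial's coefficient bits)."""
    return [(x >> (32 * i)) & MASK32 for i in range(n)]


def from_limbs(limbs):
    """Inverse of to_limbs."""
    return sum(w << (32 * i) for i, w in enumerate(limbs))
```

Run on constructed operands, from_limbs(int_mul(to_limbs(x, 4), to_limbs(y, 3))) reproduces x * y and the poly_mul / poly_square results agree with a bit-level carry-less multiply. The point for the cache-bound SmartMIPS of slides 8 and 9 is that the column loop is short and regular, so it can be kept in the 2k instruction cache without full unrolling.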

  13. Implementation
  • In a pairing-based protocol we are also interested in variable-point multiplication over the base field GF(q)…
  • (Fixed-point multiplication as required in IBE will be very fast using precomputation)
  • Also interested in pairing exponentiation.

  14. Results – Instructions (%cache misses)

  15. Results – Clocks/CPI/Time 9 MHz

  16. Results – Clocks/CPI/Time 36 MHz

  17. Results – Timings 3GHz Pentium IV

  18. Pairing Delegation
  • Idea – delegate the pairing calculation to the terminal
  • Exchange the cost of the pairing for 1 point multiplication and 3 extension field exponentiations.
  • May be beneficial…

  19. Questions ?? Thank you! mike@computing.dcu.ie
