Hai-bin SHEN,Hua-feng CHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2006.09.004

2006-01-01

Abstract:To accelerate point multiplication operation of elliptic curve cryptography (ECC), a fast reduction algorithm for modular operation was introduced. The algorithm applied the characteristic of the small second item's degree of irreducible polynomial in characteristic 2 finite field. Based on the algorithm and projective Montgomery point multiplication algorithm, a configurable ECC accelerator using very large scale integrated circuit technology was proposed. Scalable field design and unique pipeline technique was adapted in the accelerator. Simulation results show that the accelerator designed by the algorithm can rapidly complete ECC point multiplication operation. When 162 bits key and 192 bits key are selected, the point multiplication operation takes 0.22 ms and 0.43 ms respectively. The accelerator has simple interface and good flexibility, and provides a method for hardware implementation of public key cryptography algorithm.

Chuhui Wang,Zewen Ye,Haibin Shen,Kejie Huang

DOI: https://doi.org/10.1007/978-3-031-69766-1_10

2024-01-01

Abstract:Bit Flipping Key Encapsulation (BIKE) is a code-based key encapsulation mechanism that utilizes Quasi-Cyclic Medium Density Parity-Check (QC-MDPC) codes, which is a promising candidate in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. Polynomial multiplication calculation is the most critical operation in BIKE, which limits the speed of key generation and encapsulation. The high degree of the polynomial not only requires millions of computations but also necessitates complex memory access. To address this issue, we propose a Computation-in-Memory (CIM) based accelerator architecture for polynomial multiplication operations in BIKE. To minimize the size of the CIM core while maintaining high computational throughput, we propose a folded mapping strategy and a one-memory-multiple-NAND architecture. As a result, a 128x128 array is sufficient for the bike1 parameters, with zero padding at the higher part of the multiplicand. Furthermore, we introduce a data flow scheme that integrates carry-less multiplication and polynomial reduction operations to improve computational efficiency. The post-layout simulation results in 28nm CMOS technology show that our fastest configuration design occupies an area of approximately 1.37 mm(2) with a low power consumption of around 14.17 mW. Compared with state-of-the-art hardware implementations, our proposed design improves the speed of polynomial multiplication by approximately 2.5x.

Hua-feng CHEN,Hai-bin SHEN,Xiao-lang YAN

DOI: https://doi.org/10.3785/j.issn.1008-973X.2007.11.002

2007-01-01

Abstract:A parallel fast computation method was proposed for elliptic curve cryptography (ECC) point multiplication over characteristic 2 finite field. The method made use of hardware dynamic instruction schedule technique which applied instruction level parallelism in combination with thread level parallelism to improve the parallel computation performance. The structure designed by this method monitors the operation of arithmetic component and generates point multiplication instruction sequences dynamically before the decode stage. The dynamic schedule cuts the performance loss caused by the data hazards stall which cannot be solved by the data bypass or forwarding. The results achieved by the field programmable gate array (FPGA) implementation show that the proposed design can complete the elliptic curve point multiplication operation in Galois Fields GF (2193) in 22.7μs.

Jun Han,Yang Li,Zhiyi Yu,Xiaoyang Zeng

DOI: https://doi.org/10.1109/tvlsi.2014.2316514

2015-04-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Pairings are attractive and competitive cryptographic primitives for establishing various novel and powerful information security schemes. This paper presents a flexible and high-performance processor for cryptographic pairings over pairing-friendly curves at high security levels. In this design, hardware for Fp2 arithmetic is optimized to accelerate the pairing computation, and especially a combined modular multiplier, which implements (AB + CD) based on Montgomery method, is proposed. This combined multiplier has the data path delay close to that of a single multiplier implementing (AB) but saves 20% area cost compared with two single multipliers. The Design I of the proposed processor is the first fabricated chip for pairing cryptography. An improved version, Design II, is implemented using TSMC 65-nm CMOS technology and achieves the working frequency of 633 MHz after placing and routing. As demonstrated, the optimal ate pairings of 126- and 128-bit security can be computed by Design II in 0.521 and 0.554 ms, respectively. These results outperform the hardware implementations reported by previous works.

engineering, electrical & electronic,computer science, hardware & architecture

Ye Zhang,Chun Jason Xue,Duncan S. Wong,Nikos Mamoulis,Siu Ming Yiu

DOI: https://doi.org/10.1007/978-3-642-34129-8_31

2012-01-01

Abstract:Recently, composite-order bilinear pairing has been shown to be useful in many cryptographic constructions. However, it is time-costly to evaluate. This is because the composite order should be at least 1024bit and, hence, the elliptic curve group order n and base field become too large, rendering the bilinear pairing algorithm itself too slow to be practical (e.g., the Miller loop is Ω(n)). Thus, composite-order computation easily becomes the bottleneck of a cryptographic construction, especially, in the case where many pairings need to be evaluated at the same time. The existing solution to this problem that converts composite-order pairings to prime-order ones is only valid for certain constructions. In this paper, we leverage the huge number of threads available on Graphics Processing Units (GPUs) to speed up composite-order pairing computation. We investigate suitable SIMD algorithms for base/extension field, elliptic curve and bilinear pairing computation as well as mapping these algorithms into GPUs with careful considerations. Experimental results show that our method achieves a record of 8.7ms per pairing on a 80bit security level, which is a 20-fold speedup compared to the state-of-the-art CPU implementation. This result also opens the road to adopting higher security levels and using rich-resource parallel platforms, which for example are available in cloud computing. For example, we can achieve a record of 7 ×10− 6 USD per pairing on the Amazon cloud computing environment.

Weizhen Wang,Jun Han,Jielin Wang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2015.7516999

2015-01-01

Abstract:Finite field arithmetic is the base of cryptography algorithms like Elliptic Curves Cryptography (ECC) and RSA. In this paper, We have designed an arithmetic unit to implement the operation (A ± αB)mod N, where α is a small number compared with N. In our design, the coefficient α is smaller than 128. The basic motivation of designing this multiply-accumulate (MAC) unit is to support some high security ECC algorithms such as Optimal Ate Pairings. The well-known Optimal Ate Pairing based on Barreto-Naehrig elliptic curve is famous for it's efficient implementation. In those cryptography algorithms, the calculation of αB mod N is required, where α is a small number. It is unefficient to use modular multiplication to calculate it. This is the basic motivation of implementing the operation (A ± αB)mod N with α <;<; N. Considering that the Barreto-Naehrig elliptic curve for pairing are defined in F P12 , we implement the arithmetic unit to be a Single Instruction Multiple Data (SIMD) unit with pipelined structure. Thus, the design is suitable for arithmetic in extensions of finte fields. We have modified the Barrett reduction algorithm to make it suitable for the design. The design is synthesized with SMIC 65nm CMOS process. Compared with using modular multiplication to calculate (A ± αB)mod N, Our work shows better performance with small latency and high throughput.

Junichi Sakamoto,Daisuke Fujimoto,Riku Anzai,Naoki Yoshida,Tsutomu Matsumoto

DOI: https://doi.org/10.1109/tvlsi.2024.3402164

2024-07-26

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:This study focuses on the acceleration of cryptographic pairing operations on field-programmable gate arrays (FPGAs) for server-side applications. Previous studies on FPGA pairing implementations focused on area efficiency for embedded devices, trying to achieve maximum performance with minimal circuit resources. However, their architectures are likely to be inefficient for server-side applications, where the primary interest is maximum performance when FPGA resources are finished. Their architectures are inefficient for two reasons: low utilization of the digital signal processor (DSP) and low operation frequency. In this study, we propose a high-throughput pairing processor architecture for server-side FPGAs, taking full advantage of DSPs. First, we propose a loop-unrolled modular multiplication algorithm that is suitable for a server-side FPGA. The algorithm shows the highest throughput and area efficiency compared to algorithms from previous studies. Second, we design a pairing processor architecture that embeds the proposed modular multiplier, thus, maintaining its high throughput by supporting redundant adders and interleaved executions. We evaluate BN254 and BLS12_381 pairings on the proposed processor architecture and the evaluation results show that it achieves good throughput that is approximately two and five times faster than that from previous studies, respectively.

engineering, electrical & electronic,computer science, hardware & architecture

Oussama Azzouzi,Mohamed Anane,Mouloud Koudil,Mohamed Issad,Yassine Himeur

DOI: https://doi.org/10.1007/s11227-023-05578-5

2023-08-25

Abstract:While FPGA is a suitable platform for implementing cryptographic algorithms, there are several challenges associated with implementing Optimal Ate pairing on FPGA, such as security, limited computing resources, and high power consumption. To overcome these issues, this study introduces three approaches that can execute the optimal Ate pairing on Barreto-Naehrig curves using Jacobean coordinates with the goal of reaching 128-bit security on the Genesys board. The first approach is a pure software implementation utilizing the MicroBlaze processor. The second involves a combination of software and hardware, with key operations in $F_{p}$ and $F_{p^{2}}$ being transformed into IP cores for the MicroBlaze. The third approach builds on the second by incorporating parallelism to improve the pairing process. The utilization of multiple MicroBlaze processors within a single system offers both versatility and parallelism to speed up pairing calculations. A variety of methods and parameters are used to optimize the pairing computation, including Montgomery modular multiplication, the Karatsuba method, Jacobean coordinates, the Complex squaring method, sparse multiplication, squaring in $G_{\phi 6}F_{p^{12}}$, and the addition chain method. The proposed systems are designed to efficiently utilize limited resources in restricted environments, while still completing tasks in a timely manner.

Cryptography and Security

Tom English,Maurice Keller,Ka Lok Man,Emanuel Popovici,Michel Schellekens,William Marnane

DOI: https://doi.org/10.1109/soccon.2009.5398017

2009-01-01

Abstract:We report on the implementation of an IP core for Pairing-based cryptography. The core performs an elliptic curve cryptographic operation called the Tate Pairing over the field GF(2251). In this paper, we describe the implementation of the design in TSMC 65nm GP CMOS standard cells and the optimisations made for low-power operation. The resulting core computes the pairing in 1.5ms and consumes less than 4mW.

Yi Wu,GuanTong Su,JianLong Su,GuoQiang Bai,XingJun Wu

DOI: https://doi.org/10.1109/icasid.2018.8693124

2018-01-01

Abstract:Compared to RSA, Elliptic curve cryptosystem provides the same security level with shorter key length, which makes the calculation complexity much smaller. Ate pairing is an optimized bilinear pairing with outstanding performance and it is playing more and more important role in elliptic curve cryptosystem. Therefore, the reduction of Miller loops to accelerate the computation of Ate-pairing is the fundamental purpose. In this paper, we explore the optimization of Ate-pairing. We improved the Ate pairing performance leading to the shortest Miller loop of r 1/φ(k) , which support former conjecture. These improvements could be useful when Ate pairing is used in IBC schemes requiring high-speed but facing limited hardware resources. Both the experiment result and previous manuscripts proved the correctness and validity of the optimization.

Shiping Cai,Zhi Hu,Zheng-An Yao,Chang-An Zhao

DOI: https://doi.org/10.48550/arXiv.2109.07050

2021-09-15

Abstract:Pairings have been widely used since their introduction to cryptography. They can be applied to identity-based encryption, tripartite Diffie-Hellman key agreement, blockchain and other cryptographic schemes. The Acceleration of pairing computations is crucial for these cryptographic schemes or protocols. In this paper, we will focus on the Elliptic Net algorithm which can compute pairings in polynomial time, but it requires more storage than Miller's algorithm. We use several methods to speed up the Elliptic Net algorithm. Firstly, we eliminate the inverse operation in the improved Elliptic Net algorithm. In some circumstance, this finding can achieve further improvements. Secondly, we apply lazy reduction technique to the Elliptic Net algorithm, which helps us achieve a faster implementation. Finally, we propose a new derivation of the formulas for the computation of the Optimal Ate pairing on the twisted curve. Results show that the Elliptic Net algorithm can be significantly accelerated especially on the twisted curve. The algorithm can be $80\%$ faster than the previous ones on the twisted 381-bit BLS12 curve and $71.5\%$ faster on the twisted 676-bit KSS18 curve respectively.

Cryptography and Security,Algebraic Geometry,Number Theory

Yang Li,Jun Han,Shuai Wang,Dabin Fang,Xiaoyang Zeng

DOI: https://doi.org/10.1109/IPEC.2012.6522664

2012-01-01

Abstract:Pairings are attractive and competitive cryptographic primitives for establishing various novel and powerful information security schemes. An efficient implementation of pairings is usually critical for realizing a cryptographic scheme practically. This paper presents a high-performance pairing processor with a new combined Montgomery multiplier which implements the fundamental operations of Fp2 multiplication efficiently. The processor is fabricated in TSMC 65nm CMOS process. The chip achieves 800MHz (1.2V) with 266.5mW power consumption and a core area of 2.51mm2, and computes an optimal Ate pairing (254-bit curve) in 0.64ms.

Yalong Pang,Ying Zhang,Jun Han,Xiaoyang Zeng

DOI: https://doi.org/10.1109/asicon.2017.8252537

2017-01-01

Abstract:The quadratic extension field F p 2 is the underlying field in pairing, and speeding up the F p 2 arithmetic will benefit the overall pairing computation largely. This paper we proposed a modified Barrett modular multiplication algorithm and devise an architecture to perform the operation in the form of “AB+ηCD mod M”. In our design, the η is a 5-bit two's complement. The proposed Barrett modular multiplier can implement the fundamental operations of F p 2 multiplication efficiently. The advantages of our design are that the proposed hardware circuit can adapt different parameters of pairing flexibly, and each final result is reduced under modulus M as well, which will shorten the width of the operands and decrease the overhead of the memory access bandwidth. The proposed architecture is synthesized under SMIC 65nm CMOS technology. And the results show that the max work frequency is 709MHz (1.2V) and the design requires 226kGates. It can compute F p 2 multiplication (254 bits) in 0.07us.

Muhammad Kashif,Ihsan Cicek,Malik Imran

DOI: https://doi.org/10.23919/eleco47770.2019.8990437

2019-11-01

Abstract:The work presents an elliptic curve crypto accelerator to implement scalar multiplication on standardized NIST curve over Galois binary fields by using polynomial basis. The proposed design provides efficient hardware utilization and low power consumption. For this purpose, hybrid finite field multiplier is proposed using standard Karatsuba multiplier and shlft-and-add multiplication algorithms. The proposed hybrid finite field multiplier can perform one finite field multiplication in $\frac{m}{2}$ clock cycles, with m being the key-length. Montgomery algorithm with projective coordinates (LopezDahab) is used for the computation of scalar multiplication. An FSM based control unit is developed, governing the overall operations of proposed accelerator. The proposed architecture has been modeled in Verilog-HDL and implemented up to place and route level using the Xilinx Vivado and ISE design software for various FPGA devices. The achieved results demonstrate the convenience of proposed ECC accelerator for resource constrained embedded systems applications requiring low area and low power hardware.

Yingchao Cui,Qing Liu,Yingbiao Yao,Xiaorong Xu,Wei Wu,Xin Xu

DOI: https://doi.org/10.1016/j.micpro.2023.104944

IF: 3.503

2023-10-18

Microprocessors and Microsystems

Abstract:For the elliptic curve cryptography (ECC) over prime field, this paper presents an area-efficient and low-latency elliptic curve scalar multiplication (ECSM) accelerator, which supports to process any prime number p ≤ 256 bits. The proposed accelerator is based on a parallel hardware implementation of iterative digit-digit Montgomery multiplication and an optimized data flow architecture for elliptic curve point operations. The proposed design is implemented in Xilinx Virtex-7 FPGA. The experimental results show that the proposed architecture occupies 23.7k look-up tables (LUTs) and performs single 256-bit scalar multiplication in 0.56 ms. The area-time product of the proposed architecture is only 13.36. Compared with other state-of-the-art ECSM implementations, the proposed architecture has obvious advantage in terms of the area-time product.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Guantong Su,Guoqiang Bai

DOI: https://doi.org/10.3390/electronics12051235

IF: 2.9

2023-03-05

Electronics

Abstract:Cryptosystems based on supersingular isogeny are a novel tool in post-quantum cryptography. One compelling characteristic is their concise keys and ciphertexts. However, the performance of supersingular isogeny computation is currently worse than that of other schemes. This is primarily due to the following factors. Firstly, the underlying field is a quadratic extension of the finite field, resulting in higher computational complexity. Secondly, the strategy for large-degree isogeny evaluation is complex and dependent on the elementary arithmetic units employed. Thirdly, adapting the same hardware to different parameters is challenging. Considering the evolution of similar curve-based cryptosystems, we believe proper algorithm optimization and hardware acceleration will reduce its speed overhead. This paper describes a high-performance and flexible hardware architecture that accelerates isogeny computation. Specifically, we optimize the design by creating a dedicated quadratic Montgomery multiplier and an efficient scheduling strategy that are suitable for supersingular isogeny. The multiplier operates on Fp2 under projective coordinate formulas, and the scheduling is tailored to it. By exploiting additional parallelism through replicated multipliers and concurrent isogeny subroutines, our 65 nm SMIC technology cryptographic accelerator can generate ephemeral public keys in 2.40 ms for Alice and 2.79 ms for Bob with a 751-bit prime setting. Sharing the secret key costs another 2.04 ms and 2.35 ms, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Guantong Su,Xingjun Wu,Guoqiang Bai

DOI: https://doi.org/10.1109/edssc.2019.8753928

2019-01-01

Abstract:In this paper, we present a high performance extension field multiplier for pairing acceleration on reconfigurable device. It is shown that combining Residue Number System (RNS), which is designed for concurrent architecture and modern FPGA programmable logic array. The parallelism of RNS can be fully exploited. The proof of concept is implemented on a Xilinx Ultrascale+ FPGA, which takes 352 DSPs and accomplish a F-p6 multiplication in 44 cycles at a 500MHz clock frequency.

Xiaokang Xiong,Duncan S. Wong,Xiaotie Deng

DOI: https://doi.org/10.1109/NCA.2009.30

2009-01-01

Abstract:Since the introduction of bilinear pairing to public key cryptography in 2001, pairing has been considered as one of the most expensive public key operations in terms of both computational complexity and memory requirement. Recently some work has been done on improving the computation time of pairing on resource-constrained wireless sensors. However, little has been focused on reducing the memory consumption. In this paper, we propose three new algorithms for speeding up the computation and reducing the memory footprint of cubing, modular reduction and polynomial multiplication in ΗT pairing over finite fields of characteristic three. We further propose new programming techniques for making the implementation even more lightweight. Our experimental results show that one ΗT pairing, with security level comparable to 1024-bit RSA, can be done on a MICAz sensor node in just 5.3 seconds, using only 154 bytes of RAM and 8,576 bytes of ROM. To the best of our knowledge, this is the most efficient nesC implementation to date. Also, when compared with the best known result found in the literature, our implementation reduces the RAM usage by 75% and the ROM usage by 51%. The resulting size of our implementation corresponds to only 3.7% and 6.5% of the RAM and ROM capacities of MICAz, respectively.

Tianyi XIE,Kai HUANG,Siwen XIU,Congxue TANG,Xiaolang YAN

DOI: https://doi.org/10.3778/j.issn.1002-8331.1410-0277

2016-01-01

Abstract:The software efficiency of Elliptic Curve Cryptography(ECC)algorithm over GF ( p) is analyzed. Against the disadvantages of the software implementation, the partition between software and hardware is given. A kind of hardware accelerator suitable for Sytem-on-Chip(SoC)is proposed, and the SoC architecture is designed. Hardware acceleration for both filed multiplication and Miller-Rabin primality test is implemented, which largely improves the performance of ECC at the expense of a little cost of area. The SM2 public key cryptographic algorithm is implemented on chip. Based on the HJTC 0.11μm eFlash standard cell-library, the area of the accelerator is about 0.6 mm2 . The accelerator can execute 167 operations per second for 192 bit unknown-point multiplication and 94 operations per second for 256 bit in 50 MHz. Experimental results show that the performance per unit area of the accelerator is higher than other approaches.

Xusheng Zhang,Kunpeng Wang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-642-36334-4_1

2012-01-01

Abstract:In implementation of elliptic curve cryptography, three kinds of finite fields have been widely studied, i.e. prime field, binary field and optimal extension field. In pairing-based cryptography, however, pairing-friendly curves are usually chosen among ordinary curves over prime fields and supersingular curves over extension fields with small characteristics. In this paper, we study pairings on elliptic curves over extension fields from the point of view of accelerating the Miller's algorithm to present further advantage of pairing-friendly curves over extension fields, not relying on the much faster field arithmetic. We propose new pairings on elliptic curves over extension fields can make better use of the multi-pairing technique for the efficient implementation. By using some implementation skills, our new pairings could be implemented much more efficiently than the optimal ate pairing and the optimal twisted ate pairing on elliptic curves over extension fields. At last, we use the similar method to give more efficient pairings on Estibals's supersingular curves over composite extension fields in parallel implementation.