Implementing Cryptographic Pairings on Smartcards

1
Implementing Cryptographic Pairings on Smartcards

• Mike Scott

2
Whats a Pairing?

• Denoted e(P,Q), P and Q points on curve over
  extension field GF(qk), k is the embedding
  degree.
• P of order r.
• k smallest integer such that r(qk-1)
• Useful range of k between 2 and 36
• Pairing evaluates as element of order r in GF(qk)
• Pairing algorithm does not need knowledge of r

3
Whats a Pairing?

• MOV condition Dont use these curves!
• Pairing-based Crypto We need these curves!
• Bilinearity e(aP,bQ) e(P,Q)ab e(bP,aQ)
• A Pairing is a flexible crypto primitive with
  more structure than most
• Famously pairings enable Identity Based
  Encryption (IBE)

4
Pairing-friendly Elliptic curves

• Right now we have choice between supersingular
  curves, any characteristic, and
• Non-supersingular curves of prime characteristic.
• Group size r at least 160 bits.
• Index calculus difficulty at least 1024 bits,
  so k.lg(q) at least 1024, where q is the field
  size and k is the embedding degree.

5
Pairing-friendly Elliptic curves

• We will use 3 different pairing friendly curves.
  In all cases the group size is at least 160 bits.
• GF(2m) supersingular curve, m379 and k4
• GF(p) non-supersingular curve, lg(p)512 and k2
  (generated using Cocks-Pinch method)
• GF(p) non-supersingular curve, lg(p)256 and k4
  (generated from a pairing-friendly family see
  Freeman-Scott-Teske (to appear))

6
SmartMIPS Architecture

• 32-bit RISC MIPS-based processor.
• No crypto-coprocessor but instruction set
  enhancements (Großschadl Savas).
• Fast clock speed (up to 36MHz), fast enough to do
  standard crypto lt 0.5 second.
• Triple register ACXHILO

7
SmartMIPS Architecture

• MADDU instruction multiplies two 32-bit
  integers and adds to triple register
• MADDP instruction multiplies two 32-bit binary
  polynomials and xors to triple register
• 5 stage pipeline
• 2k Instruction cache (2-way associative)
• 256k Flash memory
• 16k RAM

8
SmartMIPS Architecture

• Finally a processor with GF(2m) support!
• But MIPS architecture like to loop unroll
• but small instruction cache means that we
  cannot unroll to the max ?
• CPU Time
• Instructions X CPI
• ----------------------------------
  -
• Clock Speed

9
SmartMIPS Architecture

• Faster clock speeds implies cache misses are more
  costly, which implies greater CPI which implies
  greater CPU Time ?
• So very important to use tight loops and avoid
  cache misses where possible.
• Minimizing instruction count is not going to be
  optimal!

10
Pairing algorithms

• Chance to show-case state of the art algorithms.
• For GF(2m) curve, the ?T pairing is optimal.
• For GF(p) k2 Cocks-Pinch curve, BKLS algorithm
  for the Tate pairing.
• For GF(p) k4 FST curve, Ate pairing is best.
• Considered in the context of IBE, the first
  parameter to the pairing is fixed, so we will use
  precomputation.

11
Pairing algorithms

• All these algorithms need to efficiently handle
  extension field arithmetic
• Base field GF(q), extension field GF(qk)

12
Implementation

• Uses MIRACL library
• Uses stack only allocation, for everything. All
  of the 16k RAM is available for the stack.
• Großschadl Savas-like assembly language coding
  for the inner loops.
• Use the MADDP instruction for assembly language
  GF(2m) squaring.

13
Implementation

• In a pairing-based protocol we are also
  interested in variable-point multiplication over
  the base field GF(q)
• (Fixed point multiplication as required in IBE
  will be very fast using precomputation)
• Also interested in pairing exponentiation.

14
Results Instructions (cache misses)
EGF(2239) ?T k4 E(GF(p) Tate k2 E(GF(p) Ate k4
Pairing 3705344 (10.9) 7753341 (7.3) 8156645 (15.8)
Point Mult. 2589569 (9.6) 7418768 (6.1) 2663217 (17.5)
Field Exp. 151117 (11.4) 1364124 (7.2) 1614016 (15.7)
RSA decrypt 4372772 (3.4)
15
Results Clocks/CPI/Time 9 MHz
EGF(2239) ?T k4 E(GF(p) Tate k2 E(GF(p) Ate k4
Pairing 4311454/ 1.16/0.48 9104450/ 1.17/1.01 10860479/ 1.33/1.21
Point Mult. 3118344/ 1.20/0.35 8529176/ 1.15/0.95 3739596/ 1.40/0.42
Field Exp. 1924596/ 1.24/0.21 1593313/ 1.17/0.18 2122221/ 1.31/0.24
RSA decrypt 4740271/ 1.08/0.53
16
Results Clocks/CPI/Time 36 MHz
EGF(2239) ?T k4 E(GF(p) Tate k2 E(GF(p) Ate k4
Pairing 4891054/ 1.32/0.14 10467010 1.35/0.29 13621597/ 1.67/0.38
Point Mult. 3677188/ 1.42/0.10 9570210/ 1.29/0.27 4847055/ 1.82/0.13
Field Exp. 2326675/ 1.50/0.06 1814285/ 1.33/0.05 2630846/ 1.63/0.07
RSA decrypt 5072415/ 1.16/0.14
17
Results Timings 3GHz Pentium IV
EGF(2239) ?T k4 E(GF(p) Tate k2 E(GF(p) Ate k4
Pairing 3.88 2.97 3.16
Point Mult. 1.82 3.08 1.17
Field Exp. 1.14 0.54 0.62
RSA decrypt 1.92
18
Pairing Delegation

• Idea delegate pairing calculation to the
  terminal
• Exchange the cost of the pairing for 1 point
  multiplications and 3 extension field
  exponentiations.
• May be beneficial.

19

• Questions ??
• Thank you!
• mike_at_computing.dcu.ie