Cryptology ePrint Archive: Report 2009/056

Designing an ASIP for Cryptographic Pairings over Barreto-Naehrig Curves

David Kammler and Diandian Zhang and Peter Schwabe and Hanno Scharwaechter and Markus Langenberg and Dominik Auras and Gerd Ascheid and Rainer Leupers and Rudolf Mathar and Heinrich Meyr

Abstract: This paper presents a design-space exploration of an application-specific instruction-set processor (ASIP) for the computation of various cryptographic pairings over Barreto-Naehrig curves (BN curves). Cryptographic pairings are based on elliptic curves over finite fields; in the case of BN curves, a field $\mathbb{F}_p$ of large prime order $p$. Efficient arithmetic in these fields is crucial for fast computation of pairings. Moreover, computation of cryptographic pairings is much more complex than elliptic-curve cryptography (ECC) in general. Therefore, we facilitate programming of the proposed ASIP by providing a C compiler. In order to speed up $\mathbb{F}_p$-arithmetic, a RISC core is extended with additional functional units. The critical path delay of these units is adjusted to the base architecture in order to maintain the operating frequency. Independently from that adjustment, these units are scalable, allowing for a trade-off between execution time and area consumption. Because the resulting speedup can be limited by the memory throughput, utilization of multiple data memories is proposed. However, developing a C compiler for multiple memories is a challenging task. Therefore, we introduce an enhanced memory system enabling multiple concurrent memory accesses while remaining totally transparent to the C compiler. The proposed design needs 15.8 ms for the computation of the Optimal-Ate pairing over a 256-bit BN curve at 338 MHz implemented with a 130 nm standard cell library. The processor core consumes 97 kGates, making it suitable for use in embedded systems.

Category / Keywords: implementation / Application-specific instruction-set processor (ASIP), design-space exploration, pairing-based cryptography, Barreto-Naehrig curves, elliptic-curve cryptography (ECC), $\mathbb{F}_p$-arithmetic.

Date: received 4 Feb 2009, last revised 14 Jul 2009

Contact author: kammler at iss rwth-aachen de

Note: Version from Mar 31, 2009 contains an extended result comparison.

Version: 20090714:105436
