# Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

@article{Aranha2012OptimalEP, title={Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves}, author={Diego F. Aranha and Jean-Luc Beuchat and J{\'e}r{\'e}mie Detrey and Nicolas Estibals}, journal={IACR Cryptol. ePrint Arch.}, year={2012}, volume={2010}, pages={559} }

This article presents a novel pairing algorithm over supersingular genus-2 binary hyperelliptic curves. Starting from Vercauteren's work on optimal pairings, we describe how to exploit the action of the $2^{3m}$-th power Verschiebung in order to reduce the loop length of Miller's algorithm even further than the genus-2 $\eta_T$ approach.
As a proof of concept, we detail an optimized software implementation and an FPGA accelerator for computing the proposed optimal Eta pairing on a genus-2 hyperelliptic…

## 33 Citations

High Speed Cryptoprocessor for $\eta_T$ Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields

- Computer Science, Mathematics
- CHES
- 2011

This paper presents an efficient architecture for computing cryptographic $\eta_T$ pairing for providing 128-bit security on supersingular elliptic curves over characteristic two fields and achieves eight times speedup compared to the best known existing design.

Hardware processors for pairing-based cryptography

- Computer Science, Mathematics
- 2016

Bilinear pairings can be used to construct cryptographic systems with very desirable properties. A pairing performs a mapping on members of groups on elliptic and genus 2 hyperelliptic curves to an…

Towards Faster and Greener Cryptoprocessor for Eta Pairing on Supersingular Elliptic Curve over $\mathbb{F}_{2^{1223}}$

- Computer Science, Mathematics
- Selected Areas in Cryptography
- 2012

For the same type of pairing, this article proposes hybrid sequential/parallel multipliers based on the Toeplitz matrix-vector products and presents some optimizations for the final exponentiation, resulting in high performance cryptoprocessors.

GPU-Based Implementation of 128-Bit Secure Eta Pairing over a Binary Field

- Computer Science, Mathematics
- AFRICACRYPT
- 2013

This paper reports the fastest GPU-based implementations of eta pairing on an NVIDIA Tesla C2050 platform, and proposes efficient parallel implementation strategies for multiplication, square, square root and inverse in the underlying field.

Towards Faster and Greener Cryptoprocessor for Eta Pairing on Supersingular Elliptic Curve over $\mathbb{F}_{2^{1223}}$

- Computer Science, Mathematics
- 2012

This article proposes hybrid sequential/parallel multipliers based on the Toeplitz matrix-vector products and presents some optimizations for the exponentiation, resulting in high performance cryptoprocessors.

Contributions à la cryptographie à base de couplage

- Computer Science, Mathematics
- 2017

A variant of Miller’s formula is proposed which gives rise to a generically faster algorithm for any pairing friendly curve and provides an improvement in cases little studied until now, in particular when denominator elimination is not available.

FPGA Implementation of Pairings Using Residue Number System and Lazy Reduction

- Computer Science, Mathematics
- CHES
- 2011

This paper presents two FPGA-based high speed pairing designs using the Residue Number System and lazy reduction, and shows that by combining RNS, which is naturally suitable for parallel architectures, and lazy reduction, the speed of pairing computation in hardware can be largely increased.

Breaking '128-bit Secure' Supersingular Binary Curves (or how to solve discrete logarithms in $\mathbb{F}_{2^{4 \cdot 1223}}$ and $\mathbb{F}_{2^{12 \cdot 367}}$)

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2014

This paper proposes a new field representation and efficient general descent principles which together make the new techniques far more practical, and shows that the aforementioned genus one curve has approximately 59 bits of security, and a total break of the genus two curve.

Faster Pairing Coprocessor Architecture

- Computer Science, Mathematics
- Pairing
- 2012

A high-speed pairing coprocessor using Residue Number System (RNS) which is intrinsically suitable for parallel computation and which outperforms all reported hardware and software designs.

An FPGA-based programmable processor for bilinear pairings

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2018

The results show that high flexibility is achieved by the proposed cryptoprocessor at a competitive timing and area usage when it is compared to custom designs for pairings defined over singular/supersingular elliptic curves at a 128-bit security level.

## References

Hardware acceleration of the Tate pairing on a genus 2 hyperelliptic curve

- Computer Science, Mathematics
- J. Syst. Archit.
- 2007

Efficient Hardware Implementation of $\mathbb{F}_p$-Arithmetic for Pairing-Friendly Curves

- Computer Science, Mathematics
- IEEE Transactions on Computers
- 2012

A new method to speed up $\mathbb{F}_p$-arithmetic in hardware for pairing-friendly curves, such as the well-known Barreto-Naehrig (BN) curves, using Montgomery reduction in a polynomial ring combined with a coefficient reduction phase using a pseudo-Mersenne number is described.

Efficient and Generalized Pairing Computation on Abelian Varieties

- Mathematics, Computer Science
- IEEE Transactions on Information Theory
- 2009

Using the R-ate pairing, the loop length in Miller's algorithm can be as small as $\log(r^{1/\varphi(k)})$ for some pairing-friendly elliptic curves which have not reached this lower bound.

TATE PAIRING COMPUTATION ON THE DIVISORS OF HYPERELLIPTIC CURVES OF GENUS 2

- Mathematics, Computer Science
- 2008

We present an explicit Eta pairing approach for computing the Tate pairing on general divisors of hyperelliptic curves $H_d$ of genus 2, where $H_d : y^2 + y = x^5 + x^3 + d$ is defined over $\mathbb{F}_{2^n}$ with $d = 0$…

Multi-core Implementation of the Tate Pairing over Supersingular Elliptic Curves

- Computer Science, Mathematics
- CANS
- 2009

The design of a fast multi-core library for the cryptographic Tate pairing over supersingular elliptic curves is described and one important design question that arises is answered: how many cores should be utilized for a given application.

Compact Hardware for Computing the Tate Pairing over 128-Bit-Security Supersingular Curves

- Computer Science, Mathematics
- Pairing
- 2010

This paper presents a novel method for designing compact yet efficient hardware implementations of the Tate pairing over supersingular curves in small characteristic by considering curves over field extensions of moderately-composite degree, hence taking advantage of a much easier tower field arithmetic.

Pairing-Friendly Elliptic Curves of Prime Order

- Mathematics, Computer Science
- Selected Areas in Cryptography
- 2005

This paper describes a method to construct elliptic curves of prime order and embedding degree $k = 12$ and shows that the ability to handle $\log(D)/\log(r) \sim (q-3)/(q-1)$ enables building curves with $\rho \sim q/(q-1)$.

Faster Explicit Formulas for Computing Pairings over Ordinary Curves

- Mathematics, Computer Science
- EUROCRYPT
- 2010

Efficient formulas for computing pairings on ordinary elliptic curves over prime fields are described, improving on the state-of-the-art performance of cryptographic pairings by 28%-34% on several popular 64-bit computing platforms.

High Speed Cryptoprocessor for $\eta_T$ Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields

- Computer Science, Mathematics
- CHES
- 2011

This paper presents an efficient architecture for computing cryptographic $\eta_T$ pairing for providing 128-bit security on supersingular elliptic curves over characteristic two fields and achieves eight times speedup compared to the best known existing design.

Fast Architectures for the $\eta_T$ Pairing over Small-Characteristic Supersingular Elliptic Curves

- Computer Science, Mathematics
- IEEE Transactions on Computers
- 2011

A novel hardware implementation of Miller's algorithm based on a parallel pipelined Karatsuba multiplier is proposed, which improves both the computation time and the area-time trade-off compared to previously published coprocessors.