Fast Architectures for the \eta_T Pairing over Small-Characteristic Supersingular Elliptic Curves

This paper is devoted to the design of fast parallel accelerators for the cryptographic η_T pairing on supersingular elliptic curves over finite fields of characteristics two and three. We propose here a novel hardware implementation of Miller´s algorithm based on a parallel pipelined Karatsuba multiplier. After a short description of the strategies that we considered to design our multiplier, we point out the intrinsic parallelism of Miller´s loop and outline the architecture of coprocessors for the η_T pairing over F(2^m) and F(2^m). Thanks to a careful choice of algorithms for the tower field arithmetic associated with the η_T pairing, we manage to keep the pipelined multiplier at the heart of each coprocessor busy. A final exponentiation is still required to obtain a unique value, which is desirable in most cryptographic protocols. We supplement our pairing accelerators with a coprocessor responsible for this task. An improved exponentiation algorithm allows us to save hardware resources. According to our place-and-route results on Xilinx FPGAs, our designs improve both the computation time and the area-time trade-off compared to previously published coprocessors.