TY - GEN
T1 - Reduction optimal trinomials for efficient software implementation of the ηT pairing
AU - Nakajima, Toshiya
AU - Izu, Tetsuya
AU - Takagi, Tsuyoshi
PY - 2007/12/1
Y1 - 2007/12/1
N2 - The ηT pairing for supersingular elliptic curve over GF(3m) has been paid attention because of its computational efficiency. Since most parts of computation of the ηT pairing are multiplications over GF(3m), it is important to improve the speed of the multiplication when implementing the ηT pairing. In this paper we consider software implementation of multiplication over GF (3 m) and propose to use irreducible trinomials xm + ax k + b over GF(3) such that w, bit length of word of targeted CPU, divides k. We call the trinomials "reduction optimal trinomials (ROTs)". ROTs actually exist for several m's and typical values of w = 16 and 32. We list them for extension degrees m = 97, 167, 193 and 239. These m's are derived from security considerations. Using ROT it is possible to implement efficient modulo operation (reduction) in multiplication over GF(3m) comparing with the case using other type of trinomials (e.g., trinomials with minimum k for each m). The reason of this is that for the cases of reduction by ROT the number of shift operations on multiple precision data reduces to less than half comparing with the cases by other trinomials. Implementation results show that reduction algorithm specialized for ROT is 20-30% faster on 32-bit CPU and around 40% faster on 16-bit CPU than algorithm for irreducible trinomials with general k.
AB - The ηT pairing for supersingular elliptic curve over GF(3m) has been paid attention because of its computational efficiency. Since most parts of computation of the ηT pairing are multiplications over GF(3m), it is important to improve the speed of the multiplication when implementing the ηT pairing. In this paper we consider software implementation of multiplication over GF (3 m) and propose to use irreducible trinomials xm + ax k + b over GF(3) such that w, bit length of word of targeted CPU, divides k. We call the trinomials "reduction optimal trinomials (ROTs)". ROTs actually exist for several m's and typical values of w = 16 and 32. We list them for extension degrees m = 97, 167, 193 and 239. These m's are derived from security considerations. Using ROT it is possible to implement efficient modulo operation (reduction) in multiplication over GF(3m) comparing with the case using other type of trinomials (e.g., trinomials with minimum k for each m). The reason of this is that for the cases of reduction by ROT the number of shift operations on multiple precision data reduces to less than half comparing with the cases by other trinomials. Implementation results show that reduction algorithm specialized for ROT is 20-30% faster on 32-bit CPU and around 40% faster on 16-bit CPU than algorithm for irreducible trinomials with general k.
UR - http://www.scopus.com/inward/record.url?scp=38149133166&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=38149133166&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:38149133166
SN - 9783540756507
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 44
EP - 57
BT - Advances in Information and Computer Security - Second International Workshop on Security, IWSEC 2007, Proceedings
T2 - 2nd International Workshop on Security, IWSEC 2007
Y2 - 29 October 2007 through 31 October 2007
ER -