Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

Paper 2010/559

Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

Diego F. Aranha, Jean-Luc Beuchat, Jérémie Detrey, and Nicolas Estibals

Abstract

This article presents a novel pairing algorithm over supersingular genus-$2$ binary hyperelliptic curves. Starting from Vercauteren's work on optimal pairings, we describe how to exploit the action of the $2^{3m}$-th power Verschiebung in order to reduce the loop length of Miller's algorithm even further than the genus-$2$ $\eta_T$ approach. As a proof of concept, we detail an optimized software implementation and an FPGA accelerator for computing the proposed optimal Eta pairing on a genus-$2$ hyperelliptic curve over $\mathbb{F}_{2^{367}}$, which satisfies the recommended security level of $128$ bits. These designs achieve favourable performance in comparison with the best known implementations of $128$-bit-security Type-1 pairings from the literature.

Note: Updated version, incorporating remarks and comments from anonymous Eurocrypt and CT-RSA reviewers.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Published elsewhere. Unknown where it was published
Keywords: Optimal Eta pairing supersingular genus-2 curve software implementation FPGA implementation
Contact author(s): Jeremie Detrey @ loria fr
History: 2011-11-23: last of 3 revisions; 2010-11-03: received; See all versions
Short URL: https://ia.cr/2010/559
License: CC BY

BibTeX

@misc{cryptoeprint:2010/559,
      author = {Diego F.  Aranha and Jean-Luc Beuchat and Jérémie Detrey and Nicolas Estibals},
      title = {Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves},
      howpublished = {Cryptology {ePrint} Archive, Paper 2010/559},
      year = {2010},
      url = {https://eprint.iacr.org/2010/559}
}