低开销三进制域Eta双线性对硬件加速器  

作　　者：李翔宇[1] LI Xiang-Yu(Beijing National Research Center for Information Science and Technology,Institute of Microelectronics,Tsinghua University,Beijing 100084,China)

机构地区：[1]清华大学微电子学研究所北京信息科学与技术国家研究中心,北京100084

出　　处：《密码学报》2021年第3期376-387,共12页Journal of Cryptologic Research

基　　金：国家核高基重大专项(2017ZX01030301)。

摘　　要：基于身份标识的加密(Identity-Based Encryption,IBE)在物联网领域有很高的潜在应用价值,双线性对运算是其中的关键运算.本文针对物联网需求设计了一种低开销的双线性对硬件加速器.它选择了低开销的超奇异椭圆曲线上的三进制域eta对.该设计将Miller算法与幂运算分为两个硬件部分,流水线执行,增加了电路的吞吐率.Miller算法硬件实现中通过将Miller循环中的GF(36m)上的稀疏乘法与立方结合并重新调度和优化,减少中间值相关的开销.优化后的方案,具有更简单的运算单元,减少了寄存器的使用和存储器的读写.核心模乘运算采用了最高位优先的字串行结构.考虑到电路的规模较大,控制较复杂,采用了微码控制的方式进行实现.本文选取定义在GF(3^(97))上的椭圆曲线上的eta对进行了ASIC实现,在90 nm工艺下,版图面积650×650µm^(2),计算时间为16.7µs,面积延时积比现有eta对ASIC实现减小了38.8%.Identity-based encryption(IBE)has a high value for the Internet-of-Things(IoT)ap-plications,in which bilinear pairing is a critical function.A low-cost bilinear pairing accelerator for IoT nodes is presented in this paper.The eta pairing in characteristic three over a super-singular elliptic curve is chosen.With the chosen elliptic curve,the Miller’s algorithm and the exponentiation are implemented separately and work in the pipeline manner,which increase the throughput of the accelerator.With respect to the Miller algorithm implementation,the cubing and the sparse multi-plications over GF(3^(6m))in the Miller’s algorithm are merged and their arithmetic are modified and scheduled to reduce the intermediate data related overhead.With these optimizations,the Miller’s loop is implemented by a structure that has simpler arithmetic units,fewer registers,and fewer mem-ory accesses compared with the conventional designs.The main modular multiplication adopts the control logic that the most-significant-element first(MSE).As the hardware has a large scale and the flow control is complex,the micro-code style controller is employed.The ASIC of the eta pairing of the elliptic curve over GF(3^(97))was implemented.In a 90 nm technology,its layout area is 650×650µm^(2) and its computation time is 16.7µs.The area-time product of the proposed design is decreased by 38.8%compared with the state-of-the-art ASIC accelerators.

关 键 词：基于身份标识的加密 双线性对 专用集成电路 eta对 

分 类 号：TN495[电子电信—微电子学与固体电子学]