International Workshop on Security (IWSEC 2007); 20071029-31; Nara (JP)

Reduction Optimal Trinomials for Efficient Software Implementation of the η_T Pairing


Abstract

The η_T pairing on supersingular elliptic curves over GF(3^m) has attracted attention because of its computational efficiency. Since most of the computation of the η_T pairing consists of multiplications over GF(3^m), it is important to improve the speed of multiplication when implementing the η_T pairing. In this paper we consider software implementation of multiplication over GF(3^m) and propose to use irreducible trinomials x^m + ax^k + b over GF(3) such that w, the bit length of a word of the targeted CPU, divides k. We call these trinomials "reduction optimal trinomials (ROTs)". ROTs actually exist for several values of m and the typical values w = 16 and 32. We list them for extension degrees m = 97, 167, 193 and 239. These values of m are derived from security considerations. Using a ROT, it is possible to implement a more efficient modulo operation (reduction) in multiplication over GF(3^m) than with other types of trinomials (e.g., trinomials with minimum k for each m). The reason is that for reduction by a ROT, the number of shift operations on multiple-precision data is reduced to less than half of that for other trinomials. Implementation results show that a reduction algorithm specialized for ROTs is 20-30% faster on a 32-bit CPU and around 40% faster on a 16-bit CPU than an algorithm for irreducible trinomials with general k.