Reduction Optimal Trinomials for Efficient Software Implementation of the η_t Pairing

Journal: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

Abstract

The η_T pairing for supersingular elliptic curves over GF(3^m) has attracted attention because of its computational efficiency. Since most of the computation in the η_T pairing consists of GF(3^m) multiplications, improving the speed of multiplication is important when implementing the η_T pairing. In this paper we investigate software implementation of GF(3^m) multiplication and propose using irreducible trinomials x^m + ax^k + b over GF(3) such that k is a multiple of w, where w is the word length in bits of the target CPU. We call these trinomials "reduction optimal trinomials (ROTs)." ROTs actually exist for several values of m and for the typical values w = 16 and 32. We list them for extension degrees m = 97, 167, 193, 239, 317, and 487. These values of m are derived from security considerations. Using ROTs, we are able to implement more efficient modulo operations (reductions) for GF(3^m) multiplication than when other types of irreducible trinomials are used (e.g., trinomials with a minimum k for each m). The reason is that with ROTs the number of shift operations on multiple precision data is reduced to less than half compared with other trinomials. Our implementation results show that reduction programs specialized for ROTs are 20-30% faster on a 32-bit CPU and approximately 40% faster on a 16-bit CPU compared with programs using irreducible trinomials with general k.
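The ROT definition in the abstract can be checked by brute force. The following Python sketch is an added example, not code from the paper: it enumerates trinomials x^m + ax^k + b over GF(3) with k a multiple of w and keeps the irreducible ones, using Rabin's test specialised to prime m (all six degrees named in the abstract are prime). The function names are assumptions of this example.

```python
# Added example: brute-force search for reduction optimal trinomials (ROTs).
# Polynomials over GF(3) are coefficient lists, lowest degree first.
# Function names are this example's own; m is assumed prime.

def reduce_mod(c, m, k, a, b):
    """Reduce c modulo x^m + a*x^k + b, using x^m = -a*x^k - b."""
    c = list(c)
    for i in range(len(c) - 1, m - 1, -1):   # fold terms from the top down
        t = c[i]
        if t:
            c[i] = 0
            c[i - m + k] = (c[i - m + k] - a * t) % 3
            c[i - m] = (c[i - m] - b * t) % 3
    return c[:m]

def frobenius(c, m, k, a, b):
    """Cube c in GF(3)[x]/(f): in characteristic 3, c(x)^3 = c(x^3)."""
    out = [0] * (3 * m - 2)
    for i, t in enumerate(c):
        out[3 * i] = t
    return reduce_mod(out, m, k, a, b)

def is_irreducible(m, k, a, b):
    """Rabin's test for f = x^m + a*x^k + b over GF(3), m prime, 0 < k < m."""
    # A root in GF(3) means a linear factor.
    if any((pow(r, m, 3) + a * pow(r, k, 3) + b) % 3 == 0 for r in range(3)):
        return False
    # With no linear factor and m prime, f is irreducible iff x^(3^m) = x mod f.
    x = [0, 1] + [0] * (m - 2)
    y = x
    for _ in range(m):
        y = frobenius(y, m, k, a, b)
    return y == x

def find_rots(m, w):
    """All (k, a, b) with k a multiple of w giving an irreducible trinomial."""
    return [(k, a, b)
            for k in range(w, m, w)
            for a in (1, 2) for b in (1, 2)
            if is_irreducible(m, k, a, b)]

if __name__ == "__main__":
    for w in (16, 32):
        print(f"m=97, w={w}:", find_rots(97, w))
```

The search is quick for m = 97 but grows roughly with m^3 / w, so the larger degrees take noticeably longer in pure Python.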
