Towards Faster and Greener Cryptoprocessor for Eta Pairing on Supersingular Elliptic Curve over $\mathbb{F}_{2^{1223}}$

For the first time ever, the FPGA based cryptoprocessor presented in [12] makes it possible to compute an eta pairing at the 128-bit security level in less than one millisecond. The high performance of their cryptoprocessor comes largely from the use of the Karatsuba method for field multiplication. In this article, for the same type of pairing we propose hybrid sequential/parallel multipliers based on the Toeplitz matrix-vector products and present some optimizations for the final exponentiation, resulting in high performance cryptoprocessors. On the same kind of FPGA devices, our cryptoprocessor performs pairing faster than that of [12] while requiring less hardware resources. We also present ASIC implementations and report that the three-way split multiplier based cryptoprocessor consumes less energy than the two-way. Moreover, by taking advantage of the area efficiency of the Toeplitz matrix-vector product approach, we are able to deploy additional hardware to concurrently perform two multiplications with one common input, completing a pairing operation in less than 88 μs and 48 μs (i.e., about 11K and 21K pairing operations per second) in FPGA and ASIC, respectively.