[curves] Comparing high-speed / high-security curve implementations
dfaranha at gmail.com
Wed Apr 23 05:06:56 PDT 2014
This is probably too "researchy" and not ready for prime time, but we
recently implemented a GLS binary curve over GF(2^254) with the
following results for constant-time variable-base scalar multiplication:
Sandy Bridge: 115K
Code was submitted to SUPERCOP and remains available at , but it's not
very readable at this time (multiple hands and lots of macros). I'm
currently porting it to RELIC. An implementation over curve K283 is coming
in a month or so, since Haswell has better support for binary fields than
prime fields, for the first time ever!
Diego de Freitas Aranha
Institute of Computing - University of Campinas
On Tue, Apr 22, 2014 at 8:32 PM, Trevor Perrin <trevp at trevp.net> wrote:
> I'm trying to understand the time/security ratio for modern ECDH
> Some cycle-counts are below, for the best ECDH implementations I'm
> aware of. The numbers are for const-time variable-base scalar mult
> (the main component of ECDH) on two recent Intel microarchitectures.
> I've also provided a "normalized" time/security ratio in parentheses,
> which assumes that cycle-counts "should" scale as (security_level)^2.6
> due to Karatsuba, and sets "1" to the time/security ratio of Intel's
> recent P-256 implementation (smaller numbers are better).
> For curves with security level > 128, the best implementations I'm
> aware of are from Microsoft (, though code isn't available?) and
> Mike Hamburg [4,5]. I've listed the best-performing of Microsoft's
> several curves. Mike's curve appears to be the fastest, for its
> security level.
> Is there anything I'm missing that's competitive? Anything coming soon?
> Sandy Bridge:
>  Intel P-256, 374K (1)
>  Curve25519, 194K (0.54)
>  Microsoft ed-382-mont, 590K (0.56)
> [4,5] Goldilocks-448, 688K (0.43)
>  Intel P-256, 291K (1)
>  Curve25519, 162K (0.58)
> [4,5] Goldilocks-448, 571K (0.46)
>  http://eprint.iacr.org/2013/816.pdf
>  https://eprint.iacr.org/2014/134.pdf
>  http://research.microsoft.com/pubs/209303/curves.pdf
>  https://moderncrypto.org/mail-archive/curves/2014/000064.html
>  https://moderncrypto.org/mail-archive/curves/2014/000101.html
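The normalization Trevor describes (cycle counts assumed to scale as security_level^2.6, with Intel's P-256 on the same microarchitecture set to 1) can be reproduced from the cycle counts in the quoted table. The script below is an added example written for this archive page, not code from either poster; the security levels it assigns to each curve (126 bits for Curve25519, 190 for ed-382-mont, 224 for Goldilocks-448) are assumptions of the example, chosen as roughly half the group-order size, and are not stated in the thread.

```python
import math

# Normalization model from the thread: cycle counts are assumed to scale as
# (security_level)^2.6 (the Karatsuba exponent), and the ratio is set to 1
# for Intel's P-256 on the same microarchitecture. Smaller numbers are better.
KARATSUBA_EXPONENT = 2.6

# Reference implementation per microarchitecture: (cycles, security bits).
# Cycle counts are the P-256 figures quoted in the thread.
REFERENCE = {
    "Sandy Bridge": (374_000, 128),
    "Haswell": (291_000, 128),
}

# Cycle counts quoted in the thread. The security levels are assumptions of
# this example (roughly half the group order in bits), not figures from the post.
MEASUREMENTS = {
    "Sandy Bridge": [
        ("Intel P-256", 374_000, 128),
        ("Curve25519", 194_000, 126),
        ("Microsoft ed-382-mont", 590_000, 190),
        ("Goldilocks-448", 688_000, 224),
    ],
    "Haswell": [
        ("Intel P-256", 291_000, 128),
        ("Curve25519", 162_000, 126),
        ("Goldilocks-448", 571_000, 224),
    ],
}


def normalized_ratio(cycles, sec_bits, ref_cycles, ref_bits,
                     exponent=KARATSUBA_EXPONENT):
    """Time/security ratio of one curve relative to a reference curve.

    cycles / sec_bits**exponent is the cost per unit of "expected" work under
    the scaling model; dividing by the same quantity for the reference makes
    the reference score exactly 1.0.
    """
    if min(cycles, sec_bits, ref_cycles, ref_bits) <= 0:
        raise ValueError("cycle counts and security levels must be positive")
    raw = cycles / sec_bits ** exponent
    ref_raw = ref_cycles / ref_bits ** exponent
    return raw / ref_raw


def normalize_table(measurements=MEASUREMENTS, reference=REFERENCE):
    """Return {microarch: {curve: ratio rounded to 2 places}}."""
    out = {}
    for arch, rows in measurements.items():
        ref_cycles, ref_bits = reference[arch]
        out[arch] = {
            name: round(normalized_ratio(cycles, bits, ref_cycles, ref_bits), 2)
            for name, cycles, bits in rows
        }
    return out


def break_even_cycles(sec_bits, ref_cycles, ref_bits, exponent=KARATSUBA_EXPONENT):
    """Cycle count at which a curve at sec_bits would score exactly 1.0,
    i.e. the budget the model grants for being 'as good as' the reference."""
    return ref_cycles * (sec_bits / ref_bits) ** exponent


if __name__ == "__main__":
    for arch, table in normalize_table().items():
        print(arch)
        for name, ratio in table.items():
            print(f"  {name:24s} {ratio:.2f}")
    budget = break_even_cycles(224, *REFERENCE["Sandy Bridge"])
    print(f"A 224-bit curve breaks even on Sandy Bridge at about {budget/1000:.0f}K cycles")
```

With the assumed security levels the script reproduces every parenthesised figure in the quoted table, which is a useful sanity check on both the model and the assumptions: change the exponent or a security level and the rankings move, so any comparison built on this ratio should state both explicitly.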