[curves] Comparing high-speed / high-security curve implementations

Ben Smith hyperelliptic at gmail.com
Wed Apr 23 12:59:03 PDT 2014

Hi All,

2014-04-23 14:06 GMT+02:00 Diego Aranha <dfaranha at gmail.com>:
> This is probably too "researchy" and not ready for prime time, but we
> recently implemented a GLS binary curve over GF(2^254) [1]  with the
> following results for constant-time variable-base scalar multiplication:

Maybe in the same vein, I helped with the theoretical part of an
implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
Craig Costello did all the hard work).  It's a Montgomery curve
(x-coordinate only) with an efficient endomorphism, aiming at roughly
128-bit security.

Ivy Bridge: 148K.
(That's for the uniform & constant-time version; there are results for
a few other addition chains in the paper.)

[1] http://eprint.iacr.org/2013/692
[2] http://research.microsoft.com/en-us/downloads/ef32422a-af38-4c83-a033-a7aafbc1db55/
[3] hhisil.yasar.edu.tr/files/hisil20140318compact.tar.gz


You know we all became mathematicians for the same reason: we were lazy.
  --Max Rosenlicht

More information about the Curves mailing list