[curves] Comparing high-speed / high-security curve implementations
hyperelliptic at gmail.com
Wed Apr 23 12:59:03 PDT 2014
2014-04-23 14:06 GMT+02:00 Diego Aranha <dfaranha at gmail.com>:
> This is probably too "researchy" and not ready for prime time, but we
> recently implemented a GLS binary curve over GF(2^254)  with the
> following results for constant-time variable-base scalar multiplication:
Maybe in the same vein, I helped with the theoretical part of an
implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
Craig Costello did all the hard work). It's a Montgomery curve
(x-coordinate only) with an efficient endomorphism, aiming at roughly
Ivy Bridge: 148K.
(That's for the uniform & constant-time version; there are results for
a few other addition chains in the paper.)
You know we all became mathematicians for the same reason: we were lazy.
More information about the Curves