[curves] Comparing high-speed / high-security curve implementations
trevp at trevp.net
Wed Apr 23 13:05:12 PDT 2014
On Wed, Apr 23, 2014 at 12:59 PM, Ben Smith <hyperelliptic at gmail.com> wrote:
> Hi All,
> 2014-04-23 14:06 GMT+02:00 Diego Aranha <dfaranha at gmail.com>:
>> This is probably too "researchy" and not ready for prime time, but we
>> recently implemented a GLS binary curve over GF(2^254)  with the
>> following results for constant-time variable-base scalar multiplication:
> Maybe in the same vein, I helped with the theoretical part of an
> implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
> Craig Costello did all the hard work). It's a Montgomery curve
> (x-coordinate only) with an efficient endomorphism, aiming at roughly
> 128-bit security.
> Ivy Bridge: 148K.
Thanks, do you have Sandy Bridge or Haswell numbers, since that's what
I have for others?
Also, I mistyped the DJB-Kummer Haswell cycles, corrected figures
below. I should probably just put this at a URL soon...
 Intel P-256, 374K (1)
 Curve25519, 194K (0.54)
 Microsoft ed-382-mont, 590K (0.56)
[4,5] Goldilocks-448, 688K (0.43)
 Snowshoe-256, 132K (0.35)
 Oliviera-256, 116K (0.31)
 DJB-Kummer-256, 91.5K (0.24)
 Intel P-256, 291K (1)
 Curve25519, 162K (0.58)
[4,5] Goldilocks-448, 571K (0.46)
 Oliviera-256, 60K (0.21)
 DJB-Kummer-256, 72K (0.25)
More information about the Curves