[curves] Comparing high-speed / high-security curve implementations

Trevor Perrin trevp at trevp.net
Wed Apr 23 13:05:12 PDT 2014


On Wed, Apr 23, 2014 at 12:59 PM, Ben Smith <hyperelliptic at gmail.com> wrote:
> Hi All,
>
> 2014-04-23 14:06 GMT+02:00 Diego Aranha <dfaranha at gmail.com>:
>> This is probably too "researchy" and not ready for prime time, but we
>> recently implemented a GLS binary curve over GF(2^254) [1] with the
>> following results for constant-time variable-base scalar multiplication:
>
> Maybe in the same vein, I helped with the theoretical part of an
> implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
> Craig Costello did all the hard work).  It's a Montgomery curve
> (x-coordinate only) with an efficient endomorphism, aiming at roughly
> 128-bit security.
>
> Ivy Bridge: 148K.

Thanks, do you have Sandy Bridge or Haswell numbers, since that's what
I have for others?

Also, I mistyped the DJB-Kummer Haswell cycles, corrected figures
below.  I should probably just put this at a URL soon...

Sandy Bridge:

[1] Intel P-256, 374K (1)

[2] Curve25519, 194K (0.54)

[3] Microsoft ed-382-mont, 590K (0.56)

[4,5] Goldilocks-448, 688K (0.43)

[6] Snowshoe-256, 132K (0.35)

[7] Oliveira-256, 116K (0.31)

[8] DJB-Kummer-256, 91.5K (0.24)


Haswell:

[1] Intel P-256, 291K (1)

[2] Curve25519, 162K (0.58)

[4,5] Goldilocks-448, 571K (0.46)

[7] Oliveira-256, 60K (0.21)

[8] DJB-Kummer-256, 72K (0.25)


Trevor


[1] http://eprint.iacr.org/2013/816.pdf
[2] https://eprint.iacr.org/2014/134.pdf
[3] http://research.microsoft.com/pubs/209303/curves.pdf
[4] https://moderncrypto.org/mail-archive/curves/2014/000064.html
[5] https://moderncrypto.org/mail-archive/curves/2014/000101.html
[6] https://github.com/catid/snowshoe
[7] http://eprint.iacr.org/2013/131.pdf
[8] http://cr.yp.to/hecdh/kummer-20140218.pdf