[curves] Comparing high-speed / high-security curve implementations

Michael Hamburg mike at shiftleft.org
Wed Apr 23 13:29:53 PDT 2014


On Apr 23, 2014, at 12:48 PM, Trevor Perrin <trevp at trevp.net> wrote:

> Thanks Diego, CodesInChaos,
> 
> I've added those (and the DJB Kummer work) to my table.
> 
> I'm not sure I'm comparing apples-to-apples anymore (GLS curves?
> "Lainey" curves (snowshoe)? Kummer surfaces?)  The speed of these
> things is impressive, but are there downsides?
> 
> I was mainly interested in "extra-strength" curves like
> Goldilocks-448, E-521, and Curve41417, since I assumed the non-NIST,
> 128-bit security level was pretty much won for Curve25519/Ed25519.
> But maybe things are more interesting at 128-bits than I thought?

There’s been a long stream of papers at the 120-something-ish-bit
security level.  Curve25519 / Ed25519 is the go-to because it’s been
around the longest, it has free high-quality source available for multiple
platforms, and it’s simple and conservatively designed, and it implements
a fairly complete set of operations.

Cheers,
— Mike


More information about the Curves mailing list