<div dir="ltr">Trevor,<div><br></div><div>GLS stands for Galbraith-Linn-Scott and the binary curves were initially studied at eprint 2008/334. This is the same technique used by Longa et al. in their 4-dimensional scalar decomposition.</div>
<div><br></div><div>These implementations run in constant time, but the curves have endomorphisms (like Koblitz curves) which make many researchers worried about their actual security in practice, due to the additional structure. An advantage is that generating curves for some of these families is intrinsically rigid (in the SafeCurves sense). SECG supported curves with endomorphisms (called "Koblitz prime curves" in the original document) and one of them became the standard for Bitcoin's ECDSA. AFAIK, no important speedup was ever found for the ECDLP with such parameters, and some authors claim that binary Koblitz curves are actually more resistant to some attacks (like approaches based on isogenies).</div>
<div><br></div><div>If you restrict the curves to an extremely conservative parameter choice, then Curve25519 seems to be the clear winner.</div><div><br></div><div>Best,</div><div class="gmail_extra"><div><div dir="ltr">
--<br>Diego de Freitas Aranha<br>Institute of Computing - University of Campinas<br><a href="http://www.ic.unicamp.br/~dfaranha" target="_blank">http://www.ic.unicamp.br/~dfaranha</a></div></div>
<br><br><div class="gmail_quote">On Wed, Apr 23, 2014 at 4:48 PM, Trevor Perrin <span dir="ltr"><<a href="mailto:trevp@trevp.net" target="_blank">trevp@trevp.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks Diego, CodesInChaos,<br>
<br>
I've added those (and the DJB Kummer work) to my table.<br>
<br>
I'm not sure I'm comparing apples-to-apples anymore (GLS curves?<br>
"Lainey" curves (snowshoe)? Kummer surfaces?) The speed of these<br>
things is impressive, but are there downsides?<br>
<br>
I was mainly interested in "extra-strength" curves like<br>
Goldilocks-448, E-521, and Curve41417, since I assumed the non-NIST,<br>
128-bit security level was pretty much won for Curve25519/Ed25519.<br>
But maybe things are more interesting at 128-bits than I thought?<br>
<div class=""><br>
<br>
Sandy Bridge:<br>
<br>
[1] Intel P-256, 374K (1)<br>
<br>
[2] Curve25519, 194K (0.54)<br>
<br>
[3] Microsoft ed-382-mont, 590K (0.56)<br>
<br>
[4,5] Goldilocks-448, 688K (0.43)<br>
<br>
</div>[6] Snowshoe-256, 132K (0.35)<br>
<br>
[7] Oliviera-256, 116K (0.31)<br>
<br>
[8] DJB-Kummer-256, 91.5K (0.24)<br>
<div class=""><br>
<br>
Haswell:<br>
<br>
[1] Intel P-256, 291K (1)<br>
<br>
[2] Curve25519, 162K (0.58)<br>
<br>
[4,5] Goldilocks-448, 571K (0.46)<br>
<br>
</div>[7] Oliviera-256, 60K (0.21)<br>
<br>
[8] DJB-Kummer-256, 91K (0.31)<br>
<div class=""><br>
<br>
Trevor<br>
<br>
<br>
[1] <a href="http://eprint.iacr.org/2013/816.pdf" target="_blank">http://eprint.iacr.org/2013/816.pdf</a><br>
[2] <a href="https://eprint.iacr.org/2014/134.pdf" target="_blank">https://eprint.iacr.org/2014/134.pdf</a><br>
[3] <a href="http://research.microsoft.com/pubs/209303/curves.pdf" target="_blank">http://research.microsoft.com/pubs/209303/curves.pdf</a><br>
[4] <a href="https://moderncrypto.org/mail-archive/curves/2014/000064.html" target="_blank">https://moderncrypto.org/mail-archive/curves/2014/000064.html</a><br>
[5] <a href="https://moderncrypto.org/mail-archive/curves/2014/000101.html" target="_blank">https://moderncrypto.org/mail-archive/curves/2014/000101.html</a><br>
</div>[6] <a href="https://github.com/catid/snowshoe" target="_blank">https://github.com/catid/snowshoe</a><br>
[7] <a href="http://eprint.iacr.org/2013/131.pdf" target="_blank">http://eprint.iacr.org/2013/131.pdf</a><br>
[8] <a href="http://cr.yp.to/hecdh/kummer-20140218.pdf" target="_blank">http://cr.yp.to/hecdh/kummer-20140218.pdf</a><br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Curves mailing list<br>
<a href="mailto:Curves@moderncrypto.org">Curves@moderncrypto.org</a><br>
<a href="https://moderncrypto.org/mailman/listinfo/curves" target="_blank">https://moderncrypto.org/mailman/listinfo/curves</a><br>
</div></div></blockquote></div><br></div></div>