[curves] Comparing high-speed / high-security curve implementations

Trevor Perrin trevp at trevp.net
Wed Apr 23 12:48:15 PDT 2014


Thanks Diego, CodesInChaos,

I've added those (and the DJB Kummer work) to my table.

I'm not sure I'm comparing apples-to-apples anymore (GLS curves?
"Lainey" curves (snowshoe)? Kummer surfaces?)  The speed of these
things is impressive, but are there downsides?

I was mainly interested in "extra-strength" curves like
Goldilocks-448, E-521, and Curve41417, since I assumed the non-NIST,
128-bit security level was pretty much won for Curve25519/Ed25519.
But maybe things are more interesting at 128 bits than I thought?


Sandy Bridge:

[1] Intel P-256, 374K (1)

[2] Curve25519, 194K (0.54)

[3] Microsoft ed-382-mont, 590K (0.56)

[4,5] Goldilocks-448, 688K (0.43)

[6] Snowshoe-256, 132K (0.35)

[7] Oliveira-256, 116K (0.31)

[8] DJB-Kummer-256, 91.5K (0.24)


Haswell:

[1] Intel P-256, 291K (1)

[2] Curve25519, 162K (0.58)

[4,5] Goldilocks-448, 571K (0.46)

[7] Oliveira-256, 60K (0.21)

[8] DJB-Kummer-256, 91K (0.31)


Trevor


[1] http://eprint.iacr.org/2013/816.pdf
[2] https://eprint.iacr.org/2014/134.pdf
[3] http://research.microsoft.com/pubs/209303/curves.pdf
[4] https://moderncrypto.org/mail-archive/curves/2014/000064.html
[5] https://moderncrypto.org/mail-archive/curves/2014/000101.html
[6] https://github.com/catid/snowshoe
[7] http://eprint.iacr.org/2013/131.pdf
[8] http://cr.yp.to/hecdh/kummer-20140218.pdf

