[curves] Comparing high-speed / high-security curve implementations
Trevor Perrin
trevp at trevp.net
Wed Apr 23 12:48:15 PDT 2014
Thanks Diego, CodesInChaos,
I've added those (and the DJB Kummer work) to my table.
I'm not sure I'm comparing apples-to-apples anymore (GLS curves?
"Lainey" curves (snowshoe)? Kummer surfaces?) The speed of these
things is impressive, but are there downsides?
I was mainly interested in "extra-strength" curves like
Goldilocks-448, E-521, and Curve41417, since I assumed the non-NIST,
128-bit security level was pretty much won for Curve25519/Ed25519.
But maybe things are more interesting at 128-bits than I thought?
Sandy Bridge:
[1] Intel P-256, 374K (1)
[2] Curve25519, 194K (0.54)
[3] Microsoft ed-382-mont, 590K (0.56)
[4,5] Goldilocks-448, 688K (0.43)
[6] Snowshoe-256, 132K (0.35)
[7] Oliviera-256, 116K (0.31)
[8] DJB-Kummer-256, 91.5K (0.24)
Haswell:
[1] Intel P-256, 291K (1)
[2] Curve25519, 162K (0.58)
[4,5] Goldilocks-448, 571K (0.46)
[7] Oliviera-256, 60K (0.21)
[8] DJB-Kummer-256, 91K (0.31)
Trevor
[1] http://eprint.iacr.org/2013/816.pdf
[2] https://eprint.iacr.org/2014/134.pdf
[3] http://research.microsoft.com/pubs/209303/curves.pdf
[4] https://moderncrypto.org/mail-archive/curves/2014/000064.html
[5] https://moderncrypto.org/mail-archive/curves/2014/000101.html
[6] https://github.com/catid/snowshoe
[7] http://eprint.iacr.org/2013/131.pdf
[8] http://cr.yp.to/hecdh/kummer-20140218.pdf
More information about the Curves
mailing list