[curves] Comparing high-speed / high-security curve	implementations
    Ben Smith 
    hyperelliptic at gmail.com
       
    Wed Apr 23 12:59:03 PDT 2014
    
    
  
Hi All,
2014-04-23 14:06 GMT+02:00 Diego Aranha <dfaranha at gmail.com>:
> This is probably too "researchy" and not ready for prime time, but we
> recently implemented a GLS binary curve over GF(2^254) [1]  with the
> following results for constant-time variable-base scalar multiplication:
Maybe in the same vein, I helped with the theoretical part of an
implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
Craig Costello did all the hard work).  It's a Montgomery curve
(x-coordinate only) with an efficient endomorphism, aiming at roughly
128-bit security.
Ivy Bridge: 148K.
(That's for the uniform & constant-time version; there are results for
a few other addition chains in the paper.)
[1] http://eprint.iacr.org/2013/692
[2] http://research.microsoft.com/en-us/downloads/ef32422a-af38-4c83-a033-a7aafbc1db55/
[3] hhisil.yasar.edu.tr/files/hisil20140318compact.tar.gz
ben
-- 
You know we all became mathematicians for the same reason: we were lazy.
  --Max Rosenlicht
    
    
More information about the Curves
mailing list