[curves] Comparing high-speed / high-security curve implementations
Trevor Perrin
trevp at trevp.net
Wed Apr 23 13:05:12 PDT 2014
On Wed, Apr 23, 2014 at 12:59 PM, Ben Smith <hyperelliptic at gmail.com> wrote:
> Hi All,
>
> 2014-04-23 14:06 GMT+02:00 Diego Aranha <dfaranha at gmail.com>:
>> This is probably too "researchy" and not ready for prime time, but we
>> recently implemented a GLS binary curve over GF(2^254) [1] with the
>> following results for constant-time variable-base scalar multiplication:
>
> Maybe in the same vein, I helped with the theoretical part of an
> implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
> Craig Costello did all the hard work). It's a Montgomery curve
> (x-coordinate only) with an efficient endomorphism, aiming at roughly
> 128-bit security.
>
> Ivy Bridge: 148K.

Thanks, do you have Sandy Bridge or Haswell numbers, since that's what
I have for others?

Also, I mistyped the DJB-Kummer Haswell cycles, corrected figures
below. I should probably just put this at a URL soon...

Sandy Bridge:
[1] Intel P-256, 374K (1)
[2] Curve25519, 194K (0.54)
[3] Microsoft ed-382-mont, 590K (0.56)
[4,5] Goldilocks-448, 688K (0.43)
[6] Snowshoe-256, 132K (0.35)
[7] Oliveira-256, 116K (0.31)
[8] DJB-Kummer-256, 91.5K (0.24)

Haswell:
[1] Intel P-256, 291K (1)
[2] Curve25519, 162K (0.58)
[4,5] Goldilocks-448, 571K (0.46)
[7] Oliveira-256, 60K (0.21)
[8] DJB-Kummer-256, 72K (0.25)

Trevor

[1] http://eprint.iacr.org/2013/816.pdf
[2] https://eprint.iacr.org/2014/134.pdf
[3] http://research.microsoft.com/pubs/209303/curves.pdf
[4] https://moderncrypto.org/mail-archive/curves/2014/000064.html
[5] https://moderncrypto.org/mail-archive/curves/2014/000101.html
[6] https://github.com/catid/snowshoe
[7] http://eprint.iacr.org/2013/131.pdf
[8] http://cr.yp.to/hecdh/kummer-20140218.pdf