[curves] Balancing reduced-radix and full-radix performance for extra-strength primes
Mike Hamburg
mike at shiftleft.org
Mon Jan 19 21:12:40 PST 2015
On 01/19/2015 08:58 PM, Trevor Perrin wrote:
> On Mon, Jan 19, 2015 at 6:24 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>> On their “comparison” slide did they mention that the Ed448-Goldilocks and E-521 impls both use point compression, and therefore have a 10% penalty vs their Ted37919 numbers? It seems a little dishonest if they didn’t.
> I don't recall that being mentioned. He probably assumed it was just
> timing an x-coordinate Montgomery ladder, and didn't expect your
> special point format.
>
> (Maybe you should submit just an x-coordinate ladder to SUPERCOP. I'd
> like to see the numbers without decompression, this is inaccurate in
> my spreadsheet too.)
>
> Trevor
Hmm, I guess I'm overtired today.
Yeah, my code is pretty close to being just an x-coordinate ladder.
Within 1% anyway. So the penalty it pays is more like 6%. I was
thinking that if their code also did decompression, it would be 10%
slower, but if they're using compressed points then the Montgomery
ladder is a better choice.
-- Mike
More information about the Curves
mailing list