[curves] FourQ

D. J. Bernstein djb at cr.yp.to
Tue Sep 15 08:49:28 PDT 2015

Trevor Perrin writes:
> What do people think?

The critical statement is "59,000" Haswell cycles for FourQ, compared to
60556 Haswell cycles (reported by eBATS) for Kummer.

What's amusing about this is that Haswell is the only platform where we
didn't bother writing an asm implementation for Kummer---this is a very
simple C implementation with intrinsics. Anyone want to bet on what the
results of an asm implementation will be?

> Without using the endomorphisms the performance is better than 25519

Somewhat faster than 25519, but much slower _and_ less conservative than
Kummer. If the endomorphisms aren't used then the rankings are clearly

   fast:         Kummer, then FourQ, then 25519
   conservative: 25519, then Kummer, then FourQ

so FourQ isn't Pareto-optimal. Being able to use the endomorphisms to
save time is the only thing that makes FourQ potentially interesting,
but it's also exactly the part covered by the GLV patents.
