[curves] FourQ
Michael Hamburg
mike at shiftleft.org
Tue Sep 15 10:13:33 PDT 2015
> On Sep 15, 2015, at 5:49 PM, D. J. Bernstein <djb at cr.yp.to> wrote:
>
> Trevor Perrin writes:
>> What do people think?
>
> The critical statement is "59,000" Haswell cycles for FourQ, compared to
> 60556 Haswell cycles (reported by eBATS) for Kummer.
>
> What's amusing about this is that Haswell is the only platform where we
> didn't bother writing an asm implementation for Kummer---this is a very
> simple C implementation with intrinsics. Anyone want to bet on what the
> results of an asm implementation will be?
>
>> Without using the endomorphisms the performance is better than 25519
>
> Somewhat faster than 25519, but much slower _and_ less conservative than
> Kummer. If the endomorphisms aren't used then the rankings are clearly
>
> fast: Kummer, then FourQ, then 25519
> conservative: 25519, then Kummer, then FourQ
>
> so FourQ isn't Pareto-optimal. Being able to use the endomorphisms to
> save time is the only thing that makes FourQ potentially interesting,
> but it's also exactly the part covered by the GLV patents.
>
> —Dan
I agree that FourQ is not a conservative option.
But while patents chill the use of this work for the next few years,
FourQ does have the advantage over Kummer that it can be used for
signatures and other non-ECDH systems.
Also, it is an interesting curve whether or not it’s actually the absolute
fastest.
— Mike
More information about the Curves
mailing list