On Wed, Apr 23, 2014 at 12:59 PM, Ben Smith <[email protected]> wrote:
> Hi All,
>
> 2014-04-23 14:06 GMT+02:00 Diego Aranha <[email protected]>:
>> This is probably too "researchy" and not ready for prime time, but we
>> recently implemented a GLS binary curve over GF(2^254) [1] with the
>> following results for constant-time variable-base scalar multiplication:
>
> Maybe in the same vein, I helped with the theoretical part of an
> implementation over GF(p^2) with p = 2^127 - 1 (Huseyin Hisil and
> Craig Costello did all the hard work). It's a Montgomery curve
> (x-coordinate only) with an efficient endomorphism, aiming at roughly
> 128-bit security.
>
> Ivy Bridge: 148K.

Thanks, do you have Sandy Bridge or Haswell numbers, since that's what I have for others?

Also, I mistyped the DJB-Kummer Haswell cycles, corrected figures below. I should probably just put this at a URL soon...

Sandy Bridge:
[1] Intel P-256, 374K (1)
[2] Curve25519, 194K (0.54)
[3] Microsoft ed-382-mont, 590K (0.56)
[4,5] Goldilocks-448, 688K (0.43)
[6] Snowshoe-256, 132K (0.35)
[7] Oliveira-256, 116K (0.31)
[8] DJB-Kummer-256, 91.5K (0.24)

Haswell:
[1] Intel P-256, 291K (1)
[2] Curve25519, 162K (0.58)
[4,5] Goldilocks-448, 571K (0.46)
[7] Oliveira-256, 60K (0.21)
[8] DJB-Kummer-256, 72K (0.25)

Trevor

[1] http://eprint.iacr.org/2013/816.pdf
[2] https://eprint.iacr.org/2014/134.pdf
[3] http://research.microsoft.com/pubs/209303/curves.pdf
[4] https://moderncrypto.org/mail-archive/curves/2014/000064.html
[5] https://moderncrypto.org/mail-archive/curves/2014/000101.html
[6] https://github.com/catid/snowshoe
[7] http://eprint.iacr.org/2013/131.pdf
[8] http://cr.yp.to/hecdh/kummer-20140218.pdf

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
