Trevor Perrin writes:
> What do people think?

The critical statement is "59,000" Haswell cycles for FourQ, compared to 60556 Haswell cycles (reported by eBATS) for Kummer.

What's amusing about this is that Haswell is the only platform where we didn't bother writing an asm implementation for Kummer---this is a very simple C implementation with intrinsics. Anyone want to bet on what the results of an asm implementation will be?

> Without using the endomorphisms the performance is better than 25519

Somewhat faster than 25519, but much slower _and_ less conservative than Kummer. If the endomorphisms aren't used then the rankings are clearly

   fast: Kummer, then FourQ, then 25519
   conservative: 25519, then Kummer, then FourQ

so FourQ isn't Pareto-optimal. Being able to use the endomorphisms to save time is the only thing that makes FourQ potentially interesting, but it's also exactly the part covered by the GLV patents.

---Dan

_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves
