curve_efficiency
 Share
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
 
 
ABCDEFGHIJKLMNOPQRST
1
2
This analyzes the cycles-per-security efficiency of some conventional elliptic curves and some more exotic curves (GLS/GLV, Kummer surfaces, etc.)
3
The operation being compared is a constant-time implementation of variable-base scalar multiplication.
4
Numbers are cited for Intel's Sandy Bridge and Haswell microarchitectures (without Turbo Boost).
5
Efficiency scores are calculated by dividing the predicted cycles by the actual cycles for that security level.
6
The predicted cycle count is based on Gueron's reported P-256 as a baseline and the assumption that cycle counts should scale as security ratio^2.6 (due to Karatsuba).
7
Higher scores are better.
8
9
Conventional curves
10
11
Sandy Bridge
12
13
nameimplementationsecurity levelkcyclespredictedscorereferenceother URL
14
P-256Gueron, Krasnov128374374.001.00http://eprint.iacr.org/2013/816.pdf
15
w-256-mersBos, Costello, Longa, Naehrig128281374.001.33http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
16
w-384-mersBos, Costello, Longa, Naehrig1927441,073.271.44http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
17
w-512-mersBos, Costello, Longa, Naehrig25615432,267.511.47http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
18
ed-256-mersBos, Costello, Longa, Naehrig127234366.451.57http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
19
ed-384-mersBos, Costello, Longa, Naehrig1916171,058.801.72http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
20
ed-512-mersBos, Costello, Longa, Naehrig25512932,244.551.74http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
21
ed-254-montBos, Costello, Longa, Naehrig126196359.001.83http://patricklonga.webs.com/Presentation_CFRG_Selecting_Elliptic_Curves_for_Cryptography.pdfhttp://research.microsoft.com/pubs/209303/curves.pdf
22
Ted37919Bos, Costello, Longa, Naehrig1884941,016.102.06http://www.realworldcrypto.com/rwc2015/program-2/RWC-2015-Longa.pdf?attredirects=0
23
curve25519Tung Chou125.5157355.302.26https://eprint.iacr.org/2014/134.pdfhttp://cr.yp.to/ecdh.html
24
E-521Granger, Scott26010302,360.782.29https://moderncrypto.org/mail-archive/curves/2014/000310.htmlhttps://moderncrypto.org/mail-archive/curves/2014/000310.html* May not be constant time
25
goldilocksHamburg223666.51,583.872.38http://www.ietf.org/mail-archive/web/cfrg/current/msg05327.htmlhttp://ed448goldilocks.sourceforge.net/
26
27
28
Haswell
29
30
namesecurity levelkcyclespredictedscorereferenceother URL
31
P-256Gueron, Krasnov1282912911.00http://eprint.iacr.org/2013/816.pdf
32
P-384OpenSSL 1.0.21922269835.080.37personal results - unverified - "openssl speed" on 1.7 GHz Macbook Air, TurboBoost disabled
33
P-256OpenSSL 1.0.2 (Kasper, Langley, Laurie)128527291.000.55personal results - unverified - "openssl speed" on 1.7 GHz Macbook Air, TurboBoost disabled
34
P-224OpenSSL 1.0.2 (Kasper, Langley, Laurie)112254205.640.81personal results - unverified - "openssl speed" on 1.7 GHz Macbook Air, TurboBoost disabled
35
P-521OpenSSL 1.0.2 (Kasper, Langley, Laurie)260.517141,846.071.08personal results - unverified - "openssl speed" on 1.7 GHz Macbook Air, TurboBoost disabled
36
curve25519Tung Chou125.5156276.451.77https://moderncrypto.org/mail-archive/curves/2015/000637.html
37
Ted37919Bos, Costello, Longa, Naehrig188410790.601.93http://www.realworldcrypto.com/rwc2015/program-2/RWC-2015-Longa.pdf?attredirects=0
38
E-521Hamburg2608031,836.872.29https://moderncrypto.org/mail-archive/curves/2014/000318.html
39
goldilocksHamburg2235291,232.372.33http://www.ietf.org/mail-archive/web/cfrg/current/msg05359.htmlhttp://ed448goldilocks.sourceforge.net/
40
41
42
Exotic curves
43
44
Sandy Bridge
45
46
nameimplementationsecurity levelkcyclespredictedscorereferenceother URL
47
P-256Gueron, Krasnov1283743741.00http://eprint.iacr.org/2013/816.pdf
48
Costello, Hisil, Smith126154359.002.33https://moderncrypto.org/mail-archive/curves/2014/000132.htmlhttp://eprint.iacr.org/2013/692
49
snowshoe126132359.002.72https://github.com/catid/snowshoe
50
Oliveira, López, Aranha, Rodríguez-Henríquez127115366.453.19https://moderncrypto.org/mail-archive/curves/2014/000123.htmlhttp://eprint.iacr.org/2013/131.pdf
51
Bernstein, Chuengsatiansup, Lange, Schwabe12691.5359.003.92https://eprint.iacr.org/2014/134.pdf
52
FourQ122.571333.644.70http://eprint.iacr.org/2015/565.pdfhttp://research.microsoft.com/en-us/projects/fourqlib/
53
FourQ (without endomorphisms)122.5138333.642.42http://eprint.iacr.org/2015/565.pdfhttp://research.microsoft.com/en-us/projects/fourqlib/
54
55
Haswell
56
57
nameimplementationsecurity levelkcyclespredictedscorereferenceother URL
58
P-256Gueron, Krasnov1282912911.00http://eprint.iacr.org/2013/816.pdf
59
Costello, Hisil, Smith126139279.332.01https://moderncrypto.org/mail-archive/curves/2014/000132.htmlhttp://eprint.iacr.org/2013/692
60
Bernstein, Chuengsatiansup, Lange, Schwabe12672279.333.88https://eprint.iacr.org/2014/134.pdf
61
Oliveira, López, Aranha, Rodríguez-Henríquez12760285.134.75https://moderncrypto.org/mail-archive/curves/2014/000123.htmlhttp://eprint.iacr.org/2013/131.pdf
62
FourQ122.559259.604.40http://eprint.iacr.org/2015/565.pdfhttp://research.microsoft.com/en-us/projects/fourqlib/
63
FourQ (without endormorphisms)122.5109259.602.38http://eprint.iacr.org/2015/565.pdfhttp://research.microsoft.com/en-us/projects/fourqlib/
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
Loading...
Main menu