Re: [Cfrg] Comparing ECC curves
Mike Hamburg <mike@shiftleft.org> Thu, 24 July 2014 16:53 UTC
Message-ID: <53D139EF.1020002@shiftleft.org>
Date: Thu, 24 Jul 2014 09:53:03 -0700
From: Mike Hamburg <mike@shiftleft.org>
To: Phillip Hallam-Baker <phill@hallambaker.com>, David Jacobson <dmjacobson@sbcglobal.net>
References: <CAMm+Lwj9EPJ9v92xrkM1ceAbkWYe22fpOOBObUbUJjkk8X0dng@mail.gmail.com> <bf68fd7300e14fb58330b094f4795f30@BY2PR03MB474.namprd03.prod.outlook.com> <53D117AD.8060506@sbcglobal.net> <CAMm+LwiJbkr3z5DxDtVMqjrzt0bz=5+4MRkwBMSScoLh_K=k0Q@mail.gmail.com>
In-Reply-To: <CAMm+LwiJbkr3z5DxDtVMqjrzt0bz=5+4MRkwBMSScoLh_K=k0Q@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/EKuUNTog97m1gYnRn8TC26x9Ns8
Cc: "Cfrg@irtf.org" <Cfrg@irtf.org>
Subject: Re: [Cfrg] Comparing ECC curves
On 7/24/2014 8:11 AM, Phillip Hallam-Baker wrote:
> E-521 seems to have been chosen as the fastest prime giving a work
> factor of at least 2^256. If someone finds a prime that gives a work
> factor of 2^240 and is 30% faster, I would have to think about which I
> preferred.

It may interest you to know that the prime 2^480 - 2^240 - 1 is about 40% faster than 2^512 - 569 on modern 64-bit Intel processors, meaning that each field operation takes about 60% of the time. For example, on Haswell a field multiply mod 2^480 - 2^240 - 1 costs about 121 cycles, and addition (with no reduce, because of reduced radix) takes fewer cycles than the pipeline (it's just two AVX2 add instructions).

I believe it is also about that much faster than 2^521 - 1 on Sandy Bridge, but only by 20% or so on Haswell due to an implementation of multiplication mod 2^521 - 1 using 3-way Karatsuba/Chung-Hasan with AVX2. It uses 9 limbs of 58 bits each organized as (Z[w]/(w^3-2))[t]/(t^3-w), and needs AVX2 for all the adding.

I don't know how the three primes stack up on ARM.

-- Mike
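Added example (editor's illustration, not code from this thread or from Mike Hamburg's implementation): why a prime of the shape 2^480 - 2^240 - 1 gives cheap field multiplication. Writing PHI = 2^240, the prime is PHI^2 - PHI - 1, so PHI^2 ≡ PHI + 1 (mod p); a 480-bit product then needs only three 240-bit multiplications (the Karatsuba cross term comes for free) and is reduced with shifts and adds rather than a general division. The same shape is used by Ed448's 2^448 - 2^224 - 1. A Mersenne-style fold for E-521's 2^521 - 1 is included for comparison. Limb counts, fold counts and the bound analysis in the comments are the editor's; they are not taken from the message.

```python
# Editor's added example: reduction tricks for the special-form primes
# discussed in the message.  Python big integers are used so the algebra is
# visible; a real implementation would use fixed-width limbs and
# constant-time (mask-based) conditional subtraction.

PHI = 2**240                 # half-width base; PHI^2 == PHI + 1 (mod P)
P = PHI**2 - PHI - 1         # 2^480 - 2^240 - 1, the prime from the message
MASK = PHI - 1               # low 240 bits

P521 = 2**521 - 1            # the E-521 (Mersenne) prime
M521 = P521                  # low 521 bits mask (all ones)


def fold(c0: int, c1: int) -> tuple[int, int]:
    """One carry/reduce pass on c = c0 + c1*PHI with oversized limbs.

    Split each limb at bit 240 and use PHI^2 == PHI + 1:
      c = c0_lo + (c0_hi + c1_lo)*PHI + c1_hi*PHI^2
        == (c0_lo + c1_hi) + (c0_hi + c1_lo + c1_hi)*PHI   (mod P)
    Each pass shrinks the limbs by roughly 240 bits of excess.
    """
    c0_lo, c0_hi = c0 & MASK, c0 >> 240
    c1_lo, c1_hi = c1 & MASK, c1 >> 240
    return c0_lo + c1_hi, c0_hi + c1_lo + c1_hi


def mul_mod_p(a: int, b: int) -> int:
    """a*b mod P using three 240-bit multiplies ("Karatsuba for free")."""
    assert 0 <= a < P and 0 <= b < P
    a0, a1 = a & MASK, a >> 240          # a = a0 + a1*PHI, each < 2^240
    b0, b1 = b & MASK, b >> 240
    z0 = a0 * b0
    z2 = a1 * b1
    z1 = (a0 + a1) * (b0 + b1) - z0      # = a0*b1 + a1*b0 + a1*b1
    # a*b = z0 + (a0*b1 + a1*b0)*PHI + z2*PHI^2
    #     == (z0 + z2) + (a0*b1 + a1*b0 + z2)*PHI  == (z0 + z2) + z1*PHI
    c0, c1 = z0 + z2, z1                 # c0 < 2^481, c1 < 2^482
    c0, c1 = fold(c0, c1)                # both limbs now < 2^243
    c0, c1 = fold(c0, c1)                # both limbs now < 2^240 + 16
    c = c0 + c1 * PHI                    # c < P + 2^245 < 2*P
    if c >= P:                           # so one conditional subtract suffices
        c -= P
    return c


def reduce_mersenne521(x: int) -> int:
    """x mod (2^521 - 1) for 0 <= x < 2^1042, using 2^521 == 1 (mod P521)."""
    assert 0 <= x < 2**1042
    t = (x & M521) + (x >> 521)          # fold the high half down: t < 2^522
    t = (t & M521) + (t >> 521)          # fold the 1-bit carry: t < 2^521 + 1
    if t >= P521:                        # at most one subtraction needed
        t -= P521
    return t


if __name__ == "__main__":
    # Constructed sanity check against Python's built-in modulo.
    a, b = 3**300 % P, 7**200 % P
    print(mul_mod_p(a, b) == (a * b) % P)
    print(reduce_mersenne521((P521 - 1) ** 2) == 1)
```

The point of the two `fold` passes is that the cost is a handful of shifts and additions regardless of operand size, which is what makes the per-multiply cycle counts in the message plausible; the Mersenne case needs even less because 2^521 folds straight onto 1 with no cross term.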