Re: [Cfrg] ed448goldilocks vs. numsp384t1 and numsp512t1

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 20 October 2014 21:24 UTC

Date: Tue, 21 Oct 2014 00:24:41 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: cfrg@irtf.org
Message-ID: <20141020212441.GA23673@LK-Perkele-VII>
References: <ACC414D4-6651-42C7-B0EF-8E381EE9A0B9@shiftleft.org> <20141018203017.23023.qmail@cr.yp.to>
In-Reply-To: <20141018203017.23023.qmail@cr.yp.to>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/O_4GUOIi7UUKS5PqAgtHCU1mKp0

On Sat, Oct 18, 2014 at 08:30:17PM -0000, D. J. Bernstein wrote:
> Michael Hamburg writes:
> > I didn’t do this last time, which is (part of?) why the numbers from
> > my own benchmarks do not match DJB’s numbers; see below.
> 
> Numbers are now coming into eBATS (see http://bench.cr.yp.to) for Mike's
> fixed ed448goldilocks software, and confirm what Mike said about speed
> compared to Microsoft's claimed speed. Here's the updated comparison
> chart on Sandy Bridge, the microarchitecture selected by Microsoft for
> benchmarks in http://eprint.iacr.org/2014/130.pdf:
> 
>     617000 cycles claimed: numsp384t1 (ed-384-mers),    ~2^192 security.
>     666544 cycles measured on h6sandy: ed448goldilocks, ~2^224 security.
>    1293000 cycles claimed: numsp512t1 (ed-512-mers),    ~2^256 security.

IIRC, Mike has said that Ed448 software is not quite optimized as far
as it would go.

Also, these all are apples-to-apples comparisons (either all uncompressed
or all compressed), right?

> These DH ratios don't _perfectly_ predict ratios for other operations---
> the instruction mix changes, and speeds of other operations depend on
> choices of precomputed table size---but at this point it's unsurprising
> to see ed448goldilocks close to numsp384t1 for signature generation:
> 
>     231000 cycles claimed: numsp384t1 (ed-384-mers),    ~2^192 security.
>     234844 cycles measured on h6sandy: ed448goldilocks, ~2^224 security.
>     446000 cycles claimed: numsp512t1 (ed-512-mers),    ~2^256 security.
> 
> Also signature verification:
> 
>     624000 cycles claimed: numsp384t1 (ed-384-mers),    ~2^192 security.
>     729152 cycles measured on h6sandy: ed448goldilocks, ~2^224 security.
>    1320000 cycles claimed: numsp512t1 (ed-512-mers),    ~2^256 security.

Here Ed448 seems to be slightly slow for some reason.

I would have estimated (on very dubious grounds) ~680k.



-Ilari