Re: [Cfrg] E-521 vs. numsp512t1

Mike Hamburg <mike@shiftleft.org> Thu, 23 October 2014 17:06 UTC

Message-ID: <5449359C.10105@shiftleft.org>
Date: Thu, 23 Oct 2014 10:06:36 -0700
From: Mike Hamburg <mike@shiftleft.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, David Leon Gil <coruus@gmail.com>
References: <20141022213447.20218.qmail@cr.yp.to> <CAA7UWsXmo_H4vYVzfPdjP3xzgyHvCcwvQfP==OZi1P5Wvn-Qvw@mail.gmail.com> <20141022234258.GA29823@LK-Perkele-VII>
In-Reply-To: <20141022234258.GA29823@LK-Perkele-VII>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Xgb2ra2bDtkkxXu3TcSIRyHWKXs
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [Cfrg] E-521 vs. numsp512t1


On 10/22/2014 04:42 PM, Ilari Liusvaara wrote:
> On Wed, Oct 22, 2014 at 07:19:44PM -0400, David Leon Gil wrote:
>> On Wed, Oct 22, 2014 at 5:34 PM, D. J. Bernstein <djb@cr.yp.to> wrote:
>>> Rob Granger and Mike Scott have posted a new paper "Faster ECC over
>>> \F_{2^521-1}" (https://eprint.iacr.org/2014/852) reporting ECC speeds
>>> mod 2^521-1, and in particular the first (as far as I know) serious
>>> implementation of E-521.
>> The implementation djb mentions is available on their website:
>>
>> http://indigo.ie/~mscott/{ed521,ws521}.cpp
>>
>
> Watch out (from ed521.cpp):
>
>
> void mul(int *w,ECp *P)
> {
> 	ECp W[33],Q;
> 	precomp(P,W);
>
> 	copy(&W[w[86]],P);
> 	for (int i=85;i>=0;i--)
> 	{
> 		if (w[i]>=0) copy(&W[w[i]],&Q);
> 		else         neg(&W[-w[i]],&Q);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 		window(&Q,P);
> 	}
> 	norm(P);
> }
>
>
> That does not look constant-time...
>
>
> -Ilari
>
Also, on curves at moderncrypto dot org, Samuel Neves is reporting (and 
I can confirm) that the performance numbers do not account for 
TurboBoost.  He measured a slower but still impressive ~884kcy.

That said, the Granger-Scott implementation does not take advantage of 
vectorization or assembly optimizations, even to the degree that 
Goldilocks does (asm wide multiply and accumulate, mostly there to 
constrain the scheduler and register allocator).  It would be 
interesting to check its performance with more optimization.

On a related note, one of the numbers I reported for Goldilocks (~480k 
Haswell cycles) also did not account for TurboBoost.  DJB's Titan0 
SUPERCOP measurement of 529kcy on Haswell is accurate.  It turns out 
that on Ubuntu at least (Linux 3.13.0-29), disabling HyperThreading 
re-enables TurboBoost, so be careful what order you do it in.

Cheers,
-- Mike
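The mul() excerpt Ilari quotes selects the table entry W[w[i]] and the sign branch from the secret digit, so the cache lines touched and the branch taken depend on the scalar. Below is an added example (not the Granger-Scott code, and not from the thread) showing that pattern beside a masked constant-time lookup; the toy_pt type over the prime 2^61-1, TOY_P, and the helper names are assumptions standing in for the real ECp and field arithmetic.

```c
#include <stdint.h>
/* Toy stand-in for ECp: a point (x, y) over 2^61-1. Assumed for illustration. */
#define TOY_P ((uint64_t)((1ULL << 61) - 1))
#define TABLE_SIZE 33                  /* matches ECp W[33] in the excerpt */
typedef struct { uint64_t x, y; } toy_pt;
/* all-ones if a == b, else zero; computed without a data-dependent branch */
static uint64_t ct_mask_eq(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;                /* d | -d has its top bit set iff d != 0 */
    return (uint64_t)0 - (((d | ((uint64_t)0 - d)) >> 63) ^ 1);
}
/* Edwards negation is (x, y) -> (-x, y); keep the result in [0, p). */
static uint64_t toy_neg_x(uint64_t x)
{
    uint64_t nx = TOY_P - x;           /* equals p when x == 0 */
    return nx - (TOY_P & ct_mask_eq(nx, TOY_P));
}
/* The flagged pattern: the secret digit w picks the index and the branch. */
static toy_pt lookup_variable_time(const toy_pt *W, int w)
{
    toy_pt Q = W[w >= 0 ? w : -w];     /* secret-dependent memory address */
    if (w < 0) Q.x = toy_neg_x(Q.x);   /* secret-dependent branch */
    return Q;
}
/* Hardened form: read every entry, keep the wanted one under a mask, apply the sign under a mask. */
static toy_pt lookup_constant_time(const toy_pt *W, int w)
{
    uint64_t neg = (uint64_t)0 - (uint64_t)((uint32_t)w >> 31);          /* all ones iff w < 0 */
    uint64_t mag = (uint64_t)(((int64_t)w ^ (int64_t)neg) - (int64_t)neg); /* |w| */
    toy_pt Q = {0, 0};
    for (int i = 0; i < TABLE_SIZE; i++) {
        uint64_t m = ct_mask_eq((uint64_t)i, mag);
        Q.x |= W[i].x & m;
        Q.y |= W[i].y & m;
    }
    uint64_t nx = toy_neg_x(Q.x);
    Q.x = (Q.x & ~neg) | (nx & neg);
    return Q;
}
/* Constructed table; returns 1 if both lookups agree for every digit in [-32, 32]. */
static int lookups_agree(void)
{
    toy_pt W[TABLE_SIZE];
    for (int i = 0; i < TABLE_SIZE; i++) { W[i].x = 7 * i; W[i].y = 11 * i; }
    for (int w = 1 - TABLE_SIZE; w < TABLE_SIZE; w++) {
        toy_pt a = lookup_variable_time(W, w), b = lookup_constant_time(W, w);
        if (a.x != b.x || a.y != b.y) return 0;
    }
    return 1;
}
```

The masked version costs 33 reads per digit instead of one, which is the usual price of removing the secret-indexed access; the real implementation would apply the same masking to the full ECp coordinates.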