Kummer strikes back results

catid · Feb 18, 2014 · a96814a · a96814a
1 parent 16f705f
commit a96814a
Showing 1 changed file with 30 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -333,18 +333,6 @@ On i7-3520M Ivy Bridge, TB off, using SUPERCOP:
 - ecsimul_gen : (not implemented)
 - ecsimul : (not implemented)
 
-##### kumfp127g [http://eprint.iacr.org/2012/670.pdf](http://eprint.iacr.org/2012/670.pdf):
-
-- Availability : Free, open-source, but not portable (uncommented assembly only)
-- This code is also extremely complex and looks tricky to audit.
-
-On i7-3520M Ivy Bridge, TB off, using SUPERCOP:
-
-- ecmul_gen : (slower) `108kcy`
-- ecmul : (faster) `110kcy`
-- ecsimul_gen : (not implemented)
-- ecsimul : (not implemented)
-
 ##### Hamburg's implementation [http://mikehamburg.com/papers/fff/fff.pdf](http://mikehamburg.com/papers/fff/fff.pdf):
 
 - Availability : Not available online
@@ -374,6 +362,33 @@ On 3.4 GHz i7-3770 Ivy Bridge with TB off:
 - ecsimul_gen : (faster) `111kcy`
 - ecsimul : (not implemented)
 
+##### Kummer strikes back [http://cr.yp.to/hecdh/kummer-20140218.pdf](http://cr.yp.to/hecdh/kummer-20140218.pdf):
+
+- Availability : Equivalently free, open-source, and portable
+
+On Haswell:
+
+- ecmul_gen : (slower) `72kcy`
+- ecmul : (faster) `72kcy`
+- ecsimul_gen : (not implemented)
+- ecsimul : (not implemented)
+
+This looks like the most promising direction for future efficient EC-DH.  This
+will be a huge improvement on Snowshoe when it is more mature.
+
+##### kumfp127g [http://eprint.iacr.org/2012/670.pdf](http://eprint.iacr.org/2012/670.pdf):
+
+- WARNING: It was revealed in [20] that this code is not actually timing-invariant.
+- Availability : Free, open-source, but not portable (uncommented assembly only)
+- This code is also extremely complex and looks tricky to audit.
+
+On i7-3520M Ivy Bridge, TB off, using SUPERCOP:
+
+- ecmul_gen : (slower) `108kcy`
+- ecmul : (faster) `110kcy`
+- ecsimul_gen : (not implemented)
+- ecsimul : (not implemented)
+
 ##### Crypto++ Library 5.6.2
 
 On iMac (2.7 GHz Core i5-2500S Sandy Bridge, June 2011):
@@ -986,6 +1001,9 @@ Introduces the Elligator-2 point unpacking algorithm, which is implemented by Sn
 ##### [19] ["Elliptic and Hyperelliptic Curves: a Practical Security Analysis" (Bos Costello Miele 2013)](http://eprint.iacr.org/2013/644.pdf)
 Analyzes the practical security of BN254
 
+##### [20] ["Kummer strikes back: new DH speed records" (Berstein et al 2014)](http://cr.yp.to/hecdh/kummer-20140218.pdf)
+Reveals timing attacks in existing Kummer code and reports new world-record experimental results
+
 
 ## Credits