From a96814a527162a80bf3de74f0dd2956b22d3c091 Mon Sep 17 00:00:00 2001 From: "Chris A. Taylor" Date: Tue, 18 Feb 2014 11:29:32 -0800 Subject: [PATCH] Kummer strikes back results --- README.md | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 7eaba8f..1668c77 100644 --- a/README.md +++ b/README.md @@ -333,18 +333,6 @@ On i7-3520M Ivy Bridge, TB off, using SUPERCOP: - ecsimul_gen : (not implemented) - ecsimul : (not implemented) -##### kumfp127g [http://eprint.iacr.org/2012/670.pdf](http://eprint.iacr.org/2012/670.pdf): - -- Availability : Free, open-source, but not portable (uncommented assembly only) -- This code is also extremely complex and looks tricky to audit. - -On i7-3520M Ivy Bridge, TB off, using SUPERCOP: - -- ecmul_gen : (slower) `108kcy` -- ecmul : (faster) `110kcy` -- ecsimul_gen : (not implemented) -- ecsimul : (not implemented) - ##### Hamburg's implementation [http://mikehamburg.com/papers/fff/fff.pdf](http://mikehamburg.com/papers/fff/fff.pdf): - Availability : Not available online 
@@ -374,6 +362,33 @@ On 3.4 GHz i7-3770 Ivy Bridge with TB off: - ecsimul_gen : (faster) `111kcy` - ecsimul : (not implemented) +##### Kummer strikes back [http://cr.yp.to/hecdh/kummer-20140218.pdf](http://cr.yp.to/hecdh/kummer-20140218.pdf): + +- Availability : Equivalently free, open-source, and portable + +On Haswell: + +- ecmul_gen : (slower) `72kcy` +- ecmul : (faster) `72kcy` +- ecsimul_gen : (not implemented) +- ecsimul : (not implemented) + +This looks like the most promising direction for future efficient EC-DH. This +will be a huge improvement on Snowshoe when it is more mature. + +##### kumfp127g [http://eprint.iacr.org/2012/670.pdf](http://eprint.iacr.org/2012/670.pdf): + +- WARNING: It was revealed in [20] that this code is not actually timing-invariant. +- Availability : Free, open-source, but not portable (uncommented assembly only) +- This code is also extremely complex and looks tricky to audit. + +On i7-3520M Ivy Bridge, TB off, using SUPERCOP: + +- ecmul_gen : (slower) `108kcy` +- ecmul : (faster) `110kcy` +- ecsimul_gen : (not implemented) +- ecsimul : (not implemented) + ##### Crypto++ Library 5.6.2 On iMac (2.7 GHz Core i5-2500S Sandy Bridge, June 2011): @@ -986,6 +1001,9 @@ Introduces the Elligator-2 point unpacking algorithm, which is implemented by Sn ##### [19] ["Elliptic and Hyperelliptic Curves: a Practical Security Analysis" (Bos Costello Miele 2013)](http://eprint.iacr.org/2013/644.pdf) Analyzes the practical security of BN254 +##### [20] ["Kummer strikes back: new DH speed records" (Berstein et al 2014)](http://cr.yp.to/hecdh/kummer-20140218.pdf) +Reveals timing attacks in existing Kummer code and reports new world-record experimental results + ## Credits
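Review bot: the new "Kummer strikes back" entry in the second hunk gives less benchmark context than every neighbouring entry: "On Haswell:" names no CPU model, clock, Turbo Boost state or harness, while the surrounding entries say e.g. "On i7-3520M Ivy Bridge, TB off, using SUPERCOP:", so the `72kcy` figures cannot be compared on equal terms; please state the machine and harness the numbers come from, or mark them as taken from the paper. The availability line "Equivalently free, open-source, and portable" should also say what it is equivalent to, or simply read "Free, open-source, and portable" like the other entries. Minor: the entry calls this "the most promising direction for future efficient EC-DH" while the linked URL sits under `hecdh`, i.e. the Kummer surface is a genus-2 (hyperelliptic) construction, so "DH" or "(H)EC-DH" would be more precise than "EC-DH".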
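Review bot: the author name in the new reference [20] in the third hunk is misspelled: "Berstein et al 2014" should be "Bernstein et al 2014" (the paper is hosted on cr.yp.to, Daniel J. Bernstein's site). The one-line summary "Reveals timing attacks in existing Kummer code" also overstates what the WARNING in the second hunk claims; that line says the kumfp127g code "is not actually timing-invariant", so "Reveals that existing Kummer code is not timing-invariant (constant-time)" would match the two statements to each other.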