eBACS: ECRYPT Benchmarking of Cryptographic Systems



List of public-key Diffie–Hellman secret-sharing systems measured

eBATS (ECRYPT Benchmarking of Asymmetric Systems) is a project in ECRYPT's VAMPIRE lab to measure the performance of public-key systems. This page lists the public-key Diffie–Hellman secret-sharing systems covered by VAMPIRE's benchmarking tool, SUPERCOP. The page then lists implementations of these systems.

There is a separate page that lists machines and, for each machine, the measurements of these systems.

Designers and implementors interested in submitting new Diffie–Hellman systems and new implementations of existing systems should read the call for submissions.

Which Diffie–Hellman systems are measured?

| Primitive | Description | Designers |
|---|---|---|
| claus | Classic Diffie–Hellman secret sharing modulo a 1024-bit prime | Example for eBATS |
| curve2251 | Elliptic-curve Diffie–Hellman secret sharing using a curve over a field with 2^251 elements | Pierrick Gaudry (Laboratoire Lorrain de Recherche en Informatique et ses Applications); Emmanuel Thomé (Laboratoire Lorrain de Recherche en Informatique et ses Applications) |
| curve25519 | Elliptic-curve Diffie–Hellman secret sharing using the curve y^2=x^3+486662x^2+x modulo 2^255-19 | Daniel J. Bernstein |
| ecfp256e | Elliptic-curve Diffie–Hellman secret sharing using the twisted Edwards curve -x^2+y^2=1+dx^2y^2 modulo 2^256-587, where d = 59702978421801250797625733354188749104239349061620892363256064453045589344976 | Huseyin Hisil |
| ecfp256h | Elliptic-curve Diffie–Hellman secret sharing using the Hessian curve x^3+y^3+1=53010xy modulo 2^256-587 | Huseyin Hisil |
| ecfp256i | Elliptic-curve Diffie–Hellman secret sharing using the Jacobi intersection s^2+c^2=1, 3764s^2+d^2=1 modulo 2^256-587 | Huseyin Hisil |
| ecfp256q | Elliptic-curve Diffie–Hellman secret sharing using the twisted Jacobi quartic curve y^2=11x^4-x^2+1 modulo 2^256-587 | Huseyin Hisil |
| ecfp256s | Elliptic-curve Diffie–Hellman secret sharing using the short Weierstrass curve y^2=x^3-3x+11 modulo 2^256-587 | Huseyin Hisil |
| ed448goldilocks | Ed448-Goldilocks sign and dh | Mike Hamburg |
| ed521gs | | |
| gls254 | Elliptic-curve Diffie–Hellman secret sharing using the GLS binary curve (L^2 + LZ + aZ^2)X^2 = X^4 + bZ^4 defined over GF(2^254) and implemented with lambda-projective coordinates (X, L, Z). | Thomaz Oliveira, Computer Science Department, CINVESTAV-IPN, Mexico; Julio López, Institute of Computing, University of Campinas, Brazil; Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico |
| gls1271 | Galbraith, Lin, Scott: Elliptic-curve Diffie–Hellman secret sharing using (in ref3) a twist of the curve y^2=x^3-3x+44 over a field with (2^127-1)^2 elements; or (in ref4) a twist of the Edwards curve x^2+y^2=x^2y^2+42 over a field with (2^127-1)^2 elements | Michael Scott |
| gls254prot | Elliptic-curve Diffie–Hellman secret sharing using the GLS binary curve (L^2 + LZ + aZ^2)X^2 = X^4 + bZ^4 defined over GF(2^254) and implemented with lambda-projective coordinates (X, L, Z). | Thomaz Oliveira, Computer Science Department, CINVESTAV-IPN, Mexico; Julio López, Institute of Computing, University of Campinas, Brazil; Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico |
| hecfp127i | | |
| hecfp128bk | | |
| hecfp128fkt | | |
| hecfp128i | | |
| hecfp61e2bk | | |
| hecfp61e2i | | |
| hecfp64e2bk | | |
| hecfp64e2i | | |
| hector | Hyperelliptic Curve with Two-Rank One: Diffie–Hellman secret sharing using a genus-2 hyperelliptic curve of 2-rank 1 over a field of size 2^113 | Peter Birkner (Technische Universiteit Eindhoven); Peter Schwabe (Technische Universiteit Eindhoven) |
| jacfp127i | | |
| jacfp128bk | | |
| k298 | Elliptic-curve Diffie–Hellman secret sharing using a Koblitz curve defined over the field F_2^298 | Thomaz Oliveira, Cinvestav-IPN; Julio López, University of Campinas; Francisco Rodríguez-Henríquez, Cinvestav-IPN |
| k277mon | Elliptic-curve Diffie–Hellman secret sharing using a Koblitz curve defined over the field F_2^277 (Montgomery ladder scalar multiplication) | Thomaz Oliveira, Cinvestav-IPN; Julio López, University of Campinas; Francisco Rodríguez-Henríquez, Cinvestav-IPN |
| k277taa | Elliptic-curve Diffie–Hellman secret sharing using a Koblitz curve defined over the field F_2^277 (tau-and-add scalar multiplication) | Thomaz Oliveira, Cinvestav-IPN; Julio López, University of Campinas; Francisco Rodríguez-Henríquez, Cinvestav-IPN |
| kumfp127g | | |
| kumfp128g | | |
| kumfp61e2g | | |
| kumfp64e2g | | |
| kumjacfp127g | | |
| kummer | | |
| nist521gs | | |
| nistp256 | Elliptic-curve Diffie–Hellman secret sharing using the standard NIST P-256 elliptic curve, a curve modulo the prime 2^256-2^224+2^192+2^96-1 | Yassir Nawaz (University of Waterloo); Guang Gong (University of Waterloo) |
| prjfp127i | | |
| prjfp128bk | | |
| sclaus1024 | Variant of CLAUS, using 160-bit exponents and 1024-bit modulus | Wei Dai |
| sclaus2048 | Variant of CLAUS, using 224-bit exponents and 2048-bit modulus | Wei Dai |
| surf2113 | Hyperelliptic-curve Diffie–Hellman secret sharing using a genus-2 curve over a field with 2^113 elements | Pierrick Gaudry (Laboratoire Lorrain de Recherche en Informatique et ses Applications); Emmanuel Thomé (Laboratoire Lorrain de Recherche en Informatique et ses Applications) |
| surf127eps | Hyperelliptic-curve Diffie–Hellman secret sharing using a genus-2 curve with complex multiplication by Q(i sqrt(5+sqrt(53))) modulo the prime 2^127-735 | Pierrick Gaudry (Laboratoire Lorrain de Recherche en Informatique et ses Applications); Thomas Houtmann (École Polytechnique); Emmanuel Thomé (École Polytechnique) |

Implementations

| Primitive | Implementation | Authors |
|---|---|---|
| claus | cryptopp | Wei Dai (wrapper around Crypto++) |
| claus | gmp | Daniel J. Bernstein (wrapper around GMP) |
| claus | ntl | Daniel J. Bernstein (wrapper around NTL) |
| claus | openssl | Daniel J. Bernstein (wrapper around OpenSSL) |
| curve2251 | mpfq | Pierrick Gaudry, Laboratoire Lorrain de Recherche en Informatique et ses Applications; Emmanuel Thomé, Laboratoire Lorrain de Recherche en Informatique et ses Applications |
| curve2251 | relic/amd64-avx | Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Jonathan Taverne, Université de Lyon, Université Lyon1, ISFA, France; Armando Faz-Hernández, Computer Science Department, CINVESTAV-IPN, Mexico; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico; Darrel Hankerson, Auburn University, USA; Julio López, Institute of Computing, University of Campinas, Brazil |
| curve2251 | relic/amd64-clmul | Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Jonathan Taverne, Université de Lyon, Université Lyon1, ISFA, France; Armando Faz-Hernández, Computer Science Department, CINVESTAV-IPN, Mexico; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico; Darrel Hankerson, Auburn University, USA; Julio López, Institute of Computing, University of Campinas, Brazil |
| curve2251 | relic/amd64-ssse3 | Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Julio López, Institute of Computing, University of Campinas, Brazil; Darrel Hankerson, Auburn University, USA |
| curve25519 | mpfq | Pierrick Gaudry, Laboratoire Lorrain de Recherche en Informatique et ses Applications; Emmanuel Thomé, Laboratoire Lorrain de Recherche en Informatique et ses Applications |
| curve25519 | ref | Daniel J. Bernstein (wrapper around crypto_scalarmult/curve25519) |
| ecfp256e | v01/var | Huseyin Hisil |
| ecfp256e | v01/w8s1 | Huseyin Hisil |
| ecfp256e | v01/w8s2 | Huseyin Hisil |
| ecfp256e | v01/w8s4 | Huseyin Hisil |
| ecfp256e | v01/w8s8 | Huseyin Hisil |
| ecfp256h | v01/var | Huseyin Hisil |
| ecfp256h | v01/w8s1 | Huseyin Hisil |
| ecfp256h | v01/w8s2 | Huseyin Hisil |
| ecfp256h | v01/w8s4 | Huseyin Hisil |
| ecfp256h | v01/w8s8 | Huseyin Hisil |
| ecfp256i | v01/var | Huseyin Hisil |
| ecfp256i | v01/w8s1 | Huseyin Hisil |
| ecfp256i | v01/w8s2 | Huseyin Hisil |
| ecfp256i | v01/w8s4 | Huseyin Hisil |
| ecfp256i | v01/w8s8 | Huseyin Hisil |
| ecfp256q | v01/var | Huseyin Hisil |
| ecfp256q | v01/w8s1 | Huseyin Hisil |
| ecfp256q | v01/w8s2 | Huseyin Hisil |
| ecfp256q | v01/w8s4 | Huseyin Hisil |
| ecfp256q | v01/w8s8 | Huseyin Hisil |
| ecfp256s | v01/var | Huseyin Hisil |
| ecfp256s | v01/w8s1 | Huseyin Hisil |
| ecfp256s | v01/w8s2 | Huseyin Hisil |
| ecfp256s | v01/w8s4 | Huseyin Hisil |
| ecfp256s | v01/w8s8 | Huseyin Hisil |
| ed448goldilocks | 32 | |
| ed448goldilocks | 64 | |
| ed448goldilocks | amd64 | |
| ed448goldilocks | arm32 | |
| ed448goldilocks | neon | |
| ed521gs | ref | |
| gls254 | opt | |
| gls254 | prot | Thomaz Oliveira, Computer Science Department, CINVESTAV-IPN, Mexico; Julio López, Institute of Computing, University of Campinas, Brazil; Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico |
| gls254 | ref | Thomaz Oliveira, Computer Science Department, CINVESTAV-IPN, Mexico; Julio López, Institute of Computing, University of Campinas, Brazil; Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico |
| gls1271 | ref4 | Michael Scott, Dublin City University |
| gls254prot | opt | |
| gls254prot | prot | Thomaz Oliveira, Computer Science Department, CINVESTAV-IPN, Mexico; Julio López, Institute of Computing, University of Campinas, Brazil; Diego de Freitas Aranha, Department of Computer Science, University of Brasília, Brazil; Francisco Rodríguez-Henríquez, Computer Science Department, CINVESTAV-IPN, Mexico |
| hecfp127i | v02/var | |
| hecfp127i | v02/w8s01 | |
| hecfp127i | v02/w8s02 | |
| hecfp127i | v02/w8s04 | |
| hecfp127i | v02/w8s08 | |
| hecfp127i | v02/w8s16 | |
| hecfp127i | v02/w8s32 | |
| hecfp128bk | v02/varglv4 | |
| hecfp128bk | v02/w8s01glv4 | |
| hecfp128bk | v02/w8s02glv4 | |
| hecfp128bk | v02/w8s04glv4 | |
| hecfp128bk | v02/w8s08glv4 | |
| hecfp128bk | v02/w8s16glv4 | |
| hecfp128bk | v02/w8s32glv4 | |
| hecfp128fkt | v02/varglv4 | |
| hecfp128fkt | v02/w8s01glv4 | |
| hecfp128fkt | v02/w8s02glv4 | |
| hecfp128fkt | v02/w8s04glv4 | |
| hecfp128fkt | v02/w8s08glv4 | |
| hecfp128fkt | v02/w8s16glv4 | |
| hecfp128fkt | v02/w8s32glv4 | |
| hecfp128i | v02/var | |
| hecfp128i | v02/w8s01 | |
| hecfp128i | v02/w8s02 | |
| hecfp128i | v02/w8s04 | |
| hecfp128i | v02/w8s08 | |
| hecfp128i | v02/w8s16 | |
| hecfp128i | v02/w8s32 | |
| hecfp61e2bk | v01/varglv8 | |
| hecfp61e2bk | v01/w8s01glv8 | |
| hecfp61e2bk | v01/w8s02glv8 | |
| hecfp61e2bk | v01/w8s04glv8 | |
| hecfp61e2bk | v01/w8s08glv8 | |
| hecfp61e2bk | v01/w8s16glv8 | |
| hecfp61e2bk | v01/w8s32glv8 | |
| hecfp61e2i | v01/var | |
| hecfp61e2i | v01/w8s01 | |
| hecfp61e2i | v01/w8s02 | |
| hecfp61e2i | v01/w8s04 | |
| hecfp61e2i | v01/w8s08 | |
| hecfp61e2i | v01/w8s16 | |
| hecfp61e2i | v01/w8s32 | |
| hecfp64e2bk | v01/varglv8 | |
| hecfp64e2bk | v01/w8s01glv8 | |
| hecfp64e2bk | v01/w8s02glv8 | |
| hecfp64e2bk | v01/w8s04glv8 | |
| hecfp64e2bk | v01/w8s08glv8 | |
| hecfp64e2bk | v01/w8s16glv8 | |
| hecfp64e2bk | v01/w8s32glv8 | |
| hecfp64e2i | v01/var | |
| hecfp64e2i | v01/w8s01 | |
| hecfp64e2i | v01/w8s02 | |
| hecfp64e2i | v01/w8s04 | |
| hecfp64e2i | v01/w8s08 | |
| hecfp64e2i | v01/w8s16 | |
| hecfp64e2i | v01/w8s32 | |
| hector | ref | Peter Birkner, Technische Universiteit Eindhoven; Peter Schwabe, Technische Universiteit Eindhoven |
| jacfp127i | v01/var | |
| jacfp127i | v01/w4s01 | |
| jacfp127i | v01/w4s02 | |
| jacfp127i | v01/w4s04 | |
| jacfp127i | v01/w4s08 | |
| jacfp127i | v01/w4s16 | |
| jacfp127i | v01/w4s32 | |
| jacfp127i | v01/w8s01 | |
| jacfp127i | v01/w8s02 | |
| jacfp127i | v01/w8s04 | |
| jacfp127i | v01/w8s08 | |
| jacfp127i | v01/w8s16 | |
| jacfp127i | v01/w8s32 | |
| jacfp128bk | v01/varglv4 | |
| jacfp128bk | v01/w4s01glv4 | |
| jacfp128bk | v01/w4s02glv4 | |
| jacfp128bk | v01/w4s04glv4 | |
| jacfp128bk | v01/w4s08glv4 | |
| jacfp128bk | v01/w4s16glv4 | |
| jacfp128bk | v01/w4s32glv4 | |
| jacfp128bk | v01/w8s01glv4 | |
| jacfp128bk | v01/w8s02glv4 | |
| jacfp128bk | v01/w8s04glv4 | |
| jacfp128bk | v01/w8s08glv4 | |
| jacfp128bk | v01/w8s16glv4 | |
| jacfp128bk | v01/w8s32glv4 | |
| k298 | ref | |
| k277mon | ref | |
| k277taa | ref | |
| kumfp127g | v02/var | |
| kumfp128g | v02/var | |
| kumfp61e2g | v01/var | |
| kumfp64e2g | v01/var | |
| kumjacfp127g | v01/var | |
| kumjacfp127g | v01/w4s01 | |
| kumjacfp127g | v01/w4s02 | |
| kumjacfp127g | v01/w4s04 | |
| kumjacfp127g | v01/w4s08 | |
| kumjacfp127g | v01/w4s16 | |
| kumjacfp127g | v01/w4s32 | |
| kumjacfp127g | v01/w8s01 | |
| kumjacfp127g | v01/w8s02 | |
| kumjacfp127g | v01/w8s04 | |
| kumjacfp127g | v01/w8s08 | |
| kumjacfp127g | v01/w8s16 | |
| kumjacfp127g | v01/w8s32 | |
| kummer | ref | |
| nist521gs | ref | |
| nistp256 | nawaz | Yassir Nawaz, University of Waterloo; Guang Gong, University of Waterloo |
| nistp256 | ref | Jan Mojzis (wrapper around crypto_scalarmult/nistp256) |
| nistp256 | wbl | |
| prjfp127i | v01/var | |
| prjfp127i | v01/w4s01 | |
| prjfp127i | v01/w4s02 | |
| prjfp127i | v01/w4s04 | |
| prjfp127i | v01/w4s08 | |
| prjfp127i | v01/w4s16 | |
| prjfp127i | v01/w4s32 | |
| prjfp127i | v01/w8s01 | |
| prjfp127i | v01/w8s02 | |
| prjfp127i | v01/w8s04 | |
| prjfp127i | v01/w8s08 | |
| prjfp127i | v01/w8s16 | |
| prjfp127i | v01/w8s32 | |
| prjfp128bk | v01/varglv4 | |
| prjfp128bk | v01/w4s01glv4 | |
| prjfp128bk | v01/w4s02glv4 | |
| prjfp128bk | v01/w4s04glv4 | |
| prjfp128bk | v01/w4s08glv4 | |
| prjfp128bk | v01/w4s16glv4 | |
| prjfp128bk | v01/w4s32glv4 | |
| prjfp128bk | v01/w8s01glv4 | |
| prjfp128bk | v01/w8s02glv4 | |
| prjfp128bk | v01/w8s04glv4 | |
| prjfp128bk | v01/w8s08glv4 | |
| prjfp128bk | v01/w8s16glv4 | |
| prjfp128bk | v01/w8s32glv4 | |
| sclaus1024 | cryptopp | Wei Dai (wrapper around Crypto++) |
| sclaus1024 | gmp | Wei Dai (wrapper around GMP) |
| sclaus2048 | cryptopp | Wei Dai (wrapper around Crypto++) |
| sclaus2048 | gmp | Wei Dai (wrapper around GMP) |
| surf2113 | mpfq | Pierrick Gaudry, Laboratoire Lorrain de Recherche en Informatique et ses Applications; Emmanuel Thomé, Laboratoire Lorrain de Recherche en Informatique et ses Applications |
| surf127eps | mpfq | Pierrick Gaudry, Laboratoire Lorrain de Recherche en Informatique et ses Applications; Thomas Houtmann, École Polytechnique; Emmanuel Thomé, École Polytechnique |

scalarmult implementations

It is recommended for crypto_dh implementors to build crypto_dh on top of crypto_scalarmult. Here is a list of crypto_scalarmult implementations.

| Primitive | Implementation | Authors |
|---|---|---|
| curve25519 | amd64-51 | Daniel J. Bernstein; Niels Duif; Tanja Lange; lead: Peter Schwabe; Bo-Yin Yang |
| curve25519 | amd64-64 | Daniel J. Bernstein; Niels Duif; Tanja Lange; lead: Peter Schwabe; Bo-Yin Yang |
| curve25519 | athlon | Daniel J. Bernstein |
| curve25519 | costigan-schwabe/cbe | Neil Costigan (Dublin City University); Peter Schwabe (Technische Universiteit Eindhoven) |
| curve25519 | donna | Adam Langley (Google) |
| curve25519 | donna_c64 | Adam Langley (Google) |
| curve25519 | neon2 | Daniel J. Bernstein; Peter Schwabe |
| curve25519 | ref10 | D. J. Bernstein |
| curve25519 | ref | Matthew Dempsky (Mochi Media) |
| curve25519 | sandy2x | Tung Chou |
| kummer | avx2 | |
| kummer | avx2int | |
| kummer | avx | |
| kummer | neon | |
| kummer | ref5 | |
| kummer | ref5u | |
| nistp256 | mj32 | Jan Mojzis |

Version

This is version 2017.07.26 of the primitives-dh.html web page. This web page is in the public domain.