VAMPIRE

eBACS: ECRYPT Benchmarking of Cryptographic Systems


ECRYPT II
General information:IntroductioneBASHeBASCeBAEADeBATSSUPERCOPXBXComputersArch
How to submit new software:Tipshashstreamaeaddhkemencryptsign
List of primitives measured:lwcsha3hashstreamlwccaesaraeaddhkemencryptsign
Measurements:lwcsha3hashstreamlwccaesaraeaddhkemencryptsign
List of subroutines:verifydecodeencodesortcorehashblocksxofscalarmult

Measurements of public-key Diffie–Hellman secret-sharing systems on one machine: amd64; Broadwell+AES (406f1); 2016 Intel Xeon E5-2609 v4; 8 x 1700MHz; bolero, supercop-20240625

[Page version: 20240720 10:46:06]

eBATS (ECRYPT Benchmarking of Asymmetric Systems) is a project to measure the performance of public-key systems. This page presents benchmark results collected in eBATS for public-key Diffie–Hellman secret-sharing systems:

Each table row lists the first quartile of many speed measurements, the median of many speed measurements, the third quartile of many speed measurements, and the name of the primitive. Measurements with large variance are indicated in red with question marks. The symbol T: (starting with supercop-20200816) means that the SUPERCOP database at the time of benchmarking did not list constant time as a goal for this implementation. The symbol T!!! means that constant time was listed as a goal for this implementation, but that the implementation failed TIMECOP. (TIMECOP failures are not necessarily security issues; they can sometimes be resolved by, e.g., declaring that a rejection-sampling condition is safe to declassify.)

There is a separate page with more information about each Diffie–Hellman system and each implementation. Designers and implementors interested in submitting new Diffie–Hellman systems and new implementations of existing systems should read the call for submissions.


Implementation notes

Graphs: old (pkcycles,pkbytes) (scycles,pkbytes)

Cycles to generate a key pair
25%50%75%system
252242636029108
T:
jacfp127i
26956?28420?36829?
T:
kumjacfp127g
280642912431176
T:
prjfp127i
294243050032116
T:
hecfp127i
327803450038416
T:
jacfp128bk
373283786841168
T:
gls254
392483942848992
T:
gls254prot
396804055642956
T:
hecfp128bk
395004059243420
T:
hecfp128fkt
394524289645392
T:
hecfp128i
40124?44984?53929?
T:
prjfp128bk
42652?47992?58079?
T:
curve2251
491524928455604
T:
k277taa
558605602862688
T:
k298
669527317678752
T:
kummer
782928183294964
T:
k277mon
9136891572101112
T:
kumfp127g
83148?94840?112246?
T:
gls1271
129888131292139808
T:
kumfp128g
145868148524157824
T:
curve25519
156656?164416?222178?
T:
ed448goldilocks
191916?203132?267767?
T:
sclaus1024
278544287608302308
T:
nistp256
543728561456616344
T:
surf2113
925552936884974800
T:
ed521gs
9750649981121048328
T:
sclaus2048
115325211909521240960
T:
claus
Cycles to compute a shared secret
25%50%75%system
359723604436164
T:
gls254
391043919242188
T:
gls254prot
490444912855548
T:
k277taa
556365572460000
T:
k298
667207268476200
T:
kummer
782327838487488
T:
k277mon
9306893356100628
T:
kumfp127g
9656497432105568
T:
jacfp128bk
9907699932108860
T:
kumjacfp127g
120696121184130616
T:
hecfp128bk
116332?124684?164543?
T:
prjfp128bk
125440?135112?177480?
T:
hecfp128fkt
134132136856147652
T:
kumfp128g
142928148968165956
T:
curve25519
155544157212170436
T:
jacfp127i
188576192732205296
T:
prjfp127i
187760195388209572
T:
hecfp127i
189136195956208724
T:
sclaus1024
157492?217556?228016?
T:
curve2251
210056?238708?265380?
T:
gls1271
273840290556307604
T:
hecfp128i
476524484944513664
T:
ed448goldilocks
552488581704629392
T:
surf2113
926184939548966916
T:
ed521gs
9737769945201047368
T:
sclaus2048
9803729958681038636
T:
nistp256
115108811852841214064
T:
claus