Sandy2X: New Curve25519 speed records

Abstract

This paper sets speed records on well-known Intel chips for the Curve25519 elliptic-curve Diffie-Hellman scheme and the Ed25519 digital signature scheme. In particular, it takes only 159 128 Sandy Bridge cycles or 156 995 Ivy Bridge cycles to compute a Diffie-Hellman shared secret, while the previous records are 194 036 Sandy Bridge cycles or 182 708 Ivy Bridge cycles. There have been many papers analyzing elliptic-curve speeds on Intel chips, and they all use Intel’s serial 64×64 → 128-bit multiplier for field arithmetic. These papers have ignored the 2-way vectorized 32 × 32 → 64-bit multiplier on Sandy Bridge and Ivy Bridge: it seems obvious that the serial multiplier is faster. However, this paper uses the vectorized multiplier. This is the first speed record set for elliptic-curve cryptography using a vectorized multiplier on Sandy Bridge and Ivy Bridge. Our work suggests that the vectorized multiplier might be a better choice for elliptic-curve computation, or even other types ofcomputation that involve prime-field arithmetic, even in the case where the computation does not exhibit very nice internal parallelism.