VAMPIRE

eBACS: ECRYPT Benchmarking of Cryptographic Systems


ECRYPT II
General information:IntroductioneBASHeBASCeBAEADeBATSSUPERCOPXBXComputersArch
How to submit new software:Tipshashstreamaeaddhkemencryptsign
List of primitives measured:lwcsha3hashstreamlwccaesaraeaddhkemencryptsign
Measurements:lwcsha3hashstreamlwccaesaraeaddhkemencryptsign
List of subroutines:verifydecodeencodesortcorehashblocksxofscalarmult

Measurements of public-key Diffie–Hellman secret-sharing systems on one machine: amd64; Zen 4 (a60f12); 2023 AMD Ryzen 7 7700; 8 x 3800MHz; hertz, supercop-20260627

[Page version: 20260711 08:21:53]

eBATS (ECRYPT Benchmarking of Asymmetric Systems) is a project to measure the performance of public-key systems. This page presents benchmark results collected in eBATS for public-key Diffie–Hellman secret-sharing systems:

Each table row lists the first quartile of many speed measurements (or StQ1 starting with supercop-20260214), the median of many speed measurements (or StQ2 starting with supercop-20260214), the third quartile of many speed measurements (or StQ3 starting with supercop-20260214), and the name of the primitive. Measurements with large interquartile range (or stabilized interquartile range) are indicated in red with question marks. The symbol T: (starting with supercop-20200816) means that the SUPERCOP database at the time of benchmarking did not list constant time as a goal for this implementation. The symbol T!!! means that constant time was listed as a goal for this implementation, but that the implementation failed TIMECOP. (TIMECOP failures are not necessarily security issues; they can sometimes be resolved by, e.g., declaring that a rejection-sampling condition is safe to declassify.)

There is a separate page with more information about each Diffie–Hellman system and each implementation. Designers and implementors interested in submitting new Diffie–Hellman systems and new implementations of existing systems should read the call for submissions.


Test results

Graphs: (pkcycles,pkbytes) (scycles,pkbytes)

Cycles to generate a key pair
25%50%75%system
224072241822431curve25519
241052519226489
T:
jacfp127i
263312777629031
T:
kumjacfp127g
272152842929600
T:
prjfp127i
277992903130412
T:
hecfp127i
308583105131647
T:
gls254
314023144731496
T:
gls254prot
305803179733091
T:
jacfp128bk
309703236635809
T:
ecfp256e
342603553539268
T:
curve2251
353563663938013
T:
prjfp128bk
368883834439861
T:
hecfp128bk
372813856240185
T:
hecfp128fkt
371083862040083
T:
hecfp128i
362543868944072
T:
ecfp256s
373723995645738
T:
ecfp256q
406764070641145nistp256
424074247242506
T:
kummer
426434269742753
T:
k277taa
483524845249549
T:
k298
611276135561386
T:
k277mon
792717937079527
T:
kumfp127g
104317104390104477
T:
kumfp128g
144156145002145925
T:
ecfp256i
161344161801162660
T:
ed448goldilocks
162892163904164899
T:
ecfp256h
208349210042212158
T:
sclaus1024
776894779451781680
T:
ed521gs
938931940961943353
T:
nist521gs
101422910182821022939
T:
claus
109198611007371108577
T:
sclaus2048
Cycles to compute a shared secret
25%50%75%system
295702958929652
T:
gls254
312923139231467
T:
gls254prot
423864241242451
T:
kummer
426444270942732
T:
k277taa
482084827148337
T:
k298
535845360153609curve25519
607756100961340
T:
k277mon
787877887478984
T:
jacfp128bk
815738158681607
T:
kumfp127g
823208241282651
T:
kumjacfp127g
940099414394305
T:
prjfp128bk
975969769197962
T:
hecfp128fkt
988789902499224
T:
hecfp128bk
109162109185109235
T:
kumfp128g
120886120977121080
T:
jacfp127i
128790128849128971
T:
ecfp256e
136008136165136646
T:
curve2251
137066137104137205
T:
ecfp256i
140938141002141088
T:
ecfp256q
150246150354150458
T:
prjfp127i
153052153143153270
T:
hecfp127i
153892153906153943nistp256
154846154906155306
T:
ecfp256h
196602196672197116
T:
ecfp256s
210622210703210923
T:
hecfp128i
214523216567218112
T:
sclaus1024
541995548510550281
T:
ed448goldilocks
775421777183779851
T:
ed521gs
939930941839943458
T:
nist521gs
101137810128631018600
T:
claus
111033711158411123705
T:
sclaus2048