Speed reports for elliptic-curve cryptography D. J. Bernstein
Authenticators and signatures
A state-of-the-art Diffie-Hellman function

Speed reports for elliptic-curve cryptography

The following table summarizes various speed reports for elliptic-curve scalar multiplication: i.e., for computing nP, given an integer n and a point P on an elliptic curve.

Sometimes the public key P is compressed to its x-coordinate. For example, the table below lists 595537 Athlon cycles for scalar multiplication on NIST P-224 with 448-bit keys, and 678633 Athlon cycles for scalar multiplication on NIST P-224 with 224-bit keys. A 448-bit key in this case is a pair (x,y) on the curve, while a 224-bit key is simply x.

The ``constant time'' column considers timing attacks, including cache-timing attacks. ``Constant time: yes'' means that the software speed is independent of n and P.

The ``validation included'' column considers invalid-key attacks. ``Validation included: yes'' means that the software can accept arbitrary public keys as input, not just pre-validated public keys.

The ``known attack'' column describes, for each curve, the known discrete-logarithm algorithm having the lowest price-performance ratio. In each case, the fastest algorithm is a Pollard-type algorithm dominated by elliptic-curve additions. These algorithms have very low communication costs and parallelize perfectly across many processors.

constant time validation included cycles CPU field size curve key bits known attack source

no no 500000 Alpha 21264 (2^61-1)^3 366 2^90 adds 1999 Kobayashi Morita Kobayashi Horito

no no 580000 Pentium II 2^163 NIST K-163 326 2^77 adds 2000 Hankerson Hernandez Menezes

no no 595537 Athlon (642) 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

yes yes 624786 Athlon (622) 2^255-19 Curve25519 255 2^125 adds 2005 Bernstein

yes yes 640838 Pentium M (695) 2^255-19 Curve25519 255 2^125 adds 2005 Bernstein

no no 650000 Alpha 21264 (2^61-1)^3 366 2^90 adds 1999 Bailey Paar

no no 668566 UltraSPARC II 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no yes 678633 Athlon (642) 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no no 682000 Pentium III 2^163 326 2^81 adds 2002 Harley

no no 724776 Pentium III (672) 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no no 726922 Pentium III (686) 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no no 734731 Pentium II (652) 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no no 780000 Pentium II 2^192-2^64+1 NIST P-192 384 2^96 adds 2000 Brown Hankerson Hernandez Menezes

no no 780000 Pentium II (2^31-1)^6 372 2^91 adds 1999 Kobayashi Morita Kobayashi Horito

no yes 785900 UltraSPARC II 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no yes 823862 Pentium III (672) 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no yes 826955 Pentium III (686) 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no no 827360 Pentium 4 (f05) 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

yes yes 832457 Pentium III (686) 2^255-19 Curve25519 255 2^125 adds 2005 Bernstein

no yes 835530 Pentium II (652) 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no no 837000 Pentium III 2^163 NIST B-163 326 2^81 adds 2003 Fong Hankerson Lopez Menezes

no no 838000 Athlon near 2^160 320 2^80 adds 2004 Avanzi

no yes 943244 Pentium 4 (f05) 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

yes yes 957904 Pentium 4 (f12) 2^255-19 Curve25519 255 2^125 adds 2005 Bernstein

no no 985097 Pentium (525) 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no no 1019027 PowerPC RS64-III 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no yes 1120824 Pentium (525) 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no yes 1166080 PowerPC RS64-III 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no no 1170368 PowerPC 7410 2^224-2^96+1 NIST P-224 448 2^112 adds 2001 Bernstein

no no 1200000 Pentium II 2^224-2^96+1 NIST P-224 448 2^112 adds 2000 Brown Hankerson Hernandez Menezes

no no 1200000 Pentium II 2^233 NIST K-233 466 2^112 adds 1999 Lopez Dahab

no no 1200000 UltraSPARC 2^163 326 2^81 adds 1998 Certicom

no yes 1355344 PowerPC 7410 2^224-2^96+1 NIST P-224 224 2^112 adds 2001 Bernstein

no no 1395000 Athlon near 2^192 384 2^96 adds 2004 Avanzi

no no 1720000 Pentium III 2^233 NIST B-233 466 2^116 adds 2003 Fong Hankerson Lopez Menezes

no no 1800000 Pentium 2^224-2^96+1 NIST P-224 448 2^112 adds 2000 Brown Hankerson Hernandez Menezes

no no 2300000 UltraSPARC 2^160-2933 320 2^80 adds 1998 Cohen Miyaji Ono

no no 2700000 Pentium 4 2^224-2^96+1 NIST P-224 448 2^112 adds 2000 Brown Hankerson Hernandez Menezes

no no 3048000 Athlon near 2^256 512 2^128 adds 2004 Avanzi

no no 3100000 Pentium (2^31-1)^6 372 2^91 adds 1999 Bailey Paar

no no 3600000 UltraSPARC 2^192-3345 384 2^96 adds 1998 Cohen Miyaji Ono

no no 4100000 UltraSPARC 2^163 326 2^81 adds 1999 Lopez Dahab

no no 4200000 Pentium Pro near 2^192 384 2^96 adds 1998 De Win, Bosselaers, Vanderberghe, De Gersem

no no 4800000 UltraSPARC 2^191 382 2^86 adds 1999 Lopez Dahab

no no 5100000 UltraSPARC 2^224-1025 448 2^112 adds 1998 Cohen Miyaji Ono

no no 7500000 Pentium II 2^176 352 ? 1999 Aydos Savas Koc

no no 7700000 UltraSPARC 2^239 478 2^115 adds 1999 Lopez Dahab

no no 9600000 Pentium 2^176 352 ? 1996 De Win, Mister, Preneel, Wiener

no no 10000000 Pentium Pro 2^191 382 2^95 adds 1998 De Win, Bosselaers, Vanderberghe, De Gersem

no no 11800000 Alpha 2^176 352 ? 1998 Guajardo Paar

no no 12800000 Pentium 2^177 354 2^88 adds 1996 De Win, Mister, Preneel, Wiener

constant time	validation included	cycles	CPU	field size	curve	key bits	known attack	source
no	no	500000	Alpha 21264	(2^61-1)^3		366	2^90 adds	1999 Kobayashi Morita Kobayashi Horito
no	no	580000	Pentium II	2^163	NIST K-163	326	2^77 adds	2000 Hankerson Hernandez Menezes
no	no	595537	Athlon (642)	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
yes	yes	624786	Athlon (622)	2^255-19	Curve25519	255	2^125 adds	2005 Bernstein
yes	yes	640838	Pentium M (695)	2^255-19	Curve25519	255	2^125 adds	2005 Bernstein
no	no	650000	Alpha 21264	(2^61-1)^3		366	2^90 adds	1999 Bailey Paar
no	no	668566	UltraSPARC II	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	yes	678633	Athlon (642)	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	no	682000	Pentium III	2^163		326	2^81 adds	2002 Harley
no	no	724776	Pentium III (672)	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	no	726922	Pentium III (686)	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	no	734731	Pentium II (652)	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	no	780000	Pentium II	2^192-2^64+1	NIST P-192	384	2^96 adds	2000 Brown Hankerson Hernandez Menezes
no	no	780000	Pentium II	(2^31-1)^6		372	2^91 adds	1999 Kobayashi Morita Kobayashi Horito
no	yes	785900	UltraSPARC II	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	yes	823862	Pentium III (672)	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	yes	826955	Pentium III (686)	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	no	827360	Pentium 4 (f05)	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
yes	yes	832457	Pentium III (686)	2^255-19	Curve25519	255	2^125 adds	2005 Bernstein
no	yes	835530	Pentium II (652)	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	no	837000	Pentium III	2^163	NIST B-163	326	2^81 adds	2003 Fong Hankerson Lopez Menezes
no	no	838000	Athlon	near 2^160		320	2^80 adds	2004 Avanzi
no	yes	943244	Pentium 4 (f05)	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
yes	yes	957904	Pentium 4 (f12)	2^255-19	Curve25519	255	2^125 adds	2005 Bernstein
no	no	985097	Pentium (525)	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	no	1019027	PowerPC RS64-III	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	yes	1120824	Pentium (525)	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	yes	1166080	PowerPC RS64-III	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	no	1170368	PowerPC 7410	2^224-2^96+1	NIST P-224	448	2^112 adds	2001 Bernstein
no	no	1200000	Pentium II	2^224-2^96+1	NIST P-224	448	2^112 adds	2000 Brown Hankerson Hernandez Menezes
no	no	1200000	Pentium II	2^233	NIST K-233	466	2^112 adds	1999 Lopez Dahab
no	no	1200000	UltraSPARC	2^163		326	2^81 adds	1998 Certicom
no	yes	1355344	PowerPC 7410	2^224-2^96+1	NIST P-224	224	2^112 adds	2001 Bernstein
no	no	1395000	Athlon	near 2^192		384	2^96 adds	2004 Avanzi
no	no	1720000	Pentium III	2^233	NIST B-233	466	2^116 adds	2003 Fong Hankerson Lopez Menezes
no	no	1800000	Pentium	2^224-2^96+1	NIST P-224	448	2^112 adds	2000 Brown Hankerson Hernandez Menezes
no	no	2300000	UltraSPARC	2^160-2933		320	2^80 adds	1998 Cohen Miyaji Ono
no	no	2700000	Pentium 4	2^224-2^96+1	NIST P-224	448	2^112 adds	2000 Brown Hankerson Hernandez Menezes
no	no	3048000	Athlon	near 2^256		512	2^128 adds	2004 Avanzi
no	no	3100000	Pentium	(2^31-1)^6		372	2^91 adds	1999 Bailey Paar
no	no	3600000	UltraSPARC	2^192-3345		384	2^96 adds	1998 Cohen Miyaji Ono
no	no	4100000	UltraSPARC	2^163		326	2^81 adds	1999 Lopez Dahab
no	no	4200000	Pentium Pro	near 2^192		384	2^96 adds	1998 De Win, Bosselaers, Vanderberghe, De Gersem
no	no	4800000	UltraSPARC	2^191		382	2^86 adds	1999 Lopez Dahab
no	no	5100000	UltraSPARC	2^224-1025		448	2^112 adds	1998 Cohen Miyaji Ono
no	no	7500000	Pentium II	2^176		352	?	1999 Aydos Savas Koc
no	no	7700000	UltraSPARC	2^239		478	2^115 adds	1999 Lopez Dahab
no	no	9600000	Pentium	2^176		352	?	1996 De Win, Mister, Preneel, Wiener
no	no	10000000	Pentium Pro	2^191		382	2^95 adds	1998 De Win, Bosselaers, Vanderberghe, De Gersem
no	no	11800000	Alpha	2^176		352	?	1998 Guajardo Paar
no	no	12800000	Pentium	2^177		354	2^88 adds	1996 De Win, Mister, Preneel, Wiener