The cr.yp.to microblog: 2020.11.14 06:10:22

2020.11.14 06:10:22 (1327478962939850752) from Daniel J. Bernstein, replying to "Pedro Maat C. Massolino (@pmaat)" (1327417924177551360):

Can do at least 2x better than this by swapping in the (fully implemented) integer multipliers from https://quantum.isogeny.org, which are just 78828 ANDs for 255-bit multiplication, or 46355 ANDs for 255-bit squaring. Bit operations for even fancier multipliers can do even better.

Context

2020.11.14 01:22:50 (1327406600483713025) from "Pedro Maat C. Massolino (@pmaat)", replying to "Nigel Smart (@SmartCryptology)" (1327280495978278914):

Part 1: Taking curve25519. 1 modular multiplication can be done with 255-bit mult + 255 additions + 3 additions for red. Each addition takes 255 full adders. That gives 65790 FA and 255 ands. One modular addition is 510 FA.

2020.11.14 01:32:46 (1327409099999485952) from "Pedro Maat C. Massolino (@pmaat)", replying to "Pedro Maat C. Massolino (@pmaat)" (1327406600483713025):

Part 2: Taking a ladder step as 6M + 4S + 1 a24 mult + 8 add. We can approximate to 11 M + 8 add. Which is 727770 FA + 2805 ands. If we repeat this for 255 bits (not going to simplify for the first 2 bits): 185581350 FA + 715275 ands. We also need 2 mux per bit of 255 bits, thus 510 muxes.

2020.11.14 01:39:39 (1327410833421381632) from "Pedro Maat C. Massolino (@pmaat)", replying to "Pedro Maat C. Massolino (@pmaat)" (1327409099999485952):

Part 3: Each mux is 4 ands, 3 ors and 2 invs, thus 2040 ands, 1530 ors and 1020 invs. Each FA is 2 xor, 2 and, 1 or. 371162700 xor, 371880015 ands, 185582880 ors and 1020 invs. So almost 371 million ands and xors.

2020.11.14 02:07:50 (1327417924177551360) from "Pedro Maat C. Massolino (@pmaat)", replying to "Pedro Maat C. Massolino (@pmaat)" (1327410833421381632):

Forgot: I forgot field inversion. I am going to assume it takes 266 multiplications to invert. That adds 17500140 FA and 67830 ands. 406948125 ands; the xor and or also need correction.