C

The benchmark numbers below were collected on a consumer notebook with an AMD Ryzen 7 5800H processor (base clock speed of 3.2 GHz) and 16 GB of memory. Simultaneous Multi-Threading and Precision Boost were enabled. The computer was running Linux 6.1.30, and the implementations were compiled with GCC 12.2.1.

Reference implementation:

| Scheme | KeyGen (ms) | Sign (ms) | Verify (ms) | sk (bytes) | pk (bytes) | sig (bytes) |
|---|---|---|---|---|---|---|
| FAEST-128s | 0.029243 | 57.371800 | 54.685000 | 32 | 32 | 5006 |
| FAEST-128f | 0.028902 | 10.595000 | 8.688150 | 32 | 32 | 6336 |
| FAEST-192s | 0.133169 | 140.986000 | 130.200000 | 56 | 64 | 12744 |
| FAEST-192f | 0.132448 | 29.458600 | 22.124800 | 56 | 64 | 16792 |
| FAEST-256s | 0.217883 | 192.760000 | 172.761000 | 64 | 64 | 22100 |
| FAEST-256f | 0.219252 | 53.337600 | 38.639500 | 64 | 64 | 28400 |
| FAEST-EM-128s | 0.024842 | 55.443800 | 53.514200 | 32 | 32 | 4566 |
| FAEST-EM-128f | 0.024569 | 9.271280 | 8.194980 | 32 | 32 | 5696 |
| FAEST-EM-192s | 0.068062 | 124.585000 | 115.081000 | 48 | 48 | 10824 |
| FAEST-EM-192f | 0.070450 | 21.847700 | 18.475900 | 48 | 48 | 13912 |
| FAEST-EM-256s | 0.202160 | 181.046000 | 166.831000 | 64 | 64 | 20956 |
| FAEST-EM-256f | 0.209743 | 45.798400 | 37.475200 | 64 | 64 | 26736 |

x86-64 implementation with AVX2, AES-NI, and other ISA extensions:

| Scheme | KeyGen (ms) | Sign (ms) | Verify (ms) | sk (bytes) | pk (bytes) | sig (bytes) |
|---|---|---|---|---|---|---|
| FAEST-128s | 0.000641 | 8.096220 | 8.096920 | 32 | 32 | 5006 |
| FAEST-128f | 0.000638 | 0.873933 | 0.868901 | 32 | 32 | 6336 |
| FAEST-192s | 0.002215 | 19.177500 | 19.310600 | 56 | 64 | 12744 |
| FAEST-192f | 0.002223 | 1.957010 | 1.961630 | 56 | 64 | 16792 |
| FAEST-256s | 0.003340 | 26.651500 | 26.763300 | 64 | 64 | 22100 |
| FAEST-256f | 0.003342 | 3.103970 | 3.103690 | 64 | 64 | 28400 |
| FAEST-EM-128s | 0.000535 | 8.085880 | 8.046230 | 32 | 32 | 4566 |
| FAEST-EM-128f | 0.000530 | 0.854931 | 0.856541 | 32 | 32 | 5696 |
| FAEST-EM-192s | 0.001225 | 18.460400 | 18.519800 | 48 | 48 | 10824 |
| FAEST-EM-192f | 0.001218 | 1.869360 | 1.868780 | 48 | 48 | 13912 |
| FAEST-EM-256s | 0.002581 | 25.645900 | 25.871500 | 64 | 64 | 20956 |
| FAEST-EM-256f | 0.002567 | 3.035020 | 3.028910 | 64 | 64 | 26736 |

Rust

  • Implementation for our Crypto 2023 paper. Note that this is for an older version of our protocol, which uses different primitives and is incompatible with the specification.