Paper 2014/130

Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis

Joppe W. Bos, Craig Costello, Patrick Longa, and Michael Naehrig


We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities which help to improve the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.42, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real-world protocol by considering different scalar multiplication scenarios in the transport layer security (TLS) protocol. The proposed curves and the results of the analysis are intended to contribute to the recent efforts towards recommending new elliptic curves for Internet standards.

Note: To appear in the Journal of Cryptographic Engineering (JCEN)

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
Contact author(s)
plonga @ microsoft com
2015-04-24: last of 2 revisions
2014-02-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joppe W.  Bos and Craig Costello and Patrick Longa and Michael Naehrig},
      title = {Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2014/130},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.