Cryptology ePrint Archive: Report 2019/1259

Security and Efficiency Trade-offs for Elliptic Curve Diffie-Hellman at the 128-bit and 224-bit Security Levels

Kaushik Nath and Palash Sarkar

Abstract: Within the Transport Layer Security (TLS) Protocol Version 1.3, RFC 7748 specifies elliptic curves targeted at the 128-bit and the 224-bit security levels. For the 128-bit security level, the Montgomery curve Curve25519 and its birationally equivalent twisted Edwards curve Ed25519 are specified; for the 224-bit security level, the Montgomery curve Curve448, the Edwards curve Edwards448 (which is isogenous to Curve448) and another Edwards curve which is birationally equivalent to Curve448 are specified. Our first contribution is to provide the presently best known 64-bit assembly implementations of Diffie-Hellman shared secret computation using Curve25519. The main contribution of this work is to propose new pairs of Montgomery-Edwards curves at the 128-bit and the 224-bit security levels. The new curves are nice in the sense that they have very small curve coefficients and base points. Compared to the curves in RFC 7748, the new curves lose two bits of security. The gain is improved efficiency. For Intel processors, we have made different types of implementations of the Diffie-Hellman shared secret computation using the new curves. The new curve at the 128-bit level is faster than Curve25519 for all types of implementations, while the new curve at the 224-bit level is faster than Curve448 for a 64-bit sequential implementation based on schoolbook multiplication, but is slower than Curve448 for a vectorized implementation based on Karatsuba multiplication. Overall, the new curves provide good alternatives to Curve25519 and Curve448.

Category / Keywords: implementation / Elliptic curve cryptography, Montgomery form, Edwards form, Transport layer security, Diffie-Hellman Protocol, Curve25519, Curve448

Date: received 30 Oct 2019, last revised 12 Aug 2020

Contact author: kaushikn_r at isical ac in, palash at isical ac in

Note: Major revision.

Version: 20200812:115239

Short URL: ia.cr/2019/1259