Cryptology ePrint Archive: Report 2019/1259

“Nice” Curves

Kaushik Nath and Palash Sarkar

Abstract: Within the Transport Layer Security (TLS) Protocol Version 1.3, RFC 7748 specifies elliptic curves targeted at the 128-bit and the 224-bit security levels. For the 128-bit security level, the Montgomery curve Curve25519 and its birationally equivalent twisted Edwards curve Ed25519 are specified, while for the 224-bit security level, the Montgomery curve Curve448 and its birationally equivalent Edwards curve Edwards448 are specified. The contribution of this work is to propose new pairs of Montgomery-Edwards curves at both the 128-bit and the 224-bit security levels. The new curves are nice in the sense that they have very small curve coefficients and base points. Compared to the curves in RFC 7748, the new curves lose two bits of security. The main advantage of the new curves over those in RFC 7748 is that for 64-bit implementation, all the reduction steps on the outputs of additions and subtractions in the ladder algorithm can be omitted. For 64-bit implementations on the Skylake and the Kaby Lake processors, about 21% improvement in speed is achieved at the 128-bit security level and about 28% improvement in speed is obtained at the 224-bit security level.

Category / Keywords: implementation / Elliptic curve cryptography, Montgomery form, Edwards form, Transport Layer Security.

Date: received 30 Oct 2019, last revised 18 Nov 2019

Contact author: kaushikn_r at isical ac in,palash@isical ac in

Available format(s): PDF | BibTeX Citation

Note: Fixed a typo and some minor editorial issues.

Version: 20191118:120205 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]