### Security and Efficiency Trade-offs for Elliptic Curve Diffie-Hellman at the 128-bit and 224-bit Security Levels

Kaushik Nath and Palash Sarkar

##### Abstract

Within the Transport Layer Security (TLS) Protocol Version 1.3, RFC 7748 specifies elliptic curves targeted at the 128-bit and the 224-bit security levels. For the 128-bit security level, the Montgomery curve Curve25519 and its birationally equivalent twisted Edwards curve Ed25519 are specified; for the 224-bit security level, the Montgomery curve Curve448, the Edwards curve Edwards448 (which is isogenous to Curve448) and another Edwards curve which is birationally equivalent to Curve448 are specified. Our first contribution is to provide the presently best known 64-bit assembly implementations of Diffie-Hellman shared secret computation using Curve25519. The main contribution of this work is to propose new pairs of Montgomery-Edwards curves at the 128-bit and the 224-bit security levels. The new curves are nice in the sense that they have very small curve coefficients and base points. Compared to the curves in RFC 7748, the new curves lose two bits of security. The gain is improved efficiency. For Intel processors, we have made different types of implementations of the Diffie-Hellman shared secret computation using the new curves. The new curve at the 128-bit level is faster than Curve25519 for all types of implementations, while the new curve at the 224-bit level is faster than Curve448 for a 64-bit sequential implementation using schoolbook multiplication, but is slower than Curve448 for a vectorized implementation using Karatsuba multiplication. Overall, the new curves provide good alternatives to Curve25519 and Curve448.

Note: Major revision.

Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
Elliptic curve cryptography, Montgomery form, Edwards form, Transport layer security, Diffie-Hellman Protocol, Curve25519, Curve448
Contact author(s)
kaushikn_r @ isical ac in
palash @ isical ac in
History
2020-08-12: last of 2 revisions
Short URL
https://ia.cr/2019/1259

CC BY

BibTeX

@misc{cryptoeprint:2019/1259,
author = {Kaushik Nath and Palash Sarkar},
title = {Security and Efficiency Trade-offs for Elliptic Curve Diffie-Hellman at the 128-bit and 224-bit Security Levels},
howpublished = {Cryptology ePrint Archive, Paper 2019/1259},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/1259}},
url = {https://eprint.iacr.org/2019/1259}
}
