Reduction Modulo $2^{448}-2^{224}-1$

Kaushik Nath; Palash Sarkar

Paper 2019/1304

Reduction Modulo $2^{448} - 2^{224} - 1$

Kaushik Nath and Palash Sarkar

Abstract

An elliptic curve known as Curve448 defined over the finite field $F_{p}$ , where $p = 2^{448} - 2^{224} - 1$ , has been proposed as part of the Transport Layer Security (TLS) protocol, version 1.3. Elements of $F_{p}$ can be represented using 7 limbs where each limb is a 64-bit quantity. This paper describes efficient algorithms for reduction modulo $p$ that are required for performing field arithmetic in $F_{p}$ using 7-limb representation. A key feature of our work is that we provide the relevant proofs of correctness of the algorithms. We also report efficient 64-bit assembly implementations for key generation and shared secret computation phases of the Diffie-Hellman key agreement protocol on Curve448. Timings results on the Haswell and Skylake processors demonstrate that the new 64-bit implementations for computing the shared secret are faster than the previously best known 64-bit implementations.

Note: Minor revision

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Curve448 Goldilocks prime modulo reduction elliptic curve cryptography Diffie-Hellman key agreement.
Contact author(s): kaushikn_r @ isical ac in
palash @ isical ac in
History: 2022-01-06: last of 3 revisions; 2019-11-11: received; See all versions
Short URL: https://ia.cr/2019/1304
License: CC BY

BibTeX

@misc{cryptoeprint:2019/1304,
      author = {Kaushik Nath and Palash Sarkar},
      title = {Reduction Modulo $2^{448}-2^{224}-1$},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/1304},
      year = {2019},
      url = {https://eprint.iacr.org/2019/1304}
}

Paper 2019/1304

Reduction Modulo 2448−2224−1

Abstract

Metadata

Reduction Modulo $2^{448} - 2^{224} - 1$