Paper 2019/1361

Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level

Kaushik Nath and Palash Sarkar


In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 256-bit security level. To this end, we work with three primes, namely $p_1:=2^{506}-45$, $p_2=2^{510}-75$ and $p_3:=2^{521}-1$. While $p_3$ has been considered earlier in the literature, $p_1$ and $p_2$ are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over $p_1$ leads to a $3\%$-$4\%$ slowdown and the new Montgomery curve over $p_2$ leads to a $4.5\%$-$5\%$ slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over $p_1$ and $p_2$ provide an acceptable trade-off between security and efficiency.

Available format(s)
Publication info
Preprint. MINOR revision.
Elliptic curve cryptographyElliptic curve Diffie-Hellman key agreementMontgomery formEdwards form256-bit security.
Contact author(s)
kaushikn_r @ isical ac in
palash @ isical ac in
2019-11-27: received
Short URL
Creative Commons Attribution


      author = {Kaushik Nath and Palash Sarkar},
      title = {Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1361},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.