Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level

Kaushik Nath and Palash Sarkar

Abstract

In this paper we introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, we work with three primes, namely $p_1:=2^{506}-45$, $p_2:=2^{510}-75$ and $p_3:=2^{521}-1$. While $p_3$ has been considered earlier in the literature, $p_1$ and $p_2$ are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over each of the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of Transport Layer Security version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over $p_1$ leads to a $3\%$-$4\%$ slowdown and the new Montgomery curve over $p_2$ leads to a $4.5\%$-$5\%$ slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over $p_1$ and $p_2$ provide an acceptable trade-off between security and efficiency.
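All three moduli in the abstract have the shape $2^k - c$ with a small $c$, which is what makes field reduction cheap: $2^k \equiv c \pmod p$, so the high part of a product can be folded into the low part with one small multiplication. The following is an added example, not code from the paper or its assembly implementation; it confirms that $p_1$, $p_2$ and $p_3$ are (probable) primes with a Miller-Rabin test and shows the fold-in reduction on a full-width product. The function names and the fixed random seed are the example's own choices.

```python
# Added example (not from the paper): check the three moduli from the abstract
# and demonstrate the reduction trick that primes of the form 2^k - c enable.
import random

# The three primes named in the abstract, as (k, c) for p = 2^k - c.
PRIMES = {"p1": (506, 45), "p2": (510, 75), "p3": (521, 1)}


def pseudo_mersenne(k, c):
    """Return p = 2^k - c as a Python integer."""
    return (1 << k) - c


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test.

    Trial division by small primes first, then `rounds` random bases.
    A composite survives all rounds with probability at most 4^-rounds.
    """
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    # Write n - 1 = d * 2^s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(2019)  # fixed seed: the run is reproducible (example's choice)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def reduce_pseudo_mersenne(x, k, c):
    """Reduce a non-negative x (e.g. a 2k-bit product) modulo p = 2^k - c.

    Because 2^k = c (mod p), splitting x = hi * 2^k + lo gives x = hi * c + lo (mod p).
    Each fold shrinks x by roughly k - log2(c) bits, so two or three folds bring it
    below 2^k; one conditional subtraction then lands it in [0, p).
    The paper's assembly does the same fold limb by limb; this is the integer view.
    """
    p = pseudo_mersenne(k, c)
    mask = (1 << k) - 1
    while x >> k:
        x = (x >> k) * c + (x & mask)
    if x >= p:
        x -= p
    return x


def check_abstract_primes():
    """Return {name: is_probable_prime(p)} for p1, p2, p3."""
    return {name: is_probable_prime(pseudo_mersenne(k, c)) for name, (k, c) in PRIMES.items()}


if __name__ == "__main__":
    print(check_abstract_primes())
    k, c = PRIMES["p1"]
    p = pseudo_mersenne(k, c)
    prod = (p - 1) * (p - 1)          # a full-width product, as after a field multiply
    print(reduce_pseudo_mersenne(prod, k, c) == prod % p)
```

The reduction routine works for any $2^k - c$ with $c$ well below $2^{k/2}$; for $p_3 = 2^{521}-1$ it degenerates to the classic Mersenne fold (add the high half to the low half), which is why that prime has long been popular.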

Category
Implementation
Publication info
Preprint. MINOR revision.
Keywords
Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security
Contact author(s)
kaushikn_r @ isical ac in
palash @ isical ac in
Short URL
https://ia.cr/2019/1361

CC BY

BibTeX

@misc{cryptoeprint:2019/1361,
author = {Kaushik Nath and Palash Sarkar},
title = {Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level},
howpublished = {Cryptology ePrint Archive, Paper 2019/1361},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/1361}},
url = {https://eprint.iacr.org/2019/1361}
}
