**Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level**

*Kaushik Nath and Palash Sarkar*

**Abstract: **In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 256-bit security level.
To this end, we work with three primes, namely $p_1:=2^{506}-45$, $p_2=2^{510}-75$ and $p_3:=2^{521}-1$. While $p_3$ has been considered earlier in the literature, $p_1$ and $p_2$ are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over $p_1$ leads to a $3\%$-$4\%$ slowdown and the new Montgomery curve over $p_2$ leads to a $4.5\%$-$5\%$ slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over $p_1$ and $p_2$ provide an acceptable trade-off between security and efficiency.

**Category / Keywords: **implementation / Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security.

**Date: **received 26 Nov 2019

**Contact author: **kaushikn_r at isical ac in,palash@isical ac in

**Available format(s): **PDF | BibTeX Citation

**Version: **20191127:081613 (All versions of this report)

**Short URL: **ia.cr/2019/1361

[ Cryptology ePrint archive ]