[Resource Topic] 2019/1361: Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level

Welcome to the resource topic for 2019/1361

Title:
Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level

Authors: Kaushik Nath, Palash Sarkar

Abstract:

In this paper we introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, we work with three primes, namely p_1:=2^{506}-45, p_2:=2^{510}-75 and p_3:=2^{521}-1. While p_3 has been considered earlier in the literature, p_1 and p_2 are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p_1 leads to a 3%-4% slowdown and the new Montgomery curve over p_2 leads to a 4.5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over p_1 and p_2 provide an acceptable trade-off between security and efficiency.

ePrint: https://eprint.iacr.org/2019/1361

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.